FSM: Gatekeeper Service Updates
Design
Gatekeeper is an FSM plugin that enforces data traffic flow policy decisions. The plugin acts as a policy engine that uses an external threat intelligence service (IP threat detection) to allow or block the data flows.
Controller Involvement
Providing Gatekeeper support for IP threat detection
Configuring the OVSDB FSM_Policy table to use Gatekeeper as an IP reputation service
Configuring the OVSDB Flow_Service_Manager_Config table IP threat entry to use the gate
OVSDB Configuration
FSM_Policy Configuration
Add an FSM_Policy table entry dedicated to the Gatekeeper DPI requests. The policy does not need separate rules for inbound and outbound traffic: the device's request to the Gatekeeper service already indicates whether the IP address to process belongs to an outbound or an inbound flow.
$ ovsh s FSM_Policy -w idx==8
-------------------------------
_uuid | 72d8~b542 |
_version | 5e2b~bb0c |
action | gatekeeper |
fqdn_op | ["set",[]] |
fqdncat_op | ["set",[]] |
fqdncats | ["set",[]] |
fqdns | ["set",[]] |
idx | 8 |
ipaddr_op | ["set",[]] |
ipaddrs | ["set",[]] |
log | blocked |
mac_op | ["set",[]] |
macs | ["set",[]] |
name | gk_ip_all |
next | ["map",[]] |
other_config | ["map",[]] |
policy | gatekeeper_dpi |
redirect | ["set",[]] |
risk_level | ["set",[]] |
risk_op | ["set",[]] |
-------------------------------
Flow_Service_Manager_Config Configuration
Update the Flow_Service_Manager_Config ipthreat_dpi entry to point to the gatekeeper_dpi policy (other_config policy_table) and to name gatekeeper as the provider_plugin. As noted above, the IP threat detection DPI plugin does not need separate inbound and outbound policies.
$ ovsh -j s Flow_Service_Manager_Config -w handler==ipthreat_dpi
[
    {
        "if_name": "",
        "_version": [
            "uuid",
            "a1c80e4e-acb0-48f5-9d2f-b060fbcba61f"
        ],
        "other_config": [
            "map",
            [
                [
                    "dpi_dispatcher",
                    "core_dpi_dispatch"
                ],
                [
                    "mqtt_v",
                    "IP/Threats/opensync/XXXXX002B3/XXXXXf5acbb22513f0ae5e17"
                ],
                [
                    "policy_table", <---------- unique policy table
                    "gatekeeper_dpi"
                ],
                [
                    "provider_plugin", <---------- gatekeeper as a provider
                    "gatekeeper"
                ],
                [
                    "targeted_devices",
                    "${iptd-devices}"
                ],
                [
                    "wc_hero_stats_interval_secs",
                    "1800"
                ],
                [
                    "wc_hero_stats_topic",
                    "IP-WC/Stats/Hero/opensync/XXXXXf5acbb22513f0ae5e17/XXXXX002B3"
                ]
            ]
        ],
        "type": "dpi_plugin",
        "plugin": "",
        "_uuid": [
            "uuid",
            "72be1f99-1194-4dfa-8e0a-9d9d1bf8dca5"
        ],
        "pkt_capt_filter": "",
        "handler": "ipthreat_dpi"
    }
]
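To confirm on a device that the two tables above agree (the ipthreat_dpi handler names gatekeeper as provider_plugin, and its policy_table resolves to an FSM_Policy row whose action is gatekeeper), here is an added Python check that is not part of OpenSync. It parses the JSON that `ovsh -j s` prints, flattening OVSDB's ["map", [[k, v], ...]] notation, and runs against trimmed sample rows constructed from the page's own listings.

```python
import json

# Constructed samples of `ovsh -j s Flow_Service_Manager_Config` and
# `ovsh -j s FSM_Policy` output, trimmed to the columns the check reads.
# Values are taken from the page's listings; on a device, feed the real output.
FSM_CONFIG_JSON = """[
  {"handler": "ipthreat_dpi", "type": "dpi_plugin",
   "other_config": ["map", [["dpi_dispatcher", "core_dpi_dispatch"],
                            ["policy_table", "gatekeeper_dpi"],
                            ["provider_plugin", "gatekeeper"],
                            ["targeted_devices", "${iptd-devices}"]]]}
]"""

FSM_POLICY_JSON = """[
  {"idx": 8, "name": "gk_ip_all", "policy": "gatekeeper_dpi",
   "action": "gatekeeper", "log": "blocked"}
]"""


def ovsdb_map(value):
    """Flatten OVSDB's ["map", [[k, v], ...]] column notation into a dict."""
    if isinstance(value, list) and len(value) == 2 and value[0] == "map":
        return dict(value[1])
    return {}


def check_ipthreat_gatekeeper(fsm_config_json, fsm_policy_json, handler="ipthreat_dpi"):
    """Return a list of problems; an empty list means the handler is wired to Gatekeeper."""
    problems = []
    rows = [r for r in json.loads(fsm_config_json) if r.get("handler") == handler]
    if not rows:
        return [f"no Flow_Service_Manager_Config row with handler={handler}"]
    cfg = ovsdb_map(rows[0].get("other_config"))
    # The IP threat plugin must delegate reputation lookups to the gatekeeper plugin.
    if cfg.get("provider_plugin") != "gatekeeper":
        problems.append(f"provider_plugin is {cfg.get('provider_plugin')!r}, expected 'gatekeeper'")
    table = cfg.get("policy_table")
    if not table:
        problems.append("policy_table is not set")
        return problems
    # The referenced policy must exist and contain a rule whose action is gatekeeper.
    policies = [p for p in json.loads(fsm_policy_json) if p.get("policy") == table]
    if not policies:
        problems.append(f"no FSM_Policy rows for policy {table!r}")
    elif not any(p.get("action") == "gatekeeper" for p in policies):
        problems.append(f"FSM_Policy {table!r} has no rule with action 'gatekeeper'")
    return problems


if __name__ == "__main__":
    print(check_ipthreat_gatekeeper(FSM_CONFIG_JSON, FSM_POLICY_JSON) or "ok")
```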
Reporting
Reporting is done over MQTT. The ipCategorization object of the report carries a field specific to the Gatekeeper service (gatekeeperFilter), which holds the hint returned by the Gatekeeper service and is reported unchanged by the device.
{
    "action": "blocked",
    "classifiedBy": "ip",
    "deviceMac": "00:AA:BB:CC:9F:85",
    "direction": "outbound",
    "flow": {
        "dstIpaddr": "10.2.0.43",
        "dstPort": 12345,
        "proto": 17,
        "srcIpaddr": "192.168.40.111",
        "srcPort": 39806
    },
    "ipAddr": "10.2.0.43",
    "ipCategorization": {
        "categoryId": 100,
        "confidenceLevel": 30,
        "gatekeeperFilter": "gk_outbound_ipv4", <---------- hint provided by the gatekeeper service, reported as is by the FW
        "source": "gatekeeper"
    },
    "locationId": "XXXXXf5acbb22513f0ae5e17",
    "nodeId": "XXXXX002B3",
    "policy": "gatekeeper_dpi",
    "policyIndex": 10,
    "reportedAt": "2021-04-30T00:36:53.026Z",
    "ruleName": "gk_ip_all",
    "version": "1.0.0"
}
Published Content
https://www.opensync.io/s/EDE-021-030-501_FSM_Plugins.pdf
https://www.opensync.io/s/ERE-021-061-701_FSM_Plugin_Requirements.pdf