In OpenStack environments with a network functions virtualization infrastructure (NFVI) enabled, you can run an IDPS instance as a virtualized network function (VNF). VNFs are building blocks that you can use to create a scalable service composed of a sequence of virtual functions (service chaining).

To enable IDPS as a VNF:

  1. Once the IDPS VM is configured and verified, upload the IDPS VM image to your cloud environment using the OpenStack Dashboard. The QCOW2 or VMDK image formats are preferable.

  2. Go to the Contrail web UI. For example:

  3. Open the Service Templates panel in the Configure tab.

  4. Create an IPS template service.

    1. Select the service mode for your service:

      • In-Network or routed mode

        The service VM instance sits between at least two networks and packets are routed through it. Examples include NAT, a Layer 3 firewall, a load balancer, an HTTP proxy, and so on.

      • In-Network NAT

        Similar to in-network mode; however, return traffic does not need to be routed to the source network. In-network-nat mode is particularly useful for a NAT service.

      • Transparent or bridge mode

        The service is transparent to communication between instances and packets are not modified. Transparent mode fits an L2 firewall and IDPS.

    2. Specify the number of interfaces for the service in Service Type:

      • For the Firewall type, Contrail allocates at least two interfaces: ingress and egress.

      • For the Analyzer type, at least one interface is needed.

    3. In Advanced Options, you can enable Service Scaling, select an Availability Zone for your service instances, and select an instance flavor.

  5. In the Service Instances panel, create an ips-instance service instance based on the available service template and connect its network interfaces to the internal and external networks. As a result, ips-instance acts as an alternative router connecting the two networks.

  6. Go to the Networking->Policies panel to create a service policy. The ips-policy tells Contrail to pass any traffic between internal and external through the ips-instance service instance.

    OpenContrail also provides a traffic mirroring feature.

  7. Assign the created ips-policy policy to the affected networks, internal and external, in the Networking->Networks panel.

  8. Test your service chaining:

    1. Create a VM, TestVM, from which you can download malicious content from the external network.

    2. Configure iptables to route traffic between the internal and external networks (router mode).

      You can also test your IPS service instance in bridge mode by installing it between the default router and the external network.

    3. The resulting network topology, with ips-instance and TestVM running in the internal network, will look like:

    4. Verify that Contrail correctly directs traffic between the networks to the service instance.

      1. From TestVM, ping the external network gateway. For example:

      2. On the ips-instance VM, start tcpdump:

        sudo tcpdump -i eth0

      3. In the ips-instance VM, verify that you can see ICMP packets passing between the two networks:

    5. Set up a web server in the external network and create a test file containing the word Alarm.

    6. Download the test file from TestVM. For example:

    7. In the ips-instance VM, view fast.log to check whether Suricata generated the expected alert message, Alarm detected:

      tail -f /etc/suricata/fast.log
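The last step checks fast.log by eye. The following added example (not code from the page or from Contrail/Suricata) parses Suricata fast.log lines and confirms that the expected "Alarm detected" alert fired on a flow that actually touched the internal network, which is the evidence that the download passed through ips-instance. The sample log lines, addresses, sids and the rule named in the comment are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Regex for one line in Suricata's fast.log output format (IPv4 endpoints).
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

@dataclass
class Alert:
    timestamp: str
    sid: int
    msg: str
    proto: str
    src: str
    dst: str

def parse_fast_log(text: str) -> list[Alert]:
    """Parse fast.log text into Alert records, silently skipping lines that do not match."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if m:
            alerts.append(Alert(m["ts"], int(m["sid"]), m["msg"], m["proto"], m["src"], m["dst"]))
    return alerts

def find_alerts(text: str, msg: str, internal_net: str = "") -> list[Alert]:
    """Alerts with message msg; with internal_net set, only those with an endpoint in that network."""
    net = ipaddress.ip_network(internal_net) if internal_net else None
    hits = []
    for a in parse_fast_log(text):
        if a.msg != msg:
            continue
        if net and ipaddress.ip_address(a.src) not in net and ipaddress.ip_address(a.dst) not in net:
            continue  # flow never touched the internal network, so it did not cross ips-instance
        hits.append(a)
    return hits

# Constructed sample fast.log (not from the page). Assumed addressing: TestVM 10.0.1.5 (internal),
# web server 192.168.100.10 (external). Assumed rule behind the last line:
# alert http any any -> any any (msg:"Alarm detected"; content:"Alarm"; sid:1000001; rev:1;)
SAMPLE_FAST_LOG = """\
01/15/2024-10:22:43.123456  [**] [1:1000003:1] Constructed ICMP test [**] [Classification: (null)] [Priority: 3] {ICMP} 10.0.1.5:0 -> 192.168.100.1:0
01/15/2024-10:22:50.000001  [**] [1:1000002:1] Constructed unrelated alert [**] [Classification: (null)] [Priority: 3] {TCP} 172.16.9.9:443 -> 172.16.9.10:50000
01/15/2024-10:23:01.654321  [**] [1:1000001:1] Alarm detected [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.100.10:80 -> 10.0.1.5:54321
"""
```

Feed the real file contents instead of SAMPLE_FAST_LOG and pass the internal network's CIDR to find_alerts; an empty result means either the rule did not fire or the flow bypassed the service instance.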