Security Policy Enhancements
As the Contrail environment has grown and become more complex, it has become harder to achieve
desired security results with the exisng network policy and security group constructs. The Contrail
network policies have been ed to roung, making it dicult to express security policies for
environments such as cross seconing between categories, or having a mul-er applicaon supporng
development and producon environment workloads with no cross environment trac.
Starng with Contrail Release 4.1, limitaons of the current network policy and security group
constructs are addressed by supporng decoupling of roung from security policies, muldimension
segmentaon, and policy portability. This release also enhances user visibility and analycs funcons for
security.
Contrail Release 4.1 introduces new rewall security policy objects, including the following
enhancements:
•Roung and policy decoupling—introducing new rewall policy objects, which decouples policy from
roung.
•Muldimension segmentaon—segment trac and add security features, based on mulple
dimensions of enes, such as applicaon, er, deployment, site, usergroup, and so on.
• Policy portability—security policies can be ported to dierent environments, such as ‘from
development to producon’, ‘from pci-complaint to producon’, ‘to bare metal environment’ and ‘to
container environment’.
• Visibility and analycs
Using Tags and Conguraon Objects to Enhance Security Policy
Starng with Contrail Release 4.1, tags and conguraon objects are used to create new rewall policy
objects that decouple roung and network policies, enabling muldimension segmentaon and policy
portability.
Muldimension trac segmentaon helps you segment trac based on dimensions such as applicaon,
er, deployment, site, and usergroup.
You can also port security policies to dierent environments. Portability of policies are enabled by
providing match condions for tags. Match tags must be added to the policy rule to match tag values of
source and desnaon workloads without menoning tag values. For example, in order for the ‘allow
protocol tcp source application-tier=web destination application-tier=application match application and site’ rule
to take eect, the applicaon and site values must match.
3