Palo Alto Networks. Security Models in the Software Defined Data Center

Transcription

1 Palo Alto Networks Security Models in the Software Defined Data Center Christer Swartz Palo Alto Networks CCIE #2894

2 Network Overlay Boundaries & Security Traditionally, all Network Overlay or Tunneling technologies have created some kind of smart edge where a forwarding decision or encapsulation occurs, and a dumb core which is focused on fast switching. Such as MPLS, TRILL, FabricPath, Qfabric, etc. In all of these, the edge has been a piece of networking hardware, and these technologies have been initiated by networking hardware. And firewalls have traditionally been deployed at the boundary between this network edge and end-systems. Server s Firewall Smart Edge Dumb Core Firewall Server s Data Center Core Network

3 Network Overlay Boundaries & Security But with emerging SDN technologies, overlay technologies can be initiated from hosts. The network edge can now be a host, with the entire physical network focused on dumb fast switching. Examples are VXLAN, NVGRE, and STT. Hardware firewalls deployed in the physical network core now only see North/South traffic that exists a physical host, not East/West traffic within a host, nor traffic within Overlay tunnels. Smart Edge Server s Firewall Dumb Core Firewall Server s VXLAN Data Center Core Network

4 Firewalls In order to maintain visibility into East/West traffic, and contents of Overlay technologies Initiated from hosts, virtual firewalls need to be deployed within the host systems. To maintain full security visibility across entire Data Center, physical and virtual firewalls need to coordinate policy and network intelligence. Smart Edge Server s Firewall Dumb Core Firewall Server s Firewall Data Center Core Network Firewall

5 Why place any firewall in a virtual topology? - Web / App / DB Isolation - PCI / Non-PCI isolation - Malware, Virus - Administrative Isolation - Dev / Production isolation - Whitelisting VM Firewall? VM Switch Hypervisor Data Center Core Network Hardware Firewalls

6 How do firewalls define Applications? Traditional: Applications = TCP/UDP Ports Next Gen: Applications = Data Payload Signatures

7 Build rules against applications, not ports

8 Track Apps, Content, & Users, not IP s SQL SQL Sharepoint

9 Writing Security Policy based on tags, not IP s Dynamic Address Groups VMware vcenter or ESXi PAN-OS Dynamic Address Groups Name IP Guest OS Container web-sjc Ubuntu Web sp-sjc Win 2008 R2 SharePoint web-sjc Ubuntu Web Name Tags Addresses SharePoint Servers MySQL Servers SharePoint Win 2008 R2 sp MySQL Ubuntu db exch-mia Win 2008 R2 Exchange exch-dfw Win 2008 R2 Exchange Miami DC mia sp-mia Win 2008 R2 SharePoint db-mia Ubuntu MySQL San Jose Linux Web Servers sjc web Ubuntu db-dfw Ubuntu MySQL db-mia Ubuntu MySQL PAN-OS Security Policy Source Destination Action SharePoint Servers MySQL Servers San Jose Linux Web Servers Miami DC

10 Consistent Security Policy across entire DC Central Management For & Physical Firewalls Hypervisor Hypervisor Hypervisor PA-7050 PA-7050

11 Data Center Firewall Deployment Models 6. Endpoint security software. ( Cyvera, Symantec, IPTables ) 5. VM firewalls inspecting packets at source, VM-to-VM steering. ( PAN VM-1000-HV firewall ) VLAN 100 VLAN 200 vswitch Hypervisor 4. VM firewall between VLAN's. ( PAN Gateway, Cisco vasa ) 3. Kernel module firewall. ( NSX DFW, Juniper Firefly Host ) 2. Linux Container, Docker. ( Possible future. Only IPTables today ) 1. Physical Firewall. ( PAN, SRX, ASA )

12 2 Different Firewall Types Using NSX VM-1000-HV VM Firewall Using vsphere Gateway VM Firewall We reside within the network topology, as in a traditional network. We see packets after they reach the network stack. Traffic is steered to us for inspection above the Forwarding Plane, so security is applied before packets ever reach the network stack. Security now has zero impact on network topology since security is abstracted from the network. Security occurs within Network VM-1 VM-2 VM-1 VM-2 PAN Security is abstracted above Network Step-1 Step-3 Step-2 vshield VMware s Switch Hypervisor ESX & ESXi Forwarding Plane PAN VMware s Switch Hypervisor ESX & ESXi Data Center Core Network Data Center Core Network

13 Phase 1: Just trunk all VLAN s to server uplinks VM VM VM Physical Host Hypervisor VLAN s Top of Rack Switch Hardware Firewall

14 Easy for hardware firewalls to go blind VM VM VM Physical Host Hypervisor VLAN s Logical Router Quagga, Vyatta, Halon, VMware DLR & ESG, Static Routes in Linux, etc. Top of Rack Switch Hardware Firewall

15 VM Firewall VM-A VM-B Port Group-A vshield Switch Port Group-B Hypervisor ESX & ESXi Data Center Core Network

16 Hypervisor-Aware Firewall VM-A VM-B Switch One Port Group Hypervisor ESX & ESXi Data Center Core Network

17 VMware NSX Distributed Firewall Performs Stateful firewalling Distributed Port Groups NSX Distributed Firewall Hypervisor A Hypervisor B

18 Augmenting the Distributed Firewall Deep-Packet firewalling Distributed Port Groups NSX Distributed Firewall PAN VM Firewall Hypervisor A Hypervisor B PAN VM Firewall

19 Security Policy above the Forwarding Plane Web DB App App Web DB Switch Forwarding Plane NSX Distributed Firewall Hypervisor

20 Security Policy above the Forwarding Plane Web DB App App Web DB NetX API re-directs data flows to us. Switch Forwarding Plane NSX Distributed Firewall Hypervisor

21 Security Policy above the Forwarding Plane Web DB App App Web DB We hand traffic back to filter. Switch Forwarding Plane NSX Distributed Firewall Hypervisor

22 Security Policy above the Forwarding Plane Web DB App App Web DB Only then does packet reach any network segment. Switch Forwarding Plane NSX Distributed Firewall Hypervisor

23 SDN Controllers Switch Switch Routers Hardware Firewalls??? SDN Controller Protocols: - OpenFlow - NetConf - XMPP - I2RS Controllers: - Juniper Contrail - Open Daylight - Nuage - Google s Andromeda

24 SDN Controllers Hardware Firewalls: Transparent ( vwire ) Switch Switch Routers Hardware Firewalls vwire SDN Controller

25 SDN: Service Chaining & NFV Switch Switch Switch SDN Controller

26 SDN: Service Chaining & NFV NFV ( Network Functions ization ) Nodes Palo Alto Networks Firewall Load-Balancer WAN Accelerator VM-1 Tenant 1 VM-2 Tenant 2 Switch Switch Switch

27 SDN: Service Chaining & NFV NFV ( Network Functions ization ) Nodes Palo Alto Networks Firewall Load-Balancer WAN Accelerator VM-1 Tenant 1 VM-2 Tenant 2 Service Chain-2 Service Chain-1 Switch Switch Switch

28 Service Chaining Tunnel Types Different Controllers use different tunnels to define a Service Chain. These tunnels terminate at vswitch, not at the Services themselves. Firewall Load-Balancer WAN Accelerator VM-1 Tenant 1 VM-2 Tenant 2 VLAN s VXLAN s - MPLS - VXLAN - GRE - GENEVE Switch Switch Switch

29 SDN-derived protocols: Arista DirectFlow Assist Point to Arista Switch as a Syslog server Arista Switch Firewall Physical or Forward initial packets to us, for decision. 10 Gig 10 Gig 10 Gig

30 Orchestration: Template model or Plugin model API s imported into Cloud OS. CloudStack API s imported as Templates or Agents API s contained in a Plugin written by each vendor. Such as OpenStack. Nova Module Swift Module Neutron Module Plugins

31 CloudStack Orchestration API s via templates External network. Firewall deployed as a CloudStack Service Provider using VR s. CloudStack Router doing DNS & DHCP. CloudStack Pod networks , Palo Alto Networks. Confidential and Proprietary.

32 OpenStack Multi-Tenant Cloud External Network Private Network 1 Private Network 2 VM VM VM VM VM Tenant 1 Tenant 2

33 Dynamic Address Groups via REST API Orchestration System or Scripts: Puppet, Chef, Ansible, etc. REST API calls Harvest IP s and tags REST API calls Push or Pull PAN-OS Dynamic Address Groups Name Tags Addresses SharePoint Servers MySQL Servers Miami DC San Jose Linux Web Servers SharePoint Win 2008 R2 sp MySQL Ubuntu db mia sjc web Ubuntu Cloud OS DB

34 Data Center Ecosystem Cloud-based Threat intelligence Central Management Hypervisor Communication Endpoint Security Software Hardware Firewalls Firewalls Orchestration / Automation SDK, API, etc. OSPF, BGP VSYS, VR Multiple Hypervisors