Network Virtualization Solutions - A Practical Solution

Transcription

1 SOLUTION GUIDE Deploying Advanced Firewalls in Dynamic Virtual Networks Enterprise-Ready Security for Network Virtualization 1

2 This solution guide describes how to simplify deploying virtualization security and network virtualization with Palo Alto Networks next-generation firewalls and the Big Virtual Switch application from Big Switch Networks. The combination of Dynamic Address Objects and the XML Management API in the Palo Alto Networks operating system (PAN-OS), and the northbound API exposed by Big Network Controller and Big Virtual Switch, enable network engineers and security administrators to automate the definition and management of security policies. This solution reduces the complexity of data center configuration, avoids repetitive and manual configuration changes and enables staff to become more productive by automating the tasks required to roll out new workloads or to secure existing deployments. The solution leverages programmability available in next-generation firewalls and the Network Application platform from Big Switch Networks, Big Network Controller, to make your data center network programmable: unified, flexible, and more cost effective. Table of Contents The Challenge and Promise of Cloud Networks... 3 Next Generation Firewalls in Virtual Networks... 4 RESTful Interfaces and Dynamic Objects... 5 Under The Hood... 6 Generate a Key... 6 List the current mappings... 7 Update the mapping for dynamic object... 7 Unified. Flexible. Open... 8 About Big Switch Networks

3 The Challenge and Promise of Cloud Networks Big Virtual Switch, a network virtualization application from Big Switch Networks, makes your network as agile and dynamic as your other cloud infrastructure. To extract the value of private clouds, you must embrace automation. Significant degrees of automation have been achieved in compute and storage deployment and operations. The same cannot be said of networks. Network virtualization has lagged behind other technologies in the data center and has posed a barrier to delivering a truly virtual data center. The network now poses a productivity barrier because the output of automated compute deployment tools is often held up by the need for network change orders to be completed manually. Big Virtual Switch, a network virtualization application from Big Switch Networks provides a solution to these challenges. Big Virtual Switch, a network virtualization application from Big Switch Networks, makes your network as agile and dynamic as your public cloud infrastructure. The solution supports existing physical systems, including firewall appliances, and can program both physical and virtual switches to meet the requirements of application instances. Big Virtual Switch can integrate with next generation firewalls, enabling the networking and security teams to work more efficiently. Big Virtual Switch delivers a degree of automation that was once thought impossible to achieve, enabling the use of abstractions to pool resources and providing a robust implementation for programming the network while cleanly separating the network engineering duties from other tasks. Instead of using traditional static network configuration constructs like VLANs and subnets that can t scale to the needs of private clouds, Big Virtual Switch delivers a flexible, unified, and dramatically more efficient approach to scaling data center networks for cloud deployments. The combination of Palo Alto Networks next-generation firewalls and Big Virtual Switch solves the challenges of securing virtual workloads with virtual networks, enabling enterprises to reap the benefits of a private cloud while simultaneously reducing risk and simplifying network operations. Big Virtual Switch Northbound API Open Source Core Big Network Controller Open Flow vswitches Open Flow vswitches Figure 1: Big Network Controller has at its core, the open-source SDN controller, Floodlight, which is Apache licensed. Often, to accommodate the limitations of device-oriented networks and the risk of manual change orders, traditional networks must move slowly, tracking each modification with rigorous change control and tying the network design to physical systems and their associated application workloads. For example, tying a VLAN and a subnet to an application 3

4 and then configuring those network properties directly into devices defeats the very purpose of server virtualization and cloud architectures. These designs are optimized to limit configuration errors and fix the settings to avoid an outage and to simplify the burden of maintaining compliance with regulations that require traffic isolation and other security policy enforcement. For example, in a traditional design, a VLAN is often coupled to a subnet and that subnet might be coupled to a specific rack or a set of racks and networking systems. Such configurations result in inflexible architectures that are slow to respond to business needs, slowing application ramp times due to personnel constraints or due to the costs required to build out all the systems required for an application. Big Virtual Switch solves these problems, driving the benefits of virtualization and automation into the network. With Big Virtual Switch, the underlying network can be dynamically and automatically sliced into segments according to corporate security and compliance policies. Network engineers don t have to work a task list with dozens of tasks associated with each new workload request. Application teams don t have to work within the constraints of a traditional network or learn everything it takes to engineer a truly scalable network. Next Generation Firewalls in Virtual Networks In concept, securing applications in virtual datacenters is much the same as in a traditional environment. A security policy needs to be defined taking into consideration the applications being accessed, the access control policies by user, and the appropriate threat protection framework. Compute virtualization and network virtualization, introduce some differences. The dynamic nature of virtual machines and the fact that machines and workloads with different trust levels can be co-located on the same physical servers and physical networks, introduces the need for visibility into the virtualized environment, in particular the need to inspect intra-host communications. The security solution must also support the highly dynamic nature of adds, changes, and moves within virtual data center while ensuring that the data center is protected against known and unknown threats. This means the ability to protect against known threats via IPS, anti-malware and anti-botnet support, and unknown threats via sandbox analysis of suspicious files. In addition, the ability to address remotely exploitable hypervisor vulnerabilities must be supported. Northbound API Big Network Controller App1 App2 App3 HYPERVISOR Figure 2: In a virtual data center, the updates to the network must be kept in synch with the network security policies. Updating these policies manually burdens security administrators with extra work and risks that an inconsistency could put risk a breach or cause an outage. 4

5 The Palo Alto Networks next-generation firewall addresses the network security requirements of virtual data centers while Big Virtual Switch delivers the network segmentation and workload isolation required to support network virtualization. The high rate of change in virtual networks, however, makes it difficult to integrate these systems manually. Open Software Defined Networking enables these systems to communicate and modify state based on changes in the network without requiring direct management of these systems at their respective consoles. This Open SDN integration enables the network and security policy to be as agile as the cloud systems and the applications and workloads that are deployed through systems such as OpenStack. By combining the network security systems and the network virtualization systems in a coordinated fashion, the process of provisioning the network and the required security policy can be transformed from a manual, slow and error-prone task that delays deployments into a seamless process that is simultaneously more efficient and more secure. Network virtualization and integration with next-generation firewalls via an Open SDN solution speed the response of the network to application requests and simplify security in a virtual data center. The key element of solution is the automated association of virtual network properties with security policies. As virtual machines are instantiated and moved within and across data centers, these changes need to be reflected in the security systems and enforced without requiring any manual configuration whatsoever. Automating this process protects applications and workloads from unauthorized access and from threats and enables network security systems to move as quickly as network virtualization and cloud computing systems, meeting business demands without delays and without risking non-compliance with regulatory mandates. RESTful Interfaces and Dynamic Objects Using the XML Management API available from Palo Alto Networks in conjunction with the northbound API from Big Virtual Switch and Big Network Controller, the system can discover the IP addresses associated with Virtual Network Segments, applications and workloads. As these addresses change, the solution updates a new address object type within PAN-OS, Dynamic Address Objects. Dynamic Address Objects can be updated via the XML API and can be referenced in security policies. When changes to the object occur, the update can be referenced within policies automatically. Setting and modifying these objects programmatically incorporates network security to data center orchestration processes with no additional, manual workflow. 1 Navigate to Address Objects 2 Choose and Name Dynamic Address Object Use Object within Security Policy Rules 3 Figure 3: Dynamic Address Objects are easy to set up within Panorama. Subsequent address updates can be completed programmatically, reducing administrator workload significantly. 5

6 As virtual servers are instantiated, terminated or migrated to new compute resources within or across data centers, Palo Alto Networks next-generation firewalls remain in lock-step with these changes because each event programmed within Big Virtual Switch is communicated to the firewall, and the Dynamic Address Objects are updated to ensure compliance without modifying the security policy. Northbound API Big Network Controller XML API App1 App2 App3 HYPERVISOR Under The Hood Figure 4: Open SDN integration using the PAN-OS XML API enables address objects to be updated without requiring manual work or a configuration change commit. The solution uses a Python-based integration layer that runs atop the Big Network Controller platform. This scripted module uses HTTPS to communicate with the next-generation firewalls and get the list of dynamic objects via the PAN-OS XML API. It then maintains a mapping of Virtual Network Segments and updates address changes in these segments by notifying PAN-OS. The steps required are: 1. Authenticate and generate a key 2. List the currently defined Dynamic Address Objects 3. Update the mapping of IP addresses that are associated with the object Generate a Key The first request generates a key, which is an authentication token that is used subsequently: 6

7 A successful request generates this response: <response status= success > <result> <key> KEY_VALUE </key> </result> </response> where KEY_VALUE is the token, such as: LUFRPT11K1BkTmpIZ1RnSHJlRHFGYkpOZTAyUDdzZmc9dEFVZHppNUlYbk54UCtmV3h6M0 6amdoVDI0SHVlczZHa2lFWkJINnZLYz0= List the current mappings The next request lists the current mappings of the available Dynamic Address Objects: dynamic-address-object></object></show>&key=key_value A successful request generates this response: <response status= success > <result> <response cmd= status status= success ><result> <entry identifier= blue ip= name= app1 vsys= vsys1 /> <entry identifier= blue ip= 1234:5678:90ab:cdef:2234:2678:20ab:2def name= app1 vsys= vsys1 /> <entry identifier= green ip= name= app2 vsys= vsys1 /> <entry identifier= green ip= fe80::250:56ff:fea0:923 name= app2 vsys= vsys1 /> </result></response> </response> Where Dynamic Address Object named app1 is configured with a link identifier of blue and DAO named app2 is configured with a link identifier of green, and the respective IP addresses are the actual IP address of these virtual servers. Update the mapping for dynamic object The final request updates the current mappings for the Dynamic Address Objects: <uid-message><version>1.0</version><type>update</type><payload><register><entry identifier= blue ip= /><entry identifier= green ip= /></ register></payload></uid-message> A successful request generates this response: <response status= success > In order to update these mappings, the module must maintain information about the current Virtual Network Segments and their associated network properties, such as the IP addresses that will be used in mappings. This information is retrieved from the controller and from Big Virtual Switch using the northbound API and, in this implementation, the Python interface to the API, which is called bsc.py. For more information on this solution or on the Python interface, please contact us at 7

8 Unified. Flexible. Open. The flexibility of this Open SDN solution overcomes the challenges of building out a significant volume of virtualized workloads by enabling automated integration with network security systems. The ability to systematically build up and change the policy objects simplifies the burden of maintaining regulatory compliance and meeting performance expectations. The onerous tasks and parades of trouble tickets associated with network change orders and traditional network security policy workflows disappear while responsibility for ensuring compliance with HIPAA, PCI, or SOX compliance is preserved. Introducing network virtualization and deploying security services by policy, without requiring manual, device-bydevice configuration can reduce a common source or delays: reconciling compliance requirements and completing the procedures of maintaining compliance. By working with existing physical systems and virtual systems and by enabling network engineers and security administrators to collaborate on a path forward to without neglecting ongoing requirements, Palo Alto Networks next-generation firewalls and Big Virtual Switch deliver a programmable network that supports software-defined network security. The combination of next-generation firewalls and Big Virtual Switch enable enterprises to realize the benefits of comprehensive shared infrastructure, optimizing the deployment and entire life cycle of applications and controlling the traffic these applications generate and process more securely. The end result is that an enterprise can reap the benefits of a private cloud while simultaneously simplifying network operations. About Big Switch Networks Big Switch Networks is the leader in open source Software-Defined Networking (SDN) products, delivering unmatched network agility, automated network provisioning, and dramatic reductions in the cost of network operations. The company s Open SDN platform offers an OpenFlow switch fabric that can run on bare metal switches and hypervisor virtual switches, and enables a wide variety of SDN network applications including data center network virtualization and network monitoring. For more information, visit 8 Headquarters 100 West Evelyn Street, Suite 110 Mountain View, CA 94041, USA Phone: or: bigswitch.com Copyright 2013 Big Switch Networks, Inc. All rights reserved. Big Switch Networks, Big Network Controller, Big Tap, Big Virtual Switch, Switch Light, Floodlight and Open SDN are trademarks or registered trademarks of Big Switch Networks, Inc. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Big Switch Networks assumes no responsibility for any inaccuracies in this document. Big Switch Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. SG03-03 July 2013