SOLUTION GUIDE

Deploying Advanced Firewalls in Dynamic Virtual Networks

Enterprise-Ready Security for Network Virtualization
This solution guide describes how to simplify deploying virtualization security and network virtualization with Palo Alto Networks next-generation firewalls and the Big Virtual Switch application from Big Switch Networks. The combination of Dynamic Address Objects and the XML Management API in the Palo Alto Networks operating system (PAN-OS), and the northbound API exposed by Big Network Controller and Big Virtual Switch, enable network engineers and security administrators to automate the definition and management of security policies. This solution reduces the complexity of data center configuration, avoids repetitive and manual configuration changes and enables staff to become more productive by automating the tasks required to roll out new workloads or to secure existing deployments. The solution leverages programmability available in next-generation firewalls and the Network Application platform from Big Switch Networks, Big Network Controller, to make your data center network programmable: unified, flexible, and more cost effective.

Table of Contents

The Challenge and Promise of Cloud Networks
Next Generation Firewalls in Virtual Networks
RESTful Interfaces and Dynamic Objects
Under The Hood
  Generate a Key
  List the current mappings
  Update the mapping for dynamic object
Unified. Flexible. Open.
About Big Switch Networks
The Challenge and Promise of Cloud Networks

Big Virtual Switch, a network virtualization application from Big Switch Networks, makes your network as agile and dynamic as your other cloud infrastructure.

To extract the value of private clouds, you must embrace automation. Significant degrees of automation have been achieved in compute and storage deployment and operations. The same cannot be said of networks. Network virtualization has lagged behind other technologies in the data center and has posed a barrier to delivering a truly virtual data center. The network now poses a productivity barrier because the output of automated compute deployment tools is often held up by the need for network change orders to be completed manually.

Big Virtual Switch, a network virtualization application from Big Switch Networks, provides a solution to these challenges, making your network as agile and dynamic as your public cloud infrastructure. The solution supports existing physical systems, including firewall appliances, and can program both physical and virtual switches to meet the requirements of application instances. Big Virtual Switch can integrate with next generation firewalls, enabling the networking and security teams to work more efficiently. Big Virtual Switch delivers a degree of automation that was once thought impossible to achieve, enabling the use of abstractions to pool resources and providing a robust implementation for programming the network while cleanly separating the network engineering duties from other tasks. Instead of using traditional static network configuration constructs like VLANs and subnets that can't scale to the needs of private clouds, Big Virtual Switch delivers a flexible, unified, and dramatically more efficient approach to scaling data center networks for cloud deployments.
The combination of Palo Alto Networks next-generation firewalls and Big Virtual Switch solves the challenges of securing virtual workloads with virtual networks, enabling enterprises to reap the benefits of a private cloud while simultaneously reducing risk and simplifying network operations.

Figure 1: Big Network Controller has at its core the open-source SDN controller, Floodlight, which is Apache licensed.

Often, to accommodate the limitations of device-oriented networks and the risk of manual change orders, traditional networks must move slowly, tracking each modification with rigorous change control and tying the network design to physical systems and their associated application workloads. For example, tying a VLAN and a subnet to an application and then configuring those network properties directly into devices defeats the very purpose of server virtualization and cloud architectures. These designs are optimized to limit configuration errors and fix the settings to avoid an outage and to simplify the burden of maintaining compliance with regulations that require traffic isolation and other security policy enforcement. For example, in a traditional design, a VLAN is often coupled to a subnet and that subnet might be coupled to a specific rack or a set of racks and networking systems. Such configurations result in inflexible architectures that are slow to respond to business needs, slowing application ramp times due to personnel constraints or due to the costs required to build out all the systems required for an application.

Big Virtual Switch solves these problems, driving the benefits of virtualization and automation into the network. With Big Virtual Switch, the underlying network can be dynamically and automatically sliced into segments according to corporate security and compliance policies. Network engineers don't have to work a task list with dozens of tasks associated with each new workload request. Application teams don't have to work within the constraints of a traditional network or learn everything it takes to engineer a truly scalable network.

Next Generation Firewalls in Virtual Networks

In concept, securing applications in virtual datacenters is much the same as in a traditional environment. A security policy needs to be defined taking into consideration the applications being accessed, the access control policies by user, and the appropriate threat protection framework. Compute virtualization and network virtualization introduce some differences.
The dynamic nature of virtual machines, and the fact that machines and workloads with different trust levels can be co-located on the same physical servers and physical networks, introduces the need for visibility into the virtualized environment, in particular the need to inspect intra-host communications. The security solution must also support the highly dynamic nature of adds, changes, and moves within the virtual data center while ensuring that the data center is protected against known and unknown threats. This means the ability to protect against known threats via IPS, anti-malware and anti-botnet support, and unknown threats via sandbox analysis of suspicious files. In addition, the ability to address remotely exploitable hypervisor vulnerabilities must be supported.

Figure 2: In a virtual data center, the updates to the network must be kept in sync with the network security policies. Updating these policies manually burdens security administrators with extra work and risks that an inconsistency could lead to a breach or cause an outage.
The Palo Alto Networks next-generation firewall addresses the network security requirements of virtual data centers while Big Virtual Switch delivers the network segmentation and workload isolation required to support network virtualization. The high rate of change in virtual networks, however, makes it difficult to integrate these systems manually. Open Software Defined Networking enables these systems to communicate and modify state based on changes in the network without requiring direct management of these systems at their respective consoles. This Open SDN integration enables the network and security policy to be as agile as the cloud systems and the applications and workloads that are deployed through systems such as OpenStack. By combining the network security systems and the network virtualization systems in a coordinated fashion, the process of provisioning the network and the required security policy can be transformed from a manual, slow and error-prone task that delays deployments into a seamless process that is simultaneously more efficient and more secure.

Network virtualization and integration with next-generation firewalls via an Open SDN solution speed the response of the network to application requests and simplify security in a virtual data center. The key element of the solution is the automated association of virtual network properties with security policies. As virtual machines are instantiated and moved within and across data centers, these changes need to be reflected in the security systems and enforced without requiring any manual configuration whatsoever. Automating this process protects applications and workloads from unauthorized access and from threats and enables network security systems to move as quickly as network virtualization and cloud computing systems, meeting business demands without delays and without risking non-compliance with regulatory mandates.
RESTful Interfaces and Dynamic Objects

Using the XML Management API available from Palo Alto Networks in conjunction with the northbound API from Big Virtual Switch and Big Network Controller, the system can discover the IP addresses associated with Virtual Network Segments, applications and workloads. As these addresses change, the solution updates a new address object type within PAN-OS, Dynamic Address Objects. Dynamic Address Objects can be updated via the XML API and can be referenced in security policies. When changes to the object occur, the update is reflected in the policies that reference it automatically. Setting and modifying these objects programmatically incorporates network security into data center orchestration processes with no additional, manual workflow.

Figure 3: Dynamic Address Objects are easy to set up within Panorama (1: navigate to Address Objects; 2: choose and name the Dynamic Address Object; 3: use the object within Security Policy rules). Subsequent address updates can be completed programmatically, reducing administrator workload significantly.
As virtual servers are instantiated, terminated or migrated to new compute resources within or across data centers, Palo Alto Networks next-generation firewalls remain in lock-step with these changes because each event programmed within Big Virtual Switch is communicated to the firewall, and the Dynamic Address Objects are updated to ensure compliance without modifying the security policy.

Figure 4: Open SDN integration using the PAN-OS XML API enables address objects to be updated without requiring manual work or a configuration change commit.

Under The Hood

The solution uses a Python-based integration layer that runs atop the Big Network Controller platform. This scripted module uses HTTPS to communicate with the next-generation firewalls and get the list of dynamic objects via the PAN-OS XML API. It then maintains a mapping of Virtual Network Segments and updates address changes in these segments by notifying PAN-OS. The steps required are:

1. Authenticate and generate a key
2. List the currently defined Dynamic Address Objects
3. Update the mapping of IP addresses that are associated with the object

Generate a Key

The first request generates a key, which is an authentication token used by all subsequent requests:

https://firewall_host/api/?type=keygen&user=admin&password=admin
A successful request generates this response:

<response status="success">
  <result>
    <key>KEY_VALUE</key>
  </result>
</response>

where KEY_VALUE is the token, such as:

LUFRPT11K1BkTmpIZ1RnSHJlRHFGYkpOZTAyUDdzZmc9dEFVZHppNUlYbk54UCtmV3h6M06amdoVDI0SHVlczZHa2lFWkJINnZLYz0=

List the current mappings

The next request lists the current mappings of the available Dynamic Address Objects:

https://firewall_host/api/?type=op&cmd=<show><object><dynamic-address-object><all></all></dynamic-address-object></object></show>&key=KEY_VALUE

A successful request generates this response:

<response status="success">
  <result>
    <response cmd="status" status="success">
      <result>
        <entry identifier="blue" ip="192.168.220.20" name="app1" vsys="vsys1"/>
        <entry identifier="blue" ip="1234:5678:90ab:cdef:2234:2678:20ab:2def" name="app1" vsys="vsys1"/>
        <entry identifier="green" ip="192.168.220.19" name="app2" vsys="vsys1"/>
        <entry identifier="green" ip="fe80::250:56ff:fea0:923" name="app2" vsys="vsys1"/>
      </result>
    </response>
  </result>
</response>

Here the Dynamic Address Object named app1 is configured with a link identifier of blue, the DAO named app2 is configured with a link identifier of green, and the respective IP addresses are the actual IP addresses of these virtual servers.

Update the mapping for dynamic object

The final request updates the current mappings for the Dynamic Address Objects:

https://firewall_host/api/?type=user-id&key=KEY_VALUE&action=set&vsys=vsys1&cmd=<uid-message><version>1.0</version><type>update</type><payload><register><entry identifier="blue" ip="10.1.200.127"/><entry identifier="green" ip="10.1.200.135"/></register></payload></uid-message>

A successful request generates a response with a success status:

<response status="success">

In order to update these mappings, the module must maintain information about the current Virtual Network Segments and their associated network properties, such as the IP addresses that will be used in mappings.
This information is retrieved from the controller and from Big Virtual Switch using the northbound API and, in this implementation, the Python interface to the API, which is called bsc.py. For more information on this solution or on the Python interface, please contact us at http://www.bigswitch.com/contact.
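As an added example (not the guide's integration module and not Big Switch's bsc.py), the Python helpers below build the three request URLs, parse the keygen and list responses, work out which Dynamic Address Object entries actually need re-registering, and serialise the uid-message register payload; the host name, the sample responses and the desired addresses are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

def api_url(host, **params):
    """Build https://<host>/api/?...  The password and key travel in the query
    string, so keep these URLs out of logs and verify the firewall's TLS cert."""
    return f"https://{host}/api/?{urlencode(params)}"

def parse_keygen(xml_text):
    """Return the API key from a keygen response, failing loudly on any error."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(f"keygen failed: {xml_text}")
    return root.findtext("result/key").strip()

def parse_dao_list(xml_text):
    """Map link identifier -> set of IPs currently registered on the firewall."""
    current = {}
    for entry in ET.fromstring(xml_text).iter("entry"):
        current.setdefault(entry.get("identifier"), set()).add(entry.get("ip"))
    return current

def pending_updates(current, desired):
    """Entries whose desired IP (from the controller) is not yet registered."""
    return {ident: ip for ident, ip in desired.items()
            if ip not in current.get(ident, set())}

def build_register_cmd(updates):
    """Serialise the <uid-message> register payload for the update step."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    reg = ET.SubElement(ET.SubElement(msg, "payload"), "register")
    for ident, ip in sorted(updates.items()):
        ET.SubElement(reg, "entry", identifier=ident, ip=ip)
    return ET.tostring(msg, encoding="unicode")

# Constructed sample responses: shape taken from the guide, values made up.
KEYGEN_RESPONSE = "<response status='success'><result><key> EXAMPLE_KEY </key></result></response>"
LIST_RESPONSE = """<response status='success'><result><response cmd='status' status='success'>
<result><entry identifier='blue' ip='192.168.220.20' name='app1' vsys='vsys1'/>
<entry identifier='green' ip='192.168.220.19' name='app2' vsys='vsys1'/>
</result></response></result></response>"""

if __name__ == "__main__":
    key = parse_keygen(KEYGEN_RESPONSE)
    todo = pending_updates(parse_dao_list(LIST_RESPONSE), {"blue": "10.1.200.127"})
    print(api_url("firewall_host", type="user-id", key=key, action="set",
                  vsys="vsys1", cmd=build_register_cmd(todo)))
```

Only entries whose address has changed are sent, so an unchanged segment never triggers a register call.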
Unified. Flexible. Open.

The flexibility of this Open SDN solution overcomes the challenges of building out a significant volume of virtualized workloads by enabling automated integration with network security systems. The ability to systematically build up and change the policy objects simplifies the burden of maintaining regulatory compliance and meeting performance expectations. The onerous tasks and parades of trouble tickets associated with network change orders and traditional network security policy workflows disappear while responsibility for ensuring compliance with HIPAA, PCI, or SOX is preserved. Introducing network virtualization and deploying security services by policy, without requiring manual, device-by-device configuration, can reduce a common source of delays: reconciling compliance requirements and completing the procedures of maintaining compliance.

By working with existing physical systems and virtual systems and by enabling network engineers and security administrators to collaborate on a path forward without neglecting ongoing requirements, Palo Alto Networks next-generation firewalls and Big Virtual Switch deliver a programmable network that supports software-defined network security. The combination of next-generation firewalls and Big Virtual Switch enables enterprises to realize the benefits of comprehensive shared infrastructure, optimizing the deployment and entire life cycle of applications and controlling the traffic these applications generate and process more securely. The end result is that an enterprise can reap the benefits of a private cloud while simultaneously simplifying network operations.

About Big Switch Networks

Big Switch Networks is the leader in open source Software-Defined Networking (SDN) products, delivering unmatched network agility, automated network provisioning, and dramatic reductions in the cost of network operations.
The company's Open SDN platform offers an OpenFlow switch fabric that can run on bare metal switches and hypervisor virtual switches, and enables a wide variety of SDN network applications including data center network virtualization and network monitoring. For more information, visit www.bigswitch.com

Headquarters: 100 West Evelyn Street, Suite 110, Mountain View, CA 94041, USA
Phone: +1.650.322.6510 or +1.800.653.0565
bigswitch.com

Copyright 2013 Big Switch Networks, Inc. All rights reserved. Big Switch Networks, Big Network Controller, Big Tap, Big Virtual Switch, Switch Light, Floodlight and Open SDN are trademarks or registered trademarks of Big Switch Networks, Inc. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.

SG03-03 July 2013