Palo Alto Networks: Security Models in the Software Defined Data Center
Christer Swartz, Palo Alto Networks, CCIE #2894
Network Overlay Boundaries & Security
Traditionally, all network overlay or tunneling technologies have created some kind of smart edge, where the forwarding decision or encapsulation occurs, and a dumb core focused on fast switching. Examples are MPLS, TRILL, FabricPath, QFabric, etc. In all of these, the edge has been a piece of networking hardware, and these technologies have been initiated by networking hardware. Firewalls have traditionally been deployed at the boundary between this network edge and the end-systems.
[Diagram: servers, firewall, smart edge, dumb core (Data Center Core Network), firewall, servers]
Network Overlay Boundaries & Security
But with emerging SDN technologies, overlays can be initiated from hosts. The network edge can now be a host, with the entire physical network focused on dumb, fast switching. Examples are VXLAN, NVGRE, and STT. Hardware firewalls deployed in the physical network core now only see North/South traffic that exits a physical host; they see neither East/West traffic within a host nor traffic inside overlay tunnels.
[Diagram: servers as the smart edge on each side, firewalls, dumb core (Data Center Core Network) carrying a VXLAN tunnel between the servers]
Firewalls
In order to maintain visibility into East/West traffic, and into the contents of overlay tunnels initiated from hosts, virtual firewalls need to be deployed within the host systems. To maintain full security visibility across the entire data center, physical and virtual firewalls need to coordinate policy and network intelligence.
[Diagram: a firewall inside each server at the smart edge, plus physical firewalls at the dumb core (Data Center Core Network)]
Why place any firewall in a virtual topology?
- Web / App / DB isolation
- PCI / non-PCI isolation
- Malware, virus
- Administrative isolation
- Dev / production isolation
- Whitelisting
[Diagram: "VM firewall?" between the VMs and the VM switch in the hypervisor; hardware firewalls at the Data Center Core Network]
How do firewalls define Applications?
Traditional: Applications = TCP/UDP ports
Next Gen: Applications = data payload signatures
Build rules against applications, not ports
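The difference between the two definitions on the previous slides, worked through in code. This is an added example, not code from the deck or from Palo Alto Networks: the port table, the payload patterns and the application names are constructed for illustration and are not App-ID signatures. It classifies the same constructed flows once by destination port and once by the first payload bytes, then applies a rule that allows only "web-browsing", so the reader can see which flows a port-based rule lets through that a signature-based rule does not.

```python
"""Port-based vs. signature-based application identification (added example)."""
import re

# Traditional model: the destination port *is* the application.
PORT_TABLE = {80: "web-browsing", 443: "ssl", 22: "ssh", 3306: "mysql"}

# Next-gen model: the first payload bytes identify the application, whatever
# port the server happens to listen on. Patterns below are illustrative only.
PAYLOAD_SIGNATURES = [
    ("web-browsing", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("ssh",          re.compile(rb"^SSH-2\.0-")),
    ("ssl",          re.compile(rb"^\x16\x03[\x00-\x03]")),  # TLS handshake record header
    ("mysql",        re.compile(rb"^.{4}\x0a\d+\.\d+\.\d+\x00", re.DOTALL)),  # server greeting, protocol 10
]

def classify_by_port(dst_port):
    return PORT_TABLE.get(dst_port, "unknown")

def classify_by_payload(first_bytes):
    for app, pattern in PAYLOAD_SIGNATURES:
        if pattern.match(first_bytes):
            return app
    return "unknown"

def rule_allows(app, allowed_apps):
    """A rule written against applications, not ports."""
    return app in allowed_apps

# Constructed sample flows: (description, dst_port, first payload bytes seen)
SAMPLE_FLOWS = [
    ("normal web request",            80,   b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    ("ssh hidden on port 80",         80,   b"SSH-2.0-OpenSSH_6.6\r\n"),
    ("https on a non-standard port",  8443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("mysql greeting on 3306",        3306, b"\x4a\x00\x00\x00\x0a5.6.20\x00\x08\x00\x00\x00"),
]

def evaluate(flows=SAMPLE_FLOWS, allowed_apps=("web-browsing",)):
    """Return [(description, port_app, payload_app, port_verdict, payload_verdict)]."""
    results = []
    for desc, port, payload in flows:
        by_port = classify_by_port(port)
        by_sig = classify_by_payload(payload)
        results.append((desc, by_port, by_sig,
                        rule_allows(by_port, allowed_apps),
                        rule_allows(by_sig, allowed_apps)))
    return results

if __name__ == "__main__":
    for desc, p, s, pv, sv in evaluate():
        print(f"{desc:32} port-based={p:13} allow={pv!s:5} signature-based={s:13} allow={sv}")
```

The second flow is the point of the slide: a port-only firewall files SSH on port 80 under "web-browsing" and permits it, while the payload classifier names it "ssh" and the same rule denies it.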
Track Apps, Content, & Users, not IPs
[Diagram: SQL, SQL, SharePoint]
Writing Security Policy based on tags, not IPs
Dynamic Address Groups (VMware vCenter or ESXi inventory → PAN-OS Dynamic Address Groups)

VMware vCenter / ESXi inventory:
Name         IP         Guest OS       Container
web-sjc-01   10.1.1.2   Ubuntu 12.04   Web
sp-sjc-04    10.1.5.4   Win 2008 R2    SharePoint
web-sjc-02   10.1.1.3   Ubuntu 12.04   Web
exch-mia-03  10.4.2.2   Win 2008 R2    Exchange
exch-dfw-03  10.4.2.3   Win 2008 R2    Exchange
sp-mia-07    10.1.5.8   Win 2008 R2    SharePoint
db-mia-01    10.5.1.5   Ubuntu 12.04   MySQL
db-dfw-02    10.5.1.2   Ubuntu 12.04   MySQL
db-mia-05    10.5.1.9   Ubuntu 12.04   MySQL

PAN-OS Dynamic Address Groups:
Name                         Tags                           Addresses
SharePoint Servers           SharePoint, Win 2008 R2, sp    10.1.5.4, 10.1.5.8
MySQL Servers                MySQL, Ubuntu 12.04, db        10.5.1.5, 10.5.1.2, 10.5.1.9
Miami DC                     mia                            10.4.2.2, 10.1.5.8, 10.5.1.5
San Jose Linux Web Servers   sjc, web, Ubuntu 12.04         10.1.1.2, 10.1.1.3

PAN-OS Security Policy (Source / Destination / Action): rules reference the groups above (SharePoint Servers, MySQL Servers, San Jose Linux Web Servers, Miami DC) rather than IP addresses.
Consistent Security Policy across entire DC
Central management for virtual & physical firewalls.
[Diagram: three hypervisors and two PA-7050 chassis under one central management]
Data Center Firewall Deployment Models
1. Physical firewall (PAN, SRX, ASA)
2. Linux container, Docker (possible future; only iptables today)
3. Kernel module firewall (NSX DFW, Juniper Firefly Host)
4. VM firewall between VLANs (PAN Gateway, Cisco vASA)
5. VM firewalls inspecting packets at source, VM-to-VM steering (PAN VM-1000-HV firewall)
6. Endpoint security software (Cyvera, Symantec, iptables)
[Diagram: VLAN 100 and VLAN 200 on a vswitch inside the hypervisor, with the models stacked from the physical network (1) up to the endpoint (6)]
2 Different Firewall Types
Gateway VM Firewall, using vSphere: We reside within the network topology, as in a traditional network. We see packets after they reach the network stack. Security occurs within the network.
VM-1000-HV VM Firewall, using NSX: Traffic is steered to us for inspection above the forwarding plane, so security is applied before packets ever reach the network stack. Security now has zero impact on network topology, since security is abstracted from the network. Security is abstracted above the network.
[Diagram: gateway model, VM-1 and VM-2 on a vShield / VMware switch in the hypervisor (ESX & ESXi) with PAN in the path to the Data Center Core Network; NSX model, VM-1 and VM-2 on a VMware switch with traffic steered to PAN above the forwarding plane (Step-1, Step-2, Step-3) before reaching the Data Center Core Network]
Phase 1: Just trunk all VLANs to server uplinks
[Diagram: VMs on a physical host / hypervisor, VLANs trunked to the top-of-rack switch, hardware firewall]
Easy for hardware firewalls to go blind
[Diagram: VMs on a physical host / hypervisor with a logical router between the VLANs (Quagga, Vyatta, Halon, VMware DLR & ESG, static routes in Linux, etc.); top-of-rack switch; hardware firewall]
VM Firewall
[Diagram: VM-A on Port Group-A and VM-B on Port Group-B, vShield switch in the hypervisor (ESX & ESXi), Data Center Core Network]
Hypervisor-Aware Firewall
[Diagram: VM-A and VM-B on one port group, switch in the hypervisor (ESX & ESXi), Data Center Core Network]
VMware NSX Distributed Firewall
Performs stateful firewalling.
[Diagram: distributed port groups spanning Hypervisor A and Hypervisor B, NSX Distributed Firewall on each]
Augmenting the Distributed Firewall
Deep-packet firewalling.
[Diagram: distributed port groups spanning Hypervisor A and Hypervisor B, NSX Distributed Firewall plus a PAN VM firewall on each hypervisor]
Security Policy above the Forwarding Plane
1. The NetX API redirects data flows to us (the PAN VM firewall).
2. We hand traffic back to the filter.
3. Only then does the packet reach any network segment.
[Diagram: Web, App and DB VMs on a hypervisor; NSX Distributed Firewall sitting above the switch forwarding plane]
SDN Controllers
Protocols:
- OpenFlow
- NetConf
- XMPP
- I2RS
Controllers:
- Juniper Contrail
- OpenDaylight
- Nuage
- Google's Andromeda
[Diagram: SDN controller above switches and routers; hardware firewalls???]
SDN Controllers
Hardware firewalls: transparent (vwire).
[Diagram: SDN controller above switches and routers; hardware firewalls inserted in vwire mode]
SDN: Service Chaining & NFV
NFV (Network Functions Virtualization) nodes: Palo Alto Networks firewall, load-balancer, WAN accelerator.
[Diagram: SDN controller above three switches; VM-1 (Tenant 1) and VM-2 (Tenant 2) each steered through their own chain of NFV nodes (Service Chain-1, Service Chain-2)]
Service Chaining Tunnel Types
Different controllers use different tunnels to define a service chain. These tunnels terminate at the vswitch, not at the services themselves.
- MPLS
- VXLAN
- GRE
- GENEVE
[Diagram: firewall, load-balancer, WAN accelerator; VM-1 (Tenant 1), VM-2 (Tenant 2); VLANs and VXLANs across three switches]
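What "tunnels terminate at the vswitch" means for an inspection point in the core, as an added example that is not from the deck or from any vendor: a device on the physical network sees only the outer Ethernet / IP / UDP headers of an overlay frame, and must strip the VXLAN header before it can apply policy to the tenant flow. The packet bytes are constructed inline; the VTEP addresses (192.0.2.x), MAC addresses and VNI 5000 are made up, while the inner 10.1.1.2 → 10.5.1.5 flow reuses two addresses from the deck's inventory table (a web VM talking to a MySQL VM).

```python
"""Decapsulating a VXLAN frame to recover the tenant 5-tuple (added example)."""
import socket
import struct

VXLAN_PORT = 4789   # IANA-assigned UDP port for VXLAN (RFC 7348)
ETH_LEN = 14
VXLAN_LEN = 8

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_ethernet(frame):
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {"dst": _mac(frame[:6]), "src": _mac(frame[6:12]), "type": ethertype}, frame[ETH_LEN:]

def parse_ipv4(data):
    ihl = (data[0] & 0x0F) * 4          # header length in bytes
    return {"src": socket.inet_ntoa(data[12:16]),
            "dst": socket.inet_ntoa(data[16:20]),
            "proto": data[9]}, data[ihl:]

def parse_udp(data):
    sport, dport, _length, _csum = struct.unpack("!HHHH", data[:8])
    return {"sport": sport, "dport": dport}, data[8:]

def parse_tcp(data):
    sport, dport = struct.unpack("!HH", data[:4])
    return {"sport": sport, "dport": dport}

def parse_vxlan(data):
    """VXLAN header: flags (I bit 0x08 = VNI valid), 24 reserved bits,
    24-bit VNI, 8 reserved bits. Returns (vni, inner Ethernet frame)."""
    if not data[0] & 0x08:
        raise ValueError("VXLAN I flag not set; VNI not valid")
    return int.from_bytes(data[4:7], "big"), data[VXLAN_LEN:]

def inspect(frame):
    """Return what the core sees (outer) and, if VXLAN, the tenant flow (inner)."""
    _outer_eth, rest = parse_ethernet(frame)
    outer_ip, rest = parse_ipv4(rest)
    if outer_ip["proto"] != 17:                      # not UDP: no overlay here
        return {"outer": outer_ip, "inner": None}
    outer_udp, rest = parse_udp(rest)
    if outer_udp["dport"] != VXLAN_PORT:
        return {"outer": {**outer_ip, **outer_udp}, "inner": None}
    vni, inner_frame = parse_vxlan(rest)
    _inner_eth, rest = parse_ethernet(inner_frame)
    inner_ip, rest = parse_ipv4(rest)
    inner_l4 = parse_tcp(rest) if inner_ip["proto"] == 6 else {}
    return {"outer": {"src": outer_ip["src"], "dst": outer_ip["dst"], "udp_dport": outer_udp["dport"]},
            "vni": vni,
            "inner": {**inner_ip, **inner_l4}}

# --- constructed sample: VTEP 192.0.2.10 -> 192.0.2.20, VNI 5000, tenant flow
#     10.1.1.2:51000 -> 10.5.1.5:3306 (checksums left zero; not needed for parsing)
def build_ipv4(src, dst, proto, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_sample():
    inner_tcp = struct.pack("!HHIIBBHHH", 51000, 3306, 0, 0, 0x50, 0x02, 8192, 0, 0)  # SYN
    inner_ip = build_ipv4("10.1.1.2", "10.5.1.5", 6, len(inner_tcp))
    inner_eth = bytes.fromhex("00005e005302" "00005e005301" "0800")
    vxlan = struct.pack("!B3s3sB", 0x08, b"\x00\x00\x00", (5000).to_bytes(3, "big"), 0)
    udp_payload = vxlan + inner_eth + inner_ip + inner_tcp
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(udp_payload), 0) + udp_payload
    outer_ip = build_ipv4("192.0.2.10", "192.0.2.20", 17, len(udp))
    outer_eth = bytes.fromhex("00005e0053aa" "00005e0053bb" "0800")
    return outer_eth + outer_ip + udp

if __name__ == "__main__":
    print(inspect(build_sample()))
```

Without the decapsulation step, a rule on this device could only match "192.0.2.10 → 192.0.2.20 UDP/4789", which says nothing about which tenant or which VM is talking; this is the visibility gap the earlier slides describe for hardware firewalls in the core.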
SDN-derived protocols: Arista DirectFlow Assist
The firewall points to the Arista switch as a syslog server; the switch forwards initial packets to us for a decision.
[Diagram: Arista switch connected by 10 Gig links to the firewall, physical or virtual]
Orchestration: Template model or Plugin model
Template model: APIs imported into the Cloud OS as templates or agents, such as CloudStack.
Plugin model: APIs contained in a plugin written by each vendor, such as OpenStack (Nova module, Swift module, Neutron module, plugins).
CloudStack Orchestration: APIs via templates
- External network.
- Firewall deployed as a CloudStack Service Provider using VRs.
- CloudStack router doing DNS & DHCP.
- CloudStack pod networks.
2014, Palo Alto Networks. Confidential and Proprietary.
OpenStack Multi-Tenant Cloud
[Diagram: external network; Private Network 1 with VMs for Tenant 1; Private Network 2 with VMs for Tenant 2]
Dynamic Address Groups via REST API
An orchestration system or scripts (Puppet, Chef, Ansible, etc.) harvest IPs and tags from the Cloud OS database and deliver them to PAN-OS Dynamic Address Groups via REST API calls, either pushed by the orchestration system or pulled by the firewall.

PAN-OS Dynamic Address Groups:
Name                         Tags                           Addresses
SharePoint Servers           SharePoint, Win 2008 R2, sp    10.1.5.4, 10.1.5.8
MySQL Servers                MySQL, Ubuntu 12.04, db        10.5.1.5, 10.5.1.2, 10.5.1.9
Miami DC                     mia                            10.4.2.2, 10.1.5.8, 10.5.1.5
San Jose Linux Web Servers   sjc, web, Ubuntu 12.04         10.1.1.2, 10.1.1.3
Data Center Ecosystem
[Diagram: firewalls at the center, connected to cloud-based threat intelligence; central management; hypervisor communication (multiple hypervisors); endpoint security software; hardware firewalls; orchestration / automation (SDK, API, etc.); OSPF, BGP; VSYS, VR]