FIREWALL - NETWORK FUNCTION VIRTUALIZATION June 2013
FIREWALL USE-CASE: MULTI-TIER APPLICATION

[Slide diagram: the CloudBand Management System (Service Catalogue, Ready Application Menu with vFirewall and vLoad Balancer, Recipe (app), Service on-boarding) sits over Compute / Storage / Network; Enterprise and Cloud Data Centers are joined through Access Network, VPN and Backbone Network. Logical representation: Web, App and DB zones on hypervisor and server hardware, with FW-1 in front of the Web zone (optional LB-1), FW-2 between Web and App zones and FW-3 between App and DB zones.]

Multi-Tier Application: Example
- Permit port 80 and 443 for the web zone
- Permit port 22/xxx on the DB zone
- Allow communication between Web and App zone only
- Allow communication between App and DB zone only
- Explicitly deny all other traffic to the zones

Firewall rules per tier:
- FW-1 (Web zone): allow port 80/443; deny everything else
- FW-2 (Web to App): allow port xxxx (e.g. JBoss port) only from Web zone to/from App zone; deny everything else
- FW-3 (App to DB): allow port 22/xxx only from App zone to/from DB zone; deny everything else
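The three rule sets above, written as a Vyatta zone-policy configuration. This is an added example, not material from the deck and not Alcatel-Lucent's or Vyatta's own code. The interface-to-zone mapping (eth0 outside, eth1 Web, eth2 App, eth3 DB), port 8080 standing in for the slide's "xxxx (e.g. JBOSS port)" and port 3306 standing in for the DB half of "22/xxx" are assumptions. The slide deploys FW-1, FW-2 and FW-3 as three separate VNFs; here all three are collapsed onto one instance so the zone pairing and the explicit default deny are visible in one place.

```vyatta
#!/bin/vbash
# Added example: three-tier zone policy on a single Vyatta instance.
# Assumed interface/zone mapping (not from the slide):
#   eth0 = OUTSIDE (public IP), eth1 = WEB zone, eth2 = APP zone, eth3 = DB zone
# Assumed ports: 8080 stands in for "xxxx (e.g. JBOSS port)",
#                3306 stands in for the DB port in "22/xxx" (22 = SSH, as on the slide).
source /opt/vyatta/etc/functions/script-template
configure

# Replies to permitted sessions are accepted globally; this is the "to/from"
# direction on the slide without opening any reverse port.
set firewall state-policy established action accept
set firewall state-policy related action accept
set firewall state-policy invalid action drop

# FW-1: outside -> Web zone, only 80/443, deny everything else
set firewall name OUTSIDE-TO-WEB default-action drop
set firewall name OUTSIDE-TO-WEB rule 10 action accept
set firewall name OUTSIDE-TO-WEB rule 10 protocol tcp
set firewall name OUTSIDE-TO-WEB rule 10 destination port 80,443

# FW-2: Web zone -> App zone, only the application port, deny everything else
set firewall name WEB-TO-APP default-action drop
set firewall name WEB-TO-APP rule 10 action accept
set firewall name WEB-TO-APP rule 10 protocol tcp
set firewall name WEB-TO-APP rule 10 destination port 8080

# FW-3: App zone -> DB zone, only SSH and the DB port, deny everything else
set firewall name APP-TO-DB default-action drop
set firewall name APP-TO-DB rule 10 action accept
set firewall name APP-TO-DB rule 10 protocol tcp
set firewall name APP-TO-DB rule 10 destination port 22,3306

# Zones: each zone drops by default and only accepts traffic from the one
# zone it is paired with. Outside -> App or Web -> DB has no "from" pairing,
# so it is dropped before any ruleset is consulted.
set zone-policy zone OUTSIDE default-action drop
set zone-policy zone OUTSIDE interface eth0

set zone-policy zone WEB default-action drop
set zone-policy zone WEB interface eth1
set zone-policy zone WEB from OUTSIDE firewall name OUTSIDE-TO-WEB

set zone-policy zone APP default-action drop
set zone-policy zone APP interface eth2
set zone-policy zone APP from WEB firewall name WEB-TO-APP

set zone-policy zone DB default-action drop
set zone-policy zone DB interface eth3
set zone-policy zone DB from APP firewall name APP-TO-DB

commit
save
exit
```

Run it as a vbash script on the instance (or paste the `set` lines into a `configure` session). "Deny everything else" is enforced twice: the zone `default-action drop` catches any zone pair that has no `from` entry, and each named ruleset's `default-action drop` catches any port not listed for a pair that does. When the three firewalls are deployed as separate VNFs as on the slide, each instance carries just its own zone pair and ruleset; the pairing logic is unchanged.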
FIREWALL CLOUDIFICATION BENEFITS: OPERATIONAL ASPECTS

Attribute: Appliance
  Conventional: Hardware appliance or software application on a generic server (bare-metal), architected for peak capacity
  CloudBand: Virtualized software appliance on cloud infrastructure, architected for current capacity

Attribute: Deployment
  Conventional: Site engineer investigates; deployment engineer installs, configures and provisions the system and monitors health
  CloudBand: Management and Orchestration system deploys a new instance with standard configuration and automatically monitors health

Attribute: Scale
  Conventional: Add new cards/blades/servers into the system hardware and perform re-configuration (re-architect with capacity planning)
  CloudBand: Orchestration system adds additional instances of the appliance and automatically adds them to the load-balanced pool

Attribute: Upgrade
  Conventional: Replace the existing blade with a new, upgraded blade
  CloudBand: Upgrade a new virtual instance and just switch traffic to it; delete the old instance

Attribute: Operations
  Conventional: Hardware, OS, Application, Alarms
  CloudBand: OS, Hypervisor, Application, Alarms

Attribute: Multi-tenancy
  Conventional: Service partitioning of hardware-based systems can be quite cumbersome, or deploy multiple parallel hardware/software systems
  CloudBand: Simply create a new service slice by deploying a new application instance and service-chaining it with other NFV components
CloudBand NFV Platform: Virtual Firewalls

Firewall as Virtualized Network Function (VNF) Use Case
[Slide diagram: Firewall VNF and Load Balance VNF on the CloudBand NFV Platform.]
Virtualized, software-based firewall deployed as VNFs on the CloudBand NFV Platform to create a distributed, scalable, highly-available and secure cloud-based application delivery solution:
- Automated, one-touch deployment of the firewall VNF application
- Single mode or VRRP-based High Availability deployment mode for reliability
- VNF self-healing with up-to-date configuration state
- Full life cycle management of the application
- Service chaining with other VNF applications

Value Proposition: Vyatta FW on NFV Platform
- New Business Models & Offerings: ability to create new service offerings and business models such as firewall as a service with multi-tenancy (a new revenue stream)
- Elastic, Scalable and High-performance: built-in mechanisms for rapid and infinite scalability, elasticity and performance based on demand, all on a multi-version, multi-tenant deployment
- Service Agility: accelerated service realization through rapid instance deployments dramatically reduces time to market; service chaining with other NFV components creates new services easily
- Lower TCO: streamlined operations and processes with cookie-cutter deployments on high-volume, COTS hardware

CloudBand NFV Platform: Benefits/Differentiators
- Versatile NFV Platform: industry-leading NFV platform with development since 2011, even before NFV was formed; fully automated, distributed deployment for NFV apps with cpaas control
- Central Management & Orchestration: centralized management and orchestration framework for provisioning, deploying, configuring and operating NFV applications
- Multi-Tenancy: multi-tenant deployment with per-tenant monitoring, auditing and reports
- Service Provisioning: rapid, cookie-cutter-based service provisioning and configuration of multiple isolated instances in a multi-tenant deployment
VYATTA FIREWALL ON CLOUDBAND DEPLOYMENT

[Slide diagram: a traffic generation client (e.g. browser) reaches the Vyatta Firewall's public IP over HTTP; behind the firewall sit Web Server-1, App Server-2 and DB Server-3, each on a cpaas node; the CBMS network and the CloudBand Management Network connect the firewall and servers to the Configuration Manager.]

Callouts:
1. HTTP access from the client to the public IP of the Vyatta Firewall
2. CBMS: Deploy, Monitor, Scale, Heal the FW
3. Configuration Manager: configuration and rules updates

Deploy the virtual firewall appliance first, before any other servers.
VYATTA FIREWALL ON CLOUDBAND HIGH-AVAILABILITY

[Slide diagram: same layout as the deployment slide, with two Vyatta Firewall instances sharing the public IP through VRRP; a traffic generation client (e.g. browser) reaches the VRRP public IP over HTTP; behind the firewall pair sit Web Server-1, App Server-2 and DB Server-3 on cpaas nodes, connected over the CBMS network and the CloudBand Management Network to the Configuration Manager.]

Callouts:
1. HTTP access from the client to the VRRP public IP
2. CBMS: Deploy, Monitor, Scale, Heal the FW
3. Configuration Manager: configuration and rules updates