Palo Alto Networks. Security Models in the Software Defined Data Center

Christer Swartz Palo Alto Networks CCIE #2894

Security Models in the

Software Defined Data Center

Palo Alto Networks

Dumb Core Smart Edge

Server

s Firewall

Server s

Firewall

Network Overlay Boundaries & Security

Traditionally, all Network Overlay or Tunneling technologies have created some kind of

“smart edge” where a forwarding decision or encapsulation occurs, and a “dumb core”

which is focused on fast switching. Such as MPLS, TRILL, FabricPath, Qfabric, etc.

In all of these, the edge has been a piece of networking hardware, and these technologies have been initiated by networking hardware. And firewalls have traditionally been deployed at the boundary between this network edge and end-systems.

Data Center Core Network

Dumb Core Smart Edge

Server

s Firewall

Server s

Firewall

Network Overlay Boundaries & Security

But with emerging SDN technologies, overlay technologies can be initiated from hosts.

The network edge can now be a host, with the entire physical network focused on “dumb”

fast switching. Examples are VXLAN, NVGRE, and STT.

Hardware firewalls deployed in the physical network core now only see North/South traffic

that exists a physical host, not East/West traffic within a host, nor traffic within Overlay tunnels.

Data Center Core Network

VXLAN

Dumb Core Smart Edge

Server

s Firewall

Server s

Firewall

Virtual Firewalls

In order to maintain visibility into East/West traffic, and contents of Overlay technologies Initiated from hosts, virtual firewalls need to be deployed within the host systems.

To maintain full security visibility across entire Data Center, physical and virtual firewalls need to coordinate policy and network intelligence.

Data Center Core Network

Virtual Firewall

Virtual Firewall

Why place any firewall in a virtual topology?

Hypervisor

Data Center Core Network

Hardware Firewalls

Virtual Switch

- Web / App / DB Isolation - PCI / Non-PCI isolation - Malware, Virus - Administrative Isolation - Dev / Production isolation - Whitelisting

Virtual Firewall?

VM VM

How do firewalls define Applications?

Next Gen: Applications = Data Payload Signatures

Traditional: Applications = TCP/UDP Ports

Build rules against applications, not ports

Track Apps, Content, & Users, not IP’s

SQL

Sharepoint

SQL

VMware vCenter or ESXi

Writing Security Policy based on tags, not IP’s Dynamic Address Groups

Name IP Guest OS Container

web-sjc-01 10.1.1.2 Ubuntu 12.04 Web

sp-sjc-04 10.1.5.4 Win 2008 R2 SharePoint

web-sjc-02 10.1.1.3 Ubuntu 12.04 Web

exch-mia-03 10.4.2.2 Win 2008 R2 Exchange exch-dfw-03 10.4.2.3 Win 2008 R2 Exchange sp-mia-07 10.1.5.8 Win 2008 R2 SharePoint

db-mia-01 10.5.1.5 Ubuntu 12.04 MySQL

db-dfw-02 10.5.1.2 Ubuntu 12.04 MySQL

PAN-OS Security Policy

Source Destination Action

PAN-OS Dynamic Address Groups

Name Tags Addresses

SharePoint Servers

MySQL Servers

Miami DC

San Jose Linux Web Servers

Name Tags Addresses

SharePoint Servers

SharePoint Win 2008 R2

“sp”

MySQL Servers

MySQL Ubuntu 12.04

“db”

Miami DC “mia”

San Jose Linux Web Servers

“sjc”

“web”

Ubuntu 12.04

Name Tags Addresses

SharePoint Servers

SharePoint Win 2008 R2

“sp”

10.1.5.4 10.1.5.8

MySQL Servers

MySQL Ubuntu 12.04

“db”

10.5.1.5 10.5.1.2

Miami DC “mia”

10.4.2.2 10.1.5.8 10.5.1.5

San Jose Linux Web Servers

“sjc”

“web”

Ubuntu 12.04

10.1.1.2 10.1.1.3 IP

10.1.1.2 10.1.5.4 10.1.1.3 10.4.2.2 10.4.2.3 10.1.5.8 10.5.1.5 10.5.1.2

Name

SharePoint Servers

MySQL Servers

Miami DC

San Jose Linux Web Servers

Source Destination Action

SharePoint Servers

San Jose Linux

Web Servers ✔

MySQL

Servers Miami DC 

db-mia-05 10.5.1.9 Ubuntu 12.04 MySQL

10.5.1.9

Hypervisor

Hypervisor Hypervisor

Consistent Security Policy across entire DC

PA-7050 PA-7050

Central Management

For Virtual & Physical Firewalls

VLAN 100 VLAN 200 4. VM firewall between VLAN's.

( PAN Gateway, Cisco vASA )

5. VM firewalls inspecting packets at source, VM-to-VM steering.

( PAN VM-1000-HV firewall )

3. Kernel module firewall.

( NSX DFW, Juniper Firefly Host )

Hypervisor

2. Linux Container, Docker.

( Possible future. Only IPTables today )

1. Physical Firewall.

( PAN, SRX, ASA )

vSwitch

6. Endpoint security software.

( Cyvera, Symantec, IPTables )

Data Center Firewall Deployment Models

Hypervisor – ESX & ESXi VMware’s Virtual Switch

Data Center Core Network

vShield

Hypervisor – ESX & ESXi VMware’s Virtual Switch

Data Center Core Network Forwarding

Plane

Using vSphere – “Gateway” VM Firewall

We reside within the network topology, as in a traditional network. We see packets after they reach the network stack.

Using NSX – “VM-1000-HV” VM Firewall

Traffic is steered to us for inspection above the Forwarding Plane, so security is applied before

packets ever reach the network stack.

Security now has zero impact on network topology since security is abstracted from the network.

2 Different Virtual Firewall Types

Security is abstracted aboveNetwork Security

occurs within Network

VM-1

VM-2 VM-1 VM-2

PAN

Step-1

Step-2

Step-3

Top of Rack Switch

Hypervisor

VM VM VM

VLAN’s

Phase 1: Just trunk all VLAN’s to server uplinks

Hardware Firewall

Physical Host

Top of Rack Switch

Hypervisor

VM VM VM

VLAN’s

Easy for hardware firewalls to go blind

Hardware Firewall

Physical Host

Logical Router

Quagga, Vyatta, Halon, VMware DLR & ESG, Static Routes in Linux, etc.

Hypervisor – ESX & ESXi Virtual Switch

Data Center Core Network

Port Group-A Port Group-B

VM-A VM-B

vShield

VM Firewall

VM-A VM-B

Virtual Switch

Data Center Core Network

One Port Group

Hypervisor – ESX & ESXi

Hypervisor-Aware Firewall

NSX Distributed Firewall

Distributed Port Groups

Hypervisor A Hypervisor B

VMware NSX Distributed Firewall

Performs Stateful firewalling

NSX Distributed Firewall

Distributed Port Groups

Hypervisor A Hypervisor B

PAN VM Firewall

PAN VM Firewall

Augmenting the Distributed Firewall

Deep-Packet firewalling

Hypervisor Virtual Switch

NSX Distributed Firewall

Web DB App App Web DB

Security Policy above the Forwarding Plane

Forwarding Plane

Hypervisor Virtual Switch

NetX API re-directs data flows to us.

NSX Distributed Firewall

Web DB App App Web DB

Security Policy above the Forwarding Plane

Forwarding Plane

Hypervisor Virtual Switch

We hand traffic back to filter.

NSX Distributed Firewall

Web DB App App Web DB

Security Policy above the Forwarding Plane

Forwarding Plane

Hypervisor Virtual Switch

Only then does packet reach any network segment.

NSX Distributed Firewall

Web DB App App Web DB

Security Policy above the Forwarding Plane

Forwarding Plane

SDN Controller

Virtual Switch Virtual Switch

???

Hardware Firewalls

Virtual Routers

Protocols:

- OpenFlow - NetConf - XMPP - I2RS

Controllers:

- Juniper Contrail - Open Daylight - Nuage

- Google’s Andromeda

SDN Controllers

SDN Controller

Virtual Switch Virtual Switch

Hardware Firewalls: Transparent ( vWire )

vWire

Virtual Routers

Hardware Firewalls

SDN Controllers

SDN Controller

Virtual Switch Virtual Switch

SDN: Service Chaining & NFV

Virtual Switch

Virtual Load-Balancer Virtual

Palo Alto Networks Firewall

VM-1 Tenant 1

VM-2 Tenant 2

Virtual Switch

Virtual Switch

Virtual Switch NFV ( Network Functions Virtualization ) Nodes

Virtual

WAN Accelerator

SDN: Service Chaining & NFV

Virtual Load-Balancer Virtual

Palo Alto Networks Firewall

Service Chain-1

Service Chain-2

Virtual Switch

Virtual Switch

Virtual Switch NFV ( Network Functions Virtualization ) Nodes

Virtual

WAN Accelerator VM-1

Tenant 1

VM-2 Tenant 2

SDN: Service Chaining & NFV

Virtual Load-Balancer Virtual

Firewall

Virtual Switch

Virtual Switch

Virtual Switch Virtual

WAN Accelerator VM-1

Tenant 1

VM-2 Tenant 2

- MPLS - VXLAN - GRE - GENEVE

VLAN’s

Service Chaining Tunnel Types

Different Controllers use different tunnels to define a Service Chain.

These tunnels terminate at vSwitch, not at the Services themselves.

VXLAN’s

Firewall

Physical or Virtual

SDN-derived protocols:

Arista “DirectFlow Assist”

Arista Switch

10 Gig 10 Gig

10 Gig

Point to Arista Switch as a Syslog server

Forward initial packets to us, for decision.

API’s imported into Cloud OS. API’s contained in a Plugin written by each vendor.

Such as OpenStack.

Orchestration: Template model or Plugin model

Nova Module

Swift Module

Plugins Neutron Module API’s imported

as Templates or Agents

CloudStack

CloudStack Orchestration

API’s via templates

31 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Firewall deployed as a

CloudStack “Service Provider”

using VR’s.

CloudStack “Virtual Router”

doing DNS & DHCP.

CloudStack “Pod” networks.

External network.

OpenStack Multi-Tenant Cloud

Tenant 1

VM VM VM

Tenant 2

VM VM

Private Network 2 Private Network 1

External Network

PAN-OS Dynamic Address Groups

Name Tags Addresses

SharePoint Servers

MySQL Servers

Miami DC

San Jose Linux Web Servers

Name Tags Addresses

SharePoint Servers

SharePoint Win 2008 R2

“sp”

MySQL Servers

MySQL Ubuntu 12.04

“db”

Miami DC “mia”

San Jose Linux Web Servers

“sjc”

“web”

Ubuntu 12.04

Name Tags Addresses

SharePoint Servers

SharePoint Win 2008 R2

“sp”

10.1.5.4 10.1.5.8

MySQL Servers

MySQL Ubuntu 12.04

“db”

10.5.1.5 10.5.1.2

Miami DC “mia”

10.4.2.2 10.1.5.8 10.5.1.5

San Jose Linux Web Servers

“sjc”

“web”

Ubuntu 12.04

10.1.1.2 10.1.1.3 Name

SharePoint Servers

MySQL Servers

Miami DC

San Jose Linux Web Servers

10.5.1.9

Dynamic Address Groups

via REST API

Orchestration System or Scripts:

Puppet, Chef, Ansible, etc.

REST API calls

Cloud OS DB

Harvest IP’s and tags

Push or Pull

REST API calls

Hypervisor Communication

OSPF, BGP VSYS, VR

Cloud-based Threat intelligence

Endpoint Security Software Virtual Firewalls

Hardware Firewalls

Central Management

Orchestration / Automation SDK, API, etc.

Multiple Hypervisors

Data Center

Ecosystem