(1)

Software Defined Networking (SDN)

Software Defined Security

Kurt Knochner

Fortinet Senior Systems Engineer [email protected]

(2)

How to describe the (IT) world of 2015

"It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness…"

Charles Dickens, A Tale of Two Cities

(3)

Challenges in the Datacenter 2015

Increasing Complexity

Increasing Network Speed

Increasing Security Challenges

(4)

Increasing Complexity

Sorry, we can't help you with this … All we can say: it's going to get worse ;-)

HOWEVER: we are committed to NOT adding complexity to your environment, by keeping the management of our products as simple and effective as possible!

(5)

Increasing Network Speed / Security Challenges

Fortinet is best known for its HIGH SPEED and SECURE appliances, so don't be afraid, we will be there to support you!

[Chart: data rate in Mb/s from 100 up to 1,000,000,000 against time, with Gigabit, 10 Gigabit, 100 Gigabit and 1 Terabit marked; server I/O doubling roughly every 24 months, core networking doubling roughly every 18 months.]

(6)

Increasing levels of Virtualization

(7)

To sum it up ….

Virtual appliances & VDOMs provide scale-out elasticity

[Diagram: scale-up vs. scale-out performance boundary and benefits; elastic firewall for east-west traffic, deployable in vSphere, XenServer and Hyper-V.]

(9)

Software Defined Data Center

[Diagram: orchestration layer on top; network, compute, storage and security each decoupled/abstracted from the physical layer into a software-defined (SD) layer; VMs (OS + App) run on top.]

(10)

SDDC - The Big Picture

[Diagram: orchestration across network, storage and compute, physical and virtual layers, applications and services, with security alongside; Software Defined Networks, Software Defined Security, Software Defined Compute.]

(12)

Virtual Data Center Challenges

• High Availability
• Live Migration
• Securing flows within the same vSwitch
• No auto-import of objects
• Manual or scripted automation and orchestration

(13)

Fortinet Software Defined Security Framework

[Diagram: data plane (virtual x86 containers, virtual appliances/services platform), control plane (orchestration & automation), management plane (single pane-of-glass management).]

Fortinet Software Defined Security Framework

• Complete security ecosystem
» FW/NGFW (FortiGate)
» Web Application Firewall (FortiWeb)
» Secure Mail Gateway (FortiMail)
» Application Delivery (FortiADC)
» Sandboxing (FortiSandbox)
» Hypervisors: vSphere, Hyper-V, KVM, Citrix Xen
» Public cloud: AWS, Microsoft Azure

• Security-optimized orchestration
» SDN application
» FortiSphere security SDN controller
» FortiCore SDN Security Director

• Single pane-of-glass management
» Management (FortiManager)
» Reporting & visibility (FortiAnalyzer)

• Platform extensibility
» Integration with external ecosystem: open source, commercial

[Diagram: data plane (virtual x86 containers, virtual appliances/services platform), control plane (orchestration & automation), management plane (single pane-of-glass management).]

(20)

Fortinet Software Defined Security Framework – CSP Extensions

• Complete security ecosystem
• Security-optimized orchestration
• Single pane-of-glass management

• FW NFV service chaining
» ETSI multi-vendor PoC on D-NFV (CPE)
» D-NFV Alliance – RAD V-CPE

• Utility-based consumption
» Licensing
» Provisioning
» Metering
» Billing

• FortiPrivateCloud
» Security-aaS portal

• Platform extensibility
» Integration with external ecosystem

[Diagram: the same data/control/management plane layers, with hardware-based platforms added next to the virtual x86 containers in the data plane; CSP labels: NFV on-demand, self-service, Sec-aaS, multi-tenancy.]

(21)

Fortinet Programmable Networking Partnership Ecosystem

[Diagram: orchestration platforms, programmable switching, centralized policy & analytics and platform extensibility; partner labels: ACI, vCNS certified, NSX Partner program, NSX Manager, Full NSX.]

(22)

Cisco ACI

• #1 SDN platform sought by enterprise customers
• Joint PR: integration of FortiGate into Cisco ACI deployment
• Joint demo at Interop (April 2015): ACI service insertion
• Product launch Q3 2015

(23)

OpenStack Integration

Open Source OpenStack
» ML2 plugin
» FWaaS plugin
» VTEP support

Commercial OpenStack
» HP Helion
» Fortinet announced HP AllianceOne partnership; FortiGate certified HP Helion Ready
» Integration with HP VAN Controller and SDN switches
» FortiSDN demo application for HP's enterprise SDN ecosystem

(25)

Fortinet SDDC Positioning

NSX integration is part of a three-step program. Currently the Fortinet solution uses NSX Manager with limited NetX API functionality.

1. vCNS integration certified (vSphere v5.5 U2), released Q4 2014
» Support for vSphere v5.5 Update 2
» Certified with vCNS Manager and NetX API

2. NSX Compatible (vSphere v5.5 U2 vCNS integration), released January 2015 (Q1 2015)
» Support for vSphere v5.5 Update 2
» Certified compatible with NSX Manager and NetX API

3. NSX new SDK integration, 2015
» Support for new NSX Manager
» Will only work with NSX deployments
» Advanced NSX NetX functionality for tighter control of traffic

[Timeline: vCNS (Q4 2014) → NSX Compatible (Q1 2015) → NSX new SDK integration (2015)]

(26)

FortiGate and NSX Integration/Interactions

1. Initiate communication with vCenter Server
2. Register Fortinet as security service with NSX Manager
3. Auto-deploy FortiGate-VMX to all hosts in the security cluster
4. FortiGate-VMX connects with FortiGate-VMX Service Manager
5. License verification and configuration synchronization with FortiGate-VMX
6. Kernel agent creation and default redirection rules for each host in the cluster
7. Real-time updates of the object database
8. Push policy synchronization to all FortiGate-VMX deployed in the cluster

[Diagram: FortiGate-VMX Service Manager on one side; the security cluster's hosts with their dvSwitch and one FGT-VMX each on the other.]

(27)

FGT-VMX and VMware Kernel Agent Interaction

[Diagram: VMware kernel with one kernel agent per VM on the dvSwitch, FGT-VMX attached through the ports labelled fsw and tsw, and the FortiGate-VMX Service Manager; callouts: 1 define NGFW firewall policies, 2 FGT-VMX.]

Packet flow:
1. From VM to kernel agent
2. Kernel agent always forwards to the third-party solution (FGT-VMX)
3. FGT-VMX applies security and sends the packet back to the kernel agent
4. Kernel agent can do service chaining or send the packet to …

(29)

FortiGate-VMX License Model

• One license for the FortiGate-VMX Service Manager
• Stackable license for the FGT-VMX agents, based on the number of agents deployed

[Diagram: hypervisors with 2, 4 and 2 sockets; labels "2 FGT-VMX Licenses" and "3 FGT-VMX".]

(32)

FGT-SVM Policy Creation

(33)

NSX Integration - What's Next?

1. Service Composer
a. Define security tag based on workflow requirements
b. Security tag imported on FortiGate-VMX to define firewall policy
c. Set and unset tags on workflow VMs based on security requirements

New feature with full NSX integration

Firewall Policy =
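As an added example (not code from these slides, nor Fortinet or VMware code), the following Python model ties together the kernel-agent packet path of slides 26 and 27 and the tag-driven policy of slide 33: every packet leaving a VM is redirected by the per-host agent to the firewall, the firewall resolves source and destination to security tags through a synchronized object database rather than to IP addresses, and setting or clearing a tag (here a quarantine tag) changes the verdict immediately without editing any rule. All class names, the sample IPs, the tag names and the service chain are constructed for illustration.

```python
# Added example (not Fortinet/VMware code): toy model of the NetX-style packet
# path VM -> kernel agent -> FGT-VMX -> kernel agent -> service chain, with
# policy written on security tags. Names, IPs and tags are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_tag: str           # security tag or "any"
    dst_tag: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any port
    action: str            # "accept" or "deny"
    def matches(self, src: Set[str], dst: Set[str], pkt: Packet) -> bool:
        return (self.src_tag in src or self.src_tag == "any") \
            and (self.dst_tag in dst or self.dst_tag == "any") \
            and self.proto in ("any", pkt.proto) \
            and self.dport in (None, pkt.dport)


class ObjectDB:
    """VM inventory and tag membership, kept in sync by the Service Manager
    (slide 26, step 7). Policy never references IPs, so it survives migration."""
    def __init__(self) -> None:
        self.ip_to_vm: Dict[str, str] = {}
        self.tags: Dict[str, Set[str]] = {}
    def add_vm(self, name: str, ip: str) -> None:
        self.ip_to_vm[ip] = name
        self.tags.setdefault(name, set())
    def set_tag(self, vm: str, tag: str) -> None:
        self.tags[vm].add(tag)
    def unset_tag(self, vm: str, tag: str) -> None:
        self.tags[vm].discard(tag)
    def tags_of_ip(self, ip: str) -> Set[str]:
        # Unknown IP -> no tags -> no rule matches: out-of-sync objects fail closed.
        return self.tags.get(self.ip_to_vm.get(ip, ""), set())


class FortiGateVMX:
    """Tag-based NGFW policy: first matching rule wins, implicit deny last."""
    def __init__(self, db: ObjectDB, rules: List[Rule]) -> None:
        self.db, self.rules = db, rules
    def inspect(self, pkt: Packet) -> Tuple[str, str]:
        src, dst = self.db.tags_of_ip(pkt.src_ip), self.db.tags_of_ip(pkt.dst_ip)
        for r in self.rules:
            if r.matches(src, dst, pkt):
                return r.action, f"{r.src_tag}->{r.dst_tag} {r.proto}/{r.dport or 'any'}"
        return "deny", "implicit-deny"


class KernelAgent:
    """Per-host agent on the dvSwitch (slide 27): every VM packet is redirected to
    FGT-VMX before it can reach a neighbour on the same vSwitch; accepted packets
    continue down the service chain to the destination VM."""
    def __init__(self, fgt: FortiGateVMX, chain: List[str]) -> None:
        self.fgt, self.chain = fgt, chain
    def forward(self, pkt: Packet) -> Tuple[str, List[str]]:
        trace = ["vm->agent", "agent->fgt-vmx"]
        action, matched = self.fgt.inspect(pkt)
        trace.append(f"fgt-vmx:{action}({matched})")
        if action != "accept":
            return "dropped", trace
        trace += [f"agent->{svc}" for svc in self.chain] + ["agent->dst-vm"]
        return "delivered", trace


def build_cluster() -> Tuple[ObjectDB, KernelAgent]:
    """Constructed sample: one web VM, one DB VM, a quarantine rule evaluated first."""
    db = ObjectDB()
    db.add_vm("web1", "10.0.1.10")
    db.add_vm("db1", "10.0.2.20")
    db.set_tag("web1", "web")
    db.set_tag("db1", "db")
    rules = [Rule("quarantine", "any", "any", None, "deny"),
             Rule("web", "db", "tcp", 3306, "accept")]
    return db, KernelAgent(FortiGateVMX(db, rules), chain=["ips", "av"])


def demo() -> Dict[str, str]:
    """Slide 33 in action: set and unset a tag; no rule and no IP is edited."""
    db, agent = build_cluster()
    sql = Packet("10.0.1.10", "10.0.2.20", "tcp", 3306)
    ssh = Packet("10.0.1.10", "10.0.2.20", "tcp", 22)
    out = {"web->db mysql": agent.forward(sql)[0], "web->db ssh": agent.forward(ssh)[0]}
    db.set_tag("web1", "quarantine")     # Service Composer sets the tag ...
    out["web->db mysql quarantined"] = agent.forward(sql)[0]
    db.unset_tag("web1", "quarantine")   # ... and clears it again
    out["web->db mysql released"] = agent.forward(sql)[0]
    return out
```

Calling demo() returns "delivered" for web-to-db MySQL, "dropped" for web-to-db SSH, "dropped" again once the quarantine tag is set and "delivered" once it is cleared. Two design points matter in practice: the quarantine rule sits first so that a tag set by an automated workflow overrides the standing allow, and a VM with no tags, or an IP the object database has never seen, hits the implicit deny, which is the safe failure mode while the object database (step 7 on slide 26) and the firewall are out of sync.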

(35)

Why Fortinet?

Committed to Security

Committed to High Performance

(38)

"We take care of security so you can take care of business."

Ken Xie, CEO & Chairman of the Board

(39)

One last quote…

"We don't put a single Mark into advertising, but every Mark into the chocolate."

Alpia Schokolade, Springer & Jacoby

(40)

Kurt Knochner [email protected]
