Secure Networking for Multi-Cloud Margarida Correia

Day 2-2 11 Correia


2 © 2017 Juniper Networks, Inc. All rights reserved.

AGENDA

1. Cloud Trends
2. Multi-Cloud Networking Requirements
3. Multi-Cloud Networking and Security


Cloud Trends


THE ROLE OF THE CLOUD FOR THE BUSINESS
‘Application Experience’ Is Today's Business Benchmark

• Centralizing applications in large data centers provides economies of scale and simpler rollouts
• Distributing the applications closer to the user reduces the latency and increases scale
• With an agile architecture, Cloud Applications are extremely well positioned to monetize the business
• End-to-end Service experience is ultimately defined by the network capacity and latency

Figure label: XaaS

CLOUD MACRO TRENDS

Device Explosion
• Billions of connected / IoT devices
• Running applications in the cloud

Machine Learning & AI
• Device explosion leads to data explosion
• ML / AI being key to monitor / detect / remediate issues (performance, security, etc.)
• NLP interfaces to devices

Cloud Migration
• Custom apps are being built in the Cloud
• Enterprise apps migrating to SaaS

Microservices / Scale-out Apps
• TTM of apps
• App portability & scalability
• Move from monolithic to microservices

Open Source Adoption
• Proprietary software perceived as ‘vendor lock-in’
• All layers of the stack are open-sourced

ENTERPRISE: MOVE TO CLOUD

Figure: enterprise adoption path over time (axes: Time; Service Creation by Developers and Deployers vs. Service Consumption by Consumers of Services). Three transitions are shown: Enterprise Hosted Apps to SaaS (SaaS usage), Monolithic Apps to Scale-out Apps (PaaS), and Private DC / Co-lo to Hybrid Cloud (IaaS/PaaS/Hybrid Cloud usage), spanning Private Cloud and Public Cloud.

MULTI-CLOUD NETWORKING REQUIREMENTS

CLOUD PLAYERS’ REQUIREMENTS

• Application developers
  – want their apps to work, usually just want basic connectivity, and security gets in their way
• Application users
  – want to use the apps, from wherever they are, and don’t want any hurdles in their way (connectivity, security, performance, etc.)
• IT Management
  – Network Agility / Network Operations Automation
  – Consistent security enforcement and validation independent of how and where applications are deployed
  – Compliance validation, measurable SLA/Performance
  – Best ROI on cloud infrastructure, prefer to buy it “as a Service”

SECURE AUTOMATED NETWORKING

Figure: Secure Network Service Automation architecture. Users (Branch, Campus) reach Applications (DC / Private Cloud, Public Cloud) over Virtual Networks running across the Core & WAN, each virtual network carrying its own services (vNS 1, vNS 2, vNS 3 Services). The automation layer consists of a Service Portal (used by the App Developer/Owner and the User/Operator), a Policy Engine fed by real-time Telemetry / Analytics / Topology, an Applications Definition Repository/Catalogue, a Security Policies Repository (maintained by the Security Admin), a Customer Inventory, and a Configuration Manager for Firewalls, Fabric, Routers and Servers.

MULTICLOUD NETWORKING AND SECURITY

CONTRAIL: Secure Networking across Multi-Cloud

VISION
Provide connectivity, security, and manageability for:
1. People <-> Apps
2. Apps <-> Apps

Three pillars: Connectivity; Security Policy & Visualization; Manageability & Operations.

Figure: People (Developers, NetOps, CISO, …) connecting from CPE, Remote Branch Offices and Telco POPs to Apps running in multiple environments: Public Cloud (VPCs) and Multisite Data Center / Private Cloud (VMs, BMS, Containers, VNFs, Custom Apps) over an IP Fabric, with a Firewall in the path.

MULTI-CLOUD SECURE NETWORKING: DESIGN GOALS & VALUE PROPOSITION

• Create secure multi-tenant environments, with existing application developer workflow
• Offer multiple deployment options (i.e. bare metal server, Private/Public Clouds, etc.)
• Seamless migration & interop of existing physical and virtual non-container environments with container environments
• Extend all virtual network features (QoS, Floating IP, DDI, etc.) to the cloud environment
• Allow the Operator to modify infra security (& isolation) levels, transparent to the app developer

CONTRAIL NETWORK SERVICES

Figure: layered architecture.
Orchestration: OpenStack, Kubernetes, Marathon/Mesos, ICO/ICM, Amdocs NCSO, Juniper CSO, Docker Swarm, Custom …
Control: Config Plane: Netconf, OVSDB; Control Plane: BGP (EVPN, L3VPN), OVSDB
Services: DDI, FW, LB, Service Chaining, Security Policy, QoS, Health Check, Analytics
Forwarding: vRouter (for VMs on KVM/Linux, Containers, VMs on ESXi) and Router/TOR (for BMS), providing L2 and L3 virtual networks (L2VN, L3VN)

CONTRAIL NETWORKING

Figure: Contrail Controller (Config, Control, Analytics, TSN, …) under an Orchestrator/Apps layer (Network Orchestration). Policy is defined centrally and enforced in a distributed way: the controller talks XMPP to the vRouter in the host O/S of each compute (DC computes, CPE devices, public cloud VMs), BGP to the Gateway to Internet/WAN or legacy networks, and OVSDB or EVPN/Netconf to TORs fronting BMS (Windows, Linux, …). The physical IP fabric is the underlay and needs no changes. Logical view: Virtual Network Blue and Virtual Network Red with a scale-out FW between them.

Overlay tunnels: VXLAN, MPLS over UDP, MPLS over GRE
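The three overlay encapsulations named on this slide, as an added example that is not part of the original deck and not Contrail's code: it builds and parses VXLAN (RFC 7348), MPLS-over-UDP (RFC 7510) and MPLS-over-GRE (GRE protocol type 0x8847) headers with their standard layouts, and performs the first lookup a receiving vRouter has to make, mapping the tunnel identifier to a virtual network. The VNI and label tables (Blue and Red, as in the figure) and the sample payload are constructed for illustration.

```python
"""Overlay tunnel headers used between vRouters in the architecture above:
VXLAN (RFC 7348), MPLS over UDP (RFC 7510) and MPLS over GRE. Added example,
not Contrail code: the encapsulation layouts are the standard ones, while the
virtual-network tables and packets below are constructed for illustration."""
import struct

VXLAN_UDP_PORT = 4789      # IANA port for VXLAN
MPLS_UDP_PORT = 6635       # IANA port for MPLS-in-UDP
GRE_PROTO_MPLS = 0x8847    # GRE protocol type: MPLS unicast
VXLAN_FLAG_I = 0x08000000  # "I" bit in the 32-bit flags word: VNI field is valid

# Constructed mapping of tunnel identifiers to the virtual networks of the figure.
VN_BY_VNI = {0x1000: "blue", 0x2000: "red"}
VN_BY_LABEL = {16: "blue", 17: "red"}


def vxlan_encap(vni: int, payload: bytes) -> bytes:
    """8-byte VXLAN header: flags word, then 24-bit VNI followed by a reserved byte."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I, vni << 8) + payload


def vxlan_decap(packet: bytes):
    """Return (vni, inner frame); reject headers without the I flag."""
    flags, vni_word = struct.unpack("!II", packet[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN header without valid-VNI flag")
    return vni_word >> 8, packet[8:]


def mpls_push(label: int, payload: bytes, tc: int = 0, ttl: int = 64) -> bytes:
    """One label stack entry: label(20) | TC(3) | S(1) | TTL(8); S=1 marks bottom of stack."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    entry = (label << 12) | ((tc & 0x7) << 9) | (1 << 8) | (ttl & 0xFF)
    return struct.pack("!I", entry) + payload


def mpls_pop(packet: bytes):
    """Return (fields dict, inner packet) for the top label stack entry."""
    (entry,) = struct.unpack("!I", packet[:4])
    fields = {"label": entry >> 12, "tc": (entry >> 9) & 0x7,
              "bos": (entry >> 8) & 0x1, "ttl": entry & 0xFF}
    return fields, packet[4:]


def gre_encap(proto: int, payload: bytes) -> bytes:
    """Minimal 4-byte GRE header (no checksum/key/sequence) followed by the payload."""
    return struct.pack("!HH", 0, proto) + payload


def gre_decap(packet: bytes):
    """Return (protocol type, inner packet); optional GRE fields are not handled here."""
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0xB000:  # C, K or S bit set: header is longer than 4 bytes
        raise ValueError("GRE optional fields not supported in this example")
    return proto, packet[4:]


def classify_udp(dst_port: int, payload: bytes):
    """What a receiving vRouter needs first: which virtual network a tunnelled
    packet belongs to. Unknown tunnel ids map to None so the caller drops them
    instead of guessing a tenant."""
    if dst_port == VXLAN_UDP_PORT:
        vni, inner = vxlan_decap(payload)
        return VN_BY_VNI.get(vni), inner
    if dst_port == MPLS_UDP_PORT:
        hdr, inner = mpls_pop(payload)
        return VN_BY_LABEL.get(hdr["label"]), inner
    return None, payload


def classify_gre(payload: bytes):
    """Same lookup for MPLS over GRE."""
    proto, inner = gre_decap(payload)
    if proto != GRE_PROTO_MPLS:
        return None, inner
    hdr, inner = mpls_pop(inner)
    return VN_BY_LABEL.get(hdr["label"]), inner


if __name__ == "__main__":
    frame = b"\x00" * 14 + b"inner-ethernet-frame"  # constructed payload
    print(classify_udp(VXLAN_UDP_PORT, vxlan_encap(0x1000, frame))[0])      # blue
    print(classify_udp(MPLS_UDP_PORT, mpls_push(17, frame))[0])              # red
    print(classify_gre(gre_encap(GRE_PROTO_MPLS, mpls_push(16, frame)))[0])  # blue
    print(classify_udp(VXLAN_UDP_PORT, vxlan_encap(0x3000, frame))[0])      # None: unknown VNI
```

The point for a reviewer is the last call: tenant separation in the overlay rests entirely on the VNI or label, so a decapsulating endpoint has to refuse identifiers it has not been told about rather than fall back to a default tenant, and the tunnels themselves need the IPsec or DTLS protection discussed on the encryption slide wherever the underlay is not trusted.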

SDN GATEWAY: L2 with any Type of ToR

Figure: three racks attached to a Contrail Controller and an SDN Gateway (MX). BMS Rack (L2 extension) and Hybrid Rack: Control = EVPN, Config = Netconf (E(L3)VPN + Netconf towards the gateway). Contrail Overlay Rack: Control & Config = XMPP (EVPN + XMPP). VLAN Red and VLAN Green are stretched across the racks over data tunnels.

CONTRAIL ENCRYPTION
Encryption of Control and Data Plane across Multi-Cloud environments

Mgt. Plane: HTTPS access to all VNC APIs
Control Plane: MD5 authentication of all BGP peers (the TCP MD5 signature option authenticates the peer and protects session integrity; it does not encrypt the BGP session)
Config Plane: Encryption of the XMPP channel between Control node and vRouter
Data Plane options: 1. Group VPN (IPsec mesh) or SSL VPN (with DTLS) 2. L4 policy-based encryption

Figure: Controller and Compute Nodes (each running a vRouter) in the Cloud DC, a GW, and a VPC reached over Internet or Direct Connect, with DTLS or IPsec encryption on the tunnels.

CONTRAIL SECURITY KEY CAPABILITIES

Multiple Enforcement Points
• L4 enforcement at the vRouter (Kernel, DPDK, vCenter, Smart NIC)
• L7 enforcement at the L7 Firewall

Consistent Intent-Driven Policy
• How to extend the same set of policies to Mesos, AWS, Kubernetes, Bare Metal Servers -> without policy rule explosion
• Single policy, no policy rewrite … Define Once -> Enforce Everywhere

Application Policy Config & Flow Visualization
• Offer visualization, analytics, and orchestration for security configurations
• Provide reporting, troubleshooting and compliance
• Discover inter- and intra-application traffic flows with/without enforcing policies

Figure: the Security Admin defines policy once in the Controller (Definition); it is enforced (Enforcement) at L4 in the vRouter and at L7 in a Host-Based FW, for a Web / App / DB application on OpenStack.

POLICY CONFIGURATION OBJECTS

Figure: object hierarchy at two levels.
Global Level: Application Policy Set (associated with Tag T7) -> FW Policies [FW-7, FW-8, …] -> FW Rules [Rule-1, Rule-2, …] (use Tags, Address Groups, Service Groups)
Project Level (Project A): Application Policy Set (associated with Tag T1) -> FW Policies [FW-1, FW-2, …] -> FW Rules [Rule-1, Rule-2, …] (use Tags, Address Groups, Service Groups)

POLICY CONSTRUCTION

Objects at different levels can be tagged. Tags can be defined at different levels:
• Global
• Project
• Network
• VM / Container / BMS
• Interface
Policies will finally be enforced at the logical interface level.

Figure labels: Tags / Labels, Tag expression, Policy Tags, Policy Enforcement

Policy Example:

Order | Status | Action | Service | EndPoint1 | Direction | EndPoint2 | Condition | OptAction
5 | ON | allow | TCP 80 | tier=web | > | tier=app | match deployment && site | log
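The rule above, parsed and evaluated against a constructed three-tier application (web tier on bare metal, app tier in a VM, database tier in public cloud, the shape of the demo later in the deck). This is an added example and not Contrail code: the one-line rule grammar, the "match" semantics (both endpoints must carry the tag and agree on its value), the ">" / "<>" direction notation and the implicit deny when no rule matches are assumptions about the model the slides describe; the workloads, tags and second rule are constructed.

```python
"""Tag-based firewall policy evaluator in the style of the rule on the slide:
    5 ON allow TCP 80 tier=web > tier=app match deployment && site log
Added example; the parser and the matching semantics are assumptions about the
model the slides describe, not Contrail code. Workloads are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Workload:
    name: str
    environment: str       # bms / vm / aws: informational only, the policy never looks at it
    tags: Dict[str, str]   # e.g. {"tier": "web", "deployment": "prod", "site": "dc1"}


@dataclass
class Rule:
    order: int
    status: str            # ON / OFF
    action: str            # allow / deny
    proto: str             # TCP / UDP / any
    port: Optional[int]    # destination port, None = any
    ep1: str               # tag expression such as "tier=web", or "any"
    direction: str         # ">" one way (ep1 -> ep2), "<>" both ways
    ep2: str
    match_tags: Tuple[str, ...]   # tag types whose values must agree on both ends
    opt_action: str        # e.g. "log"


def parse_rule(line: str) -> Rule:
    """Parse the slide's one-line rule format (assumed grammar)."""
    tok = line.split()
    port = None if tok[4].lower() == "any" else int(tok[4])
    rest = tok[8:]
    match = []
    if rest and rest[0] == "match":
        rest = rest[1:]
        while rest:                       # "deployment && site" -> two tag types
            match.append(rest.pop(0))
            if rest and rest[0] == "&&":
                rest.pop(0)
            else:
                break
    return Rule(int(tok[0]), tok[1], tok[2], tok[3], port,
                tok[5], tok[6], tok[7], tuple(match), " ".join(rest))


def endpoint_matches(expr: str, wl: Workload) -> bool:
    if expr == "any":
        return True
    key, _, value = expr.partition("=")
    return wl.tags.get(key) == value


def rule_matches(rule: Rule, src: Workload, dst: Workload, proto: str, dport: int) -> bool:
    if rule.status != "ON":
        return False
    if rule.proto.lower() not in ("any", proto.lower()):
        return False
    if rule.port is not None and rule.port != dport:
        return False
    pairs = [(rule.ep1, rule.ep2)]
    if rule.direction == "<>":
        pairs.append((rule.ep2, rule.ep1))
    if not any(endpoint_matches(a, src) and endpoint_matches(b, dst) for a, b in pairs):
        return False
    # "match deployment && site": both ends must carry the tag and agree on its value,
    # which is what keeps one rule from joining prod to dev or one site to another
    return all(t in src.tags and src.tags[t] == dst.tags.get(t) for t in rule.match_tags)


def evaluate(rules, src: Workload, dst: Workload, proto: str, dport: int):
    """First rule in order wins; with no match the flow is denied (assumed default)."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule_matches(rule, src, dst, proto, dport):
            return rule.action, rule.order, rule.opt_action
    return "deny", None, "implicit"


# Constructed three-tier application spread over bare metal, a VM and public cloud.
WEB = Workload("web-1", "bms", {"tier": "web", "deployment": "prod", "site": "dc1"})
APP = Workload("app-1", "vm", {"tier": "app", "deployment": "prod", "site": "dc1"})
DB = Workload("db-1", "aws", {"tier": "db", "deployment": "prod", "site": "aws-east"})
APP_DEV = Workload("app-dev", "vm", {"tier": "app", "deployment": "dev", "site": "dc1"})

RULES = [
    parse_rule("5 ON allow TCP 80 tier=web > tier=app match deployment && site log"),
    parse_rule("10 ON allow TCP 3306 tier=app > tier=db match deployment"),
]

if __name__ == "__main__":
    for src, dst, port in [(WEB, APP, 80), (WEB, APP_DEV, 80), (APP, DB, 3306), (APP, WEB, 80)]:
        print(f"{src.name} -> {dst.name}:{port}", evaluate(RULES, src, dst, "TCP", port))
```

Running it shows the "define once, enforce everywhere" property from the key-capabilities slide: the same two rules cover web-to-app and app-to-db traffic no matter whether a workload is a bare-metal server, a VM or a public-cloud instance, and the match condition keeps the prod web tier from reaching the dev app tier without a separate rule per deployment or site. The reverse direction (app to web on port 80) and any port the rules do not name fall through to the implicit deny.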


Application Traffic Visibility and Advanced Analytics

CLOUD NETWORKS AND SECURITY

• Single SDN deployment providing both Connectivity & Security across multiple environments
• Discovery of topology and activity within/across application tiers (underlay-overlay correlation)
• Centralized security policies with multiple distributed enforcement points (L2-L4, L7 using Host-based firewall)
• Visualization for policy definition and reporting (troubleshooting, app flow discovery, etc.)

Single SDN with security, real-time analytics and operations automation (offering a connectivity & security layer for multiple environments)

Figure: Contrail Network Policy Framework spanning Virtual Machines, Containers, Public Cloud and Bare Metal.

Demo: Three-tier Web Application

Three-tier web application deployed in a multi-cloud environment:
• Mix of Bare Metal, VM, and Public Cloud
• Public cloud to private cloud connectivity using encrypted overlay tunneling
• Security and isolation provided by Contrail Security tag-based firewalling

Figure: Users on the Internet reach the Web Front-End, Web Application and Database tiers, spread over a BMS and a VM in the On-Prem Data Center and AWS, joined by an Encrypted Overlay (addresses shown: 4.4.4.3, 5.5.5.3, 6.6.6.3).


Thank You!

[email protected]