Secure Networking for Multi-Cloud
Margarida Correia
2 © 2017 Juniper Networks, Inc. All rights reserved.
AGENDA
1. Cloud Trends
2. Multi-Cloud Networking Requirements
3. Multi-Cloud Networking and Security
Cloud Trends
THE ROLE OF THE CLOUD FOR THE BUSINESS
'Application Experience' Is Today's Business Benchmark (XaaS)
• Centralizing applications in large data centers provides economies of scale and simpler rollouts
• Distributing the applications closer to the user reduces the latency and increases scale
• With an agile architecture, cloud applications are extremely well positioned to monetize the business
• End-to-end service experience is ultimately defined by the network capacity and latency
CLOUD MACRO TRENDS
Device Explosion
§ Billions of connected / IoT devices
§ Running applications in the cloud
Machine Learning & AI
§ Device explosion leads to data explosion
§ ML / AI being key to monitor / detect / remediate issues (performance, security, etc.)
§ NLP interfaces to devices
Cloud Migration
§ Custom apps are being built in the cloud
§ Enterprise apps migrating to SaaS
Microservices / Scale-out Apps
§ TTM of apps
§ App portability & scalability
§ Move from monolithic to microservices
OpenSource Adoption
§ Proprietary software perceived as 'vendor lock-in'
§ All layers of the stack are open-sourced
ENTERPRISE: MOVE TO CLOUD
(diagram: service creation by developers and deployers, and service consumption by consumers of services, plotted over time. Enterprise-hosted apps move to SaaS, monolithic apps move to scale-out apps, and private/co-lo hosting moves to hybrid cloud; SaaS usage and IaaS/PaaS/hybrid cloud usage grow while the private DC / private cloud share shrinks.)
MULTI-CLOUD NETWORKING REQUIREMENTS
CLOUD PLAYERS' REQUIREMENTS
• Application developers
  – want their apps to work, usually just want basic connectivity, and security gets in their way
• Application users
  – want to use the apps, from wherever they are, and don't want any hurdles in their way (connectivity, security, performance, etc.)
• IT Management
  – Network agility / network operations automation
  – Consistent security enforcement and validation independent of how and where applications are deployed
  – Compliance validation, measurable SLA/performance
  – Best ROI on cloud infrastructure, prefer to buy it "as a Service"
SECURE AUTOMATED NETWORKING
(diagram: users in branch and campus reach applications in the DC / private cloud and the public cloud across the core & WAN, with virtual networks carrying per-tenant services (vNS 1, vNS 2, vNS 3 services). The Secure Network Service Automation layer comprises a service portal for the app developer/owner and the user/operator, a policy engine, real-time telemetry / analytics / topology, an applications definition repository/catalogue, a security policies repository owned by the security admin, a customer inventory, and a configuration manager for firewalls, fabric, routers and servers.)
MULTI-CLOUD NETWORKING AND SECURITY
CONTRAIL: Secure Networking across Multi-Cloud
VISION: Provide connectivity, security, and manageability for:
1. People ↔ Apps
2. Apps ↔ Apps
Three pillars: Connectivity; Security Policy & Visualization; Manageability & Operations.
(diagram: people (developers, NetOps, CISO, ...) at CPE, remote branch offices and telco POPs reach apps running in multiple environments: public cloud (VPCs) and a multisite data center / private cloud hosting VMs, BMS, containers and VNFs behind a firewall on an IP fabric, plus custom apps.)
MULTI-CLOUD SECURE NETWORKING: DESIGN GOALS & VALUE PROPOSITION
• Create secure multi-tenant environments with the existing application developer workflow
• Offer multiple deployment options (i.e. bare metal server, private/public clouds, etc.)
• Seamless migration & interop of existing physical and virtual non-container environments with container environments
• Extend all virtual network features (QoS, Floating IP, DDI, etc.) to the cloud environment
• Allow the operator to modify infra security (& isolation) levels, transparently to the app developer
CONTRAIL NETWORK SERVICES
(diagram, top to bottom)
Orchestration: OpenStack, Kubernetes, Marathon/Mesos, ICO/ICM, Amdocs NCSO, Juniper CSO, Docker Swarm, Custom ...
Control: L3VN and L2VN. Config plane: Netconf, OVSDB. Control plane: BGP (EVPN, L3VPN), OVSDB.
Services: DDI, FW, LB, service chaining, security policy, QoS, health check, analytics.
Forwarding: vRouter on VMs (KVM/Linux), BMS and containers; vRouter on VMs (ESXi); router/TOR vRouter.
CONTRAIL NETWORKING
(diagram) The Contrail Controller (config, control, analytics, TSN, ...) provides centralized policy definition; the orchestrator/apps drive it through network orchestration. Policy enforcement is distributed to vRouters in the host OS of DC computes, CPE devices and public cloud VMs (controller to vRouter: XMPP), and to BMS (Windows, Linux, ...) through the TOR (controller to TOR: BGP EVPN or OVSDB / Netconf). A gateway connects to the Internet/WAN or legacy networks. Logical view: Virtual Network Blue and Virtual Network Red with a scale-out FW between them. Overlay tunnels: VXLAN, MPLS over UDP, MPLS over GRE. Physical IP fabric: underlay (no changes).
SDN GATEWAY: L2 with any Type of ToR
(diagram) An SDN Gateway (MX) and the Contrail Controller serve three racks: a BMS rack (L2 extension, VLAN Red and VLAN Green), a hybrid rack, and a Contrail overlay rack. Control & config to vRouters = XMPP; to the ToR, control = EVPN and config = Netconf. Data tunnels run between the racks and the gateway (E(L3)VPN + Netconf towards the gateway; EVPN + XMPP towards the overlay rack).
CONTRAIL ENCRYPTION
Encryption of control and data plane across multi-cloud environments
Mgt. plane: HTTPS access to all VNC APIs
Control plane: MD5 authentication of all BGP peers
Config plane: encryption of the XMPP channel between control node and vRouter
Data plane options: 1. Group VPN (IPsec mesh) or SSL VPN (with DTLS) 2. L4 policy-based encryption
(diagram: the controller and compute nodes / vRouters in the cloud DC connect to a VPC in the public cloud through a GW over the Internet or Direct Connect, with DTLS or IPsec encryption on the tunnels.)
CONTRAIL SECURITY KEY CAPABILITIES
Multiple Enforcement Points
§ L4 enforcement at the vRouter (kernel, DPDK, vCenter, Smart NIC)
§ L7 enforcement at the L7 firewall
Consistent Intent-Driven Policy
§ How to extend the same set of policies to Mesos, AWS, Kubernetes, bare metal servers → without policy rule explosion
§ Single policy: no policy rewrite ... define once → enforce everywhere
Application Policy Config & Flow Visualization
§ Offer visualization, analytics, and orchestration for security configurations
§ Provide reporting, troubleshooting and compliance
§ Discover inter- and intra-application traffic flows with/without enforcing policies
(diagram: the security admin defines policy in OpenStack through the controller (definition); it is enforced at L4 and L7 by the host-based FW across the Web, App and DB tiers (enforcement).)
POLICY CONFIGURATION OBJECTS
(diagram) Global level: Application Policy Sets reference firewall policies (FWPol FW-7, FW-8, ...), each a list of firewall rules (Rule-1, Rule-2, ...), and tags (Tag T7). Project level (Project A): Application Policy Sets reference firewall policies (FWPol FW-1, FW-2, ...), each a list of firewall rules (Rule-1, Rule-2, ...), and tags (Tag T1). Firewall rules use Tags, Address Groups and Service Groups.
POLICY CONSTRUCTION
Objects at different levels can be tagged. Tags can be defined at different levels:
§ Global
§ Project
§ Network
§ VM / Container / BMS
§ Interface
Policies will finally be enforced at the logical interface level.
(diagram: tags / labels on objects; tag expressions select the policy endpoints; policy tags; policy enforcement.)
Policy example (columns: Order, Status, Action, Service, EndPoint1, Direction, EndPoint2, Condition, Opt Action):
5 | ON | allow | TCP 80 | tier=web | > | tier=app | match deployment && site | log
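The tag-based rule on this slide, worked through as an added example (this is not Contrail code): a small evaluator that parses rules written in the slide's format, merges tags defined at global / project / network / VM / interface scope so that the most specific (interface-level) value wins, and checks flows between tagged workloads in rule order with a default deny. It also illustrates the "define once, enforce everywhere" point from the key-capabilities slide: the same two rules cover an on-prem VM, an on-prem BMS and an AWS container without a per-site rewrite. The rule grammar, the scope precedence, the `<>` bidirectional direction, the reading of `match deployment && site` as "both endpoints carry the same value for these tags", the second rule and all workloads are assumptions constructed for the example.

```python
"""Tag-based firewall policy evaluation modelled on the slide's policy example.
Added example, not Contrail code; grammar, scope precedence and 'match'
semantics are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Tag scopes from least to most specific; enforcement happens at the interface.
SCOPES = ("global", "project", "network", "vm", "interface")

@dataclass
class Rule:
    order: int
    enabled: bool            # Status ON/OFF
    action: str              # "allow" | "deny"
    proto: str               # "TCP" | "UDP" | "ANY"
    port: Optional[int]      # None = any port
    ep1: dict                # tag expression, e.g. {"tier": "web"}
    direction: str           # ">" (ep1 -> ep2) or "<>" (either way)
    ep2: dict
    match_tags: tuple        # tag keys whose values must be equal on both ends
    opt_action: Optional[str]  # e.g. "log"

# Assumed grammar: Order Status Action Proto [Port] EP1 Dir EP2 [match k && k ...] [log]
RULE_RE = re.compile(
    r"^(?P<order>\d+)\s+(?P<status>ON|OFF)\s+(?P<action>allow|deny)\s+"
    r"(?P<proto>TCP|UDP|ANY)(?:\s+(?P<port>\d+))?\s+"
    r"(?P<ep1>\S+)\s+(?P<dir>>|<>)\s+(?P<ep2>\S+)"
    r"(?:\s+match\s+(?P<match>[\w&\s]+?))?(?:\s+(?P<opt>log))?\s*$"
)

def parse_tag_expr(expr):
    """'tier=web&app=shop' -> {'tier': 'web', 'app': 'shop'} (assumed syntax)."""
    return dict(kv.split("=", 1) for kv in expr.split("&"))

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    match = tuple(k.strip() for k in m["match"].split("&&")) if m["match"] else ()
    return Rule(int(m["order"]), m["status"] == "ON", m["action"], m["proto"],
                int(m["port"]) if m["port"] else None, parse_tag_expr(m["ep1"]),
                m["dir"], parse_tag_expr(m["ep2"]), match, m["opt"])

@dataclass
class Endpoint:
    """A workload and the tags attached to it, keyed by the scope they came from."""
    name: str
    tags_by_scope: dict = field(default_factory=dict)   # scope -> {key: value}

    def effective_tags(self):
        # Walk from global to interface so the most specific definition wins.
        eff = {}
        for scope in SCOPES:
            eff.update(self.tags_by_scope.get(scope, {}))
        return eff

def tags_match(expr, tags):
    return all(tags.get(k) == v for k, v in expr.items())

def rule_applies(rule, src, dst, proto, port):
    if not rule.enabled:
        return False
    if rule.proto != "ANY" and rule.proto != proto:
        return False
    if rule.port is not None and rule.port != port:
        return False
    s, d = src.effective_tags(), dst.effective_tags()
    forward = tags_match(rule.ep1, s) and tags_match(rule.ep2, d)
    reverse = rule.direction == "<>" and tags_match(rule.ep2, s) and tags_match(rule.ep1, d)
    if not (forward or reverse):
        return False
    # 'match deployment && site': both ends must carry the same value for each key.
    return all(k in s and s[k] == d.get(k) for k in rule.match_tags)

def evaluate(rules, src, dst, proto, port):
    """First matching rule (by Order) wins; default deny. Returns (verdict, order, opt_action)."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule_applies(rule, src, dst, proto, port):
            return rule.action, rule.order, rule.opt_action
    return "deny", None, None

# Constructed sample policy: the slide's rule plus an assumed web->db deny.
POLICY = [parse_rule(l) for l in [
    "5 ON allow TCP 80 tier=web > tier=app match deployment && site log",
    "9 ON deny ANY tier=web > tier=db",
]]

# Constructed workloads: tags come from different scopes, none of them IP-based.
def _wl(name, site, tier, tier_scope="vm"):
    return Endpoint(name, {"project": {"deployment": "prod"},
                           "network": {"site": site}, tier_scope: {"tier": tier}})

WEB_ONPREM = _wl("web-vm-1", "onprem", "web")
APP_ONPREM = _wl("app-bms-1", "onprem", "app", tier_scope="interface")
DB_ONPREM = _wl("db-bms-1", "onprem", "db")
WEB_AWS = _wl("web-ctr-aws", "aws", "web")
APP_AWS = _wl("app-ctr-aws", "aws", "app")

def demo():
    return {
        "web->app onprem": evaluate(POLICY, WEB_ONPREM, APP_ONPREM, "TCP", 80),
        "web->app aws": evaluate(POLICY, WEB_AWS, APP_AWS, "TCP", 80),
        "web->app cross-site": evaluate(POLICY, WEB_ONPREM, APP_AWS, "TCP", 80),
        "app->web reverse": evaluate(POLICY, APP_ONPREM, WEB_ONPREM, "TCP", 80),
        "web->db": evaluate(POLICY, WEB_ONPREM, DB_ONPREM, "TCP", 3306),
    }

if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:20s} -> {verdict}")
```

The same rule 5 allows web-to-app on port 80 inside the on-prem site and inside AWS, while the `match site` condition denies the cross-site flow; adding a third site adds workloads and tags, not rules.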
Application Traffic Visibility and Advanced Analytics
CLOUD NETWORKS AND SECURITY
• Single SDN deployment providing both connectivity & security across multiple environments
• Discovery of topology and activity within/across application tiers (underlay - overlay correlation)
• Centralized security policies with multiple distributed enforcement points (L2-L4, L7 using host-based firewall)
• Visualization for policy definition and reporting (troubleshooting, app flow discovery, etc.)
Single SDN with security, real-time analytics and operations automation (offering a connectivity & security layer for multiple environments): the Contrail Network Policy Framework spans virtual machines, containers, public cloud and bare metal.
Demo: Three-tier Web Application
Three-tier web application deployed in a multi-cloud environment:
• Mix of bare metal, VM, and public cloud
• Public cloud to private cloud connectivity using encrypted overlay tunneling
• Security and isolation provided by Contrail Security tag-based firewalling
(diagram: users on the Internet reach the web front-end; the web front-end, web application and database tiers are split between AWS and the on-prem data center (BMS and VM) and joined by an encrypted overlay; demo addresses 4.4.4.3, 5.5.5.3 and 6.6.6.3.)
Thank You!