Secured automation of the multicloud

Page 1

Secured automation of the multicloud

Page 2

CONFIDENTIALITY AND LEGAL NOTICE

This material contains information that is confidential and proprietary to Juniper Networks, Inc. Recipient may not distribute, copy, or repeat information in the document.

This statement of product direction sets forth Juniper Networks’ current intention and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted in this presentation.

Contrail program participants are subject to a license agreement that describes program terms and conditions.

Page 3

MACRO TRENDS

CLOUD TRENDS

Device Explosion

▪ Billions of connected / IoT devices

▪ Running applications in the cloud

Machine Learning & AI

▪ Device Explosion leads to data explosion

▪ ML / AI being key to monitor / detect / remediate issues (performance, security, etc.)

▪ NLP interfaces to devices

Cloud Migration

▪ Custom apps are being built in the Cloud

▪ Enterprises apps migrating to SaaS

Microservices / Scale-out Apps

▪ TTM of apps

▪ App portability & scalability

▪ Move from monolithic to microservices

Open Source Adoption

▪ Proprietary software perceived as ‘vendor lock-in’

▪ All layers of stack are open-sourced

Page 4

PUBLIC CLOUD

DISRUPTION IN ENTERPRISE

[Figure: two curves plotted over Time, Service Creation (Developers → Deployers) and Service Consumption (Consumer of Services). Labels: Enterprise Hosted Apps, Monolithic Apps, Private DC (IT), Private Cloud, Private / Colo, SaaS, PaaS, IaaS; curves: IaaS / PaaS / Hybrid Cloud Usage, SaaS Usage. Summary of the shifts: Enterprise Apps to SaaS; Monolithic to Scale-out Apps; Private / Colo to Hybrid Cloud.]

Page 5

[Figure layers: SERVICE OVERLAY, UNDERLAY, MGMT, CPE (Customer Branch)]

ENABLING & INTERCONNECTING MULTIPLE HETEROGENOUS ENVIRONMENTS

Multi-vendor Orchestration & Management

Multi-site DC / POP Private Clouds (VMs, BMS, Containers) / Legacy (VLAN-based, VMware)

VMware VMs Bare Metal

VLAN

VMs

BMS

Containers

Public Cloud

FIREWALL

VNF / PNF

Private Cloud

Legacy (VMware, BMS) Interconnect

VMs & Containers

Multi-DC Interconnect

Hybrid Cloud (Public Cloud Interconnect)

SaaS Clouds

IaaS (VMs & Containers)

NFV & Service Chaining (Mobility, CDNaaS)

SDWAN

Connected Cars / IoT, Telco Cloud, BMaaS, Public Cloud

SDN as a platform: Connect, secure, manage, operate

Page 6

FABRIC AND MULTICLOUD AUTOMATION

Page 7

ENHANCED NETWORK SERVICES DELIVERED ACROSS PRIVATE & PUBLIC/HYBRID CLOUD

SDN CONTROLLER

(Config, Control, Analytics, Svr Mgmt)

Health Check

DDI, FW, LB, L3 VN, L2 VN

Analytics, Svc Ch., Sec Policy, QoS

NETWORK SERVICES

SDN GW

Seamless Security & Connectivity Solution for Hybrid Env.

TOR Switch / TOR Switch or vRouter

VMs (ESXi, KVM), Containers, Bare Metal Servers

vRouter

A Fabric is a system that delivers networking (L2/L3) across connected endpoints.

A cloud delivers application services (logical networking, often called ‘overlay’) through cloud-native APIs, programming the networking behavior of the Fabric to connect endpoints according to the service logic.

[Figure: Fabric, Controller, API, User plane]

Page 8

Multicloud networking controller as a Platform

[Figure: Private cloud (physical/virtualized) with SDN/VPN Gateway, TOR, Spine, DC Computes running native Contrail workloads on vRouters, bare metal workloads and a PNF; native public cloud (VPC) with vRouter-based images; public cloud with Contrail (BMS, EC2 instances, Docker containers, VMs, Azure) under Contrail lifecycle management; a public cloud tenant SDN Controller in Contrail controller federation. Layers: Management, Control, Telemetry, Forwarding (extended IP Fabric). Protocols labelled on the links: XMPP, NETCONF, gRPC, BGP (IP, EVPN, IPVPN), IP / IPsec, EVPN/VXLAN, TLS/DTLS, REST/HTTPS, jflow.]

Page 9

MULTI-CLOUD SECURITY

Page 10

CHALLENGES OF TRADITIONAL SECURITY PARADIGM

▪ Security is Perimeter based – but perimeter is everywhere

▪ Explosion in # of apps, endpoints, environments on the one hand

▪ Explosion in # of threats, malware, spyware, hacking, attacks, data leaks on the other hand

▪ Results in Policy explosion – management complexity and nightmare

▪ Manual, error prone and non-automated. Does not scale.

What to protect

1. Applications
2. Number of endpoints
3. Environments – dev, prod, staging, on-prem, public cloud
4. …

What to protect against:

1. Data leaks
2. DDoS
3. Malware
4. Hacks
5. Viruses
6. Spyware, etc.

Policy explosion

The Security Scale Challenge

[Figure: Applications, Tiers, Environments on one axis; Threats, Malwares, etc. on the other]

Page 11

PROBLEM STATEMENT – SIMPLIFY & EXTEND SECURITY FRAMEWORK

Current Behavior | Desired Behavior

Can we use one policy to be applied in all the different deployments?

[Figure, current behavior: App1 with Web, App and db tiers deployed three times, Deployment = Dev (Network Policy = P1), Deployment = Staging (Network Policy = P2), Deployment = Prod (Network Policy = P3) … Desired behavior: the same App1 tiers in Dev, Staging and Prod under a single Policy = P.]

1. Reduced Complexity (less # of policies)
2. Simplified Manageability (change control, etc. is much easier)
3. Improved Scalability

Page 12

NEW SOLUTIONS - KEY REQUIREMENTS

Consistent Intent-Driven Policy

▪ How to extend the same set of policies to Mesos, AWS, Kubernetes, Bare Metal Servers → without policy rule explosion

▪ Single policy

▪ No Policy Rewrite …

▪ Define Once → Enforce Everywhere

[Figure: Security Admin defines policy once on the Controller; enforced across OpenStack, Mesos, AWS, Kubernetes and Bare Metal Servers, Site = US]

Application Policy Config & Flow Visualization

▪ Offer visualization, analytics, and orchestration for security configurations

▪ Provide reporting, troubleshooting and compliance

▪ Discover Inter- and Intra-application traffic flows with/without enforcing policies

Multiple Enforcement Points

▪ L4 Enforcement at the vRouter (Kernel, DPDK, vCenter, Smart NIC)

▪ L7 enforcement at the L7 Firewall

[Figure: Web, App, DB tiers with a Host-Based FW; Controller; Definition → Enforcement at L4 and L7]

Page 13

CONSISTENT POLICIES ACROSS ENVIRONMENTS

App Discovery, Tag based Policy & Visualization across heterogeneous and distributed environments (ESXi & KVM VMs, K8s / containers, bare-metal servers, Public Cloud, etc.)

Consistent security policies and enforcement across different environments

[Figure: Private Cloud DC and Public Cloud VPC / VN, each with Compute Nodes running vRouters, joined through a GW over Public or Private Internet or Direct Connect with Policy-based Encryption; CONTROLLER on top.]

Consistent Intent-driven Policy Configuration with Detailed Security Analytics / Prediction and Traffic Visualization along with compliance

Virtual Networking connects multiple heterogenous environments

Distributed enforcement of policies at L4 and L7

Page 14

INTENT-DRIVEN POLICIES

[Figure, Definition → Enforcement: endpoints in site = US and site = EMEA; Web and App tiers tagged App = Finance, Deployment = Dev; Web, App tagged App = Finance, Deployment = Prod; Web, App tagged App = Finance, Deployment = Staging; Legacy Data (tier = db) in each site, matched on deployment && site. Deployments: Dev, Production, Staging.]

Policy definition:

  allow TCP 80 tier=web > tier=app match deployment
  allow TCP 3036 tier=app > tier=db match site

Note: The concept of ‘match’ (patent-pending) is a big competitive differentiator that reduces the number of policy rules even further than what the competition can do …
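The two rules on this slide, as an added example that is my own code and not Contrail's implementation or API: a small evaluator for tag-based rules with the ‘match’ semantics (both endpoints must carry the same value for the matched tag), plus the per-deployment and per-site expansion that one ‘match’ rule replaces. The Rule fields, the default-deny behaviour and the tag dictionaries are assumptions for illustration.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    src_tier: str
    dst_tier: str
    match: tuple = ()    # tag keys whose values must agree on both endpoints
    pinned: tuple = ()   # (key, value) pairs fixed by expand(); empty for intent rules


# The two rules from the slide (port 3036 is taken verbatim from the deck).
POLICY = (
    Rule("TCP", 80, "web", "app", match=("deployment",)),
    Rule("TCP", 3036, "app", "db", match=("site",)),
)


def rule_permits(r, src, dst, proto, port):
    """One rule: direction and tiers must fit, pinned tags must equal the pinned
    value, and every 'match' tag must be present on src and equal on dst."""
    if (r.proto, r.port) != (proto, port):
        return False
    if src.get("tier") != r.src_tier or dst.get("tier") != r.dst_tier:
        return False
    if any(src.get(k) != v or dst.get(k) != v for k, v in r.pinned):
        return False
    # An endpoint missing a matched tag is never allowed: unlabelled workloads
    # fall into the default deny instead of silently matching everything.
    return all(k in src and src[k] == dst.get(k) for k in r.match)


def allowed(src, dst, proto, port, policy=POLICY):
    """Default deny: traffic passes only if some rule permits it."""
    return any(rule_permits(r, src, dst, proto, port) for r in policy)


def expand(policy, tag_values):
    """Rewrite each 'match' rule as the concrete per-environment rules an
    operator would otherwise have to write (P1, P2, P3 ... on the earlier slide)."""
    out = []
    for r in policy:
        for combo in product(*(tag_values[k] for k in r.match)):
            out.append(Rule(r.proto, r.port, r.src_tier, r.dst_tier,
                            pinned=tuple(zip(r.match, combo))))
    return out
```

With three deployments and two sites the two intent rules expand to five concrete rules, and both forms give the same verdict on every flow.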

Page 15

Conclusion - Controller key attributes & future

FABRIC MODES

▪ Virtual (vRouter)

▪ Physical and Virtual (TOR, vRouter/BMS)

▪ Physical

MULTI-CLOUD

▪ Multi-Site (Federated & Centralized Mgmt)

▪ Multi-Cloud connectivity, security & operations (Project Kenai, Project Katmai)

CONTAINER NETWORKING

▪ Industry standard CNI-based integration for Kubernetes, Mesos, OpenShift

▪ Seamless extensibility of Virtual Networks across BM/VM/Container environments

OPEN

▪ Open Source Product with a multi-vendor community

▪ Standard based

MULTI-VENDOR

▪ No vendor lock-in as Open Standards based (BGP, XMPP, etc.)

SCALE & PERFORMANCE

▪ Significantly higher scale across computes, virtual networks, policies, service chains etc.

▪ High Performance capabilities such as SmartIO

Page 16

Thank you