This week Nuage Networks is attending the Palo Alto Networks Ignite Cybersecurity Conference in sunny Las Vegas. Security policy orchestration in cloud networks has become a leading use case for SDN overlay networks, and we are showing off our capabilities with Palo Alto Networks VM-Series Next-Generation Firewalls along with Mirantis OpenStack cloud orchestration. The end result is a highly scalable, easily managed, secure infrastructure for large enterprises, service providers and carrier grade private clouds.
SDN Security Trends
Cloud requirements for on-demand, automated application deployments, run-anywhere services, and micro-segmentation have dramatically shaped SDN security solutions over the last couple of years. Virtual firewalls are proliferating as part of virtual overlay networks, while physical firewalls continue to play an important role at the network edge and at gateways. The proliferation of virtual firewall instances, configured on demand as part of application-specific overlay networks and carrying granular security policies that protect individual workloads, has multiplied the complexity of security policy lifecycle management: every workload that is created, moved or retired now implies a corresponding firewall policy change.
Nuage Networks solves these security challenges by bringing the same network and cloud orchestration capabilities from SDN to security policy automation, along with leading next-generation firewall capabilities from Palo Alto Networks, and cloud orchestration from Mirantis OpenStack.
Key Points of Integration
The following diagram provides a high-level view of the integration models with Palo Alto Networks next-generation firewalls and Panorama, Palo Alto Networks' management platform. The Nuage Networks Virtual Services Directory (VSD) is the policy repository for the Nuage SDN system. It maintains policy consistency across the Panorama security policy repository and the cloud management system, such as Mirantis OpenStack. The Virtual Services Controller (VSC) relays network and security device configuration updates, derived from the defined policies, to virtual network endpoints such as the Nuage Virtual Routing and Switching (VRS) component. To provide policy consistency across physical and virtual applications and networks, Nuage optionally provides the VRS-Gateway (VRS-G), a software gateway, or the Virtual Services Gateway (VSG), a hardware appliance. The VRS network endpoints can route traffic to either physical or virtual Palo Alto Networks firewall instances (see diagram). Palo Alto Networks next-generation firewalls, physical and virtual, bring secure application enablement and advanced threat prevention to private, public and hybrid cloud environments. They can be managed using the same management platform, Panorama™, ensuring that a consistent set of policies is maintained across private, public and hybrid cloud environments.
Key capabilities enabled in the joint solution include:
- Traffic steering to firewall instances – Application-specific security policies stored in the Nuage VSD configure VRS nodes to redirect traffic to an appropriate firewall before it reaches the destination workload. Because VRS has full layer-3 routing capabilities, it can redirect to any firewall instance regardless of where that instance sits, which makes the application location-independent: it can be moved between server racks, datacenters or cloud providers without re-plumbing the firewall path.
- Policy alignment between the Nuage SDN policy model and Palo Alto Networks security policies – The Palo Alto Networks next-generation firewall uses Dynamic Address Groups to build security policies (such as which classes of workloads can reach other workloads). The membership of these Dynamic Address Groups is populated with vport IP addresses from the Nuage Networks system, so that a Nuage Policy Group maps onto a Dynamic Address Group on the firewall. Dynamic Address Group based policies are thus aligned with the policy group constructs used in the Nuage Networks SDN system, and a firewall rule written in terms of workload roles follows the workloads as their IP addresses change.
- Event synchronization between management stations and SDN controllers – Once a firewall has been deployed as part of an overlay network, there is also a need to continuously monitor network events in the Nuage Networks VSD to ensure that any change is relayed to the Panorama™ manager. Changes to VM vports and Policy Group (PG) membership must be promptly synchronized; a vport that is deleted or moved to another policy group without a matching update on the firewall side leaves a rule that no longer matches the intended workload. The following diagram illustrates that concept. As a new policy group instance is created in the Nuage system, the corresponding firewall rules are automatically updated on the Panorama™ system.
Establishing a new application instance on a cloud network, with the appropriate security policy configuration and service insertion, consists of two main workflows: 1) setting up the virtual firewall instance, including the redirection rules that steer traffic to it, and 2) creating the overlay network VMs and configuring security policies based on the application-specific security requirements held in the Nuage Networks VSD.
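To make the policy alignment and event synchronization points concrete, here is an added example (not code from Nuage Networks, Palo Alto Networks or Mirantis) of the second workflow's control-plane logic: a constructed stream of VSD vport and policy-group events is replayed into an IP-to-tag view, the delta against the last synchronized state is computed, and the delta is serialized as a `uid-message` document, the XML format the PAN-OS XML API uses to register and unregister tags against IP addresses (Dynamic Address Groups then match on those tags). The event names, the `nuage-pg-` tag prefix and the event field layout are assumptions for illustration; the Nuage VSD API and the PAN-OS API version in use should be checked for the exact shapes.

```python
"""Added example: turn Nuage VSD policy-group membership events into PAN-OS
IP/tag registrations that keep Dynamic Address Groups in step with the overlay.
Event names and field layout are constructed for illustration, not real VSD output."""
import xml.etree.ElementTree as ET

TAG_PREFIX = "nuage-pg-"   # naming convention assumed here, not a vendor default


def tag_for_policy_group(pg_name):
    """Map a Nuage policy group name to the tag a Dynamic Address Group matches on."""
    return TAG_PREFIX + pg_name.lower().replace(" ", "-")


def apply_events(state, events):
    """Replay VSD vport events onto an {ip: set(tags)} view; returns a new dict."""
    state = {ip: set(tags) for ip, tags in state.items()}
    for ev in events:
        kind, ip = ev["event"], ev["ip"]
        if kind in ("VPORT_CREATED", "PG_MEMBERSHIP_CHANGED"):
            # membership is replaced wholesale so a moved workload loses its old role
            state[ip] = {tag_for_policy_group(pg) for pg in ev["policy_groups"]}
        elif kind == "VPORT_DELETED":
            state.pop(ip, None)
        else:
            raise ValueError(f"unknown VSD event {kind!r}")
    return state


def diff_registrations(old, new):
    """Return (register, unregister) as {ip: set(tags)} so only deltas are pushed."""
    register, unregister = {}, {}
    for ip in set(old) | set(new):
        added = new.get(ip, set()) - old.get(ip, set())
        removed = old.get(ip, set()) - new.get(ip, set())
        if added:
            register[ip] = added
        if removed:
            unregister[ip] = removed
    return register, unregister


def build_uid_message(register, unregister):
    """Serialize deltas as a uid-message for the PAN-OS XML API (type=user-id).
    Unregister entries are emitted first so a reused IP never briefly carries
    both the old workload's tags and the new one's."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for section, entries in (("unregister", unregister), ("register", register)):
        if not entries:
            continue
        sec = ET.SubElement(payload, section)
        for ip in sorted(entries):
            entry = ET.SubElement(sec, "entry", ip=ip)
            tags = ET.SubElement(entry, "tag")
            for tag in sorted(entries[ip]):
                ET.SubElement(tags, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def sync_cycle(state, events):
    """One synchronization pass: new state plus the deltas and the document to push."""
    new_state = apply_events(state, events)
    reg, unreg = diff_registrations(state, new_state)
    return new_state, reg, unreg, build_uid_message(reg, unreg)


# Constructed VSD event streams (illustrative, not captured from a real VSD)
VSD_EVENTS = [
    {"event": "VPORT_CREATED", "ip": "10.10.1.11", "policy_groups": ["Web Tier"]},
    {"event": "VPORT_CREATED", "ip": "10.10.2.21", "policy_groups": ["App Tier"]},
    {"event": "VPORT_CREATED", "ip": "10.10.3.31", "policy_groups": ["DB Tier"]},
]
VSD_EVENTS_LATER = [
    # a workload gains a second role; a DB workload is retired
    {"event": "PG_MEMBERSHIP_CHANGED", "ip": "10.10.2.21",
     "policy_groups": ["App Tier", "Monitoring"]},
    {"event": "VPORT_DELETED", "ip": "10.10.3.31"},
]

if __name__ == "__main__":
    s0, _, _, doc = sync_cycle({}, VSD_EVENTS)
    print(doc)
    s1, _, _, doc = sync_cycle(s0, VSD_EVENTS_LATER)
    print(doc)
```

The point worth keeping in mind is the unregister path: if a vport is deleted and its address is handed to a new VM before the old tags are removed, the new workload inherits whatever the old Dynamic Address Group permitted. Diffing against the last synchronized state, rather than only pushing creations, is what makes the firewall policy follow the overlay in both directions.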
Key Solution Benefits
Service providers who use the joint Nuage Networks-Mirantis-Palo Alto Networks solution for their OpenStack deployments may realize the following key benefits:
- Ease of Deployment and Operations. By simplifying both deployment and maintenance of your OpenStack cluster, the integration of Mirantis OpenStack and Nuage Networks reduces cost by enabling greater control, easier management, and more robust scalability.
- Security keeps pace with business requirements. Accelerate innovation, improve operational efficiency and compete by rapidly provisioning applications along with next-generation security to protect your OpenStack clouds.
- Next-generation security at scale. Security is now a resource that scales on-demand within your OpenStack cloud infrastructure and beyond the boundaries of any single service provider’s network.
- Enforce a Zero Trust (never trust, always verify) security model. Enable a Zero Trust security model across your OpenStack cloud, with traffic between workload groups inspected by a next-generation firewall rather than trusted because it is internal, to prevent and contain attacks across the entire attack lifecycle.
- Increased operational effectiveness, with fully integrated deployment, provisioning and management for OpenStack and SDN environments using OpenStack, Fuel, Palo Alto Networks VM-Series and Nuage Networks.
At Ignite 2016 in Las Vegas, Nuage Networks will be hosting several hands-on labs where attendees can become familiar with the joint solution, a breakout presentation, and demos showing how advanced security policy automation and cloud orchestration can be brought to your infrastructure.