Ian rae panel cloud stack & cloud storage where are we at, and where do we need to go
Published in Technology
Transcript

  • 1. Palo Alto Networks firewall orchestration using CloudStack
    • June 25th, 2013
    • Brian Torres-Gil, Ian Rae
    • www.paloaltonetworks.com, www.cloudops.com
  • 2. Overview
    • Intro to speakers
    • Project objectives
    • Approach
    • Solution overview
    • Demo (demo gods permitting)
    • FAQ
    • Next Steps
  • 3. Who?
    • Ian Rae, Founder and CEO, CloudOps
    • Brian Torres-Gil, Solutions Architect, Palo Alto Networks
  • 4. CloudOps Overview
    • CloudOps specializes in building, supporting and operating cloud computing platforms (private, public, and hybrid)
    • Unique expertise with load balancing built over 14 years of experience
    • Unique expertise with EUEM and APM from Coradiant background
    • Develops best-in-class cloud architectures and operational models
    • Customers in Canada, US and Europe
    • Based in Montreal, Canada
  • 5. Palo Alto Networks at a glance: Corporate highlights
    • Founded in 2005; first customer shipment in 2007
    • Safely enabling applications
    • Able to address all network security needs
    • Exceptional ability to support global customers
    • Experienced technology and management team
    • 1,000+ employees globally
  • 6. Palo Alto - Safe application enablement. Our fundamentally new approach:
    • Identify, control, and safely enable all applications by user
    • Inspect content for known and unknown threats in real time
    • High throughput and performance
    • Simplify infrastructure and reduce TCO
    • Enable diverse deployment scenarios
  • 7. Why? CloudStack virtual router:
    • For Advanced Networking it often handles NAT, LB, FW, VPN in addition to DHCP, DNS.
    • Great approach for horizontally scaled commodity networking services
    • BUT can be a bottleneck and a bit of a black box security-wise
  • 8. More Why.
    • Some clouds have important security requirements not met by CS-VR
    • There is often a need for greater visibility and advanced security services (i.e. content filtering)
    • Typical examples: Enterprise private clouds, PCI compliance for online business, Enterprise-targeted service providers, often telecom providers.
  • 9. What? Project Objectives
    • Support of CloudStack advanced network topology.
    • Support of multiple Palo Alto Networks firewalls.
    • Support of parallel deployment with hardware load-balancer (e.g.: Netscaler).
    • Configuration of connectivity with Palo Alto Networks firewall through CloudStack UI and persistence of this information.
    • Allow the selection of Palo Alto firewall when defining CloudStack network service offering for:
      – Firewall (Ingress & Egress)
      – Source NAT
      – Static NAT
      – Port forwarding
    • Communication layer with Palo Alto APIs.
    • Mapping of CloudStack APIs to corresponding Palo Alto APIs.
    • Proper display of Palo Alto connectivity status in CloudStack UI.
    • Functional/Integration testing on PA-3020 platform (version 5.0.0)
    • Full documentation of the solution (architecture, design, APIs)
  • 10. How?
  • 11. Example external device NSP
  • 12. How, in a picture. Solution overview
    • Note: VRs are not actually “inline”
  • 13. Pre-configure the Palo Alto device
    • Setup the Public and Private interfaces on the PA.
    • Pre-configure the Public interface according to the Public IP range in CS.
  • 14. Add the PA as a service provider
    • Add the PA device as a guest network service provider.
    • Enable the provider.
  • 15. Create a Network Offering
    • Expose the PA through a network offering.
    • PA provides: Source NAT, Static NAT, Port Forwarding and Firewall services.
    • Enable the new offering.
  • 16. Use the Palo Alto
    • Add a network using the service offering.
    • Launch a VM on the new network.
  • 17. Check what happened on the PA
    • A Source NAT IP is allocated on ‘ae1’.
    • A guest network has been setup on ‘ae2’.
    • A Source NAT rule now connects the guest network to the public IP.
    • A policy isolates the guest network.
  • 18. Egress firewall rules
  • 19. Static NAT rules
  • 20. Port Forwarding rules
  • 21. Ingress firewall rules
  • 22. FAQ
    • Q: Is it open source? A: Yes - will be contributed to CloudStack.
    • Q: What is it based on? A: Current dev is based on 4.2 Master branch circa a few weeks ago
    • Q: Which release of CS will it be included in? A: Depending on the next steps and funding, probably 4.3
    • Q: What’s planned next? A: Glad you asked
  • 23. More Information
    • Documentation is here! https://cwiki.apache.org/CLOUDSTACK/palo-alto-firewall-integration.html
    • Code is here: https://github.com/cloudops/cs_palo_alto/tree/palo_alto
    • Contact: @ianrae and @CloudOps_