Enterprise grade firewall and ssl termination to ac by will stevens

849 views

Published on

CloudOps has add support for enterprise grade security products in ACS. CloudOps has developed an integration with the Palo Alto Networks firewall appliance to enable ACS to orchestrate network features such as network creation, Source NAT, Static NAT, Port Forwarding and Firewall rules on the Palo Alto device. Additionally, CloudOps has extended ACS to support SSL certificate management as well as SSL termination by external load balancers. The existing ACS NetScaler plugin has been improved to support this new SSL termination functionality. The talk will cover the features added as well as a basic overview of how they are used.

Will Stevens is the Lead Developer at CloudOps. He has been directly involved in extending ACS to support more enterprise grade security functionality. Will has over 10 years experience as a software developer and is primarily focused on cloud integrations at CloudOps.

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
849
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
12
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide
  • TheCloudStack VR provides DHCP and DNS in this service offering.
  • Enterprise grade firewall and ssl termination to ac by will stevens

    1. 1. Enterprise Grade Security and SSL termination in ACS 4.3 December 3rd, 2013 @cloudops_ www.cloudops.com
    2. 2. Introductions • Will Stevens – Lead Developer @ CloudOps • CloudOps builds and operates clouds of all shapes and sizes • Develops cloud infrastructure solutions and operational models • 24x7x365 managed service for CloudStack based cloud infrastructures • Customers are global • Based in Montreal, Canada @cloudops_ www.cloudops.com
    3. 3. To be covered… • Palo Alto Networks firewall appliance integration – Feature overview – Challenges and decisions • SSL Termination added to ACS and implemented for NetScaler – Certificate management – SSL Termination overview @cloudops_ www.cloudops.com
    4. 4. Motivations for Palo Alto integration CloudStack virtual router: For Advanced Networking it often handles NAT, LB, FW, VPN in addition to DHCP, DNS. Great approach for horizontally scaled commodity networking services BUT can be a bottleneck and a bit of a black box security wise @cloudops_ www.cloudops.com
    5. 5. More reasons why • Customer driven - Palo Alto is an increasingly popular enterprise security product • Many enterprises require greater visibility and advanced policies (i.e. content filtering, heuristics, intrusion detection) • Use cases: Enterprise private clouds, PCI compliance, service providers to enterprise @cloudops_ www.cloudops.com
    6. 6. Resulting network services • CloudStack Virtual Router – DHCP – DNS • Palo Alto Service Provider – Source NAT – Firewall Rules (Ingress & Egress) – Static NAT – Port Forwarding @cloudops_ www.cloudops.com
    7. 7. Overview of the implementation @cloudops_ www.cloudops.com
    8. 8. Pre-configure the Palo Alto device • Setup a Virtual Router on the Palo Alto to handle the routing of the Public traffic • Setup a Static Route for the next hop @cloudops_ www.cloudops.com
    9. 9. Pre-configure the Palo Alto device • Setup the Public and Private interfaces on the PA • Pre-configure the Public interface according to the Public IP range in CS @cloudops_ www.cloudops.com
    10. 10. Add the PA as a service provider • Add the PA device as a guest network service provider • Enable the provider @cloudops_ www.cloudops.com
    11. 11. Create a Network Offering • Expose the PA through a network offering • PA provides: Source NAT, Static NAT, Port Forwarding and Firewall services • Enable the new offering @cloudops_ www.cloudops.com
    12. 12. Use the Palo Alto • Add a network using the service offering • Launch a VM on the new network @cloudops_ www.cloudops.com
    13. 13. What actually happened • A Source NAT IP is allocated on ‘ae1’ • A guest network has been setup on ‘ae2’ • A Source NAT rule now connects the guest network to the public IP • A policy isolates the guest network @cloudops_ www.cloudops.com
    14. 14. Egress firewall rules @cloudops_ www.cloudops.com
    15. 15. Ingress firewall rules @cloudops_ www.cloudops.com
    16. 16. Static NAT rules @cloudops_ www.cloudops.com
    17. 17. Port Forwarding rules @cloudops_ www.cloudops.com
    18. 18. Support for Palo Alto profiles • Added support for Palo Alto Networks ‘Security Profile Groups’ and ‘Log Forwarding Profiles’ • Globally configured at the device level (for now) and are associated with every ‘allow’ firewall rule • Enables basic support for IDS/IPS/Network AV threats, Wildfire (Anti-Malware), Data Protection, URL Filtering @cloudops_ www.cloudops.com
    19. 19. PA VM Appliance Support • Special considerations to support the Palo Alto virtual appliance • Simplify the implementation to the lowest common denominator • Using sub-interfaces instead of ‘vsys’ for configuration isolation • Ensuring support for the Palo Alto VM appliance enables support for Palo Alto running on the NetScaler SDX (currently in beta) @cloudops_ www.cloudops.com
    20. 20. Known limitations • Requires some initial configuration, it is not entirely plug and play (yet) • Currently only supports a single Public IP range • Public IP usage tracking is currently not handled • Fine grain control of ICMP is currently not handled • Not validating SSL certificates when ACS communicates with the Palo Alto device @cloudops_ www.cloudops.com
    21. 21. Changing gears… Next up: SSL Termination in ACS… @cloudops_ www.cloudops.com
    22. 22. SSL Termination in ACS • Developed by Syed Ahmed @ CloudOps • To be released in ACS 4.3 • Added Certificate management – – – – Supports Supports Supports Supports certificate verification certificate trust chains self-signed certificates encrypted private keys • Added a generic SSL Termination implementation to ACS for external load balancers • Added SSL Termination support for the NetScaler by extending the existing NetScalerplugin @cloudops_ www.cloudops.com
    23. 23. SSL Termination workflow Add SSL Termination 1) To create an SSL vserver on the NetScaler, use createLoadBalancerRule with the lb_protocol parameter set to SSL. 2) Upload the certificate to ACS using UploadSslCert(cert, key, chain, password_for_key) 3) Assign the certificate to the load balancer rule AssignCertToLoadBalancer(cert_id, lb_rule_id) Remove SSL Termination 1) Remove the cert from the load balancer removeFromLoadBalance(cert_id, lb_rule_id) 2) Remove the certificate @cloudops_ deleteSslCert(cert_id) www.cloudops.com
    24. 24. Associated APIs • Certificate Management – uploadSSLCert – deleteSSLCert – listSSLCerts • Load Balancer changes/additions – createLoadBalancerRule • use ‘lb_protocol=SSL’ to enable SSL termination – assignToLoadBalancerRule – removeFromLoadBalancerRule @cloudops_ www.cloudops.com
    25. 25. Additional notes • The implementation is not yet available in the UI, only via the API • Each certificate can be bound to multiple load balancer rules • Each load balancer rule can only be bound to one certificate – The bound certificate can be part of a chain • Does not support revocation lists (yet) FS: https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Ter mination+Support @cloudops_ www.cloudops.com
    26. 26. Questions ? Will Stevens www.cloudops.com @cloudops_ @cloudops_ www.cloudops.com

    ×