CN-Series: Kubernetes NGFW
July 2020
Raj Patil, Sudeep Padiyar
Agenda
● Comprehensive Cloud Native Security
● Container Network Security Use Cases
● Industry-first Kubernetes NGFW!!
● Demo
○ K8s Native Orchestration
○ URL Filtering for Outbound Security
○ Threat Prevention
● Product and Licensing Details
● Resources
2 | © 2019 Palo Alto Networks, Inc. All Rights Reserved.
Prisma Cloud
Comprehensive cloud native security across the entire application lifecycle
Pillars: Visibility & Governance, Compute Security, Network Protection, Identity Security
Capabilities:
● Asset Inventory
● Configuration Assessment
● Compliance Management
● IAM Governance
● Vulnerability Management
● Workload Security
● Network Visibility
● Microsegmentation
● Layer 7 Threat Protection
● Privileged Activity Monitoring
● User Entity Behavior Analytics
● Runtime Defense
A Multi-Layered Network Security Strategy
● Network Visibility
● Microsegmentation
● Layer 7 Threat Protection
Container Network Security with Prisma Cloud & NGFW
● Compute Security (Prisma™ Cloud, Vulnerability Management): Reduce risk and protect compute with runtime and application security
● Identity-based Microsegmentation (Prisma™ Cloud): Limit east-west traffic based on the machine and application identity
● Layer 7 Threat Protection (NGFW): Network-based detection and protection of compromised applications
Use Cases for VM-Series in Cloud
Customers deploy VM-Series in these scenarios in the cloud, for traffic crossing “trust boundaries” (VPCs in AWS, GCP / Subnets in Azure):
● Outbound: Stop data exfiltration
● East-West: Prevent lateral propagation
● Inbound: Block attackers from breaking in
[Diagram: Internet, NGFW, and the Ordering and Payments workloads]
Containers create blind spots for customers
Customers cannot protect all traffic flows using existing firewalls like VM-Series, for traffic crossing “trust boundaries” (namespaces in containers):
● Outbound: Lack of container context
● East-West: Lack of visibility and control
● Inbound: Lack of container context
[Diagram: Internet, K8s cluster with three nodes, CN NGFW, and the Ordering and Payments pods]
Introducing CN-Series (Containerized NGFW)
CN-Series provides comprehensive security for containerized applications by running a CN-Series NGFW on each node:
● Outbound: Stop data exfiltration with container context
● East-West: Prevent lateral propagation within container clusters
● Inbound: Container-level protection against break-ins
[Diagram: Internet, K8s cluster with three nodes, CN NGFW on each node, and the Ordering and Payments pods]
Introducing NGFW for Kubernetes
Complete NGFW Security for K8s
● Outbound protection for pods accessing VMs/servers, repos, etc.
● East-West protection between pods
● Inbound protection for K8s services
Container-Native Architecture
● Distributed PAN-OS architecture; CN-MGMT & CN-NGFW pods
Easy K8s-native Orchestration
● CN-NGFW runs as a DaemonSet (one command to deploy on all nodes)
● CN-MGMT runs as a StatefulSet
● Network insertion via CNI-chaining (standard for all CNI providers)
Context-aware Policies
● K8s Plugin for Panorama to enable context-aware policies
[Diagram: K8s cluster with three nodes, CN-MGMT, and the K8s Plugin]
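The “network insertion via CNI-chaining” bullet above relies on a standard CNI mechanism: a node’s network configuration list (conflist) runs its plugins in order, and an inspection plugin appended after the primary plugin sees every pod interface that plugin creates. The following is an added illustration of that insertion step, not code from the deck or from the CN-Series installer; the firewall plugin name and the sample configuration files are constructed placeholders, and a real deployment uses the vendor-documented plugin name and parameters.

```python
import json

# Constructed sample: Calico-style conflist; only the "plugins" array form
# supports chaining under the CNI spec.
SAMPLE_CONFLIST = json.dumps({
    "name": "k8s-pod-network", "cniVersion": "0.3.1",
    "plugins": [
        {"type": "calico", "ipam": {"type": "calico-ipam"}},
        {"type": "portmap", "capabilities": {"portMappings": True}},
    ],
})
# Constructed sample: legacy single-plugin .conf, which must be wrapped into
# a conflist before anything can be chained behind it.
SAMPLE_SINGLE_CONF = json.dumps({
    "name": "cbr0", "cniVersion": "0.3.1",
    "type": "flannel", "delegate": {"hairpinMode": True},
})
# Placeholder for the firewall's CNI plugin entry; the real plugin name and
# parameters come from the vendor documentation, not from this deck.
FIREWALL_PLUGIN = {"type": "example-ngfw-cni"}


def to_conflist(config_text: str) -> dict:
    """Parse a CNI config; wrap a single-plugin .conf into conflist form."""
    cfg = json.loads(config_text)
    if "plugins" in cfg:
        return cfg
    plugin = {k: v for k, v in cfg.items() if k not in ("name", "cniVersion")}
    return {"name": cfg["name"], "cniVersion": cfg.get("cniVersion", "0.3.1"),
            "plugins": [plugin]}


def chain_firewall(config_text: str, fw_plugin: dict = FIREWALL_PLUGIN) -> dict:
    """Append the firewall plugin behind the primary CNI plugin.
    Chained plugins run in list order, each receiving the previous result,
    so the firewall must follow the plugin that creates the pod interface.
    A second run is a no-op, which a DaemonSet reconciling every node needs.
    """
    cfg = to_conflist(config_text)
    if not cfg["plugins"]:
        raise ValueError("conflist has no primary network plugin")
    if any(p.get("type") == fw_plugin["type"] for p in cfg["plugins"]):
        return cfg
    cfg["plugins"].append(dict(fw_plugin))
    return cfg


def render(cfg: dict) -> str:
    """Serialise back to the text form written under /etc/cni/net.d."""
    return json.dumps(cfg, indent=2)
```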
CN-Series: Cloud Native Kubernetes Orchestration
GKE/AKS/EKS, OpenShift, Native K8s
Helm Installation Demo
Deploying CN-Series using Helm
[Diagram: GKE K8s cluster (Default-NS) with MP and DP pods, native K8s pods POD1 to POD N, Panorama with the K8s Plugin, Internet]
Helm Demo
URL Filtering Outbound Demo
Use case - Outbound Traffic Protection with URL Filtering
Acme Dev Cluster (namespaces Acme-Dev-ns and Acme-Staging-ns across three nodes); destination Github.com/PaloAltoNetworks
Source  | Destination | Application     | Action | Profile
Jenkins | Any         | Github-download | Allow  | Only Palo Alto Repo
Web App | Any         | Any             | Allow  | Any Repo
Demo
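The demo table above combines two separate decisions: the security rule matches the source workload and the App-ID (github-download), and only then does the attached URL profile decide which repositories that allowed application may reach. The following is an added model of that evaluation order, not code from the deck or from PAN-OS; the “Only Palo Alto Repo” profile is represented as a host/path prefix allow-list, which is an assumption about how the demo profile was built.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Rule:
    source: str           # workload name, or "Any"
    destination: str      # "Any" in both demo rules
    application: str      # App-ID name, or "Any"
    action: str           # "Allow" or "Deny"
    url_allow: list = field(default_factory=list)  # URL profile; empty = any


# The two rules from the Acme Dev Cluster demo table. The "Only Palo Alto
# Repo" profile is modelled as a host/path prefix allow-list (assumption).
RULES = [
    Rule("Jenkins", "Any", "github-download", "Allow",
         url_allow=["github.com/paloaltonetworks/"]),
    Rule("Web App", "Any", "Any", "Allow"),
]


def _host_path(url: str) -> str:
    """Normalise a URL to lower-case host plus path for prefix matching."""
    parts = urlparse(url)
    return (parts.netloc + parts.path).lower()


def evaluate(source: str, application: str, url: str, rules=RULES) -> str:
    """Return the verdict for one outbound flow.
    Security rules are matched first-match on source and App-ID; only then
    does the matching rule's URL profile decide whether this particular
    repository is reachable. No matching rule means an implicit deny.
    """
    for rule in rules:
        if rule.source not in ("Any", source):
            continue
        if rule.application not in ("Any", application):
            continue
        if rule.action != "Allow":
            return "deny:rule"
        if not rule.url_allow:
            return "allow"
        target = _host_path(url)
        if any(target.startswith(p) for p in rule.url_allow):
            return "allow"
        return "deny:url-profile"
    return "deny:no-match"
```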
Threat Prevention Demo
Graboid - First ever crypto-jacking worm
Use case - Outbound Traffic Protection with Anti-Malware
Acme Dev Cluster (namespaces Acme-Dev-ns and Acme-Staging-ns across three nodes)
Source               | Destination | Application | Action | Vulnerability Protection
Nginx (with Graboid) | Any         | Any         | Allow  | Strict
Graboid demo
Product Details
Supported Cloud Native Infrastructures
● Self-Managed: On-premises, Public Cloud
● Cloud-Managed
Software Versions
● PAN-OS: 10.0
● K8s Panorama Plugin: 1.0.0
● Container Runtime: Docker, CRI-O
● Provider Managed Kubernetes: Azure AKS, AWS EKS, GCP GKE, OpenShift 4.2
● Native K8s: 1.13, 1.14, 1.15
● Kubernetes Host VM OS: Ubuntu 16.04, 18.04; RHEL/CentOS 7.3+; CoreOS 21XX, 22XX
● CNI Plugins: Calico, Weave, Flannel, Azure, AWS
Performance (per core)
● App-ID: 500 Mbps
● Threat: 250 Mbps
Licensing
Pricing Model (Component: Approach; Rationale)
● Licensing: Number of CN-Series firewall units (total number of firewalls protecting K8s nodes); Rationale: Easy to understand, predict, and measure
● Licensing Model: Term-based; Rationale: Aligned with cloud pricing models
● Pricing Structure and Price Levels:
○ Basic Bundle: CN-Series + Support
○ Bundle One: CN-Series + Support + TP
○ Bundle Two: CN-Series + Support + TP + WildFire + URL + DNS
Rationale: Align with VM-Series bundle structure; align with VM pricing method
● License Terms: Term based (1 to 5 years); Rationale: Consistency with VM-Series licensing
● ELA: Part of VM ELA (7 tokens for CN-Series); Rationale: Enable VM ELA customers to adopt CN-Series easily
Resources
● Product Documentation
● Github
● Qwiklabs - Try it for free.
○ Request Qwiklab access: cn-seriessupport@paloaltonetworks.com
Thanks !


Editor's Notes

  • #3 Racquel
  • #4 Now, network security is not the end-all, be-all of container security. Prisma Cloud provides a comprehensive toolset for securing cloud native apps, inclusive of features that deliver governance, compute security and workload protection, and identity security. As you can see, CN-Series rounds out the Network Protection pillar with its layer 7 threat protection capabilities.
  • #5 When it comes to network security, micro-segmentation and segmentation in general is only part of the picture. To illustrate this point, let’s think about how we secure airports. In an airport, we install cameras so that the security team can see everything that’s going on. In the network security world, security cameras are akin to network visibility. They’re ideal for reactive investigative work after an incident has already taken place, but they’re most likely not going to help stop the incident from happening in the first place. A more proactive security measure is issuing every traveler a boarding pass. Boarding passes dictate where a traveler is allowed to go, just like micro-segmentation dictates where traffic can flow in an enterprise network. But boarding passes alone aren’t enough to prevent threats from getting into the airport or onto planes. A boarding pass has no concept of whether or not I’m carrying a weapon onto the plane. That’s why airport security uses metal detectors at strategic parts of the airport, forcing travelers through a deeper level of inspection for threats. This is the role that next-gen firewalls play in internal network security, as well.
  • #6 Palo Alto offers a suite of products. PCC: vulnerability management for containers in your CI/CD pipeline prior to containers being deployed, and runtime threat analytics on the host. Aporeto: reducing the scope of lateral attacks within your infrastructure by minimizing allowed connections; when an unpatched asset is potentially compromised, reduce the spread of the attack. NGFW: threat analytics for allowed connections at your network trust boundaries. Example: enforcing egress controls for traffic leaving my k8s cluster or VM environment. This is how both PayPal and Comcast mix NGFW with Aporeto’s capabilities.
  • #10 Racquel
  • #12  https://drive.google.com/file/d/1HmrKOOjx9V-w3-nRsPTGuDh593cEth8A/view?usp=drivesdk
  • #16 https://drive.google.com/file/d/1Eh99K3ngMW6G5VYRrFEyPoNo0QtIRhpj/view?usp=drivesdk
  • #19 https://drive.google.com/file/d/146tcBhjY-p39-tD1yFNI9o2zItKXjXfi/view?usp=drivesdk
  • #23 CN-Series can be deployed in self-managed Kubernetes environments hosted on-prem or in the public cloud. This includes RedHat OpenShift environments, as well. It can also be deployed into managed Kubernetes environments offered by cloud service providers. These environments include the Google Kubernetes Engine, Amazon’s Elastic Kubernetes Service, and the Azure Kubernetes Service. For an exhaustive list of supported environments, versions, and operating systems, reference the CN-Series data sheet.
  • #26 Racquel