CloudOps has added support for enterprise-grade security products in ACS. CloudOps has developed an integration with the Palo Alto Networks firewall appliance to enable ACS to orchestrate network features such as network creation, Source NAT, Static NAT, Port Forwarding and Firewall rules on the Palo Alto device. Additionally, CloudOps has extended ACS to support SSL certificate management as well as SSL termination by external load balancers. The existing ACS NetScaler plugin has been improved to support this new SSL termination functionality. The talk will cover the features added as well as a basic overview of how they are used.
Will Stevens is the Lead Developer at CloudOps. He has been directly involved in extending ACS to support more enterprise-grade security functionality. Will has over 10 years' experience as a software developer and is primarily focused on cloud integrations at CloudOps.
Enterprise grade firewall and SSL termination in ACS, by Will Stevens
1. Enterprise Grade Security and SSL termination in ACS 4.3
December 3rd, 2013
@cloudops_
www.cloudops.com
2. Introductions
• Will Stevens – Lead Developer @ CloudOps
• CloudOps builds and operates clouds of all shapes and sizes
• Develops cloud infrastructure solutions and operational models
• 24x7x365 managed service for CloudStack based cloud infrastructures
• Customers are global
• Based in Montreal, Canada
3. To be covered…
• Palo Alto Networks firewall appliance integration
– Feature overview
– Challenges and decisions
• SSL Termination added to ACS and implemented for NetScaler
– Certificate management
– SSL Termination overview
4. Motivations for Palo Alto integration
CloudStack virtual router: for Advanced Networking it often handles NAT, LB, FW, VPN in addition to DHCP and DNS.
Great approach for horizontally scaled commodity networking services, BUT it can be a bottleneck and a bit of a black box security-wise.
5. More reasons why
• Customer driven - Palo Alto is an increasingly popular enterprise security product
• Many enterprises require greater visibility and advanced policies (e.g. content filtering, heuristics, intrusion detection)
• Use cases: enterprise private clouds, PCI compliance, service providers to enterprise
8. Pre-configure the Palo Alto device
• Set up a Virtual Router on the Palo Alto to handle the routing of the Public traffic
• Set up a Static Route for the next hop
9. Pre-configure the Palo Alto device
• Set up the Public and Private interfaces on the PA
• Pre-configure the Public interface according to the Public IP range in CS
10. Add the PA as a service provider
• Add the PA device as a guest network service provider
• Enable the provider
11. Create a Network Offering
• Expose the PA through a network offering
• PA provides: Source NAT, Static NAT, Port Forwarding and Firewall services
• Enable the new offering
12. Use the Palo Alto
• Add a network using the service offering
• Launch a VM on the new network
13. What actually happened
• A Source NAT IP is allocated on ‘ae1’
• A guest network has been set up on ‘ae2’
• A Source NAT rule now connects the guest network to the public IP
• A policy isolates the guest network
18. Support for Palo Alto profiles
• Added support for Palo Alto Networks ‘Security Profile Groups’ and ‘Log Forwarding Profiles’
• Globally configured at the device level (for now) and associated with every ‘allow’ firewall rule
• Enables basic support for IDS/IPS/Network AV threats, Wildfire (Anti-Malware), Data Protection, URL Filtering
19. PA VM Appliance Support
• Special considerations to support the Palo Alto virtual appliance
• Simplify the implementation to the lowest common denominator
• Using sub-interfaces instead of ‘vsys’ for configuration isolation
• Ensuring support for the Palo Alto VM appliance enables support for Palo Alto running on the NetScaler SDX (currently in beta)
20. Known limitations
• Requires some initial configuration; it is not entirely plug and play (yet)
• Currently only supports a single Public IP range
• Public IP usage tracking is currently not handled
• Fine-grained control of ICMP is currently not handled
• Not validating SSL certificates when ACS communicates with the Palo Alto device
22. SSL Termination in ACS
• Developed by Syed Ahmed @ CloudOps
• To be released in ACS 4.3
• Added Certificate management
– Supports certificate verification
– Supports certificate trust chains
– Supports self-signed certificates
– Supports encrypted private keys
• Added a generic SSL Termination implementation to ACS for external load balancers
• Added SSL Termination support for the NetScaler by extending the existing NetScaler plugin
23. SSL Termination workflow
Add SSL Termination
1) To create an SSL vserver on the NetScaler, use createLoadBalancerRule with the lb_protocol parameter set to SSL.
2) Upload the certificate to ACS using UploadSslCert(cert, key, chain, password_for_key)
3) Assign the certificate to the load balancer rule: AssignCertToLoadBalancer(cert_id, lb_rule_id)
Remove SSL Termination
1) Remove the cert from the load balancer: removeFromLoadBalance(cert_id, lb_rule_id)
2) Remove the certificate: deleteSslCert(cert_id)
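As an added example (not code from the talk or from the ACS code base), here is a client-side Python sketch of the add/remove workflow above that builds the signed CloudStack API request for each step, using the HMAC-SHA1 request signing scheme the ACS API uses. Parameter and command names are assumed to be those of the released 4.3 API (`protocol` where the slide says lb_protocol; `certificate`, `privatekey`, `certchain`, `password`, `certid`, `lbruleid`; `removeCertFromLoadBalancer` for the removal step); the API key and secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
import urllib.parse

API_KEY = "EXAMPLE-API-KEY"        # constructed placeholders, not real keys
SECRET_KEY = "EXAMPLE-SECRET-KEY"


def sign_request(params, api_key=API_KEY, secret_key=SECRET_KEY):
    """Sign a CloudStack API call: add apikey, sort by lowercased name,
    URL-encode values, lowercase the whole string, HMAC-SHA1 it with the
    secret key and append the base64 digest as 'signature'."""
    query = dict(params, apikey=api_key, response="json")
    items = sorted(query.items(), key=lambda kv: kv[0].lower())
    encoded = "&".join(f"{k}={urllib.parse.quote(str(v), safe='*')}" for k, v in items)
    digest = hmac.new(secret_key.encode(), encoded.lower().encode(), hashlib.sha1).digest()
    signature = base64.b64encode(digest).decode()
    return encoded + "&signature=" + urllib.parse.quote(signature, safe="")


# Add step 1: a load balancer rule with protocol=ssl becomes an SSL vserver.
def create_ssl_lb_rule(public_ip_id, name="web-ssl"):
    return sign_request({"command": "createLoadBalancerRule", "name": name,
                         "publicipid": public_ip_id, "publicport": 443,
                         "privateport": 443, "algorithm": "roundrobin",
                         "protocol": "ssl"})

# Add step 2: upload cert and key; chain and key password are optional.
def upload_ssl_cert(cert_pem, key_pem, chain_pem=None, key_password=None):
    params = {"command": "uploadSslCert", "certificate": cert_pem,
              "privatekey": key_pem}
    if chain_pem:
        params["certchain"] = chain_pem    # trust chain up to the CA
    if key_password:
        params["password"] = key_password  # only for an encrypted key
    return sign_request(params)

# Add step 3: bind the cert (id from the upload response) to the rule.
def assign_cert(cert_id, lb_rule_id):
    return sign_request({"command": "assignCertToLoadBalancer",
                         "certid": cert_id, "lbruleid": lb_rule_id})

# Remove steps 1 and 2, in the order the slide gives: unbind, then delete.
def remove_cert(cert_id, lb_rule_id):
    return sign_request({"command": "removeCertFromLoadBalancer",
                         "certid": cert_id, "lbruleid": lb_rule_id})

def delete_ssl_cert(cert_id):
    return sign_request({"command": "deleteSslCert", "id": cert_id})
```

Each function returns the query string to send as a GET to the management server's /client/api endpoint; the lb rule id and cert id used by the later steps are read from the JSON responses of the earlier ones.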
25. Additional notes
• The implementation is not yet available in the UI, only via the API
• Each certificate can be bound to multiple load balancer rules
• Each load balancer rule can only be bound to one certificate
– The bound certificate can be part of a chain
• Does not support revocation lists (yet)
FS: https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Termination+Support