Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Nuage-Palo Alto Security Automation
Similar to Nuage-Palo Alto Security Automation (20)
Recently uploaded
Recently uploaded (20)
Nuage-Palo Alto Security Automation
- 1. © 2016 NOKIA. ALL RIGHTS RESERVED. NUAGE NETWORKS IS A NOKIA VENTURE. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION SDN Killer App Beyond Micro-Segmentation Security Automation, Visibility and Monitoring
- 2. © 2016 NOKIA. ALL RIGHTS RESERVED. NUAGE NETWORKS IS A NOKIA VENTURE. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION Agenda 1. Trends and Security Challenges 2. Nuage VSP Security 3. Palo Alto NGFW Integration 4. Demo 5. Q&A 9/23/2020 2
- 3. © 2016 NOKIA. ALL RIGHTS RESERVED. NUAGE NETWORKS IS A NOKIA VENTURE. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION Market Trends Driving New Security Requirements 9/23/2020 3 Private / Public / Hybrid • Security Automation • Multi-tenancy • Support Mobility • Mitigate lateral spread • Visibility to East/West Traffic • Fast Response Threat LandscapeMove to Cloud
- 4. © 2016 NOKIA. ALL RIGHTS RESERVED. NUAGE NETWORKS IS A NOKIA VENTURE. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION SDN can help address these challenges! Challenges with Existing Data Center Security Model • Lack of visibility to east/west traffic • Detection is hard, slow • Complex to manage ACL lifecycle • Service insertion is manual • Lack of sufficient segmentation • Limited by static network topology Protection Detection Operations 9/23/2020 4
- 5. © 2016 NOKIA. ALL RIGHTS RESERVED. NUAGE NETWORKS IS A NOKIA VENTURE. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION Micro-Segmentation reduces risks with “Zero-Trust” Model Benefits Enforce security between end-points anywhere Restricts lateral movement of malware Use Cases High value asset protection PCI compliance Restrict shared services access Securing east/west application traffic Gartner, Network Security Architectures for Virtualized Data Centers, Joerg Fritsch, 10 August 2015 Untrusted Zone Outside (South) DMZ Trusted Zone Restricted Zone SQL VoIPLaurel App 1 WWW Mobile Index Mail DB Stuttgart Amsterdam Hardy DB Record Domain Big Data Search Perimeter Perimeter Perimeter Figure 2. Microsegmentation is Changing the Network Security Architecture 9/23/2020 5
- 6. © 2016 NOKIA. ALL RIGHTS RESERVED. NUAGE NETWORKS IS A NOKIA VENTURE. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION Secure multi-tenancy Isolation based on virtual networks Logical segmentation using policy groups Distributed L4 stateful firewall Supports bare-metal, VMs, containers Nuage VSP enables Flexible Segmentation for ANY End-point Tenant 1 Virtual Network 1 (PCI Domain) Virtual Network 2 (Non PCI Domain) E-commerce front-end Policy Group E-commerce back-end Policy Group Web Tier/ Policy Group App Tier/ Policy Group Data Tier/ Policy Group 9/23/2020 6
- 7. © 2016 NOKIA. ALL RIGHTS RESERVED. NUAGE NETWORKS IS A NOKIA VENTURE. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION Automate security service insertion based on forwarding policy Automate security provisioning at the time of workload instantiation, removal Automate enterprise wide security enforcement to ensure compliance Security Automation with Nuage VSP Global Policy Template Hypervisor ACL Config Network Security Application Team Application Specific Policy Hypervisor ACL Config 9/23/2020 7
- 8. © 2016 NOKIA. ALL RIGHTS RESERVED. NUAGE NETWORKS IS A NOKIA VENTURE. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION Visibility and Security Monitoring in Virtual Networks • Contextual Flow Visibility • Application Flow Detection • Security Alerts • Monitoring Reports • ACL Flow Logging • Policy based Mirroring Web App DB 9/23/2020 8
- 9. © 2016 NOKIA. ALL RIGHTS RESERVED. NUAGE NETWORKS IS A NOKIA VENTURE. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION Nuage Networks Integration with Palo Alto Networks Next Generation Firewall 9/23/2020 9
- 10. © 2016 NOKIA. ALL RIGHTS RESERVED. NUAGE NETWORKS IS A NOKIA VENTURE. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION Nuage VSP and Palo Alto Networks VM-Series …joint integration brings advanced security for SDN enabled data centers VM-1000-HV Panorama Nuage VSP • Dynamic and transparent insertion of VM- Series as security service during workload deployment • Automated security policy updates • Micro segmentation of applications and data • Prevention of known and unknown threats • Protection from lateral movement of cyberattacks
- 11. © 2016 NOKIA. ALL RIGHTS RESERVED. NUAGE NETWORKS IS A NOKIA VENTURE. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION Nuage Networks VSP integration with Palo Alto Networks for Advanced Security and Security Automation Security Automation Policy based insertion of physical or virtual security services Policy based security automation for any workload Advanced Security Controls Application based micro- segmentation Advanced threat protection Virtualized Services Directory Virtualized Services Controller HYPERVISOR Virtualized Router/Switch Physical Gateway HYPERVISOR Virtual Gateway API calls Event & Policy Synchronization 9/23/2020 11
- 12. © 2016 NOKIA. ALL RIGHTS RESERVED. NUAGE NETWORKS IS A NOKIA VENTURE. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION Use Case: Secure your high value assets 12 …with network and application-level micro segmentation and advanced threat protection Intra-Tier Segmentation with Nuage L3/L4 Distributed Firewall Inter-Tier Segmentation with Palo Alto Networks VM-Series NOVANEUTRON
- 13. © 2016 NOKIA. ALL RIGHTS RESERVED. NUAGE NETWORKS IS A NOKIA VENTURE. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION Demo Overview Micro-segmentation using Nuage policy groups and Layer 4 distributed firewall Security automation to dynamically move VM to suspect tier based on alerts Security policy automated dynamically to include suspect VM using Palo Alto Networks Integration Advanced security protection with Palo Alto Networks VM-Series NGFW 9/23/2020 13 WEB-Tier APP-Tier SUSPECT-Tier External network DB-Tier VM1 VM2 VM3
- 14. © 2016 NOKIA. ALL RIGHTS RESERVED. NUAGE NETWORKS IS A NOKIA VENTURE. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION Overcoming DeJaVu ..an example of a targeted attack for achieving lateral movement within data centers Apache Web Server IBM WebSphere Application Server MySQL Database Server Remote code injection over SOAP/HTTP(S) Root privileges Exfiltration of data CVE 2015-7450
- 15. © 2016 NOKIA. ALL RIGHTS RESERVED. NUAGE NETWORKS IS A NOKIA VENTURE. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION Physical / Baremetal Containers / PaaS PODPODPODVM VMVMVM VMVM Openstack /CloudstackMulti-Hypervisor Nuage VSP with Palo Alto Networks Delivers Advanced Security, Automation and Visibility for ANY workload Summary Micro-Segmentation Advanced Protection Security Automation Visibility & Security Monitoring 9/23/2020 15
- 16. © 2016 NOKIA. ALL RIGHTS RESERVED. NUAGE NETWORKS IS A NOKIA VENTURE. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION Resources Nuage Networks Micro-Segmentation and Security Automation White Paper http://bit.ly/microsegmentation Nuage Networks Micro-Segmentation, Automation and Visibility Demo with Palo Alto Networks NGFW http://bit.ly/nuage-pan-security-demo Nuage Networks VSP integration with Palo Networks NGFW Solution Brief http://bit.ly/nuage-pan-solution 9/23/2020 16
- 17. © 2016 NOKIA. ALL RIGHTS RESERVED. NUAGE NETWORKS IS A NOKIA VENTURE. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION 9/23/2020 17 THANK YOU
Editor's Notes
- There are 2 key drivers we see that is driving new security requirements for how enterprises secure applications and data. First, with the move to virtualization and cloud, networking and security needs to evolve to not be a bottleneck. security boundaries based on perimeter and traditional trust model breaks down as the infrastructure is shared between multiple tenants and we can no longer assume anything is trusted inside the data center network. 2nd the threat landscape is evolving and attacks are not only getting past existing security controls but are also harder to detect as they laterally move through various systems inside the data center
- Existing security model cannot effectively address these new security requirements. First, current protection model in Enterprise datacenters is largely perimeter-centric. Only the traffic gets through the firewall into a zone there is very little segmentation to prevent malware from spreading from one server to another within the same zone. In addition, the firewalls are placed in specific points in the network and security zoning is based on static network topology. If workloads are moved around within the data center or to another data center or cloud the security policies don’t move with the workloads and requires manual intervention to re-configure. Second, with the increasing attack sophistication and evolving threat landscape we cannot assume that all attacks can be prevented by protective controls. Currently there is no visibility to east/west application traffic inside the data center as it is impossible to . Visibility and security analytics are key to help detect attacks. Last but not least, the current security provisioning model for applications is largely manual and device-centric. It can take weeks in an enterprise to provision firewall policies for a new application deployment and obtain the approvals from various stakeholders. In addition, the ACLs themselves are a challenge to manage.. ACLs are based on IP addresses and subnets and arent mapped to applications. As a result, ACLs are not touched even though the application is de-commissioned. This doesn’t scale for cloud environment and presents a bottleneck. Nuage SDN (VSP) together with security eco-system partners (such as PANW and others) can help address these challenges.
- One of the key capabilities enabled by SDN to address the new security requirements is micro-segmentation. Micro-segmentation is the ability to insert a security service between between any two end-points (VMs or containers or BM) in the same broadcast domain. Instead of assuming any traffic that goes based a DMZ or internal firewall is trusted, one can enforce security between various application components / tiers (such as web/app/db) inside the data center or even security within a particular tier of an application. In a micro-segmented environment, security is enforced in every end-point and hence we no longer need to assume trust based on static boundaries.. All east/west traffic can be inspected and appropriate security controls applied with distributed security controls closer to the workload. A key benefit of micro-segmented environment when appropriate policies are in place is to contain the spread of malware from one server to another. If policy is enforced at each end-point/server where workload resides (as with Nuage SDN and few others) with distributed firewall, policies can follow workloads and you get security anywhere in the network and enable mobility. Clearly moving an entire enterprise data center from current model to a micro-segmented environment is not a simple under-taking. What we are seeing from enterprise customers are they are picking specific use cases for micro-segmentation. Severa financials are picking high value assets/applications as a key use case. We also see compliance as a key use case where customers want to use micro-segmentation to reduce the scope of PCI compliance. Another key use case is restricting access to shared services such as backup infrastructure that various services can connect to address the lateral spread using shared infra as a channel.
- The intent of this slide is to go a little bit into “HOW” Nuage VSP solution delivers secure multi-tenancy and micro-segmentation. There are three key abstractions that enables Nuage SDN to support these capabilities. First is the concept of tenant to provide separation of organization from organization/adminsitrative perspective. 2nd is the the concept of virtual networks / domain. The 3rd key concept is policy based grouping to offer logical segmentation. Nuage VSP SDN solution is a software based network virtualization and distributed security platform that offers the ability to create multi-tenant, isolated virtual networks / domains on top of any IP based physical network. Unlike some of the competitive alternatives, Nuage SDN solution can work with any IP based underlay network and can support multi-hypervisors (ESXi, KVM), containers, PaaS (openshift)/Orchestration (kubernetes) Nuage VSP SDN solution supports logical segmentation of application end-points based on logical context (such as app-tier, app lifecycle, compliance requirements) using the concept of policy groups/zones rather than requiring segmentation policies to be defined and enforced based on IP subnets/VLANs. This abstraction provide the capability to enforce security even as workloads move in the datacenter and cloud environment.
- Security automation is a key requirement for cloud and modern data center environment. With Nuage VSP platform. There are 3 key areas of security automation as it pertains to automating security for distributed applications. First, one the key areas to address is compliance. Enterprise security teams define a set of security policies that their IT environment including network, compute and storage needs to adhere to. With Nuage VSP, these enterprise wide network security policies can be centrally defined in a logical template and automatically enforced in every virtual network that is instantiated based on the template. Another use of this template is to automate security policy to say a new worm or a virus at every workload by simply adding a global policy in the template to block a specific set of ports/protocols without having to configure every firewall in the data center. Second area of automation is actually provision security policies for a application deployment – both new as well as expansion of capacity for an existing application. With the current provisioning model, it can take weeks to implement a ACL with all the approvals in the organization. With Nuage SDN, security policies (ACLs) are automatically pushed to every end-point where the workload is brought up and enforced using L4 distributed firewall. In addition, we can also insert advanced security services such as NGFW (PANW and others) based on forwarding policies. The insertion and configuration of advanced security services such as NGFW is today manual. With Nuage integration with NGFW that you will see in the PANW integration demonstration not only is the insertion of security services be automated via policies but the policies for a new workload instance that is spun is automatically configured by our integration with NGFW.
- Several organizations lack the visibility to east/west application traffic inside the data center. This makes is harder to figure out what is going on inside the data center network as well as detect some advanced threats. Nuage VSP offers rich set of capabilities such as ACL allow/deny logs with additional context such as Policy group. In addition, traffic can be selectively mirrored based on policy to security analytics tools to further analyze traffic for detection. VSP also provides stats and threshold crossing alerts to automate abnormal events such as increase in policy violations (# ACL denys) etc. Beyond security operations, the ACL allow/deny logs can be used to address the problem of defining policies can micro-segmentation. By using ACL logs one visualize application flows and drive policies based on actual application traffic ,to build a whitelist policy model.
- Nuage VSP can automate insertion of both physical and virtual Palo alto networks NGFW and provide the ability to protect any workload (bare-metal, virtual – multi-hypervisor KVM/ESXi, containers)
- Challenge Granular segmentation of virtual workloads Security policy enforcement tied to workload mobility Application segmentation and protection against advanced threats Joint Integration L3/L4 distributed firewall for reduces attack surface area with L4 segmentation VM-Series provides application level micro-segmentation and protection against advanced threats Benefits: Automation and correlation for reduced TCO Meet compliance mandates
- Key differentiation of Nuage Networks integrated solution with Palo Alto is the ability to provide micro-segmentation with advanced security, automation and visibility for heterogeneous environments: multi-hypervisor, multi-cloud mgmt systems (Openstack/Cloud), multiple workload type (VM. Container, bare-metal) etc.