There are two key drivers that we see driving new security requirements for how enterprises secure applications and data.
First, with the move to virtualization and cloud, networking and security need to evolve so that they do not become a bottleneck. Security boundaries based on the perimeter and the traditional trust model break down as the infrastructure is shared between multiple tenants, and we can no longer assume that anything inside the data center network is trusted.
Second, the threat landscape is evolving: attacks are not only getting past existing security controls but are also harder to detect as they move laterally through various systems inside the data center.
The existing security model cannot effectively address these new security requirements.
First, the current protection model in enterprise data centers is largely perimeter-centric. Once traffic gets through the firewall into a zone, there is very little segmentation to prevent malware from spreading from one server to another within the same zone. In addition, firewalls are placed at specific points in the network and security zoning is based on static network topology. If workloads are moved around within the data center, or to another data center or cloud, the security policies don't move with the workloads and manual intervention is required to re-configure them.
Second, with increasing attack sophistication and an evolving threat landscape, we cannot assume that all attacks can be prevented by protective controls. Currently there is no visibility into east/west application traffic inside the data center, as it is impossible to . Visibility and security analytics are key to detecting attacks.
Last but not least, the current security provisioning model for applications is largely manual and device-centric. It can take weeks in an enterprise to provision firewall policies for a new application deployment and obtain approvals from the various stakeholders. In addition, the ACLs themselves are a challenge to manage: ACLs are based on IP addresses and subnets and aren't mapped to applications. As a result, ACLs are left untouched even after the application is decommissioned. This doesn't scale for cloud environments and presents a bottleneck.
Nuage SDN (VSP), together with security ecosystem partners (such as PANW and others), can help address these challenges.
One of the key capabilities enabled by SDN to address the new security requirements is micro-segmentation. Micro-segmentation is the ability to insert a security service between any two end-points (VMs, containers or bare metal) in the same broadcast domain. Instead of assuming that any traffic that has passed through a DMZ or internal firewall is trusted, one can enforce security between the various application components/tiers (such as web/app/db) inside the data center, or even within a particular tier of an application.
In a micro-segmented environment, security is enforced at every end-point, and hence we no longer need to assume trust based on static boundaries. All east/west traffic can be inspected and appropriate security controls applied, with distributed security controls closer to the workload.
A key benefit of a micro-segmented environment, when appropriate policies are in place, is containing the spread of malware from one server to another. If policy is enforced with a distributed firewall at each end-point/server where the workload resides (as with Nuage SDN and a few others), policies can follow workloads: you get security anywhere in the network and enable mobility.
Clearly, moving an entire enterprise data center from the current model to a micro-segmented environment is not a simple undertaking. What we are seeing from enterprise customers is that they are picking specific use cases for micro-segmentation. Several financials are picking high-value assets/applications as a key use case. We also see compliance as a key use case, where customers want to use micro-segmentation to reduce the scope of PCI compliance. Another key use case is restricting access to shared services, such as backup infrastructure that various services connect to, in order to address lateral spread that uses shared infrastructure as a channel.
The intent of this slide is to go a little bit into “HOW” the Nuage VSP solution delivers secure multi-tenancy and micro-segmentation.
There are three key abstractions that enable Nuage SDN to support these capabilities. First is the concept of a tenant, which separates one organization from another from an administrative perspective. Second is the concept of virtual networks/domains. The third key concept is policy-based grouping to offer logical segmentation.
The Nuage VSP SDN solution is a software-based network virtualization and distributed security platform that offers the ability to create multi-tenant, isolated virtual networks/domains on top of any IP-based physical network. Unlike some of the competing alternatives, the Nuage SDN solution works with any IP-based underlay network and supports multiple hypervisors (ESXi, KVM), containers, PaaS (OpenShift) and orchestration (Kubernetes).
The Nuage VSP SDN solution supports logical segmentation of application end-points based on logical context (such as app tier, app lifecycle or compliance requirements) using the concept of policy groups/zones, rather than requiring segmentation policies to be defined and enforced based on IP subnets/VLANs. This abstraction provides the capability to enforce security even as workloads move in the data center and cloud environment.
Security automation is a key requirement for cloud and modern data center environments.
With the Nuage VSP platform, there are three key areas of security automation as it pertains to securing distributed applications.
First, one of the key areas to address is compliance. Enterprise security teams define a set of security policies that their IT environment, including network, compute and storage, needs to adhere to. With Nuage VSP, these enterprise-wide network security policies can be centrally defined in a logical template and automatically enforced in every virtual network that is instantiated from the template. Another use of this template is to automate the security response to, say, a new worm or virus at every workload, by simply adding a global policy in the template to block a specific set of ports/protocols without having to configure every firewall in the data center.
The second area of automation is provisioning security policies for an application deployment, both for new applications and for capacity expansion of an existing application. With the current provisioning model, it can take weeks to implement an ACL with all the approvals in the organization. With Nuage SDN, security policies (ACLs) are automatically pushed to every end-point where the workload is brought up and enforced using an L4 distributed firewall. In addition, we can also insert advanced security services such as an NGFW (PANW and others) based on forwarding policies.
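To make the template and policy-group model concrete, here is an added, constructed illustration (not Nuage's code or API): rules are matched on policy groups rather than IP addresses, template rules are inherited by every domain and take precedence over a domain's local rules, and unmatched traffic falls to an implicit deny. All class, group and workload names are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Optional
# Constructed model of template-driven, policy-group-based L4 rules; not Nuage's real API.
@dataclass(frozen=True)
class Rule:
    src_group: Optional[str]  # policy group name; None matches any group
    dst_group: Optional[str]
    proto: str                # "tcp", "udp" or "any"
    dport: Optional[int]      # destination port; None matches any port
    action: str               # "allow" or "deny"

    def matches(self, sg: str, dg: str, proto: str, dport: int) -> bool:
        return (self.src_group in (None, sg) and self.dst_group in (None, dg)
                and self.proto in ("any", proto) and self.dport in (None, dport))

@dataclass
class Domain:
    """One virtual network instantiated from a shared enterprise template."""
    template_rules: list                          # enterprise-wide, enforced in every domain
    local_rules: list = field(default_factory=list)
    groups: dict = field(default_factory=dict)    # workload -> policy group
    addrs: dict = field(default_factory=dict)     # workload -> current IP (never used to match)

    def move_workload(self, name: str, new_ip: str) -> None:
        # Mobility: the workload lands on another host/subnet but keeps its policy group.
        self.addrs[name] = new_ip

    def evaluate(self, src: str, dst: str, proto: str, dport: int) -> str:
        """Decision the distributed firewall at the destination end-point would take."""
        sg, dg = self.groups[src], self.groups[dst]
        # Template rules are checked first, so a global block cannot be overridden locally;
        # traffic no rule matches falls through to the implicit deny (whitelist model).
        for rule in self.template_rules + self.local_rules:
            if rule.matches(sg, dg, proto, dport):
                return rule.action
        return "deny"

# Enterprise template: block SMB everywhere, e.g. in response to a worm spreading over it.
TEMPLATE = [Rule(None, None, "tcp", 445, "deny")]

def demo_domain() -> Domain:
    """Three-tier app: web -> app on 8080 and app -> db on 3306 are the only allowed flows."""
    return Domain(
        template_rules=TEMPLATE,
        local_rules=[Rule("web", "app", "tcp", 8080, "allow"),
                     Rule("app", "db", "tcp", 3306, "allow"),
                     Rule("web", "app", "tcp", 445, "allow")],  # local allow, overruled by template
        groups={"web1": "web", "app1": "app", "db1": "db"},
        addrs={"web1": "10.0.1.10", "app1": "10.0.2.10", "db1": "10.0.3.10"})
```

Because the decision depends only on policy-group membership, moving a workload to a new address changes nothing about which flows are permitted.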
Today, the insertion and configuration of advanced security services such as an NGFW is manual. With the Nuage integration with the NGFW, which you will see in the PANW integration demonstration, not only is the insertion of security services automated via policies, but the policies for a newly spun-up workload instance are automatically configured by our integration with the NGFW.
Several organizations lack visibility into east/west application traffic inside the data center. This makes it harder to figure out what is going on inside the data center network, as well as to detect some advanced threats.
Nuage VSP offers a rich set of capabilities, such as ACL allow/deny logs with additional context such as the policy group. In addition, traffic can be selectively mirrored, based on policy, to security analytics tools for further analysis and detection. VSP also provides statistics and threshold-crossing alerts to automatically flag abnormal events such as an increase in policy violations (number of ACL denies).
Beyond security operations, the ACL allow/deny logs can be used to address the problem of defining policies for micro-segmentation. By using ACL logs one can visualize application flows and drive policies based on actual application traffic, to build a whitelist policy model.
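As an added example of the log-driven approach described above (not code from Nuage or the page, and using a constructed key=value log format rather than VSP's real log syntax), the script below aggregates allowed flows from policy-group-tagged ACL logs into group-to-group rules and emits a whitelist that ends in a catch-all deny. Rare flows are set aside for review instead of being whitelisted automatically.

```python
import re
from collections import Counter

# Constructed ACL log lines (illustrative format, not Nuage's actual log syntax): each line
# records one flow decision together with the policy groups of source and destination.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z action=allow src=10.0.1.10 dst=10.0.2.10 proto=tcp dport=8080 src_pg=web dst_pg=app
2024-05-01T10:00:02Z action=allow src=10.0.1.11 dst=10.0.2.10 proto=tcp dport=8080 src_pg=web dst_pg=app
2024-05-01T10:00:03Z action=allow src=10.0.2.10 dst=10.0.3.10 proto=tcp dport=3306 src_pg=app dst_pg=db
2024-05-01T10:00:04Z action=allow src=10.0.1.10 dst=10.0.3.10 proto=tcp dport=3306 src_pg=web dst_pg=db
2024-05-01T10:00:05Z action=deny src=10.0.1.10 dst=10.0.2.10 proto=tcp dport=22 src_pg=web dst_pg=app
2024-05-01T10:00:06Z action=allow src=10.0.2.11 dst=10.0.3.10 proto=tcp dport=3306 src_pg=app dst_pg=db
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_log(text: str):
    """Yield one dict of key=value fields per non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            yield dict(KV.findall(line))

def observed_flows(text: str) -> Counter:
    """Aggregate allowed flows by (src_pg, dst_pg, proto, dport); IPs are dropped so the
    result describes application tiers, not addresses, and survives workload moves."""
    flows = Counter()
    for f in parse_log(text):
        if f["action"] == "allow":
            flows[(f["src_pg"], f["dst_pg"], f["proto"], int(f["dport"]))] += 1
    return flows

def build_whitelist(flows: Counter, min_count: int = 2):
    """Turn observed group-to-group flows into allow rules ending in a catch-all deny.
    Flows seen fewer than min_count times go to a review list instead of the whitelist:
    a one-off connection (here web -> db) may be a misconfiguration or lateral movement."""
    rules, review = [], []
    for (spg, dpg, proto, dport), n in sorted(flows.items()):
        rule = {"src_pg": spg, "dst_pg": dpg, "proto": proto, "dport": dport, "action": "allow"}
        (rules if n >= min_count else review).append(rule)
    rules.append({"src_pg": "any", "dst_pg": "any", "proto": "any", "dport": "any", "action": "deny"})
    return rules, review
```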
Nuage VSP can automate the insertion of both physical and virtual Palo Alto Networks NGFWs and provides the ability to protect any workload (bare-metal, virtual with multi-hypervisor KVM/ESXi, containers).
Challenge
Granular segmentation of virtual workloads
Security policy enforcement tied to workload mobility
Application segmentation and protection against advanced threats
Joint Integration
L3/L4 distributed firewall reduces the attack surface with L4 segmentation
VM-Series provides application level micro-segmentation and protection against advanced threats
Benefits:
Automation and correlation for reduced TCO
Meet compliance mandates
The key differentiation of the Nuage Networks integrated solution with Palo Alto Networks is the ability to provide micro-segmentation with advanced security, automation and visibility for heterogeneous environments: multi-hypervisor, multiple cloud management systems (OpenStack/Cloud), multiple workload types (VM, container, bare-metal), etc.