Posted on 25-Dec-2015

218 views

Category:

Documents


1 download

TRANSCRIPT

How to protect your Virtual Datacenter

Michiel van den Bos

Security challenges in the cloud: Physical firewalls may not see the East-West traffic

Firewall placement is designed around the expectation of layer 3 segmentation

Network configuration changes required to secure East-West traffic flows are manual, time-consuming and complex

Ability to transparently insert security into the traffic flow is needed

[Diagram: MS-SQL, SharePoint and Web Front End VMs sharing one host]

2 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Security challenges in the cloud: Incomplete security features on existing virtual security solutions

In the cloud, applications of different trust levels now run on a single server.

VM-VM traffic (East-West) needs to be inspected.

Port- and protocol-based security is not sufficient.

Virtualized next-generation security is needed to:

Safely enable application traffic between VMs

Protect against cyber attacks

[Diagram: MS-SQL, SharePoint and Web Front End VMs sharing one host]


Security challenges in the cloud: Static policies cannot keep pace with dynamic workload deployments

Provisioning of applications can occur in minutes with frequent changes

Security approvals and configurations may take weeks/months

Dynamic security policies that understand VM context are needed


VMware and Palo Alto Networks solution

Cloud security challenge → Solution

Manual networking configuration to steer traffic to security appliance → Automated, transparent services insertion of VM-Series with VMware NSX

Incomplete security capabilities → Virtualized security appliance supporting PAN-OS

Static policies cannot keep up with virtual machine changes → Dynamic security policies with VM context


Applying Zero Trust concepts in the data center

All resources are accessed in a secure manner regardless of location.

Access control is on a “need-to-know” basis and is strictly enforced.

Verify and never trust.

Inspect and log all traffic.


Segmentation for all data center traffic

[Diagram: virtualized servers and physical servers behind the corporate network/DMZ, with security, network and application layers]

Segment North-South (physical) and East-West (virtual) traffic

Tracks virtual application provisioning and changes via dynamic address groups

Automation and orchestration support via REST-API


VM-Series for east-west traffic inspection

• Next-generation firewall in a virtual form factor

• Consistent features with the hardware-based next-generation firewall

• Inspects and safely enables intra-host communications (East-West traffic)

• Tracks VM creation and movement with dynamic address groups

• New model will be released to support VMware NSX


Dynamic address groups

• Dynamic Address Groups deliver a policy abstraction layer for physical and virtual security appliances

• Replace static object definitions with dynamic data

• Dynamic Address Groups replace Dynamic Address Objects:

• Support multiple tags representing VM attributes

• Increased maximum of registered IP addresses per object and per system

• Multiple tags can be resolved for policy (Example: Policy for VMs with “DB” & “windows O/S” tags)

[Diagram: policies referencing a dynamic address group tagged Database and Windows, resolving to IPs 14.28.56.112, 12.12.12.12, 22.22.22.22 and 33.33.33.33]


Power of dynamic address groups

VMware vCenter or ESXi (VM inventory):

Name         IP        Guest OS      Container
web-sjc-01   10.1.1.2  Ubuntu 12.04  Web
sp-sjc-04    10.1.5.4  Win 2008 R2   SharePoint
web-sjc-02   10.1.1.3  Ubuntu 12.04  Web
exch-mia-03  10.4.2.2  Win 2008 R2   Exchange
exch-dfw-03  10.4.2.3  Win 2008 R2   Exchange
sp-mia-07    10.1.5.8  Win 2008 R2   SharePoint
db-mia-01    10.5.1.5  Ubuntu 12.04  MySQL
db-dfw-02    10.5.1.2  Ubuntu 12.04  MySQL

PAN-OS Dynamic Address Groups:

Name                         Tags                             Addresses
SharePoint Servers           SharePoint, Win 2008 R2, “sp”    10.1.5.4, 10.1.5.8
MySQL Servers                MySQL, Ubuntu 12.04, “db”        10.5.1.5, 10.5.1.2
Miami DC                     “mia”                            10.4.2.2, 10.1.5.8, 10.5.1.5
San Jose Linux Web Servers   “sjc”, “web”, Ubuntu 12.04       10.1.1.2, 10.1.1.3

PAN-OS Security Policy:

Source               Destination                  Action
SharePoint Servers   San Jose Linux Web Servers   ✔
MySQL Servers        Miami DC

When a new VM is provisioned in vCenter (db-mia-05, 10.5.1.9, Ubuntu 12.04, MySQL), its address 10.5.1.9 is registered with the firewall and the dynamic address groups whose tags it matches are updated, so the existing group-based policy applies to it without a rule change.


Panorama centralized management and policy automation

Global, centralized management of security policies for all Palo Alto Networks datacenter firewalls, physical or virtual platforms

Centralized logging and reporting

Deploy virtually or via M-100 physical appliance

Scalability to manage up to 1,000 firewalls

Automatically provision security policies together with your existing orchestrated tasks

RESTful XML API over SSL connection enables integration with leading orchestration vendors

Derive management efficiencies via orchestrated:

Application/service/tenant resource allocations

Service state tracking

Policy mapping

[Diagram: integration with orchestration vendors]


How The Joint Integration Works

VMware NSX and Palo Alto Networks integration

[Diagram: NSX integration on the hypervisor; labels VM-1, HV]

Meeting the needs of both infrastructure and security

• Accelerate app deployments and unlock cloud agility

• Meet expectations of security in new operating model

• Increase visibility and protection against cyber attacks

• Maintain consistent security controls for all DC traffic

[Diagram: Cloud Security]

For more information on the integration, visit www.paloaltonetworks.com/partners/vmware.html