
1 How to protect your Virtual Datacenter Michiel van den Bos

2 Security challenges in the cloud
Physical firewalls may not see the East-West traffic
- Firewall placement is designed around the expectation of layer 3 segmentation
- Network configuration changes required to secure East-West traffic flows are manual, time-consuming and complex
- The ability to transparently insert security into the traffic flow is needed
(Diagram: MS-SQL, SharePoint, Web Front End)
2 | ©2014, Palo Alto Networks. Confidential and Proprietary.

3 Security challenges in the cloud
Incomplete security features on existing virtual security solutions
- In the cloud, applications of different trust levels now run on a single server
- VM-VM traffic (East-West) needs to be inspected
- Port- and protocol-based security is not sufficient
- Virtualized next-generation security is needed to:
  - Safely enable application traffic between VMs
  - Protect against cyber attacks
(Diagram: MS-SQL, SharePoint, Web Front End)

4 Security challenges in the cloud
Static policies cannot keep pace with dynamic workload deployments
- Provisioning of applications can occur in minutes with frequent changes
- Security approvals and configurations may take weeks/months
- Dynamic security policies that understand VM context are needed

5 VMware and Palo Alto Networks solution
| Cloud security challenges | Solution |
|---|---|
| Manual networking configuration to steer traffic to security appliance | Automated, transparent services insertion of VM-Series with VMware NSX |
| Incomplete security capabilities | Virtualized security appliance supporting PAN-OS |
| Static policies cannot keep up with virtual machine changes | Dynamic security policies with VM context |

6 Applying Zero Trust concepts in the data center
- All resources are accessed in a secure manner regardless of location.
- Access control is on a "need-to-know" basis and is strictly enforced.
- Verify and never trust.
- Inspect and log all traffic.

7 Segmentation for all data center traffic
(Diagram: virtualized servers and physical servers behind the corporate network/DMZ, with security, network and application segments)
- Segment North-South (physical) and East-West (virtual) traffic
- Tracks virtual application provisioning and changes via dynamic address groups
- Automation and orchestration support via REST API

8 VM-Series for east-west traffic inspection
- Next-generation firewall in a virtual form factor
- Consistent features with the hardware-based next-generation firewall
- Inspects and safely enables intra-host communications (East-West traffic)
- Tracks VM creation and movement with dynamic address groups
- New model will be released to support VMware NSX

9 Dynamic address groups
- Dynamic Address Groups deliver a policy abstraction layer for physical and virtual security appliances
- Replace static object definitions with dynamic data
- Dynamic Address Groups replace Dynamic Address Objects:
  - Support multiple tags representing VM attributes
  - Increased maximum of registered IP addresses per object and per system
  - Multiple tags can be resolved for policy (example: a policy for VMs with the "DB" and "Windows O/S" tags)
(Diagram: a policy referencing a Database group that resolves to the IPs 14.28.56.112, 12.12.12.12, 22.22.22.22 and 33.33.33.33, combined with a Windows tag)

10 Power of dynamic address groups
VMware vCenter or ESXi inventory:
| Name | IP | Guest OS | Container |
|---|---|---|---|
| web-sjc-01 | 10.1.1.2 | Ubuntu 12.04 | Web |
| sp-sjc-04 | 10.1.5.4 | Win 2008 R2 | SharePoint |
| web-sjc-02 | 10.1.1.3 | Ubuntu 12.04 | Web |
| exch-mia-03 | 10.4.2.2 | Win 2008 R2 | Exchange |
| exch-dfw-03 | 10.4.2.3 | Win 2008 R2 | Exchange |
| sp-mia-07 | 10.1.5.8 | Win 2008 R2 | SharePoint |
| db-mia-01 | 10.5.1.5 | Ubuntu 12.04 | MySQL |
| db-dfw-02 | 10.5.1.2 | Ubuntu 12.04 | MySQL |

PAN-OS Dynamic Address Groups (the tags are resolved against the inventory to produce the address list):
| Name | Tags | Addresses |
|---|---|---|
| SharePoint Servers | SharePoint, Win 2008 R2, "sp" | 10.1.5.4, 10.1.5.8 |
| MySQL Servers | MySQL, Ubuntu 12.04, "db" | 10.5.1.5, 10.5.1.2 |
| Miami DC | "mia" | 10.4.2.2, 10.1.5.8, 10.5.1.5 |
| San Jose Linux Web Servers | "sjc", "web", Ubuntu 12.04 | 10.1.1.2, 10.1.1.3 |

PAN-OS Security Policy:
| Source | Destination | Action |
|---|---|---|
| SharePoint Servers | San Jose Linux Web Servers | ✔ |
| MySQL Servers | Miami DC | |

A new VM, db-mia-05 (10.5.1.9, Ubuntu 12.04, MySQL), is then provisioned, and 10.5.1.9 is added to the matching dynamic address groups without any change to the policy.
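A worked example, added here and not part of the presentation or of any Palo Alto Networks code, of the tag resolution behind slides 9 and 10: VM attributes become tags, a dynamic address group is the set of VMs carrying all of its tags, and the policy references groups rather than addresses. The rule that derives tags from the VM name tokens, guest OS and container is an assumption chosen to reproduce the slide's groups; real deployments learn tags through the vCenter/NSX integration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    guest_os: str
    container: str

    def tags(self) -> frozenset:
        # Assumed tagging rule (not the product's): each hyphen-separated token of the
        # name plus guest OS and container, e.g. sp-sjc-04 -> {"sp","sjc","04","Win 2008 R2","SharePoint"}
        return frozenset(self.name.split("-")) | {self.guest_os, self.container}

# VM inventory as shown on slide 10 (VMware vCenter or ESXi)
INVENTORY = [
    VM("web-sjc-01", "10.1.1.2", "Ubuntu 12.04", "Web"),
    VM("sp-sjc-04", "10.1.5.4", "Win 2008 R2", "SharePoint"),
    VM("web-sjc-02", "10.1.1.3", "Ubuntu 12.04", "Web"),
    VM("exch-mia-03", "10.4.2.2", "Win 2008 R2", "Exchange"),
    VM("exch-dfw-03", "10.4.2.3", "Win 2008 R2", "Exchange"),
    VM("sp-mia-07", "10.1.5.8", "Win 2008 R2", "SharePoint"),
    VM("db-mia-01", "10.5.1.5", "Ubuntu 12.04", "MySQL"),
    VM("db-dfw-02", "10.5.1.2", "Ubuntu 12.04", "MySQL"),
]

# Dynamic address groups from slide 10: a VM is a member when it carries ALL of the group's tags
GROUPS = {
    "SharePoint Servers": {"SharePoint", "Win 2008 R2", "sp"},
    "MySQL Servers": {"MySQL", "Ubuntu 12.04", "db"},
    "Miami DC": {"mia"},
    "San Jose Linux Web Servers": {"sjc", "web", "Ubuntu 12.04"},
}

def resolve(groups, inventory):
    """Map each group name to the IPs of the VMs whose tags include every tag of the group."""
    return {name: {vm.ip for vm in inventory if tags <= vm.tags()}
            for name, tags in groups.items()}

# Group-based rules: only the allow rule legible on slide 10 is included; flows matching
# no rule fall through to a default deny, following the Zero Trust stance of slide 6 (assumption)
POLICY = [("SharePoint Servers", "San Jose Linux Web Servers", "allow")]

def lookup(policy, resolved, src_ip, dst_ip, default="deny"):
    """Evaluate one flow against the group-based rules; first match wins, else the default."""
    for src_group, dst_group, action in policy:
        if src_ip in resolved[src_group] and dst_ip in resolved[dst_group]:
            return action
    return default
```

Re-running `resolve` after appending db-mia-05 to the inventory shows 10.5.1.9 appearing in both MySQL Servers and Miami DC while the policy rules stay untouched, which is the mechanism the slide illustrates.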

11 Panorama centralized management and policy automation
- Global, centralized management of security policies for all Palo Alto Networks datacenter firewalls, physical or virtual platforms
- Centralized logging and reporting
- Deploy virtually or via the M-100 physical appliance
- Scalability to manage up to 1,000 firewalls
- Automatically provision security policies together with your existing orchestrated tasks
- RESTful XML API over an SSL connection enables integration with leading orchestration vendors
- Derive management efficiencies via orchestrated:
  - Application/service/tenant resource allocations
  - Service state tracking
  - Policy mapping
(Diagram: integration with orchestration vendors)

12 How the joint integration works

13 VMware NSX and Palo Alto Networks integration
(Diagram: VM-1000-HV)

14 Meeting the needs of both infrastructure and security
- Accelerate app deployments and unlock cloud agility
- Meet expectations of security in the new operating model
- Increase visibility and protection against cyber attacks
- Maintain consistent security controls for all DC traffic
(Diagram: Cloud and Security)
For more information on the integration, visit www.paloaltonetworks.com/partners/vmware.html
