Copyright 2013 Alcatel-Lucent. All rights reserved. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW. PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION.
Nuage Networks
Securely Dynamic Networks: the “other” SDN
Wim Henderickx, Director Consulting Engineering/PLM EMEA, [email protected]; @WHenderickx
April 2016
Nuage Networks Overview
Nuage is based in Silicon Valley with a team around the world
An Alcatel-Lucent/Nokia venture focused on data center and branch office network evolution for the cloud era
Leverage Nokia infrastructure and key technologies
Creation of an abstraction & automation layer between networking features and hardware equipment
Policy-driven networking design reflecting business directives, not network protocols
May 1, 2014
The Networking Shift
[Figure: data center infrastructure. Compute and storage: virtualized, instantly available, easily consumable. Network: cumbersome, constrained & inefficient.]
Dynamically Automated Services Scorecard
                 Static manual networks    Highly automated networks
Automation       Custom                    ✓
Abstraction      Complex                   ✓
Control          Costly                    ✓
Visibility       Closed                    ✓
The SDN framework for highly automated networks
Nuage Networks Virtualized Services Platform (VSP)
[Diagram: three-layer architecture over an IP fabric of hypervisors. Management plane: Virtualized Services Directory (VSD). Control plane: Virtualized Services Controller (VSC). Data plane: Virtual Routing & Switching (VRS) on each hypervisor.]
Network Automation through Policy
[Diagram: application orchestration (compute management, networking, security/compliance) issues a compute request; the Nuage Networks VSP applies policy templates and auto-instantiates IP address, WAN interconnect, policy / security zones, L2/L3 service AD and service chaining.]
Service velocity is not hindered by manual network processes
Compute request completed in minutes
Policy instantiation: IP address 10.x.y.z, VLAN configuration, WAN configuration, security / FW settings, QoS parameters, …
Network change completed automatically
Integrated solution combining VSP and Fortinet
[Diagram: the VSP architecture (VSD management plane, VSC control plane, VRS data plane on hypervisors over the IP fabric) with Fortinet integrated through ReST APIs.]
Certified with Fortinet
Nuage Networks & Fortinet Overview: Network & Security Automation
Nuage & Fortinet Deployment Models
Deployments:
Physical or virtual
Central or distributed
Perimeter security or micro-segmentation
[Diagram: any cloud management system / control center drives VSD and VSC; FortiManager exchanges API calls with VSD for event & policy synchronization; FortiGate appliances (physical or VPX virtual) sit beside VRS on the hypervisors and beside the VSG / VRS-G gateways. Hypervisors supported: KVM, Xen, ESXi, Hyper-V; containers.]
Automated Perimeter Security
[Diagram: demo topology. Internal network with App01 web servers and App02 web servers behind their load balancers, each fronted by a FortiGate; external network with an App 01 client and an App 02 client; VIP App01 172.16.2.100. The VSD controller synchronizes with FortiManager, which pushes a FWD rule for TCP 80 to the Fortinet firewall; TCP 80 traffic (iPerf) is used to test the path, and an X marks the blocked flow.]
Micro-Segmentation Prevents Lateral Movement of Malware
Micro-segmentation contains security breaches to a smaller set of servers / fault domains
[Diagram: left, a single VLAN / subnet holding App 1, App 2, Web 1, Web 2, DB 1 and DB 2 with nothing between them; right, micro-segmentation, where each App VM reaches the VRS through a FortiGate that enforces policy between segments.]
Actual Business Results – Large Bank Case Study
50% Reduction in Operational Expense
10x Improvement in turn-up response time, Reduction in configuration errors
40% Increase in asset utilization & flexibility
Source: Alcatel-Lucent Analysis, customer survey feedback 2013-2014
Deployment Example: MSPP
Extensions of an MPLS VPN network using security services:
Next-generation firewall
Application visibility
Modern malware protection
IPS, DoS/DDoS attack protection and anti-virus
Dynamic instantiation and automation of security services through a self-service web portal
Virtual and physical appliances
[Diagram: branches connect over an MPLS VPN through 7750 SR routers; the Nuage VSP and FortiManager orchestrate a FortiGate for each branch.]
Deployment Example: DC Consolidation
Goal:
From a manual and constrained DC to an automated and agile DC
Perimeter security and micro-segmentation with advanced security functionality
Physical and virtual workloads across multiple datacenters
Private DC interworking with public clouds
Multiple hypervisors: ESXi, KVM, Hyper-V and moving to containers
[Diagram: two data centers, each with bare metal workloads, SW workloads on multiple hypervisors (ESXi, KVM, Hyper-V, etc.) and PaaS (Kube/OpenShift), each with its own VSP, FortiManager and a pair of FortiGates; a WAN GW and DC GW per site toward the WAN (MPLS VPN, Internet), and DCI GWs linking the sites over BGP-EVPN / optical-IP.]
Deployment Example: DC Consolidation
[Diagram: VSD orchestrates virtual networks together with the infrastructure resources: compute and storage (vCenter), load-balancing (F5 BigIQ), firewalls (FortiManager / FortiGate) and IPAM / DNS / DHCP, all via APIs; VSC programs the DC fabric through SW VTEPs and HW VTEPs over OVSDB.]
Next Steps/Evolution: Dynamic Threat Protection
We can leverage information gathered from the endpoints (FortiClient / FortiGate / VRS) to isolate the source of an attack
Allows threat sources to be prevented and isolated automatically by feeding network intelligence into the policy framework
[Diagram: endpoint analytics from FortiClient, FortiGate and VRS feed FortiManager and the Nuage VSP.]
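To make two of the deck's claims concrete, the earlier slide on micro-segmentation containing a breach to a smaller fault domain and this slide on isolating a threat source by feeding endpoint intelligence back into the policy framework, here is an added Python example. It is not from the deck and not Nuage or Fortinet code: it uses a constructed six-workload inventory and a tier-based allow-list (the tier names, rule format and hosts are assumptions for illustration, not VSP policy objects), computes the set of workloads an intruder on one host could reach by hopping only over permitted flows (flat VLAN versus micro-segmented), and then shows what moving a flagged workload into a quarantine tier does to that set.

```python
from collections import deque

# Constructed inventory: host -> tier. Tier labels echo the slide (Web, App, DB).
HOSTS = {
    "Web1": "web", "Web2": "web",
    "App1": "app", "App2": "app",
    "DB1": "db", "DB2": "db",
}

# Flat VLAN / subnet: any workload can reach any other ('*' is a wildcard).
FLAT_POLICY = [("*", "*")]

# Micro-segmentation: default deny, only the tier-to-tier flows the application needs.
# (Assumed rule format: (source_tier, destination_tier).)
MICROSEG_POLICY = [("web", "app"), ("app", "db")]


def allowed(policy, src_tier, dst_tier):
    """True if at least one rule permits traffic from src_tier to dst_tier."""
    return any(s in ("*", src_tier) and d in ("*", dst_tier) for s, d in policy)


def blast_radius(policy, hosts, compromised):
    """Hosts an intruder who controls `compromised` can reach, hopping only over
    allowed flows (breadth-first search over the tier policy). Includes the start host."""
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for host, tier in hosts.items():
            if host not in reached and allowed(policy, hosts[current], tier):
                reached.add(host)
                queue.append(host)
    return reached


def quarantine(hosts, host):
    """Dynamic threat response: return a copy of the inventory with `host` moved into
    a 'quarantine' tier that no allow rule mentions. The original mapping is untouched."""
    updated = dict(hosts)
    updated[host] = "quarantine"
    return updated


def compare(compromised):
    """Size of the reachable set under each policy, before and after quarantining the host."""
    quarantined = quarantine(HOSTS, compromised)
    return {
        "flat": len(blast_radius(FLAT_POLICY, HOSTS, compromised)),
        "microseg": len(blast_radius(MICROSEG_POLICY, HOSTS, compromised)),
        "flat_after_quarantine": len(blast_radius(FLAT_POLICY, quarantined, compromised)),
        "microseg_after_quarantine": len(blast_radius(MICROSEG_POLICY, quarantined, compromised)),
    }


if __name__ == "__main__":
    for host in ("Web1", "DB1"):
        print(host, compare(host))
```

Two things the numbers show that the slides only assert: under the flat policy a compromised web server reaches all six workloads, while under the tier allow-list it reaches only the app and database tiers it legitimately talks to and never its web neighbours; and quarantining a host by changing its tier only helps when the data plane enforces tiers at all, since the wildcard flat rule still matches the quarantine tier and the reachable set stays at six.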
Next Steps/Evolution: Branch Protection
Besides the DC, Nuage also has an SD-WAN solution.
With bandwidth growth, the evolution of SaaS applications and guest Wi-Fi, we need to protect the branch in a more advanced way.
Fortinet + Nuage Networks are ideal to resolve this.
[Diagram: headquarters LAN and DC connect to the branches over the Internet, MPLS VPN and 3G/4G; branches run on BYOD hardware (SW image as OS or as VM), on physical appliances, or on Nuage hardware, all managed by the Nuage VSP.]
In Conclusion
Integrated & certified joint solutions between Nuage Networks and Fortinet providing automated network and security services
Enabling private/public/hybrid clouds with virtual or physical appliances
Perimeter security
Micro-segmentation
Reduce OPEX, faster deployment & optimized CAPEX
4/20/2016
www.nuagenetworks.com @nuagenetworks
THANK YOU
www.fortinet.com @Fortinet