TRANSCRIPT
© Copyright Fortinet Inc. All rights reserved.
Security Automation with VMware NSX and Network Function Virtualization (NFV)
[NET1047BES]
VMworld 2017 Content: Not for publication or distribution
SESSION OBJECTIVES
• Fortinet in a Nutshell
• Fortinet’s SDDC Security Approach
• Fortinet and VMware’s SDDC Component Integration
• Fortinet’s FortiGate-VMX Licensing Model
FORTINET: GLOBAL NETWORK SECURITY LEADER
• 4,700+ employees worldwide
• 100+ offices across the globe
• 395 patents issued, 316 in process
• 3.3m security devices shipped
• 320K customers
• Revenue in excess of $1bn
• $1.46bn in cash
• 30% year on year growth
• Founded in 2000
• Headquartered in Sunnyvale, California
CONTINUED GROWTH – TAKING MARKET SHARE
Chart: Network Security Appliance Shipments, 2009–2016, for Fortinet, Palo Alto Networks, Cisco and Check Point (y-axis 0 to 700,000 units). Source: IDC WW, 2016.
Advanced Security for VMware’s Software Defined Data Center
ADDED VALUE OF SECURITY INTEGRATION IN SDDC
• Not just firewall, but advanced features
• Micro-Segmentation and Zero Trust
• Control of ‘east-west’ traffic, Inter and Intra VM security, Logical Security Zone (multi-tier)
• Integration, Orchestration and Automation
COMPONENTS FOR NSX FOR VSPHERE INTEGRATION
Diagram: a third party solution (Service Manager plus Service Appliance) integrated with VMware vCenter Server v5.5 or v6.x and VMware vSphere (Advanced license, v5.5 or v6.x) on the ESXi hosts; diagram labels: Manage, REST API.
• Third Party Solution: Service Manager → Fortinet Solution: FortiGate-VMX Service Manager
• Third Party Solution: Service Appliance → Fortinet Solution: FortiGate-VMX Security Appliance
WHAT IS FORTIGATE-VMX?
• Purpose-built security solution with VMware NSX for SDDC which runs in between the VMs
• Full Next Generation security functionality solution in one platform
• Backed by FortiOS™ policy configuration and FortiGuard™ for real time intelligence updates
• Proven multi-tenant capable using virtual domains (VDOM)
Diagram: a hypervisor hosting workloads in Group A, Group B and Group C alongside a FortiGate-VMX Security Node; traffic will be redirected through the FortiGate-VMX based on applied policy.
FORTIGATE-VMX INTERACTION / WORKFLOW
Diagram: NSX Manager, FortiGate-VMX Service Manager and ESXi hosts (VMware Kernel, vDistributed Switch), annotated with the numbered steps below.
1. Register Fortinet as security service with NSX Manager
2. Auto-deploy FortiGate-VMX to all hosts in security cluster
3. FortiGate-VMX connects with FortiGate-VMX Service Manager
4. License verification and configuration synchronization with FortiGate-VMX
5. Redirection policy rules updated for enablement of FortiGate-VMX security service
6. Real-time updates of object database
7. Policy synchronization to all FortiGate-VMX deployed in cluster
FORTIGATE-VMX AND VMWARE NSX FILTER DRIVER INTERACTION
Diagram: VMware Kernel with dvSwitch, the NetX NSX Filter Driver, FGT-VMX (int and ext interfaces) and the FortiGate-VMX Service Manager; callouts: 1 Define NGFW Firewall Policies, 2 Packet Flow.
Packet Flow:
1. From VM to NSX Filter Driver
2. NSX Filter Driver forwards to third party solution (FGT-VMX)
3. FGT-VMX applies security and sends packet back to NSX Filter Driver
4. NSX Filter Driver can do service chaining or send packet to destination
COMPETITIVE ADVANTAGES
Real Multi-tenancy (VDOM) support
- Virtual Domain (VDOM) dedicated per tenant or individual security feature
- Redirection Policy based on FortiGate VDOM to ensure proper segmentation
- VDOMs can be used for different use cases
OVF footprint < 40 MB
Automatic import and update of objects from NSX
FORTIMANAGER NSX OBJECTS AND SERVICE MANAGER INTEGRATION
Diagram: NSX Objects flow from NSX Manager to the FortiGate-VMX Service Manager and the FGT-VMX instances on the dvSwitch, and from FortiManager to the FortiGate appliances.
▪ NSX Security Groups Objects imported in FortiManager using Dynamic Objects
▪ FortiManager sends to FortiGate a reference to the Dynamic Object
▪ Dynamic Objects automatically updated from NSX Manager
▪ NSX Security Groups available in hybrid environment for East-West and North-South security
CONFIGURE FIREWALL POLICY FROM FORTIMANAGER
NSX SECURITY GROUP DEFINITION AND USAGE
Security Groups created in NSX Manager automatically get sent to the FortiGate-VMX and are available for Policy Creation. Policy created in FortiGate-VMX using the exchanged Security Group.
Screenshot: the Web-SG security group as defined in NSX Manager and as it appears in the FortiGate-VMX policy.
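Added example (not from the slides, and not Fortinet or VMware code): a small Python model of the behaviour the two slides above describe, NSX Security Groups arriving as dynamic objects, policies following group membership without being edited, and a VDOM per tenant limiting which objects a policy may reference. The class and method names, tenant names and IP addresses are constructed for illustration.

```python
# Constructed model of object sync and VDOM scoping; names are hypothetical.
class ServiceManagerModel:
    """Hypothetical stand-in for the Service Manager's object and policy sync.
    Each VDOM holds its own dynamic objects (group -> VM IPs) and policies."""
    def __init__(self, tenants):
        self.vdoms = {t: {"objects": {}, "policies": []} for t in tenants}

    def nsx_group_update(self, tenant, group, members):
        # Slide step 6: object database refreshed from NSX Manager, so every
        # policy that references the group follows the new membership.
        self.vdoms[tenant]["objects"][group] = set(members)

    def add_policy(self, tenant, src, dst, service, action):
        # A policy may only reference groups imported into its own VDOM.
        objects = self.vdoms[tenant]["objects"]
        for group in (src, dst):
            if group not in objects:
                raise KeyError(f"{group!r} is not an object in VDOM {tenant!r}")
        self.vdoms[tenant]["policies"].append((src, dst, service, action))

    def evaluate(self, tenant, src_ip, dst_ip, service):
        """First-match policy lookup inside the tenant's VDOM; implicit deny."""
        vdom = self.vdoms[tenant]
        for src, dst, svc, action in vdom["policies"]:
            if (svc == service and src_ip in vdom["objects"][src]
                    and dst_ip in vdom["objects"][dst]):
                return action
        return "deny"

def demo():
    """Constructed scenario: two tenants, a Web-SG in each, one new web VM."""
    sm = ServiceManagerModel(["tenantA", "tenantB"])
    sm.nsx_group_update("tenantA", "Web-SG", ["10.1.1.10"])
    sm.nsx_group_update("tenantA", "App-SG", ["10.1.2.10"])
    sm.nsx_group_update("tenantB", "Web-SG", ["10.2.1.10"])
    sm.add_policy("tenantA", "Web-SG", "App-SG", "HTTPS", "accept")
    # New web VM not yet in Web-SG: implicit deny.
    before = sm.evaluate("tenantA", "10.1.1.11", "10.1.2.10", "HTTPS")
    # NSX adds the VM to the group; no policy edit needed on the FortiGate.
    sm.nsx_group_update("tenantA", "Web-SG", ["10.1.1.10", "10.1.1.11"])
    after = sm.evaluate("tenantA", "10.1.1.11", "10.1.2.10", "HTTPS")
    try:  # tenant B's VDOM has no App-SG object: cross-tenant reference fails
        sm.add_policy("tenantB", "Web-SG", "App-SG", "HTTPS", "accept")
        cross = "allowed"
    except KeyError:
        cross = "rejected"
    return before, after, cross
```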
FORTIGATE-VMX LOGS TO FORTIANALYZER
▪ Configuration is done on the FortiGate-VMX Service Manager
▪ Logs are relayed from the FortiGate-VMX to the FortiGate-VMX Service Manager
▪ Only the FortiGate-VMX Service Manager serial number is reported on FortiAnalyzer
FORTIGATE-VMX LICENSE MODEL
Diagram: example hypervisors (2 sockets / 2 vCPU / 4 GB; 1 socket / 4 vCPU / 8 GB; 2 sockets / 32 vCPU / 16 GB) shown against "2 FGT-VMX Licenses" and "3 FGT-VMX Licenses".
▪ One license for the FortiGate-VMX Service Manager
▪ Simple license based on number of FGT-VMX Security Appliances deployed
▪ One FortiGate-VMX license per ESXi host
▪ No limits placed on resources (virtual or hardware), nor number of protected VM workloads
NextGen Firewall use case at KPN
Use case, proof of concept and the next steps. September 12th 2017, VMworld Barcelona
Let me introduce myself …
Albert W. Alberts:
▪ Working at KPN since 1999:
▪ Started as Software Engineer
▪ KPN patents
▪ Currently Architect
https://www.linkedin.com/in/albertalberts/ · [email protected]
KPN, the company
▪ KPN (Koninklijke PTT Nederland)
▪ Dutch landline and mobile telecommunications company
▪ 4G, 5G, LoRa
▪ Internet Services Provider
▪ TV
▪ ICT-services
KPN, the company
▪ 15,000 employees
▪ 6.3 million fixed-line telephone customers
▪ 33 million subscribers in Netherlands, Germany, Belgium, France and Spain
▪ 2.1 million Internet access customers
▪ 1 of 15 worldwide VMware showcase partners
CloudNL features:
• Services are delivered from KPN datacenters within the Netherlands;
• Operational maintenance from within the Netherlands under Dutch law and regulations;
• Assurance through the Cloud Compliance Framework (CCF).
Cloud features:
• Self-service management
• Create own infrastructure
• Manage own infrastructure
• Scalable
• Pay-per-use
CloudNL VMware, based on VMware technology:
• vRealize Automation
• vRealize Orchestration
• NSX
• vCenter & vSphere
How does a customer get it? Interfaces
Diagram: CloudNL VMware exposes a Portal and a ReST API; behind them vRealize Automation and vRealize Orchestration drive the compute, networking and storage resources. API client languages shown: Ruby, Go, Python, C#.
What does a customer get? Default network setup: front-end & back-end
Diagram: Datacenter 1 and Datacenter 2, both connected to the Internet. In each datacenter a Perimeter ESG (NSX Edge pair, public IP) is the default GW for the public network, without NAT(ting); a Tenant A ESG (NSX Edge pair, private IP) is the default GW for the private network, with sNAT(ting); a Distributed Logical Router connects the tenant's VMs; the datacenters are joined over a transport network.
What does a customer get? Default network setup: front-end & back-end (second view)
Diagram: the same layout across Datacenter 1 and Datacenter 2, now showing a Tenant A ESG and a Tenant B ESG behind the Perimeter ESGs, each tenant with its own Distributed Logical Router and VMs, private IP and public IP sides, default GWs and the transport network between the datacenters.
Next Gen Firewall: Proof-of-concept at KPN CloudNL VMware
Next Gen Firewall PoC
Platform requirements:
▪ Integration with NSX
▪ Multi-tenancy within NSX
▪ Multi-tenant self-service portal
▪ Multi-tenant API
▪ Integration with vRealize
Client requirement:
▪ Next Gen Firewall
KPN CloudNL VMware, default tenant network
Diagram: as in the default network setup, with Core Routers between the internet and the Perimeter ESGs in Datacenter 1 and Datacenter 2, Tenant ESGs (NSX Edge pair, private IP / public IP), Distributed Logical Routers and VMs, public network without NAT(ting) and private network with sNAT(ting), a transport network with a restriction of 10 connections, and a Management network in each datacenter from which the NSX Manager config is applied.
KPN CloudNL VMware, default tenant network (with FortiGate-VMX)
Diagram: the same tenant network, with the Management network in each datacenter now also carrying the Fortigate SVM config and a Fortigate-VMX Security Node deployed in Datacenter 1 and Datacenter 2.
Fortinet SVM: vRealize expected user interface
Diagram: vRealize Automation (vRA portal as single “pane of glass”) on top of vRealize Orchestration; NSX Manager (GUI only for KPN administrators, API only via vRO); Fortigate Service Manager in the management plane (SVM per datacenter), handling advanced multi-cloud configuration tasks and common configuration tasks; Fortigate-VMX Security Node in the control plane (VMX per vSphere). Legend: API and GUI connections.
Note on the slide: No easy integration with vRealize Automation.
Fortinet SVM: vRealize actual user interface
Diagram: vRealize Automation on top of vRealize Orchestration; NSX Manager (GUI only for KPN administrators, API only via vRO); Fortigate Service Manager in the management plane (SVM per datacenter) with a separate interface to the Fortigate Service Manager in datacenter 1 and in datacenter 2; Fortigate-VMX Security Node in the control plane (VMX per vSphere). Legend: API and GUI connections.
Note on the slide: A Fortigate Service Manager GUI for each datacenter. Possible but not preferred.
Fortinet SVM: vRealize preferred user interface
Diagram: vRealize Automation on top of vRealize Orchestration; NSX Manager (GUI only for KPN administrators, API only via vRO); FortiManager in front of the Fortigate Service Manager in the management plane (SVM per datacenter), with common configuration tasks via the vRA portal and advanced multi-cloud configuration tasks via FortiManager; Fortigate-VMX Security Node in the control plane (VMX per vSphere). Legend: API and GUI connections.
vRA portal for simple tasks, FortiManager GUI for more advanced tasks.
FortiManager solves the dual interface problem but was not available during the PoC. Current status is beta.
Next Gen Firewall PoC results
Platform requirements:
▪ Integration with NSX
▪ Multi-tenancy within NSX
▪ Multi-tenant self-service portal
▪ Multi-tenant API
▪ Integration with vRealize
Results (in slide order):
✓
✗ no, this requires developer effort
✓
✓ but two self-service portals
✓ but two interfaces
Next Gen Firewall expected PoC results with FortiManager
Platform requirements:
▪ Integration with NSX
▪ Multi-tenancy within NSX
▪ Multi-tenant self-service portal
▪ Multi-tenant API
▪ Integration with vRealize
Results (in slide order):
✓
✗ plans to build it for most used configs
✓
✓
✓