How to protect your Virtual Datacenter

Michiel van den Bos
Security challenges in the cloud
Physical firewalls may not see the East-West traffic
 Firewalls placement is designed
around expectation of layer 3
segmentation
 Network configuration changes
required to secure East-West traffic
flows are manual, time-consuming
and complex
 Ability to transparently insert
security into the traffic flow is
needed


MS-SQL SharePoint Web Front End
2 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Security challenges in the cloud
Incomplete security features on existing virtual security solutions

In the cloud, applications of different trust levels now run on a single server
 VM-VM traffic (East-West) needs to be inspected
 Port and protocol-based security is not sufficient
 Virtualized next-generation security is needed to:
 Safely enable application traffic between VMs
 Protect against against cyber attacks
MS-SQL SharePoint Web Front End
3 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Security challenges in the cloud
Static policies cannot keep pace with dynamic workload deployments
 Provisioning of applications can occur
in minutes with frequent changes
 Security approvals and configurations
may take weeks/months
 Dynamic security policies that
understand VM context are needed


4 | ©2014, Palo Alto Networks. Confidential and Proprietary.
VMware and Palo Alto Networks solution
Cloud security challenges Solution
Manual networking configuration to steer traffic to
security appliance
Automated, transparent services insertion of VM-
Series with VMware NSX
Incomplete security capabilities Virtualized security appliance supporting PAN-OS
TM

Static policies cannot keep up with virtual machine
changes
Dynamic security policies with VM context
5 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Applying Zero Trust concepts in the data center
All resources are accessed in a secure
manner regardless of location.
Access control is on a “need-to-know”
basis and is strictly enforced.
Verify and never trust.
Inspect and log all traffic.
6 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Segmentation for all data center traffic
Virtualized servers Physical servers
corporate network/DMZ
Security
Network
Application

Segment North South (physical) and East West (virtual) traffic
Tracks virtual application provisioning and changes via dynamic address groups
Automation and orchestration support via REST-API
7 | ©2014, Palo Alto Networks. Confidential and Proprietary.
VM-Series for east-west traffic inspection

• Next-generation firewall in a virtual form factor
• Consistent features as hardware-based next-generation
firewall
• Inspects and safely enables intra-host communications (East-
West traffic)
• Tracks VM creation and movement with dynamic address
groups
• New model will be released to support VMware NSX
8 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Dynamic address groups
• Dynamic Address Groups delivers policy abstraction layer for
physical and virtual security appliances
• Replaces static object definitions with dynamic data
• Dynamic Address Groups replaces Dynamic Address Objects:
• Supports multiple tags representing VM attributes
• Increased maximum of registered IP addresses per object and
per system
• Multiple tags can be resolved for policy
(Example: Policy for VMs with “DB” & “windows O/S” tags)
Policies


Database
Database
IP: 14.28.56.112
12.12.12.12
22.22.22.22
33.33.33.33

Windows
9 | ©2014, Palo Alto Networks. Confidential and Proprietary.
VMware vCenter or ESXi
Power of dynamic address groups
Name IP Guest OS Container
web-sjc-01 10.1.1.2 Ubuntu 12.04 Web
sp-sjc-04 10.1.5.4 Win 2008 R2 SharePoint
web-sjc-02 10.1.1.3 Ubuntu 12.04 Web
exch-mia-03 10.4.2.2 Win 2008 R2 Exchange
exch-dfw-03 10.4.2.3 Win 2008 R2 Exchange
sp-mia-07 10.1.5.8 Win 2008 R2 SharePoint
db-mia-01 10.5.1.5 Ubuntu 12.04 MySQL
db-dfw-02 10.5.1.2 Ubuntu 12.04 MySQL
PAN-OS Security Policy
Source Destination Action
PAN-OS Dynamic Address Groups
Name Tags Addresses
SharePoint
Servers



MySQL Servers



Miami DC



San Jose Linux
Web Servers



Name Tags Addresses
SharePoint
Servers
SharePoint
Win 2008 R2
“sp”
MySQL Servers
MySQL
Ubuntu 12.04
“db”
Miami DC “mia”



San Jose Linux
Web Servers
“sjc”
“web”
Ubuntu 12.04
Name Tags Addresses
SharePoint
Servers
SharePoint
Win 2008 R2
“sp”
10.1.5.4
10.1.5.8
MySQL Servers
MySQL
Ubuntu 12.04
“db”
10.5.1.5
10.5.1.2

Miami DC “mia”
10.4.2.2
10.1.5.8
10.5.1.5
San Jose Linux
Web Servers
“sjc”
“web”
Ubuntu 12.04
10.1.1.2
10.1.1.3
IP
10.1.1.2
10.1.5.4
10.1.1.3
10.4.2.2
10.4.2.3
10.1.5.8
10.5.1.5
10.5.1.2
Name
SharePoint
Servers
MySQL Servers
Miami DC
San Jose Linux
Web Servers
Source Destination Action
SharePoint
Servers
San Jose Linux
Web Servers

MySQL
Servers
Miami DC

db-mia-05 10.5.1.9 Ubuntu 12.04 MySQL
10.5.1.9


10 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Panorama centralized management and policy automation
 Global, centralized management of security policies
for all Palo Alto Networks datacenter firewalls,
physical or virtual platforms
 Centralized logging and reporting
 Deploy virtually or via M-100 physical appliance
 Scalability to manage up to 1,000 firewalls
 Automatically provision security policies together with
your existing orchestrated tasks
 RESTful XML API over SSL connection enables
integration with leading orchestration vendors
 Derive management efficiencies via orchestrated:
 Application/service/tenant resource allocations
 Service state tracking
 Policy mapping
Integration With
Orchestration Vendors
11 | ©2014, Palo Alto Networks. Confidential and Proprietary.
How The Joint Integration Works
12 | ©2014, Palo Alto Networks. Confidential and Proprietary.
VMware NSX and Palo Alto Networks integration
13 | ©2014, Palo Alto Networks. Confidential and Proprietary.
V
M
-
1
0
0
0
-
H
V

Meeting the needs of both infrastructure and security
• Accelerate app deployments
and unlock cloud agility
• Meet expectations of security in
new operating model
• Increase visibility and protection
against cyber attacks
• Maintain consistent security
controls for all DC traffic
Cloud Security
14 | ©2014, Palo Alto Networks. Confidential and Proprietary.
For more information on the integration, visit
www.paloaltonetworks.com/partners/vmware.html