fortinet & vmware integration
TRANSCRIPT
© Copyright Fortinet Inc. All rights reserved.
Fortinet & VMware Integration
VMUGIT Meeting Roma
Antonio Gentile, Systems Engineer, [email protected] /09/2016

Agenda
• Fortinet Cloud & SDN Vision
• Fortinet NSX Integration
• Use Cases
• Demonstration
End-to-End Global Cybersecurity Platform
Coverage from Endpoint to Edge to Core to Data Center to Cloud
[Diagram: Users, Network, Data Center. Layers: Client Security, Secure Access, Network Segmentation, Application Security, Cloud Security, Control & Visibility, Security Services & Framework. Products: FortiClient, FortiGate, FortiGate-VMX, FortiGate for AWS, FortiManager, FortiAnalyzer]
Fortinet Cloud & SDN Vision
Network Security as Agile and Elastic Underlying Infrastructure
[Diagram: Virtualization (vSphere, XenServer, Hyper-V), SDN (NSX), Cloud (IaaS), Cloud (SaaS). Physical & Virtual Security Appliances: FortiGate, FortiManager, FortiSandbox, FortiAnalyzer, FortiWeb, FortiADC, FortiDDoS, FortiWifi, FortiMail]
Security for the Cloud
[Diagram: Virtualization (Hypervisor Port, Hypervisor); Private Cloud (SDDC, SDN, Orchestration Integration); Public Cloud (On-Demand); IaaS Cloud (Connector API; East-West: NGFW, WAF, Management, Reporting, APT); SaaS Cloud (Proxy CASI, Broker API); Hybrid]
Security Across all of the Network - Global and Local
[Diagram: services App Control, Antivirus, Anti-spam, IPS, Web App, Database, Web Filtering, Vulnerability Management, Botnet, Mobile Security, Cloud Sandbox, Deep App Control; products Partner, FortiWeb, FortiMail, FortiClient, FortiGate, FortiSandbox; Threat Researchers, Threat Intelligence Exchange]
Fortinet Virtualized (Guest) Security Solutions
• FortiGate-VM: Unified Threat Management
• FortiManager-VM: Centralized Management
• FortiAnalyzer-VM: Logging and Reporting
• FortiWeb-VM: Web Application Security
• FortiMail-VM: Messaging Security
• FortiAuthenticator-VM: User Identity Management
• FortiADC-VM: Application Delivery
• FortiCache-VM: Content Caching
• FortiVoice-VM: Complete Business Phone Systems
• FortiRecorder-VM: Video Security
• FortiSandbox-VM: Advanced Threat Detection
Virtual Appliance Platforms – Private and Public Cloud
Columns, left to right: VMware vSphere v4.0/4.1; vSphere v5.0; vSphere v5.1/5.5; vSphere v6.0; Citrix XenServer v5.6 SP2; XenServer v6.0; Open Source Xen; KVM; Amazon AWS; Microsoft Hyper-V 2008 R2; Hyper-V 2012
FortiGate-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
FortiManager-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
FortiAnalyzer-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
FortiWeb-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
FortiMail-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
FortiAuthenticator-VM ✔ ✔ ✔ ✔ ✔ ✔
FortiADC-VM ✔ ✔ ✔
FortiCache-VM ✔ ✔ ✔ ✔
FortiVoice-VM ✔ ✔ ✔ ✔ ✔ ✔
FortiRecorder-VM ✔ ✔ ✔ ✔ ✔ ✔
FortiSandbox-VM ✔ ✔
FortiPrivateCloud ✔ ✔
* Also available as pay-as-you-go licensing option
Virtual Data Center Security Challenges
§ Difficult configuration to have security within the same vSwitch and/or forwarding domain
§ Perimeter-centric network security has proven insufficient
§ Use a fine-grained network segmentation approach: wrap security control around much smaller groups of resources
§ Best-practice approach from a security perspective, but difficult to apply in traditional environments
§ Two key operational barriers
» throughput capacity
» operations/change management
[Diagram: East-West, Micro-Segmentation, Zero-Trust East-West Control: Trust No One – Not Even Your End Users]

FortiGate VMX with VMware NSX
Added Value of Security Integration in SDDC
Requirements / Solution
• Not just firewall, but advanced features
• Micro-Segmentation and Zero Trust
• Control of ‘east-west’ traffic, Inter- and Intra-VM security, Logical Security Zone (multi-tier)
• Integration, Orchestration and Automation
Key Cloud Security Use Cases
Segment End-to-End Traffic Within and Across the Hybrid Cloud or Intra-VM
Mitigate the increasing concentration of data and risk in consolidated data centers and across private and public cloud

Security Requirements
• Whitelist-based policy model
• Fine-grained honeycomb based on user, role, apps, devices
• Deployable into flat, open networks without disruption
• Monitor and restrict VPN and data connections between on-premise and public clouds
[Diagram: Internet, Cloud, Private Cloud, Edge Gateway, Internal Network (100 Gbps+), Data Center with ISFW instances, External/Internal, Hypervisor with FortiGate-VMX Security Node protecting security groups SG1, SG2, SG3]
Components for NSX Integration
Mandatory Components for NSX Integration
• VMware vCenter Server v5.5 or v6.0
• VMware vSphere (Enterprise Plus license, v5.5 or v6.0) with ESXi hosts
• Third Party Solution: Service Manager and Service Appliance (REST API)
Fortinet Solution
• FortiGate-VMX Service Manager
• FortiGate-VMX Security Appliance
FortiGate-VMX and NSX Integration/Interactions
[Diagram: dvSwitch with FGT-VMX instances on each host; FortiGate-VMX Service Manager]
1. Register Fortinet as security service with NSX Manager
2. Auto-deploy FortiGate-VMX to all hosts in security cluster
3. FortiGate-VMX connects with FortiGate-VMX Service Manager
4. License verification & configuration synchronization with FortiGate-VMX
5. NSX Security Policy defines network introspection rules to redirect traffic
6. Real-time updates of object database
7. Push policy synchronization to all FortiGate-VMX deployed in cluster
FortiGate-VMX and NSX Manager Setup
• Adding VMware NSX details on FortiGate Service Manager
• FortiGate VMX Service on NSX Manager
FGT-VMX imports NSX Security Groups
§ On NSX, create Security Groups and assign “Objects”
§ FortiGate VMX automatically imports the Security Groups as dynamic firewall addresses containing the member VMs' IP addresses
Security Groups defined on NSX are automatically created on FGT-VMX
NSX Security Group definition and usage
[Diagram: Server SG defined on NSX Manager, exchanged with FortiGate-VMX]
Security Groups created on NSX Manager are automatically sent to the FortiGate-VMX and are available for policy creation
Policy created on FortiGate-VMX using the exchanged Security Group
FGT-VMX and VMware NSX Filter Driver Interaction
[Diagram: VMware kernel, dvSwitch, NetX NSX Filter Driver, FGT-VMX with int/ext interfaces, FortiGate-VMX Service Manager. Callouts: (1) Define NGFW Firewall Policies, (2) FGT-VMX]
Packet Flow
1. From VM to NSX Filter Driver
2. NSX Filter Driver forwards to the third-party solution (FGT-VMX)
3. FGT-VMX applies security and sends the packet back to the NSX Filter Driver
4. NSX Filter Driver can do service chaining or send the packet to its destination
Policy Creation
§ Firewall Policy is now IP independent
Policy created based on Security Group
[Diagram: Internal / External, Distributed Virtual Switch]
FortiGate-VMX License Model
§ One license for the FortiGate-VMX Service Manager
§ Simple license based on the number of FGT-VMX Security Appliances deployed
» One FortiGate-VMX license per ESXi host
» No limits placed on resources (virtual or hardware), nor on the number of protected VM workloads
[Diagram: Hypervisor with 2 sockets plus Hypervisor with 1 socket: 2 FGT-VMX Licenses; with a further Hypervisor with 2 sockets: 3 FGT-VMX Licenses; Central license server with auto decrement]
Multiple Services/Customers
§ Real Multi-tenancy (VDOM) support
» Virtual Domain (VDOM) dedicated per tenant or individual security feature
» Service Profile and Groups ensure proper segmentation
Resource Monitoring
§ Per Security Appliance instance resource monitor
CLOUD SECURITY
Use Cases
TELCO – Use Case – Dedicated Customer Firewall (FortiGate-VM)
[Diagram: Web Servers, Application Servers, Database Servers on vSwitch WEB, vSwitch APP, vSwitch DB; vSwitch External to Internet; Hypervisor]
• Customer Managed Firewall
• Orchestrated Customer Creation
• FortiGate-VM to control east-west application traffic
• Traffic is required to flow through the FortiGate-VM (L2 or L3) to secure traffic
• Intra-VM security requires L2 VDOMs and inter-VDOM link configuration
• Physical FortiGate to control north-south traffic
[Diagram: security services App Control, Antivirus, Anti-spam, IPS, Web App, Web Filtering, Botnet, Cloud Sandbox]
ENTERPRISE – NSX Integration Use Case: Function Segmentation with VDOMs
[Diagram: Security Group A to nsx VDOM (on by default): NGFW, IPS, URL Filtering, Anti-Virus etc.; Security Groups B, C, D to VDOM1: IPS, VDOM2: URL Filtering, VDOM3: App Control, VDOM4: Web Application Firewall, VDOM5: Anti-Virus, VDOM6: Antispam]
• Segmented groups can have a unique feature set applied
• Provides performance benefits, as not all groups have identical security requirements
• Each department, e.g. Human Resources, Legal, Marketing, can have its own VDOM and its own security feature set
• Fortinet patented Virtual Domain technology
• Only security vendor to support virtual segmentation by function for security.
Demo!!
Multi-Tier Application Diagram
[Diagram]
External: 192.168.195.0/23
Web-01 10.0.1.0/24 (.1): web-01 .11, web-02 .12
App-01 10.0.2.0/24 (.1): App-01 .11, App-02 .12
DB-01 10.0.3.0/24 (.1): DB-01 .11
Transit-01 172.16.1.0/24 (.1, .2)
VIP-Web: 192.168.195.143:80 (Web-01:80 + Web-02:80)
VIP-App: 172.16.1.6:80 (App-01:80 + App-02:80)
Flows:
1. Client to Web: HTTP (80)
2. Web to App: HTTP (80)
3. App to DB: mysql (3306)
Demonstration - Use Cases 1
§ Security Policies for Multi-Tier Application Segmentation
» Web Tier allowed to receive requests from outside and generate requests to App Tier only
» App Tier allowed to receive requests from Web Tier and generate requests to DB Tier only
» DB Tier allowed to receive requests from App Tier and not allowed to generate requests
[Diagram: App-02, App-01, Web-02, Web-01, DB-01 with security profiles IPS, Web App, App Control, Antivirus]
Questions??