plnog14: firewalls in modern data centers - piotr wojciechowski

FIREWALLS IN MODERN DATA CENTERS Piotr Wojciechowski (CCIE #25543)

Upload: proidea

Post on 16-Jul-2015


TRANSCRIPT


ABOUT ME
• Senior Network Engineer MSO at VeriFone Inc.
• Previously Network Solutions Architect at one of the top Polish IT integrators
• CCIE #25543 (Routing & Switching)
• Blogger – http://ccieplayground.wordpress.com
• Administrator of CCIE.PL board
  - The biggest Cisco community in Europe
  - About 7800 users
  - 3 admins, 3 moderators
  - Over 60 Polish CCIEs as members, 20 of them actively posting
  - About 100 new topics per month
  - About 800 posts per month
  - English section available

AGENDA
• Facts about firewalls market and evolution
• Security challenges
• Next Generation Firewalls
• NGIPS
• Data Center Security Future

FACTS ABOUT FIREWALLS MARKET AND EVOLUTION

FACTS ABOUT FIREWALLS MARKET
• Virtualized versions of enterprise network safeguards will not exceed 10% of unit sales by year-end 2016
• Through 2018, more than 75% of enterprises will continue to seek network security from a different vendor than their network infrastructure vendor

Source: Magic Quadrant for Enterprise Network Firewalls, Gartner, 14 April 2014

FACTS ABOUT FIREWALLS MARKET
• Less than 20% of enterprise Internet connections today are secured using next-generation firewalls (NGFWs)
• By year-end 2014, this will rise to 35% of the installed base, with 70% of new enterprise edge purchases being NGFWs
• Fewer than 5% of enterprises will deploy all-virtual firewalls in data centers through 2016

Source: Magic Quadrant for Enterprise Network Firewalls, Gartner, 14 April 2014

FACTS ABOUT FIREWALLS MARKET
• Fewer than 2% of deployed enterprise firewalls will have Web antivirus actively enabled on them through 2016

Source: Magic Quadrant for Enterprise Network Firewalls, Gartner, 14 April 2014

APPLICATIONS HAVE CHANGED – FIREWALLS HAVE NOT
• The gateway at the trust border is the right place to enforce policy control
  - Sees all traffic
  - Defines trust boundary
• But applications have changed
  - Ports ≠ Applications
  - IP addresses ≠ Users
  - Headers ≠ Content

(Figure: application categories: Collaboration / Media, SaaS, Personal)

Source: PaloAlto, Palo Alto Networks Product Overview

FIREWALLS HISTORY

EVOLUTION OF DATA CENTER FABRIC ARCHITECTURES

SECURITY CHALLENGES


INFRASTRUCTURE AS A SERVICE (IAAS)
• Set of modular building blocks of underlying resources
• Services may be introduced either through dedicated appliances or through virtual appliance implementations
• Cost-effective use of capital IT resources through co-hosting
• Better service quality through virtualization features
• Increased operation efficiency and agility through automation

SECURITY CHALLENGES IN DC
• There is a challenge between achieving business value and protecting these highly prized targets

Source: Infonetics Research Report Experts: Data Center Security Strategies and Vendor

REQUIREMENTS FOR DC FIREWALLS
• Threat Prevention
  - Protect against external attacks – including those routed through internal “secure” clients
• Data Leakage Prevention
  - Protect confidential and unauthorized content from leaving the network
• Access Control
  - Control access – by user or groups of users – to specific applications and content
• Performance
  - Minimize latency and maximize throughput to ensure business performance is not compromised

Source: PaloAlto, Palo Alto Networks Product Overview

COMPLEX PORTFOLIO

NEXT GENERATION FIREWALLS

SECURING TRAFFIC FLOW
• North-South: from Access Layer to Aggregation and to Core
• East-West: usually between servers in the same layer

SECURITY COMPONENTS


CONTENT AWARE SECURITY PORTFOLIO

URL FILTERING
• Block sites based on category or reputation
• Based on user or user group
• Allow administrators to block websites with potentially harmful objects
• Allow blocking of non-business related sites
• Bandwidth control for designated categories
• Enforcing safe search
• Prevent file download/upload

APPLICATION VISIBILITY
• Identification of application using multiple factors, not only port or IP classification
• Allow administrators to deploy comprehensive application usage control policies for both inbound and outbound network traffic

USER VISIBILITY
• Seamless integration with enterprise directory services such as Active Directory, LDAP etc.
• Enables administrators to view and control application usage based on individual users and groups of users, as opposed to just IP addresses
• User information is pervasive across all features including application and threat visibility, policy creation, forensic investigation, and reporting

CONTENT VISIBILITY
• Scanning engine that uses a uniform threat signature format detects and blocks a wide range of threats and limits unauthorized transfer of files and sensitive data
• Comprehensive URL database controls non-work related web surfing
• IT departments can regain control over application and related threat traffic

FAILOVER

FAILOVER – REPLICATED STATES
• Which states are replicated depends on the vendor, the firmware in use and the hardware – check the release notes for the full list
• New features are added with every release

MULTI-CONTEXT
• Increasingly required for regulatory compliance
• Each context has a separate control plane and data plane, its own interfaces and its own config memory
• Some features are not supported in multi-context mode

CLUSTERING

CLUSTERING
• With the new approach it’s crucial to understand the data flow within the cluster in every scenario
• A poorly designed data plane and control plane can do more harm than having no clustering at all

TRUSTSEC
• Provides the ability to create policies that map end users, or consumers, to data center assets, or servers and applications
• AAA services for a variety of external actors

TRUSTSEC
• Policy in the firewall has been expanded to include source and destination security groups that are downloaded from the ISE
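An added example (not from the slides) of what group-based policy evaluation looks like: rules are keyed on source and destination security groups rather than IP addresses, and the IP-to-group bindings stand in for the mapping a firewall would download from ISE. The group names, bindings and policy matrix are constructed for illustration.

```python
# Added example (not from the slides): evaluating firewall policy on security groups
# instead of IP addresses. SGT_BINDINGS stands in for the bindings a firewall would
# download from ISE; group names, addresses and the policy matrix are constructed.
from dataclasses import dataclass

# Constructed IP-to-security-group bindings (in a real deployment these come from ISE).
SGT_BINDINGS = {
    "10.2.0.5": "Employees",
    "10.2.0.6": "Contractors",
    "10.1.1.10": "Web_Servers",
    "10.1.1.20": "DB_Servers",
}

# Constructed policy matrix: (source group, destination group) -> allowed TCP ports.
# Anything not listed is denied, so a new server inherits policy just by being tagged.
POLICY = {
    ("Employees", "Web_Servers"): {443},
    ("Contractors", "Web_Servers"): {443},
    ("Web_Servers", "DB_Servers"): {5432},
    ("Employees", "DB_Servers"): set(),   # explicit deny: no direct user-to-DB access
}

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int

def group_of(ip, bindings=SGT_BINDINGS):
    """Resolve an address to its security group; None when no binding exists."""
    return bindings.get(ip)

def evaluate(flow, policy=POLICY, bindings=SGT_BINDINGS):
    """Return (verdict, reason). Unknown groups are denied: a host that was never
    classified must not inherit anyone else's permissions."""
    src, dst = group_of(flow.src_ip, bindings), group_of(flow.dst_ip, bindings)
    if src is None or dst is None:
        return "deny", "no security group binding for source or destination"
    allowed = policy.get((src, dst))
    if allowed is None:
        return "deny", f"no policy cell for {src} -> {dst}"
    if flow.dst_port in allowed:
        return "permit", f"{src} -> {dst} port {flow.dst_port} permitted"
    return "deny", f"{src} -> {dst} port {flow.dst_port} not in policy"

def rebind(ip, group, bindings):
    """Simulate ISE pushing an updated binding: the policy matrix itself does not change."""
    bindings[ip] = group
```

Note how adding a server only requires a new binding, not a new rule, which is the operational point behind group-based policy.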

NGIPS

NGIPS

Source: Gartner’s Magic Quadrant for Intrusion Prevention Systems, Adam Hils, Greg Young, Jeremy D’Hoinne, 29 December 2014

NGIPS
• Some things remain unchanged:
  - Tuning is the process of ‘defining’ protections that match the environment
  - Although most networks provide standard services, each implementation creates its own challenges
  - Failure to tune = failure to protect

NGIPS
• IPS are more and more context-aware
• Signatures are not the basis for event correlation
• Event correlation happens on advanced monitoring systems – the IPS itself cannot perform this

NGIPS
• Many organizations have relied solely on access control lists and enforcement as the only method of protecting the data center.
• A primary assumption is that the “authorized” user is really who they say they are, or that the authorized user is in control of their device that is accessing the data center

NGIPS
• One of the easiest ways for a cyber attacker to get a foothold into an enterprise organization’s network is by installing a rootkit onto a user’s end device.
• Security access control lists will allow the malware to traverse the network into the data center

NGIPS
• NGIPS requirements and imperatives:
  - High Availability
  - Zero Downtime
  - Flow survivability
  - Hardware and link redundancy
  - Asymmetric packet flows expected and properly handled
  - Elastic scaling
  - Low latency
  - Manageability/visibility/orchestration
  - Security and regulatory compliance

NGIPS
• Event

NGIPS
• Event + network context

NGIPS
• Event + network context + user context
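An added example (not from the slides) of the “event + network context + user context” idea: a raw IPS event is ranked against an asset inventory (does the target actually run the affected OS and service?) and an identity mapping (which user sits behind the source address), which is the kind of tuning the earlier slide calls for. The inventory, identity mapping, signature numbers and impact scale are all constructed assumptions.

```python
# Added example (not from the slides): enriching an IPS event with network and user
# context so that an analyst sees relevance, not just a signature hit.
# The inventory, user mapping, signature ids and impact scale are constructed.
from dataclasses import dataclass, field

@dataclass
class Asset:
    ip: str
    os: str
    services: set = field(default_factory=set)   # listening TCP ports

@dataclass
class IpsEvent:
    sig_id: int
    name: str
    src_ip: str
    dst_ip: str
    dst_port: int
    target_os: str   # OS family the signature's exploit actually affects

# Constructed network context (asset inventory) and user context (IP-to-user mapping).
ASSETS = {
    "10.1.1.10": Asset("10.1.1.10", "linux", {22, 443}),
    "10.1.1.20": Asset("10.1.1.20", "windows", {445, 3389}),
}
USERS = {"10.2.0.5": "jdoe", "10.2.0.6": "svc-backup"}

def impact(event, assets=ASSETS):
    """Rank an event against the real environment. Assumed scale:
    1 = target runs the affected OS and service, 2 = port open but OS does not match,
    3 = target known but service not listening, 4 = target not in inventory."""
    asset = assets.get(event.dst_ip)
    if asset is None:
        return 4, "destination not in inventory"
    if event.dst_port not in asset.services:
        return 3, "service not listening on target"
    if asset.os != event.target_os:
        return 2, f"signature targets {event.target_os}, host runs {asset.os}"
    return 1, "host runs the affected OS and service"

def enrich(event, assets=ASSETS, users=USERS):
    """Produce the correlated record a monitoring system would raise to an analyst."""
    level, reason = impact(event, assets)
    return {"sig": event.sig_id, "name": event.name, "impact": level, "reason": reason,
            "user": users.get(event.src_ip, "unknown"), "dst": event.dst_ip}
```

Impact 1 events are the ones worth paging on; impact 3 and 4 are where most untuned noise lives.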

NGIPS
• In-Path deployment

NGIPS
• Off-Path deployment

DATA CENTER SECURITY FUTURE

DATA CENTER SECURITY FUTURE
• SDN will be a mainstream consideration for data center security purchases by 2016

DATA CENTER SECURITY FUTURE
• Performance Demands vs. Security Concerns

FOCUS OF FUTURE
• Specific cloud service requirement and technical specification
• Cloud service requirements in specific market area
• Cloud networking
• Security requirements
• Cloud SLA
• Operation and maintenance

QUESTIONS?

THANK YOU