SECURING THE MULTICLOUD

Bahul Harikumar and Ali Bidabadi

Juniper Networks



This statement of direction sets forth Juniper Networks’ current intention and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted in this presentation.

This presentation contains proprietary roadmap information and should not be discussed or shared without a signed non-disclosure agreement (NDA).


We are all living in the wonderful world of digital transformation. No matter the size of your company or the industry you’re operating in, there’s some company ready to completely disrupt what you’re doing.

-Richard L. Villars, VP DC & Cloud Research IDC


Rising to the Challenge

• Migrate workloads to the cloud
• Rapid IT deployment
• Continuous innovation
• Faster route to market
• Reduced costs


Enterprise IT Transformation – XaaS

[Diagram: enterprise IT transformation from Traditional DC and Private Cloud (IaaS) through Public Cloud (IaaS, PaaS, SaaS) to Multicloud]


Cloud Market

85% of enterprise IT organizations will commit to multicloud architecture (IDC)

Cloud Adoption is a Strategic Imperative

Cloud 2.0 – Massive Adoption

Enterprises identified security risks as the biggest barrier in a recent IDC survey


Multicloud Security - Key Requirements

[Diagram: multicloud topology with SD & PE managing a Transit VPC (vSRX) in the public clouds; a private cloud with SRX4100/4200 and SRX4600/4800 in front of bare metal apps and vSRX/cSRX in front of virtualized apps; Public Cloud 1 and Public Cloud 2 each with web and app servers; all reachable over the Internet]

• Micro-Segmentation
• High performance
• Automation
• Visibility & Analytics
• Hypervisor Support
• Global Unified Policy Management
• Secure any-any Connectivity
• Compliance & Consistent Security
• Service Specific Clouds
• Multiple Cloud Integration
• Policy Automation


Juniper Security Portfolio for Multicloud

Sky ATP

SDSN – Software Defined Secure Networks

Security Director

Virtual & Container NGFW: vSRX (4 Gb/s with 2 vCPU up to 25 Gb/s with 16 vCPU), cSRX

Branch NGFW: SRX300, SRX320, SRX340, SRX345

Mid-range NGFW: SRX1500, SRX4100, SRX4200, SRX4600

High-End NGFW: SRX5400, SRX5600, SRX5800

UNIFIED POLICY – Create and centrally manage policy

GLOBAL THREAT DETECTION – Unify threat intelligence from multiple sources

NETWORK WIDE ENFORCEMENT – Automatically enforce policy across customer premises and cloud

HIGH PERFORMANCE NGFW – PHYSICAL & VIRTUAL SDSN ENFORCEMENT POINTS
• Reduces both opex and capex with better price performance
• Higher scale with IMIX firewall throughput from 1 Gbps to 320 Gbps
• Multiple services: Application Security, IPS, Content Security, ATP


Juniper Private Cloud Security Solution

Juniper Portfolio for Private Cloud – Key Requirements

• Micro-segmentation – vSRX, NSX Integration, Contrail
• High performance – vSRX multicore, SRX1500, SRX4100, SRX4200, SRX 5XXX, SRX4600
• Automation – SD/PE integration, REST/NETCONF, Chef/Puppet/Ansible, AppFormix
• Visibility & Analytics – Security Director, J-Web, Juniper Secure Analytics (JSA)
• Hypervisor Support – cSRX/Docker, VMware/NSX, KVM/Contrail

[Diagram: VMware virtual environment/private cloud with per-department VM isolation (Department 1 to Department 4, each with Web VM, App VM, DB VM and Other VM) enforced by vSRX instances; enterprise applications behind SRX1K/4K/5K; SD & PE management; headquarters and remote offices connected to the private cloud over an IP/MPLS WAN]


Juniper Public Cloud Security Solution

Juniper Portfolio for Public Cloud – Key Requirements

• Platform Integration – vSRX on AWS (BYOL & PAYG), vSRX on Azure (BYOL)
• Automation – PE integration on public cloud, Cloud-Init, Transit VPC, Auto-Scale/ELB
• Visibility & Analytics – Security Director, AppFormix

[Diagram: AWS Marketplace and Azure Marketplace; SD & PE managing a Transit VPC (vSRX) that fronts Public Cloud 1 and Public Cloud 2, each with web and app servers, reachable over the Internet]


vSRX - Juniper Virtual NGFW for Multicloud

High performance NGFW - Scale up to 100 Gbps - Lowest TCO

Firewall Foundational Services: Firewall, VPN, NAT, Routing

Rich Firewall Services: Application Security, User Firewall

Unified Threat Management: Anti-virus, Intrusion Prevention, Web/Content Filtering, Anti-spam

Advanced Threat Prevention (ATP): Sky ATP, GeoIP & Custom Feeds, Malware Detection

Centralized Management: Reporting, Analytics, Automation

Licensing based on features and throughput; 60-day evaluation license


vSRX - Ideal form factor for Multicloud Ecosystem

Policy & SDN
• Contrail Service Chaining
• VMware NSX
• SD, CLI, J-Web, NETCONF/REST API

IaaS
• Amazon AWS
• Microsoft Azure
• Google Cloud*

Orchestration
• VMware – vCenter
• OpenStack – Plugin
• Contrail Service Orchestrator (CSO)

Platforms
• VMware ESXi 5.x, 6.0
• KVM – CentOS & Ubuntu
• Microsoft – Hyper-V

*Roadmap


Juniper Multicloud Security Solution

[Diagram: Juniper multicloud topology: private cloud with SRX1K/4K/5K at the DC edge and vSRX/cSRX in front of virtualized and bare metal apps, managed by SD & PE; IPSec VPN to a Transit VPC (vSRX) fronting the public clouds with their web and app servers; all connected over the Internet]

Juniper Portfolio for Multicloud – Key Requirements

• Secure Connectivity – vSRX in public cloud (Transit VPC & full mesh VPN deployments), physical/virtual DC edge SRX, vSRX Auto-Scale*
• Compliance & Consistent Security – Portable security policies across private/public cloud
• Unified Management – Security Director as single pane of security management


Unified Management & User Intent Policy

ENHANCED VISIBILITY & CONTROL - SD
• Application Visibility & Control, Firewall Policy, Threat Maps, Events & Logs, Dashboard
• Automate operations and rule placement, reduce user errors, improve response time
• Reduce scope of work by 20x

ADAPTIVE & AGILE SECURITY POLICY
• Metadata-based policy – lets user intent based policy be created from metadata, which keeps security agile in the cloud (avoids manual workflow)
• AWS Lambda based sync of metadata and inventory in a VPC with SD

DYNAMIC POLICY ACTIONS
• The agility of the cloud can be preserved by deploying dynamic policy changes in response to a condition (such as an attack)

[Diagram: Security Director predefines policy, determines the condition and globally applies policy to the SRX; an AWS Lambda function syncs the Amazon EC2 inventory (Finance, Operations) and the vSRX with Security Director]
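Added example, not code from the deck or from Security Director: the data path behind a metadata-based policy, turning EC2 instance tags (the inventory the Lambda sync carries) into address sets and an intent policy rendered as Junos set commands. The tag key "Tier", the instance IDs and addresses are constructed assumptions.

```python
# Added example (not Juniper's or Security Director's code): derive tag-keyed address
# groups from EC2 instance metadata and render them, with a metadata-based intent
# policy, as Junos "set" commands for a vSRX. The Lambda sync to Security Director on
# the slide is the transport; this shows only the path from tags to policy.

# Constructed sample in the shape of EC2 DescribeInstances output; tag key "Tier" is assumed.
INVENTORY = [
    {"InstanceId": "i-0a1", "PrivateIpAddress": "10.0.1.10", "State": {"Name": "running"},
     "Tags": [{"Key": "Tier", "Value": "web"}]},
    {"InstanceId": "i-0a2", "PrivateIpAddress": "10.0.2.20", "State": {"Name": "running"},
     "Tags": [{"Key": "Tier", "Value": "app"}]},
    {"InstanceId": "i-0a3", "PrivateIpAddress": "10.0.3.30", "State": {"Name": "running"},
     "Tags": [{"Key": "Tier", "Value": "db"}]},
    {"InstanceId": "i-0a4", "PrivateIpAddress": "10.0.3.31", "State": {"Name": "terminated"},
     "Tags": [{"Key": "Tier", "Value": "db"}]},  # stale inventory: must not reach the policy
]
# Intent on metadata, not on addresses: (source tier, destination tier, TCP port).
INTENT = [("web", "app", 8080), ("app", "db", 3306)]

def address_groups(inventory, tag_key="Tier"):
    """Map tag value -> sorted host IPs, ignoring instances that are not running."""
    groups = {}
    for inst in inventory:
        if inst.get("State", {}).get("Name") != "running":
            continue
        tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
        if tag_key in tags and inst.get("PrivateIpAddress"):
            groups.setdefault(tags[tag_key], set()).add(inst["PrivateIpAddress"])
    return {k: sorted(v) for k, v in groups.items()}

def render_junos(groups, intent, zone="trust"):
    """Render address sets, one permit policy per intent entry, then an explicit deny-all."""
    pol = f"set security policies from-zone {zone} to-zone {zone} policy"
    cmds = []
    for tier, ips in sorted(groups.items()):
        for ip in ips:
            host = f"{tier}-{ip.replace('.', '-')}"
            cmds.append(f"set security address-book global address {host} {ip}/32")
            cmds.append(f"set security address-book global address-set tier-{tier} address {host}")
    for src, dst, port in intent:
        if src not in groups or dst not in groups:
            continue  # a tier with no running members gets no rule rather than an empty set
        name = f"{src}-to-{dst}-{port}"
        cmds.append(f"set applications application {name} protocol tcp destination-port {port}")
        cmds.append(f"{pol} {name} match source-address tier-{src} destination-address tier-{dst} application {name}")
        cmds.append(f"{pol} {name} then permit")
    cmds.append(f"{pol} deny-all match source-address any destination-address any application any")
    cmds.append(f"{pol} deny-all then deny")
    return cmds
```

Re-running `address_groups` on each inventory sync and re-rendering is what keeps the policy in step with the workloads; the terminated instance shows why the state check matters.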


Automate Entire Security Life Cycle – Ensure consistent deployment in a multicloud environment

• Reduces workload: build out from days to minutes
• Auto remediation to improve network availability and reduce mean time to repair

BUILD
• Initial configuration
• Software upgrade
• Space discovery
• Zero Touch Provisioning

CONFIGURE
• Pre/post change checks
• Configuration generation
• Deployment
• Archive configurations

OPERATE
• Event scripts to check health
• Troubleshoot issues
• Auto remediation


Multicloud Security – Juniper Offerings - Summary

[Diagram: the same multicloud topology as on the Key Requirements slide: SD & PE, Transit VPC (vSRX), private cloud with SRX4100/4200, SRX4600/4800 and vSRX/cSRX in front of bare metal and virtualized apps, Public Cloud 1 and Public Cloud 2 with web and app servers, Internet]

• vSRX – Cloud Native
• VMware NSX Integration
• Contrail Security
• SRX Encryption – IPSec
• High performance physical Firewalls
• Global Policy Management – Security Director (SD)
• vSRX Transit VPC
• vSRX on AWS
• vSRX on Azure
• Adaptive Security Policy (Metadata based Policy)


Key Takeaways

• Comprehensive solution for multicloud deployment – helps customers rise to the challenge of cloud adoption
• High performance and scale of Juniper security lower customers’ TCO
• Flexible licensing and business models to match varied customer requirements
• Unified management and network as enforcement through SDSN


Use Cases

Micro-segmentation – Retailer hosting virtual workloads in a private DC
• Differentiated security across various application groups
• Security as agile as the workloads
• High performance security – cannot be a bottleneck to application traffic
Solution: NSX Integration, Contrail micro-segmentation

Compliance & Consistent Security – Health insurer running applications & partner services on AWS
• Consistent security between DC and public cloud
• Secure connectivity between VPCs across multiple regions
• Redundancy in connectivity
Solution: Encryption & security everywhere, unified management by SD, multiple Availability Zones for redundancy

Secure Connectivity – Financial enterprise with a mix of on-prem and AWS assets
• Secure connectivity between VPCs across multiple regions
• Secure connectivity from DC to AWS VPCs
• IPS and stateful packet inspection between VPCs
Solution: Transit VPC

Demo


Multi-region Deployments

[Diagram: a POP connected by VPN gateways to Amazon EC2 in US West and Amazon EC2 in US East]


• Cross-region, cross-account VPCs can connect to the Transit VPC via IPSec tunnels
• BGP-based dynamic routing combined with multi-AZ deployment creates a robust network infrastructure
• Transit VPC can establish VPN connections to VGWs attached to Spoke VPCs automatically with zero touch

[Diagram: Transit VPC with one vSRX in AZ 1 and one in AZ 2; VPC 1, VPC 2 … VPC N attach as spokes; VPN over Direct Connect with a backup VPN over the Internet]


Secure Connectivity

[Diagram: Transit VPC with two vSRXs (AZ1, AZ2) connected through VPN gateways to Amazon EC2 in US West, US Central and US East, with AWS Direct Connect to the on-prem side]


Juniper Transit VPC Architecture

• Deploys two vSRXs (highly available design)
• The VGW Poller function runs every minute looking for appropriately tagged VGWs
• A PUT event inside AWS S3 triggers the Juniper Configurator function to generate and push the required configurations to the vSRXs
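The poller/configurator flow on this slide, as an added example that is not Juniper's Transit VPC solution code: `poll_vgws` is one poller pass (select VGWs by tag, skip detached or already-handled ones, emit one S3 object per VGW/vSRX pair) and `configure` is the Configurator reacting to the S3 PUT event for one such object. The tag key `transitvpc:spoke`, the IDs, ASNs and the st0 unit allocation are assumptions.

```python
# Added example, not Juniper's Transit VPC solution code: a minimal model of the two
# Lambda roles on the slide, the VGW poller and the Configurator. The tag key
# "transitvpc:spoke", all IDs and ASNs and the st0 unit allocation are assumptions.
SPOKE_TAG = ("transitvpc:spoke", "true")
VSRX_NAMES = ["vsrx1", "vsrx2"]  # the two highly available vSRX instances
LOCAL_ASN = 64512

# Constructed sample in the shape of EC2 DescribeVpnGateways output.
VGWS = [
    {"VpnGatewayId": "vgw-aaa", "State": "available", "AmazonSideAsn": 64600,
     "VpcAttachments": [{"VpcId": "vpc-1", "State": "attached"}],
     "Tags": [{"Key": "transitvpc:spoke", "Value": "true"}]},
    {"VpnGatewayId": "vgw-bbb", "State": "available", "AmazonSideAsn": 64601,
     "VpcAttachments": [{"VpcId": "vpc-2", "State": "attached"}], "Tags": []},  # untagged
    {"VpnGatewayId": "vgw-ccc", "State": "available", "AmazonSideAsn": 64602,
     "VpcAttachments": [], "Tags": [{"Key": "transitvpc:spoke", "Value": "true"}]},  # detached
]

def poll_vgws(vgws, known_ids):
    """One poller pass: map S3 key -> work item for tagged, attached, not-yet-known VGWs."""
    items, new = {}, 0
    for g in vgws:
        tags = {t["Key"]: t["Value"] for t in g.get("Tags", [])}
        vpcs = [a["VpcId"] for a in g.get("VpcAttachments", []) if a["State"] == "attached"]
        if tags.get(SPOKE_TAG[0]) != SPOKE_TAG[1] or g["State"] != "available" or not vpcs:
            continue
        if g["VpnGatewayId"] in known_ids:
            continue  # idempotent: a VGW handled in an earlier pass is not pushed again
        unit = len(known_ids) + new  # assumed: next free st0 unit after those already in use
        new += 1
        for name in VSRX_NAMES:
            key = f"vpnconfigs/{g['VpnGatewayId']}-{name}.json"
            items[key] = {"vgw": g["VpnGatewayId"], "vpc": vpcs[0], "vsrx": name,
                          "peer_asn": g["AmazonSideAsn"], "st0": unit}
    return items

def configure(s3_put_event, objects):
    """Configurator: on the S3 PUT for one work item, render that vSRX's IPsec/BGP stanzas."""
    rec = s3_put_event["Records"][0]
    if not rec.get("eventName", "").startswith("ObjectCreated:"):
        return []  # only object creation (the PUT) triggers a push
    it = objects[rec["s3"]["object"]["key"]]
    return [
        f"set security ipsec vpn {it['vgw']} bind-interface st0.{it['st0']}",
        f"set routing-options autonomous-system {LOCAL_ASN}",
        f"set protocols bgp group {it['vgw']} type external",
        f"set protocols bgp group {it['vgw']} peer-as {it['peer_asn']}",
    ]
```

In the real deployment the poller also creates the AWS VPN connections and the rendered config is pushed to the vSRX over NETCONF; both are omitted here so the selection and event logic can run offline.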


Demo Topology

[Diagram: vSRX1 with a Linux AMI in US East (N. Virginia) and vSRX2 with a Linux AMI in US West (Oregon), joined by IPSec tunnels]


Resources

• BYOL Juniper Transit VPC is now in the Marketplace: https://aws.amazon.com/marketplace/pp/B077NR8G4Q?qid=1512381707615&sr=0-6&ref_=srh_res_product_title
• Juniper Transit VPC implementation guide: https://www.juniper.net/assets/jp/jp/local/pdf/implementation-guides/8010096-en.pdf
• NXTWORK 2017 - SECURITY SESSIONS
  • Zero Trust Security with Software-Defined Secure Networks (Technical Deep Dive)
  • Security NOW: Stop Threats Faster. (Business Solutions)
  • Extending Enterprise Security to Multicloud and Public Cloud (Technology Focus)