Transcript of: Secured automation of the multicloud… · ENHANCED NETWORK SERVICES DELIVERED ACROSS PRIVATE &...
Secured automation of the multicloud
CONFIDENTIALITY AND LEGAL NOTICE
This material contains information that is confidential and proprietary to Juniper Networks, Inc. Recipient may not distribute, copy, or repeat information in the document.
This statement of product direction sets forth Juniper Networks’ current intention and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted in this presentation.
Contrail program participants are subject to a license agreement that describes program terms and conditions.
MACRO TRENDS
CLOUD TRENDS
Device Explosion
▪ Billions of connected / IOT devices
▪ Running applications in the cloud
Machine Learning & AI
▪ Device Explosion leads to data explosion
▪ ML / AI being key to monitor / detect / remediate issues (performance, security, etc.)
▪ NLP interfaces to devices
Cloud Migration
▪ Custom apps are being built in the Cloud
▪ Enterprise apps migrating to SaaS
Microservices / Scale-out Apps
▪ TTM of apps
▪ App portability & scalability
▪ Move from monolithic to microservices
OpenSource Adoption
▪ Proprietary software perceived as ‘vendor lock-in’
▪ All layers of stack are open-sourced
PUBLIC CLOUD DISRUPTION IN ENTERPRISE
[Figure: Developers (Service Creation) and Deployers (Service Consumption) plotted over Time, with the Consumer of Services moving from Private DC (IT) and Private / Colo toward IaaS / PaaS / Hybrid Cloud Usage and SaaS Usage. Transitions shown: Enterprise Hosted Apps to SaaS, Monolithic Apps to Scale-out Apps, Private / Colo to Hybrid Cloud. Layers labelled: Service Overlay, Underlay, Mgmt; CPE at the Customer Branch.]
ENABLING & INTERCONNECTING MULTIPLE HETEROGENEOUS ENVIRONMENTS
[Figure: Multi-vendor Orchestration & Management spanning Multi-site DC / POP Private Clouds (VMs, BMS, Containers), Legacy (VLAN-based, VMware; VMware VMs, Bare Metal, VLAN), Public Cloud, and Firewall VNF / PNF.]
Use cases:
▪ Legacy (VMware, BMS) Interconnect
▪ VMs & Containers
▪ Multi-DC Interconnect
▪ Hybrid Cloud (Public Cloud Interconnect)
▪ SaaS Clouds
▪ IaaS (VMs & Containers)
▪ NFV & Service Chaining (Mobility, CDNaaS)
▪ SDWAN
▪ Connected Cars / IoT
▪ Telco Cloud
▪ BMaaS
▪ Public Cloud
SDN as a platform: connect, secure, manage, operate
FABRIC AND MULTICLOUD AUTOMATION
ENHANCED NETWORK SERVICES DELIVERED ACROSS PRIVATE & PUBLIC/HYBRID CLOUD
[Figure: SDN Controller (Config, Control, Analytics, Svr Mgmt) above Network Services (DDI, FW, LB, L3 VN, L2 VN, Analytics, Svc Ch., Sec Policy, QoS, Health Check); an SDN GW providing a Seamless Security & Connectivity Solution for Hybrid Env.; TOR Switch or vRouter connecting VMs (ESXi, KVM), Containers and Bare Metal Servers.]
A Fabric is a system that delivers networking (L2/L3) across connected endpoints.
A cloud delivers application services (logical networking, often called the ‘overlay’) through cloud-native APIs, programming the networking behavior of the Fabric to connect endpoints according to the service logic.
[Figure: Fabric, Controller, API, User plane.]
Multicloud networking controller as a Platform
[Figure: Private cloud (physical/virtualized): DC Computes with vRouter hosting native Contrail workloads and bare metal workloads, TOR, Spine, PNF, SDN/VPN Gateway. Native public cloud: VPC with vRouter-based images on EC2 instances, Docker containers and VMs, Azure; Public cloud with Contrail; Public cloud tenant SDN Controller. Contrail: Management, Control, Telemetry, Forwarding (extended IP Fabric), lifecycle management; Contrail controller federation. Protocols labelled on the links: XMPP, NETCONF, gRPC; BGP (IP, EVPN, IP VPN); IP, IPsec; EVPN/VXLAN; IPsec; TLS/DTLS; REST/HTTPS; IP, IPsec; XMPP, jFlow, gRPC; BGP.]
MULTI-CLOUD SECURITY
▪ Security is perimeter based – but the perimeter is everywhere
▪ Explosion in # of apps, endpoints, environments on the one hand
▪ Explosion in # of threats, malware, spyware, hacking, attacks, data leaks on the other hand
▪ Results in policy explosion – management complexity and nightmare
▪ Manual, error-prone and non-automated. Does not scale.
CHALLENGES OF TRADITIONAL SECURITY PARADIGM
What to protect:
1. Applications
2. Number of endpoints
3. Environments – dev, prod, staging, on-prem, public cloud
4. …
What to protect against:
1. Data leaks
2. DDoS
3. Malware
4. Hacks
5. Viruses
6. Spyware, etc.
Policy explosion
[Figure: The Security Scale Challenge – Applications, Tiers, Environments on one axis; Threats, Malware, etc. on the other.]
PROBLEM STATEMENT – SIMPLIFY & EXTEND SECURITY FRAMEWORK
Current Behavior
[Figure: App1 (Web, App, db tiers) in Deployment = Dev with Network Policy = P1, Deployment = Staging with Network Policy = P2, Deployment = Prod with Network Policy = P3, …]
Can we use one policy to be applied in all the different deployments?
Desired Behavior
[Figure: App1 (Web, App, db tiers) in Deployment = Dev, Staging and Prod, all with Policy = P.]
1. Reduced Complexity (less # of policies)
2. Simplified Manageability (change control, etc. is much easier)
3. Improved Scalability
Consistent Intent-Driven Policy
▪ How to extend the same set of policies to Mesos, AWS, Kubernetes, Bare Metal Servers → without policy rule explosion
▪ Single policy, no policy rewrite … Define Once → Enforce Everywhere
[Figure labels: Site = US; Security Admin; OpenStack.]
Application Policy Config & Flow Visualization
▪ Offer visualization, analytics, and orchestration for security configurations
▪ Provide reporting, troubleshooting and compliance
▪ Discover inter- and intra-application traffic flows with/without enforcing policies
NEW SOLUTIONS - KEY REQUIREMENTS
▪ L4 enforcement at the vRouter (Kernel, DPDK, vCenter, Smart NIC)
▪ L7 enforcement at the L7 Firewall
Multiple Enforcement Points
[Figure: Web, App and DB tiers with a Host-Based FW; the Controller holds the policy Definition and Enforcement happens at L4 and L7.]
CONSISTENT POLICIES ACROSS ENVIRONMENTS
App Discovery, Tag-based Policy & Visualization across heterogeneous and distributed environments (ESXi & KVM VMs, K8s / containers, bare-metal servers, Public Cloud, etc.)
Consistent security policies and enforcement across different environments
[Figure: Controller above Compute Nodes running vRouters in a Private Cloud DC and a Public Cloud VPC / VN, connected through a GW over Public or Private Internet or Direct Connect, with Policy-based Encryption.]
Consistent Intent-driven Policy Configuration with Detailed Security Analytics / Prediction and Traffic Visualization along with compliance
Virtual Networking connects multiple heterogeneous environments
Distributed enforcement of policies at L4 and L7
INTENT-DRIVEN POLICIES
[Figure: site = US and site = EMEA, each hosting App = Finance with Web and App tiers in Deployment = Dev, Prod and Staging, plus Legacy Data (tier = db); legend: Dev, Production, Staging; Definition and Enforcement shown as separate stages.]
Policy rules:
1. allow TCP 80 tier=web > tier=app, match deployment
2. allow TCP 3036 tier=app > tier=db, match site
The diagram also shows the match condition combined as "… && site".
Note: The concept of ‘match’ (patent-pending) is a big competitive differentiator (that reduces the # of policy rules even further than what competition can do …)
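The following is an added example, not Contrail code or a Juniper artifact: a small Python evaluator for tag-based intent rules with ‘match’ clauses, constructed to show why the two rules above (TCP 80 web→app matched on deployment, TCP 3036 app→db matched on site) cover every Dev/Staging/Prod and US/EMEA combination without a rewrite, while still denying cross-deployment and cross-site flows. Endpoint names, the tag vocabulary, the allow-list semantics and the rule-expansion helper are assumptions made for illustration; the second rule is extended here to match on both site and deployment, as the slide's "&& site" suggests.

```python
"""Tag-based intent policy with 'match' clauses (added example, not Contrail code).

Semantics assumed here: a flow is allowed if at least one rule selects the
source and destination by tag and, for every tag listed in 'match', both
endpoints carry the same value for that tag.  Everything else is denied.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Endpoint:
    name: str
    tags: dict  # constructed tag set, e.g. {"app": "Finance", "tier": "web", "deployment": "Dev", "site": "US"}


@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    src: dict          # tag selector the source must satisfy
    dst: dict          # tag selector the destination must satisfy
    match: tuple = ()  # tags whose values must be equal on source and destination


def selects(selector, tags):
    """True when every key/value of the selector is present in the endpoint tags."""
    return all(tags.get(k) == v for k, v in selector.items())


def rule_permits(rule, src, dst, proto, port):
    if (proto, port) != (rule.proto, rule.port):
        return False
    if not (selects(rule.src, src.tags) and selects(rule.dst, dst.tags)):
        return False
    # 'match': the same deployment / site on both sides, and the tag must exist
    return all(src.tags.get(t) is not None and src.tags.get(t) == dst.tags.get(t)
               for t in rule.match)


def is_allowed(policy, src, dst, proto, port):
    """Allow-list evaluation: any permitting rule allows the flow, otherwise deny."""
    return any(rule_permits(r, src, dst, proto, port) for r in policy)


def expand_without_match(rule, tag_values):
    """The rule set you would need if 'match' did not exist: one rule per value combination."""
    keys = list(rule.match)
    expanded = []
    for combo in product(*(tag_values[k] for k in keys)):
        pin = dict(zip(keys, combo))
        expanded.append(Rule(rule.proto, rule.port, {**rule.src, **pin}, {**rule.dst, **pin}))
    return expanded


# Constructed policy: the two intent rules from the slide (port 3036 kept as on the slide).
POLICY = [
    Rule("TCP", 80, {"tier": "web"}, {"tier": "app"}, match=("deployment",)),
    Rule("TCP", 3036, {"tier": "app"}, {"tier": "db"}, match=("site", "deployment")),
]


def ep(name, tier, deployment, site, app="Finance"):
    """Helper to build a constructed endpoint with the slide's tag vocabulary."""
    return Endpoint(name, {"app": app, "tier": tier, "deployment": deployment, "site": site})


def demo():
    """Evaluate representative flows; returns a dict of flow description -> allowed."""
    web_dev_us = ep("web-dev-us", "web", "Dev", "US")
    app_dev_us = ep("app-dev-us", "app", "Dev", "US")
    app_prod_us = ep("app-prod-us", "app", "Prod", "US")
    db_dev_us = ep("db-dev-us", "db", "Dev", "US")
    db_dev_emea = ep("db-dev-emea", "db", "Dev", "EMEA")
    return {
        "web->app same deployment": is_allowed(POLICY, web_dev_us, app_dev_us, "TCP", 80),
        "web->app cross deployment": is_allowed(POLICY, web_dev_us, app_prod_us, "TCP", 80),
        "app->db same site+deployment": is_allowed(POLICY, app_dev_us, db_dev_us, "TCP", 3036),
        "app->db cross site": is_allowed(POLICY, app_dev_us, db_dev_emea, "TCP", 3036),
        "web->db not in policy": is_allowed(POLICY, web_dev_us, db_dev_us, "TCP", 3036),
    }


def rule_count_comparison(tag_values):
    """(rules with 'match', equivalent rules without 'match') for the given tag value sets."""
    with_match = len(POLICY)
    without = sum(len(expand_without_match(r, tag_values)) for r in POLICY)
    return with_match, without


if __name__ == "__main__":
    for flow, allowed in demo().items():
        print(f"{flow}: {'allow' if allowed else 'deny'}")
    print(rule_count_comparison({"deployment": ["Dev", "Staging", "Prod"], "site": ["US", "EMEA"]}))
```

With three deployments and two sites, `rule_count_comparison` returns `(2, 9)`: the two matched rules stand in for nine pinned rules, and adding a deployment or a site changes nothing in the policy text, which is the "define once, enforce everywhere" property the slides describe. The evaluator is deny-by-default, so a flow that no rule selects (web→db here) is never allowed by omission.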
Conclusion - Controller key attributes & future
FABRIC MODES
▪ Virtual (vRouter)
▪ Physical and Virtual (TOR, vRouter/BMS)
▪ Physical
MULTI-CLOUD
▪ Multi-Site (Federated & Centralized Mgmt)
▪ Multi-Cloud connectivity, security & operations (Project Kenai, Project Katmai)
MULTI-VENDOR
▪ No vendor lock-in as Open Standards based (BGP, XMPP, etc.)
OPEN
▪ Open Source Product with a multi-vendor community
▪ Standards based
CONTAINER NETWORKING
▪ Industry standard CNI-based integration for Kubernetes, Mesos, OpenShift
▪ Seamless extensibility of Virtual Networks across BM/VM/Container environments
SCALE & PERFORMANCE
▪ Significantly higher scale across computes, virtual networks, policies, service chains, etc.
▪ High performance capabilities such as SmartIO
Thank you