
Software Defined Networking (SDN) Software Defined...

Date post: 12-Apr-2018
© Copyright Fortinet Inc. All rights reserved.

Software Defined Networking (SDN) / Software Defined Security
Kurt Knochner, Fortinet Senior Systems Engineer, [email protected]

2

How to describe the (IT) world of 2015

“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness…”

Charles Dickens, A Tale of Two Cities

3

Challenges in the Datacenter 2015

» Increasing Complexity
» Increasing Network Speed
» Increasing Security Challenges
» Increasing levels of Virtualization

4

Increasing Complexity

Sorry, we can’t help you with this … All we can say: it’s going to get worse ;-) However, we are committed to not adding complexity to your environment, by keeping the management of our products as simple and effective as possible!

5

Increasing Network Speed / Security Challenges

Fortinet is best known for its HIGH SPEED and SECURE appliances, so don’t be afraid, we will be there to support you!

Figure: Ethernet bandwidth growth, rate in Mb/s (log scale, 100 Mb/s to 1 Tb/s) against year (1995 to 2020), with Gigabit, 10 Gigabit, 100 Gigabit and 1 Terabit marked; Server I/O doubling roughly every 24 months, Core Networking doubling roughly every 18 months.

Source: IEEE 802.3 Industry Connections Ethernet Bandwidth Assessment, July 2012

6

Increasing levels of Virtualization

That’s what I’m going to talk about today.

7

To sum it up …

Virtual Appliances & VDOMs Provide Scale-Out Elasticity

Figure: Scale-Up and Scale-Out axes, with a Performance Boundary marked.

Benefits
» Elastic Firewall Capacity
» East-West Traffic Visibility
» Deployable in Public Clouds

Hypervisors: vSphere, XenServer, Hyper-V

Software Defined Datacenter and SDN

10

Software Defined Data Center

Decoupling/Abstraction and Orchestration

Figure: layered stack with App / OS / VM at the top, software-defined (SD) Network, Compute, Storage and Security in the middle, and physical Network, Compute, Storage and Security at the bottom.

11

SDDC - The Big Picture

Figure: Orchestration spanning Applications and Services, with Network, Storage, Compute and Security shown as both Physical and Virtual; Software Defined Networks, Software Defined Compute and Software Defined Storage are called out.

12

SDDC - The Big Picture (with security)

Figure: the same big-picture diagram (Orchestration over Applications and Services; Network, Storage, Compute and Security, Physical and Virtual), now with Software Defined Security called out next to Software Defined Networks, Software Defined Compute and Software Defined Storage.

13

Virtual Data Center Challenges

» High Availability
» Live Migration (a VM moves between hosts while its policy must keep applying)
» Securing flows within the same vSwitch (VM-to-VM traffic on one host never leaves the hypervisor, so a physical firewall never sees it)
» No auto-import of objects (the VM inventory has to be maintained on the firewall by hand)
» Manual or scripted automation and orchestration

14

Fortinet Software Defined Security Framework

Figure: framework diagram. Data Plane: Virtual x86 Containers, Hardware-Based Platforms, Virtual Appliances/Services. Control Plane: Platform Orchestration & Automation. Mgmt. Plane: Single Pane-of-Glass Management. Across all planes: Platform Extensibility.

15

Fortinet Software Defined Security Framework

Complete security ecosystem
» FW/NGFW (FortiGate)
» Web Application Firewall (FortiWeb)
» Secure Mail GW (FortiMail)
» Application Delivery (FortiADC)
» Sandboxing (FortiSandbox)
» vSphere, HyperV, KVM, Citrix Xen
» AWS, Microsoft Azure

16

Fortinet Software Defined Security Framework

Security optimized orchestration
» SDN application
» FortiSphere Security SDN controller
» FortiCore SDN Security Director

17

Fortinet Software Defined Security Framework

Single Pane-of-Glass management
» Management (FortiManager)
» Reporting & visibility (FortiAnalyzer)

18

Fortinet Software Defined Security Framework

Integration with external ecosystem
» Open Source
» Commercial
» Open: OpenFlow, JSON, RESTful API, XML

19

Fortinet Software Defined Security Framework – CSP Extensions

Figure: the framework diagram (Virtual x86 Containers, Hardware-Based Platforms, Virtual Appliances/Services; Platform Orchestration & Automation; Single Pane-of-Glass Management; Data Plane / Control Plane / Mgmt. Plane; Platform Extensibility; Integration with external ecosystem) extended for communication service providers with NFV, On-Demand Self-Service, Sec-aaS and Multi-Tenancy.

Builds on: Complete security ecosystem, Security optimized orchestration, Single Pane-of-Glass management.

FW NFV service chaining
» ETSI Multi-Vendor PoC on D-NFV (CPE)
» D-NFV Alliance – RAD V-CPE

20

Fortinet Software Defined Security Framework – CSP Extensions

Utility based consumption
» Licensing
» Provisioning
» Metering
» Billing

21

Fortinet Software Defined Security Framework – CSP Extensions

FortiPrivateCloud
» Security-aaS portal

22

Fortinet Programmable Networking Partnership Ecosystem

Figure: partner logos grouped under Orchestration Platforms, Programmable Switching, and Centralized Policy & Analytics, tied together by Platform Extensibility. Labels shown: ACI, vCNS certified, NSX Partner program, NSX Manager, Full NSX.

23

Cisco ACI Integration

» Cisco ACI: #1 SDN platform sought by enterprise customers
» Joint PR: integration of FortiGate into Cisco ACI deployment
» Joint demo at Interop (April 2015): ACI service insertion
» Product launch Q3 2015

24

OpenStack Integration

Open Source OpenStack
» ML2 plugin
» FWaaS plugin
» VTEP support

Commercial OpenStack
» HP Helion: Fortinet announced HP AllianceOne partnership; FortiGate certified HP Helion Ready; integration with HP VAN Controller and SDN switches; FortiSDN demo application for HP’s enterprise SDN ecosystem
» PlumGrid ONS integration

FortiGate-VMX NSX Integration

27

Fortinet SDDC Positioning

NSX integration is part of a three-step program. Currently the Fortinet solution uses NSX Manager with limited NetX API functionality.

Step 1: vSphere v5.5 U2 vCNS integration, certified
» Released Q4 2014
» Support for vSphere v5.5 Update 2
» Certified with vCNS Manager and NetX API

Step 2: vSphere v5.5 U2 vCNS integration, NSX compatible
» Released January 2015
» Support for vSphere v5.5 Update 2
» Certified compatible with NSX Manager and NetX API

Step 3: NSX new SDK integration (2015)
» Support for new NSX Manager
» Will only work with NSX deployments
» Advanced NSX NetX functionality for tighter control of traffic

Timeline: vCNS (Q4 2014), NSX Compatible (Q1 2015), NSX (2015)

28

FortiGate and NSX Integration/Interactions

Figure: FortiGate-VMX Service Manager, vCenter Server, NSX Manager, and a dvSwitch with an FGT-VMX instance on each host of the security cluster. Numbered interactions:

1. Initiate communication with vCenter Server
2. Register Fortinet as security service with NSX Manager
3. Auto-deploy FortiGate-VMX to all hosts in security cluster
4. FortiGate-VMX connects with FortiGate-VMX Service Manager
5. License verification and configuration synchronization with FortiGate-VMX
6. Kernel agent creation and default redirection rules for each host in cluster
7. Real-time updates of object database
8. Push policy synchronization to all FortiGate-VMX deployed in cluster

29

FGT-VMX and VMware Kernel Agent Interaction

Figure: VMware kernel with dvSwitch, one Kernel Agent per VM on the host, FGT-VMX on the host, and the FortiGate-VMX Service Manager; callouts 1 Define NGFW Firewall Policies, 2 FGT-VMX; labels fsw, tsw.

Packet Flow
1. From VM to Kernel Agent
2. Kernel Agent always forwards to the third-party solution (FGT-VMX)
3. FGT-VMX applies security and sends the packet back to the Kernel Agent
4. Kernel Agent can do service chaining or send the packet to the destination

30

FortiGate-VMX SVM Widget Information

31

FortiGate-VMX License Model

» One license for the FortiGate-VMX Service Manager
» Stackable license for the FGT-VMX agents, based on the number of agents deployed

Figure: three hypervisors (2 sockets, 4 sockets, 2 sockets) with FGT-VMX agents, labelled “2 FGT-VMX Licenses” and “3 FGT-VMX Licenses”.

32

FortiGate-SVM Initial Configuration

33

FGT-VMX Service Manager Policy Creation

34

FGT-SVM Policy Creation

All FOS NGFW functionalities are available on FGT-VMX

Inbound and Outbound Policies

35

NSX Integration - What’s Next?

1. Service Composer
   a. Define Security Tag based on workflow requirements
   b. Security Tag imported on FortiGate-VMX to define Firewall Policy
   c. Set and unset Tags on workflow VMs based on security requirements

New feature with full NSX integration

Firewall Policy =
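The packet flow on the kernel-agent slide (VM to Kernel Agent, always to FGT-VMX, back to the agent, then service chain or destination) and the tag-based policy sketched here (security tags imported from NSX Service Composer, set and unset on VMs) can be modelled in a few dozen lines. The following Python is an added example, not Fortinet or VMware code, and it calls no vendor API; the VM names, addresses, tags, rule names and the "ids-sensor" service are constructed. It also shows why a real-time object database on the firewall answers the virtual data center challenges listed earlier (live migration, no auto-import of objects, flows inside one vSwitch): policy is keyed on tags, so quarantining or re-addressing a VM needs no rule edit.

```python
# Constructed example: VM names, IPs, tags, rules and service names are made up.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class VM:
    name: str
    ip: str
    tags: Set[str] = field(default_factory=set)

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dport: int

@dataclass
class Rule:
    name: str
    src_tag: str            # "any", or a tag the source VM must carry
    dst_tag: str            # "any", or a tag the destination VM must carry
    dport: Optional[int]    # None = any destination port
    action: str             # "accept" or "deny"

class ObjectDB:
    """Firewall-side copy of the hypervisor's VM inventory and security tags.
    The orchestrator pushes changes here in real time, so rules keyed on tags
    keep working when a VM is tagged, untagged or re-addressed."""
    def __init__(self) -> None:
        self.by_ip: Dict[str, VM] = {}
    def upsert(self, vm: VM) -> None:
        # A migrated or re-addressed VM keeps its name and tags; drop its stale IP.
        for ip, old in list(self.by_ip.items()):
            if old.name == vm.name and ip != vm.ip:
                del self.by_ip[ip]
        self.by_ip[vm.ip] = vm
    def tag(self, ip: str, tag: str, on: bool = True) -> None:
        tags = self.by_ip[ip].tags
        tags.add(tag) if on else tags.discard(tag)
    def tags_of(self, ip: str) -> Set[str]:
        vm = self.by_ip.get(ip)
        return vm.tags if vm else set()

class FirewallVM:
    """Per-host firewall (stand-in for FGT-VMX): first match wins, else deny."""
    def __init__(self, db: ObjectDB, rules: List[Rule]) -> None:
        self.db, self.rules = db, rules
    def inspect(self, pkt: Packet) -> Tuple[str, str]:
        src, dst = self.db.tags_of(pkt.src_ip), self.db.tags_of(pkt.dst_ip)
        for r in self.rules:
            if ((r.src_tag == "any" or r.src_tag in src)
                    and (r.dst_tag == "any" or r.dst_tag in dst)
                    and (r.dport is None or r.dport == pkt.dport)):
                return r.action, r.name
        return "deny", "implicit-deny"

class KernelAgent:
    """Per-host hypervisor agent: every packet a VM emits is redirected to the
    firewall before it can reach a neighbour on the same vSwitch; only accepted
    packets continue down the service chain to the destination."""
    def __init__(self, fw: FirewallVM, chain: Tuple[str, ...] = ()) -> None:
        self.fw, self.chain = fw, chain
    def forward(self, pkt: Packet) -> dict:
        trace = ["vm->kernel-agent", "kernel-agent->fgt-vmx"]
        verdict, rule = self.fw.inspect(pkt)
        trace.append(f"fgt-vmx:{verdict}:{rule}")
        if verdict != "accept":
            return {"delivered": False, "rule": rule, "trace": trace}
        trace += [f"kernel-agent->{svc}" for svc in self.chain]
        trace.append("kernel-agent->destination")
        return {"delivered": True, "rule": rule, "trace": trace}

def build_cluster() -> Tuple[ObjectDB, KernelAgent]:
    db = ObjectDB()
    db.upsert(VM("web01", "10.0.1.10", {"web"}))
    db.upsert(VM("db01", "10.0.2.20", {"db"}))
    rules = [  # keyed on tags only: no IP address ever appears in policy
        Rule("quarantine-block", "quarantine", "any", None, "deny"),
        Rule("web-to-db", "web", "db", 3306, "accept"),
    ]
    return db, KernelAgent(FirewallVM(db, rules), chain=("ids-sensor",))

def demo() -> List[Tuple[str, bool, str]]:
    """Returns (label, delivered?, matched rule) for a sequence of events."""
    db, agent = build_cluster()
    out: List[Tuple[str, bool, str]] = []
    def step(label: str, pkt: Packet) -> None:
        r = agent.forward(pkt)
        out.append((label, r["delivered"], r["rule"]))
    step("web->db mysql", Packet("10.0.1.10", "10.0.2.20", 3306))
    step("web->db ssh", Packet("10.0.1.10", "10.0.2.20", 22))
    db.tag("10.0.1.10", "quarantine")              # orchestrator tags web01
    step("quarantined web->db mysql", Packet("10.0.1.10", "10.0.2.20", 3306))
    db.tag("10.0.1.10", "quarantine", on=False)    # tag cleared again
    db.upsert(VM("db01", "10.0.3.20", {"db"}))     # db01 re-addressed after a move
    step("web->db mysql, new db ip", Packet("10.0.1.10", "10.0.3.20", 3306))
    step("web->db mysql, stale db ip", Packet("10.0.1.10", "10.0.2.20", 3306))
    return out
```

Calling demo() walks through the five events: the MySQL flow is accepted by web-to-db, SSH hits the implicit deny, setting the quarantine tag on web01 blocks it under quarantine-block without touching the rule base, and after db01 is re-addressed the same rule still accepts traffic to the new address while the stale address matches nothing. The trace returned by forward() records the hop sequence of the kernel-agent packet flow.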


37

Why Fortinet?

» Committed to Security
» Committed to High Performance
» Committed to Virtualization

38

Fast growing business

39

No comment …

40

“We take care of security so you can take care of business.”

Ken Xie, CEO & Chairman of the Board

41

One last quote…

“We don’t put a single mark into advertising, but every mark into the chocolate.”

Aplia Schokolade, Springer & Jacoby

Kurt Knochner [email protected]

