Building a Secure, App-Enabled Cloud Network

Building a Secure, App
-
Enabled
Cloud Network

Yves
Sivuilu
, Enterprise System Engineer, Citrix

Von Nguyen, Solutions Architect, Palo Alto Networks

Department A

Department B

Legacy Networking

The Ages
O
f
T
he Enterprise Data Center

Legacy

Silo era

Single OS server

App runs on single Server

Each ADC serves single
important Apps

Virtualized Computing era

Multiple OS’s per server

App runs on one instance
of server

ADC serves single
important Apps / server

Cloud Networking era

On demand OS’s and
Servers

App spans multiple
servers

One or more NetScaler
serves all Apps

Legacy three layer
Hierarchical network

Legacy three layer
Hierarchical network

Flat super fast
software
definable network

High
CapEx

&
OpEx

Expensive Scaling

True Cloud Scalability

Low
CapEx

&
OpEx

Lower
CapEx

1
-

2
-

3
-

4
-

5
-

6
-

7
-

The Next Big Turn : Bringing Application
-
Awareness to SDN

Programmable
Elements

Control

WAN Opt

ADC

Data

Cloud Bridging

Firewall

Mobility

Physical
Switches

Virtual
Switches

Application

Network Control

Cisco 1000V

Nicira

Big Switch

…


Application
Control

(
NetScaler

SDX)


Application Model

Orchestration

Orchestration

1

2

4

3

1

2

4

3

Leverage “existing”

App
c
ontrol real estate
(e.g. NetScaler, ByteMobile)

“Top Down”
a
pp
-
centric

d
esign of new networks

Holistic orchestration
across L2
-
7

Integrate
a
pp
awareness into L2
-
3
SDN Controllers

Application Aware SDN

Visibility

….

Cloud Infrastructure

Enterprise Datacenter

Citrix
NetScaler

Optimizing Delivery of Apps and Services

Availability &
Performance

Cloud Scale

Infinite
Flexibility


Any User

Any Device

Any Location

Any Application

Any Data / Information

Security &
Visibility

•
Safely enables applications
regardless of ports, protocol,
evasive technique or
encryption

•
Protects against known and
unknown data center threats
at scale

Secure High
-
Performance Application Delivery

•
Application delivery with
advanced load balancing,
acceleration and caching

•
Application
availability in the
event of failure, DC outage
and traffic loads




Industry’s
leading service
and application delivery
technology

Industry’s leading next
-
generation
f
irewall

Securing the Cloud Network

1,800

4,700

9,000

0
2,000
4,000
6,000
8,000
10,000
Jul
-
10

Jul
-
11

$13

$49

$255

$119

$0
$50
$100
$150
$200
$250
$300
FY09
FY10
FY11
FY12
Palo Alto Networks at a Glance

Corporate Highlights

Disruptive Network Security Platform

Safely Enabling Applications

Able to Address All Network Security Needs

Exceptional Growth and Global Presence

Experienced Technology and Management Team

800+ Employees

Revenue

Enterprise Customers

$MM

FYE July

Page
8

|

© 2012 Palo Alto Networks. Proprietary and Confidential.

Jul
-
12

Securing Next
-
Generation Cloud Network

DB

Web

App

Traditional

Data Center

Current

Data Center

DB

Web

App

Future

Data Center

Security
Challenges:

•
Gaining visibility into East
-
West traffic

•
Tracking movement of virtual machines

•
Keeping pace with automated
workflows

© 2012 Palo Alto Networks. Proprietary and Confidential.

Page
9

|

But Your Existing Challenges Didn’t Go Away

© 2012 Palo Alto Networks. Proprietary and Confidential.

Page
10

|

Internal employees

Enterprise
boundary

Mobile and
remote users

Partners &
Contractors

Distributed Enterprise

New Application
Landscape

Modern Attacks

Attackers

© 2012 Palo Alto Networks. Proprietary and Confidential.

Page
11

|

A New Paradigm for Security is Needed

•
Deliver all the features that are table stakes:

-
Safe app enablement, threat protection, flexible integration

•
Must become more dynamic

-
Security policy must be there when VM is created

-
Security policy must follow VM movement

-
Security workflows must be automated//orchestrated so it doesn’t slow
down the data center

•
Consistent, centralized management


-
Centralized management is critical

-
Must be consistent for all environments
-

physical, hybrid, mixed

Safely Enable All Traffic in the DC

WHO

WHERE

WHAT

HOW

User/Group/Device

Server/Hardware

Application

Exploits,
malware,
spyware

Content

Security
Profile

Segment applications by function, trust levels, and compliance needs


Inspect all traffic between security zones by default

Manage unknown traffic

•
© 2012 Palo Alto Networks. Proprietary and Confidential.

•
Page
12

|

Enabling Applications, Users and Content


Applications:
Safe enablement begins with
application classification by
App
-
ID.




Users:
Tying users and devices, regardless of
location, to applications with
User
-
ID

and
GlobalProtect
.




Content
:

Scanning
content
and
p
rotecting
against all threats
–

both known and unknown;
with
Content
-
ID

and
WildFire
.

•
© 2012 Palo Alto Networks. Proprietary and Confidential.

•
Page
13

|

NGFW Platforms for the Data Center

PA
-
5000 Series


Just because your network is running faster than ever, doesn’t mean
you have to give up security and visibility


All Palo Alto Networks next
-
generation firewalls support App
-
ID, User
-
ID, Content
-
ID


The PA
-
5000 Series brings app, user, and content visibility and
control to 20
Gbps

networks


Unmatched performance


Extended parallel processing hardware architecture


Enterprise
-

and service provider
-
specific hardware features

© 2012 Palo Alto Networks. Proprietary and Confidential.

Page
15

|

NGFW Platforms for the Data Center

Introducing the
VM
-
Series


Next
-
generation firewall in a virtual form factor

C
onsistent features
as hardware
-
based next
-
generation firewall

Inspects and
safely enables intra
-
host communications
(East
-
West traffic)

Tracks VM creation and movement
with dynamic address objects

Initial support on VMware platform
-

ESXi

4.1 and
ESXi

5.0

Available in 3 models (VM
-
100, VM
-
200, VM
-
300), and supports 2, 4, 8 CPU cores

Licensing by firewall capacity
–

Individual, Enterprise, Service
-
Provider

VM
-
100

VM
-
200

VM
-
300

50,000 sessions

100,000

sessions

250,000 sessions

250 rules

2,000 rules

5,000 rules

10 security zones

20 security zones

40 security zones

Dynamic Address Objects

Tie Policy to Dynamic VM Environment


One of the biggest benefits of virtualization is
the simplicity of adds, moves, and changes of
compute (VMs) as
needed


Dynamic objects link security to that benefit

•
© 2012 Palo Alto Networks. Proprietary and Confidential.

•
Page
16

|

Tie Security into Orchestration Environment


Orchestration systems are aware of everything going on in the data center


Security infrastructure also needs to be aware


PAN
-
OS and Panorama provide APIs that facilitate the integration of security
into the orchestration environment

17

| ©2012,

Palo Alto Networks. Confidential and Proprietary.

PAN
-
OS

Data Center Orchestration

Virtual Machine
Deployment

Network Configuration

Security Policy
Configuration

API

VM
-
Series
Deployment/
Interfaces

VLAN/Zone Provisioning,
Dynamic Objects

Policies, Profiles, App
-
IDs

Context

Context

API

API

Inter
-
host
Segmentation

Intra
-
host
Segmentation

Physical Servers

V
irtualized servers

HA

Physical Firewalls

Virtualized Firewalls

Security

Network

Application

Orchestration
systems

Flexible Deployments to Protect East
-
West Traffic

© 2012 Palo Alto Networks. Proprietary and Confidential.

Page
18

|

Citrix and Palo Alto Networks
Joint Solutions

Secure, High
-
performance Application Deployments

•
Validated deployment guides
–

SharePoint, Exchange,
Lync

•
Accommodates complex
deployments

•
Safely enables applications

•
Delivery optimized and cost
-
effective


Secure, High
-
Performance
XenApp

Applications

Remote User

Branch Office

Home Office

Tablet

Access Gateway

Deskto
p
Deliver
y
Control
ler

HQ Office

XenDesktop
Farm

XenServer Resource
Pool

Active
Directo
ry

Data
Store
License
Server

DH
CP

Infrastructure

Virtual Desktop 1

Personalization: User A

Apps: Office

OS: Vista

Virtual Desktop 2

Personalization: User B

Apps: Office

OS: XP

Virtual Desktop 3

Personalization:

Apps:

OS:

Deskto
p
Deliver
y
Control
ler

Data

Collect
or

Web

Interfa
ce

Firewall

malwar
e

botnets

exploits

•
Validated deployment
guide: virtual desktop
applications

•
Safely enables
applications

•
Secures access

•
App
-
and user
-
based policies

•
Prevents threats

•
Secured, optimized,
and highly available

For More Information


www.citrix.com/netscaler/paloaltonetworks


www.paloaltonetworks.com/citrix


o
Deployment Guides Securing and
Accelerating:

o
Microsoft Exchange

o
Microsoft
Lync

o
Microsoft SharePoint

o
XenDesktop


o
Video

o
WhitePaper


Demo