Building a Secure, App-Enabled Cloud Network

Yves Sivuilu, Enterprise System Engineer, Citrix
Von Nguyen, Solutions Architect, Palo Alto Networks
Legacy Networking

(Diagram: Department A and Department B on a legacy network)
The Ages of the Enterprise Data Center

Legacy Silo era:
• Single OS server
• App runs on single server
• Each ADC serves single important apps
• Legacy three layer hierarchical network
• High CapEx & OpEx

Virtualized Computing era:
• Multiple OS's per server
• App runs on one instance of server
• ADC serves single important apps / server
• Legacy three layer hierarchical network
• Expensive scaling, lower CapEx

Cloud Networking era:
• On demand OS's and servers
• App spans multiple servers
• One or more NetScaler serves all apps
• Flat super fast software definable network
• True cloud scalability, low CapEx & OpEx
The Next Big Turn: Bringing Application-Awareness to SDN

(Diagram labels: Programmable Elements; Control; Data; WAN Opt, ADC, Cloud Bridging, Firewall, Mobility; Physical Switches, Virtual Switches; Application Network Control: Cisco 1000V, Nicira, Big Switch, …; Application Control: NetScaler SDX; Application Model; Orchestration; Application Aware SDN; Visibility; Cloud Infrastructure; Enterprise Datacenter)

1. Leverage "existing" app control real estate (e.g. NetScaler, ByteMobile)
2. "Top Down" app-centric design of new networks
3. Holistic orchestration across L2-7
4. Integrate app awareness into L2-3 SDN Controllers
Citrix NetScaler: Optimizing Delivery of Apps and Services

• Availability & Performance
• Cloud Scale
• Infinite Flexibility: any user, any device, any location, any application, any data / information
• Security & Visibility
Securing the Cloud Network

Industry's leading next-generation firewall:
• Safely enables applications regardless of ports, protocol, evasive technique or encryption
• Protects against known and unknown data center threats at scale

Industry's leading service and application delivery technology, for secure high-performance application delivery:
• Application delivery with advanced load balancing, acceleration and caching
• Application availability in the event of failure, DC outage and traffic loads
Palo Alto Networks at a Glance

Corporate Highlights:
• Disruptive Network Security Platform
• Safely Enabling Applications
• Able to Address All Network Security Needs
• Exceptional Growth and Global Presence
• Experienced Technology and Management Team
• 800+ Employees

Enterprise Customers: Jul-10 1,800; Jul-11 4,700; Jul-12 9,000
Revenue ($MM, FYE July): FY09 $13; FY10 $49; FY11 $119; FY12 $255

© 2012 Palo Alto Networks. Proprietary and Confidential.
Securing Next-Generation Cloud Network

(Diagram: Traditional Data Center, Current Data Center and Future Data Center, each with Web, App and DB tiers)

Security Challenges:
• Gaining visibility into East-West traffic
• Tracking movement of virtual machines
• Keeping pace with automated workflows
But Your Existing Challenges Didn't Go Away

(Diagram: the Distributed Enterprise, with internal employees inside the enterprise boundary, mobile and remote users, and partners & contractors; the New Application Landscape; Modern Attacks and attackers)
A New Paradigm for Security is Needed

• Deliver all the features that are table stakes:
  - Safe app enablement, threat protection, flexible integration
• Must become more dynamic
  - Security policy must be there when the VM is created
  - Security policy must follow VM movement
  - Security workflows must be automated/orchestrated so security doesn't slow down the data center
• Consistent, centralized management
  - Centralized management is critical
  - Must be consistent for all environments: physical, hybrid, mixed
Safely Enable All Traffic in the DC

WHO: User/Group/Device
WHERE: Server/Hardware
WHAT: Application
HOW: Security Profile (Content: exploits, malware, spyware)

• Segment applications by function, trust levels, and compliance needs
• Inspect all traffic between security zones by default
• Manage unknown traffic
Enabling Applications, Users and Content

Applications: Safe enablement begins with application classification by App-ID.

Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.

Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.
NGFW Platforms for the Data Center: PA-5000 Series

Just because your network is running faster than ever doesn't mean you have to give up security and visibility.

• All Palo Alto Networks next-generation firewalls support App-ID, User-ID and Content-ID
• The PA-5000 Series brings app, user, and content visibility and control to 20 Gbps networks
• Unmatched performance
• Extended parallel processing hardware architecture
• Enterprise- and service provider-specific hardware features
NGFW Platforms for the Data Center: Introducing the VM-Series

• Next-generation firewall in a virtual form factor
• Same feature set as the hardware-based next-generation firewall
• Inspects and safely enables intra-host communications (East-West traffic)
• Tracks VM creation and movement with dynamic address objects
• Initial support on VMware platform: ESXi 4.1 and ESXi 5.0
• Available in 3 models (VM-100, VM-200, VM-300), and supports 2, 4, 8 CPU cores
• Licensing by firewall capacity: Individual, Enterprise, Service-Provider

Model    Sessions   Rules   Security zones
VM-100   50,000     250     10
VM-200   100,000    2,000   20
VM-300   250,000    5,000   40
Dynamic Address Objects: Tie Policy to Dynamic VM Environment

One of the biggest benefits of virtualization is the simplicity of adds, moves, and changes of compute (VMs) as needed. Dynamic objects link security to that benefit.
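The idea behind dynamic address objects, and the earlier points that policy must follow VM movement and that unknown traffic must be managed, as an added conceptual model in Python. This is not code from Palo Alto Networks or Citrix and not the PAN-OS or Panorama API: rules name tags rather than IP addresses, tag membership is re-resolved from the VM inventory on every lookup, so a VM the orchestration system moves or re-addresses stays covered by the same rule without a policy edit, and inter-zone traffic that matches no rule (including an application no rule permits) falls to a default deny that is attributed to an implicit rule for review. The VM names, addresses, tags, zones and the single rule are constructed sample data.

```python
"""Conceptual model of security policy that follows VMs via tags.

Added illustration only; not PAN-OS/Panorama code. Rules reference tags
(dynamic address objects) instead of IPs. Membership is resolved at
evaluation time from the VM inventory, so a move or re-addressing needs
no policy change. Unmatched inter-zone traffic is denied and attributed
to an implicit default rule so it can be reviewed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class VM:
    name: str
    ip: str
    zone: str            # security zone of the VM's network attachment
    tags: Set[str]       # orchestration-assigned tags, e.g. "role-web"


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    src_tag: Optional[str]   # dynamic address object; None means any source
    dst_tag: Optional[str]   # dynamic address object; None means any destination
    apps: Set[str]           # application names; "any" matches everything
    action: str              # "allow" or "deny"


@dataclass
class Inventory:
    """VM inventory as an orchestration system would publish it (constructed)."""
    vms: Dict[str, VM] = field(default_factory=dict)

    def register(self, vm: VM) -> None:
        self.vms[vm.name] = vm

    def move(self, name: str, ip: str, zone: str) -> None:
        # A migration or re-addressing event: only the inventory changes.
        self.vms[name].ip = ip
        self.vms[name].zone = zone

    def resolve(self, tag: str) -> Set[str]:
        # Dynamic address object: the IPs currently carrying the tag.
        return {vm.ip for vm in self.vms.values() if tag in vm.tags}

    def zone_of(self, ip: str) -> Optional[str]:
        for vm in self.vms.values():
            if vm.ip == ip:
                return vm.zone
        return None


def evaluate(rules: List[Rule], inv: Inventory,
             src_ip: str, dst_ip: str, app: str) -> Tuple[str, str]:
    """Return (action, matching rule name) for one flow.

    Tags are resolved at evaluation time, so the policy follows the VM.
    """
    src_zone, dst_zone = inv.zone_of(src_ip), inv.zone_of(dst_ip)
    for r in rules:
        if (r.from_zone, r.to_zone) != (src_zone, dst_zone):
            continue
        if r.src_tag and src_ip not in inv.resolve(r.src_tag):
            continue
        if r.dst_tag and dst_ip not in inv.resolve(r.dst_tag):
            continue
        if "any" not in r.apps and app not in r.apps:
            continue
        return r.action, r.name
    # Inter-zone traffic matching no rule is denied by default; naming the
    # implicit rule lets unknown traffic be reported and reviewed.
    return "deny", "interzone-default"


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed scenario: a web tier talking to a database tier."""
    inv = Inventory()
    inv.register(VM("web01", "10.0.1.10", "web", {"role-web"}))
    inv.register(VM("db01", "10.0.2.10", "db", {"role-db"}))
    rules = [Rule("web-to-db-sql", "web", "db", "role-web", "role-db",
                  {"mysql"}, "allow")]
    out = {}
    out["before_move"] = evaluate(rules, inv, "10.0.1.10", "10.0.2.10", "mysql")
    # Orchestration re-addresses db01 inside the db zone; no policy edit.
    inv.move("db01", "10.0.2.57", "db")
    out["after_move"] = evaluate(rules, inv, "10.0.1.10", "10.0.2.57", "mysql")
    # An application the rule does not permit falls to the default deny.
    out["unknown_app"] = evaluate(rules, inv, "10.0.1.10", "10.0.2.57", "unknown-tcp")
    # A VM in the right zone but without the tag gets no access.
    inv.register(VM("untagged01", "10.0.1.99", "web", set()))
    out["untagged_src"] = evaluate(rules, inv, "10.0.1.99", "10.0.2.57", "mysql")
    return out


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:13s} -> {action:5s} ({rule})")
```

The point to take from the model is where the coupling sits: the rule never changes across the move, only the inventory does, which is what lets security keep pace with automated workflows; the price is that the inventory feed becomes security-critical, since whoever can assign tags decides rule membership.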
Tie Security into Orchestration Environment

Orchestration systems are aware of everything going on in the data center; security infrastructure also needs to be aware. PAN-OS and Panorama provide APIs that facilitate the integration of security into the orchestration environment.
(Diagram: Data Center Orchestration steps connected to PAN-OS through the API, with Context exchanged between them)

Orchestration step               PAN-OS (via API)
Virtual Machine Deployment       VM-Series Deployment / Interfaces
Network Configuration            VLAN/Zone Provisioning, Dynamic Objects
Security Policy Configuration    Policies, Profiles, App-IDs
Flexible Deployments to Protect East-West Traffic

(Diagram labels: Inter-host Segmentation; Intra-host Segmentation; Physical Servers; Virtualized servers; HA; Physical Firewalls; Virtualized Firewalls; Security, Network, Application and Orchestration systems)
Citrix and Palo Alto Networks Joint Solutions: Secure, High-Performance Application Deployments

• Validated deployment guides: SharePoint, Exchange, Lync
• Accommodates complex deployments
• Safely enables applications
• Delivery optimized and cost-effective
Secure, High-Performance XenApp Applications

(Diagram labels: Remote User, Branch Office, Home Office, Tablet; Access Gateway; Desktop Delivery Controller; HQ Office; XenDesktop Farm; XenServer Resource Pool; Infrastructure: Active Directory, Data Store, License Server, DHCP; Virtual Desktop 1: Personalization User A, Apps Office, OS Vista; Virtual Desktop 2: Personalization User B, Apps Office, OS XP; Virtual Desktop 3; Data Collector; Web Interface; Firewall; malware, botnets, exploits)

• Validated deployment guide: virtual desktop applications
• Safely enables applications
• Secures access
• App- and user-based policies
• Prevents threats
• Secured, optimized, and highly available
For More Information

www.citrix.com/netscaler/paloaltonetworks
www.paloaltonetworks.com/citrix
  o Deployment Guides Securing and Accelerating:
    o Microsoft Exchange
    o Microsoft Lync
    o Microsoft SharePoint
    o XenDesktop
  o Video
  o WhitePaper
  o Demo