FortiADC, FortiGate-VMX Sicurezza e Bilanciamento per il …passport.exclusive-networks.it/upload/workdoc/FortiGate... · 2015. 6. 5. · FortiADC Virtual Appliance Soluzione Enterprise

FortiADC, FortiGate-VMX Sicurezza e

Bilanciamento per il Datacenter Heros Deidda

System Engineer Sidin

AGENDA:

• VMware NSX:

Virtualizzare il

networking

• Fortigate-VMX

• FortiADC:

Bilanciamento in

Datacenter

La Visione di VMware

“Network provisioning is slow. The

current operational model has

resulted in slow, manual, error-prone

provisioning of network services to

support application deployment [..]

The solution to these challenges is to

virtualize the network. Do for

networking the same thing that has

been done for compute and storage”

SDDC: Software Defined DataCenter

• Abilita all’erogazione di ambienti IaaS completamente isolati

• Microsegmentazione della rete

• Possibilità di Realizzare Network Virtuali vere e proprie attraverso il concetto di Overlay Network

• Le “reti virtuali” si muovono fra gli host coerentemente alle VM cui appartengono.

• La gestione di networking e sicurezza può essere realizzata sfruttando la visibilità sugli oggetti definiti all’interno del datacenter (es:nome dell VM)

http://www.vmware.com/files/it/pdf/products/nsx/VMware-NSX-Network-Virtualization-Platform-WP.pdf

Cosa è NSX?

Controller Cluster NSX Manager vSwitches Gateways Partner

Ecosystem

• La piattaforma VMware NSX è costituita da cinque componenti di base:

https://www.sdxcentral.com/resources/vmware/what-is-vmware-nsx/

• La piattaforma VMware NSX è costituita da cinque componenti di base:

• Distribuito Fisicamente – Centralizzato “logicamente” – sistema altamente disponibile

responsabile per il deployment delle reti virtuali su tutta l’architettura

• “Istruisce” I distributed virtual switch dell’hypervisor ed i Gateway

• Accetta Richieste API da piattaforme di management north-bound (ES: vCloud,

OpenStack)

• Completamente out-of-band, non gestisce mai direttamente I pacchetti o il dataplane

Controller Cluster NSX Manager vSwitches Gateways Partner

Ecosystem

Cosa è NSX?

• Fornisce una web-based GUI per l’interazione con la componente VMware

NSX controller cluster API. Permette la configurazione del sistema,

l’amministrazione ed il troubleshooting

Controller Cluster NSX Manager vSwitches Gateways Partner

Ecosystem

• La piattaforma VMware NSX è costituita da cinque componenti di

base:

Cosa è NSX?

• Ogni hypervisor ha un vSwitch in-kernel con un data plane programmabile L2-

L4

• Il controller dinamicamente gestisce I tunnel che incapsulano il traffico

(VXLAN ) tra gli hypervisor, disaccoppiando lo spazio di indirizzi IP delle reti

virtuali dalla rete fisica

Controller Cluster NSX Manager vSwitches Gateways Partner

Ecosystem

• La piattaforma VMware NSX è costituita da cinque componenti di base:

Cosa è NSX?

http://blogs.vmware.com/cto/geneve-vxlan-network-virtualization-encapsulations/

• La piattaforma VMware NSX è costituita da cinque componenti di base:

• Permette l’erogazione di servizi che connettono le virtual networks all’interno

di VMware NSX con host non virtuali, siti remoti e reti esterne

• Fornisce Routing IP di base, MPLS, NAT, Firewall L4, VPN, e bilanciamento

Controller Cluster NSX Manager vSwitches Gateways Partner

Ecosystem

Cosa è NSX?

• Piattaforma che abilita I partner a registrare servizi fino al layer 7 con il

controller VMware NSX e trasparentemente inserisce queste capability nelle

virtual network.

Controller Cluster NSX Manager vSwitches Gateways Partner

Ecosystem

• La piattaforma VMware NSX è costituita da cinque componenti di base

Cosa è NSX?

Fortigate-VMX

Approccio Tradizionale: FortiGate-VM

Web Servers Application Servers Database Servers

vSwitch APP

Hypervisor

vSwitch DB vSwitch WEB

vSwitch External

Internet

• FortiGate-VM usata per controllare il traffico east-west

• E’ necessario che il traffico passi per la Fortigate-VM affinchè possa essere filtrato

• aggiungere un filtro di sicurezza fra le VM richiede la configurazione di VDOMs L2 e relativi inter vdom link

• L’appliance Fortigate fisica viene utilizzata per controllare il traffico nord-sud

4. F

ort

iGat

e-V

MX

co

nn

ects

wit

h

Fort

iGat

e-V

MX

Ser

vice

Man

ager

FortiGate-VMX: Overview

vCenter Server

vCloud Networking &

Security Manager

FortiGate-VMX Service Manager

1. Initiate communication with vCenter Server

2. Register Fortinet as security service with vCNS Manager

dvSwitch

3. A

uto

-dep

loy

Fort

iGat

e-V

MX

to

all

ho

sts

in s

ecu

rity

clu

ster

5. License verification and configuration synchronization with FortiGate-VMX

6. K

ern

el a

gen

t cr

eati

on

an

d d

efau

lt r

e-d

irec

tio

n r

ule

s fo

r ea

ch h

ost

in c

lust

er

7. Real-time updates of object database

8. P

ush

po

licy

syn

chro

niz

atio

n t

o a

ll Fo

rtiG

ate

-V

MX

dep

loye

d in

clu

ster

FGT-VMX FGT-VMX

FortiGate-VMX: Overview

Demo Registrata qui: https://attendee.gotowebinar.com/recording/5042467342819671042

FortiGate-SVM Initial Configuration

http://www.fortinet.com/products/fortigate/vmware-virtual-appliance.html

FGT-VMX Service Manager Policy Creation

FGT-SVM Policy Creation

All FOS NGFW functionalities are available on FGT-VMX

Inbound and Outbound Policies

Fortigate-VMX: Vantaggi

East-West

• HA attraverso VMware

• Live Migration coerente

• Ispezione del traffico fra VM

nello stesso vSwitch (micro

segmentazione)

• Automation e Orchestration

effettuato da VMware

• Visibilità degli oggetti definiti

sul Virtual Center (VM e reti)

unificata

http://blogs.vmware.com/networkvirtualization/files/2014/06/VMware-SDDC-Micro-Segmentation-White-Paper.pdf

FortiADC: Bilanciamento in

Datacenter

Perchè un Application Delivery Controller?

• Scalabilità delle applicazioni – Server Load Balancing

• Ottimizzazione del Traffico applicativo – Content-

based Routing

• Secure Application Acceleration – SSL Offloading

• Disaster Recovery/Multi-Site Load Balancing – GSLB

• Application Availability – Link Load Balancing

..& More

Server Load Balancing

Metodi Di Bilanciamento

• Methods: Round Robin, Least

Connection, Shortest Response

Server Persistence

• Persistence methods: Persistent

IP, Rewrite Cookie, Embedded

Cookie, Hash IP, Insert Cookie,

Persistent Cookie, Hash Cookie

Monitor Health Checks

• Probes & Health Checks: ICMP,

HTTP, HTTPS, TCP, TCP Echo,

DNS and RADIUS

• Configure interval, timeout Down

and Up retry

Distribuisce le Connessioni

attraverso diversi metodi

Mantiene la persistenza delle

connessioni fra client e server

Verifica che I server reali siano

pronti a rispondere sulla rete

Content Routing

Content Routing

• L4 and L7 routing capabilities

• Route traffic based on HTTP

Host, Request URL, Referrer,

Source IP

• Regular Expression support

• Condition table allows for

complex routing requirements

Ruota il traffico ai server sulla base

di innumerevoli criteri dal layer 4 al

layer 7 Content Routing for both L4 and L7

abc.example.com

example.com/xyz

example.com/abc

xyz.example.com

SSL Offload

Alte Performance

• Offload CPU intensive SSL

processing from servers

• Accelerate performance and

overall user experience

• Dramatic increase in transaction

processing

Semplifica l’Integrazione con le

applicazioni

• Full Certificate Management

• Advanced certification verification

and revocation capabilities

http://www.example.com https://www.example.com

Global Server

Load Balancing

Global Server Load Balancing

Resilienza Geografica

• Share load across multiple

geographically separated

datacenters and diverse ISPs

• Distribute traffic based on

proximity to datacenter

• Failover on datacenter failure

Performance e Scalabilità

• Increase delivery capacity

• Deliver content locally

• Increase performance and reduce

latency

• Increase application

responsiveness

• Increase customer satisfaction

US Data Center

European Data Center

*Requires units to be of the same platform (D or E)

Link Load Balancing

Features

• Manage inbound and outbound traffic

• Routes traffic to best performing ISPs

• Up to 16 links can be added for capacity

or redundancy

• Multiple point link health check support

• SNAT and Policy Routes for routing

flexibility

Benefits

• Reduce congestion and improve

user experience

• Dynamic ability to add capacity

• Improve application availability

and ensure business continuity

• Reduce costs by routing traffic

to lower cost providers

ISP 1

ISP 2

ISP 3

Pe

rfo

rma

nc

e &

Sc

ala

bil

ity

L4 <10GB 10 – 30GB 30 – 50GB

SSL Software ASIC ASIC

Ports GE GE/10GE GE/10GE

FortiADC Product Lineup

FAD-200E

FAD-100E

FAD-200D

FAD-1000E

FAD-600E

FAD-1500D

FAD-4000D

FAD-2000D

FAD-300E

FAD-400E

FAD-700D

FortiADC Virtual Appliance

Soluzione Enterprise di Virtual ADC • Supporta VMware ESXi / ESX 5.0 / 5.1 / 5.5

Technical Specifications

FortiADC VM01

FortiADC VM02

FortiADC VM04 FortiADC VM08

vCPU Support (Max) 1 2 4 8

Memory Support (Max) 2GB 4GB 8GB 16GB

Network Interface Support

10 10 10 10

Storage Support (Min / Max)

50MB / 1TB 50MB / 1TB 50MB / 1TB 50MB / 1TB

FortiADC Product Matrix

100E 200E 200D 300E 400E 600E 700D 1000E 1500D 2000D 4000D

L4 /7 SLB P P P P P P P P P P P

Advanced L7 Traffic Mgmt.

P P P P P P P P P P P

L4 T-put (Gbps) 1.0 2.7 2.7 4.8 8.0 12.0 15.0 15.0 20.0 30.0 50.0

LLB P P P P P P P P P P P

GSLB Included Included Included Included Included Included Included Included Included Included Included

Gzip Compression P P P P P P P P P P P

Caching P P P P P P P P P P P

Quality of Service N/a N/a P N/a N/a N/a P N/a P P P

IP Reputation P P P P P P P P P P P

Firewall/DoS P P P P P P P P P P P

Scripting/ Automation

Auto Auto n/a Auto Auto Auto n/a Auto n/a n/a n/a

VDOM n/a n/a n/a n/a n/a n/a P n/a P P P

Ethernet Connectivity

4 GigE 4 GigE 4 GigE 6 GigE 8 GigE 8 GigE, 2 10GE

8 GbE, 4 10GE

8 GigE, 2 10GE

8 GbE, 4 10GE

16 GbE, 4 10GE

16 GbE, 8 10GE

Power Supply Single Single Single Single Single Single Single Dual Dual Dual Dual

FortiDirector: Cloud-based GSLB

Hosted Server FortiADC

Single

Server

3rd Party ADC

• Cloud-based Global Server Load Balancer

• Pay-as-you-go Infrastructure as a Service (IaaS)

• Basic server load balancing to complex multi-site routing

• Sets up in minutes and supports any protocol with DNS routing

• Advanced health checking and customizable rules based routing

FortiDirector

Prodotti Correlati

• FortiWeb Web Application Firewall

– Protezione avanzata applicativa su servizi web

– PCI compliance

• FortiDirector Cloud-based Global Server Load Balancing

– Servizio di Load balancing interamente nel cloud con bilanciamento

geografico

• FortiWAN Link Load Balancer

– Advanced Link Load Balancing fino a 50 link

– Tunnel Routing proprietario

DOMANDE?

[email protected] System Engineer Sidin