FortiADC, FortiGate-VMX: Security and Load Balancing for the Datacenter
Heros Deidda, System Engineer, Sidin
AGENDA:
• VMware NSX: virtualizing the network
• FortiGate-VMX
• FortiADC: load balancing in the datacenter
VMware's Vision
“Network provisioning is slow. The current operational model has resulted in slow, manual, error-prone provisioning of network services to support application deployment [..] The solution to these challenges is to virtualize the network. Do for networking the same thing that has been done for compute and storage”
SDDC: Software Defined DataCenter
• Enables the delivery of fully isolated IaaS environments
• Network micro-segmentation
• Ability to build true virtual networks through the concept of an Overlay Network
• The “virtual networks” move between hosts together with the VMs they belong to.
• Networking and security can be managed by exploiting visibility into the objects defined inside the datacenter (e.g. the VM name)
http://www.vmware.com/files/it/pdf/products/nsx/VMware-NSX-Network-Virtualization-Platform-WP.pdf
What is NSX?
• The VMware NSX platform consists of five basic components: Controller Cluster, NSX Manager, vSwitches, Gateways, Partner Ecosystem
https://www.sdxcentral.com/resources/vmware/what-is-vmware-nsx/
Controller Cluster
• Physically distributed, “logically” centralized, highly available system responsible for deploying the virtual networks across the whole architecture
• “Instructs” the hypervisors' distributed virtual switches and the Gateways
• Accepts API requests from north-bound management platforms (e.g. vCloud, OpenStack)
• Completely out-of-band; it never directly handles packets or the data plane
NSX Manager
• Provides a web-based GUI for interacting with the VMware NSX controller cluster API. Allows configuration, administration and troubleshooting of the system
vSwitches
• Each hypervisor has an in-kernel vSwitch with a programmable L2-L4 data plane
• The controller dynamically manages the tunnels that encapsulate traffic (VXLAN) between hypervisors, decoupling the IP address space of the virtual networks from the physical network
http://blogs.vmware.com/cto/geneve-vxlan-network-virtualization-encapsulations/
Gateways
• Enable the delivery of services that connect the virtual networks inside VMware NSX with non-virtual hosts, remote sites and external networks
• Provide basic IP routing, MPLS, NAT, L4 firewall, VPN and load balancing
Partner Ecosystem
• Platform that enables partners to register services up to layer 7 with the VMware NSX controller and transparently inserts these capabilities into the virtual networks.
FortiGate-VMX
Traditional Approach: FortiGate-VM
(Diagram: Web, Application and Database server tiers, each on its own vSwitch (WEB, APP, DB) on the hypervisor, plus a vSwitch External towards the Internet)
• FortiGate-VM used to control east-west traffic
• Traffic must pass through the FortiGate-VM in order to be filtered
• Adding a security filter between VMs requires configuring L2 VDOMs and the related inter-VDOM links
• The physical FortiGate appliance is used to control north-south traffic
FortiGate-VMX: Overview
(Diagram: vCenter Server, vCloud Networking & Security Manager, FortiGate-VMX Service Manager, dvSwitch, and FGT-VMX instances on the hosts)
1. Initiate communication with vCenter Server
2. Register Fortinet as security service with vCNS Manager
3. Auto-deploy FortiGate-VMX to all hosts in security cluster
4. FortiGate-VMX connects with FortiGate-VMX Service Manager
5. License verification and configuration synchronization with FortiGate-VMX
6. Kernel agent creation and default re-direction rules for each host in cluster
7. Real-time updates of object database
8. Push policy synchronization to all FortiGate-VMX deployed in cluster
FortiGate-VMX: Overview
Recorded demo here: https://attendee.gotowebinar.com/recording/5042467342819671042
FortiGate-SVM Initial Configuration
http://www.fortinet.com/products/fortigate/vmware-virtual-appliance.html
FGT-VMX Service Manager Policy Creation
FGT-SVM Policy Creation
All FOS NGFW functionalities are available on FGT-VMX
Inbound and Outbound Policies
FortiGate-VMX: Advantages
East-West
• HA through VMware
• Consistent Live Migration
• Inspection of traffic between VMs on the same vSwitch (micro-segmentation)
• Automation and Orchestration carried out by VMware
• Unified visibility of the objects defined on the Virtual Center (VMs and networks)
http://blogs.vmware.com/networkvirtualization/files/2014/06/VMware-SDDC-Micro-Segmentation-White-Paper.pdf
FortiADC: Load Balancing in the Datacenter
Why an Application Delivery Controller?
• Application scalability – Server Load Balancing
• Application traffic optimization – Content-based Routing
• Secure Application Acceleration – SSL Offloading
• Disaster Recovery/Multi-Site Load Balancing – GSLB
• Application Availability – Link Load Balancing
..& More
Server Load Balancing
Load-Balancing Methods: distributes connections using several methods
• Methods: Round Robin, Least Connection, Shortest Response
Server Persistence: keeps connections between a client and a server persistent
• Persistence methods: Persistent IP, Rewrite Cookie, Embedded Cookie, Hash IP, Insert Cookie, Persistent Cookie, Hash Cookie
Monitor Health Checks: verifies that the real servers are ready to respond on the network
• Probes & Health Checks: ICMP, HTTP, HTTPS, TCP, TCP Echo, DNS and RADIUS
• Configure interval, timeout, Down and Up retry
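As an added example (not from the slides or from Fortinet's products), a Python model of a server pool that combines the three scheduling methods above with health-check gating and the Down/Up retry thresholds: a member receives no new connections until its probes fail `down_retry` times in a row, and comes back only after `up_retry` consecutive good probes. Server names, counters and threshold values are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class RealServer:
    """One pool member; counters are constructed sample state, not FortiADC's model."""
    name: str
    active_conns: int = 0
    avg_response_ms: float = 0.0
    up: bool = True
    consecutive_fail: int = 0
    consecutive_ok: int = 0

class ServerPool:
    """Scheduling method gated by health-check state with Down/Up retry thresholds."""
    def __init__(self, servers, method="round_robin", down_retry=3, up_retry=2):
        self.servers = list(servers)
        self.method = method
        self.down_retry = down_retry  # consecutive failed probes before marking DOWN
        self.up_retry = up_retry      # consecutive good probes before marking UP again
        self._rr_index = 0

    def record_probe(self, name, ok):
        """Feed one health-check result (ICMP/TCP/HTTP probe outcome); returns UP state."""
        srv = next(s for s in self.servers if s.name == name)
        if ok:
            srv.consecutive_ok, srv.consecutive_fail = srv.consecutive_ok + 1, 0
            if not srv.up and srv.consecutive_ok >= self.up_retry:
                srv.up = True
        else:
            srv.consecutive_fail, srv.consecutive_ok = srv.consecutive_fail + 1, 0
            if srv.up and srv.consecutive_fail >= self.down_retry:
                srv.up = False
        return srv.up

    def pick(self):
        """Choose the real server for a new connection; DOWN members never receive traffic."""
        cands = [s for s in self.servers if s.up]
        if not cands:
            return None  # whole pool down: the VIP must fail the connection, not guess
        if self.method == "round_robin":
            srv = cands[self._rr_index % len(cands)]
            self._rr_index += 1
        else:  # least_connection or shortest_response: pick the smallest metric
            key = {"least_connection": lambda s: s.active_conns,
                   "shortest_response": lambda s: s.avg_response_ms}[self.method]
            srv = min(cands, key=key)
        srv.active_conns += 1
        return srv.name
```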
Content Routing
• L4 and L7 routing capabilities
• Route traffic based on HTTP Host, Request URL, Referrer, Source IP
• Regular Expression support
• Condition table allows for complex routing requirements
Routes traffic to the servers based on a wide range of criteria from layer 4 to layer 7
Content Routing for both L4 and L7
(Diagram examples: abc.example.com, xyz.example.com, example.com/abc, example.com/xyz)
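An added example, not from the deck or from FortiADC's own configuration, of how such a condition table evaluates in Python: each row ANDs its Host, URL, Referer and source-IP conditions, the Host header is compared case-insensitively with any port stripped, and URL patterns are regular expressions anchored as full matches (so a rule for /abc does not capture /abcdef). The pool names and the /beta row are made up; the hostnames and paths are the ones drawn on the slide.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    host: str
    url: str
    referrer: str = ""
    src_ip: str = "0.0.0.0"

@dataclass
class Rule:
    """One row of the condition table: every condition that is set must match (AND)."""
    pool: str
    host_re: Optional[str] = None      # regex on the Host header (port stripped, case-folded)
    url_re: Optional[str] = None       # regex on the request URL path
    referrer_re: Optional[str] = None  # regex on the Referer header
    src_net: Optional[str] = None      # CIDR the client source address must fall in

    def matches(self, req):
        host = re.sub(r":\d+$", "", req.host).lower()  # "ABC.example.com:443" -> abc.example.com
        for pattern, value in ((self.host_re, host), (self.url_re, req.url),
                               (self.referrer_re, req.referrer)):
            # fullmatch: "/abc(/.*)?" matches /abc and /abc/x but never /abcdef
            if pattern is not None and not re.fullmatch(pattern, value, re.IGNORECASE):
                return False
        if self.src_net is not None and \
                ipaddress.ip_address(req.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        return True

def route(rules, req, default_pool="default"):
    """Walk the condition table top-down; the first matching row decides the server pool."""
    for rule in rules:
        if rule.matches(req):
            return rule.pool
    return default_pool

# Constructed table from the hostnames/paths on the slide; pool names and the /beta rule are made up.
RULES = [
    Rule("abc-pool", host_re=r"abc\.example\.com"),
    Rule("xyz-pool", host_re=r"xyz\.example\.com"),
    Rule("abc-pool", host_re=r"example\.com", url_re=r"/abc(/.*)?"),
    Rule("xyz-pool", host_re=r"example\.com", url_re=r"/xyz(/.*)?"),
    Rule("beta-pool", url_re=r"/beta(/.*)?", src_net="10.0.0.0/8"),  # internal testers only
]
```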
SSL Offload
High Performance
• Offload CPU intensive SSL processing from servers
• Accelerate performance and overall user experience
• Dramatic increase in transaction processing
Simplifies Integration with Applications
• Full Certificate Management
• Advanced certificate verification and revocation capabilities
(Diagram: https://www.example.com on the client side, http://www.example.com towards the servers)
Global Server Load Balancing
Geographic Resilience
• Share load across multiple geographically separated datacenters and diverse ISPs
• Distribute traffic based on proximity to datacenter
• Failover on datacenter failure
Performance and Scalability
• Increase delivery capacity
• Deliver content locally
• Increase performance and reduce latency
• Increase application responsiveness
• Increase customer satisfaction
(Diagram: US Data Center, European Data Center)
*Requires units to be of the same platform (D or E)
Link Load Balancing
Features
• Manage inbound and outbound traffic
• Routes traffic to best performing ISPs
• Up to 16 links can be added for capacity or redundancy
• Multiple point link health check support
• SNAT and Policy Routes for routing flexibility
Benefits
• Reduce congestion and improve user experience
• Dynamic ability to add capacity
• Improve application availability and ensure business continuity
• Reduce costs by routing traffic to lower cost providers
(Diagram: ISP 1, ISP 2, ISP 3)
Performance & Scalability
L4       <10GB       10 – 30GB    30 – 50GB
SSL      Software    ASIC         ASIC
Ports    GE          GE/10GE      GE/10GE
FortiADC Product Lineup: FAD-100E, FAD-200E, FAD-200D, FAD-300E, FAD-400E, FAD-600E, FAD-700D, FAD-1000E, FAD-1500D, FAD-2000D, FAD-4000D
FortiADC Virtual Appliance
Enterprise Virtual ADC Solution • Supports VMware ESXi / ESX 5.0 / 5.1 / 5.5
Technical Specifications       VM01         VM02         VM04         VM08
vCPU Support (Max)             1            2            4            8
Memory Support (Max)           2GB          4GB          8GB          16GB
Network Interface Support      10           10           10           10
Storage Support (Min / Max)    50MB / 1TB   50MB / 1TB   50MB / 1TB   50MB / 1TB
FortiADC Product Matrix
All models (100E through 4000D) support: L4/7 SLB, Advanced L7 Traffic Mgmt., LLB, GSLB (included), Gzip Compression, Caching, IP Reputation, Firewall/DoS.
Model   L4 T-put (Gbps)   Quality of Service   Scripting/Automation   VDOM   Ethernet Connectivity   Power Supply
100E    1.0               n/a                  Auto                   n/a    4 GigE                  Single
200E    2.7               n/a                  Auto                   n/a    4 GigE                  Single
200D    2.7               Yes                  n/a                    n/a    4 GigE                  Single
300E    4.8               n/a                  Auto                   n/a    6 GigE                  Single
400E    8.0               n/a                  Auto                   n/a    8 GigE                  Single
600E    12.0              n/a                  Auto                   n/a    8 GigE, 2 10GE          Single
700D    15.0              Yes                  n/a                    Yes    8 GbE, 4 10GE           Single
1000E   15.0              n/a                  Auto                   n/a    8 GigE, 2 10GE          Dual
1500D   20.0              Yes                  n/a                    Yes    8 GbE, 4 10GE           Dual
2000D   30.0              Yes                  n/a                    Yes    16 GbE, 4 10GE          Dual
4000D   50.0              Yes                  n/a                    Yes    16 GbE, 8 10GE          Dual
FortiDirector: Cloud-based GSLB
(Diagram: FortiDirector in front of a Hosted Server, a FortiADC, a Single Server and a 3rd Party ADC)
• Cloud-based Global Server Load Balancer
• Pay-as-you-go Infrastructure as a Service (IaaS)
• Basic server load balancing to complex multi-site routing
• Sets up in minutes and supports any protocol with DNS routing
• Advanced health checking and customizable rules based routing
Related Products
• FortiWeb Web Application Firewall
– Advanced application-level protection for web services
– PCI compliance
• FortiDirector Cloud-based Global Server Load Balancing
– Load balancing service entirely in the cloud, with geographic balancing
• FortiWAN Link Load Balancer
– Advanced Link Load Balancing up to 50 links
– Proprietary Tunnel Routing
QUESTIONS?
[email protected] System Engineer Sidin