Software Defined Networking (SDN) Software Defined …sommerforum.arrowecs.de/.../2015/Software_Defined_Networking_Fo… · Software Defined Networking (SDN) Software Defined Security

© Copyright Fortinet Inc. All rights reserved.

Software Defined Networking (SDN) Software Defined Security Kurt Knochner Fortinet Senior Systems Engineer [email protected]

2

How to describe the (IT) world of 2015

It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness..

Charles Dickens A Tale of Two Cities

3

Challenges in the Datacenter 2015

Increasing Complexity Increasing Network Speed Increasing Security Challenges Increasing levels of Virtualization

4

Increasing Complexity

Sorry, we can’t help you with this … All we can say: It’s going to get worse ;-) HOWEVER: We are committed to NOT add complexity to your environment, by keeping the management of our products as simple and effective as possible!

5

Increasing Network Speed / Security Challenges

Fortinet is best know for it’s HIGH SPEED and SECURE appliances, so don’t be afraid, we will be there to support you !!

Source : IEEE 802.3 Industry Connections Ethernet Bandwidth Assessment July 2012

1,000,000,000

100,000

10,000

1,000

100 1995 2000 2005 2010 2015 2020

100 Gigabit

10 Gigabit

Gigabit

Rat

e M

b/s

Server I/O Doubling ~24 mos

Core Networking Doubling ~18 mos

1 Terabit

6

Increasing levels of Virtualization

That’s what I’m going to talk today.

7

To sum it up ….

Virtual Appliances & VDOM’s Provide Scale-Out Elasticity

Scale-Out

Performance Boundary

Benefits

Scal

e-U

p

Elastic Firewall Capacity

East-West Traffic Visibility

Deployable in Public Clouds

vSphere

XenServer

Hyper-V

Software Defined Datacenter and SDN

10

Software Defined Data Center

Decoupling/Abstraction

Orchestration

VM

OS

Netw

ork

Com

pute

Storage

Security

Network Compute Storage Security Physical

SD

VM VM

OS OS OS

App App App

11

SDDC - The Big Picture

Orchestration

Network

Storage

Compute

Physical Virtual

Applications Services

Security

Software Defined Networks

Software Defined Compute

Software Defined Storage

12

SDDC - The Big Picture

Orchestration

Network

Storage

Compute

Physical Virtual

Applications Services

Security

Software Defined Networks

Software Defined Security

Software Defined Compute

Software Defined Storage

13

Virtual Data Center Challenges

High Availability

Live Migration

Securing flows within the same vSwitch

No auto-import of object

Manual or scripted automation and orchestration

Challenges

14

Fortinet Software Defined Security Framework

Virtual x86 Containers

Hardware-Based Platforms

Virtual Appliances/

Services

Platform Orchestration & Automation

Single Pane-of-Glass Management

Data Plane Control Plane Mgmt. Plane

Platform Extensibility

15

Fortinet Software Defined Security Framework

Complete security ecosystem » FW/NGFW (FortiGate) » Web Application Firewall (FortiWeb) » Secure Mail GW (FortiMail) » Application Delivery (FortiADC) » Sandboxing (FortiSandbox) » vSphere, HyperV, KVM, Citrix Xen » AWS, Microsoft Azure

Virtual x86 Containers

Hardware-Based Platforms

Virtual Appliances/

Services

Platform Orchestration & Automation

Single Pane-of-Glass Management

Data Plane Control Plane Mgmt. Plane

Platform Extensibility

16

Fortinet Software Defined Security Framework

Complete security ecosystem » FW/NGFW (FortiGate) » Web Application Firewall (FortiWeb) » Secure Mail GW (FortiMail) » Application Delivery (FortiADC) » Sandboxing (FortiSandbox) » vSphere, HyperV, KVM, Citrix Xen » AWS, Microsoft Azure

Security optimized orchestration » SDN application » FortiSphere Security SDN controller » FortiCore SDN Security Director

Virtual x86 Containers

Hardware-Based Platforms

Virtual Appliances/

Services

Platform Orchestration & Automation

Single Pane-of-Glass Management

Data Plane Control Plane Mgmt. Plane

Platform Extensibility

17

Fortinet Software Defined Security Framework

Complete security ecosystem » FW/NGFW (FortiGate) » Web Application Firewall (FortiWeb) » Secure Mail GW (FortiMail) » Application Delivery (FortiADC) » Sandboxing (FortiSandbox) » vSphere, HyperV, KVM, Citrix Xen » AWS, Microsoft Azure

Security optimized orchestration » SDN application » FortiSphere Security SDN controller » FortiCore SDN Security Director

Single Pane-of-Glass management » Management (FortiManager) » Reporting & visibility (FortiAnalyzer)

Virtual x86 Containers

Hardware-Based Platforms

Virtual Appliances/

Services

Platform Orchestration & Automation

Single Pane-of-Glass Management

Data Plane Control Plane Mgmt. Plane

Platform Extensibility

18

Fortinet Software Defined Security Framework

Complete security ecosystem » FW/NGFW (FortiGate) » Web Application Firewall (FortiWeb) » Secure Mail GW (FortiMail) » Application Delivery (FortiADC) » Sandboxing (FortiSandbox) » vSphere, HyperV, KVM, Citrix Xen » AWS, Microsoft Azure

Security optimized orchestration » SDN application » FortiSphere Security SDN controller » FortiCore SDN Security Director

Single Pane-of-Glass management » Management (FortiManager) » Reporting & visibility (FortiAnalyzer)

Virtual x86 Containers

Hardware-Based Platforms

Virtual Appliances/

Services

Platform Orchestration & Automation

Single Pane-of-Glass Management

Data Plane Control Plane Mgmt. Plane

Platform Extensibility

Integration with external ecosystem » Open Source » Commercial » Open - OpenFlow, JASON, RESTful API, XML

19

Complete security ecosystem

Security optimized orchestration

Single Pane-of-Glass management

FW NFV service chaining » ETSI Multi-Vendor PoC on D-NFV (CPE) » D-NFV Alliance – RAD V-CPE

Fortinet Software Defined Security Framework – CSP Extensions

Virtual x86 Containers

Hardware-Based Platforms

Virtual Appliances/

Services

Platform Orchestration & Automation

Single Pane-of-Glass Management

Data Plane Control Plane Mgmt. Plane

Platform Extensibility

Integration with external ecosystem

NFV On-Demand Self - Service

Sec-aaS Multi -Tenancy

20

Complete security ecosystem

Security optimized orchestration

Single Pane-of-Glass management

FW NFV service chaining » ETSI Multi-Vendor PoC on D-NFV (CPE) » D-NFV Alliance – RAD V-CPE

Utility based consumption » Licensing

» Provisioning

» Metering

» Billing

Fortinet Software Defined Security Framework – CSP Extensions

Virtual x86 Containers

Hardware-Based Platforms

Virtual Appliances/

Services

Platform Orchestration & Automation

Single Pane-of-Glass Management

Data Plane Control Plane Mgmt. Plane

Platform Extensibility

Integration with external ecosystem

NFV On-Demand Self - Service

Sec-aaS Multi -Tenancy

21

Complete security ecosystem

Security optimized orchestration

Single Pane-of-Glass management

FW NFV service chaining » ETSI Multi-Vendor PoC on D-NFV (CPE) » D-NFV Alliance – RAD V-CPE

Utility based consumption » Licensing

» Provisioning

» Metering

» Billing

FortiPrivateCloud

» Security-aaS portal

Fortinet Software Defined Security Framework – CSP Extensions

Virtual x86 Containers

Hardware-Based Platforms

Virtual Appliances/

Services

Platform Orchestration & Automation

Single Pane-of-Glass Management

Data Plane Control Plane Mgmt. Plane

Platform Extensibility

Integration with external ecosystem

NFV On-Demand Self - Service

Sec-aaS Multi -Tenancy

22

Fortinet Programmable Networking Partnership Ecosystem

ORCHESTRATION PLATFORMS

PROGRAMMABLE SWITCHING

ACI vCNS certified NSX Partner program NSX Manager Full NSX

CENTRALIZED POLICY & ANALYTICS

Platform

Extensibility

23

Cisco ACI #1 SDN platform sought by enterprise customers Joint PR - Integration of FortiGate into Cisco ACI deployment Joint demo at Interop (April 2015) – ACI service insertion Product launch Q3 2015

Cisco ACI Integration

24

OpenStack Integration

Open Source OpenStack »ML2 plugin »FWaaS plugin »VTEP support

Commercial OpenStack »HP Helion Fortinet announced HP AllianceOne partnership FortiGate certified HP Helion Ready Integration with HP VAN Controller and SDN switches FortiSDN Demo application for HPs enterprise SDN ecosystem

»PlumGrid ONS integration

FortiGate-VMX NSX Integration

27

Fortinet SDDC Positioning

NSX integration is part of a Three Steps Program Currently Fortinet solution uses NSX Manager with limited NetX APIs functionality

vSphere v5.5u2 vCNS integration certified

vSphere v5.5 u2 vCNS integration NSX Compatible

NSX new SDK integration

Released Q4 2014 Support for vSphere v5.5 Update 2 Certified with vCNS Manager and NetX API

Released January 2015 Support for vSphere v5.5 Update 2 Certified compatible with NSX Manager and NetX API

Support for new NSX Manager Will only work with NSX deployments Advanced NSX NetX functionality for tighter control of traffic

Q4 2014 January 2014 2015 Q1 2015

vCNS (Q4 2014) NSX Compatible (Q1 2015) NSX (2015)

28

4. F

ortiG

ate-

VMX

con

nect

s w

ith F

ortiG

ate-

VMX

Ser

vice

M

anag

er

FortiGate and NSX Integration/Interactions

1. Initiate communication with vCenter Server

2. Register Fortinet as security service with NSX Manager

dvSwitch

3. A

uto-

depl

oy F

ortiG

ate-

VMX

to a

ll ho

sts

in s

ecur

ity c

lust

er

5. License verification and configuration synchronization with FortiGate-VMX

6. K

erne

l age

nt c

reat

ion

and

defa

ult r

e-di

rect

ion

rule

s fo

r eac

h ho

st in

clu

ster

7. Real-time updates of object database

8. P

ush

polic

y sy

nchr

oniz

atio

n to

al

l For

tiGat

e-VM

X d

eplo

yed

in

clus

ter

FGT-VMX FGT-VMX

FortiGate-VMX Service Manager

29

VMware Kernel dvSwitch

FGT-VMX and VMWARE Kernel Agent Interaction

Kernel Agent Kernel

Agent Kernel Agent Kernel

Agent

Kernel Agent Kernel

Agent Kernel Agent Kernel

Agent

1 Define NGFW Firewall Policies

2 FGT-VMX

fsw tsw

Packet Flow 1. From VM to Kernel Agent 2. Kernel Agent always Forward to

Third party Solution (FGT-VMX) 3. FGT-VMX applies Security and

sends packet back to Kernel Agent 4. Kernel Agent can do service

chaining or send packet to destination

FortiGate-VMX Service Manager

30

FortiGate-VMX SVM Widget Information

31

FortiGate-VMX License Model

One license for the FortiGate-VMX Service Manager Stackable license for the FGT-VMX Agents based on the number of Agents deployed

2 FGT-VMX Licenses

Hypervisor with 2 Sockets Hypervisor with 4 Sockets Hypervisor with 2 Sockets 3 FGT-VMX Licenses

32

FortiGate-SVM Initial Configuration

33

FGT-VMX Service Manager Policy Creation

34

FGT-SVM Policy Creation

All FOS NGFW functionalities are available on FGT-VMX

Inbound and Outbound Policies

35

NSX Integration - What’s Next?

1. Service Composer a. Define Security Tag Based on Workflow requirements b. Security Tag imported on FortiGate-VMX to define Firewall Policy c. Set and Unset Tags to Workflow VM based on Security Requirements

New Feature with Full NSX Integration

Firewall Policy =

Why Fortinet?

37

Why Fortinet?

Committed to Security Committed to High Performance Committed to Virtualization

38

Fast growing business

39

No comment …

40

“ We take care of security so you can take care of business.

“ Ken Xie

CEO & Chairman of the Board

41

Ein letztes Zitat…

“Wir stecken keine Mark in die Werbung, sondern jede Mark in die Schoklade”

Aplia Schokolade Springer & Jacoby

Kurt Knochner [email protected]