Securing the Multicloud
Bahul Harikumar and Ali Bidabadi, Juniper Networks
This statement of direction sets forth Juniper Networks current intention and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted in this presentation. This presentation contains proprietary roadmap information and should not be discussed or shared without a signed non-disclosure agreement (NDA).
"We are all living in the wonderful world of digital transformation. No matter the size of your company or the industry you're operating in, there's some company ready to completely disrupt what you're doing."
- Richard L. Villars, VP DC & Cloud Research, IDC
Rising to the Challenge
- Rapid IT deployment
- Continuous innovation
- Migrate workloads to cloud
- Faster route to market
- Reduced costs
Enterprise IT Transformation
(Diagram: Traditional DC, Private Cloud, Multicloud and Public Cloud, with the service models IaaS, PaaS, SaaS and XaaS)
Cloud Market
Cloud 2.0: Massive Adoption
- Cloud adoption is a strategic imperative
- 85% of enterprise IT organizations will commit to a multicloud architecture (IDC)
- Enterprises identified security risks as the biggest barrier in a recent IDC survey
Multicloud Security - Key Requirements
(Diagram: private cloud with bare-metal apps, virtualized apps, vSRX/cSRX and SRX4100/4200 and SRX4600/4800; SD & PE (Security Director & Policy Enforcer); Internet; Public Cloud 1 and Public Cloud 2, each with web and app servers behind a vSRX Transit VPC)
- Micro-segmentation
- High performance
- Automation
- Visibility & analytics
- Hypervisor support
- Global unified policy management
- Secure any-to-any connectivity
- Compliance & consistent security
- Service-specific clouds
- Multiple cloud integration
- Policy automation
Juniper Security Portfolio for Multicloud
Software Defined Secure Networks (SDSN):
- Unified policy (Security Director): create and centrally manage policy
- Network-wide enforcement: automatically enforce policy across customer premises and cloud
- Global threat detection (Sky ATP): unify threat intelligence from multiple sources
High-performance NGFW, physical and virtual SDSN enforcement points:
- Reduces both opex and capex with better price/performance
- Higher scale, with IMIX firewall throughput from 1 Gbps to 320 Gbps
- Multiple services: application security, IPS, content security, ATP
- Branch NGFW: SRX300, SRX320, SRX340, SRX345
- Mid-range NGFW: SRX1500, SRX4100, SRX4200, SRX4600
- High-end NGFW: SRX5400, SRX5600, SRX5800
- Virtual and container NGFW: vSRX (4 Gb/s with 2 vCPU, 25 Gb/s with 16 vCPU), cSRX
Juniper Private Cloud Security Solution
(Diagram: headquarters with SRX1K/SRX4K/SRX5K at the WAN/IP-MPLS edge; remote offices; a VMware virtual environment/private cloud with SD & PE, where Departments 1-4 each run DB, App, Web and Other tiers isolated behind a vSRX)
Key requirements and the Juniper portfolio for private cloud:
- Micro-segmentation: vSRX, NSX integration, Contrail
- High performance: vSRX multicore, SRX1500, SRX4100, SRX4200, SRX5xxx, SRX4600
- Automation: SD/PE integration, REST/NETCONF, Chef/Puppet/Ansible, AppFormix
- Visibility & analytics: Security Director, J-Web, Juniper Secure Analytics (JSA)
- Hypervisor support: cSRX/Docker, VMware/NSX, KVM/Contrail
Juniper Public Cloud Security Solution
(Diagram: SD & PE; AWS Marketplace and Azure Marketplace; Public Cloud 1 and Public Cloud 2, each with web and app servers, reached over the Internet through a vSRX Transit VPC)
Key requirements and the Juniper portfolio for public cloud:
- Platform integration: vSRX on AWS (BYOL & PAYG), vSRX on Azure (BYOL)
- Automation: PE integration on public cloud, cloud-init, Transit VPC, auto-scale/ELB
- Visibility & analytics: Security Director, AppFormix
vSRX - Juniper Virtual NGFW for Multicloud
- Licensing based on features and throughput; 60-day evaluation license
- High-performance NGFW: scales up to 100 Gbps, lowest TCO
Rich firewall services:
- Unified Threat Management: anti-virus, web/content filtering, anti-spam
- Advanced Threat Prevention (ATP): Sky ATP, GeoIP & custom feeds, malware detection
- Application security: intrusion prevention, user firewall
Foundational services: firewall, VPN, NAT, routing
Centralized management: reporting, analytics, automation
vSRX - Ideal Form Factor for the Multicloud Ecosystem
- Platforms: VMware ESXi 5.x and 6.0, KVM (CentOS & Ubuntu), Microsoft Hyper-V
- Orchestration: VMware vCenter, OpenStack plugin, Contrail Service Orchestrator (CSO)
- IaaS: Amazon AWS, Microsoft Azure, Google Cloud*
- Policy & SDN: Contrail service chaining, VMware NSX, SD, CLI, J-Web, NETCONF/REST API
*Roadmap
Juniper Multicloud Security Solution
(Diagram: private cloud with bare-metal and virtualized apps behind SRX1K/4K/5K and vSRX/cSRX, SD & PE, IPsec VPN over the Internet to public clouds, each with a vSRX Transit VPC fronting web and app servers)
Key requirements and the Juniper portfolio for multicloud:
- Secure connectivity: vSRX in public cloud (Transit VPC and full-mesh VPN deployments), physical/virtual DC edge SRX, vSRX auto-scale*
- Compliance & consistent security: portable security policies across private and public cloud
- Unified management: Security Director as the single pane of security management
Unified Management & User-Intent Policy
Enhanced visibility & control (Security Director):
- Application visibility & control, firewall policy, threat maps, events & logs, dashboard
- Automates operations and rule placement, reduces user errors, improves response time
- Reduces scope of work by 20x
Adaptive & agile security policy:
- Metadata-based policy: create user-intent policy from metadata and stay agile in the cloud (avoids manual workflow)
- AWS Lambda-based sync of metadata and VPC inventory with Security Director
(Diagram: Finance workloads on Amazon EC2 behind a vSRX; Security Director predefines the policy and applies it globally; AWS Lambda determines the condition; SRX enforces)
Dynamic policy actions:
- The agility of the cloud is preserved by deploying dynamic policy changes in response to a condition (such as an attack)
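The metadata-based policy sync described above, as an added Python example; this is not Juniper's or Security Director's code. It models what a Lambda function feeding the firewall would do: walk the EC2 inventory of a VPC, group live instances by a tag, emit one address-feed text file per group, and compute what changed since the last run. It also shows a dynamic policy action, moving a host into a quarantine group. Assumptions not on the slide: the tag key is "Role", only running or pending instances count, the feed format is one prefix per line, and the inventory is a constructed dict shaped like boto3's describe_instances response.

```python
"""Metadata-to-policy sync (illustrative example, not Juniper code)."""
import ipaddress
from collections import defaultdict

POLICY_TAG = "Role"                       # assumed tag key carrying the intent label
ACTIVE_STATES = {"running", "pending"}    # assumed: stopped/terminated hosts drop out

# Constructed sample inventory, shaped like ec2.describe_instances()["Reservations"]
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa", "State": {"Name": "running"}, "PrivateIpAddress": "10.0.1.10",
         "Tags": [{"Key": "Role", "Value": "Finance"}, {"Key": "Name", "Value": "fin-web-1"}]},
        {"InstanceId": "i-0bbb", "State": {"Name": "running"}, "PrivateIpAddress": "10.0.1.11",
         "Tags": [{"Key": "Role", "Value": "Finance"}]},
        {"InstanceId": "i-0ccc", "State": {"Name": "terminated"}, "PrivateIpAddress": "10.0.1.12",
         "Tags": [{"Key": "Role", "Value": "Finance"}]},     # gone: must leave the group
        {"InstanceId": "i-0ddd", "State": {"Name": "running"}, "PrivateIpAddress": "10.0.2.20",
         "Tags": [{"Key": "Role", "Value": "DB"}]},
        {"InstanceId": "i-0eee", "State": {"Name": "running"}, "PrivateIpAddress": "10.0.3.30",
         "Tags": [{"Key": "Name", "Value": "untagged-box"}]},  # no Role tag: no group
        {"InstanceId": "i-0fff", "State": {"Name": "running"}, "PrivateIpAddress": "not-an-ip",
         "Tags": [{"Key": "Role", "Value": "DB"}]},          # malformed: skipped
    ]},
]


def tag_value(instance, key):
    """Return the value of tag `key`, or None when the instance lacks it."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == key:
            return tag.get("Value")
    return None


def build_address_groups(reservations, tag_key=POLICY_TAG):
    """Map role -> sorted /32 list for active, tagged instances with a valid private IP."""
    groups = defaultdict(set)
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") not in ACTIVE_STATES:
                continue
            role = tag_value(inst, tag_key)
            if role is None:
                continue                      # untagged hosts never fall into a group by accident
            try:
                ip = ipaddress.ip_address(inst.get("PrivateIpAddress", ""))
            except ValueError:
                continue                      # bad inventory must not poison the feed
            groups[role].add(f"{ip}/32")
    return {role: sorted(members) for role, members in groups.items()}


def render_feed(groups):
    """One plain-text feed per role, one prefix per line, deterministic order."""
    return {f"{role}.txt": "\n".join(members) + "\n" for role, members in sorted(groups.items())}


def diff_groups(old, new):
    """Members added/removed per role since the previous run (what needs pushing)."""
    changes = {}
    for role in sorted(set(old) | set(new)):
        added = sorted(set(new.get(role, [])) - set(old.get(role, [])))
        removed = sorted(set(old.get(role, [])) - set(new.get(role, [])))
        if added or removed:
            changes[role] = {"added": added, "removed": removed}
    return changes


def quarantine(groups, infected_ips):
    """Dynamic policy action: pull compromised hosts out of their role group and into a
    "Quarantine" group that a pre-staged deny rule already references."""
    infected = {f"{ipaddress.ip_address(ip)}/32" for ip in infected_ips}
    out = {role: [m for m in members if m not in infected] for role, members in groups.items()}
    out = {role: members for role, members in out.items() if members}
    out["Quarantine"] = sorted(set(out.get("Quarantine", [])) | infected)
    return out


if __name__ == "__main__":
    current = build_address_groups(SAMPLE_RESERVATIONS)
    for name, body in render_feed(current).items():
        print(f"--- {name}\n{body}", end="")
    print(diff_groups({"Finance": ["10.0.1.12/32"]}, current))
    print(quarantine(current, ["10.0.1.11"]))
```

In production the `SAMPLE_RESERVATIONS` input would come from `boto3` and the feeds would be published where the SRX dynamic-address feed server or Security Director picks them up; the pure functions above are what a test suite can pin down, including the three failure modes (terminated host, untagged host, malformed address) that a naive sync would carry into policy.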
Automate the Entire Security Life Cycle
- Ensures consistent deployment in a multicloud environment
- Reduces workload: build-out from days to minutes
- Auto-remediation improves network availability and reduces mean time to repair
Build: initial configuration, software upgrade, Junos Space discovery, zero-touch provisioning
Configure: pre/post-change checks, configuration generation, deployment, archive configurations
Operate: event scripts to check health, troubleshoot issues, auto-remediation
Multicloud Security - Juniper Offerings Summary
(Diagram: private cloud with bare-metal and virtualized apps, vSRX/cSRX, SRX4100/4200 and SRX4600/4800, SD & PE; Internet; Public Cloud 1 and 2 with web and app servers behind a vSRX Transit VPC)
- Private cloud: vSRX cloud-native, VMware NSX integration, Contrail Security, SRX IPsec encryption, high-performance physical firewalls
- Global policy management: Security Director (SD)
- Public cloud: vSRX Transit VPC, vSRX on AWS, vSRX on Azure, adaptive security policy (metadata-based policy)
Key Takeaways
- A comprehensive solution for multicloud deployment helps customers rise to the challenge of cloud adoption
- The high performance and scale of Juniper security lowers customers' TCO
- Flexible licensing and business models match varied customer requirements
- Unified management and network-as-enforcement through SDSN
Use Cases
Micro-segmentation (retail hosting virtual workloads in a private DC):
- Differentiated security across various application groups
- Security as agile as the workloads
- High-performance security that is not a bottleneck for application traffic
- Juniper solution: NSX integration, Contrail micro-segmentation
Compliance & consistent security (health insurer running applications and partner services on AWS):
- Consistent security between the DC and public cloud
- Secure connectivity between VPCs across multiple regions
- Redundancy in connectivity
- Juniper solution: encryption and security everywhere, unified management by SD, multiple Availability Zones for redundancy
Secure connectivity (financial enterprise with a mix of on-prem and AWS assets):
- Secure connectivity between VPCs across multiple regions
- Secure connectivity from the DC to AWS VPCs
- IPS and stateful packet inspection between VPCs
- Juniper solution: Transit VPC
Demo
Multi-region Deployments
(Diagram: US West and US East regions, each with a VPN gateway and Amazon EC2 instances, plus a POP)
Transit VPC
(Diagram: spoke VPC 1, VPC 2 ... VPC N; Transit VPC with a vSRX in AZ 1 and a vSRX in AZ 2; VPN over Direct Connect with an Internet backup VPN)
- Cross-region, cross-account VPCs connect to the Transit VPC via IPsec tunnels
- BGP-based dynamic routing combined with multi-AZ deployment creates a robust network infrastructure
- The Transit VPC establishes VPN connections to VGWs attached to spoke VPCs automatically, with zero touch
Secure Connectivity
(Diagram: US West, US Central and US East, each with a VPN gateway and Amazon EC2 instances; Transit VPC with vSRX in AZ1 and AZ2; AWS Direct Connect)
Juniper Transit VPC Architecture
- Deploys two vSRXs (highly available design)
- The VGW Poller function runs every minute looking for appropriately tagged VGWs
- A PUT event in AWS S3 triggers the Juniper Configurator function, which generates and pushes the required configuration to the vSRXs
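The poller and configurator logic from the architecture slide, as an added Python example; this is not Juniper's Transit VPC code. It keeps the two functions pure so they can be tested: the poller filters VGWs by opt-in tag and attachment state and diffs against what is already configured, so a run every minute stays idempotent; the configurator renders Junos set commands for one tunnel on one vSRX. Assumptions not on the slide: the opt-in tag is transitvpc:spoke=true, one st0 unit is allocated per VGW, the VGW list is a constructed stand-in for boto3's describe_vpn_gateways output, and the tunnel record is a constructed stand-in for the VPN connection configuration the poller would write to S3. In production the rendered commands would be pushed with Junos PyEZ.

```python
"""Transit VPC poller/configurator logic (illustrative example, not Juniper code)."""

SPOKE_TAG = ("transitvpc:spoke", "true")   # assumed opt-in tag key and value

# Constructed, shaped like ec2.describe_vpn_gateways()["VpnGateways"]
SAMPLE_VGWS = [
    {"VpnGatewayId": "vgw-0a1", "State": "available",
     "VpcAttachments": [{"VpcId": "vpc-111", "State": "attached"}],
     "Tags": [{"Key": "transitvpc:spoke", "Value": "true"}]},
    {"VpnGatewayId": "vgw-0b2", "State": "available",          # opted out explicitly
     "VpcAttachments": [{"VpcId": "vpc-222", "State": "attached"}],
     "Tags": [{"Key": "transitvpc:spoke", "Value": "false"}]},
    {"VpnGatewayId": "vgw-0c3", "State": "available",          # tagged but not attached to a VPC
     "VpcAttachments": [{"VpcId": "vpc-333", "State": "detached"}],
     "Tags": [{"Key": "transitvpc:spoke", "Value": "true"}]},
    {"VpnGatewayId": "vgw-0d4", "State": "available",
     "VpcAttachments": [{"VpcId": "vpc-444", "State": "attached"}],
     "Tags": [{"Key": "transitvpc:spoke", "Value": "true"}]},
]

# Constructed tunnel record for one VGW, as the VPN-connection configuration provides it.
# The PSK placeholder stands for the per-tunnel secret that lives in the protected S3 object.
SAMPLE_TUNNEL = {"vgw": "vgw-0a1", "unit": 1, "aws_outside_ip": "203.0.113.10",
                 "aws_inside_ip": "169.254.10.1", "vsrx_inside_ip": "169.254.10.2",
                 "aws_asn": 64512, "psk": "REDACTED"}


def wants_transit(vgw, tag=SPOKE_TAG):
    """Opt-in check: available, attached to a VPC, and tagged with the agreed key AND value.
    Matching the value too keeps a VGW tagged 'false' from being pulled into the hub."""
    key, value = tag
    tagged = any(t.get("Key") == key and t.get("Value") == value for t in vgw.get("Tags", []))
    attached = any(a.get("State") == "attached" for a in vgw.get("VpcAttachments", []))
    return tagged and attached and vgw.get("State") == "available"


def poll(vgws, configured):
    """One poller run: (VGW ids needing a new tunnel, configured ids no longer opted in).
    Diffing against `configured` makes the once-a-minute run idempotent."""
    wanted = {v["VpnGatewayId"] for v in vgws if wants_transit(v)}
    return sorted(wanted - configured), sorted(configured - wanted)


def render_junos(t, external_if="ge-0/0/0.0", zone="vpn", bgp_group="transit"):
    """Configurator: Junos set commands for one tunnel on one vSRX.
    Names are derived from the VGW id and st0 unit so re-rendering is deterministic;
    the IKE policy (and its PSK) is per tunnel because AWS issues a PSK per tunnel."""
    n = f"{t['vgw']}-{t['unit']}"
    return [
        f"set security ike policy {n} mode main",
        f"set security ike policy {n} proposal-set standard",
        f"set security ike policy {n} pre-shared-key ascii-text \"{t['psk']}\"",
        f"set security ike gateway {n} ike-policy {n} address {t['aws_outside_ip']} "
        f"external-interface {external_if}",
        f"set security ipsec policy {n} proposal-set standard",
        f"set security ipsec vpn {n} bind-interface st0.{t['unit']}",
        f"set security ipsec vpn {n} ike gateway {n}",
        f"set security ipsec vpn {n} ike ipsec-policy {n}",
        f"set security ipsec vpn {n} establish-tunnels immediately",
        f"set interfaces st0 unit {t['unit']} family inet address {t['vsrx_inside_ip']}/30",
        f"set security zones security-zone {zone} interfaces st0.{t['unit']}",
        f"set protocols bgp group {bgp_group} type external",
        f"set protocols bgp group {bgp_group} neighbor {t['aws_inside_ip']} peer-as {t['aws_asn']}",
    ]


if __name__ == "__main__":
    to_add, to_remove = poll(SAMPLE_VGWS, configured={"vgw-0a1"})
    print("add:", to_add, "remove:", to_remove)
    print("\n".join(render_junos(SAMPLE_TUNNEL)))
```

The rendered configuration contains the tunnel pre-shared key, so the real Configurator must treat its output like the S3 object it reads from: push it over the management channel and keep it out of function logs.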
Demo Topology
(Diagram: US West (Oregon) and US East (N. Virginia), each with a Linux AMI behind vSRX1 and vSRX2 respectively, joined by IPsec tunnels)
Resources
NXTWORK 2017 security sessions:
- Zero Trust Security with Software-Defined Secure Networks (Technical Deep Dive)
- Security NOW: Stop Threats Faster (Business Solutions)
- Extending Enterprise Security to Multicloud and Public Cloud (Technology Focus)
BYOL Juniper Transit VPC is now in the Marketplace: https://aws.amazon.com/marketplace/pp/b077nr8g4q?qid=1512381707615&sr=0-6&ref_=srh_res_product_title
Juniper Transit VPC implementation guide: https://www.juniper.net/assets/jp/jp/local/pdf/implementation-guides/8010096-en.pdf