Enterprise grade firewall and ssl termination to ac by will stevens
CloudOps has added support for enterprise-grade security products in ACS (Apache CloudStack). CloudOps has developed an integration with the Palo Alto Networks firewall appliance that lets ACS orchestrate network features such as network creation, Source NAT, Static NAT, Port Forwarding and Firewall rules on the Palo Alto device. Additionally, CloudOps has extended ACS to support SSL certificate management as well as SSL termination by external load balancers. The existing ACS NetScaler plugin has been improved to support this new SSL termination functionality. The talk covers the features added as well as a basic overview of how they are used.

Will Stevens is the Lead Developer at CloudOps. He has been directly involved in extending ACS to support more enterprise grade security functionality. Will has over 10 years experience as a software developer and is primarily focused on cloud integrations at CloudOps.


1. Enterprise Grade Security and SSL termination in ACS 4.3
December 3rd, 2013
@cloudops_ www.cloudops.com

2. Introductions
• Will Stevens – Lead Developer @ CloudOps
• CloudOps builds and operates clouds of all shapes and sizes
• Develops cloud infrastructure solutions and operational models
• 24x7x365 managed service for CloudStack-based cloud infrastructures
• Customers are global
• Based in Montreal, Canada

3. To be covered…
• Palo Alto Networks firewall appliance integration
– Feature overview
– Challenges and decisions
• SSL Termination added to ACS and implemented for NetScaler
– Certificate management
– SSL Termination overview

4. Motivations for Palo Alto integration
CloudStack virtual router: for Advanced Networking it often handles NAT, LB, FW and VPN in addition to DHCP and DNS. A great approach for horizontally scaled commodity networking services, BUT it can be a bottleneck and a bit of a black box security-wise.

5. More reasons why
• Customer driven – Palo Alto is an increasingly popular enterprise security product
• Many enterprises require greater visibility and advanced policies (e.g. content filtering, heuristics, intrusion detection)
• Use cases: enterprise private clouds, PCI compliance, service providers to enterprise

6. Resulting network services
• CloudStack Virtual Router
– DHCP
– DNS
• Palo Alto Service Provider
– Source NAT
– Firewall Rules (Ingress & Egress)
– Static NAT
– Port Forwarding

7. Overview of the implementation (diagram in the original deck)

8. Pre-configure the Palo Alto device
• Set up a Virtual Router on the Palo Alto to handle the routing of the Public traffic
• Set up a Static Route for the next hop

9. Pre-configure the Palo Alto device
• Set up the Public and Private interfaces on the PA
• Pre-configure the Public interface according to the Public IP range in CS

10. Add the PA as a service provider
• Add the PA device as a guest network service provider
• Enable the provider

11. Create a Network Offering
• Expose the PA through a network offering
• PA provides: Source NAT, Static NAT, Port Forwarding and Firewall services
• Enable the new offering

12. Use the Palo Alto
• Add a network using the new network offering
• Launch a VM on the new network

13. What actually happened
• A Source NAT IP is allocated on ‘ae1’
• A guest network has been set up on ‘ae2’
• A Source NAT rule now connects the guest network to the public IP
• A policy isolates the guest network

14. Egress firewall rules (screenshot in the original deck)

15. Ingress firewall rules (screenshot in the original deck)

16. Static NAT rules (screenshot in the original deck)

17. Port Forwarding rules (screenshot in the original deck)

18. Support for Palo Alto profiles
• Added support for Palo Alto Networks ‘Security Profile Groups’ and ‘Log Forwarding Profiles’
• Globally configured at the device level (for now) and associated with every ‘allow’ firewall rule
• Enables basic support for IDS/IPS/network AV threat prevention, WildFire (anti-malware), data protection and URL filtering

19. PA VM Appliance Support
• Special considerations to support the Palo Alto virtual appliance
• Simplify the implementation to the lowest common denominator
• Using sub-interfaces instead of ‘vsys’ for configuration isolation
• Ensuring support for the Palo Alto VM appliance enables support for Palo Alto running on the NetScaler SDX (currently in beta)
20. Known limitations
• Requires some initial configuration, it is not entirely plug and play (yet)
• Currently only supports a single Public IP range
• Public IP usage tracking is currently not handled
• Fine-grained control of ICMP is currently not handled
• Not validating SSL certificates when ACS communicates with the Palo Alto device, so the management connection from the ACS management server to the PA is not protected against an on-path attacker; keep that traffic on an isolated management network until validation is added

21. Changing gears…
Next up: SSL Termination in ACS…

22. SSL Termination in ACS
• Developed by Syed Ahmed @ CloudOps
• To be released in ACS 4.3
• Added certificate management
– Supports certificate verification
– Supports certificate trust chains
– Supports self-signed certificates
– Supports encrypted private keys
• Added a generic SSL Termination implementation to ACS for external load balancers
• Added SSL Termination support for the NetScaler by extending the existing NetScaler plugin
23. SSL Termination workflow
Add SSL Termination
1) To create an SSL vserver on the NetScaler, use createLoadBalancerRule with the lb_protocol parameter set to SSL.
2) Upload the certificate to ACS using UploadSslCert(cert, key, chain, password_for_key)
3) Assign the certificate to the load balancer rule: AssignCertToLoadBalancer(cert_id, lb_rule_id)
Remove SSL Termination
1) Remove the cert from the load balancer: removeFromLoadBalance(cert_id, lb_rule_id)
2) Remove the certificate: deleteSslCert(cert_id)

24. Associated APIs
• Certificate Management
– uploadSSLCert
– deleteSSLCert
– listSSLCerts
• Load Balancer changes/additions
– createLoadBalancerRule
  • use ‘lb_protocol=SSL’ to enable SSL termination
– assignToLoadBalancerRule
– removeFromLoadBalancerRule
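The three "Add SSL Termination" steps above, as an added example that is not code from the slides, from CloudOps or from the CloudStack project. It signs each request with the standard CloudStack API scheme (add apikey, sort the parameters, URL-encode, lowercase the query, HMAC-SHA1 with the secret key, base64) and drives the slide's command sequence through an injected transport, so it runs offline against a fake that records the calls. Assumptions: the command names (createLoadBalancerRule with lb_protocol=SSL, uploadSslCert, assignCertToLoadBalancer) and parameter names (certificate, privatekey, certchain, password, certid, lbruleid) are taken from the slides and the 4.3 API style, and the exact spelling in a released build should be checked against that build's API reference; the PEM strings are constructed placeholders, not real key material; verify_signature is a local check added to show that a tampered query or a wrong secret is rejected.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed placeholder PEM text; not a real certificate or key.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...example-leaf...\n-----END CERTIFICATE-----\n"
SAMPLE_CHAIN = "-----BEGIN CERTIFICATE-----\nMIIB...example-intermediate...\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIC...example...\n-----END ENCRYPTED PRIVATE KEY-----\n"


def sign_request(params, api_key, secret_key):
    """Build a signed CloudStack API query string.

    Scheme the CloudStack management server expects: add apikey, sort the
    parameters case-insensitively by name, URL-encode the values, lowercase
    the whole 'k=v&k=v' string, HMAC-SHA1 it with the secret key, base64 the
    digest and append it URL-encoded as 'signature'.
    """
    full = dict(params, apikey=api_key, response="json")
    ordered = sorted(full.items(), key=lambda kv: kv[0].lower())
    query = "&".join(f"{k}={urllib.parse.quote(str(v), safe='')}" for k, v in ordered)
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1).digest()
    signature = urllib.parse.quote(base64.b64encode(digest).decode(), safe="")
    return f"{query}&signature={signature}"


def verify_signature(signed_query, secret_key):
    """Recompute the signature the way the server does and compare it in
    constant time; any edited parameter or wrong secret makes this False."""
    query, sep, sig = signed_query.rpartition("&signature=")
    if not sep:
        return False
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1).digest()
    expected = base64.b64encode(digest).decode()
    return hmac.compare_digest(expected, urllib.parse.unquote(sig))


class FakeTransport:
    """Stand-in for an HTTPS GET to /client/api so the example runs offline.
    Records each command and returns a minimal response carrying an 'id',
    which is where the real server puts the id of the created object."""

    def __init__(self):
        self.commands = []

    def __call__(self, signed_query):
        params = dict(urllib.parse.parse_qsl(signed_query))
        self.commands.append(params["command"])
        return {"id": f"{params['command'].lower()}-{len(self.commands)}"}


class CloudStackClient:
    def __init__(self, api_key, secret_key, transport):
        self.api_key, self.secret_key, self.transport = api_key, secret_key, transport

    def call(self, command, **params):
        return self.transport(sign_request({"command": command, **params},
                                           self.api_key, self.secret_key))


def add_ssl_termination(client, public_ip_id, cert, key, chain=None, key_password=None):
    """Slide 23, 'Add SSL Termination', steps 1-3 in order.
    Command and parameter names are assumed (see lead-in)."""
    # 1) SSL vserver on the NetScaler: a load balancer rule with lb_protocol=SSL
    lb = client.call("createLoadBalancerRule", name="https-front", algorithm="roundrobin",
                     publicipid=public_ip_id, publicport=443, privateport=8080,
                     lb_protocol="SSL")
    # 2) upload cert, key, optional chain and the key's passphrase to ACS
    upload = {"certificate": cert, "privatekey": key}
    if chain:
        upload["certchain"] = chain
    if key_password:
        upload["password"] = key_password
    cert_resp = client.call("uploadSslCert", **upload)
    # 3) bind the stored certificate to the rule
    client.call("assignCertToLoadBalancer", certid=cert_resp["id"], lbruleid=lb["id"])
    return {"lbruleid": lb["id"], "certid": cert_resp["id"]}


def demo():
    """Run the workflow against the fake transport and report what was sent."""
    transport = FakeTransport()
    client = CloudStackClient("example-api-key", "example-secret-key", transport)
    ids = add_ssl_termination(client, "public-ip-1", SAMPLE_CERT, SAMPLE_KEY,
                              chain=SAMPLE_CHAIN, key_password="key-passphrase")
    return {"commands": transport.commands, **ids}


if __name__ == "__main__":
    print(demo())
```

Replacing FakeTransport with a function that performs the HTTPS GET against the management server (with certificate verification left on) is the only change needed to run it for real; the private key and its passphrase travel inside the signed query, so that call belongs on TLS and the key should be uploaded once and referenced by certid afterwards.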
25. Additional notes
• The implementation is not yet available in the UI, only via the API
• Each certificate can be bound to multiple load balancer rules
• Each load balancer rule can only be bound to one certificate
– The bound certificate can be part of a chain
• Does not support revocation lists (yet), so a revoked certificate stays in service until it is unbound from its load balancer rules and deleted
FS (functional spec): https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Termination+Support

26. Questions?
Will Stevens
www.cloudops.com
@cloudops_