O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

Enterprise grade firewall and ssl termination to ac by will stevens

951 visualizações

Publicada em

CloudOps has add support for enterprise grade security products in ACS. CloudOps has developed an integration with the Palo Alto Networks firewall appliance to enable ACS to orchestrate network features such as network creation, Source NAT, Static NAT, Port Forwarding and Firewall rules on the Palo Alto device. Additionally, CloudOps has extended ACS to support SSL certificate management as well as SSL termination by external load balancers. The existing ACS NetScaler plugin has been improved to support this new SSL termination functionality. The talk will cover the features added as well as a basic overview of how they are used.

Will Stevens is the Lead Developer at CloudOps. He has been directly involved in extending ACS to support more enterprise grade security functionality. Will has over 10 years experience as a software developer and is primarily focused on cloud integrations at CloudOps.

Publicada em: Tecnologia
  • Seja o primeiro a comentar

Enterprise grade firewall and ssl termination to ac by will stevens

  1. 1. Enterprise Grade Security and SSL termination in ACS 4.3 December 3rd, 2013 @cloudops_ www.cloudops.com
  2. 2. Introductions • Will Stevens – Lead Developer @ CloudOps • CloudOps builds and operates clouds of all shapes and sizes • Develops cloud infrastructure solutions and operational models • 24x7x365 managed service for CloudStack based cloud infrastructures • Customers are global • Based in Montreal, Canada @cloudops_ www.cloudops.com
  3. 3. To be covered… • Palo Alto Networks firewall appliance integration – Feature overview – Challenges and decisions • SSL Termination added to ACS and implemented for NetScaler – Certificate management – SSL Termination overview @cloudops_ www.cloudops.com
  4. 4. Motivations for Palo Alto integration CloudStack virtual router: For Advanced Networking it often handles NAT, LB, FW, VPN in addition to DHCP, DNS. Great approach for horizontally scaled commodity networking services BUT can be a bottleneck and a bit of a black box security wise @cloudops_ www.cloudops.com
  5. 5. More reasons why • Customer driven - Palo Alto is an increasingly popular enterprise security product • Many enterprises require greater visibility and advanced policies (i.e. content filtering, heuristics, intrusion detection) • Use cases: Enterprise private clouds, PCI compliance, service providers to enterprise @cloudops_ www.cloudops.com
  6. 6. Resulting network services • CloudStack Virtual Router – DHCP – DNS • Palo Alto Service Provider – Source NAT – Firewall Rules (Ingress & Egress) – Static NAT – Port Forwarding @cloudops_ www.cloudops.com
  7. 7. Overview of the implementation @cloudops_ www.cloudops.com
  8. 8. Pre-configure the Palo Alto device • Setup a Virtual Router on the Palo Alto to handle the routing of the Public traffic • Setup a Static Route for the next hop @cloudops_ www.cloudops.com
  9. 9. Pre-configure the Palo Alto device • Setup the Public and Private interfaces on the PA • Pre-configure the Public interface according to the Public IP range in CS @cloudops_ www.cloudops.com
  10. 10. Add the PA as a service provider • Add the PA device as a guest network service provider • Enable the provider @cloudops_ www.cloudops.com
  11. 11. Create a Network Offering • Expose the PA through a network offering • PA provides: Source NAT, Static NAT, Port Forwarding and Firewall services • Enable the new offering @cloudops_ www.cloudops.com
  12. 12. Use the Palo Alto • Add a network using the service offering • Launch a VM on the new network @cloudops_ www.cloudops.com
  13. 13. What actually happened • A Source NAT IP is allocated on ‘ae1’ • A guest network has been setup on ‘ae2’ • A Source NAT rule now connects the guest network to the public IP • A policy isolates the guest network @cloudops_ www.cloudops.com
  14. 14. Egress firewall rules @cloudops_ www.cloudops.com
  15. 15. Ingress firewall rules @cloudops_ www.cloudops.com
  16. 16. Static NAT rules @cloudops_ www.cloudops.com
  17. 17. Port Forwarding rules @cloudops_ www.cloudops.com
  18. 18. Support for Palo Alto profiles • Added support for Palo Alto Networks ‘Security Profile Groups’ and ‘Log Forwarding Profiles’ • Globally configured at the device level (for now) and are associated with every ‘allow’ firewall rule • Enables basic support for IDS/IPS/Network AV threats, Wildfire (Anti-Malware), Data Protection, URL Filtering @cloudops_ www.cloudops.com
  19. 19. PA VM Appliance Support • Special considerations to support the Palo Alto virtual appliance • Simplify the implementation to the lowest common denominator • Using sub-interfaces instead of ‘vsys’ for configuration isolation • Ensuring support for the Palo Alto VM appliance enables support for Palo Alto running on the NetScaler SDX (currently in beta) @cloudops_ www.cloudops.com
  20. 20. Known limitations • Requires some initial configuration, it is not entirely plug and play (yet) • Currently only supports a single Public IP range • Public IP usage tracking is currently not handled • Fine grain control of ICMP is currently not handled • Not validating SSL certificates when ACS communicates with the Palo Alto device @cloudops_ www.cloudops.com
  21. 21. Changing gears… Next up: SSL Termination in ACS… @cloudops_ www.cloudops.com
  22. 22. SSL Termination in ACS • Developed by Syed Ahmed @ CloudOps • To be released in ACS 4.3 • Added Certificate management – – – – Supports Supports Supports Supports certificate verification certificate trust chains self-signed certificates encrypted private keys • Added a generic SSL Termination implementation to ACS for external load balancers • Added SSL Termination support for the NetScaler by extending the existing NetScalerplugin @cloudops_ www.cloudops.com
  23. 23. SSL Termination workflow Add SSL Termination 1) To create an SSL vserver on the NetScaler, use createLoadBalancerRule with the lb_protocol parameter set to SSL. 2) Upload the certificate to ACS using UploadSslCert(cert, key, chain, password_for_key) 3) Assign the certificate to the load balancer rule AssignCertToLoadBalancer(cert_id, lb_rule_id) Remove SSL Termination 1) Remove the cert from the load balancer removeFromLoadBalance(cert_id, lb_rule_id) 2) Remove the certificate @cloudops_ deleteSslCert(cert_id) www.cloudops.com
  24. 24. Associated APIs • Certificate Management – uploadSSLCert – deleteSSLCert – listSSLCerts • Load Balancer changes/additions – createLoadBalancerRule • use ‘lb_protocol=SSL’ to enable SSL termination – assignToLoadBalancerRule – removeFromLoadBalancerRule @cloudops_ www.cloudops.com
  25. 25. Additional notes • The implementation is not yet available in the UI, only via the API • Each certificate can be bound to multiple load balancer rules • Each load balancer rule can only be bound to one certificate – The bound certificate can be part of a chain • Does not support revocation lists (yet) FS: https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Ter mination+Support @cloudops_ www.cloudops.com
  26. 26. Questions ? Will Stevens www.cloudops.com @cloudops_ @cloudops_ www.cloudops.com