www.paloaltonetworks.com www.cloudops.com
Palo Alto Networks firewall
orchestration using CloudStack
June 25th, 2013
Brian Torres-Gil
Ian Rae
Overview
Intro to speakers
Project objectives
Approach
Solution overview
Demo (demo gods permitting)
FAQ
Next Steps
Who?
Ian Rae
Founder and CEO
CloudOps
Brian Torres-Gil
Solutions Architect
Palo Alto Networks
CloudOps Overview
• CloudOps specializes in building, supporting and operating cloud computing platforms (private, public, and hybrid)
• Unique expertise with load balancing built over 14 years of experience
• Unique expertise with EUEM and APM from Coradiant background
• Develops best-in-class cloud architectures and operational models
• Customers in Canada, US and Europe
• Based in Montreal, Canada
Palo Alto Networks at a glance
Corporate highlights
Founded in 2005; first customer shipment in 2007
Safely enabling applications
Able to address all network security needs
Exceptional ability to support global customers
Experienced technology and management team
1,000+ employees globally
Palo Alto - Safe application enablement
Our fundamentally new approach:
• Identify, control, and safely enable all applications by user
• Inspect content for known and unknown threats in real time
• High throughput and performance
• Simplify infrastructure and reduce TCO
• Enable diverse deployment scenarios
Why?
CloudStack virtual router: for Advanced Networking it often handles NAT, LB, FW, VPN in addition to DHCP and DNS.
Great approach for horizontally scaled commodity networking services, BUT it can be a bottleneck and a bit of a black box security-wise.
More Why.
Some clouds have important security requirements not met by the CS-VR.
There is often a need for greater visibility and advanced security services (e.g. content filtering).
Typical examples: enterprise private clouds, PCI compliance for online business, enterprise-targeted service providers (often telecom providers).
What?
Project Objectives
• Support of CloudStack advanced network topology.
• Support of multiple Palo Alto Networks firewalls.
• Support of parallel deployment with hardware load-balancer (e.g. NetScaler).
• Configuration of connectivity with Palo Alto Networks firewall through CloudStack UI and persistence of this information.
• Allow the selection of Palo Alto firewall when defining CloudStack network service offering for:
– Firewall (Ingress & Egress)
– Source NAT
– Static NAT
– Port forwarding
• Communication layer with Palo Alto APIs.
• Mapping of CloudStack APIs to corresponding Palo Alto APIs.
• Proper display of Palo Alto connectivity status in CloudStack UI.
• Functional/Integration testing on PA-3020 platform (version 5.0.0).
• Full documentation of the solution (architecture, design, APIs).
How?
Example external device NSP
How, in a picture.
Solution overview
Note: VRs are not actually “inline”.
Pre-configure the Palo Alto device
• Set up the Public and Private interfaces on the PA.
• Pre-configure the Public interface according to the Public IP range in CS.
Add the PA as a service provider
• Add the PA device as a guest network service provider.
• Enable the provider.
Create a Network Offering
• Expose the PA through a network offering.
• PA provides: Source NAT, Static NAT, Port Forwarding and Firewall services.
• Enable the new offering.
Use the Palo Alto
• Add a network using the service offering.
• Launch a VM on the new network.
Check what happened on the PA
• A Source NAT IP is allocated on ‘ae1’.
• A guest network has been set up on ‘ae2’.
• A Source NAT rule now connects the guest network to the public IP.
• A policy isolates the guest network.
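The four artifacts above are what an operator would want to verify after the orchestration runs. As an added example (not code from the slides or from the CloudOps plugin), this Python check parses a constructed PAN-OS-style configuration fragment and reports which artifacts are present; the element names, the per-network guest zone, the SNAT address on ae1 and the VLAN-tagged sub-interface on ae2 are assumptions about how the plugin lays out the device.

```python
import xml.etree.ElementTree as ET

# Constructed PAN-OS-style config fragment for one guest network (VLAN 201)
# after CloudStack orchestration. Element names are an assumption.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<network><interface><aggregate-ethernet>
 <entry name="ae1"><layer3><ip><entry name="203.0.113.10/32"/></ip></layer3></entry>
 <entry name="ae2"><layer3><units><entry name="ae2.201"><tag>201</tag>
   <ip><entry name="10.1.201.1/24"/></ip></entry></units></layer3></entry>
</aggregate-ethernet></interface></network>
<vsys><entry name="vsys1"><rulebase>
 <nat><rules><entry name="cs-snat-201">
  <from><member>guest-201</member></from><to><member>untrust</member></to>
  <source><member>10.1.201.0/24</member></source>
  <source-translation><dynamic-ip-and-port><translated-address>
   <member>203.0.113.10</member></translated-address></dynamic-ip-and-port>
  </source-translation></entry></rules></nat>
 <security><rules>
  <entry name="cs-egress-201"><from><member>guest-201</member></from>
   <to><member>untrust</member></to><action>allow</action></entry>
  <entry name="cs-isolate-201"><from><member>guest-201</member></from>
   <to><member>any</member></to><action>deny</action></entry>
 </rules></security>
</rulebase></entry></vsys></entry></devices></config>"""

def members(node, path):
    """Collect the <member> values under a rule sub-element."""
    return {m.text for m in node.findall(f"{path}/member")}

def audit_guest_network(xml_text, vlan, guest_zone, public_ip):
    """Return which of the four expected artifacts exist for one guest network."""
    dev = ET.fromstring(xml_text).find("devices/entry")
    ae = "network/interface/aggregate-ethernet/entry"
    # 1. SNAT IP present as an address on ae1 (so the PA answers ARP for it)
    ae1_ips = {e.get("name").split("/")[0]
               for e in dev.findall(f"{ae}[@name='ae1']/layer3/ip/entry")}
    # 2. Guest network carried as a tagged sub-interface on ae2
    ae2_units = dev.findall(f"{ae}[@name='ae2']/layer3/units/entry")
    guest_unit = any(u.findtext("tag") == str(vlan) for u in ae2_units)
    rb = dev.find("vsys/entry/rulebase")
    # 3. A NAT rule translating guest traffic to the public IP
    snat = any(guest_zone in members(r, "from") and public_ip in members(
        r, "source-translation/dynamic-ip-and-port/translated-address")
        for r in rb.findall("nat/rules/entry"))
    # 4. A deny policy sourced from the guest zone (isolation)
    isolate = any(guest_zone in members(r, "from") and r.findtext("action") == "deny"
                  for r in rb.findall("security/rules/entry"))
    return {"snat_ip_on_ae1": public_ip in ae1_ips, "guest_unit_on_ae2": guest_unit,
            "snat_rule": snat, "isolation_policy": isolate}
```

Any `False` in the returned dict points at the artifact the orchestration failed to create, which is the first thing to check before treating a guest network as isolated.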
Egress firewall rules
Static NAT rules
Port Forwarding rules
Ingress firewall rules
FAQ
Q: Is it open source?
A: Yes - will be contributed to CloudStack.
Q: What is it based on?
A: Current dev is based on the 4.2 master branch circa a few weeks ago.
Q: Which release of CS will it be included in?
A: Depending on the next steps and funding, probably 4.3.
Q: What’s planned next?
A: Glad you asked.
More Information
Documentation is here:
https://cwiki.apache.org/CLOUDSTACK/palo-alto-firewall-integration.html
Code is here:
https://github.com/cloudops/cs_palo_alto/tree/palo_alto
Contact: @ianrae and @CloudOps_