The Fortinet SDN Security Framework


WHITE PAPER: THE FORTINET SDN SECURITY FRAMEWORK

Agile Security for Software-Defined Networks and Data Centers

SDN and the Transformation of the Software-Defined Data Center

Software-Defined Networking (SDN) is starting to have a profound impact not just on the data center network, but on network security as well. As networking vendors hit the market with programmable switches, network controllers and orchestration tools, the initial hype around SDN is giving way to real and implementable solutions. As SDN becomes a strategic topic for IT networking and infrastructure teams, it should not be planned in isolation, but as a component of a larger data center evolution.

This transformation started a decade ago with x86 hypervisors delivering greater IT efficiency through server virtualization. As cloud computing drove the further evolution of Infrastructure-as-a-Service (IaaS) with greater agility and elasticity, those concepts have spilled over into network virtualization and SDN, as well as into Software-Defined Storage, Software-Defined WAN, and so on. Many analysts and pundits have variously termed this the Software-Defined Data Center (SDDC), or SDI/SDx (Software-Defined Infrastructure/Anything).

“SDx is a collective term that encapsulates the growing market momentum for improved standards for infrastructure programmability and data center interoperability driven by automation inherent to cloud computing” – Gartner Research

Network security is also being impacted. Firewalls, intrusion prevention, and other security appliances have traditionally been deployed as hardware devices at discrete points in the physical network, such as the ingress/egress point at the network edge. But as security increasingly needs to be deployed throughout the network to counter advanced threats inside the perimeter, there are challenges maintaining visibility and control over dynamic and logical network flows in increasingly software-defined environments. With the profound and fundamental changes to data center infrastructure, constricting traffic through a few fixed static inspection points would negate many of the benefits of Infrastructure-as-a-Service agility.

Introducing the SDN Security Framework

Network security needs to evolve as well. Fortinet’s vision is that security is itself a fundamental layer of IT infrastructure, as essential as compute, storage, and networking; hence security needs to become “Software-Defined” as well – in other words, as agile and elastic as other data center infrastructure. Fortinet is introducing the SDN Security Framework to define how security solutions need to evolve for Software-Defined Networks and Data Centers.

While integration with the SDN controller or platform is one key means of achieving agile network security, it is equally important to be able to integrate with hypervisors, cloud management, and intelligence and analytics tools.

The SDN Security Framework fundamentally evolves network security in each of the conceptual layers of network architecture – the data plane, control plane, and management plane respectively:

- Virtual Appliances/Services – Augment runtime security enforcement with flexible virtualized appliances and services (Data Plane)
- Platform Orchestration and Automation – Enable agility and elasticity by coordinating with underlying networking and infrastructure platforms (Control Plane)
- Single Pane-of-Glass Management – Provide unified management of policy, events and analytics across physical, virtual and cloud infrastructure (Management Plane)

Virtual Appliances & Services

Aside from firewalls and other network security evolving to bigger and faster hardware, security engines and functions need to be delivered as virtual appliances as well. Virtualized appliances essentially encapsulate L4-L7 services such as firewalls or load balancers as software engines within a VM container, enabling a hypervisor to deliver many of the same virtualization benefits as for web servers and other applications.

Virtual firewalls can be deployed down at the virtual switching layer, closer to the VM workloads, to gain more visibility into east-west VM traffic and data, and can also be deployed more flexibly as the data center grows. As the data center extends to the hybrid cloud, virtual appliances are also the only option to bring network security to public cloud providers where physical appliances are not allowed.

Hardware appliances, while still needing to be deployed in advance, can gain some flexibility through Virtual Domains (VDOMs) and VLANs. With scale-up hardware achieving highly cost-effective throughput of above 100Gbps to 1Tbps and beyond, service providers and others can more flexibly manage ever-growing capacity with up to thousands of logical VDOM instances per physical device.

Platform Orchestration and Automation

The security platform needs to be able to support dynamic changes in the compute, networking or other infrastructure layers, such as the onboarding of a tenant or adding a new server instance to an existing workload. The benefits of using on-demand cloud services, for example, would be negated if it takes days or weeks to manually provision security via human administrators, or even worse, if data and services are put into production without secure and compliant controls.

A better model is that these administrative changes can be automated by orchestrating security management with hypervisors, SDN controllers and other infrastructure platforms. For example, for a highly elastic cloud application, when a new VM instance is spun up on a virtualization host, the hypervisor can notify the SDN controller to set up the appropriate switch ports and VLANs, and also dynamically route the flows through a virtual or physical firewall that has been notified to apply the proper security policies for that workload.

Single Pane-of-Glass Management

As data center workloads become more dynamic, there can be protection or compliance gaps if a different security posture is applied depending on whether the workload is physical or virtual, running in a private cloud or a public cloud, or protected by a physical or virtual firewall. Security management needs to be able to ensure a single pane-of-glass view of security policies and events across the hybrid cloud, regardless of where a workload is running and how it is being protected.

Security management itself can be delivered more as a service as well, such as by running policy and logging engines in virtual machines or even hosting it as a SaaS application in the cloud.

Platform Extensibility & Ecosystem Integration

Security appliances and management products can no longer be isolated from the rest of the infrastructure, but must be cognizant of real-time changes in the data center. Security solutions therefore must be built on an extensible platform that can integrate and communicate with other infrastructure through programmable APIs and other interface points. These could be either open standards or proprietary interfaces – both have their pros and cons historically for interoperability, time-to-market, and other considerations.

Security vendors and their ecosystem partners must ideally deliver out-of-box security solutions for leading infrastructure platforms that can be easily configured and deployed by most enterprises without custom programming or other glue. However, vendors should also make their platforms flexible enough for service providers, more advanced enterprises and other technology partners to integrate the SDN controllers, orchestration platforms, cloud management, and visibility and analytics tools of their choice.

Use Cases for SDN Security

SDN Security defines a generalized security architecture framework that can be applied to a variety of business and IT use cases, but a few key ones are emerging commonly for enterprises and service providers deploying virtualization, cloud and SDN technologies.

Auto-Scaling/Auto-Provisioning Protection for Elastic Workloads

Many organizations are looking to accelerate their business by connecting more closely with customers or consumers through social media or web-based initiatives. These mobile, social and multimedia applications need to be deployed rapidly and scale virally in response to end-user demand, hence internal IT teams and cloud service providers alike are being driven to deliver highly elastic IaaS services to line-of-business development teams.

However, as web server VMs and other infrastructure are spun up and down to scale quickly, IT also needs to ensure that firewalls and other protections are applied with appropriate policies to ensure the privacy and confidentiality of sensitive user or corporate data, lest they risk alienating the very constituencies that organizations are trying to reach more closely. But in order to secure infrastructure transparently without slowing down or disrupting the business, IT organizations are looking to automate the deployment and provisioning of security engines and policies seamlessly with the provisioning of virtual machines, virtual ports, and other software-defined infrastructure.

Securing East-West Traffic in Virtual Environments

Studies have shown that in modern data centers up to 75-80% of data center traffic is east-west rather than north-south, as VMware ESX and other hypervisors began to leverage virtual networking not just for allocating network bandwidth, but also for load balancing, high availability, and other value-added benefits. In addition, much of that east-west traffic is virtual inter-VM traffic that may stay on the vSwitch rather than leaving the physical host, making it increasingly difficult to inspect with hardware security appliances that sit higher up in the physical network.

Organizations are increasingly looking to virtualized firewalls and security appliances that can sit on the vSwitch inline to inspect virtual traffic, and that can follow VMs across the virtual data center, such as maintaining stateful inspection during live VM migration or having distributed firewall rules that work across host clusters irrespective of changes to logical IPs, ports or MAC addresses.

Network virtualization and SDN further abstract the network and exacerbate visibility and control challenges, such as tunneling VXLAN or other overlay/underlay traffic, making LAN traffic invisible to physical Layer 3 security gateways, or spanning traffic across clouds and out of the control of on-premise security devices.
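The VXLAN visibility problem described above, as an added example that is not part of the Fortinet paper: a constructed VXLAN frame built and parsed with Python's standard library only. The outer headers (VTEP-to-VTEP IPs, UDP 4789) are everything a physical Layer 3 gateway in the underlay can match on; the tenant's real VM-to-VM 5-tuple only appears after decapsulation, which is what a vSwitch-level firewall gets to see. All addresses, MACs and the VNI are made-up sample values, and the `permitted` allow-list is a hypothetical stand-in for a real policy engine.

```python
"""VXLAN decapsulation: what an underlay L3 gateway sees vs. the inner VM-to-VM flow.

Added example, not from the Fortinet paper. Constructs a VXLAN-encapsulated
frame (outer Ethernet/IPv4/UDP 4789 + 8-byte VXLAN header + inner
Ethernet/IPv4/TCP) with the standard library and parses both layers.
All addresses, MACs and the VNI are made-up sample values.
"""
import socket
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN port (RFC 7348)
VXLAN_I_FLAG = 0x08000000      # "I" bit: a valid VNI is present


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ipv4_header(src, dst, proto, payload_len):
    # Version 4, IHL 5 (no options); checksum left zero, it is not validated here.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_inner_frame(src_ip, dst_ip, sport, dport):
    """Constructed sample: an Ethernet/IPv4/TCP SYN between two VMs on one logical segment."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)  # offset 5, SYN
    ip = _ipv4_header(src_ip, dst_ip, 6, len(tcp))
    eth = _mac("00:50:56:aa:00:01") + _mac("00:50:56:aa:00:02") + b"\x08\x00"
    return eth + ip + tcp


def build_vxlan_frame(vtep_src, vtep_dst, vni, inner_frame):
    """Constructed sample: wrap inner_frame in VXLAN between two VTEPs (hypervisor hosts)."""
    # VXLAN header: 8 flag bits (I set) + 24 reserved, then 24-bit VNI + 8 reserved (RFC 7348 s.5)
    vxlan = struct.pack("!II", VXLAN_I_FLAG, vni << 8)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vxlan) + len(inner_frame), 0)
    ip = _ipv4_header(vtep_src, vtep_dst, 17, len(udp) + len(vxlan) + len(inner_frame))
    eth = _mac("00:1c:73:00:00:01") + _mac("00:1c:73:00:00:02") + b"\x08\x00"
    return eth + ip + udp + vxlan + inner_frame


def parse_flow(frame):
    """Parse Ethernet/IPv4 plus the L4 port pair; returns (5-tuple dict, offset of L4 header)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4
    flow = {
        "src": socket.inet_ntoa(frame[ip + 12:ip + 16]),
        "dst": socket.inet_ntoa(frame[ip + 16:ip + 20]),
        "proto": frame[ip + 9],
    }
    l4 = ip + ihl
    flow["sport"], flow["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return flow, l4


def decapsulate(frame):
    """Return (outer_flow, vni, inner_flow); vni and inner_flow are None if not VXLAN.

    outer_flow is all that a physical Layer 3 gateway in the underlay can match on:
    VTEP to VTEP, UDP 4789. The tenant's real 5-tuple is only in inner_flow.
    """
    outer, l4 = parse_flow(frame)
    if outer["proto"] != 17 or outer["dport"] != VXLAN_UDP_PORT:
        return outer, None, None
    vx = l4 + 8                                   # skip the 8-byte UDP header
    flags, vni_field = struct.unpack("!II", frame[vx:vx + 8])
    if not flags & VXLAN_I_FLAG:
        raise ValueError("VXLAN header without I flag")
    inner, _ = parse_flow(frame[vx + 8:])
    return outer, vni_field >> 8, inner


def permitted(frame, allow):
    """Evaluate a hypothetical allow-list of (src, dst, proto, dport) tuples against the flow a
    vSwitch-level firewall sees after decapsulation (or the plain frame if it is not tunneled)."""
    outer, vni, inner = decapsulate(frame)
    flow = inner if inner is not None else outer
    return (flow["src"], flow["dst"], flow["proto"], flow["dport"]) in allow


if __name__ == "__main__":
    inner = build_inner_frame("192.168.1.10", "192.168.1.20", 40000, 3306)
    frame = build_vxlan_frame("10.0.0.1", "10.0.0.2", 5001, inner)
    print(decapsulate(frame))
```

Run stand-alone it prints the outer VTEP flow, the VNI and the inner flow for the constructed frame. An underlay gateway that only parses the outer headers would have to allow or deny all of VNI 5001 between those two hosts; `permitted` shows that a rule written for the tenant's `192.168.1.10 -> 192.168.1.20:3306` only matches once the inner frame is recovered.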

Enabling Micro-Segmentation in Consolidated Data Centers

Data center consolidation is increasing IT efficiency through the use of technologies like server virtualization and network virtualization, but it also aggregates more sensitive data and users in shared and increasingly multi-tenant environments. This concentrates risk and potential exposure, particularly as IT looks to adopt flatter and more open networks that enable more scalable infrastructure.

Organizations are looking to micro-segmentation approaches that can provide fine-grained firewalling across flat networks without disrupting applications and users. SDN platforms are increasingly adding policy-based consoles that can define higher-level policies based on users, roles and other metadata, which can then be orchestrated with security management to transparently deploy a “honeycomb” of fine-grained trust zones in coordination with the software-defined network flows.

Network Function Virtualization (NFV)

Network Function Virtualization (NFV) takes the notion of virtual firewalls, load balancers, and other L4-L7 network and security appliances – aka virtualized network functions (VNFs) – several steps further to support provider requirements for commoditization and service manageability. Firewalls and other security VNFs must be able to support service insertion and service chaining, interoperable on more commoditized NFV hardware, leading to lower costs, higher scalability, and better manageability. These benefits lower provider capex and opex, and enable efficiency and savings that can also be passed down to provider tenants and clients.

Enabling Security-as-a-Service for Service Providers

Telcos and managed security service providers (MSSPs) have long delivered network security solutions as managed services, either from centralized provider networks or as customer premise equipment (CPE). But they are increasingly looking to deliver managed security with IaaS-based characteristics – i.e. security-as-a-service – whether as standalone security services or integrated seamlessly with public clouds and cloud marketplace offerings.

Service providers have been not only the earliest adopters of SDN, but are also key stakeholders in the evolution of SDN Security. Thus Fortinet has defined extensions to the SDN Security Framework that build on the specific needs of IaaS service providers.

On-Demand Self Service

Service providers are increasingly being driven by enterprise tenants to not only provide elastic infrastructure, but also offer services on an on-demand, pay-as-you-go basis. Hence providers are looking to offer security and network services through self-service catalogs and marketplaces and charge by hourly, monthly or other metering schemes. In addition, to deliver a seamless tenant experience, security provisioning should be seamlessly orchestrated into tenant virtual networks with transparent deployment, metering and billing.

SaaS Multi-Tenancy

As cloud services and managed services are increasingly delivered from efficient and elastic multi-tenant infrastructure, rather than from dedicated or customer premise equipment (CPE), management tools and platforms need to become multi-tenant aware. Security policy and event management can be delegated to each tenant to reduce cloud admin costs, ideally through online web interfaces to deliver a more SaaS-like experience. Provider admins must also have a global provider view, in addition to being able to troubleshoot delegated administrative views for a single tenant.
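The control-plane coordination described under Platform Orchestration and Automation (hypervisor lifecycle event, then firewall policy applied to the new workload) and the role-based micro-segmentation described above can be shown together in one added example. This is illustrative code, not Fortinet code and not the FortiManager or any SDN controller API: an orchestrator that consumes hypervisor lifecycle events, keeps a workload inventory keyed by VM identity rather than IP, compiles role-tag intent into concrete per-host allow rules, and returns the delta each host's vSwitch-level firewall needs to receive. Event shapes, tags, host names and addresses are made-up sample values; pushing the delta to a real enforcement point is left as the returned value.

```python
"""Event-driven micro-segmentation: compile tag-based intent into per-host firewall rules.

Added example, not Fortinet code. A hypervisor/SDN controller emits workload
lifecycle events; the orchestrator keeps a workload inventory keyed by VM
identity (not IP), compiles role-tag intent into concrete allow rules, and
returns the delta to push to each host's virtual firewall. Event shapes, tags,
hosts and addresses are made-up sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    vm_id: str
    ip: str
    host: str
    tags: frozenset


@dataclass(frozen=True)
class Intent:
    """Higher-level policy in terms of roles: allow src_tag -> dst_tag on TCP dport."""
    src_tag: str
    dst_tag: str
    dport: int


@dataclass(frozen=True)
class FirewallRule:
    """Concrete allow rule for one enforcement point. Anything not listed is implicitly
    denied by the enforcement point, which is what makes the trust zones fine-grained."""
    src_ip: str
    dst_ip: str
    dport: int


class SecurityOrchestrator:
    def __init__(self, intent):
        self.intent = list(intent)
        self.inventory = {}   # vm_id -> Workload
        self.pushed = {}      # host -> set of FirewallRule currently installed on that host

    def handle_event(self, event):
        """Consume one lifecycle event from the infrastructure platform and reconcile."""
        kind, vm_id = event["type"], event["vm_id"]
        if kind == "vm_created":
            self.inventory[vm_id] = Workload(vm_id, event["ip"], event["host"], frozenset(event["tags"]))
        elif kind == "vm_migrated":
            old = self.inventory[vm_id]
            # Identity and tags are preserved across live migration; host and (optionally) IP change.
            self.inventory[vm_id] = Workload(vm_id, event.get("ip", old.ip), event["host"], old.tags)
        elif kind == "vm_deleted":
            self.inventory.pop(vm_id, None)
        else:
            raise ValueError(f"unknown event type {kind!r}")
        return self.reconcile()

    def compile(self):
        """Expand role intent into concrete rules over the current inventory."""
        rules = set()
        for rule in self.intent:
            sources = [w for w in self.inventory.values() if rule.src_tag in w.tags]
            targets = [w for w in self.inventory.values() if rule.dst_tag in w.tags]
            for s in sources:
                for d in targets:
                    if s.vm_id != d.vm_id:
                        rules.add(FirewallRule(s.ip, d.ip, rule.dport))
        return rules

    def reconcile(self):
        """Compute what each host's vSwitch-level firewall must hold; return the per-host delta."""
        desired = self.compile()
        delta = {}
        for host in {w.host for w in self.inventory.values()} | set(self.pushed):
            local_ips = {w.ip for w in self.inventory.values() if w.host == host}
            # A host enforces every rule in which it hosts either endpoint.
            want = {r for r in desired if r.src_ip in local_ips or r.dst_ip in local_ips}
            have = self.pushed.get(host, set())
            if want != have:
                delta[host] = {"add": want - have, "remove": have - want}
                self.pushed[host] = want
        return delta


def demo():
    """Three-tier app: web -> app:8080, app -> db:3306; then scale-out and a live migration."""
    orch = SecurityOrchestrator([Intent("web", "app", 8080), Intent("app", "db", 3306)])
    orch.handle_event({"type": "vm_created", "vm_id": "web-1", "ip": "10.1.0.11", "host": "esx-a", "tags": ["web"]})
    orch.handle_event({"type": "vm_created", "vm_id": "app-1", "ip": "10.1.0.21", "host": "esx-b", "tags": ["app"]})
    orch.handle_event({"type": "vm_created", "vm_id": "db-1", "ip": "10.1.0.31", "host": "esx-b", "tags": ["db"]})
    # Auto-scaling: a new app instance inherits the app posture with no manual rule edits.
    orch.handle_event({"type": "vm_created", "vm_id": "app-2", "ip": "10.1.0.22", "host": "esx-a", "tags": ["app"]})
    # Live migration: rules follow the VM to its new host and are withdrawn from the old one.
    delta = orch.handle_event({"type": "vm_migrated", "vm_id": "app-1", "host": "esx-a"})
    return orch, delta


if __name__ == "__main__":
    orch, delta = demo()
    for host, change in sorted(delta.items()):
        print(host, "add:", sorted(change["add"], key=str), "remove:", sorted(change["remove"], key=str))
```

The point of keying on `vm_id` and tags rather than on addresses is that the same intent keeps producing correct rules as instances are added, removed or moved; the only thing that changes per event is the delta handed to each host. A real deployment would also need the SDN controller to steer the flows through the enforcement point and would carry a default-deny policy on it, neither of which this sketch models.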

Secure the Private Cloud with Fortinet

Fortinet has been delivering solutions for both physical and virtual networks for several years, and is investing aggressively in a comprehensive strategy for SDN Security. Fortinet leverages a scale-up and scale-out data center approach combining the benefits of both high-performance hardware and virtual appliances with the common FortiOS consolidated security platform and FortiGuard threat research and content services.

- FortiGate hardware appliances – Scale-up hardware with proprietary ASIC architecture to keep up with increasing core network speeds up to the largest provider and hyperscale networks. Virtual domain technology allows firewall capacities of up to 1.2Tbps to be flexibly managed and delegated as virtual services to up to 3000 tenant VDOMs per device.
- FortiGate-VM virtual appliances – Scale-out virtual appliances that provide firewall, IPS and consolidated network security, supporting all leading hypervisors as well as major public cloud platforms.

Extend the Fortinet Security Fabric to the Cloud

The Fortinet Security Fabric is the communications interface that delivers seamless security across the entire attack surface. It enables organizations to securely and elastically scale protection to their private cloud infrastructure and workloads, and to segment both within the cloud and between endpoints, enterprise networks, and the cloud as follows:

- Scalable – provides highly elastic FortiGate and FortiWeb protection that is orchestrated to automatically scale with private cloud workloads and applications.
- Aware – integrated with underlying private cloud infrastructure to be agile and provide protection that is seamless with changes to the underlying environment.
- Applies FortiGuard threat intelligence globally to segment the data center across private and hybrid cloud, and between the cloud and the endpoint and network in an organization.
- Actionable – integrated into SIEM and other analytics in the data center and cloud, with the ability to orchestrate changes to FortiGate and other Fortinet security policy/posture automatically in response to incidents and events.
- Open – built on a highly extensible platform with programmatic APIs (REST and JSON) and other interfaces to integrate with hypervisors, SDN controllers, cloud management, orchestration tools and the software-defined data center.

For example, the physical or virtual firewalls interface and network with the communication and collaboration elements contained in the Fortinet Security Fabric to determine what network intelligence is shared across the enterprise.

Fortinet SDN Security Portfolio

Fortinet’s SDN Security solution unifies the FortiGate platform together with a broad portfolio of products, technologies and services into a cohesive solution for securing SDN and SDDC environments, including:

- FortiGate SDN integration – Out-of-the-box solutions with leading SDN platforms, such as FortiGate-VMX for VMware and integration with Cisco’s Application-Centric Infrastructure (ACI)
- FortiManager and FortiAnalyzer management solutions – Centralized policy for physical, virtual and cloud environments, that can be deployed on-premise or in the cloud.
- FortiCloud and FortiPrivateCloud – SaaS-based central management solutions for enterprises and service providers
- Fortinet Developer Network (FNDN) – Extensible FortiManager APIs provide programmable interfaces for custom orchestration and automation with SDN controllers and other infrastructure, with staffed development support via an online resource
- Programmable Network Partnership Ecosystem – Dozens of technology partners working with Fortinet’s SDN Security platform to integrate SDN controllers, orchestration platforms, programmable switches, and centralized policy and analytics solutions
- Other Fortinet Security Solutions – Additional networking and security solutions available as both physical and virtual appliances, including FortiWeb-VM web security, FortiMail mail security, FortiSandbox-VM advanced threat detection, and FortiADC-VM application delivery controllers

Copyright 2016 Fortinet, Inc. All rights reserved.
