How to protect your Virtual Datacenter
Michiel van den Bos
Security challenges in the cloud
Physical firewalls may not see the East-West traffic
MS-SQL
2 | ©2014, Palo Alto Networks. Confidential and Proprietary.
SharePoint
Web Front End

Firewalls placement is designed
around expectation of layer 3
segmentation

Network configuration changes
required to secure East-West traffic
flows are manual, time-consuming
and complex

Ability to transparently insert
security into the traffic flow is
needed
Security challenges in the cloud
Incomplete security features on existing virtual security solutions
MS-SQL
SharePoint
Web Front End
In the cloud, applications of different trust levels now run on a single server

VM-VM traffic (East-West) needs to be inspected

Port and protocol-based security is not sufficient

Virtualized next-generation security is needed to:

Safely enable application traffic between VMs

Protect against against cyber attacks
3 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Security challenges in the cloud
Static policies cannot keep pace with dynamic workload deployments
4 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Provisioning of applications can occur
in minutes with frequent changes

Security approvals and configurations
may take weeks/months

Dynamic security policies that
understand VM context are needed
VMware and Palo Alto Networks solution
Cloud security challenges
Solution
Manual networking configuration to steer traffic to
security appliance
Automated, transparent services insertion of VMSeries with VMware NSX
Incomplete security capabilities
Virtualized security appliance supporting PAN-OSTM
Static policies cannot keep up with virtual machine
changes
Dynamic security policies with VM context
5 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Applying Zero Trust concepts in the data center
All resources are accessed in a secure
manner regardless of location.
Access control is on a “need-to-know”
basis and is strictly enforced.
Verify and never trust.
Inspect and log all traffic.
6 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Segmentation for all data center traffic
Application
corporate network/DMZ
Network
Security
Virtualized servers
Physical servers
Segment North South (physical) and East West (virtual) traffic
Tracks virtual application provisioning and changes via dynamic address groups
Automation and orchestration support via REST-API
7 | ©2014, Palo Alto Networks. Confidential and Proprietary.
VM-Series for east-west traffic inspection
• Next-generation firewall in a virtual form factor
• Consistent features as hardware-based next-generation
firewall
• Inspects and safely enables intra-host communications (EastWest traffic)
• Tracks VM creation and movement with dynamic address
groups
• New model will be released to support VMware NSX
8 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Dynamic address groups
Database
Database
IP: 14.28.56.112
12.12.12.12
22.22.22.22
33.33.33.33
Policies
9 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Windows
• Dynamic Address Groups delivers policy abstraction layer for
physical and virtual security appliances
• Replaces static object definitions with dynamic data
• Dynamic Address Groups replaces Dynamic Address Objects:
• Supports multiple tags representing VM attributes
• Increased maximum of registered IP addresses per object and
per system
• Multiple tags can be resolved for policy
(Example: Policy for VMs with “DB” & “windows O/S” tags)
Power of dynamic address groups
PAN-OS Dynamic Address Groups
VMware vCenter or ESXi
Name
IP
Guest OS
Container
web-sjc-01
10.1.1.2
Ubuntu 12.04
Web
sp-sjc-04
10.1.5.4
Win 2008 R2
SharePoint
web-sjc-02
10.1.1.3
Ubuntu 12.04
Web
exch-mia-03
10.4.2.2
Win 2008 R2
Exchange
exch-dfw-03
10.4.2.3
Win 2008 R2
Exchange
sp-mia-07
10.1.5.8
Win 2008 R2
SharePoint
db-mia-01
10.5.1.5
Ubuntu 12.04
MySQL
db-dfw-02
10.5.1.2
Ubuntu 12.04
MySQL
db-mia-05
10.5.1.9
Ubuntu 12.04
MySQL
Name
Tags
Addresses
SharePoint
Servers
SharePoint
Win 2008 R2
“sp”
10.1.5.4
10.1.5.8
MySQL Servers
MySQL
Ubuntu 12.04
“db”
10.5.1.5
10.5.1.2
10.5.1.9
Miami DC
“mia”
10.4.2.2
10.1.5.8
10.5.1.5
San Jose Linux
Web Servers
“sjc”
“web”
Ubuntu 12.04
10.1.1.2
10.1.1.3
PAN-OS Security Policy
10 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Source
Destination
Action
SharePoint
Servers
San Jose Linux
Web Servers
✔
MySQL
Servers
Miami DC

Panorama centralized management and policy automation
Integration With
Orchestration Vendors
11 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Global, centralized management of security policies
for all Palo Alto Networks datacenter firewalls,
physical or virtual platforms

Centralized logging and reporting

Deploy virtually or via M-100 physical appliance

Scalability to manage up to 1,000 firewalls

Automatically provision security policies together with
your existing orchestrated tasks

RESTful XML API over SSL connection enables
integration with leading orchestration vendors

Derive management efficiencies via orchestrated:
 Application/service/tenant resource allocations
 Service state tracking
 Policy mapping
How The Joint Integration Works
12 | ©2014, Palo Alto Networks. Confidential and Proprietary.
VM-1000-HV
VMware NSX and Palo Alto Networks integration
13 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Meeting the needs of both infrastructure and security
Cloud
Security
• Accelerate app deployments
and unlock cloud agility
• Increase visibility and protection
against cyber attacks
• Meet expectations of security in
new operating model
• Maintain consistent security
controls for all DC traffic
For more information on the integration, visit
www.paloaltonetworks.com/partners/vmware.html
14 | ©2014, Palo Alto Networks. Confidential and Proprietary.