
How to protect your Virtual Datacenter

Michiel van den Bos


Security challenges in the cloud
Physical firewalls may not see the East-West traffic
Firewall placement is designed around the expectation of Layer 3 segmentation
Network configuration changes required to secure East-West traffic flows are manual, time-consuming and complex
Ability to transparently insert security into the traffic flow is needed


[Diagram labels: MS-SQL, SharePoint, Web Front End]
2 | 2014, Palo Alto Networks. Confidential and Proprietary.
Security challenges in the cloud
Incomplete security features on existing virtual security solutions

In the cloud, applications of different trust levels now run on a single server
VM-VM traffic (East-West) needs to be inspected
Port and protocol-based security is not sufficient
Virtualized next-generation security is needed to:
Safely enable application traffic between VMs
Protect against cyber attacks
Security challenges in the cloud
Static policies cannot keep pace with dynamic workload deployments
Provisioning of applications can occur in minutes with frequent changes
Security approvals and configurations may take weeks/months
Dynamic security policies that understand VM context are needed


VMware and Palo Alto Networks solution
Cloud security challenges | Solution
Manual networking configuration to steer traffic to security appliance | Automated, transparent services insertion of VM-Series with VMware NSX
Incomplete security capabilities | Virtualized security appliance supporting PAN-OS™
Static policies cannot keep up with virtual machine changes | Dynamic security policies with VM context
Applying Zero Trust concepts in the data center
All resources are accessed in a secure manner regardless of location.
Access control is on a need-to-know basis and is strictly enforced.
Verify and never trust.
Inspect and log all traffic.
Segmentation for all data center traffic
[Diagram labels: Virtualized servers, Physical servers, corporate network/DMZ; Security, Network, Application]

Segment North-South (physical) and East-West (virtual) traffic
Tracks virtual application provisioning and changes via dynamic address groups
Automation and orchestration support via REST API
VM-Series for east-west traffic inspection

Next-generation firewall in a virtual form factor
Features consistent with the hardware-based next-generation firewall
Inspects and safely enables intra-host communications (East-West traffic)
Tracks VM creation and movement with dynamic address groups
New model will be released to support VMware NSX
Dynamic address groups
Dynamic Address Groups deliver a policy abstraction layer for physical and virtual security appliances
Replaces static object definitions with dynamic data
Dynamic Address Groups replace Dynamic Address Objects:
Supports multiple tags representing VM attributes
Increased maximum of registered IP addresses per object and per system
Multiple tags can be resolved for policy (Example: Policy for VMs with DB & Windows O/S tags)
[Diagram labels: Policies; Database (IP: 14.28.56.112); Database (12.12.12.12, 22.22.22.22, 33.33.33.33); Windows]
Power of dynamic address groups

VMware vCenter or ESXi
Name | IP | Guest OS | Container
web-sjc-01 | 10.1.1.2 | Ubuntu 12.04 | Web
sp-sjc-04 | 10.1.5.4 | Win 2008 R2 | SharePoint
web-sjc-02 | 10.1.1.3 | Ubuntu 12.04 | Web
exch-mia-03 | 10.4.2.2 | Win 2008 R2 | Exchange
exch-dfw-03 | 10.4.2.3 | Win 2008 R2 | Exchange
sp-mia-07 | 10.1.5.8 | Win 2008 R2 | SharePoint
db-mia-01 | 10.5.1.5 | Ubuntu 12.04 | MySQL
db-dfw-02 | 10.5.1.2 | Ubuntu 12.04 | MySQL
db-mia-05 | 10.5.1.9 | Ubuntu 12.04 | MySQL (shown last on the slide, followed by its address 10.5.1.9 on its own)

PAN-OS Dynamic Address Groups
Name | Tags | Addresses
SharePoint Servers | SharePoint, Win 2008 R2, sp | 10.1.5.4, 10.1.5.8
MySQL Servers | MySQL, Ubuntu 12.04, db | 10.5.1.5, 10.5.1.2
Miami DC | mia | 10.4.2.2, 10.1.5.8, 10.5.1.5
San Jose Linux Web Servers | sjc, web, Ubuntu 12.04 | 10.1.1.2, 10.1.1.3

PAN-OS Security Policy
Source | Destination | Action
SharePoint Servers | San Jose Linux Web Servers | [not captured]
MySQL Servers | Miami DC | [not captured]
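
The tag-to-address resolution this slide illustrates, as an added Python example (not Palo Alto Networks code and not PAN-OS syntax). It uses the slide's inventory and group tags, assumes each VM's tags come from its name tokens, guest OS and container, and also reports VMs that match no group.

```python
# Added illustration, not vendor code: a simplified model of tag-driven
# dynamic address groups using the inventory and groups shown on the slide.
# Assumption: a VM's tags are its name's role and site tokens, guest OS and container.
INVENTORY = [  # (name, ip, guest_os, container) as listed for vCenter/ESXi
    ("web-sjc-01", "10.1.1.2", "Ubuntu 12.04", "Web"),
    ("sp-sjc-04", "10.1.5.4", "Win 2008 R2", "SharePoint"),
    ("web-sjc-02", "10.1.1.3", "Ubuntu 12.04", "Web"),
    ("exch-mia-03", "10.4.2.2", "Win 2008 R2", "Exchange"),
    ("exch-dfw-03", "10.4.2.3", "Win 2008 R2", "Exchange"),
    ("sp-mia-07", "10.1.5.8", "Win 2008 R2", "SharePoint"),
    ("db-mia-01", "10.5.1.5", "Ubuntu 12.04", "MySQL"),
    ("db-dfw-02", "10.5.1.2", "Ubuntu 12.04", "MySQL"),
]
GROUPS = {  # group name -> tags a VM must ALL carry to be a member
    "SharePoint Servers": {"SharePoint", "Win 2008 R2", "sp"},
    "MySQL Servers": {"MySQL", "Ubuntu 12.04", "db"},
    "Miami DC": {"mia"},
    "San Jose Linux Web Servers": {"sjc", "web", "Ubuntu 12.04"},
}

def vm_tags(name, guest_os, container):
    """Derive the tag set for one VM (role-site-nn naming is assumed)."""
    role, site, _ = name.split("-")
    return {role, site, guest_os, container}

def resolve(inventory, groups=GROUPS):
    """Return {group: [ip, ...]} for VMs whose tags include every group tag."""
    members = {group: [] for group in groups}
    for name, ip, guest_os, container in inventory:
        tags = vm_tags(name, guest_os, container)
        for group, required in groups.items():
            if required <= tags:  # subset test: all required tags present
                members[group].append(ip)
    return members

def uncovered(inventory, groups=GROUPS):
    """Names of VMs that match no group, so no group-based rule covers them."""
    return [n for n, _, os_, c in inventory
            if not any(req <= vm_tags(n, os_, c) for req in groups.values())]

def membership_changes(before, after):
    """Addresses each group gained between two resolutions."""
    gained = {g: sorted(set(after[g]) - set(before[g])) for g in after}
    return {g: ips for g, ips in gained.items() if ips}

if __name__ == "__main__":
    before = resolve(INVENTORY)
    after = resolve(INVENTORY + [("db-mia-05", "10.5.1.9", "Ubuntu 12.04", "MySQL")])
    print(before, uncovered(INVENTORY), membership_changes(before, after), sep="\n")
```

Under these assumptions, db-mia-05 (10.5.1.9) joins both MySQL Servers and Miami DC with no rule edit, while exch-dfw-03 matches no group. Because membership follows tags, control over VM names and attributes is control over policy scope.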


Panorama centralized management and policy automation
Global, centralized management of security policies for all Palo Alto Networks datacenter firewalls, physical or virtual platforms
Centralized logging and reporting
Deploy virtually or via M-100 physical appliance
Scalability to manage up to 1,000 firewalls
Automatically provision security policies together with your existing orchestrated tasks
RESTful XML API over SSL connection enables integration with leading orchestration vendors
Derive management efficiencies via orchestrated:
Application/service/tenant resource allocations
Service state tracking
Policy mapping
[Diagram label: Integration With Orchestration Vendors]
How The Joint Integration Works
VMware NSX and Palo Alto Networks integration
[Diagram label: VM-1000-HV]

Meeting the needs of both infrastructure and security
Accelerate app deployments and unlock cloud agility
Meet expectations of security in new operating model
Increase visibility and protection against cyber attacks
Maintain consistent security controls for all DC traffic
Cloud Security
For more information on the integration, visit
www.paloaltonetworks.com/partners/vmware.html
