1.
Enterprise Grade Security and SSL
termination in ACS 4.3
December 3rd, 2013
@cloudops_
www.cloudops.com

2.
Introductions
• Will Stevens – Lead Developer @ CloudOps
• CloudOps builds and operates clouds of
all shapes and sizes
• Develops cloud infrastructure solutions
and operational models
• 24x7x365 managed service for CloudStack
based cloud infrastructures
• Customers are global
• Based in Montreal, Canada
@cloudops_
www.cloudops.com

3.
To be covered…
• Palo Alto Networks firewall appliance
integration
– Feature overview
– Challenges and decisions
• SSL Termination added to ACS and
implemented for NetScaler
– Certificate management
– SSL Termination overview
@cloudops_
www.cloudops.com

4.
Motivations for Palo Alto integration
CloudStack virtual router:
For Advanced Networking it often handles
NAT, LB, FW, VPN in addition to DHCP, DNS.
Great approach for
horizontally scaled
commodity networking
services BUT can be a
bottleneck and a bit of a
black box security wise
@cloudops_
www.cloudops.com

5.
More reasons why
• Customer driven - Palo Alto is an
increasingly popular enterprise security
product
• Many enterprises require greater visibility
and advanced policies (i.e. content
filtering, heuristics, intrusion detection)
• Use cases: Enterprise private clouds, PCI
compliance, service providers to
enterprise
@cloudops_
www.cloudops.com

6.
Resulting network services
• CloudStack Virtual Router
– DHCP
– DNS
• Palo Alto Service Provider
– Source NAT
– Firewall Rules (Ingress & Egress)
– Static NAT
– Port Forwarding
@cloudops_
www.cloudops.com

7.
Overview of the implementation
@cloudops_
www.cloudops.com

8.
Pre-configure the Palo Alto device
• Setup a Virtual Router on the Palo Alto to
handle the routing of the Public traffic
• Setup a Static Route for the next hop
@cloudops_
www.cloudops.com

9.
Pre-configure the Palo Alto device
• Setup the Public and Private interfaces on
the PA
• Pre-configure the Public interface
according to the Public IP range in CS
@cloudops_
www.cloudops.com

10.
Add the PA as a service provider
• Add the PA device as
a guest network
service provider
• Enable the provider
@cloudops_
www.cloudops.com

11.
Create a Network Offering
• Expose the PA through
a network offering
• PA provides: Source NAT,
Static NAT, Port Forwarding
and Firewall services
• Enable the new offering
@cloudops_
www.cloudops.com

12.
Use the Palo Alto
• Add a network using the service offering
• Launch a VM on the new network
@cloudops_
www.cloudops.com

13.
What actually happened
• A Source NAT IP is allocated on ‘ae1’
• A guest network has been setup on ‘ae2’
• A Source NAT rule now connects the guest
network to the public IP
• A policy isolates the guest network
@cloudops_
www.cloudops.com

14.
Egress firewall rules
@cloudops_
www.cloudops.com

15.
Ingress firewall rules
@cloudops_
www.cloudops.com

16.
Static NAT rules
@cloudops_
www.cloudops.com

17.
Port Forwarding rules
@cloudops_
www.cloudops.com

18.
Support for Palo Alto profiles
• Added support for Palo Alto Networks
‘Security Profile Groups’ and ‘Log
Forwarding Profiles’
• Globally configured at the device level
(for now) and are associated with every
‘allow’ firewall rule
• Enables basic support for
IDS/IPS/Network AV threats, Wildfire
(Anti-Malware), Data Protection, URL
Filtering
@cloudops_
www.cloudops.com

19.
PA VM Appliance Support
• Special considerations to support the Palo
Alto virtual appliance
• Simplify the implementation to the
lowest common denominator
• Using sub-interfaces instead of ‘vsys’ for
configuration isolation
• Ensuring support for the Palo Alto VM
appliance enables support for Palo Alto
running on the NetScaler SDX (currently
in beta)
@cloudops_
www.cloudops.com

20.
Known limitations
• Requires some initial configuration, it is
not entirely plug and play (yet)
• Currently only supports a single Public IP
range
• Public IP usage tracking is currently not
handled
• Fine grain control of ICMP is currently not
handled
• Not validating SSL certificates when ACS
communicates with the Palo Alto device
@cloudops_
www.cloudops.com

21.
Changing gears…
Next up: SSL Termination in ACS…
@cloudops_
www.cloudops.com

22.
SSL Termination in ACS
• Developed by Syed Ahmed @ CloudOps
• To be released in ACS 4.3
• Added Certificate management
–
–
–
–
Supports
Supports
Supports
Supports
certificate verification
certificate trust chains
self-signed certificates
encrypted private keys
• Added a generic SSL Termination implementation
to ACS for external load balancers
• Added SSL Termination support for the NetScaler
by extending the existing NetScalerplugin
@cloudops_
www.cloudops.com

23.
SSL Termination workflow
Add SSL Termination
1) To create an SSL vserver on the NetScaler, use
createLoadBalancerRule with the lb_protocol
parameter set to SSL.
2) Upload the certificate to ACS using
UploadSslCert(cert, key, chain, password_for_key)
3) Assign the certificate to the load balancer rule
AssignCertToLoadBalancer(cert_id, lb_rule_id)
Remove SSL Termination
1) Remove the cert from the load balancer
removeFromLoadBalance(cert_id, lb_rule_id)
2) Remove the certificate
@cloudops_
deleteSslCert(cert_id)
www.cloudops.com

24.
Associated APIs
• Certificate Management
– uploadSSLCert
– deleteSSLCert
– listSSLCerts
• Load Balancer changes/additions
– createLoadBalancerRule
• use ‘lb_protocol=SSL’ to enable SSL termination
– assignToLoadBalancerRule
– removeFromLoadBalancerRule
@cloudops_
www.cloudops.com

25.
Additional notes
• The implementation is not yet available
in the UI, only via the API
• Each certificate can be bound to multiple
load balancer rules
• Each load balancer rule can only be
bound to one certificate
– The bound certificate can be part of a chain
• Does not support revocation lists (yet)
FS:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Ter
mination+Support
@cloudops_
www.cloudops.com

26.
Questions
?
Will Stevens
www.cloudops.com
@cloudops_
@cloudops_
www.cloudops.com