Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Enterprise grade firewall and ssl termination to ac by will stevens

CloudOps has add support for enterprise grade security products in ACS. CloudOps has developed an integration with the Palo Alto Networks firewall appliance to enable ACS to orchestrate network features such as network creation, Source NAT, Static NAT, Port Forwarding and Firewall rules on the Palo Alto device. Additionally, CloudOps has extended ACS to support SSL certificate management as well as SSL termination by external load balancers. The existing ACS NetScaler plugin has been improved to support this new SSL termination functionality. The talk will cover the features added as well as a basic overview of how they are used.

Will Stevens is the Lead Developer at CloudOps. He has been directly involved in extending ACS to support more enterprise grade security functionality. Will has over 10 years experience as a software developer and is primarily focused on cloud integrations at CloudOps.

  • Login to see the comments

Enterprise grade firewall and ssl termination to ac by will stevens

  1. 1. Enterprise Grade Security and SSL termination in ACS 4.3 December 3rd, 2013 @cloudops_
  2. 2. Introductions • Will Stevens – Lead Developer @ CloudOps • CloudOps builds and operates clouds of all shapes and sizes • Develops cloud infrastructure solutions and operational models • 24x7x365 managed service for CloudStack based cloud infrastructures • Customers are global • Based in Montreal, Canada @cloudops_
  3. 3. To be covered… • Palo Alto Networks firewall appliance integration – Feature overview – Challenges and decisions • SSL Termination added to ACS and implemented for NetScaler – Certificate management – SSL Termination overview @cloudops_
  4. 4. Motivations for Palo Alto integration CloudStack virtual router: For Advanced Networking it often handles NAT, LB, FW, VPN in addition to DHCP, DNS. Great approach for horizontally scaled commodity networking services BUT can be a bottleneck and a bit of a black box security wise @cloudops_
  5. 5. More reasons why • Customer driven - Palo Alto is an increasingly popular enterprise security product • Many enterprises require greater visibility and advanced policies (i.e. content filtering, heuristics, intrusion detection) • Use cases: Enterprise private clouds, PCI compliance, service providers to enterprise @cloudops_
  6. 6. Resulting network services • CloudStack Virtual Router – DHCP – DNS • Palo Alto Service Provider – Source NAT – Firewall Rules (Ingress & Egress) – Static NAT – Port Forwarding @cloudops_
  7. 7. Overview of the implementation @cloudops_
  8. 8. Pre-configure the Palo Alto device • Setup a Virtual Router on the Palo Alto to handle the routing of the Public traffic • Setup a Static Route for the next hop @cloudops_
  9. 9. Pre-configure the Palo Alto device • Setup the Public and Private interfaces on the PA • Pre-configure the Public interface according to the Public IP range in CS @cloudops_
  10. 10. Add the PA as a service provider • Add the PA device as a guest network service provider • Enable the provider @cloudops_
  11. 11. Create a Network Offering • Expose the PA through a network offering • PA provides: Source NAT, Static NAT, Port Forwarding and Firewall services • Enable the new offering @cloudops_
  12. 12. Use the Palo Alto • Add a network using the service offering • Launch a VM on the new network @cloudops_
  13. 13. What actually happened • A Source NAT IP is allocated on ‘ae1’ • A guest network has been setup on ‘ae2’ • A Source NAT rule now connects the guest network to the public IP • A policy isolates the guest network @cloudops_
  14. 14. Egress firewall rules @cloudops_
  15. 15. Ingress firewall rules @cloudops_
  16. 16. Static NAT rules @cloudops_
  17. 17. Port Forwarding rules @cloudops_
  18. 18. Support for Palo Alto profiles • Added support for Palo Alto Networks ‘Security Profile Groups’ and ‘Log Forwarding Profiles’ • Globally configured at the device level (for now) and are associated with every ‘allow’ firewall rule • Enables basic support for IDS/IPS/Network AV threats, Wildfire (Anti-Malware), Data Protection, URL Filtering @cloudops_
  19. 19. PA VM Appliance Support • Special considerations to support the Palo Alto virtual appliance • Simplify the implementation to the lowest common denominator • Using sub-interfaces instead of ‘vsys’ for configuration isolation • Ensuring support for the Palo Alto VM appliance enables support for Palo Alto running on the NetScaler SDX (currently in beta) @cloudops_
  20. 20. Known limitations • Requires some initial configuration, it is not entirely plug and play (yet) • Currently only supports a single Public IP range • Public IP usage tracking is currently not handled • Fine grain control of ICMP is currently not handled • Not validating SSL certificates when ACS communicates with the Palo Alto device @cloudops_
  21. 21. Changing gears… Next up: SSL Termination in ACS… @cloudops_
  22. 22. SSL Termination in ACS • Developed by Syed Ahmed @ CloudOps • To be released in ACS 4.3 • Added Certificate management – – – – Supports Supports Supports Supports certificate verification certificate trust chains self-signed certificates encrypted private keys • Added a generic SSL Termination implementation to ACS for external load balancers • Added SSL Termination support for the NetScaler by extending the existing NetScalerplugin @cloudops_
  23. 23. SSL Termination workflow Add SSL Termination 1) To create an SSL vserver on the NetScaler, use createLoadBalancerRule with the lb_protocol parameter set to SSL. 2) Upload the certificate to ACS using UploadSslCert(cert, key, chain, password_for_key) 3) Assign the certificate to the load balancer rule AssignCertToLoadBalancer(cert_id, lb_rule_id) Remove SSL Termination 1) Remove the cert from the load balancer removeFromLoadBalance(cert_id, lb_rule_id) 2) Remove the certificate @cloudops_ deleteSslCert(cert_id)
  24. 24. Associated APIs • Certificate Management – uploadSSLCert – deleteSSLCert – listSSLCerts • Load Balancer changes/additions – createLoadBalancerRule • use ‘lb_protocol=SSL’ to enable SSL termination – assignToLoadBalancerRule – removeFromLoadBalancerRule @cloudops_
  25. 25. Additional notes • The implementation is not yet available in the UI, only via the API • Each certificate can be bound to multiple load balancer rules • Each load balancer rule can only be bound to one certificate – The bound certificate can be part of a chain • Does not support revocation lists (yet) FS: mination+Support @cloudops_
  26. 26. Questions ? Will Stevens @cloudops_ @cloudops_