Transcript
Page 1: Enterprise grade firewall and ssl termination to ac by will stevens

@cloudops_ www.cloudops.com

Enterprise Grade Security and SSL termination in ACS 4.3

December 3rd, 2013

Page 2: Enterprise grade firewall and ssl termination to ac by will stevens

@cloudops_ www.cloudops.com@cloudops_ www.cloudops.com

Introductions

• Will Stevens – Lead Developer @ CloudOps

• CloudOps builds and operates clouds of all shapes and sizes

• Develops cloud infrastructure solutions and operational models

• 24x7x365 managed service for CloudStack based cloud infrastructures

• Customers are global

• Based in Montreal, Canada

Page 3

To be covered…

• Palo Alto Networks firewall appliance integration
– Feature overview
– Challenges and decisions

• SSL Termination added to ACS and implemented for NetScaler
– Certificate management
– SSL Termination overview

Page 4

Motivations for Palo Alto integration

CloudStack virtual router: for Advanced Networking it often handles NAT, LB, FW and VPN in addition to DHCP and DNS.

A great approach for horizontally scaled commodity networking services, BUT it can be a bottleneck and a bit of a black box security-wise.

Page 5

More reasons why

• Customer driven - Palo Alto is an increasingly popular enterprise security product

• Many enterprises require greater visibility and advanced policies (e.g. content filtering, heuristics, intrusion detection)

• Use cases: Enterprise private clouds, PCI compliance, service providers to enterprise

Page 6

Resulting network services

• CloudStack Virtual Router
– DHCP
– DNS

• Palo Alto Service Provider
– Source NAT
– Firewall Rules (Ingress & Egress)
– Static NAT
– Port Forwarding

Page 7

Overview of the implementation

Page 8

Pre-configure the Palo Alto device

• Set up a Virtual Router on the Palo Alto to handle the routing of the Public traffic

• Set up a Static Route for the next hop

Page 9

Pre-configure the Palo Alto device

• Set up the Public and Private interfaces on the PA

• Pre-configure the Public interface according to the Public IP range in CS

Page 10

Add the PA as a service provider

• Add the PA device as a guest network service provider

• Enable the provider

Page 11

Create a Network Offering

• Expose the PA through a network offering

• PA provides: Source NAT, Static NAT, Port Forwarding and Firewall services

• Enable the new offering

Page 12

Use the Palo Alto

• Add a network using the service offering

• Launch a VM on the new network

Page 13

What actually happened

• A Source NAT IP is allocated on ‘ae1’

• A guest network has been set up on ‘ae2’

• A Source NAT rule now connects the guest network to the public IP

• A policy isolates the guest network

Page 14

Egress firewall rules

Page 15

Ingress firewall rules

Page 16

Static NAT rules

Page 17

Port Forwarding rules

Page 18

Support for Palo Alto profiles

• Added support for Palo Alto Networks ‘Security Profile Groups’ and ‘Log Forwarding Profiles’

• Globally configured at the device level (for now) and associated with every ‘allow’ firewall rule

• Enables basic support for IDS/IPS/Network AV threats, Wildfire (Anti-Malware), Data Protection, URL Filtering

Page 19

PA VM Appliance Support

• Special considerations to support the Palo Alto virtual appliance

• Simplify the implementation to the lowest common denominator

• Using sub-interfaces instead of ‘vsys’ for configuration isolation

• Ensuring support for the Palo Alto VM appliance enables support for Palo Alto running on the NetScaler SDX (currently in beta)

Page 20

Known limitations

• Requires some initial configuration; it is not entirely plug and play (yet)

• Currently only supports a single Public IP range

• Public IP usage tracking is currently not handled

• Fine-grained control of ICMP is currently not handled

• SSL certificates are not validated when ACS communicates with the Palo Alto device

Page 21

Changing gears…

Next up: SSL Termination in ACS…

Page 22

SSL Termination in ACS

• Developed by Syed Ahmed @ CloudOps

• To be released in ACS 4.3

• Added Certificate management

– Supports certificate verification

– Supports certificate trust chains

– Supports self-signed certificates

– Supports encrypted private keys

• Added a generic SSL Termination implementation to ACS for external load balancers

• Added SSL Termination support for the NetScaler by extending the existing NetScaler plugin

Page 23

SSL Termination workflow

Add SSL Termination

1) To create an SSL vserver on the NetScaler, use createLoadBalancerRule with the lb_protocol parameter set to SSL.

2) Upload the certificate to ACS using uploadSslCert(cert, key, chain, password_for_key)

3) Assign the certificate to the load balancer rule: assignCertToLoadBalancer(cert_id, lb_rule_id)

Remove SSL Termination

4) Remove the cert from the load balancer: removeFromLoadBalancerRule(cert_id, lb_rule_id)

5) Remove the certificate: deleteSslCert(cert_id)

Page 24

Associated APIs

• Certificate Management
– uploadSSLCert
– deleteSSLCert
– listSSLCerts

• Load Balancer changes/additions
– createLoadBalancerRule
• use ‘lb_protocol=SSL’ to enable SSL termination
– assignToLoadBalancerRule
– removeFromLoadBalancerRule
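As an added example (not CloudOps' or CloudStack's own code), the SSL Termination workflow and the API list above laid out as signed CloudStack API requests in Python. ENDPOINT, API_KEY and SECRET_KEY are constructed placeholders, and the parameter names lb_protocol, cert, key, chain, password_for_key, cert_id and lb_rule_id are taken from the slides as written, so confirm them against the 4.3 API reference or the FS before use; the request-signing scheme itself (sorted, URL-encoded, lowercased query, HMAC-SHA1 with the secret key, base64) is the standard CloudStack one.

```python
# Added example, not CloudOps' or CloudStack's code. ENDPOINT/API_KEY/SECRET_KEY are
# constructed placeholders; the lb_protocol/cert/key/chain/password_for_key/cert_id/
# lb_rule_id parameter names are copied from the slides as written (assumption).
import base64
import hashlib
import hmac
from urllib.parse import quote

ENDPOINT = "https://cloudstack.example.test/client/api"  # constructed placeholder
API_KEY = "EXAMPLE-API-KEY"                              # constructed placeholder
SECRET_KEY = "EXAMPLE-SECRET-KEY"                        # constructed placeholder


def _encode(value):
    """URL-encode one value; every reserved character, '/' and space included, is escaped."""
    return quote(str(value), safe="")


def canonical_query(params):
    """CloudStack's canonical form: encode each value, sort by key, lowercase the whole string."""
    return "&".join(f"{k}={_encode(params[k])}" for k in sorted(params)).lower()


def sign(params, secret):
    """HMAC-SHA1 over the canonical query, keyed with the account's secret key, base64-encoded."""
    mac = hmac.new(secret.encode(), canonical_query(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_request(command, **params):
    """Signed GET URL: the query keeps its case (the server lowercases it before verifying)."""
    params.update(command=command, apikey=API_KEY, response="json")
    query = "&".join(f"{k}={_encode(params[k])}" for k in sorted(params))
    return f"{ENDPOINT}?{query}&signature={_encode(sign(params, SECRET_KEY))}"


def ssl_termination_plan(lb_name, public_ip_id, cert_pem, key_pem, chain_pem, key_password):
    """Steps 1-3 of 'Add SSL Termination'; ids returned by steps 1 and 2 appear as placeholders."""
    return [
        build_request("createLoadBalancerRule", name=lb_name, publicipid=public_ip_id,
                      algorithm="roundrobin", publicport=443, privateport=443, lb_protocol="SSL"),
        build_request("uploadSslCert", cert=cert_pem, key=key_pem, chain=chain_pem,
                      password_for_key=key_password),
        build_request("assignCertToLoadBalancer", cert_id="<cert_id from step 2>",
                      lb_rule_id="<lb_rule_id from step 1>"),
    ]


def ssl_termination_teardown(cert_id, lb_rule_id):
    """Steps 4-5 of 'Remove SSL Termination': unbind first, then delete the certificate."""
    return [
        build_request("removeFromLoadBalancerRule", cert_id=cert_id, lb_rule_id=lb_rule_id),
        build_request("deleteSslCert", cert_id=cert_id),
    ]
```

The private key and its password travel inside the signed query, so the call must only ever go over HTTPS to an endpoint whose certificate the client verifies.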

Page 25

Additional notes

• The implementation is not yet available in the UI, only via the API

• Each certificate can be bound to multiple load balancer rules

• Each load balancer rule can only be bound to one certificate
– The bound certificate can be part of a chain

• Does not support revocation lists (yet)

FS: https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Termination+Support

Page 26

Questions

Will Stevens
www.cloudops.com
@cloudops_
