@cloudops_ www.cloudops.com
Enterprise Grade Security and SSL termination in ACS 4.3
December 3rd, 2013
Introductions
• Will Stevens – Lead Developer @ CloudOps
• CloudOps builds and operates clouds of all shapes and sizes
• Develops cloud infrastructure solutions and operational models
• 24x7x365 managed service for CloudStack based cloud infrastructures
• Customers are global
• Based in Montreal, Canada
To be covered…
• Palo Alto Networks firewall appliance integration
– Feature overview
– Challenges and decisions
• SSL Termination added to ACS and implemented for NetScaler
– Certificate management
– SSL Termination overview
Motivations for Palo Alto integration
CloudStack virtual router: for Advanced Networking it often handles NAT, LB, FW, VPN in addition to DHCP, DNS.
Great approach for horizontally scaled commodity networking services, BUT it can be a bottleneck and a bit of a black box security-wise.
More reasons why
• Customer driven - Palo Alto is an increasingly popular enterprise security product
• Many enterprises require greater visibility and advanced policies (i.e. content filtering, heuristics, intrusion detection)
• Use cases: Enterprise private clouds, PCI compliance, service providers to enterprise
Resulting network services
• CloudStack Virtual Router
– DHCP
– DNS
• Palo Alto Service Provider
– Source NAT
– Firewall Rules (Ingress & Egress)
– Static NAT
– Port Forwarding
Overview of the implementation
Pre-configure the Palo Alto device
• Set up a Virtual Router on the Palo Alto to handle the routing of the Public traffic
• Set up a Static Route for the next hop
Pre-configure the Palo Alto device
• Set up the Public and Private interfaces on the PA
• Pre-configure the Public interface according to the Public IP range in CS
Add the PA as a service provider
• Add the PA device as a guest network service provider
• Enable the provider
Create a Network Offering
• Expose the PA through a network offering
• PA provides: Source NAT, Static NAT, Port Forwarding and Firewall services
• Enable the new offering
Use the Palo Alto
• Add a network using the service offering
• Launch a VM on the new network
What actually happened
• A Source NAT IP is allocated on ‘ae1’
• A guest network has been set up on ‘ae2’
• A Source NAT rule now connects the guest network to the public IP
• A policy isolates the guest network
Egress firewall rules
Ingress firewall rules
Static NAT rules
Port Forwarding rules
Support for Palo Alto profiles
• Added support for Palo Alto Networks ‘Security Profile Groups’ and ‘Log Forwarding Profiles’
• Globally configured at the device level (for now) and are associated with every ‘allow’ firewall rule
• Enables basic support for IDS/IPS/Network AV threats, Wildfire (Anti-Malware), Data Protection, URL Filtering
PA VM Appliance Support
• Special considerations to support the Palo Alto virtual appliance
• Simplify the implementation to the lowest common denominator
• Using sub-interfaces instead of ‘vsys’ for configuration isolation
• Ensuring support for the Palo Alto VM appliance enables support for Palo Alto running on the NetScaler SDX (currently in beta)
Known limitations
• Requires some initial configuration; it is not entirely plug and play (yet)
• Currently only supports a single Public IP range
• Public IP usage tracking is currently not handled
• Fine-grained control of ICMP is currently not handled
• Not validating SSL certificates when ACS communicates with the Palo Alto device
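The last limitation is worth seeing in code. The example below is an added illustration, not code from the deck or from the CloudStack Palo Alto plugin; it assumes the ACS-to-device management channel is HTTPS and shows the weak client setting (no certificate validation, which is what the limitation describes) next to the hardened one (trusted chain plus hostname match, with the device's CA or self-signed certificate supplied as PEM). The helper names are hypothetical.

```python
import http.client
import ssl


def pa_management_context(verify=True, ca_pem=None):
    """TLS context for ACS -> Palo Alto management API calls (hypothetical helper).

    verify=False reproduces the deck's known limitation: the device certificate is
    never checked, so a spoofed or intercepting endpoint is accepted silently.
    verify=True is the hardened form: require a trusted chain and a hostname match.
    ca_pem is the PEM text of the CA (or the device's own self-signed cert) to trust.
    """
    if not verify:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False        # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE   # weak: any certificate is accepted
        return ctx
    ctx = ssl.create_default_context()    # system trust store, CERT_REQUIRED
    if ca_pem is not None:
        ctx.load_verify_locations(cadata=ca_pem)  # add the device/private CA
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Summarise whether a context would actually validate the peer."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def pa_api_get(host, path, ctx, timeout=10):
    """Issue one GET to the device management interface over the given context.

    With the hardened context this raises ssl.SSLCertVerificationError when the
    device presents an untrusted or mismatched certificate instead of proceeding.
    """
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    print("weak:", audit_context(pa_management_context(verify=False)))
    print("hardened:", audit_context(pa_management_context(verify=True)))
```

For a device with a self-signed management certificate, passing that certificate's PEM as `ca_pem` pins trust to exactly that certificate rather than disabling validation altogether.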
Changing gears…
Next up: SSL Termination in ACS…
SSL Termination in ACS
• Developed by Syed Ahmed @ CloudOps
• To be released in ACS 4.3
• Added Certificate management
– Supports certificate verification
– Supports certificate trust chains
– Supports self-signed certificates
– Supports encrypted private keys
• Added a generic SSL Termination implementation to ACS for external load balancers
• Added SSL Termination support for the NetScaler by extending the existing NetScaler plugin
SSL Termination workflow
Add SSL Termination
1) To create an SSL vserver on the NetScaler, use createLoadBalancerRule with the lb_protocol parameter set to SSL.
2) Upload the certificate to ACS using UploadSslCert(cert, key, chain, password_for_key)
3) Assign the certificate to the load balancer rule: AssignCertToLoadBalancer(cert_id, lb_rule_id)
Remove SSL Termination
4) Remove the cert from the load balancer: removeFromLoadBalance(cert_id, lb_rule_id)
5) Remove the certificate: deleteSslCert(cert_id)
Associated APIs
• Certificate Management
– uploadSSLCert
– deleteSSLCert
– listSSLCerts
• Load Balancer changes/additions
– createLoadBalancerRule
• use ‘lb_protocol=SSL’ to enable SSL termination
– assignToLoadBalancerRule
– removeFromLoadBalancerRule
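The five-step workflow and the API list above can be exercised as one signed API sequence. The script below is an added example, not code from the deck or from CloudStack itself: it implements the CloudStack API request signing rule (sorted, URL-encoded, lowercased query string, HMAC-SHA1 with the account secret key, Base64) and then walks steps 1 to 5 against a recording stand-in for the HTTP client. Command and parameter names follow the workflow slide; the "Associated APIs" slide spells some of them differently, so the exact names should be taken from the FS before use. The endpoint, keys, certificate material and returned ids are all constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote_plus, urlencode

# Constructed credentials and endpoint; real values come from the ACS account's
# API keys and the management server URL.
API_KEY = "example-api-key"
SECRET_KEY = "example-secret-key"
ENDPOINT = "https://acs.example.invalid/client/api"

# Constructed placeholders standing in for real PEM material.
CERT_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----"
KEY_PEM = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----"
CHAIN_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-INTERMEDIATE\n-----END CERTIFICATE-----"


def sign_request(params, api_key=API_KEY, secret_key=SECRET_KEY):
    """Return params plus apikey/response and CloudStack's HMAC-SHA1 signature.

    Signing rule: sort parameters case-insensitively by name, URL-encode each
    value (spaces as %20), join as key=value&..., lowercase the whole string,
    HMAC-SHA1 it with the secret key and Base64-encode the digest.
    """
    p = {k: str(v) for k, v in params.items()}
    p["apikey"] = api_key
    p.setdefault("response", "json")
    canonical = "&".join(
        f"{k}={quote_plus(v).replace('+', '%20')}"
        for k, v in sorted(p.items(), key=lambda kv: kv[0].lower())
    ).lower()
    digest = hmac.new(secret_key.encode(), canonical.encode(), hashlib.sha1).digest()
    p["signature"] = base64.b64encode(digest).decode()
    return p


def build_url(params, api_key=API_KEY, secret_key=SECRET_KEY, endpoint=ENDPOINT):
    """Signed GET URL; urlencode() percent-encodes the Base64 signature."""
    return endpoint + "?" + urlencode(sign_request(params, api_key, secret_key))


def add_ssl_termination(send, publicip_id, cert, key, chain, key_password):
    """Steps 1-3: create the SSL vserver, upload the certificate, bind it.

    `send` takes a parameter dict and returns the decoded response dict.
    Parameter keys mirror the deck's argument lists and are assumptions.
    """
    lb = send({
        "command": "createLoadBalancerRule",
        "name": "web-ssl",
        "publicipid": publicip_id,
        "publicport": 443,
        "privateport": 8080,
        "algorithm": "roundrobin",
        "lb_protocol": "SSL",            # deck: lb_protocol=SSL creates an SSL vserver
    })
    lb_rule_id = lb["id"]
    cert_resp = send({
        "command": "uploadSslCert",
        "cert": cert,
        "key": key,                      # encrypted private key is supported ...
        "chain": chain,                  # ... as is an intermediate chain
        "password_for_key": key_password,
    })
    cert_id = cert_resp["id"]
    send({"command": "assignCertToLoadBalancer", "cert_id": cert_id, "lb_rule_id": lb_rule_id})
    return lb_rule_id, cert_id


def remove_ssl_termination(send, cert_id, lb_rule_id):
    """Steps 4-5, in the deck's order: unbind from the rule, then delete the cert."""
    send({"command": "removeFromLoadBalance", "cert_id": cert_id, "lb_rule_id": lb_rule_id})
    send({"command": "deleteSslCert", "cert_id": cert_id})


class RecordingSender:
    """Stand-in for an HTTP client: records signed URLs, returns constructed ids."""

    def __init__(self):
        self.calls = []
        self.urls = []

    def __call__(self, params):
        self.calls.append(params["command"])
        self.urls.append(build_url(params))
        return {"id": f"{params['command']}-id-{len(self.calls)}"}


def demo_workflow():
    """Run both halves against the recording sender; returns the command order."""
    sender = RecordingSender()
    lb_rule_id, cert_id = add_ssl_termination(
        sender, "pubip-1", CERT_PEM, KEY_PEM, CHAIN_PEM, "changeit")
    remove_ssl_termination(sender, cert_id, lb_rule_id)
    return sender.calls


if __name__ == "__main__":
    for command in demo_workflow():
        print(command)
```

To run it against a real management server, replace `RecordingSender` with a function that performs the GET on the URL from `build_url` and decodes the JSON body; the signing and the step order stay the same.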
Additional notes
• The implementation is not yet available in the UI, only via the API
• Each certificate can be bound to multiple load balancer rules
• Each load balancer rule can only be bound to one certificate
– The bound certificate can be part of a chain
• Does not support revocation lists (yet)
FS: https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Termination+Support
Questions?
Will Stevens
www.cloudops.com
@cloudops_