A Sensible Approach to Applying Security in Multi-Cloud Network Environments


Page 1: A Sensible Approach to Applying Security in Multi-Cloud Network Environments

© 2020 Juniper Networks 1

Security Specialist / Juniper Networks Korea


박달수, Director ([email protected])

Page 2

Agenda

• Network Security in Cloud

• Leveraging Metadata for Multi-Cloud

• Contrail Security

• Container Firewall

Page 3

Pets vs Cattle

Datacenter: Pets | Cloud: Cattle

Page 4

Cloud security concerns

Cloud attacks are on the rise!

• (Gartner) The cloud services market is expected to grow 17% in 2020.

• (New York Times) In 2019 more than 200,000 businesses suffered ransomware attacks, a 41% increase over 2018.

• (Verizon 2019 Data Breaches Report) 69% of attackers come from outside the organization. Attacks on cloud-based applications such as email servers are increasing.

APAC service providers must scale up and scale out security infrastructure to meet the demands of distributed clouds.

Page 5

The Cloud shared responsibility model

Pizza-as-a-Service Cloud Services

Reference: O’Reilly Media, Practical Cloud Security by Chris Dotson Chapter 1.5

Page 6

Network Security in the Cloud

• Applying Network Controls

– White List, Black List, ACL, NACL

– VPC

– Proxy

• Encryption

– TLS

– Certificates

• Firewall and Network Segmentation

– DMZ

– NAT

– Security Groups

• Administrative Access

– Jump Host / Bastion Host

– VPN

• DDoS

• Egress Filtering

• Application Security

– IDS / IPS

– AppID

– Security Intelligence

Page 7

Multi-Cloud Security Leveraging Metadata

Page 8

Public Cloud | Private Cloud | On-Premise

Page 9

KEY CHALLENGE FOR CISO & SECURITY ADMINS

Support business agility while mitigating cybersecurity risk

Figure labels: AI, Blockchain; IoT, Serverless; Active Directory; On-Prem; Juniper Contrail

Page 10

Introduction to Labels/Metadata

Tag/Label (Customer Defined Key Value Pair)

Makes resources easy to search and filter.

Tagging is available on every public cloud service, on the NSX platform and Juniper's Contrail, and in K8s (Metadata/Labels).

Used by many groups and for many capabilities:

• Technical

• Automation

• Business

• Security

Tagging feature by cloud vendor:

Cloud Vendor | Feature Name

AWS | Tags

Microsoft Azure | Tags

Google Compute Platform | Labels and Network Tags

IBM Cloud | Tags

Page 11

Evolution of the IT Operating Model

Traditional IT (Waterfall) model:

Development team: builds the application(s)

Server operations team: procure servers

Network operations team: provision network

Security operations team: secure application

Storage team: provision storage

OPERATIONS TEAM: launch and operate apps & infra

2-6 WEEKS, repeated for each application

Cloud operational model:

Development team: builds the application(s)

CLOUD (SECURITY) TEAM: provides blueprints and templates (metadata-based) for every application

DEV/OPS TEAM: launch and operate apps & infra

Repeat

Page 12

Consistent Policy Across Diverse Platforms

Cross Platforms, Multi-Point Enforcement

Security in a multi-cloud environment

• L4 policy is enforced at the controller's vRouter

• L7 policy is enforced at the host-based L7 firewall

Site = US

• The same policy set extends to Mesos, AWS, Kubernetes and Bare Metal Servers

Single policy, no policy rewrite … Define Once → Enforce Everywhere

Figure labels: Security administrator; Web, App, DB; Host-Based FW; Controller; DEFINITION / ENFORCEMENT; L4, L7; OpenStack; vRouter

Application flow visibility & policy configuration

• Provides visibility, analytics and orchestration for security configuration

• Provides reporting, troubleshooting and compliance

Detects each application traffic flow (inter- or intra-application) before policy is applied

Page 13

Figure: a Web / App / db tier set for App1 in each deployment: Dev-AWS, Dev, Staging, Prod, Dev-K8s, Dev-Mesos, Staging-BMS (Bare Metal Servers). One Policy applies to all of them.

▪ Drastically reduced complexity through fewer security policies

▪ Simplified management with minimal changes

▪ Improved scalability

▪ Define, review, approve once, apply everywhere

No policy rewrite

A consistent policy on multiple platforms

Page 14

Policy Enforcer: extracting metadata to build security policy

Figure labels: CONTRAIL CONTROLLER (Web UI, OpenStack, Other Orch.; Analytics, Config, Apps); Bare Metal Server; Compute with vRouter (Kernel / DPDK, vCenter); Smart NIC vRouter; Public Cloud Instance; Operator; Policy definition; Policy Enforcer; Labels, Groups synchronization; Host-Based L7 Firewall; Juniper SRX; vRouter

L4 & L7 redirect policy configurations

Multiple policy enforcement points for both L4 and L7 firewalls, focused on compatibility & performance

The vRouter handles L4-based policy and steers traffic to the L7 FW for advanced security services.

Page 15

Clear Application Flow and Alarms

Label the resources, easy to monitor

Page 16

Advantage: consistent policy regardless of where the data lives

Single policy across all deployments

Leverage tags instead of traditional IP addresses in security policies

Automated workload and metadata discovery

Quarantine infected workloads to a specific security group

Faster application deployments with reduced overhead

Page 17

Example application

Policy:

SRC | DEST | ACTION

STAGE=DEVTEST | STAGE=PROD AND PCI=TRUE | DENY

Benefits:

1. Better fit for workflow view

2. Contextual picture about each end point in the network

3. Portable policy across different domains

Inventory:

Name | IP Address | META-DATA

Foo | 70.20.1.6 | STAGE=DEVTEST, PCI=FALSE

Bar | 80.10.2.4 | STAGE=PROD

Attribute | Possible Values

STAGE | DEVTEST, STAGING, PROD

PCI | TRUE, FALSE

<custom> | <custom>

Workflow: 1. Define tags, 2. Define policy, 3. Apply security (Security Team, DevOps Team)

SRX: rules with DAG; DAG updates do not require a commit

Page 18

Example application: metadata to define operational security

Operating modes: NORMAL ACCESS POLICY; ENABLE ADDITIONAL LOGGING & IPS; DISABLE SERVICE ACCESS

SRC | DEST | CONDITION | ACTIONS

EMPLOYEES | INTERNET VIDEO | THREAT LEVEL = GREEN | PERMIT

EMPLOYEES | INTERNET VIDEO | THREAT LEVEL = ORANGE | PERMIT, LOG, IPS

EMPLOYEES | INTERNET VIDEO | THREAT LEVEL = RED | DENY

Manual settings → corresponding action

Benefits:

1. Security policy that dynamically adapts to an ever-changing security environment

2. Pre-defined policy sets swapped with one click of a button

3. Huge OpEx savings
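Worked example, added here and not code from the slides or from Juniper: a first-match, default-deny evaluator that expresses the page 17 rule (STAGE=DEVTEST to STAGE=PROD AND PCI=TRUE, DENY) and the page 18 rules (EMPLOYEES to INTERNET VIDEO, action chosen by THREAT LEVEL) with tag selectors instead of IP addresses. Foo, Bar and the rule rows come from the slides; the Workload and Rule types, the extra workloads PayDB and Foo-k8s, the GROUP/APP tags and the THREAT_LEVEL context key are assumptions made for the example.

```python
"""Tag-based (metadata-driven) firewall policy evaluation.

Added example, not Juniper code. Rules address workloads by the metadata
they were discovered with; the runtime context (threat level) selects
among otherwise identical rules. All sample data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Workload:
    """A workload as the policy enforcer sees it: address plus tags (sample data)."""
    name: str
    ip: str
    tags: Dict[str, str]


@dataclass
class Rule:
    """SRC/DEST are tag selectors. Several keys in one selector are ANDed
    (slide 17: STAGE=PROD AND PCI=TRUE). An empty condition means 'always'."""
    src: Dict[str, str]
    dst: Dict[str, str]
    action: str                                   # "PERMIT" or "DENY"
    condition: Dict[str, str] = field(default_factory=dict)  # e.g. {"THREAT_LEVEL": "ORANGE"}
    extras: Tuple[str, ...] = ()                  # e.g. ("LOG", "IPS")


def selector_matches(selector: Dict[str, str], tags: Dict[str, str]) -> bool:
    """Every key/value of the selector must be present in the tags."""
    return all(tags.get(key) == value for key, value in selector.items())


def evaluate(rules: List[Rule], src: Workload, dst: Workload,
             context: Dict[str, str]) -> Tuple[str, Tuple[str, ...], Optional[int]]:
    """First matching rule wins; returns (action, extras, rule index).
    Nothing matched -> default deny with index None."""
    for idx, rule in enumerate(rules):
        if (selector_matches(rule.src, src.tags)
                and selector_matches(rule.dst, dst.tags)
                and selector_matches(rule.condition, context)):
            return rule.action, rule.extras, idx
    return "DENY", (), None


# Constructed inventory: Foo and Bar follow slide 17; PayDB (a PCI production
# workload) and Foo-k8s (Foo redeployed on Kubernetes) are assumed.
WORKLOADS = {
    "Foo":     Workload("Foo", "70.20.1.6", {"STAGE": "DEVTEST", "PCI": "FALSE"}),
    "Bar":     Workload("Bar", "80.10.2.4", {"STAGE": "PROD"}),
    "PayDB":   Workload("PayDB", "80.10.2.9", {"STAGE": "PROD", "PCI": "TRUE"}),
    "Foo-k8s": Workload("Foo-k8s", "10.244.3.17", {"STAGE": "DEVTEST", "PCI": "FALSE"}),
    "Staff":   Workload("Staff", "10.1.0.0/16", {"GROUP": "EMPLOYEES"}),
    "Video":   Workload("Video", "0.0.0.0/0", {"GROUP": "INTERNET", "APP": "VIDEO"}),
}

# Rule 0 is the slide 17 row; rules 1-3 are the slide 18 rows.
RULES = [
    Rule({"STAGE": "DEVTEST"}, {"STAGE": "PROD", "PCI": "TRUE"}, "DENY"),
    Rule({"GROUP": "EMPLOYEES"}, {"GROUP": "INTERNET", "APP": "VIDEO"}, "PERMIT",
         condition={"THREAT_LEVEL": "GREEN"}),
    Rule({"GROUP": "EMPLOYEES"}, {"GROUP": "INTERNET", "APP": "VIDEO"}, "PERMIT",
         condition={"THREAT_LEVEL": "ORANGE"}, extras=("LOG", "IPS")),
    Rule({"GROUP": "EMPLOYEES"}, {"GROUP": "INTERNET", "APP": "VIDEO"}, "DENY",
         condition={"THREAT_LEVEL": "RED"}),
]


def decide(src_name: str, dst_name: str, threat_level: str = "GREEN"):
    """Evaluate one flow between two named workloads under a threat level."""
    context = {"THREAT_LEVEL": threat_level}
    return evaluate(RULES, WORKLOADS[src_name], WORKLOADS[dst_name], context)


if __name__ == "__main__":
    for src, dst, level in [("Foo", "PayDB", "GREEN"), ("Foo-k8s", "PayDB", "GREEN"),
                            ("Foo", "Bar", "GREEN"), ("Staff", "Video", "GREEN"),
                            ("Staff", "Video", "ORANGE"), ("Staff", "Video", "RED")]:
        action, extras, idx = decide(src, dst, level)
        print(f"{src:8} -> {dst:6} @ {level:6}: {action} {extras} (rule {idx})")
```

Foo-k8s has a different address from Foo but the same tags, so it gets the same verdict from the same rule; only the tag-to-address mapping changed, which is the "DAG updates do not require commit" point on page 17. Bar carries STAGE=PROD without PCI=TRUE, so the ANDed selector does not match and the flow falls through to the default.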

Page 19

Before: Manual, Slow

No label, multiple platforms, different policies, hard to manage.

No label, no consistent security report.

Multiple groups and devices such as FW, switches, routers.

Figure labels: Incident Response; Net-Sec Operations; Endpoint Security; Malware Found; TKT; Feed

After: Automatic, Fast

Manage diverse workload resources and apply security

Clear reporting

Consistent security policy across the multi-cloud environment

Benefit with Juniper's security solution

Page 20

CloudWatch and Security Hub Integration

A cloud agent runs on the vSRX

• Collects metrics data from daemons/ services in vSRX

• Sends to CloudWatch at a configured interval

• Collects Security alerts and imports the alerts to Security Hub in Security Finding format

Metrics exported to CloudWatch include (not limited to)

1. CPU Utilization (both Control and Data plane)

2. Memory Utilization (Control and Data plane)

3. Input/ output pps and kbps

Security Hub findings are from:

• IDP

• IPSEC-VPN

• SCREEN

• Session (session-close/session-create/session-deny)

• TCP-SYS-FLOOD

• UTM (anti-spam/anti-virus/web-filter/content-filter)
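Added example, not the vSRX cloud agent's code: what "imports the alerts to Security Hub in Security Finding format" entails. It maps alert lines from the sources the slide lists (IDP, SCREEN, session, TCP-SYN-flood, UTM) onto the required fields of the AWS Security Finding Format (ASFF). The ASFF field names are the real ones; the alert line layout, the severity and type mapping, and the account, region and instance identifiers are constructed assumptions.

```python
"""Convert firewall alert lines into AWS Security Finding Format (ASFF) records.

Added example, not Juniper code. Log line layout (constructed):
    <timestamp> <host> <SOURCE> <event> key=value key=value ...
"""
import hashlib
import json
import re
from typing import Dict, List, Tuple

SCHEMA_VERSION = "2018-10-08"          # the ASFF schema version string
ACCOUNT_ID = "123456789012"            # placeholder AWS account
REGION = "ap-northeast-2"
INSTANCE_ID = "i-EXAMPLE0000000000"    # placeholder vSRX instance id

# Constructed mapping from the slide's alert sources to an ASFF severity
# label and an ASFF type namespace; a real deployment would tune this.
FINDING_CLASS = {
    "IDP":           ("HIGH",   "TTPs/Initial Access"),
    "SCREEN":        ("MEDIUM", "Unusual Behaviors/Network Flow"),
    "TCP-SYN-FLOOD": ("HIGH",   "Unusual Behaviors/Network Flow"),
    "UTM":           ("MEDIUM", "TTPs/Execution"),
    "SESSION":       ("LOW",    "Unusual Behaviors/Network Flow"),
}

# Fields Security Hub rejects a finding without.
REQUIRED = ("SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId",
            "Types", "CreatedAt", "UpdatedAt", "Severity", "Title", "Description",
            "Resources")

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<source>[A-Z-]+)\s+"
                     r"(?P<event>\S+)\s+(?P<kv>.*)$")


def parse_alert(line: str) -> Dict[str, str]:
    """Split the constructed line layout into a flat field dict."""
    match = LINE_RE.match(line.strip())
    if not match:
        raise ValueError(f"unrecognised alert line: {line!r}")
    fields = match.groupdict()
    fields.update(dict(re.findall(r"(\w+)=(\S+)", fields.pop("kv"))))
    return fields


def to_finding(line: str, account_id: str, region: str, instance_id: str) -> dict:
    """Build one ASFF record; raises ValueError for unknown or malformed alerts."""
    alert = parse_alert(line)
    if alert["source"] not in FINDING_CLASS:
        raise ValueError(f"unknown alert source: {alert['source']}")
    severity, asff_type = FINDING_CLASS[alert["source"]]
    # Deterministic Id: re-importing the same alert updates the finding
    # instead of creating a duplicate.
    digest = hashlib.sha256(line.strip().encode()).hexdigest()
    meta_keys = ("ts", "host", "source", "event")
    return {
        "SchemaVersion": SCHEMA_VERSION,
        "Id": f"{alert['host']}/{digest}",
        # ARN shape for a custom (non-partner) product integration.
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": f"{alert['host']}/{alert['source']}",
        "AwsAccountId": account_id,
        "Types": [asff_type],
        "CreatedAt": alert["ts"],
        "UpdatedAt": alert["ts"],
        "Severity": {"Label": severity},
        "Title": f"{alert['source']} {alert['event']} on {alert['host']}",
        "Description": f"{alert['event']} from {alert.get('src', '?')} to {alert.get('dst', '?')}",
        "Resources": [{"Type": "AwsEc2Instance", "Id": instance_id, "Region": region}],
        "ProductFields": {k: v for k, v in alert.items() if k not in meta_keys},
    }


def missing_required(finding: dict) -> List[str]:
    """Return the required ASFF fields a finding lacks (empty list = importable)."""
    return [key for key in REQUIRED if key not in finding]


def alerts_to_findings(lines: List[str], account_id: str, region: str,
                       instance_id: str) -> Tuple[List[dict], List[str]]:
    """Batch conversion; malformed or unknown lines are returned, not dropped silently."""
    findings, skipped = [], []
    for line in lines:
        try:
            findings.append(to_finding(line, account_id, region, instance_id))
        except ValueError:
            skipped.append(line)
    return findings, skipped


# Constructed sample alerts (third line uses a source the mapping does not know).
SAMPLE_ALERTS = [
    "2020-04-25T09:30:00Z vsrx-1 SESSION session-deny src=10.0.1.5 dst=203.0.113.10 dport=22 proto=tcp policy=deny-ssh",
    "2020-04-25T09:31:12Z vsrx-1 IDP attack src=198.51.100.7 dst=10.0.2.20 dport=80 sig=EXAMPLE-SIG-1 action=drop",
    "2020-04-25T09:32:00Z vsrx-1 FOO unknown-event x=1",
]

if __name__ == "__main__":
    found, skipped = alerts_to_findings(SAMPLE_ALERTS, ACCOUNT_ID, REGION, INSTANCE_ID)
    print(json.dumps(found, indent=2))
    print("skipped:", skipped)
```

The records produced are the shape passed to the Security Hub BatchImportFindings API; the deterministic Id and the unknown-source handling are the two details a collector most often gets wrong (duplicate findings on every poll, and silently dropped alerts).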

Page 21

Juniper's 'Connected Security'

Figure labels: Adv. Threat Detection; Automation; Orchestration; DDoS Prevention; Anomaly Detection; Behavioral Intelligence; Zero Day; User & Application Controls; Micro-Segmentation; Securing Micro-Services; Public & Private Workloads; Identity; APT; Compliance; DNS Security

Switches, Routers, Access Points, Firewalls, Devices

Page 22

Automated isolation across the entire infrastructure

No need to look up IP addresses or other details

No need to update each system

No need to wait for the threat to move through a security system

Juniper works with the network and infrastructure.

Page 23

Container Firewall

Page 24

Containers vs. virtual machines (VMs)

Source: https://www.docker.com/resources/what-container#/package_software

Page 25

cSRX: container-based firewall

• The first Docker-based containerized firewall

• Operates in L3 mode or as a "bump in the wire"

• Provides a range of security functions beyond basic firewalling (AppFW, IPS, UTM, NAT, UserFW, etc.)

• Managed through NETCONF, an SDN controller, management applications, etc.

cSRX*

Page 26

vSRX (VM) and cSRX (container) compared

Item | vSRX | cSRX

Use Cases | Integrated routing, security, NAT, VPN, high performance | L4-L7 security, low footprint

vCPU Requirement | Minimum 2, static reservation | No reservation; 2 vCPUs required

Memory Requirement | 4GB minimum | 1GB minimum

NAT | Yes | Yes

Dynamic Routing | Yes | No

IPSec VPN | Yes | No

Boot-Up Time | ~minutes | <1 second

Host Requirement | Must support KVM/VMware HVs | Must support Docker containers

Page 27

Secure-wire mode

Implemented as a "bump in the wire" in secure-wire mode

Only two interfaces configurable (no IP addresses)

Page 28

Contrail security: host-based FW with cSRX

Figure labels: X86 Compute; Linux Kernel; cSRX; Workloads; Contrail vRouter; workload-to-workload encryption

Containerized NGFW on every host, integrated into the datapath (out of the box).

Page 29

Use Case

Use Case | Feature Description | Benefit

Microsegmentation, East/West Protection | cSRX integration with Contrail vRouter | Contrail use cases gain L4-L7 security

Application Protection | cSRX support for Kubernetes (K8s) | K8s is the de facto standard for container orchestration

5G Edge Network, Cloud | Protection of 5G container-based applications | Dynamic scaling and Layer 7 protection

Page 30

Everything Moved to the Cloud

Page 31

Thank you