Smart ways to apply security in a multi-cloud network environment
TRANSCRIPT
© 2020 Juniper Networks 1
Security Specialist / Juniper Networks Korea
Director Dalsu Park (박달수) ([email protected])
Agenda
• Network Security in Cloud
• Leveraging Metadata for Multi-Cloud
• Contrail Security
• Container Firewall
Pets vs Cattle
[Figure: Datacenter = Pets, Cloud = Cattle]
Cloud security concerns
Cloud attacks are increasing!
• (Gartner) The cloud services market is expected to grow 17% in 2020
• (New York Times) In 2019 more than 200,000 companies were hit by ransomware attacks, a 41% increase over 2018
• (Verizon 2019 Data Breaches Report) 69% of attackers come from outside the organization; attacks on cloud-based applications such as email servers are increasing
APAC service providers must scale up and scale out security infrastructure to meet the demands of distributed clouds.
The Cloud shared responsibility model
[Figure: Pizza-as-a-Service compared with cloud service models]
Reference: O'Reilly Media, Practical Cloud Security by Chris Dotson, Chapter 1.5
Network Security in the Cloud
• Applying Network Controls
– White List, Black List, ACL, NACL
– VPC
– Proxy
• Encryption
– TLS
– Certificates
• Firewall and Network Segmentation
– DMZ
– NAT
– Security Groups
• Administrative Access
– Jump Host / Bastion Host
– VPN
• DDoS
• Egress Filtering
• Application Security
– IDS / IPS
– AppID
– Security Intelligence
Multi-cloud security using metadata
[Figure: Public Cloud, Private Cloud, On-Premise]
KEY CHALLENGE FOR CISO & SECURITY ADMINS
Support business agility while mitigating cybersecurity risk
[Figure: AI, Blockchain; IoT, Serverless; Active Directory; On-Prem; Juniper Contrail]
Introduction to Labels/Metadata
Tag/Label (Customer Defined Key Value Pair)
Makes searching and filtering resources easy.
Tagging is available on every public cloud service, as well as on Juniper's NSX Platform and Contrail, and on K8s (Metadata/Labels).
Used by many groups and for many capabilities:
• Technical
• Automation
• Business
• Security

Tagging feature names by cloud vendor:
  Cloud Vendor       Feature Name
  AWS                Tags
  Microsoft Azure    Tags
  Compute Platform   Labels and Network Tags
  IBM Cloud          Tags
Evolution of the IT operating model
Traditional IT (Waterfall) model:
• Development team builds the application(s)
• Server operations team: procure servers
• Network operations team: provision network
• Security operations team: secure application
• Storage team: provision storage
• OPERATIONS TEAM: launch and operate apps & infra
• Takes 2-6 weeks, repeated for each application

Cloud operational model:
• Development team builds the application(s)
• CLOUD (SECURITY) TEAM: provides blueprints and templates for all applications (metadata-based)
• DEV/OPS TEAM: launch and operate apps & infra
• Repeat
Consistent policy enforcement across diverse platforms
Cross Platforms / Multi-Point Enforcement
Security in a multi-cloud environment
• L4 policy is enforced in the controller's vRouter
• L7 policy is enforced in a host-based L7 firewall
• The same policy set extends to Mesos, AWS, Kubernetes and bare metal servers
Single policy. No policy rewrite … Define Once → Enforce Everywhere
[Figure: the security administrator defines L4 and L7 policy on the controller (DEFINITION); it is enforced (ENFORCEMENT) in the vRouter and the host-based FW in front of the Web, App and DB tiers; Site = US; OpenStack, vRouter]
Application flow visibility & policy configuration
• Provides visibility, analysis and orchestration for security configuration
• Provides reporting, troubleshooting and compliance
Detects every application traffic flow (inter- or intra-application) before policy is applied
[Figure: the Web / App / db tiers of App1 across deployments Dev-AWS, Dev, Staging, Prod, Dev-K8s, Dev-Mesos and Staging-BMS (Bare Metal Servers), all governed by a single Policy]
• Dramatically reduces complexity by reducing the number of security policies
• Simplified management through minimal changes
• Improved scalability
• Define, review and approve once, apply everywhere
No policy rewrite
A consistent policy on multiple platforms
Policy Enforcer – extracting metadata to build security policy
[Figure: Contrail Controller (Config, Analytics, Apps; Web UI, OpenStack, other orchestrators) with the Policy Enforcer synchronizing labels and groups to the enforcement points: compute with vRouter (kernel / DPDK, vCenter), Smart NIC vRouter, bare metal server, public cloud instance, and the host-based L7 firewall (Juniper SRX)]
The operator defines the policy; the Policy Enforcer pushes L4 & L7 redirect policy configurations to multiple enforcement points for both L4 and L7 firewalls, focused on compatibility & performance.
The vRouter handles L4-based policy and steers traffic to the L7 FW (Juniper SRX) for advanced security services.

Clear application flow and alarms
Label the resources, easy to monitor
Advantage: consistent policy regardless of where the data resides
• Single policy across all deployments
• Leverage tags instead of traditional IP addresses in security policies
• Automated workload and metadata discovery
• Quarantine infected workloads to a specific security group
• Faster application deployments with reduced overhead
Applied example
Rule:
  SRC             DEST                         ACTION
  STAGE=DEVTEST   STAGE=PROD <AND> PCI=TRUE    DENY
Benefits:
1. Better fit for the workflow view
2. Contextual picture of each endpoint in the network
3. Portable policy across different domains
Endpoints:
  Name   IP Address   META-DATA
  Foo    70.20.1.6    STAGE=DEVTEST, PCI=FALSE
  Bar    80.10.2.4    STAGE=PROD
Attributes:
  Attribute   Possible Values
  STAGE       DEVTEST, STAGING, PROD
  PCI         TRUE, FALSE
  <custom>    <custom>
Workflow: 1. Define tags → 2. Define policy → 3. Apply security (Security Team / DevOps Team)
SRX rules with DAG; DAG updates do not require a commit
Applied example: metadata to define operational security
Policy modes: NORMAL ACCESS POLICY / ENABLE ADDITIONAL LOGGING & IPS / DISABLE SERVICE ACCESS
  SRC         DEST             CONDITION               ACTIONS
  EMPLOYEES   INTERNET VIDEO   THREAT LEVEL = GREEN    PERMIT
  EMPLOYEES   INTERNET VIDEO   THREAT LEVEL = ORANGE   PERMIT, LOG, IPS
  EMPLOYEES   INTERNET VIDEO   THREAT LEVEL = RED      DENY
Manual settings → corresponding action
Benefits:
1. Security policy that dynamically adapts to an ever-changing security environment
2. Pre-defined policy sets, swapped with one click of a button
3. Huge OpEx savings
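The two applied examples above (the STAGE/PCI segmentation rule and the threat-level conditional rule) are easy to reason about in a few lines of code. The block below is an added example and is not code from Juniper or from the slides: it matches workloads by their metadata rather than by IP address, evaluates rules first-match like a firewall rulebase, and applies a CONDITION on environment state. Endpoints Foo and Bar, their addresses and the STAGE/PCI values come from the slide tables; endpoint Baz, the GROUP and SERVICE tags used for the threat-level rule, and all function names are assumptions made for the example.

```python
"""Tag-based security policy evaluation (added example, not Juniper code).

Foo/Bar with their IPs and STAGE/PCI values are from the slides; Baz, the
GROUP/SERVICE tags and every function name here are assumptions.
"""
from dataclasses import dataclass, field

# Attribute schema from the slide: which tags exist and their allowed values.
SCHEMA = {"STAGE": {"DEVTEST", "STAGING", "PROD"}, "PCI": {"TRUE", "FALSE"}}

# Endpoint inventory. Foo and Bar are the slide's rows; Baz is constructed.
ENDPOINTS = {
    "Foo": {"ip": "70.20.1.6", "tags": {"STAGE": "DEVTEST", "PCI": "FALSE"}},
    "Bar": {"ip": "80.10.2.4", "tags": {"STAGE": "PROD"}},
    "Baz": {"ip": "192.0.2.10", "tags": {"STAGE": "PROD", "PCI": "TRUE"}},
}


@dataclass(frozen=True)
class Rule:
    """One policy line: tag selectors for SRC and DEST, an optional CONDITION
    on environment state, and the ACTIONS applied when everything matches."""
    src: dict
    dst: dict
    actions: tuple
    condition: dict = field(default_factory=dict)


def selector_matches(selector: dict, tags: dict) -> bool:
    """Every key/value in the selector must be present in the tag set.
    An empty selector matches anything; a missing tag never matches."""
    return all(tags.get(key) == value for key, value in selector.items())


def evaluate(rules, src_tags, dst_tags, env=None, default=("PERMIT",)):
    """First-match evaluation, as in a firewall rulebase. Rules whose
    condition does not hold in the current environment are skipped."""
    env = env or {}
    for rule in rules:
        if not selector_matches(rule.condition, env):
            continue
        if selector_matches(rule.src, src_tags) and selector_matches(rule.dst, dst_tags):
            return rule.actions
    return default


def missing_tags(endpoints, schema):
    """Endpoints lacking a schema attribute or carrying an unknown value.
    A tag-keyed DENY rule silently fails to match such endpoints, so this
    check belongs in step 1 (define tags) before any policy is applied."""
    problems = {}
    for name, endpoint in endpoints.items():
        bad = [attr for attr, allowed in schema.items()
               if endpoint["tags"].get(attr) not in allowed]
        if bad:
            problems[name] = bad
    return problems


# First slide example: STAGE=DEVTEST -> (STAGE=PROD AND PCI=TRUE): DENY
SEGMENTATION_RULES = [
    Rule(src={"STAGE": "DEVTEST"}, dst={"STAGE": "PROD", "PCI": "TRUE"}, actions=("DENY",)),
]

# Second slide example: EMPLOYEES -> INTERNET VIDEO, action chosen by THREAT LEVEL
VIDEO = ({"GROUP": "EMPLOYEES"}, {"SERVICE": "INTERNET VIDEO"})  # assumed tag names
THREAT_LEVEL_RULES = [
    Rule(*VIDEO, actions=("PERMIT",), condition={"THREAT LEVEL": "GREEN"}),
    Rule(*VIDEO, actions=("PERMIT", "LOG", "IPS"), condition={"THREAT LEVEL": "ORANGE"}),
    Rule(*VIDEO, actions=("DENY",), condition={"THREAT LEVEL": "RED"}),
]


def segmentation_decision(src_name, dst_name):
    return evaluate(SEGMENTATION_RULES, ENDPOINTS[src_name]["tags"], ENDPOINTS[dst_name]["tags"])


def video_decision(threat_level):
    # An unknown threat level must not fall through to the permissive default.
    return evaluate(THREAT_LEVEL_RULES, VIDEO[0], VIDEO[1],
                    env={"THREAT LEVEL": threat_level}, default=("DENY",))


if __name__ == "__main__":
    print("Foo -> Baz:", segmentation_decision("Foo", "Baz"))  # ('DENY',)
    print("Foo -> Bar:", segmentation_decision("Foo", "Bar"))  # ('PERMIT',): Bar carries no PCI tag
    print("tag problems:", missing_tags(ENDPOINTS, SCHEMA))    # {'Bar': ['PCI']}
    for level in ("GREEN", "ORANGE", "RED"):
        print(level, video_decision(level))
```

Two points worth noticing when running it: Bar is a PROD workload but has no PCI tag, so the DENY rule never matches traffic from Foo to Bar; `missing_tags` surfaces exactly that gap, which is why tag definition is the first step of the workflow. Moving a workload between policies is then a re-tag (for instance setting a quarantine tag that a deny rule selects on), not a rule rewrite, and the threat-level rule shows how the same source and destination selectors yield different actions as the environment changes.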
Benefit with Juniper's security solution
Before: manual, slow
• No labels, multiple platforms, different policies, hard to manage
• No labels, no consistent security reporting
• Multiple groups and devices such as firewalls, switches and routers
After: automatic, fast
• Manage diverse workload resources and apply security
• Clear reporting
• Consistent security policy across multi-cloud environments
[Figure: workflow across Incident Response, Net-Sec Operations and Endpoint Security: malware found, tickets (TKT) and feeds]
CloudWatch and Security Hub Integration
A cloud agent runs on the vSRX
• Collects metrics data from daemons/ services in vSRX
• Sends to CloudWatch at a configured interval
• Collects Security alerts and imports the alerts to Security Hub in Security Finding format
Metrics exported to CloudWatch include (not limited to):
1. CPU Utilization (both Control and Data plane)
2. Memory Utilization (Control and Data plane)
3. Input/ output pps and kbps
Security Hub findings are from:
• IDP
• IPSEC-VPN
• SCREEN
• Session (session-close/session-create/session-deny)
• TCP-SYS-FLOOD
• UTM (anti-spam/anti-virus/web-filter/content-filter)
Juniper's 'Connected Security'
[Figure: capabilities arranged around Switches, Routers, Access Points, Firewalls and Devices: Advanced Threat Detection, Automation, Orchestration, DDoS Prevention, Anomaly Detection, Behavioral Intelligence, Zero Day, User & Application Controls, Micro-Segmentation, Securing Micro-Services, Public & Private Workloads, Identity, APT, Compliance, DNS Security]
Automated isolation across the entire infrastructure
No need to look up IP addresses or other details.
No need to update each system.
No need to wait for the threat to move through a security system.
Juniper works with the network and infrastructure.

Container firewall
Comparing containers and virtual machines (VMs)
Source: https://www.docker.com/resources/what-container#/package_software

cSRX – container-based firewall
• The first Docker-based containerized firewall
• Operates in L3 mode or as a "bump in the wire"
• Provides a range of security functions beyond basic firewalling (AppFW, IPS, UTM, NAT, UserFW, etc.)
• Managed through NetConf, an SDN controller, management applications and so on
vSRX (VM) and cSRX (container) comparison
  Feature              vSRX                                                    cSRX
  Use Cases            Integrated routing, security, NAT, VPN, high performance  L4-L7 security, low footprint
  vCPU Requirement     Minimum 2, static reservation                           No reservation; 2 vCPUs required
  Memory Requirement   4GB minimum                                             1GB minimum
  NAT                  Yes                                                     Yes
  Dynamic Routing      Yes                                                     No
  IPSec VPN            Yes                                                     No
  Boot-Up Time         ~minutes                                                <1 second
  Host Requirement     Must support KVM / VMware hypervisors                   Must support Docker containers
Secure-wire mode
Implemented as a "bump in the wire" in secure-wire mode.
Only two interfaces are configurable (no IP addresses).
Contrail security – host-based FW with CSRX
[Figure: x86 compute hosts, each running the Linux kernel, Contrail vRouter, cSRX and workloads, with workload-to-workload encryption between hosts]
Containerized NGFW on every host, integrated into the datapath (out of the box).
Use Case
  Use Case                                  Feature                                         Description / Benefit
  Microsegmentation, East/West Protection   cSRX integration with Contrail vRouter          Contrail use cases gain added L4-L7 security
  Application Protection                    cSRX support for Kubernetes (K8s)               K8s is the de facto standard for container orchestration
  5G Edge Network, Cloud                    Protection of 5G container-based applications   Dynamic scaling and Layer 7 protection

Everything Moved to the Cloud
Thank you