![Security Enforcement
Router (MX)
[stateless ACL L2-3]
5
Physical Firewall Appliance (SRX)
[Stateful L2-L7 firewall]
1
DC Spine Switch (QFX1000)
[Stateful ACL and/or L4-7 firewall]
3
DC Leaf Switch (QFX5100)
[Stateful ACL and/or L4-7 firewall]
4
VT-x
Hypervisor
VAVASDN
Virtualized Host with virtual
firewall
(dFW, Contrail vRouter, vSRX)
[Stateful ACL and/or L4-7 firewall]
2
SD
SPACE
ND VD
APIs & libraries exposed to operators,
orchestration, & automation platforms
To Device-specific APIs
Contrail
Central
Policy
Engine
Threat
Intelligence
Threat
Intelligence](https://image.slidesharecdn.com/guesslisa-embracingthecloud-160407010637/85/Lisa-Guess-Embracing-the-Cloud-28-320.jpg)
Lisa Guess - Embracing the Cloud
- 1. Embracing the Cloud How is the Cloud built and how do you Secure It? Lisa Guess VP Juniper Networks - Systems Engineering
- 4. Your business challenges How should I embrace the cloud? How do I secure the cloud? How do I innovate without disrupting business? What is my Return on Investment (ROI)?
- 5. IT Quickly Moving Toward Cloud Source: IDG Enterprise Cloud Computing Study 2014 Percentage of respondents utilizing different types of Cloud computing environments…….. Public Cloud Private Cloud Hybrid Cloud 19% 15% 5% 61% 25% 21% 7% 47% Private Cloud Public Cloud Hybrid Cloud Non-Cloud % OF TOTAL IT ENVIRONMENT IN THE CLOUD Current In 18 months
- 6. Applications Driving Design Change Network Virtualization ATTRIBUTES • Virtualized with Bare metal • Introduction of Network Overlays REQUIREMENTS • Physical to Virtual (P2V) integration • Overlay visualization & management Everything “As-a-Service” ATTRIBUTES • Scale-out • On-demand REQUIREMENTS • Multi-tenancy • Simple to operate, easy to scale Modern App Flows ATTRIBUTES • Increased Machine to Machine • East-West traffic REQUIREMENTS • Flatter Topology • High performance and consistent
- 7. Today You Are Here User IT Admin You Need to Be Here User CLICK HERE Orchestration? Security? Protocols?SDN? Support?Intelligence? Path to Success: Identify
- 8. Today You Are Here • Resources are in silos • Network services are on physical appliances • Tasks are not automated • Orchestration is decentralized • Security is an afterthought VLANS VLANS FINANCE HR MARKETING Firewalls Load-Balancer Physical Servers Local Hard Drives You Need to Be Here VIRTUALIZED HR MARKETINGFINANCE • Resources are pooled • Network services are virtualized and distributed • Moves/adds/changes are fully automated • Orchestration is completely centralized • Security is integrated Path to Success: Set Goals
- 9. Path to Success: Foundational Impediments Security is difficult Physical is the default Bottlenecks Automation is key Difficult to automate Box-by-box touch points Difficult to mine data Processes are manual Suboptimal topologies Inconsistent performance Disaggregated elements Network is complex
- 11. Portal: Data Sources: Applications: Employees Customers Partners Suppliers DevicesDatabase Transactions Sensors Inventory Devices Analysis Reporting CRM Database Administration InventoryHRPurchasing Analysis Reporting CRM Mail Order Processing InventoryHRPurchasing Network Devices Rich media New applications Digitized information Machine to MachineEmployees Customers Machines Suppliers Partners “Any to Any” Services Sharing, Flexibility, Velocity Employees CustomersFinance EDIMailERP Mail EDIERP >75%
- 12. Portal: Data Sources: Applications: Employees Customers Partners Suppliers DevicesDatabase Transactions Sensors Inventory Devices Analysis Reporting CRM Database Administration InventoryHRPurchasing Analysis Reporting CRM Mail Order Processing InventoryHRPurchasing Network Devices Rich media New applications Digitized information Machine to MachineEmployees Customers Machines Suppliers Partners Moving to the Cloud Legacy DC
- 13. Suppliers DevicesInventory Devices Database Administration Inventory Mail Order Processing Inventory Digitized information Machine to MachineSuppliers Partners Moving to the Cloud Legacy DC Virtualized DC Cloud DC Design for five 9s • Apps not resilient • High end x86 servers • Virtual machines • Shared storage - FC • L2 adjacency Design for 3 9s • Apps resilient • Commodity servers • Virtualization • NAS storage • L3 connectivity
- 14. Devices Database Inventory Digitized information Moving to the Cloud Legacy DC Virtualized DC Cloud DC Devices Mail Order Processing Inventory Suppliers Partners Devices Mail Inventory Suppliers Order Processing Partners Inventory
- 15. Devices Inventory Digitized information Moving to the Cloud Legacy DC Virtualized DC Cloud DC Devices Inventory Suppliers Order Processing Partners Inventory Mail Network Big Data - Hadoop
- 16. Agility – Time to Provision 2 Months Physical Server Time Virtual Server 2 WeeksNetwork 2 WeeksStorage 2 Minutes Orchestration, Automation,
- 17. Automation “Crushing Grapes” Orchestration “Making Wine” Automation ≠ Orchestration Speeding up “IT” Workflows at scale while eliminating errors Automation helps eliminate repeatable manual tasks through scripts or other software tools Orchestration is an extension of automation that groups automated tasks into coordinated workflows.
- 18. Path to the Cloud Self Provisioned Clouds Cloud DC 3 Optimization Greater Agility & Availability Virtualized DC 2 Consolidation Lower Cost Legacy DC 1 Server Virtualization Network, Automation Orchestration Public Private
- 19. MetaFabric VM VM VM Virtual Physical VM VM VM Virtual Physical VM VM VM Virtual Physical VM VM VM Virtual Physical My on-premises data center My hosted service provider My cloud service provider My managed service provider VM VM VM Virtual VM VM VM Virtual Architecture for building a coherent network within & between data centers
- 20. MetaFabric – Three Steps Automate Operations Orchestration Network automation and analytics Network virtualization MH Secure the NetworkNetwork security Simplify the Network Network infrastructure Data CenterDCIData Center
- 21. Simplify the network Old Model: Deploy individual network elements New Model: Deploy a coherent network • Data plane driven • Shared distributed control plane • Common management plane
- 22. Simplify the network Coherent architecture Building blocks Topology Tree Spine and Leaf Advantages: • Better, more consistent app performance • More agile - eliminates locality issues • Simpler to manage • Lower cost
- 23. Simplify the network Coherent architecture Building blocks Topology Access Spine Edge
- 24. Simplify the network Coherent architecture Building blocks Topology Access Spine Edge Coherent Network: Shared, distributed control plane Common management plane MC-LAGEthernet FabricIP Fabric w/ Open ClosCoherence beyond the edge
- 25. Coherent architectures Legacy and Virtualized data centers Private cloud data centers Public cloud data centers Virtual Network Fabric Overlay IP Fabric All L3 Multi-Tier w/ MC-LAG L2/L3 Ethernet Fabric L2/L3
- 26. MetaFabric – Three Steps Secure the NetworkNetwork security Simplify the Network Network infrastructure Data CenterDCIData Center Automate Operations Orchestration Network automation and analytics Network virtualization MH
- 27. Secure – a new model for the cloud Castle Model Hotel Model • Micro-perimeterization • Multiple enforcement points • Supported by the cloud
- 28. Security Enforcement Router (MX) [stateless ACL L2-3] 5 Physical Firewall Appliance (SRX) [Stateful L2-L7 firewall] 1 DC Spine Switch (QFX1000) [Stateful ACL and/or L4-7 firewall] 3 DC Leaf Switch (QFX5100) [Stateful ACL and/or L4-7 firewall] 4 VT-x Hypervisor VAVASDN Virtualized Host with virtual firewall (dFW, Contrail vRouter, vSRX) [Stateful ACL and/or L4-7 firewall] 2 SD SPACE ND VD APIs & libraries exposed to operators, orchestration, & automation platforms To Device-specific APIs Contrail Central Policy Engine Threat Intelligence Threat Intelligence
- 29. MetaFabric – Three Steps Automate Operations Orchestration Network automation and analytics Network virtualization MH Secure the NetworkNetwork security Simplify the Network Network infrastructure Data CenterDCIData Center
- 30. Automate operations Old Model: Manage network devices New Model: Automate the workflow of delivering the application
- 31. Automate Work Flows Build & Provision Operate & Monitor Orchestrate Benefits: Repeatability More reliable More agile Lower operating cost
- 32. The Automation Stack Junos Data Plane (PFE)Chassis XML-RPC PythonEZ Framework RubyEZ Library Ansible Python Scripts ChefPuppet Ruby Scripts Netconf Junoscript SNMP RO CLI Junos Platform Automation Stack
- 33. Chef Junos Data Plane (PFE)Chassis XML-RPC Netconf PythonEZ Framework RubyEZ Library PuppetAnsible Python Scripts Ruby Scripts Junoscript SNMP RO CLI Junos Platform Automation Stack Two Approaches Network Coherence BottomsUp Network Director Security Director Target top 20% of tasks – 80% of the effort
- 34. Two Approaches Network Coherence Build your own TopsDown Network Virtualization Network Director Security Director
- 35. Network Virtualization Network Virtualization Can we do for the network what we did for the server?
- 36. Network Virtualization VLANs A1 B1 A2 B2
- 37. Network Virtualization Promise of Overlays A1 B1 A2 B2
- 38. Network Virtualization Service Chaining A1 B1A2 B2 Virtual Network A Virtual Network B FW IDP LB NAT
- 39. MetaFabric – Three Steps Automate Operations Orchestration Network automation and analytics Network virtualization MH Secure the NetworkNetwork security Simplify the Network Network infrastructure Data CenterDCIData Center
- 40. Thank you
Editor's Notes
- #10: TALK TRACK: If the goal is automation and abstraction, there are multiple ways to get to that goal Among our customers we see very different types of cloud builders Some are hard core DIYers and will build entire toolsets from scratch rather than wait for the commercial marketplace to provide what they need. Others are also DIYers, but use the tools that are available from the open source community And others just want something that works—they will typically buy and end-to-end software stack from a large vendor. In that camp we see vmware as a very viable option for many customers. We are working closely with vmware and have 6 different engineering projects happening simultaneously Finally, there are two open areas of openstack and cloudstack. We see this as the next normal. This means that the largest cloud providers who do not want to do it themselves will overtime move into the openstack environment. There are different technology paths to get to SDN Software only approach using existing architectures and overlaying automation Hybrid approach – new physical infrastructure and new architecture (still no SDN controller) full overlay model – using controller The network needs to work for all these types of cloud builders
- #11: 10
- #12: 11
- #13: 12
- #14: 13
- #15: 14
- #16: 15
- #34: The further up the stack you go, the less complex it is for the end user to automate. However, along with it being less complex it is also less flexible. For instance, writing an application/script that interacts directly over netconf allows the user to do more (with more coding of course) than writing a playbook in Ansible. The underlying modules for Ansible have to support whatever the end user is trying to do. If the module doesn’t exist, there is the ability to build that module using the PyEZ framework and use it ad-infinitum for that particular task.
- #35: The further up the stack you go, the less complex it is for the end user to automate. However, along with it being less complex it is also less flexible. For instance, writing an application/script that interacts directly over netconf allows the user to do more (with more coding of course) than writing a playbook in Ansible. The underlying modules for Ansible have to support whatever the end user is trying to do. If the module doesn’t exist, there is the ability to build that module using the PyEZ framework and use it ad-infinitum for that particular task.