NextGen Firewall use case at KPN

Joint Fortinet / KPN presentation at VMworld Europe 2017

Albert W. Alberts

September 12, 2016
Transcript

  1. NextGen Firewall use case at KPN. Use case, proof of concept and the next steps. September 12th 2017, VMworld Barcelona. © Copyright Fortinet Inc. All rights reserved.
  2. Let me introduce myself … Albert W. Alberts:
     § Working at KPN since 1999
     § Started as Software Engineer
     § KPN patents
     § Currently Architect
     https://www.linkedin.com/in/albertalberts/ @a_w_alberts
  3. KPN, the company:
     § KPN (Koninklijke PTT Nederland)
     § Dutch landline and mobile telecommunications company
     § 4G, 5G, LoRa
     § Internet Services Provider
     § TV
     § ICT-services
  4. KPN, the company:
     § 15.000 employees
     § 6.3 million fixed-line telephone customers
     § 33 million subscribers in Netherlands, Germany, Belgium, France and Spain
     § 2.1 million Internet access customers
     § 1 of 15 worldwide VMware showcase partners
  6. CloudNL features:
     • Services are delivered from KPN datacenters within the Netherlands;
     • Operational maintenance from within the Netherlands under Dutch law and regulations;
     • Assurance through the Cloud Compliance Framework (CCF).
  7. Cloud features:
     • Self-service management
     • Create own infrastructure
     • Manage own infrastructure
     • Scalable
     • Pay-per-use
  8. CloudNL VMware, based on VMware technology:
     • vRealize Automation;
     • vRealize Orchestration;
     • NSX;
     • vCenter & vSphere.
  9. How does a customer get it? (architecture diagram; labels only) Interfaces: CloudNL VMware Portal, ReST API (client languages shown: Ruby, Go, Python, C#); vRealize Automation, vRealize Orchestration; compute resources, networking resources, storage resources.
  10. What does a customer get? Default network setup: front-end & back-end (network diagram; labels only). Tenant A; private IP / public IP; NSX Edge pair; Tenant ESG; Perimeter ESG; default GW; Distributed Logical Router; VMs; transport network; public network, without NAT(ting); private network, with sNAT(ting); Internet; Datacenter 1, Datacenter 2.
  11. What does a customer get? Default network setup: front-end & back-end (network diagram with two tenants; labels only). Tenant A, Tenant B; Tenant ESG; Distributed Logical Router; transport network; private IP / public IP; Perimeter ESG; default GW; VMs; Internet; Datacenter 1, Datacenter 2.
  12. Next Gen Firewall PoC. Platform requirements:
     § Integration with NSX
     § Multi-tenancy within NSX
     § Multi-tenant self-service portal
     § Multi-tenant API
     § Integration with vRealize
     Client requirement:
     § Next Gen Firewall
  13. KPN CloudNL VMware, default tenant network (network diagram; labels only). Core Router; NSX Edge pair; Tenant ESG; Perimeter ESG; default GW; Distributed Logical Router; VMs; private IP / public IP; transport network; restriction of 10 connections; public network, without NAT(ting); private network, with sNAT(ting); internet; Management network; NSX Manager config; Datacenter 1, Datacenter 2.
  14. KPN CloudNL VMware, default tenant network (same network diagram, with the Fortinet components added; labels only). Core Router; NSX Edge pair; Tenant ESG; Perimeter ESG; default GW; Distributed Logical Router; VMs; private IP / public IP; transport network; restriction of 10 connections; public network, without NAT(ting); private network, with sNAT(ting); internet; Management network; NSX Manager config; Fortigate SVM config; Fortigate-VMX Security Node; Datacenter 1, Datacenter 2.
  15. Fortinet SVM vRealize expected user interface (management diagram; legend: API, GUI). vRA portal as single “pane of glass”. NSX Manager and vRealize Orchestration: GUI only for KPN administrators, API only via vRO. Management plane: Fortigate Service Manager, SVM per datacenter. Control plane: Fortigate-VMX Security Node, VMX per vSphere. Tasks: common configuration tasks; advanced multi-cloud configuration tasks. Note: no easy integration with vRealize Automation.
  16. Fortinet SVM vRealize actual user interface (management diagram; legend: API, GUI). A Fortigate Service Manager GUI for each datacenter (interface to Fortigate Service Manager in datacenter 1, interface to Fortigate Service Manager in datacenter 2). NSX Manager and vRealize Orchestration: GUI only for KPN administrators, API only via vRO. Management plane: Fortigate Service Manager, SVM per datacenter. Control plane: Fortigate-VMX Security Node, VMX per vSphere. Note: possible but not preferred.
  17. Fortinet SVM vRealize preferred user interface (management diagram; legend: API, GUI). vRA portal for simple tasks, FortiManager GUI for more advanced tasks. NSX Manager and vRealize Orchestration: GUI only for KPN administrators, API only via vRO. Management plane: Fortigate Service Manager, SVM per datacenter. Control plane: Fortigate-VMX Security Node, VMX per vSphere. Tasks: common configuration tasks; advanced multi-cloud configuration tasks. Note: FortiManager solves the dual interface problem but was not available during the PoC. Current status is beta.
  18. Next Gen Firewall PoC results. Platform requirements:
     § Integration with NSX
     § Multi-tenancy within NSX
     § Multi-tenant self-service portal
     § Multi-tenant API
     § Integration with vRealize
     Results (as marked on the slide): ✓; ✗ no, this requires developer effort; ✓; ✓ but two self-service portals; ✓ but two interfaces.
  19. Next Gen Firewall expected PoC results with FortiManager. Platform requirements:
     § Integration with NSX
     § Multi-tenancy within NSX
     § Multi-tenant self-service portal
     § Multi-tenant API
     § Integration with vRealize
     Expected results (as marked on the slide): ✓; ✗ plans to build it for most used configs; ✓; ✓; ✓.