After the event, the presenters took questions from the audience, resulting in the Nuage Networks Security Report Webinar Q&A below. Read on to further explore the topics of software-defined networking, security and policy.
What is the advantage of integrating with both physical and virtual firewall appliances in an SDN overlay network? Aren’t most of the deployments going to virtual appliances everywhere?
Nuage Networks: While many cloud networks are proliferating virtual appliances, there is still a strong requirement to work with either existing physical network devices/appliances or to leverage performance and capabilities which may only be available in the physical appliance. Nuage Networks sees that we have to provide that flexibility to customers rather than force them into a purely virtual solution or to lock them into a particular type of solution. One of the main advantages that Nuage enjoys over other SDN vendors is the ability to integrate both physical and virtual devices and workloads, as well as to direct traffic to security appliances independent of location to support microsegmentation policies.
Is the service insertion and traffic steering technology Nuage Networks uses with Palo Alto open or standardized? Can it be used with either other security products or other SDN platforms? Is there a relevant industry standard in this area, or is it important to standardize since this is a key integration technology?
Nuage Networks: Service insertion, or adding devices like Palo Alto Networks NGFWs into a virtual network, is indeed a key cloud networking capability and a key point of integration between two vendors like the two of us presenting today. There have been attempts to standardize protocols in this area, but it's a fairly complex area and can have dependencies on each product involved, so there isn’t an obvious industry standard to leverage today. As a result, we at Nuage are leveraging a common model to integrate other services like Citrix application delivery controllers in the same way to reduce development and integration costs. We also look to integrate with OpenStack in a similar manner across solutions.
How does this integrated SDN security solution work with cloud orchestration platforms like OpenStack?
Nuage Networks: We actually have a blog that touches on the integration of Nuage Networks and Palo Alto Networks with Mirantis OpenStack here: http://www.nuagenetworks.net/blog/ignite-2016/. In a nutshell, as you define application and network policies in OpenStack, consistency is maintained for security and network policies in both Nuage and PAN platforms. In turn, security policy consistency is maintained between PAN and Nuage through the Nuage SDN controller and the Panorama management console.
Are there any overhead and performance degradation related with mirroring the traffic and analysing it?
Nuage Networks: Good question – there are two actions that can be taken, “mirroring” and “redirection”. Mirroring does not impact performance of the datapath, as we just send copies of packets to a mirror destination, which is a valid use case for monitoring. In the case of redirection, we are basically adding an additional hop for that specific traffic that is being inspected, and that hop is a firewall. There is a slight hit due to that insertion and additional processing; however, this is not that different from what happens today in legacy networks. The Nuage Networks VSP supports connecting virtual FWs as well as physical FWs, and Palo Alto Networks offers both form factors as well. Therefore, it would depend on the scale/design of the network what fits, but you have full freedom to mix and match appliance form factors and placement of those appliances to minimize the impact.
Isn’t the traffic steering question above using OVS (Open vSwitch) technology and the standards around it?
Nuage Networks: The Nuage Networks VSP leverages OVS (no kernel modifications) and makes modifications in user space to enable distributed routing as well as switching. The insertion concept includes inserting any device (container, VM or bare-metal server) into the path of any workload (containers, VM and BM) on any hypervisor (KVM, ESXi and Hyper-V), all done with a single platform that is API driven and in a way that abstracts the “network” from the “application”. You can simply define app tiers and insert a security appliance between tiers; then the platform would translate that into networking constructs. Furthermore, performance, which is an important factor, needs to be able to drive large amounts of traffic. In summary, the insertion is easier and more dynamic.
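As an added illustration (not Nuage Networks or Palo Alto Networks code) of the mirroring-versus-redirection distinction described above and of translating app tiers plus an inserted appliance into vSwitch constructs, the following Python compiles tier-level intent into OpenFlow-style action lists; the tier names, port numbers and rule shape are constructed assumptions, not the VSP's real data model.

```python
"""Toy compiler from tier-level intent to OpenFlow-style actions (constructed example).

A mirror keeps the original delivery and adds a copy to a tap port (no path change);
a redirect replaces the delivery with the appliance port, i.e. one extra inline hop.
"""

# Constructed port map: which vSwitch port each tier or appliance sits behind.
PORTS = {"web": 1, "app": 2, "db": 3, "ngfw": 10, "ids_tap": 20}


def insert_between(inserts, a, b, appliance):
    """Record an inline appliance for both directions of a tier pair."""
    inserts[(a, b)] = appliance
    inserts[(b, a)] = appliance
    return inserts


def compile_rules(tiers, inserts, mirrors, ports=PORTS):
    """tiers: ordered app tiers; only adjacent tiers may talk (microsegmentation).
    inserts: {(src, dst): appliance} flows that must traverse the appliance inline.
    mirrors: {(src, dst): tap} flows that are also copied to a tap.
    Returns {(src, dst): [action, ...]} with OpenFlow-like action strings.
    Forwarding from the appliance port back to dst after inspection is a
    separate rule and is not modelled here."""
    rules = {}
    for i, src in enumerate(tiers):
        for j, dst in enumerate(tiers):
            if src == dst:
                continue
            if abs(i - j) != 1:
                rules[(src, dst)] = ["drop"]  # non-adjacent tiers: deny by default
                continue
            if (src, dst) in inserts:
                # redirect: the only output is the firewall, which forwards after inspection
                actions = [f"output:{ports[inserts[(src, dst)]]}"]
            else:
                actions = [f"output:{ports[dst]}"]
            if (src, dst) in mirrors:
                # mirror: original delivery stays, an extra copy goes to the tap
                actions.append(f"output:{ports[mirrors[(src, dst)]]}")
            rules[(src, dst)] = actions
    return rules


def inline_hops(rules, src, dst, ports=PORTS):
    """Inline hops a packet takes: 0 if dropped, 1 direct, 2 via an appliance."""
    first = rules[(src, dst)][0]
    if first == "drop":
        return 0
    return 1 if first == f"output:{ports[dst]}" else 2
```

Running it with an NGFW inserted between web and app and a tap on app-to-db traffic shows the redirect adds a hop while the mirror only adds a second output action.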
What is the max throughput of a VM Palo Alto?
Nuage Networks: Feel free to check all the VM-Series performance numbers. Today, we offer 3 VM-Series models and the max throughput (with App-ID enabled) is 1G.
Are there any throughput limitations incurred when inserting the VM series?
Nuage Networks: From a Nuage Networks perspective, the solution can get close to line rate. Insertion does not differ from regular traffic forwarding.
So this won’t work in a 10GB environment?
Nuage Networks: The sizing approach towards choosing VM-Series or a physical security appliance will vary with the specific requirements of each and every enterprise. For example, we have some organizations which exclusively leverage multiple VM-Series and scale horizontally to meet their performance needs. We also have organizations leveraging high-performance physical appliances to achieve high scalability and performance needs. We did a detailed analysis on the sizing approaches for East-West implementations. You can contact Nuage Networks at firstname.lastname@example.org and Palo Alto Networks for details.
Can you provide links to docs on horizontal scaling?
Nuage Networks: We are working on a technical whitepaper to address the above. Stay tuned and look for it being posted on our website www.paloaltonetworks.com next month.