Juniper Contrail Security
Contrail Security, a member of the Contrail product family, is a simple, open, fully distributed cloud security solution that allows users to protect applications running in any virtual environment. Policies based on known application attributes defined by tags, labels, and other grouping constructs can be universally applied in various environments without having to rewrite them every time. Contrail Security further enhances the security framework by providing critical insights into traffic flows, establishing a new security paradigm that reduces the overall number of policies, simplifies enforcement, and provides greater visibility into, and manageability across, hybrid cloud environments.
Contrail Security includes two key components: the Contrail Security Controller and the Contrail Security vRouter.
Contrail Security Controller
The Contrail Security Controller provides a logically centralized but physically distributed control plane for the Contrail Security solution. It provides an interface for defining and expressing security intent without relying on network coordinates for policy constructs. The Security Controller translates the abstract security description into lower-level security constructs (such as access control lists), which are then propagated to enforcement elements on every host where the application workloads reside. The Contrail Security Controller includes northbound REST APIs that allow orchestrators and other management systems to interface with the Contrail Security solution. The Contrail Security Controller consists of three software components:
• Configuration: The configuration component provides APIs to invoke Contrail Security functionality and functions as a compiler that translates high-level descriptions of security intent into lower level security constructs.
• Control: The control component implements the BGP speaker for peering with gateways, and it programs lower level security constructs into enforcement elements on hosts via Extensible Messaging and Presence Protocol (XMPP).
• Analytics: The analytics component provides a framework for collecting data such as traffic flows, statistics, logs, and other system state information over various ingestion channels such as GPB, IPFix, SNMP, Netflow, sFlow, syslog, and from enforcement elements on hosts via a protocol called Sandesh. All ingested data is stored in highly available Cassandra databases for querying via northbound REST APIs. Applications that derive meaning and insight from the collected data are also provided.
Contrail Security vRouter
The Contrail Security vRouter is an enforcement element installed on every host where application workloads may be instantiated. The vRouter has full ownership of the logical interfaces present on every workload, whether a VM or container, enabling the vRouter to enforce security policies inline. The vRouter can also route selected traffic to L7 firewalls. Each vRouter communicates with a pair of control nodes to optimize system resiliency.
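The compile step described above (tag-based intent translated into per-host ACLs that the enforcement element applies locally) as an added illustration; this is not Contrail code, and the inventory and rule formats, the host names, IPs and tags are all constructed for the example. It also shows why the intent rule survives a workload being rescheduled to another host: only the compiled ACLs change.

```python
from copy import deepcopy

# Constructed inventory (assumed format): host, current IP and the
# application tags that the policy refers to. Not Contrail's data model.
WORKLOADS = {
    "web-1": {"host": "h1", "ip": "10.0.1.11", "tags": {"app": "shop", "tier": "web"}},
    "web-2": {"host": "h2", "ip": "10.0.1.12", "tags": {"app": "shop", "tier": "web"}},
    "db-1":  {"host": "h2", "ip": "10.0.2.21", "tags": {"app": "shop", "tier": "db"}},
    "db-2":  {"host": "h3", "ip": "10.0.2.22", "tags": {"app": "crm",  "tier": "db"}},
}

# Intent: "shop web tier may reach shop db tier on tcp/5432". No IPs appear.
RULES = [
    {"src": {"app": "shop", "tier": "web"}, "dst": {"app": "shop", "tier": "db"},
     "proto": "tcp", "port": 5432},
]
DEFAULT_DENY = ("deny", "any", "any", "any", "any")

def matches(tags, expr):
    """A tag expression matches when every key/value it names is present."""
    return all(tags.get(k) == v for k, v in expr.items())

def compile_rules(workloads, rules):
    """Expand tag expressions into 5-tuple allows, grouped by enforcing host.

    Each allow is installed on the source host (egress) and the destination
    host (ingress); every host ends with a default deny for unmatched flows.
    """
    per_host = {w["host"]: set() for w in workloads.values()}
    for r in rules:
        srcs = [w for w in workloads.values() if matches(w["tags"], r["src"])]
        dsts = [w for w in workloads.values() if matches(w["tags"], r["dst"])]
        for s in srcs:
            for d in dsts:
                entry = ("allow", s["ip"], d["ip"], r["proto"], r["port"])
                per_host[s["host"]].add(entry)
                per_host[d["host"]].add(entry)
    return {h: sorted(v) + [DEFAULT_DENY] for h, v in per_host.items()}

def relocate(workloads, name, new_host):
    """Model a workload being rescheduled; the intent rules stay untouched."""
    moved = deepcopy(workloads)
    moved[name]["host"] = new_host
    return moved
```

Recompiling after `relocate(WORKLOADS, "db-1", "h3")` moves the database's ingress entries from h2 to h3 without any edit to `RULES`.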
• Intent-driven policy: Contrail Security allows tenants and administrators to express security requirements in plain English, without relying on network coordinates to write policies.
• Tag workloads and expressions: Policy statements are written using tag expressions that describe application attributes, replacing the traditional method of using network coordinates. This relieves administrators and tenants of having to know and monitor dynamic, ever-changing network coordinates.
• Fully distributed firewall: Contrail Security deploys a vRouter enforcement component on every host where application workloads may be launched. The vRouter is embedded in the cloud infrastructure; there is no need for tenants to modify their applications to take advantage of Contrail Security. The vRouter provides up to L4 security in a fully distributed manner on every host.
• Redirect to L7 firewall: Contrail Security provides the ability to subject select traffic to L7 firewalls in a completely dynamic and programmatic fashion.
• Analytics: Contrail Security offers a rich framework for collecting various application, infrastructure, network, and security analytics over various supported ingestion protocols. Applications written on top of the analytics collection framework can extract meaningful insights from collected data.
• Visualization: Users can visualize traffic flows across different applications and application components, as well as associated security policies including adherence and violation status.
• Multidimensional policy statements: Contrail Security provides the ability to write, review, and approve policies once and apply them universally in all environments, dramatically reducing the number of policy statements, simplifying manageability, and significantly containing security costs.
• Comprehensive security: Up to L7 security via connectivity and firewalling provides complete, end-to-end protection from a single pane of glass. Additionally, L4 through L7 security is fully distributed and available on every host, minimizing the attack surface as much as possible.
• Actionable insights, visibility, and visualization: Users gain complete visibility into various aspects of application, infrastructure, network (underlay and overlay), and security from a single pane of glass and via a single product.
• Lower risk, greater compliance: Contrail Security offers a complete, end-to-end, modern approach that defends against various lateral and external threats, lowering risk and significantly improving compliance.