NextGen Firewall use case at KPN

Transcript

1. © Copyright Fortinet Inc. All rights reserved. NextGen Firewall use

   case at KPN Use case, proof of concept and the next steps September 12th 2017, VMworld Barcelona

2. 2 Albert W. Alberts: § Working at KPN since 1999:

   § Started as Software Engineer § KPN patents § Currently Architect Let me introduce myself … https://www.linkedin.com/in/albertalberts/ @a_w_alberts [email protected]

3. 3 § KPN (Koninklijke PTT Nederland) § Dutch landline and

   mobile telecommunications company § 4G, 5G, LoRa § Internet Services Provider § TV § ICT-services KPN, the company

4. 4 § 15.000 employees § 6.3 million fixed-line telephone customers

   § 33 million subscribers in Netherlands, Germany, Belgium, France and Spain § 2.1 million Internet access customers § 1 of 15 worldwide VMware showcase partners KPN, the company

5. KPN CloudNL VMware

6. 6

7. 7 CloudNL features: • Services are delivered from KPN datacenters

   within the Netherlands; • Operational maintenance from within the Netherlands under Dutch law and regulations; • Assurance through the Cloud Compliance Framework (CCF).

8. 8 Cloud features: • Self-service management • Create own infrastructure

   • Manage own infrastructure • Scalable • Per-per-use

9. 9 CloudNL VMware, based on VMware technology • vRealize Automation;

   • vRealize Orchestration; • NSX; • vCenter & vSphere.

10. 10 How does a customer get it? Interfaces vRealize Automation

    vRealize Orchestration Compute resources Networking resources Storage resources CloudNL VMware Portal ReST API Ruby Go Python C#

11. 11 What does a customer get? Tenant A Tenant A

    private IP private IP NSX Edge pair public IP public IP Tenant ESG Tenant ESG Perimeter ESG Perimeter ESG default GW Perimeter ESG Perimeter ESG Distributed Logical Router Tenant A ESG Tenant A ESG Distributed Logical Router VM VM VM VM VM VM VM VM transport network default GW default GW default GW transport network public network, without NAT(ting) private network, with sNAT(ting) Internet Datacenter 1 Datacenter 2 Default network setup: front-end & back-end

12. 12 What does a customer get? Default network setup: front-end

    & back-end Tenant ESG Distribute d Logical Router Tenant B ESG transport network Tenant A Tenant ESG Distribute d Logical Router Tenant B ESG transport network Tenant A private IP public IP Perimeter ESG default GW Perimeter ESG VM VM VM VM default GW transport network Internet Tenant ESG Tenant A ESG Distribute d Logical Router Datacenter 1 Datacenter 2 private IP public IP Perimeter ESG default GW Perimeter ESG VM VM VM VM default GW transport network Tenant ESG Tenant A ESG Distribute d Logical Router

13. Next Gen Firewall Proof-of-concept at KPN CloudNL VMware

14. 14 Next Gen Firewall PoC Platform requirements: § Integration with

    NSX § Multi-tenancy within NSX § Multi-tenant self-service portal § Multi-tenant API § Integration with vRealize Client requirement: § Next Gen Firewall

15. 15 KPN CloudNL VMware, default tenant network private IP private

    IP NSX Edge pair public IP public IP Core Router Tenant ESG Tenant ESG Perimete r ESG Perimete r ESG default GW Perimeter ESG Perimeter ESG Distributed Logical Router Tenant ESG Tenant ESG Distributed Logical Router Core Router Core Router Core Router VM VM VM VM VM VM VM VM transport network default GW default GW default GW restriction of 10 connections transport network public network, without NAT(ting) private network, with sNAT(ting) Datacenter 1 Datacenter 2 internet internet Management network NSX Manager config Management network NSX Manager config

16. 16 KPN CloudNL VMware, default tenant network private IP private

    IP NSX Edge pair public IP public IP Core Router Tenant ESG Tenant ESG Perimete r ESG Perimete r ESG default GW Perimeter ESG Perimeter ESG Distributed Logical Router Tenant ESG Tenant ESG Distributed Logical Router Core Router Core Router Core Router VM VM VM VM VM VM VM VM transport network default GW default GW default GW restriction of 10 connections transport network public network, without NAT(ting) private network, with sNAT(ting) internet internet Management network NSX Manager config Fortigate SVM config Fortigate-VMX Security Node Management network NSX Manager config Fortigate SVM config Fortigate-VMX Security Node Datacenter 1 Datacenter 2

17. 17 Fortinet SVM vRealize expected user interface NSX Manager vRealize

    Orchestration GUI only for KPN administrators API only via vRO vRA portal as single “pane of glass” = API = GUI vRealize Automation Fortigate Service Manager Management plane SVM per datacenter Advanced multi-cloud configuration tasks Common configuration tasks Fortigate-VMX Security Node Fortigate-VMX Security Node Control plane VMX per vSphere No easy integration with vRealize Automation

18. 18 Fortinet SVM vRealize actual user interface NSX Manager vRealize

    Orchestration GUI only for KPN administrators API only via vRO A Fortigate Service Manager GUI for each datacenter = API = GUI vRealize Automation Fortigate Service Manager Management plane SVM per datacenter Fortigate-VMX Security Node Fortigate-VMX Security Node Control plane VMX per vSphere Possible but not preferred Interface to Fortigate Service Manager in datacenter 1 Interface to Fortigate Service Manager in datacenter 2

19. 19 Fortinet SVM vRealize preferred user interface NSX Manager FortiManager

    vRealize Orchestration GUI only for KPN administrators API only via vRO vRA portal for simple tasks, FortiManager GUI for more advanced tasks = API = GUI vRealize Automation Fortigate Service Manager Management plane SVM per datacenter ⋙ ⋙ Advanced multi-cloud configuration tasks Common configuration tasks Fortigate-VMX Security Node Fortigate-VMX Security Node Control plane VMX per vSphere FortiManager solves the dual interface problem but was not available during the Poc. Current status is beta

20. 20 Platform requirements: § Integration with NSX § Multi-tenancy within

    NSX § Multi-tenant self-service portal § Multi-tenant API § Integration with vRealize Next Gen Firewall PoC results ✓ ✗ no, this requires developer effort ✓ ✓ but two self-service portals ✓ but two interfaces

21. 21 Platform requirements: § Integration with NSX § Multi-tenancy within

    NSX § Multi-tenant self-service portal § Multi-tenant API § Integration with vRealize Next Gen Firewall expected PoC results with FortiManager ✓ ✗ plans to build it for most used configs ✓ ✓ ✓

22. Questions?

23. None