SOLUTION BRIEF
ACCELERATED SOFTWARE-DEFINED SECURITY WITH CISCO APPLICATION CENTRIC INFRASTRUCTURE
Organizations are looking to deliver more agile private cloud infrastructure, from compute to storage to networking, to enable applications that can connect more easily and rapidly with end users, customers, and partners. But networking and network security traditionally tied to rigid, dedicated hardware increase OPEX and management complexity. Networking and Layer 4 through Layer 7 application services usually require manual configuration and constant management updates to keep up with changes. To meet the agility requirements of the software-defined data center/private cloud paradigm shift, networking and application services also need to respond with automation based on predefined policies and on-demand orchestration.
Cisco® Application Centric Infrastructure (ACI) integrates Fortinet FortiGate appliances for the private cloud to deliver application-centric security automation in modern data centers.
The integration of Cisco ACI architecture with the FortiGate solutions provides automated, predefined policy-based security provisioning and security policy updates for NGFW, UTM and VPN services. The solution enables transparent security services insertion anywhere in the network fabric through a single-pane-of-glass management.
Cisco ACI also improves packet forwarding. The network’s application-aware policy model is the foundation of security within Application Centric Infrastructure. It essentially “dictates what can talk to what on this network − it all gets enforced in appliances at the edge.”
SOLUTION HIGHLIGHTS
- Better visibility and security correlated with overlay/underlay networks
- Lower TCO from reduced administrative OPEX
- Accelerated application and L4-L7 security deployment
- Increased efficiency in service provisioning and network security segmentation
FIGURE 1: CISCO ACI AND FORTIGATE SOLUTION
[Figure: ACI fabric in the data center with spine nodes and leaf nodes, the APIC, a physical FortiGate appliance and a FortiGate VM; Web EPG and DB EPG; VM and Web VM. ACI domain types shown: 1. VMM Domain, 2. Physical Domain, 3. External Layer 2, 4. External Layer 3.]
Copyright © 2018 Fortinet, Inc. All rights reserved.
February 21, 2018 4:54 PM
The integration of Cisco ACI and the Fortinet FortiGate solution comes with the following benefits:
- Consistency and transparency across physical and virtual application workloads
- Single-pane-of-glass management from Cisco APIC with full visibility into security policy enforcement
- Predefined security policies deployed rapidly throughout the complete application deployment lifecycle
HOW DOES IT WORK TOGETHER?
The Fortinet Software Defined Security (SDS) framework provides the integration path for software-defined networking (SDN), network function virtualization (NFV), and programmable switch platforms, and enables service policy automation through RESTful APIs and scripting with JSON and XML data formats.
The integration requires two components:
- Fortinet FortiGate device packages, uploaded to APIC
- Cisco ACI-certified FortiGate appliances, both physical and virtual
LAYER 4 AND LAYER 7 SERVICE INSERTION FLOW
IT administrators define service policies such as high availability, virtual IP, port forwarding and so on for different applications in APIC, and create service graphs that identify the set of network or service functions the applications need. When a security policy is triggered during the application deployment lifecycle, Cisco APIC steers the traffic through the Fortinet FortiGate for advanced firewall inspection without manual configuration.
The Cisco APIC integrates with Fortinet FortiGate appliances for the private cloud to simplify network security deployment. To connect the FortiGate appliance to the Cisco ACI fabric, the virtualization administrator simply associates the predefined security policy with the virtual machine networks created by the Cisco APIC. The Cisco ACI fabric is designed to provide overlay independence and can bridge frames to and from heterogeneous environments.
FIGURE 2: SERVICE GRAPH DESIGN IN APIC CONTROLLER SIMPLIFIES LOGICAL APPLICATION FLOW
[Figure: a device package zip file containing the Device Model XML, Device Scripts, Supporting Text Files and an Image File is uploaded to the APIC Policy Manager; the Device Model XML and Image File are registered with the Policy Manager, while the device scripts run under a Scriptwrapper Process in a Linux name space dedicated to the device package, which talks to the devices over a REST/CLI interface.]
FIGURE 3: DEVICE PACKAGE ARCHITECTURE
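Because the device package's scripts execute inside APIC (Figure 3), an operator should inspect a package before uploading it. The following is an added example, not code from the brief, Fortinet or Cisco: it builds a constructed sample zip with the four component kinds Figure 3 lists (the member file names are assumptions, not Cisco's specification) and checks integrity, completeness, XML well-formedness and path traversal.

```python
import hashlib
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

# Assumed member names for illustration; Figure 3 names only the component kinds.
REQUIRED = {
    "model": "device_model.xml",
    "script": "device_script.py",
    "text": "README.txt",
    "image": "vendor_logo.png",
}


def build_sample_package(extra_members=None) -> bytes:
    """Constructed sample device package zip (not a real Fortinet package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(REQUIRED["model"], "<devicePackage vendor='example'/>")
        zf.writestr(REQUIRED["script"], "def validate(device):\n    return {}\n")
        zf.writestr(REQUIRED["text"], "constructed sample text\n")
        zf.writestr(REQUIRED["image"], b"\x89PNG\r\n\x1a\n")
        for name, data in (extra_members or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_package(blob: bytes) -> dict:
    """Pre-upload checks: record the sha256 for change control, require all
    component kinds, parse the model XML, and reject entries that would
    escape the package directory when extracted (zip path traversal)."""
    report = {"sha256": hashlib.sha256(blob).hexdigest(),
              "missing": [], "unsafe_paths": [], "xml_ok": False}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        for n in names:
            norm = posixpath.normpath(n)
            if n.startswith("/") or norm.startswith("..") or "\\" in n:
                report["unsafe_paths"].append(n)
        report["missing"] = [m for m in REQUIRED.values() if m not in names]
        if REQUIRED["model"] in names:
            try:
                ET.fromstring(zf.read(REQUIRED["model"]))
                report["xml_ok"] = True
            except ET.ParseError:
                pass  # malformed model XML: leave xml_ok False
    report["ok"] = (not report["missing"] and not report["unsafe_paths"]
                    and report["xml_ok"])
    return report
```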