lessons from 5 years of network function virtualization | interop ny presentation from chris swan
Post on 08-Aug-2015
copyright 2013
Lessons from 5 Years of Network Function Virtualization
Chris Swan, CTO - CohesiveFT
@cpswan
Tuesday, October 8, 13
Agenda
Introducing Network Function Virtualization (NFV)
The Networking Declaration of Independence
Business use cases:
• Wave 1 - bursting and containment
• Wave 2 - hubs and spokes
• Wave 3 - winning back control
Technical use cases
Summary
What is Network Function Virtualization?
NFV is a networking Swiss Army knife
(Diagram: one NFV device combining Firewall, Router, Switch, Protocol Redistributor, IPsec/SSL VPN concentrator and Dynamic & Scriptable SDN: a hybrid virtual device able to extend to multiple sites.)
Application SDN (Software Defined Network) Appliances
• Allow control, mobility & agility by separating network location and network identity
• Control over end to end encryption, IP addressing and network topology
A technical use case overview
(Diagram: NFV managers in three cloud regions, US East 1 (public IP 184.73.174.250, overlay IP 172.31.1.250), EMEA (public IP 54.246.224.156, overlay IP 172.31.1.246) and APAC (public IP 192.158.29.143, overlay IP 172.31.1.242), peered with each other to form an overlay network with subnet 172.31.0.0/22. Cloud Servers A to F sit on the overlay at 172.31.1.1, .5, .9, .13, .17 and .21. A customer data center in London, UK (remote subnet 192.168.4.0/24, Firewall / IPsec Cisco 5585, Data Center Servers at LAN IPs 192.168.4.50 and 192.168.4.100) and a customer remote office in Chicago, IL USA (remote subnet 192.168.3.0/24, Firewall / IPsec Cisco 5505, User Workstations at LAN IPs 192.168.3.50 and 192.168.3.100) each connect over an active IPsec tunnel, with a failover IPsec tunnel, using the selector pairs 192.168.4.0/24 - 172.31.1.0/24 and 192.168.3.0/24 - 172.31.1.0/24.)
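The topology in the overview lends itself to a consistency check before any tunnel is brought up: the customer LANs must not overlap the overlay, every overlay address must fall inside the overlay subnet, and each IPsec traffic selector must pair a site LAN with a slice of the overlay; the same check also shows which tunnel carries a given flow when a manager is down. The Python below is an added example, not code from the presentation or from CohesiveFT; the addresses are transcribed from the slide, while the pairing of sites to NFV managers (and which tunnel is the failover) is an assumption because the diagram does not show it.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional

# Values below are transcribed from the slide's diagram.
OVERLAY = ip_network("172.31.0.0/22")
SITES = {
    "Chicago": ip_network("192.168.3.0/24"),
    "London": ip_network("192.168.4.0/24"),
}
MANAGERS = {  # NFV manager -> (public IP, overlay IP)
    "US East 1": (ip_address("184.73.174.250"), ip_address("172.31.1.250")),
    "EMEA": (ip_address("54.246.224.156"), ip_address("172.31.1.246")),
    "APAC": (ip_address("192.158.29.143"), ip_address("172.31.1.242")),
}
# Cloud Servers A..F at 172.31.1.1, .5, .9, .13, .17, .21
CLOUD_SERVERS = {
    f"Cloud Server {name}": ip_address(f"172.31.1.{4 * i + 1}")
    for i, name in enumerate("ABCDEF")
}


@dataclass(frozen=True)
class Tunnel:
    """One IPsec tunnel from a site edge device to an NFV manager, with its selectors."""
    site: str
    manager: str
    local: IPv4Network    # traffic selector on the site side
    remote: IPv4Network   # traffic selector on the overlay side
    failover: bool = False


# ASSUMPTION: which site terminates on which manager is not shown on the slide;
# only the selector pairs are. The pairing here is constructed for the example.
TUNNELS = [
    Tunnel("Chicago", "US East 1", SITES["Chicago"], ip_network("172.31.1.0/24")),
    Tunnel("London", "EMEA", SITES["London"], ip_network("172.31.1.0/24")),
    Tunnel("London", "US East 1", SITES["London"], ip_network("172.31.1.0/24"), failover=True),
]


def check_address_plan() -> List[str]:
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    for site, net in SITES.items():
        if net.overlaps(OVERLAY):
            findings.append(f"{site} LAN {net} overlaps overlay {OVERLAY}")
    overlay_ips = {**CLOUD_SERVERS, **{m: o for m, (_, o) in MANAGERS.items()}}
    for name, ip in overlay_ips.items():
        if ip not in OVERLAY:
            findings.append(f"{name} overlay IP {ip} is outside {OVERLAY}")
    if len(set(overlay_ips.values())) != len(overlay_ips):
        findings.append("duplicate overlay IP assignment")
    for t in TUNNELS:
        if t.manager not in MANAGERS:
            findings.append(f"tunnel for {t.site} references unknown manager {t.manager}")
        if t.local != SITES[t.site]:
            findings.append(f"{t.site} local selector {t.local} is not the site LAN")
        if not t.remote.subnet_of(OVERLAY):
            findings.append(f"{t.site} remote selector {t.remote} is not inside the overlay")
    return findings


def select_tunnel(src: str, dst: str, down: FrozenSet[str] = frozenset()) -> Optional[Tunnel]:
    """Pick the tunnel carrying src -> dst: active first, then failover, skipping managers in `down`."""
    s, d = ip_address(src), ip_address(dst)
    candidates = [
        t for t in TUNNELS
        if s in t.local and d in t.remote and t.manager not in down
    ]
    candidates.sort(key=lambda t: t.failover)  # active (False) sorts before failover (True)
    return candidates[0] if candidates else None


if __name__ == "__main__":
    print("findings:", check_address_plan() or "none")
    print(select_tunnel("192.168.4.50", "172.31.1.5"))
    print(select_tunnel("192.168.4.50", "172.31.1.5", down=frozenset({"EMEA"})))
    # Chicago has no failover in this constructed table: a single point of failure shows up as None
    print(select_tunnel("192.168.3.100", "172.31.1.5", down=frozenset({"US East 1"})))
```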
Providers and Customers have different concerns
(Diagram: the network stack from Layer 0 through Layers 1-7 (Application Layer), with a Virtualization Layer and a Hardware Ownership Layer; Provider Control covers the lower layers and User Control the upper ones, with the limits of access, control & visibility between them.)
Service Provider SDN starts at the bottom of the network with the "device" and network flows.
Application SDN (using NFV) begins at the top of the network with the enterprise application, its owner and their collective technical and organizational demands.
Positioning - NFV and SDN
Networking Declaration of Independence
Nicira’s “declaration of independence” from metal freed NFV from OpenFlow
http://nicira.com/sites/default/files/docs/Nicira%20-%20The%20Seven%20Properties%20of%20Virtualization.pdf
These same properties free NFV from the “constraints” of OpenFlow (technology, timing and target)
Nicira defined the 7 Properties of network virtualization as:
1. Independence from network hardware
2. Faithful reproduction of the physical network service model
3. Follow operational model of compute virtualization
4. Compatible with any hypervisor platform
5. Secure isolation between virtual networks, the physical network, and the control plane
6. Cloud performance and scale
7. Programmatic networking provisioning and control
Independence from network hardware
With VM-based network devices you can use the cloud network as “bulk transport” and are indifferent to all else.
(Diagram: a Customer Data Center with a Firewall / IPsec Device and Data Center Servers on LAN 192.168.1.xx, connected by a standard IPsec tunnel to an NFV device in Public Cloud Region 1, where Cloud Servers sit on an overlay network at 172.31.11.xx.)
Reproduction of physical network model
NFV devices “look” and “feel” like the same networking devices customers have used forever, without boundaries
(Diagram: a Customer Data Center with Data Center Servers on a virtual network, connected by a standard IPsec tunnel to an NFV device in Public Cloud Region 1 with Cloud Servers on an overlay network.)
Follow operational model of compute virtualization
(Diagram: a row of NFV instances.)
NFV functions can be dynamically brought on-line, up to the elastic limits of the total infrastructure available (!!)
Compatible with any hypervisor platform
NFV does more than “follow” the model of compute virtualization, it exists via compute virtualization.
(Diagram: Public Clouds, Private Clouds and Virtual Infrastructure.)
Secure isolation
Isolation takes many forms: from underlying infra, allow my protocols, keep my “chattiness” in, keep others out, etc.
(Diagram: four Public Cloud Regions, each with Cloud Servers on their own overlay network.)
Cloud performance and scale
Where NFV really shines today: create a WAN in minutes and use cloud as points of presence for your business
(Diagram: the same multi-region overlay topology as the technical use case overview, with NFV managers in US East 1, EMEA and APAC, Cloud Servers A to F on the 172.31.0.0/22 overlay, and active and failover IPsec tunnels from London and Chicago.)
Programmatic networking provisioning & control
Cloud Compute and Network APIs + NFV Device APIs allow previously unimaginable flexibility and power
(Diagram: Public Clouds, Private Clouds and Virtual Infrastructure.)
http://maxoffsky.com/code-blog/building-restful-api-in-laravel-start-here/
Business Use Cases
Wave 1 - Bursting and Containment
Mutual fund securely extends HPC grid resource
Highlights:
• Automatically flex existing HPC solution up and down by bursting into public cloud.
• Image management tool configured and contextualized nodes in custom cloud environment.
• Used existing workload manager / grid engine software / vendor to extend their grid.
• Significantly reduced infrastructure costs, while increasing flexibility and responsiveness.
The Goals: Large Mutual Fund (LMF) must reduce the time to results. They seek an on-demand, lower cost capacity expansion.
Security & Compliance:
• Guaranteed customer control of the network layer
• Visibility, insight and control over the infrastructure
• Swapped out physical infrastructure with IaaS on a pay as you go basis
• Vendor neutral, more than one cloud
• Natural look and feel of an existing grid extension
• Encrypted data in motion, end-to-end
LMF needed more security and control than public cloud to “extend” their existing grid on the same IP network.
Outcome: LMF seamlessly flexes their grid up and down with an overlay network for the EC2 grid compute nodes with NFV.
(Diagram, "Fund bursts into public cloud to extend HPC": a Private Data Center in Boston, USA with a Firewall / IPsec device and Data Center Node, active IPsec tunnels to NFV devices in US-east-1 and US-west-1, which are peered to form an overlay network carrying the cloud grid nodes.)
Mobile provider creates secure dev/test environments
Highlights:
• Wanted speed for dev/test but couldn’t sacrifice security
• Challenged to improve quality and amount of testing with multiple vendors
• Telco had insufficient hardware resources and lacked initial install media
• Guaranteed consistency with identical topologies in virtual network
The Challenge: Our customer needed a solution when traditional dev/test processes created a 3 month bottleneck in getting services to market.
The customer wanted to use cloud for dev/test environments on-demand, and to migrate 10 year old Oracle, Stellent, Tibco, and Websphere images to AWS and VMware environments.
They needed to securely connect two developer offices and dev partners in a third office.
The Outcome: Functionally equivalent multi-tier distributed system ran both in AWS and VMware to give testing capacity on demand from a public cloud and production on premise.
Ensured consistent topologies within secure virtual networks.
(Diagram, "AD Configuration with Dual NIDs": a Developer Office in the USA with a Firewall / IPsec device and User Workstations, and a Partner Data Center with a Firewall / IPsec device, Data Center Servers and a Private Cloud, connected by active IPsec tunnels (192.168.4.0/24 - 172.31.1.0/24) to an NFV device in US-east-1; the NFV devices are peered into a hybrid network carrying Virtual Machines.)
UK non-profit reduces CO2 with IBM SmartCloud
Highlights:
• Energy Saving Trust (EST) needs to analyse data while keeping costs to a minimum
• Must gather, analyse, and compute big data sets and graphically display usage
• Non-profit securely connects and automates in SmartCloud
"The services we provide […] make it possible to achieve energy efficiency targets faster and at less cost." - Will Rivers, Housing Data Manager, Energy Saving Trust
The Challenge: EST has over 20 years of energy data with 250M data points on 25M households, and wanted to grow compute resources while saving costs.
“IBM SmartCloud means that the services we can offer are no longer constrained by the limitations of our on-site hardware.” - Simon Elam, Programme Manager, Energy Saving Trust
The Goals:
• Encourage energy efficiency through real-time data and energy maps
• Collect and analyse large sets of public utility and energy data
• Create maps with geographic information system (GIS)
• Grow without impacting performance
Outcome: CohesiveFT and Assimil8, both IBM Business Partners, helped migrate and connect EST’s IBM software running in IBM SmartCloud Enterprise.
(Diagram, "Energy Saving Trust analyzes data in SmartCloud": On-Site Hardware in the UK with a Firewall / IPsec device and Data Center Servers, connected by an active IPsec tunnel to an NFV device in Ehningen with Virtual Machines / Cloud Servers.)
US Sports Association flexes up and down during large annual events
Highlights:
• Added capacity without the hardware, overhead and management costs
• Wanted to scale and control capacity
• Secure communication with partners, customers and media members with a cloud-based solution
• Secure, encrypted data in motion and access to data center with NFV
The Situation: A US National Sports Association looked to public cloud to expand capacity for an annual live, international sporting event.
Challenge: For a few days a year, the network and servers must react and scale quickly without any outages.
Information could not be unsecured beyond the DMZ - data in plain text was not an option.
Solution Featured:
• Scalable with the capacity needed around global events
• Encryption for all data in motion
• Overlay network on top of public cloud infrastructure
• Perpetual license to accommodate scaling needs
(Diagram, "Capacity expansion: meeting game day demand": Main Offices / Data Center in New York, NY USA with a Firewall / IPsec device, active IPsec tunnels to an NFV device in us-east-1 with Virtual Machines / Cloud Servers, and Media Partners' workstations in EMEA, US & ANZ.)
SaaS vendor reaches customers without on-site data centers or physical networks
Highlights:
• Large independent logistics firm wanted to move to SaaS delivery model without burdening clients
• Removed migration complexity without changing the business model or operations
• Solved end client’s issues with on-site data centers and large software clients
• Overlay network allows customer to deploy to any public cloud provider
The Situation: Mobile banking solution provider wanted to connect many financial institution customers to a cloud-based common platform to connect partners and customers
Challenges:
• Limited multi-tenant environments for customers to pass industry-standards tests
• Connectivity without the hurdles of traditional networks, data centers and enterprise rules
• Managing apps across different public and private clouds
• End customer security concerns
Outcome: The customer can offer a SaaS version of their BPMS where end customers can access it as if it were a subnet on their network.
The solution guarantees data in motion encryption.
The BPMS firm can now connect their clients’ software to cloud-based data centers without up-front, capital intense processes.
(Diagram, "BPMS-as-a-SaaS without traditional complexity": a Home Data Center in Boston, MA USA with a Firewall / IPsec device, active IPsec tunnels to an NFV device in us-east-1 and a failover IPsec tunnel to an NFV device in us-west-2, peered into a federated cloud overlay network hosting the cloud-based SaaS tool on Virtual Machines; Customer Data Centers 1 and 2 in London, UK and Berlin, DE, with private cloud / Data Center Servers, connect in.)
Wave 2 - Hubs and spokes
Connect customers in a shared, private environment.
Highlights:
• Customer switched from on-premise to cloud-based data analysis SaaS for retail clients.
• Needed additional resources with secure, shared infrastructure.
• Offered multitenant cloud-based services to customers and partners.
• Created secure connections with both IPsec edge connectivity and SSL/TLS VPN
A retail data analysis firm wanted to expand cloud-hosted resources while securely linking customers to a new cloud-based service.
Challenges:
• Guaranteed encryption for all data in motion and at rest.
• Overlay network to federate across any public cloud provider.
• Secure connections with both IPsec edge connectivity and SSL/TLS VPN
• Customer created a true Cloud WAN network with overlays and cloud providers.
Customer now manages more than 100 cloud environments across a mix of dev, internal IT, and customer implementation categories in a seamless “single network” mix.
(Diagram, "Cloud “Meet Me Room”": a US Data Center with a Firewall / IPsec device and Data Center Servers, active IPsec tunnels to an NFV device in eu-west-1 hosting the SaaS app on Cloud Servers / Virtual Machines in a federated multicloud network; the Customer Network in the UK reaches it via browser-based portal access.)
Firm extended offerings with global cloud points of presence
Highlights:
• Offered global redundancy at dramatically lower cost than traditional infrastructure.
• Needed secure connections to existing data centers and networks.
• Access critical infrastructure “in region” without delays or capital of physical resources.
• Global reach for products and global redundancy for security.
A global end point threat prevention company wanted to have global reach for a cloud-based threat protection and virus scanning system.
Additionally, they wanted to ensure global redundancy using multiple cloud providers.
Customer Required:
• Working with multiple cloud providers and cloud regions
• Connections across clouds and down to existing physical data centers and networks
Outcome:
• Guaranteed encryption for all data in motion and at rest
• Overlay network to federate across any public cloud provider
• End customers can access critical resources without waiting for inter-continental lag times, at much lower costs.
(Diagram, "Cloud WAN for global reach and redundancy": a Data Center in Frankfurt, Germany with a Firewall / IPsec device and Data Center Server, an Office in London, UK, and Customer 2 in Tokyo, Japan with workstations, connected by active IPsec tunnels to peered NFV devices in APAC-1, the US East Coast and the Netherlands forming a Cloud WAN.)
Cloud WAN connectivity without the expensive assets or contracts.
Highlights:
• Global reach for products and global redundancy for security.
• Needed secure connections to existing data centers and networks.
• Access critical infrastructure “in region” without physical resources.
• Offered global redundancy at dramatically lower cost.
A pharmaceutical information systems firm wanted to integrate US-based offices together and to integrate offices to their cloud infrastructure.
Challenges: Offices had different hardware and software, networks and data needs. The firm did not want to invest in assets or long term contracts with vendors.
Solution Featured:
• Guaranteed encryption for all data in motion and at rest
• Overlay network federates across public cloud providers
• IPsec and data in motion encryption
• Customer created a true Cloud WAN with overlays and cloud provider edges.
Outcome: Each office connected to the cloud-based systems and also connected to each other using the cloud as network backbone.
(Diagram, "Pharmaceutical system federates infrastructure": a Data Center in New York, USA with a Firewall / IPsec device and Data Center Server, Medical Office 1 / Customer Hospital in Boston, USA, Medical Office 2 in San Francisco, USA and a Private Cloud in Salt Lake City, USA, connected by active IPsec tunnels to peered NFV devices in US-east-1 and US-west-1 forming a Cloud WAN with SaaS portals.)
Connecting mobile banking customers to a common cloud-based infrastructure
Highlights:
• Online & mobile banking company needed connectivity solution to meet regulatory requirements.
• Financial customers could use a "security lattice" approach, encrypting all critical data in motion
• Enabled customer to serve end customers from a common platform.
• Multitenancy model allowed customer to pass along cloud economies of scale.
The Situation: Mobile banking solution provider wanted to connect many financial institution customers to a cloud-based common platform to connect partners and customers
Challenges: Multi-tenant infrastructure required secure connectivity with minimal complexity and manpower expense.
Public cloud flexibility and savings plus additional security and connectivity.
Solution featured:
• Connections with standard IPsec equipment
• A connection “edge” to customer deployments and cloud infrastructure
• Encrypted data in motion
Outcome: Cloud-based banking platform brought customers online quickly at lower cost.
(Diagram, "Multitenant cloud-based partner network": the provider's Home Network in the USA with a Firewall / IPsec device and Data Center Server, encrypted IPsec tunnels to an NFV device in US-west-1 hosting the Mobile Banking Platform on Virtual Machines, and Customer Data Center 1 (UK) and Customer Data Center 2 (USA) with Data Center Servers connecting in.)
Mobile provider improved quality in secure dev/test environments
Highlights:
• Wanted speed for dev/test but couldn’t sacrifice security
• Challenged to improve quality and amount of testing with multiple vendors
• Image management helped move existing images and templates into production-ready environments
• Guaranteed consistency with identical topologies in virtual network
Problem: Customer needed a solution when traditional testing and dev/test created a three month bottleneck while getting services to market.
Solution: The customer used the cloud for dev/test environments on demand by migrating 10 year old Oracle, Stellent, Tibco, Websphere images to AWS and VMware, and securely connected two developer offices and dev partners in a third office.
Outcome: Functionally equivalent multi-tier distributed system ran both in AWS and VMware to give testing capacity on demand from a public cloud and production on premise.
The customer moved existing images and templates into production-ready environments.
(Diagram, "Leading global mobile telco service provider": Dev/Test 1 in Boston, USA and Dev/Test 2 in London, UK with Data Center Servers, and a Partner Data Center in London, UK with a Firewall / IPsec device and Private Cloud, connected by active IPsec tunnels to peered NFV devices in EMEA forming an overlay network of Cloud Servers / Virtual Machines.)
Scalable, pay as you go solution connects cloud-based apps to partner networks.
Highlights:
• Connected telco partners with partners’ exact IP addresses.
• Concerns over keeping customer and partner traffic separate and secure
• Needed to quickly scale up and down, with a price package to match
• Overlay network segmented partners to take control of security, addressing, and connection
The Situation: A telco with a mobile app needed to connect cloud-based app servers to APAC partners on the partners’ exact IP addresses.
The solution required:
• Overlay networks
• Instance-based solution using pay-as-you-go virtual appliances
• Customer-defined address pools
• Guaranteed encryption for all data in motion, including customer session tokens and payment information
Outcome: Customer was able to create POPs in multiple regions with attestable security.
The network can be abstracted from the cloud vendors’ address schemes to create a scalable, pay as you go solution to match their business model.
(Diagram, "Mobile app developer connects on overlay": a Customer Site in London, UK with a Firewall / IPsec device and Data Center Server, and Partner LANs 1 and 2 in Osaka, Japan and Hong Kong with Data Center Servers, connected by dedicated IPsec tunnels to peered NFV devices in Asia Pacific (Tokyo) and Ehningen hosting the cloud-based SaaS tool on Virtual Machines.)
Research groups connect to location-independent infrastructure
Highlights:
• US-based research groups have global observatories and collaborations
• Platform would speed research, enhance collaboration
• Location-independent data collection and analysis
• NFV and image management helped the group create common, shared infrastructure
Challenge: Needed to create a new computing architecture based on virtualization to support collaborative efforts through multiple layers of research groups.
The research groups had to have control over final output quality and virtual devices in a complex sensor platform.
Solution: New computing architecture needed to use virtualization, multiple separate research groups, and virtual devices in a complex platform.
Outcome: With NFV and image management, the customer created a common shared infrastructure that was location independent.
(Diagram, "Scientific research groups connect, migrate to cloud": a Research Campus in Palo Alto, CA USA, Observatory 1 in Honolulu, HI USA and Observatory 2 in the Marshall Islands, with workstations and Firewall / IPsec devices, connected by active IPsec tunnels to an NFV device in US-west-1 forming a global overlay network of Virtual Machines and Nodes.)
Wave 3 - Winning back control
Overlay between public & private cloud
(Diagram: Cloud Servers at Locations 1 to 5, each with their own public IPs, peered over an NFV overlay network 172.31.0.0/24 in Region Europe-1.)
• Not technically very different from bursting, but motivation is different
• Get network (re)configured in minutes rather than waiting weeks for a change request to be implemented by the (outsourced) NOC
• No need for new hypervisor or networking equipment
The first “process” customizable cloud transport network device
NFV allows customers to embed features and functions provided by other vendors - or developed in house, safely and securely into cloud networks
• Not just a scripting interpreter that allows control over known, existing features
• Completely new functions, processes, computation delivered to the core of the customer cloud network (patent pending)
(Diagram: an NFV device, customer controlled and co-created for the best hybrid cloud experience, combining Router, Switch, Firewall, IPsec/SSL VPN Concentrator, Protocol Redistributor, Dynamic & Scriptable SDN, Proxy, Reverse Proxy, Content Caching, Load Balancing, Intrusion Detection and more.)
Encrypted Overlay network in VPC
NFV as a converged device gateway into cloud
(Diagram: a single IP address on the NFV device fronting Web App 1, Web App 2 and Web App 3.)
• Customer created a customized reverse proxy application (NGINX) inside the NFV appliance
• NFV provides end-to-end encryption, private address control, firewalling, and port forwarding
• NGINX configuration files are completely customer controlled
• NGINX app sits at the transport layer inside the NFV appliance
• Runs on the encrypted overlay network in VPC
NFV Technical Capabilities
Cloud Address Control
Problem:
• Applications may be hard wired to specific IP addresses
• Cloud providers cannot provide portability of internal IPs
NFV Solution:
• Control static addressing
• Local Area Network (LAN) address extension to the cloud
• Servers and Topologies behave as though they are running locally
• Application centric network is portable
(Diagram: a Customer Data Center with Firewall / IPsec Device and Data Center Servers on LAN 192.168.1.xx, connected by a standard IPsec tunnel to an NFV device in Public Cloud Region 1 with Cloud Servers on an overlay network at 172.31.11.xx.)
Cloud Protocol Control: Multicast
Problem:
• Enterprise software uses multicast protocols for service election and service discovery
• Most public cloud providers block multicast
NFV Solution:
• Send multicast traffic via NFV based overlay network before it is rejected by underlying network infrastructure
(Diagram: a Customer Data Center with Firewall / IPsec Device and Data Center Servers on the LAN, connected by a standard IPsec tunnel to an NFV device in Public Cloud Region 1 with Cloud Servers on an overlay network.)
Cloud Security Control: IPsec Tunneling
Problem:
• Public Cloud is accessed via Internet
• HTTPS is fine for web apps and services but isn't always appropriate for other use cases
NFV Solution:
• Connect networks with industry standard IPsec
• Use existing network edge security appliances (Cisco, Juniper, Netscreen, SonicWall etc.)
• Use existing secure communication methods/practices - the same as currently used to connect offices, data centers or partners/customers
(Diagram: a Data Center with Firewall / IPsec Device and Data Center Servers on the LAN, connected by a standard IPsec tunnel to an NFV device in Public Cloud Region 1 with Cloud Servers on an overlay network.)
Cloud Security Control: Multiple IPsec
Problem:
• Cloud providers limit the number of IPsec connections
NFV Solution:
• NFV Manager enables multiple IPsec connections to a cloud-based overlay network segment
• Serves as user-controlled, virtualized switch/router inside the provider cloud
• Cloud deployed servers can communicate with multiple IPsec gateways via endpoint-to-endpoint encrypted connections
(Diagram: Customer Site 1, Customer Site 2 through Customer Site N, each with its own IPsec device, terminating standard IPsec tunnels on one NFV device in Public Cloud Region 1 with Cloud Servers on an overlay network.)
Use Existing Monitoring Tools
Problem:
• Cloud deployments cannot be connected to existing network operations center
NFV Solution:
• Use your existing monitoring tools for cloud deployments
• NFV allows the use of an existing NOC to monitor and manage devices in the data center and the cloud
(Diagram: a Customer Data Center with Firewall / IPsec Device and Data Center Servers on a virtual network, connected by a standard IPsec tunnel to an NFV device in Public Cloud Region 1 with Cloud Servers on an overlay network.)
Customer-Partner Networks in Public Cloud
Problem:
• Securely connect customers, partners or branches to specific servers in shared infrastructure
NFV Solution:
• Industry standard secure connectivity to isolated servers in public cloud
• Data in motion in the public cloud is encrypted
(Diagram, "Customer - Partner Network": a Partner Data Center in EMEA (physical data center / private cloud server / node), Customer 1 in APAC and Customer 2 in the USA, each with a Firewall / IPsec device, connected by active IPsec tunnels to an NFV device in the cloud deployment in Public Cloud Region 1.)
Summary
NFV allows networks to be built out of the cloud
Users get control over their:
• addressing
• topology
• security
• protocols
When you give people a networking Swiss Army knife to run in the cloud they do all kinds of stuff that you might not have expected
Questions?
CohesiveFT Americas, Chicago, IL USA - ContactMe@cohesiveft.com, 888.444.3962
CohesiveFT Europe, London, UK - ContactMe@cohesiveft.com, +44 208 144 0156