{"id":116948,"date":"2020-07-28T14:30:13","date_gmt":"2020-07-28T21:30:13","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=116948"},"modified":"2020-08-07T15:14:26","modified_gmt":"2020-08-07T22:14:26","slug":"network-cn-series-firewalls","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2020\/07\/network-cn-series-firewalls\/","title":{"rendered":"CN-Series Firewalls: Comprehensive Network Security for Kubernetes"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">How can you and your organization deploy effective network security for containers? This question has become top of mind for network security teams as they sort through the complexities of traditional applications becoming increasingly containerized \u2013 and as they see cloud native applications rely on containers, serverless and platform as a service (PaaS) technologies. Last week\u2019s general availability of the Palo Alto Networks <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/network-security\/cn-series\"><span style=\"font-weight: 400;\">CN-Series container firewall<\/span><\/a><span style=\"font-weight: 400;\"> answers these concerns, based on a <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/resources\/ebooks\/cn-series-container-firewalls-for-kubernetes\"><span style=\"font-weight: 400;\">deep understanding<\/span><\/a><span style=\"font-weight: 400;\"> of customer challenges with Kubernetes.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">Consistent Security Remains a Big Kubernetes Security Concern<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">More and more organizations are discovering how Kubernetes and containers can be attractive options for application development. 
Containers can simplify development as they enable DevOps teams to move fast, deploy software efficiently and save compute resources.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Kubernetes plays a critical role in these environments by automating the deployment, scaling and networking of containerized applications. But network traffic across hosts and between container pods can also present opportunities for attackers. What\u2019s more, containers frequently need to connect to mission-critical applications, which always need comprehensive network security.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The <\/span><a href=\"https:\/\/www.cncf.io\/wp-content\/uploads\/2020\/03\/CNCF_Survey_Report.pdf\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">2019 Cloud Native Computing Foundation (CNCF) survey<\/span><\/a><span style=\"font-weight: 400;\"> indicates 78% of respondents are using Kubernetes in production \u2013 and security continues to be one of their key concerns. That overall concern was something I heard over and over from more than 50 customers I spoke with over the course of last year. They talked about their challenges in coming up with a consistent strategy for <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/05\/network-cloud-native-applications\/\"><span style=\"font-weight: 400;\">securing containers in public and private clouds<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In particular, customers were loud and clear about three primary container security challenges:\u00a0<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">DevOps teams deploying containers in infrastructure that network security teams are responsible for protecting \u2013 while those security teams have limited visibility into the containers. 
This concern topped the list.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Containers are increasingly used alongside other workload types (such as virtual machines), and all of these workloads need consistent network security.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Orchestrating security and firewalls together with the rest of their containerized application stacks.<\/span><\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">Network Security in Kubernetes Has Unique Requirements<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Ensuring comprehensive security for Kubernetes starts with understanding how networking in Kubernetes works. <\/span><a href=\"https:\/\/github.com\/containernetworking\/cni\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Container Network Interface<\/span><\/a><span style=\"font-weight: 400;\"> (CNI) is a CNCF project that defines a specification, plus libraries and plugins, for configuring network interfaces in Linux containers. Kubernetes delegates pod networking to CNI plugins, and the specification allows plugins to be chained so that each plugin in the list is invoked in turn for the same pod interface. That chaining is what lets a firewall be placed in the network path where it can see inbound, outbound and east-west flows to and from the application pods, as seen below.\u00a0<\/span><\/p>\n<figure id=\"attachment_116949\" aria-describedby=\"caption-attachment-116949\" style=\"width: 500px\" class=\"wp-caption alignright\"><div style=\"max-width:100%\" data-width=\"500\"><span class=\"ar-custom\" style=\"padding-bottom:54.8%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-116949 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/07\/Runtime.png\" alt=\"The diagram shows how CN-Series firewalls are placed optimally in the network path so they can see the relevant traffic for inbound, outbound and east-west flows to and from the application pods. 
\" width=\"500\" height=\"274\" \/><\/span><\/div><figcaption id=\"caption-attachment-116949\" class=\"wp-caption-text\">Container Network Interface (CNI) and container firewall placement<br \/>Source: Modified from CNCF CNI Documentation<\/figcaption><\/figure>\n<p><span style=\"font-weight: 400;\">This is where Palo Alto Networks CN-Series firewalls come in and leverage the CNI chaining capabilities. It\u2019s the industry\u2019s first containerized NGFW, and has been built so it can protect containerized applications in most Kubernetes-based environments like AWS EKS, Azure AKS, Google GKE and Openshift.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">CN-Series firewalls leverage deep container context to protect inbound, outbound and east-west traffic between container trust zones along with other components of enterprise IT environments. To keep pace with DevOps speed and agility, the CN-Series makes the most of native Kubernetes orchestration and is directly inserted into continuous integration\/continuous development (CI\/CD) processes.<\/span><\/p>\n<div class=\"c-message_kit__gutter\">\n<div class=\"c-message_kit__gutter__right\" data-qa=\"message_content\">\n<div class=\"c-message_kit__blocks c-message_kit__blocks--rich_text\">\n<div class=\"c-message__message_blocks c-message__message_blocks--rich_text\">\n<div class=\"p-block_kit_renderer\" data-qa=\"block-kit-renderer\">\n<div class=\"p-block_kit_renderer__block_wrapper p-block_kit_renderer__block_wrapper--first\">\n<div class=\"p-rich_text_block\" dir=\"auto\">\n<div class=\"p-rich_text_section\">Here\u2019s how it works: PAN-OS in CN-Series firewalls is split into two containers \u2013 one operates as the management plane, while the other operates as the data plane. The CNI chaining explained above ensures that traffic for application pods that need comprehensive security goes through the data plane. 
This ensures speed and simplicity vital for developer environments because a single command within Kubernetes is all that\u2019s needed for simultaneous CN-Series deployment on every node in a Kubernetes cluster.<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p><span style=\"font-weight: 400;\">Understanding the identity of each application is key here: CN-Series has been tailored to fit into Kubernetes network architecture in ways that enable app-id, threat inspection, DNS security, WildFire, URL filtering and other critical security services. Please refer to the <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/resources\/datasheets\/cn-series-container-firewall\"><span style=\"font-weight: 400;\">CN-Series data sheet<\/span><\/a><span style=\"font-weight: 400;\"> for a complete list of supported environments.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">Security Should Follow Kubernetes Native Security Automation<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">One of the primary benefits of containers is their automation capabilities. Because CN-Series firewalls are <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/06\/network-cn-series\/\"><span style=\"font-weight: 400;\">themselves containerized<\/span><\/a><span style=\"font-weight: 400;\">, ensuring that security extends to containers becomes very easy and network security teams can better work with their DevOps counterparts to plan for firewall provisioning in Kubernetes environments.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For example, most Kubernetes experts use the command-line tool <\/span><a href=\"https:\/\/kubernetes.io\/docs\/tasks\/tools\/install-kubectl\/\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Kubectl<\/span><\/a><span style=\"font-weight: 400;\"> directly. 
DevOps teams have also started using the <\/span><a href=\"https:\/\/helm.sh\/\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Helm<\/span><\/a><span style=\"font-weight: 400;\"> package manager extensively, as it helps them define, install and upgrade complex Kubernetes applications. Customers already familiar with Terraform can also use it together with Helm if they manage the rest of their infrastructure as code (IaC) with Terraform templates. 
To ease lifecycle management of firewalls for our customers, Palo Alto Networks has published community-supported <\/span><a href=\"https:\/\/github.com\/PaloAltoNetworks\/cn-series-helm\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Helm Charts<\/span><\/a><span style=\"font-weight: 400;\"> and <\/span><a href=\"https:\/\/github.com\/PaloAltoNetworks\/cn-series-deploy\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Terraform templates<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<figure id=\"attachment_116962\" aria-describedby=\"caption-attachment-116962\" style=\"width: 500px\" class=\"wp-caption alignright\"><div style=\"max-width:100%\" data-width=\"500\"><span class=\"ar-custom\" style=\"padding-bottom:46.6%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-116962 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/07\/Terraform.png\" alt=\"The diagram shows how CN-Series firewalls fit into the landscape of Kubernetes tools, including Helm, Terraform, GKE\/AKS\/EKS and OpenShift. \" width=\"500\" height=\"233\" \/><\/span><\/div><figcaption id=\"caption-attachment-116962\" class=\"wp-caption-text\">CN-Series and Kubernetes tools<\/figcaption><\/figure>\n<p><span style=\"font-weight: 400;\">In the cloud and containerized application space, selective traffic steering that can be automated is critical for ongoing operation and security. With CN-Series, application teams indicate which apps need inspection with a single annotation in the app\u2019s YAML manifests. Checks can be added to the CI\/CD pipeline to verify that apps handling PCI data, or apps with other stringent network security requirements, actually carry that annotation and so have NGFW security enabled. This allows for better coordination between DevOps and network security teams.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">It's All About Consistent Security Policies and Threat Prevention<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Most large enterprises have applications running in different workload form factors (VMs, bare metal, containers and so on) on the network \u2013 and want the ability to apply consistent policies to applications, regardless of the hosting workload type.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Our customers have built security policies for their existing firewalls and are excited about CN-Series allowing them to extend these policies to containerized workloads by leveraging Kubernetes labels. Policies can be built using labels attached to namespaces, services, ReplicaSets and pods, rather than on ephemeral pod IP addresses. 
This means that policies don\u2019t need to be updated when apps scale.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It\u2019s important to understand that most containerized apps have known and as-yet-unknown vulnerabilities, and both kinds can be exploited over the network. The rich set of threat prevention capabilities in CN-Series automatically blocks known malware, vulnerability exploits and command-and-control (C2) traffic, reducing the resources, complexity and latency that would otherwise be needed. We continue to add threat coverage for components of containerized infrastructure such as Kubernetes, Docker and OpenShift, as well as for most containerized apps, including Redis, MongoDB, WordPress and NGINX. Automation of policies can be accomplished using the integration of Palo Alto Networks Cortex XSOAR and PAN-OS, as seen below.\u00a0<\/span><\/p>\n<figure id=\"attachment_116975\" aria-describedby=\"caption-attachment-116975\" style=\"width: 500px\" class=\"wp-caption alignleft\"><div style=\"max-width:100%\" data-width=\"500\"><span class=\"ar-custom\" style=\"padding-bottom:46.2%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-116975 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/07\/Detection-sources.png\" alt=\"This diagram illustrates how policies can be automated and integrated with Cortex XSOAR, flowing from detection sources, through ingestion and to incident response tools. \" width=\"500\" height=\"231\" \/><\/span><\/div><figcaption id=\"caption-attachment-116975\" class=\"wp-caption-text\">CN-Series policy automation and integration with Cortex XSOAR<\/figcaption><\/figure>\n<p><span style=\"font-weight: 400;\">Palo Alto Networks strongly believes container adoption demands comprehensive protection all the way from scanning container registries in the CI\/CD pipeline to network security in production deployments. 
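The CI/CD check described earlier (apps handling PCI data must carry the annotation that opts them into NGFW inspection) is the kind of gate a pipeline can enforce mechanically. The script below is an added example written for this post; it is not code from the original page, from the CN-Series Helm charts, or from Palo Alto Networks. It assumes an annotation key `example.com/firewall` with value `enabled` and a label `compliance: pci` as stand-ins for whatever the real plugin and the organization use, and it assumes, as holds for any CNI-level opt-in, that the annotation must sit on the pod template (what the CNI plugin sees when the pod is created) and not merely on the Deployment object. It reads manifests as JSON so it needs only the Python standard library; the sample manifests are constructed for the example.

```python
"""CI gate: every PCI-scoped workload must opt in to NGFW inspection.

Added example for this post; not code from the original page or from
Palo Alto Networks. Assumptions, none of which come from the page:
  * the opt-in is the pod annotation "example.com/firewall: enabled"
    (a stand-in for whatever key the real CNI plugin matches on);
  * PCI scope is declared with the label "compliance: pci".
Manifests are read as JSON so only the standard library is needed
(e.g. `kubectl get deploy,sts -A -o json` or `helm template ... | yq -o=json`).
"""
import json
import sys

FIREWALL_ANNOTATION = "example.com/firewall"   # assumed annotation key
FIREWALL_VALUE = "enabled"                       # assumed annotation value
PCI_LABEL = ("compliance", "pci")                # assumed label

# Kinds whose pods are stamped from a template. Traffic steering happens per
# pod, so the annotation has to live on spec.template.metadata, not on the
# controller object; putting it on the Deployment alone protects nothing.
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}


def pod_metadata(obj):
    """Return the metadata that actually ends up on the running pods, or None."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("metadata", {})
    if kind in TEMPLATED_KINDS:
        return obj.get("spec", {}).get("template", {}).get("metadata", {})
    if kind == "CronJob":
        job = obj.get("spec", {}).get("jobTemplate", {})
        return job.get("spec", {}).get("template", {}).get("metadata", {})
    return None  # Services, ConfigMaps, ... run no pods


def is_pci_scoped(obj, pod_meta):
    """PCI scope may be declared on the controller or on its pod template."""
    key, val = PCI_LABEL
    return any((m.get("labels") or {}).get(key) == val
               for m in (obj.get("metadata", {}), pod_meta))


def find_violations(objects):
    """Return one finding per PCI workload that will not be steered to the NGFW."""
    findings = []
    for obj in objects:
        pod_meta = pod_metadata(obj)
        if pod_meta is None or not is_pci_scoped(obj, pod_meta):
            continue
        meta = obj.get("metadata", {})
        ident = f"{obj.get('kind')}/{meta.get('namespace', 'default')}/{meta.get('name')}"
        value = (pod_meta.get("annotations") or {}).get(FIREWALL_ANNOTATION)
        if value == FIREWALL_VALUE:
            continue  # correctly opted in
        on_controller = (meta.get("annotations") or {}).get(FIREWALL_ANNOTATION)
        if obj.get("kind") != "Pod" and on_controller == FIREWALL_VALUE:
            findings.append(f"{ident}: {FIREWALL_ANNOTATION} is set on the "
                            f"{obj['kind']} object, not on spec.template.metadata; "
                            "pods will not be steered")
        elif value is None:
            findings.append(f"{ident}: PCI-scoped but missing the "
                            f"{FIREWALL_ANNOTATION} annotation")
        else:
            findings.append(f"{ident}: {FIREWALL_ANNOTATION}={value!r}, "
                            f"expected {FIREWALL_VALUE!r}")
    return findings


def load_manifests(text):
    """Accept a single object or a v1/List, as `kubectl get -o json` emits."""
    doc = json.loads(text)
    return doc.get("items", []) if doc.get("kind") == "List" else [doc]


def _workload(kind, name, labels, tmpl_ann=None, ctrl_ann=None):
    """Build a constructed sample manifest (not real cluster data)."""
    return {"apiVersion": "apps/v1", "kind": kind,
            "metadata": {"name": name, "namespace": "pci", "labels": labels,
                         "annotations": ctrl_ann or {}},
            "spec": {"template": {"metadata": {"labels": labels,
                                               "annotations": tmpl_ann or {}},
                                  "spec": {"containers": [{"name": "app",
                                                           "image": "app:1.0"}]}}}}


# Constructed sample: one compliant workload, two broken ones, two out of scope.
SAMPLE = json.dumps({"kind": "List", "apiVersion": "v1", "items": [
    _workload("Deployment", "payments", {"compliance": "pci"},
              tmpl_ann={FIREWALL_ANNOTATION: FIREWALL_VALUE}),
    _workload("Deployment", "cardvault", {"compliance": "pci"},
              ctrl_ann={FIREWALL_ANNOTATION: FIREWALL_VALUE}),   # wrong place
    _workload("StatefulSet", "ledger", {"compliance": "pci"}),   # no opt-in
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "payments"}},
    _workload("Deployment", "frontend", {"tier": "web"}),        # not PCI
]})

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    problems = find_violations(load_manifests(text))
    for line in problems:
        print(line, file=sys.stderr)
    sys.exit(1 if problems else 0)   # non-zero exit fails the pipeline stage
```

Run with no arguments to see the two findings from the constructed sample, or pass a JSON file rendered from the real charts. The misplaced-annotation case is the one worth keeping in such a gate: a Deployment that carries the annotation on its own metadata passes a naive grep yet produces pods the CNI plugin never steers to the firewall.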
We have built the most comprehensive suite of products in <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/prisma\/cloud\/compute-security\/container-security\"><span style=\"font-weight: 400;\">Prisma Cloud<\/span><\/a><span style=\"font-weight: 400;\"> and in <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/resources\/datasheets\/cn-series-container-firewall\"><span style=\"font-weight: 400;\">CN-Series firewalls<\/span><\/a><span style=\"font-weight: 400;\"> to ensure security concerns do not remain a hindrance as you embark on the container adoption journey.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">So how can you and your organization deploy effective network security for containers? To discover in-depth technical details about how CN-Series has been designed to resolve burning container security questions, visit <\/span><a href=\"https:\/\/docs.paloaltonetworks.com\/cn-series\"><span style=\"font-weight: 400;\">CN-Series TechDocs<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Palo Alto Networks CN-Series firewalls are now generally available. 
See how they tackle three big Kubernetes network security concerns.<\/p>\n","protected":false},"author":663,"featured_media":112724,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6768,6765],"tags":[7150,1815,6731,111],"coauthors":[7211],"class_list":["post-116948","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-cloud","category-secure-the-enterprise","tag-cn-series","tag-firewall","tag-kubernetes","tag-ngfw","net_sec_category-next-generation-firewalls"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/06\/Sapporo_Event_Social_NGFW_1200x628_Responsive.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/116948","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/663"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=116948"}],"version-history":[{"count":4,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/116948\/revisions"}],"predecessor-version":[{"id":117007,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/116948\/revisions\/117007"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/112724"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=116948"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=116948"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=116948"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=116948"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}