SDN and NFV Era

Microservices and Cloud-Native Apps Need a Security Revolution. Contrail Security Delivers.

by Juniper Employee, 08-29-2017 04:41 AM (edited 08-29-2017 08:29 AM)

Enterprise applications are rapidly evolving while embracing modern “cloud-native” or “cattle” architectures such as microservices and becoming more dynamic and distributed. These applications are frequently the centerpiece of updated corporate strategies, generating new business and revenue. As these applications are disassembled, distributed, and redesigned for dynamic scaling, new techniques for managing policies, enforcing security, and assuring compliance are essential. These capabilities must be deployed across multiple clouds, private and public infrastructure, over multiple workloads (VMs or bare metal servers with or without containers), and across various geographies.


The security challenges of this endeavor are real, with damages from breaches, ransomware, and DDoS attacks likely reaching hundreds of billions of dollars. Enterprise developers, architects, and security and compliance teams must come together and address these challenges. Unfortunately, the disparate cloud technologies, differing public cloud capabilities and APIs, and the fragmented networking and security landscapes have made this nearly impossible—until now. Today, many are gravitating towards a cluster of technologies that abstract the underlying infrastructure, providing more advanced application management and deployment techniques.


At the compute layer, technologies like Docker and Kubernetes are managing to solve these application management and deployment problems. At the network layer, SDN technologies such as Contrail Networking are solving the “cross-cloud” and “VM to bare metal” abstraction problems. When combined, container technology and SDN seem like an ideal way to establish a uniform cloud-agnostic and portable infrastructure. All that is missing is the security piece. 


Enter Contrail Security.

Contrail Security leverages existing Contrail Networking technology, the world’s #1 SDN solution. Contrail Security is designed to address the security shortcomings of distributed applications in a number of ways by providing:


  1. Application traffic discovery and visualization.
  2. Consistent intent-driven policies.
  3. Scalable and high-performance multipoint enforcement.
  4. Operator assistance for anomaly detection and analytics.
  5. APIs and automation everywhere.


Most importantly, because it leverages Contrail Networking, Contrail Security provides these capabilities across all clouds (public or private), bare metal servers or VMs, with or without containers, and across arbitrary data centers.


Excited yet? We are. Let’s dig in further.


Getting to Know Contrail Security.

Contrail Security is a new product from Juniper Networks designed for security admins, CISOs, and security practitioners that provides the granular level of security that distributed cloud-native applications running in hybrid or multi-cloud environments demand. Although fairly new, it leverages the scalable, performant, and battle-tested components of Contrail Networking (i.e. the scalable API-server and Controller, the high-performance vRouter, and the analytics module). For more details on Contrail Networking features, please refer to this blog we published earlier this year.



The goal of Contrail Security is to minimize risks to applications running in these multi-cloud environments from lateral (i.e. east-west) threats by offering the following capabilities:


1. Application traffic discovery and visualization: Before provisioning complex policies, security operators and developers must first learn how applications interact and communicate with each other. It is impossible to develop a cohesive, comprehensive, yet concise security policy without knowing how the different components of an application interact. Contrail Security provides detailed inter- and intra-application traffic visualization, giving operators more context and information about applications running in their environment. This increases transparency and allows the development of tighter, more effective policies.


2. Consistent intent-driven policies: With this increased transparency, operators and developers can create consistent, intent-driven policies to allow or block inter- and intra-application flows. What do we mean by “consistent?” Contrail Security allows operators to define a single policy once and apply it across multiple heterogeneous environments without modification.

For example, if a policy has been defined for some applications in a Kubernetes environment, it can easily be extended to the same or other applications in an OpenStack environment, in public clouds (e.g. Amazon Web Services), in a Mesos/Marathon environment, or even an existing legacy environment running on bare metal.


What do we mean by “intent-driven?” The policy framework allows expressing intent using tags, such as “allow web-traffic tier=web > tier=app,” without using virtual networks, IP addresses, etc. within the policy rule. This intent-driven framework allows a define-once-and-apply-everywhere approach.


Intent-driven policies also allow the use of advanced algorithmic techniques that dramatically reduce the overall number of security policies. In our testing, security policies not only became more effective, but simpler, even while being distributed across many environments. We have seen reductions of 10-20x in size, which dramatically simplifies management, compliance, and audits.


Finally, and most importantly, intent-driven policies allow for taking the next step beyond “microsegmentation.” Whether you call it “nanosegmentation” or something else, the Contrail Security policy framework, using tags, allows operators to create intelligent, multi-dimensional, fine-grained workload segmentation. This, in turn, allows the environment to be sliced and diced in arbitrary ways by tenants, workloads, containers, interfaces, or all of them at once. Simple, yet powerful. We believe this is the future of policy implementation and enforcement.
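As an added illustration, not Contrail's own code or policy language beyond the page's `allow web-traffic tier=web > tier=app` syntax, the Python below compiles tag-based intent rules into the concrete, per-host L4 rules that a distributed enforcement point would need, so the rule-count reduction and the define-once-apply-everywhere property can be measured on a constructed inventory. The workload names, hosts, IPs, the comma-as-AND selector syntax and the trailing proto/port field are all assumptions.

```python
"""Tag-based intent rules compiled into per-host L4 rules (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Workload:
    name: str
    env: str   # kubernetes, openstack, aws, baremetal: the intent never mentions it
    host: str  # server or cloud instance whose data-plane component enforces the rules
    ip: str
    tags: Dict[str, str]

    def matches(self, selector: Dict[str, str]) -> bool:
        return all(self.tags.get(k) == v for k, v in selector.items())

@dataclass
class Intent:
    action: str
    name: str
    src: Dict[str, str]
    dst: Dict[str, str]
    service: str

def parse_selector(text: str) -> Dict[str, str]:
    """'tier=web,app=shop' -> {'tier': 'web', 'app': 'shop'}; comma means AND (assumed)."""
    return dict(kv.split("=", 1) for kv in text.split(","))

def parse_intent(line: str) -> Intent:
    """Page syntax 'allow web-traffic tier=web > tier=app'; trailing 'tcp/8080' is an assumed extension."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[3] != ">" or tokens[0] not in ("allow", "deny"):
        raise ValueError(f"malformed intent rule: {line!r}")
    service = tokens[5] if len(tokens) > 5 else "any"
    return Intent(tokens[0], tokens[1], parse_selector(tokens[2]),
                  parse_selector(tokens[4]), service)

def compile_policy(intents: List[Intent], inventory: List[Workload]) -> List[tuple]:
    """Expand each intent into (action, src_ip, dst_ip, service, name) rules the data plane matches on."""
    concrete: List[tuple] = []
    for it in intents:
        for s in (w for w in inventory if w.matches(it.src)):
            for d in (w for w in inventory if w is not s and w.matches(it.dst)):
                concrete.append((it.action, s.ip, d.ip, it.service, it.name))
    return concrete

def rules_for_host(concrete: List[tuple], inventory: List[Workload], host: str) -> List[tuple]:
    """Distributed enforcement: a host only receives rules touching its own workloads."""
    local = {w.ip for w in inventory if w.host == host}
    return [r for r in concrete if r[1] in local or r[2] in local]

# Constructed inventory spanning four environments; only the tags drive policy.
INVENTORY = [
    Workload("web1", "kubernetes", "k8s-node-1", "10.1.0.11", {"tier": "web", "app": "shop"}),
    Workload("web2", "openstack", "os-compute-1", "10.2.0.11", {"tier": "web", "app": "shop"}),
    Workload("app1", "kubernetes", "k8s-node-2", "10.1.0.21", {"tier": "app", "app": "shop"}),
    Workload("app2", "baremetal", "bm-7", "192.168.5.21", {"tier": "app", "app": "shop"}),
    Workload("db1", "aws", "i-example", "10.3.0.31", {"tier": "db", "app": "shop"}),
    Workload("blog1", "kubernetes", "k8s-node-1", "10.1.0.12", {"tier": "web", "app": "blog"}),
]
INTENTS = [parse_intent(line) for line in (
    "allow web-traffic tier=web,app=shop > tier=app,app=shop tcp/8080",
    "allow app-db tier=app,app=shop > tier=db,app=shop tcp/5432",
    "deny blog-isolation app=blog > app=shop",
)]
```

Three intent rules expand to eleven IP-level rules here, and `k8s-node-1` only needs the seven that involve its own two workloads; adding a workload in any environment changes the compiled output, never the intent.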

3. Scalable and high-performance multipoint enforcement: Once intent is expressed, the Contrail Security controller translates these high-level policies into distributed enforcement logic and sends them to the data plane. For L4 policies, there is a data plane component that sits on every host (server) or public cloud instance and provides enforcement. Running this data plane component next to the workload enables the distributed security model that modern applications require. At the same time, running them in the server as opposed to inside every workload ensures data plane scalability. This L4 security enforcement component can further redirect traffic to a Juniper or third-party L7 firewall whenever additional advanced security (e.g. malware detection, IDS, antivirus, etc.) is required.


Maintaining performance in this type of architecture can be a challenge. Of course, the control and management plane scales out and the forwarding plane can run within the kernel or user space, but that isn’t always enough. Contrail Security is designed to be accelerated using Intel’s DPDK technology, or hardware accelerated with technologies such as “smart NICs.” These techniques can improve performance and latency by an order of magnitude.


4. Operator assistance for anomaly detection and analytics: Operators need to monitor, report, troubleshoot, and generate alerts from their environments. Contrail Security delivers these table stakes. The Contrail Security Analytics module collects telemetry from all enforcement points, analyzes the data, and presents it to the user in the form of detailed visualization. Contrail Security takes this a step further by using machine learning techniques to drive anomaly detection for operator assistance. It learns normal behavior of traffic flows, packets on interfaces, and so on, and then creates a baseline. Abnormal traffic patterns, in the form of deviation from the baseline, trigger events notifying operators and allowing them to proactively quarantine suspect workloads.
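As an added example, not Contrail Security's analytics code, the Python below shows the baseline-then-deviation logic the paragraph describes, run over constructed per-interface flow telemetry such as an enforcement point would report; the interface names, counts, the 4-sigma threshold and the quarantine-by-tag convention are all assumptions.

```python
"""Baseline learning and deviation alerting on enforcement-point telemetry (constructed)."""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed telemetry: new flows per minute reported by each host's enforcement
# point for one workload interface, collected during a learning window.
LEARNING_WINDOW: Dict[str, List[int]] = {
    "web1/eth0": [40, 44, 38, 42, 41, 39, 43, 40, 42, 41],
    "app1/eth0": [12, 10, 11, 13, 12, 11, 10, 12, 13, 11],
    "db1/eth0": [3, 2, 3, 4, 3, 2, 3, 3, 2, 4],
}
# Constructed current minute: web1 is busier than usual and db1 is suddenly
# opening far more new flows than a database tier normally does.
OBSERVED: Dict[str, int] = {"web1/eth0": 60, "app1/eth0": 12, "db1/eth0": 120}

def learn_baseline(window: Dict[str, List[int]]) -> Dict[str, Tuple[float, float]]:
    """Per-interface (mean, population stddev) of the learned normal flow rate."""
    return {iface: (float(mean(v)), float(pstdev(v))) for iface, v in window.items()}

def detect_deviations(baseline: Dict[str, Tuple[float, float]],
                      observed: Dict[str, int], threshold: float = 4.0) -> List[dict]:
    """Emit one event per interface whose count sits more than `threshold` sigmas
    from its baseline. The stddev floor of 1.0 stops a nearly constant baseline
    from flagging a single extra flow as an anomaly."""
    events = []
    for iface, count in observed.items():
        if iface not in baseline:  # never seen during learning: cannot be scored yet
            continue
        mu, sd = baseline[iface]
        sigma = (count - mu) / max(sd, 1.0)
        if abs(sigma) > threshold:
            workload = iface.split("/", 1)[0]
            events.append({
                "interface": iface, "observed": count, "baseline": round(mu, 1),
                "sigma": round(sigma, 1), "workload": workload,
                # Assumed convention: quarantining means tagging the workload so a
                # tag-based deny policy takes effect wherever it runs.
                "suggested_action": f"tag {workload} quarantine=true",
            })
    return events

def triage(window=LEARNING_WINDOW, observed=OBSERVED) -> List[str]:
    """Workloads an operator would be asked to quarantine for the current minute."""
    return [e["workload"] for e in detect_deviations(learn_baseline(window), observed)]
```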


5. APIs and automation everywhere: In this dynamic cloud era, automation is absolutely essential, but it’s not always a first-class citizen. Contrail Security goes further than others by focusing on simplified provisioning, an API-centric operational model, and easy integration with existing security tools. Every component of Contrail Security is API enabled, and the API layer has been designed for scalability. This API layer allows for easier deployment and management while enabling third-party integration to SIEM tools, firewalls, and more.


Best of all, for customers who would like Juniper to provide both connectivity and security, Contrail Security has been enabled as an add-on to Contrail Networking, which means no need for a separate deployment. As of the latest version, both Contrail Networking and Contrail Security ship in the form of Kubernetes-enabled containers, allowing for easy deployments, scaling, and self-healing of the control plane itself.


Contrail Security Enables Distributed Microservices.

Modern applications are more and more microservices-based, dynamic, distributed, and running across many environments. Contrail Security is designed to ensure that your security policies are applied across all environments in a consistent manner, following your applications as they scale, move, and adapt. It leverages components from the world’s #1 commercial SDN solution, Contrail Networking, which has been proven at scale by some of the world’s largest service providers, enterprises, and SaaS companies. This combination provides a unique solution that sets a new security standard for cloud-native, multi-cloud applications. But this is only the beginning.


We are very excited to announce this new product, and we look forward to showcasing its innovative power and introducing further features in the future.

