Enterprise Cloud and Transformation
Juniper Employee
Microservices and Cloud-Native Apps Need a Security Revolution. Contrail Security Delivers.
Aug 29, 2017

Enterprise applications are rapidly evolving while embracing modern “cloud-native” or “cattle” architectures such as microservices and becoming more dynamic and distributed. These applications are frequently the centerpiece of updated corporate strategies, generating new business and revenue. As these applications are disassembled, distributed, and redesigned for dynamic scaling, new techniques for managing policies, enforcing security, and assuring compliance are essential. These capabilities must be deployed across multiple clouds, private and public infrastructure, over multiple workloads (VMs or bare metal servers with or without containers), and across various geographies.


The security challenges of this endeavor are real, with damages from breaches, ransomware, and DDoS attacks likely reaching hundreds of billions of dollars. Enterprise developers, architects, and security and compliance teams must come together and address these challenges.  Unfortunately, the disparate cloud technologies, differing public cloud capabilities and APIs, and the fragmented networking and security landscapes have made this nearly impossible—until now. Today, many are gravitating towards a cluster of technologies that abstract the underlying infrastructure, providing more advanced application management and deployment techniques.


At the compute layer, technologies like Docker and Kubernetes are managing to solve these application management and deployment problems. At the network layer, SDN technologies such as Contrail Networking are solving the “cross-cloud” and “VM to bare metal” abstraction problems. When combined, container technology and SDN seem like an ideal way to establish a uniform cloud-agnostic and portable infrastructure. All that is missing is the security piece. 


Enter Contrail Security.

Contrail Security leverages existing Contrail Networking technology, the world’s #1 SDN solution. Contrail Security is designed to address the security shortcomings of distributed applications in a number of ways by providing:


  1. Application traffic discovery and visualization.
  2. Consistent intent-driven policies.
  3. Scalable and high-performance multipoint enforcement.
  4. Operator assistance for anomaly detection and analytics.
  5. APIs and automation everywhere.


Most importantly, because it leverages Contrail Networking, Contrail Security provides these capabilities across all clouds (public or private), bare metal servers or VMs, within or without containers, and across arbitrary data centers.


Excited yet? We are. Let’s dig in further.


Getting to Know Contrail Security.

Contrail Security is a new product from Juniper Networks designed for security admins, CISOs, and security practitioners that provides the granular level of security that distributed cloud-native applications running in hybrid or multi-cloud environments demand. Although fairly new, it leverages the scalable, performant, and battle-tested components of Contrail Networking (i.e. the scalable API-server and Controller, the high-performance vRouter, and the analytics module). For more details on Contrail Networking features, please refer to this blog we published earlier this year.



The goal of Contrail Security is to minimize risks to applications running in these multi-cloud environments from lateral (i.e. east-west) threats by offering the following capabilities:


1. Application traffic discovery and visualization: Before provisioning complex policies, security operators and developers must first learn how applications interact and communicate with each other. It is impossible to develop a cohesive, comprehensive, yet concise security policy without knowing how the different components of an application interact. Contrail Security provides detailed inter- and intra-application traffic visualization, giving operators more context and information about applications running in their environment. This increases transparency and allows the development of tighter, more effective policies.


2. Consistent intent-driven policies: With this increased transparency, operators and developers can create consistent, intent-driven policies to allow or block inter- and intra-application flows. What do we mean by “consistent?” Contrail Security allows operators to define a single policy once and apply it across multiple heterogeneous environments without modification.

For example, if a policy has been defined for some applications in a Kubernetes environment, it can easily be extended to the same or other applications in an OpenStack environment, in public clouds (e.g. Amazon Web Services), in a Mesos/Marathon environment, or even an existing legacy environment running on bare metal.


What do we mean by “intent-driven?” The policy framework allows expressing intent using tags, such as “allow web-traffic tier=web > tier=app,” without using virtual networks, IP addresses, etc. within the policy rule. This intent-driven framework allows a define-once-and-apply-everywhere approach.


Intent-driven policies also allow the use of advanced algorithmic techniques that dramatically reduce the overall number of security policies. In our testing, security policies not only became more effective, but simpler, even while being distributed across many environments. We have seen reductions of 10-20x in size, which dramatically simplifies management, compliance, and audits.


Finally, and most importantly, intent-driven policies allow for taking the next step beyond “microsegmentation.” Whether you call it “nanosegmentation” or something else, the Contrail Security policy framework, using tags, allows operators to create intelligent, multi-dimensional, fine-grained workload segmentation. This, in turn, allows the environment to be sliced and diced in arbitrary ways by tenants, workloads, containers, interfaces, or all of them at once. Simple, yet powerful. We believe this is the future of policy implementation and enforcement.
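As an added illustration (not Contrail Security's code or its actual policy syntax), the Python below evaluates tag-based rules written in the form quoted above against workloads running in different environments, without ever reading an IP address or environment name. The service definition, the `deployment` tag, first-match ordering and default deny are assumptions of this example.

```python
from dataclasses import dataclass

# Assumption: a named service is a set of (protocol, port) pairs.
SERVICES = {"web-traffic": {("tcp", 80), ("tcp", 443)}}

@dataclass(frozen=True)
class Workload:
    name: str
    env: str          # hosting environment; the policy never reads it
    ip: str           # the policy never reads it either
    tags: frozenset   # e.g. {("tier", "web"), ("deployment", "prod")}

@dataclass(frozen=True)
class Rule:
    action: str
    service: str
    src: frozenset
    dst: frozenset

def parse_tags(text):
    pairs = [kv.split("=", 1) for kv in text.split()]
    if not pairs or any(len(p) != 2 or not all(p) for p in pairs):
        raise ValueError(f"bad tag list: {text!r}")
    return frozenset(map(tuple, pairs))

def parse_rule(line):
    """Parse '<action> <service> <src tags> > <dst tags>'."""
    head, sep, dst = line.partition(">")
    fields = head.split()
    if not sep or len(fields) < 3 or fields[0] not in ("allow", "deny") \
            or fields[1] not in SERVICES:
        raise ValueError(f"bad rule: {line!r}")
    return Rule(fields[0], fields[1], parse_tags(" ".join(fields[2:])), parse_tags(dst))

def evaluate(rules, src, dst, proto, port):
    """First matching rule wins; traffic no rule matches is denied."""
    for r in rules:
        if (proto, port) in SERVICES[r.service] and r.src <= src.tags and r.dst <= dst.tags:
            return r.action
    return "deny"

def wl(name, env, ip, tags):
    return Workload(name, env, ip, parse_tags(tags))

# Constructed sample inventory and policy (tag names other than "tier" are hypothetical).
WEB_K8S = wl("web-1", "kubernetes", "10.1.0.5", "tier=web deployment=prod")
APP_OS = wl("app-1", "openstack", "172.16.4.9", "tier=app deployment=prod")
APP_BM = wl("app-2", "bare-metal", "192.168.7.20", "tier=app deployment=prod")
WEB_DEV = wl("web-dev", "kubernetes", "10.9.0.7", "tier=web deployment=dev")
POLICY = [parse_rule(r) for r in (
    "deny web-traffic deployment=dev > deployment=prod",
    "allow web-traffic tier=web > tier=app",   # the rule quoted in the text
)]
```

The same two rules cover the Kubernetes, OpenStack and bare-metal workloads, and adding the second tag dimension isolates the dev workload without touching the tier rule.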

3. Scalable and high-performance multipoint enforcement: Once intent is expressed, the Contrail Security controller translates these high-level policies into distributed enforcement logic and sends them to the data plane. For L4 policies, there is a data plane component that sits on every host (server) or public cloud instance and provides enforcement. Running this data plane component next to the workload enables the distributed security model that modern applications require. At the same time, running them in the server as opposed to inside every workload ensures data plane scalability. This L4 security enforcement component can further redirect traffic to a Juniper or third-party L7 firewall whenever additional advanced security (e.g. malware detection, IDS, antivirus, etc.) is required.


Maintaining performance in this type of architecture can be a challenge. Of course, the control and management plane scales out and the forwarding plane can run within the kernel or user space, but that isn’t always enough. Contrail Security is designed to be accelerated using Intel’s DPDK technology, or hardware accelerated with technologies such as “smart NICs.” These techniques can dramatically improve performance and latency, by an order of magnitude.


4. Operator assistance for anomaly detection and analytics: Operators need to monitor, report, troubleshoot, and generate alerts from their environments. Contrail Security delivers these table stakes. The Contrail Security Analytics module collects telemetry from all enforcement points, analyzes the data, and presents it to the user in the form of detailed visualization. Contrail Security takes this a step further by using machine learning techniques to drive anomaly detection for operator assistance. It learns normal behavior of traffic flows, packets on interfaces, and so on, and then creates a baseline. Abnormal traffic patterns, in the form of deviation from the baseline, trigger events notifying operators and allowing them to proactively quarantine suspect workloads.


5. APIs and automation everywhere: In this dynamic cloud era, automation is absolutely essential, but it’s not always a first-class citizen. Contrail Security goes further than others by focusing on simplified provisioning, an API-centric operational model, and easy integration with existing security tools. Every component of Contrail Security is API enabled, and the API layer has been designed for scalability. This API layer allows for easier deployment and management while enabling third-party integration to SIEM tools, firewalls, and more.


Best of all, for customers who would like Juniper to provide both connectivity and security, Contrail Security has been enabled as an add-on to Contrail Networking, which means no need for a separate deployment. As of the latest version, both Contrail Networking and Contrail Security ship in the form of Kubernetes-enabled containers, allowing for easy deployments, scaling, and self-healing of the control plane itself.


Contrail Security Enables Distributed Microservices.

Modern applications are more and more microservices-based, dynamic, distributed, and running across many environments. Contrail Security is designed to ensure that your security policies are applied across all environments in a consistent manner, following your applications as they scale, move, and adapt. It leverages components from the world’s #1 commercial SDN solution, Contrail Networking, which has been proven at scale by some of the world’s largest service providers, enterprises, and SaaS companies. This combination provides a unique solution that sets a new security standard for cloud-native, multi-cloud applications. But this is only the beginning.


We are very excited to announce this new product, and we look forward to showcasing its innovative power and introducing continued features in the future.