Juniper Networks has announced Contrail Security, a new software package designed to distribute security policy enforcement within private and public clouds. The product combines microsegmentation and intent-based policy to address security gaps exposed by cloud-native application architecture.
More and more applications are being built in private and public clouds using widely distributed components. These components themselves are often decoupled from physical nodes. While this provides flexibility and scale, it also makes it harder for security teams to understand and control how applications and their components interact.
At the same time, perimeter-based security devices often lack visibility into the lateral movement of traffic inside a data center or within a public cloud.
Contrail Security uses a microsegmentation model to distribute enforcement points throughout the cloud. Juniper claims this offers more visibility into how applications and their components communicate compared to a perimeter view.
It also lets administrators develop and deploy more fine-grained policies based on application type, potential risks, and other factors.
Juniper is also offering an intent-based policy language that lets administrators and operators express a desired outcome (e.g. allow traffic between the Web server and the application server), which the system then figures out how to configure.
The goal here is to reduce the time and effort required of humans to configure rules, and to reduce the overall number of policies that need to be created, maintained, and updated.
Juniper says it’s targeting SaaS providers that operate sprawling cloud infrastructures, and enterprises building applications to run in private, public, or hybrid clouds.
Contrail Security draws on Juniper’s work developing Contrail, an open-source SDN platform to provide virtualized network services.
How It Works
Contrail Security has several major pieces, including software enforcement points, a controller, and an intent-based modeling system.
Juniper uses its Contrail vRouter, which runs on servers or in a cloud instance, as a kind of firewall to enforce basic security policies (allow, deny, alert, log, redirect). Juniper says it will support richer policy options in future releases.
The vRouter also maps how different application components communicate to see how traffic moves among, for example, Web, application, and database tiers. It gathers this information and sends it back to the controller, which uses it to help construct appropriate security policies.
The vRouter can also redirect traffic to other security devices for deeper inspection, such as Juniper’s virtual SRX firewall or third-party security products.
The controller serves as a central repository for policies and is used to manage the vRouters.
The controller also has an analytics module that collects traffic flow information from the vRouters to visualize how applications interact. The analytics module uses this information to understand how to configure and enforce security policies.
Contrail Security uses an intent-based mechanism to allow operators and administrators to express a high-level outcome using a natural-language interface. The controller then configures the vRouters to enforce that outcome.
“The system figures out the interfaces and workloads, and then applies those policies for the different applications,” said Pratik Roychowdhury, senior director of product management for Contrail, in an interview.
One goal is to enable policy portability among cloud environments. In other words, if a policy is written for a workload in AWS, the same high-level policy shouldn’t have to be re-written if you run that workload in Azure.
Roychowdhury said Juniper has a data model to map intent to actual configurations, but it isn’t using YANG. Instead, he noted that Juniper had acquired some patents and would release details about its modeling and policy language at a later date.
When asked if there was a mechanism to verify that policy goals are met, he pointed to the analytics module in the controller.
“The analytics model receives information from the forwarding plane component (the vRouter) to see if the intent has been carried out,” he said.
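To make the chain described above concrete (a tier-level intent, its expansion into per-enforcement-point rules, portability of the same intent across two cloud inventories, and an analytics pass that checks observed flows against the intent), here is a toy model written for this article. It is not Juniper's code and does not use Juniper's undisclosed data model or policy language; the tier names, the two workload inventories, the documentation-range IP addresses and the observed flows are all constructed, and treating the enforcement point in front of the destination workload as the stand-in for a vRouter is an assumption of the example.

```python
"""Toy model of intent-based microsegmentation (illustrative, not a vendor implementation).

A tier-level Intent is compiled into concrete per-host Rules for each cloud's
inventory, every host's enforcement point defaults to deny, and an analytics
step compares observed flows against the allow intents.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed inventories: tier tag -> set of workload addresses, one map per cloud.
# Addresses are private-range placeholders, not real deployments.
INVENTORY = {
    "aws":   {"web": {"10.0.1.10", "10.0.1.11"}, "app": {"10.0.2.20"},
              "db": {"10.0.3.30"}},
    "azure": {"web": {"10.1.1.10"}, "app": {"10.1.2.20", "10.1.2.21"},
              "db": {"10.1.3.30"}},
}

Flow = Tuple[str, str, str, int]  # (src_ip, dst_ip, proto, dst_port)


@dataclass(frozen=True)
class Intent:
    """High-level outcome expressed in tier terms, independent of any cloud."""
    src_tier: str
    dst_tier: str
    proto: str
    port: int
    action: str = "allow"  # allow | deny | alert | log | redirect


@dataclass(frozen=True)
class Rule:
    """Concrete rule installed at one enforcement point."""
    src: str
    dst: str
    proto: str
    port: int
    action: str


def compile_intents(intents: List[Intent], cloud: str) -> Dict[str, List[Rule]]:
    """Expand tier intents into per-host rules, keyed by the destination host
    (assumed here to be where the enforcement point for that workload sits).
    The same intents compile to different rule sets for different inventories."""
    inv = INVENTORY[cloud]
    rules: Dict[str, List[Rule]] = {}
    for it in intents:
        for src in sorted(inv[it.src_tier]):
            for dst in sorted(inv[it.dst_tier]):
                rules.setdefault(dst, []).append(Rule(src, dst, it.proto, it.port, it.action))
    return rules


def enforce(rules: Dict[str, List[Rule]], flow: Flow) -> str:
    """Action taken by the enforcement point in front of the flow's destination.
    Anything not explicitly covered is denied, which is what removes the reliance
    on a perimeter device for east-west traffic."""
    src, dst, proto, port = flow
    for r in rules.get(dst, []):
        if r.src == src and r.proto == proto and r.port == port:
            return r.action
    return "deny"


def verify_intent(intents: List[Intent], cloud: str,
                  observed: List[Flow]) -> Tuple[List[Flow], List[Intent]]:
    """Analytics step: returns (violations, unexercised).
    violations  = observed flows that no allow intent covers (policy gap or misuse);
    unexercised = allow intents no observed flow ever matched (stale policy)."""
    inv = INVENTORY[cloud]

    def covers(it: Intent, f: Flow) -> bool:
        s, d, proto, port = f
        return (s in inv[it.src_tier] and d in inv[it.dst_tier]
                and proto == it.proto and port == it.port)

    allows = [it for it in intents if it.action == "allow"]
    violations = [f for f in observed if not any(covers(it, f) for it in allows)]
    unexercised = [it for it in allows if not any(covers(it, f) for f in observed)]
    return violations, unexercised


# Constructed sample: two intents and a handful of flows the analytics module "saw".
INTENTS = [Intent("web", "app", "tcp", 8080), Intent("app", "db", "tcp", 5432)]
OBSERVED: List[Flow] = [
    ("10.0.1.10", "10.0.2.20", "tcp", 8080),  # web -> app, covered by intent
    ("10.0.2.20", "10.0.3.30", "tcp", 5432),  # app -> db, covered by intent
    ("10.0.1.11", "10.0.3.30", "tcp", 5432),  # web -> db, not covered: violation
]

if __name__ == "__main__":
    for cloud in INVENTORY:
        rules = compile_intents(INTENTS, cloud)
        print(cloud, "rules:", sum(len(v) for v in rules.values()))
    print("aws verification:", verify_intent(INTENTS, "aws", OBSERVED))
```

The point of `verify_intent` is the question asked in the interview: a flow reaching the database tier from the web tier is reported even though every enforcement point would have denied it, because seeing such attempts in the flow data is how an operator learns whether the intent matches what the applications actually do, and the `unexercised` list flags intents that can probably be retired.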
Contrail Security sounds a lot like VMware’s NSX and the startup Illumio’s Adaptive Security Platform. All three of these products have similar value propositions: move policy enforcement as close to cloudy workloads as possible, and provide deeper visibility into traffic patterns than you can get with a perimeter firewall or other network device.
One area where Contrail Security differentiates itself (at least for now) is the intent component. There’s certainly operational value in providing a mechanism for customers to express high-level outcomes while leaving the nitty-gritty details to software—assuming the software is smart enough to get it right, and then keep it right as the underlying applications and services change.
“Intent” is the new hotness, but it’s also hard to do, particularly if you’re trying to automate programming a variety of device types (routers, switches, firewalls, load balancers, etc.) from a variety of vendors.
My impression is that Juniper is trying to limit the scope of the complexity by limiting intent-based programming to its own vRouters. I presume that over time it will expand the scope of its intent-based capabilities.
Contrail Security is expected to be available later this year.