[Demo] Network Security integration with Fortinet
By Google Cloud Tech
Network Security Integration with Fortinet on Google Cloud
Key Concepts:
- Network Security Integration (NSI): A framework for integrating third-party network security appliances into Google Cloud VPCs.
- Fortinet Firewall: A next-generation firewall used as the security appliance in this integration.
- Geneve Encapsulation: A UDP tunneling protocol (port 6081) used to carry intercepted traffic to the security appliance; the original packet, including its source and destination IPs, is preserved unchanged inside the encapsulation. Geneve itself adds no encryption.
- Producer VPC: The VPC hosting the third-party security appliances (Fortinet firewalls).
- Consumer VPC: The VPC hosting the workloads requiring security inspection.
- In-band Integration: Direct interception and processing of packets for inspection.
- Out-of-band Integration: Traffic mirroring for analysis without direct interception.
- Internal Pass-Through Network Load Balancer: Distributes traffic to the backend security appliances.
- Deep Packet Inspection (DPI): Examination of both packet headers and payload for detailed analysis.
- Terraform: Infrastructure as Code tool used for deployment.
- SSL Inspection/Decryption: Decrypting TLS encrypted traffic for application-level security policy enforcement.
- Application Control: Identifying and controlling network traffic based on application signatures.
1. Introduction & Challenges of Third-Party Security Appliance Integration
Harika introduces the video focusing on network security integrations with Fortinet on Google Cloud. A key challenge for enterprise customers using third-party security appliances like Fortinet firewalls is transparent integration without disrupting existing application network architecture. Traditional deployments often require extensive Network Address Translation (NAT), which can break application compatibility. The goal is to insert security without requiring network changes to application deployments.
2. Comprehensive Visibility & the Role of Network Appliances
Integrating specialized network appliances from Independent Software Vendors (ISVs) is crucial for achieving comprehensive visibility into Google Cloud Virtual Private Cloud (VPC) traffic and strengthening workload security. These appliances, equipped with Deep Packet Inspection (DPI) capabilities, analyze both packet headers and payloads. Deploying them in a “bump-in-the-wire” configuration provides network insight and advanced security without altering existing routing. Geneve encapsulation carries the intercepted traffic to the appliances with the original source and destination addresses preserved, so no NAT is required. Appliances can scale to inspect traffic from multiple VPCs, projects, and tenancies.
3. In-band vs. Out-of-band Integration
Network security integrations are categorized into two primary methods:
- Out-of-band: Utilizes traffic mirroring, sending a copy of traffic to the appliance for analysis. Packet mirroring uses firewall policy rules to clone traffic based on specified filtering criteria.
- In-band: Directly intercepts and processes packets for inspection, allowing real-time blocking of unauthorized access.
4. Producer-Consumer Model & Architecture
The NSI solution operates on a producer-consumer model:
- Producer VPC Network: Hosts the third-party network appliances (Fortinet firewalls) and is considered the service provider. It utilizes an internal forwarding rule as an ingress point for an internal pass-through network load balancer. The load balancer distributes traffic to backend instance groups (managed or unmanaged) containing the security appliances.
- Consumer VPC Network: Hosts the actual workloads (VMs, GKE nodes). Traffic redirection for inspection is controlled through firewall policies, specifying criteria like source/destination IP addresses, network tags, or service accounts.
When a network service deployment is created, the associated forwarding rule name is referenced, enabling NSI to route traffic for inspection to the producer deployment.
5. Traffic Redirection Workflow (In-band)
The video details the workflow of traffic redirection for deep packet inspection:
- Consumer Firewall Policy: The consumer VPC configures a firewall policy with rules to redirect matching traffic to the producer.
- Geneve Encapsulation: Matching packets are encapsulated using Geneve, preserving the original source and destination IP addresses and adding metadata for routing.
- Intercept Endpoint Group: The encapsulated packet is sent to the consumer’s dedicated intercept endpoint group.
- Producer Network Load Balancer: The intercept endpoint group transmits the packet to the producer’s VPC network, where an internal pass-through network load balancer receives it.
- Deep Packet Inspection: The load balancer distributes the packet to a backend VM hosting the inspection appliance (Fortinet firewall).
- Decapsulation & Forwarding: The appliance performs DPI and sends the packet back to the consumer’s network. The intercept endpoint group decapsulates the packet (removes the Geneve header) and forwards it to its original destination.
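The following added example (not code from the video, Google Cloud, or Fortinet) models the encapsulation step of this workflow in Python: a constructed workload packet is wrapped in a Geneve header per RFC 8926 on the way to the appliance, then decapsulated on the way back, and the check confirms that the inner IP header, including its source and destination addresses and checksum, came through byte-for-byte. The addresses, the VNI value and the option class/type used for the metadata TLV are illustrative assumptions; the critical-option drop rule is the one RFC 8926 requires of any Geneve endpoint.

```python
import ipaddress
import struct

GENEVE_UDP_PORT = 6081      # IANA-assigned UDP port for Geneve
ETHERTYPE_IPV4 = 0x0800     # Geneve "Protocol Type" value for an IPv4 inner packet


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 header checksum over the 20-byte IPv4 header; returns 0 for a valid header."""
    s = sum(struct.unpack("!10H", hdr[:20]))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (no options) for a constructed sample flow."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def geneve_option(opt_class: int, opt_type: int, data: bytes) -> bytes:
    """Encode one Geneve option TLV; data length must be a multiple of 4 bytes."""
    assert len(data) % 4 == 0
    return struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data


def geneve_encap(inner_ip: bytes, vni: int, options: bytes = b"") -> bytes:
    """Prepend a Geneve header: Ver=0, Opt Len in 4-byte words, O/C flags, Protocol Type, 24-bit VNI."""
    critical = any(typ & 0x80 for _, typ, _ in parse_options(options))
    first = (0 << 6) | (len(options) // 4)
    flags = 0x40 if critical else 0x00          # O=0x80 (control), C=0x40 (critical options present)
    hdr = struct.pack("!BBH", first, flags, ETHERTYPE_IPV4) + struct.pack("!I", (vni & 0xFFFFFF) << 8)
    return hdr + options + inner_ip


def parse_options(buf: bytes):
    """Walk the variable-length option area and return (class, type, data) tuples."""
    opts, off = [], 0
    while off < len(buf):
        cls, typ, length = struct.unpack("!HBB", buf[off:off + 4])
        data_len = (length & 0x1F) * 4
        opts.append((cls, typ, buf[off + 4:off + 4 + data_len]))
        off += 4 + data_len
    return opts


def geneve_decap(frame: bytes, known_classes=frozenset()):
    """Strip the Geneve header. Drops (raises) on a bad version or an unknown critical option."""
    first, flags, proto = struct.unpack("!BBH", frame[:4])
    if first >> 6 != 0:
        raise ValueError("unsupported Geneve version")
    opt_len = (first & 0x3F) * 4
    vni = struct.unpack("!I", frame[4:8])[0] >> 8
    options = parse_options(frame[8:8 + opt_len])
    if flags & 0x40:
        for cls, typ, _ in options:
            if typ & 0x80 and cls not in known_classes:
                raise ValueError("unknown critical option; packet must be dropped")
    return {"vni": vni, "protocol": proto, "options": options, "inner": frame[8 + opt_len:]}


def inner_addresses(ip: bytes):
    src, dst = struct.unpack("!4s4s", ip[12:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


def redirect_roundtrip(src="10.10.1.5", dst="203.0.113.10", vni=0x2A):
    """Model the in-band path: encapsulate a consumer packet, hand it to the appliance, decapsulate."""
    inner = build_ipv4(src, dst, 6, b"constructed TCP payload")
    # Hypothetical metadata option (class/type chosen for illustration, not a Google Cloud value).
    meta = geneve_option(0x0102, 0x01, struct.pack("!I", 0xDEADBEEF))
    wire = geneve_encap(inner, vni, meta)
    parsed = geneve_decap(wire)
    return {
        "udp_port": GENEVE_UDP_PORT,
        "vni": parsed["vni"],
        "protocol": parsed["protocol"],
        "options": parsed["options"],
        "inner_preserved": parsed["inner"] == inner,
        "inner_src_dst": inner_addresses(parsed["inner"]),
        "inner_checksum_ok": ipv4_checksum(parsed["inner"][:20]) == 0,
    }


if __name__ == "__main__":
    print(redirect_roundtrip())
```

The point to take from the round trip is that the appliance sees the workload's real addresses, which is exactly why no NAT is needed; the price is that anything which can reach UDP 6081 on the producer side with a well-formed Geneve header can present arbitrary inner packets, so the load balancer's reachability should be limited to the intercept endpoints.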
6. Fortinet Integration Demo: SSL Decryption & Application Control
Pravin demonstrates Fortinet integration with Google Cloud NSI in an in-band deployment. The deployment is automated using Terraform. Key elements include:
- Consumer Side: Endpoint groups and endpoint group associations identify traffic sources for redirection.
- Producer Side: Intercept deployments (load balancer, Fortigate, networking components) and intercept deployment groups provide scalability and high availability.
- Load Balancer: Configured to listen on port 6081 (Geneve protocol) with 48 backend instances.
- Firewall Policy: Rules configured for both ingress and egress traffic, referencing a security profile group for inspection.
- Geneve Configuration: Fortigate is configured with a Geneve tunnel interface bound to its port1 interface.
- Application Control Profile: Utilizes Fortigate’s detailed application signatures to detect and block specific applications (e.g., YouTube streaming/download).
- SSL Inspection: Decrypts TLS encrypted traffic for application-level security policy enforcement.
The demo shows successful access to google.com and youtube.com, but blocks video playback on YouTube due to the application control policy. Fortinet firewall logs confirm the blocked access to YouTube play functionality.
7. Benefits of Network Security Integration with Fortinet
- Real-time Inspection: Deploying firewalls and intrusion detection systems directly in the traffic path.
- Transparent Traffic Redirection: Using Geneve headers preserves original packet information without changing routing policies.
- Scalability: Appliances can inspect traffic from multiple VPCs, projects, and tenancies.
- Seamless Enforcement: Application-level security policies are enforced without client-side changes.
8. Resources & Conclusion
The video concludes by directing viewers to documentation links in the description for further information on network security integration in-band. The main takeaway is that NSI with Fortinet provides a robust and scalable solution for enhancing security in Google Cloud environments without disrupting existing network infrastructure. The use of Geneve encapsulation and a producer-consumer model allows for flexible and transparent integration of third-party security appliances.