Introduction
As your organization embraces cloud-native technologies and Kubernetes, the complexity of securing your infrastructure grows exponentially. Traditional network security solutions often struggle to keep pace with the dynamic nature of containerized environments.
The challenge
- East-west traffic exposure: With microservices architecture, communication between services within your cluster (east-west traffic) becomes a significant security risk.
- Rapidly changing environments: Kubernetes clusters are highly dynamic, making it difficult to implement and maintain traditional security measures.
- Complex network configurations: Configuring network security policies in Kubernetes can be challenging and error prone.
The solution: cSRX and SUSE Rancher
By combining the power of Juniper’s cSRX and SUSE Rancher, you can effectively address these challenges and better safeguard your cloud-native infrastructure.
How it works
- Microsegmentation with cSRX:
  a. Granular control: cSRX enables you to define fine-grained security policies at the container level, isolating workloads and limiting lateral movement.
  b. Advanced security features: Protect your applications with a comprehensive suite of security services, including firewall, intrusion prevention, and application security.
  c. Dynamic adaptation: cSRX automatically adapts to changes in your Kubernetes environment, ensuring continuous protection.
- Simplified management with SUSE Rancher:
  a. Centralized visibility: Gain a unified view of your entire Kubernetes infrastructure, including security policies and alerts.
  b. Streamlined deployment: Deploy and manage cSRX seamlessly within your Rancher environment, reducing operational overhead.
  c. Automated policy enforcement: Automate the creation and enforcement of security policies, minimizing human error.
Key benefits
- Enhanced security posture: Protect your applications from threats with advanced security features and granular control.
- Improved operational efficiency: Simplify network security management and reduce the time to respond to security incidents.
- Accelerated time to market: Rapidly deploy and secure new applications without compromising security.
- Reduced risk of data breaches: Mitigate the risk of data breaches by preventing unauthorized access to sensitive information.
By leveraging the combined power of cSRX and SUSE Rancher, you can build a robust and secure cloud-native infrastructure that empowers your business to innovate with confidence.
Validation environment
This blog details the validation activities performed with cSRX (Junos® versions 21.1R3.11 and 24.2R1.17) on SUSE Rancher RKE2 (v1.30.5+rke2r1).
The objective of this validation is to confirm the expected behavior of basic NGFW features delivered by the Juniper cSRX VNF on SUSE Rancher RKE2. The L3/L4 firewall rules are configured on the cSRX, which acts as the default gateway for two Ubuntu pods located on different networks (the network-attachment-definitions use MACVLAN in this scenario).
The single node SUSE Rancher RKE2 used during the validation activities is hosted on Azure:
The details of the SUSE Rancher RKE2 version used for the validation activities are listed below:
Validation scenario
The “k8s internal networks” scenario (described on the documentation available through the link below) has been used for the validation activities:
This figure details the validation architecture inside the RKE2 single-node cluster:
The same validation scenario has been used for cSRX validation on RedHat OpenShift:
Juniper cSRX validation on RedHat OpenShift
For more information about Juniper CNFs validation on RedHat OpenShift:
https://catalog.redhat.com/search?gs&q=juniper&searchType=software
Validation details
The configuration files used for the validation are available at:
https://github.com/ludovic-juniper/csrx-rke2
The k8s namespace cSRX contains three pods and two network-attachment-definitions using MACVLAN to connect cSRX with Ubuntu pods as detailed in the diagram above:
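The manifests below illustrate the pattern described above: two Multus network-attachment-definitions of type macvlan, and an Ubuntu pod attached to one of them with a static address. This is an added example written for this page, not the manifests from the csrx-rke2 repository linked above. The NAD names (trust-net, untrust-net), the subnets 10.10.1.0/24 and 10.10.2.0/24, the namespace csrx and the host parent interface eth0 are assumptions; the real values are in the repository.

```yaml
# Added example (not from the csrx-rke2 repository).
# Two MACVLAN secondary networks, one per security zone on the cSRX.
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: trust-net            # assumed name
  namespace: csrx            # assumed namespace
spec:
  config: '{
    "cniVersion": "0.3.1",
    "type": "macvlan",
    "master": "eth0",
    "mode": "bridge",
    "ipam": { "type": "static" }
  }'
---
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: untrust-net          # assumed name
  namespace: csrx
spec:
  config: '{
    "cniVersion": "0.3.1",
    "type": "macvlan",
    "master": "eth0",
    "mode": "bridge",
    "ipam": { "type": "static" }
  }'
---
# Ubuntu pod on the trust side. Its secondary interface gets 10.10.1.10/24;
# the cSRX holds 10.10.1.1 on the same network and is used as the gateway
# for traffic towards 10.10.2.0/24 (addresses are assumptions).
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-trust
  namespace: csrx
  annotations:
    k8s.v1.cni.cncf.io/networks: '[{"name": "trust-net", "ips": ["10.10.1.10/24"]}]'
spec:
  containers:
  - name: ubuntu
    image: ubuntu:22.04
    command: ["sleep", "infinity"]
```

The cSRX pod is attached to both definitions in the same way (one annotation entry per network, holding the .1 address of each subnet), so that every packet between the two Ubuntu pods has to cross it. The pod on the untrust side mirrors the one shown, with an address in 10.10.2.0/24.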
cSRX 21.1R3.11
cSRX configuration:
cSRX license:
cSRX 24.2R1.17
cSRX version:
cSRX configuration:
cSRX license:
Validation tests
iperf traffic is allowed from zone trust (private) to zone untrust (public):
cSRX 21.1R3.11
cSRX 24.2R1.17
TCP iperf is allowed but UDP iperf is denied by cSRX security policies:
cSRX 21.1R3.11
cSRX 24.2R1.17
ICMP ping traffic is allowed only from trust zone to untrust zone:
Same outputs with cSRX 21.1R3.11 and cSRX 24.2R1.17
Traffic other than iperf (TCP port 5001) and ICMP ping is rejected:
Same outputs with cSRX 21.1R3.11 and cSRX 24.2R1.17
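A cSRX policy set that produces the test matrix above (iperf on TCP 5001 and ping permitted from trust to untrust, everything else from trust to untrust rejected and logged, nothing permitted from untrust to trust). This is an added example written for this page, not the configuration from the csrx-rke2 repository; the interface-to-zone mapping, the addresses and the policy names are assumptions, and the lines starting with # are commentary for the reader.

```junos
# Added example, not the repository's cSRX configuration.
# Assumption: ge-0/0/0 is attached to the trust network, ge-0/0/1 to untrust.
set interfaces ge-0/0/0 unit 0 family inet address 10.10.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.10.2.1/24

# Zones: allow the cSRX itself to answer ping from the trust side only.
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0

# Custom application for the iperf server port used in the tests (TCP 5001).
set applications application iperf-tcp protocol tcp destination-port 5001

# trust -> untrust: permit iperf over TCP.
set security policies from-zone trust to-zone untrust policy allow-iperf-tcp match source-address any
set security policies from-zone trust to-zone untrust policy allow-iperf-tcp match destination-address any
set security policies from-zone trust to-zone untrust policy allow-iperf-tcp match application iperf-tcp
set security policies from-zone trust to-zone untrust policy allow-iperf-tcp then permit

# trust -> untrust: permit ICMP echo (predefined junos-ping application).
set security policies from-zone trust to-zone untrust policy allow-ping match source-address any
set security policies from-zone trust to-zone untrust policy allow-ping match destination-address any
set security policies from-zone trust to-zone untrust policy allow-ping match application junos-ping
set security policies from-zone trust to-zone untrust policy allow-ping then permit

# trust -> untrust: everything else (UDP 5001 included) is rejected and logged.
# Policies are evaluated top to bottom, so this catch-all must stay last.
set security policies from-zone trust to-zone untrust policy reject-rest match source-address any
set security policies from-zone trust to-zone untrust policy reject-rest match destination-address any
set security policies from-zone trust to-zone untrust policy reject-rest match application any
set security policies from-zone trust to-zone untrust policy reject-rest then reject
set security policies from-zone trust to-zone untrust policy reject-rest then log session-init

# untrust -> trust: no policy is defined, so the default policy applies.
set security policies default-policy deny-all
```

The difference between the two negative outcomes is the action: reject sends a TCP RST or ICMP unreachable back to the client, deny drops silently, which is why a rejected connection fails immediately while a denied one times out. After committing, `show security policies from-zone trust to-zone untrust` lists the rule order, `show security flow session` shows which sessions were actually permitted, and the RT_FLOW_SESSION_DENY syslog entries produced by `log session-init` give one line per rejected attempt, which is the evidence worth keeping from a validation run.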
Juniper is fully committed to encouraging and supporting our clients and partners in the cloudification journey, which includes the adoption of security VNFs and CNFs on Kubernetes-based virtualization platforms such as SUSE Rancher.
The cSRX validation on SUSE Rancher detailed above, and available at suse.com, provides risk-free deployment and the full benefits of the Juniper cSRX hosted on a SUSE Rancher cluster.
Please reach out to us at suse@juniper.net for any support requests related to the cSRX validation on SUSE Rancher.