2013 Riverbed Technology. All rights reserved. Riverbed, Cloud Steelhead, Granite, Interceptor, RiOS, Steelhead, Think Fast, Virtual Steelhead, Whitewater, Mazu, Cascade, Shark, AirPcap, BlockStream, SkipWare, TurboCap, WinPcap, Wireshark, TrafficScript, FlyScript, WWOS, and Stingray are trademarks or registered trademarks of Riverbed Technology, Inc. in the United States and other countries. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein cannot be used without the prior written consent of Riverbed Technology or their respective owners. Akamai and the Akamai wave logo are registered trademarks of Akamai Technologies, Inc. SureRoute is a service mark of Akamai. Apple and Mac are registered trademarks of Apple, Incorporated in the United States and in other countries. Cisco is a registered trademark of Cisco Systems, Inc. and its affiliates in the United States and in other countries. EMC, Symmetrix, and SRDF are registered trademarks of EMC Corporation and its affiliates in the United States and in other countries. IBM, iSeries, and AS/400 are registered trademarks of IBM Corporation and its affiliates in the United States and in other countries. Linux is a trademark of Linus Torvalds in the United States and in other countries. Microsoft, Windows, Vista, Outlook, and Internet Explorer are trademarks or registered trademarks of Microsoft Corporation in the United States and in other countries. Oracle and JInitiator are trademarks or registered trademarks of Oracle Corporation in the United States and in other countries. UNIX is a registered trademark in the United States and in other countries, exclusively licensed through X/Open Company, Ltd. VMware, ESX, ESXi are trademarks or registered trademarks of VMware, Incorporated in the United States and in other countries.
This product includes software developed by the University of California, Berkeley (and its contributors), EMC, and Comtech AHA Corporation. This product is derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm. NetApp Manageability Software Development Kit (NM SDK), including any third-party software available for review with such SDK, can be found at http://communities.netapp.com/docs/DOC-1152 and is included in a NOTICES file included within the downloaded files. For a list of open source software (including libraries) used in the development of this software along with associated copyright and license agreements, see the Riverbed Support site at https://support.riverbed.com. This documentation is furnished AS IS and is subject to change without notice and should not be construed as a commitment by Riverbed Technology. This documentation may not be copied, modified or distributed without the express authorization of Riverbed Technology and may be used only in connection with Riverbed products and services. Use, duplication, reproduction, release, modification, disclosure or transfer of this documentation is restricted in accordance with the Federal Acquisition Regulations as applied to civilian agencies and the Defense Federal Acquisition Regulation Supplement as applied to military agencies. This documentation qualifies as commercial computer software documentation and any use by the government shall be governed solely by these terms. All other use is prohibited. Riverbed Technology assumes no responsibility or liability for any errors or inaccuracies that may appear in this documentation.
Contents
PREFACE 3
About This Guide 3
Audience 3
Contacting Riverbed 3
PREFACE
Welcome to the Steelhead and Palo Alto Networks Firewall Solution Guide. Read this preface for an overview of the information provided in this guide and contact information. This preface includes the following sections:
- About This Guide
- Contacting Riverbed
Contacting Riverbed
This section describes how to contact departments within Riverbed.
Internet: You can learn about Riverbed products through the company Web site: http://www.riverbed.com.
Technical Support: If you have problems installing, using, or replacing Riverbed products, contact Riverbed Support or your channel partner who provides support. To contact Riverbed Support, open a trouble ticket by calling 1-888-RVBD-TAC (1-888-782-3822) in the United States and Canada or +1 415 247 7381 outside the United States. You can also go to https://support.riverbed.com.
Professional Services: Riverbed has a staff of professionals who can help you with installation, provisioning, network redesign, project management, custom designs, consolidation project design, and custom coded solutions. To contact Riverbed Professional Services, email proserve@riverbed.com or go to http://www.riverbed.com/us/products/professional_services/.
Why Riverbed?
RiOS was created to solve application acceleration challenges in a very different way than caches. Caches were built as protocol-specific architectures, dealing only with data in the application silo they understand. RiOS, on the other hand, accelerates applications on three levels simultaneously:
1. Data Streamlining: Data Reduction for All TCP Applications
2. Transport Streamlining: TCP Optimizations for All Applications
3. Application Streamlining: Application-Specific Optimizations
Each of these approaches happens independently in RiOS, meaning that all enterprise applications can benefit from data reduction and transport layer acceleration. Application layer acceleration is treated as one piece of the puzzle in this architecture, while in the caching architecture it is a requirement that the cache understand the application protocol. The application-independent optimizations in RiOS mean that email, file sharing, document management, ERP applications, CAD applications, network-based backup, software distribution, web-based applications, and even custom-built applications see benefits. The result of this approach is massive acceleration for all applications that run over TCP: users see up to 100 times faster application speed and up to 95% less bandwidth utilization at the same time. The system is designed to intelligently accelerate applications without creating the management problems that caches have created in today's networks.
Solution Architecture
This section describes the traffic flow when deploying Steelhead appliances alongside Palo Alto Networks Firewall appliances. In the outbound direction, traffic originating from clients is first sent to the Palo Alto Networks Firewall for security policies to be applied. Traffic the firewall allows through is then sent through the Steelhead appliance to be optimized. The optimized traffic is then sent back through the same Palo Alto Networks Firewall for encryption before being sent out to the WAN. Figure 1-1 lays out the packet flow logically.
Figure 1-1 Logical layout of Steelhead appliance alongside Palo Alto Networks Firewall (figure not reproduced; labels in the figure: Client Devices, Palo Alto Networks Firewall, WAN Router, WAN)
Palo Alto firewalls have a technology called App-ID to classify traffic based on application. App-ID allows you to apply policies at an application level, rather than just to ports and IPs as in a traditional firewall. This prevents applications from, for example, sneaking around the firewall by using port 80. App-ID works by looking for signatures in traffic to identify it as belonging to a particular application. For App-ID to work properly the Palo Alto Networks Firewall must operate on unoptimized traffic by being deployed on the LAN side of the Steelhead appliance. The Steelhead appliance alters the signature of the traffic in order to optimize it, which results in Steelhead optimized traffic being classified as riverbed-rios by PAN-OS rather than as belonging to the original application. Positioning the Palo Alto Networks Firewall on the LAN side of the Steelhead appliance has a few limitations, however:
- The Steelhead appliance is left unprotected by the firewall.
- The firewall cannot encrypt traffic: encrypted traffic appears random and is not optimizable by the Steelhead appliance.
In order for the Palo Alto Networks Firewall to perform its full functionality, it must see traffic both before and after optimization. The subsequent chapters in this solution guide describe different methods of deploying Steelhead appliances alongside Palo Alto Networks Firewall appliances.
Deployment Topology
Figure 2-1 Virtual Wire Deployment Topology (figure not reproduced; label in the figure: WAN)
Starting with the clients in the bottom left corner the packet flow is:
1. Clients send traffic to the LAN switch.
2. From the LAN switch packets go into ethernet1/1 of the Palo Alto Networks Firewall.
3. Firewall policies are applied and then the traffic is sent to ethernet1/2 to the Steelhead LAN port.
4. The Steelhead appliance will optimize the traffic and send it from the Steelhead WAN port to ethernet1/3 of the Palo Alto Networks Firewall.
5. The Palo Alto firewall sends traffic out ethernet1/4 to the WAN.
Deployment Prerequisites
The following items should be completed before beginning the deployment.
- The physical wiring should be completed as in Figure 2-1.
- The default gateway of the Steelhead appliance In-Path interface should be set to the IP Address of the WAN router.
For details, see Create Two Virtual Wires.
Create three Security Zones of type virtual-wire
Create three security zones, all three with Type of virtual-wire. This deployment requires an additional Steelhead zone.
- Trusted: The trusted network the clients are on. This includes interface ethernet1/1.
- Steelhead: For traffic going to and coming from the Steelhead appliance. This includes interfaces ethernet1/2 and ethernet1/3.
- Untrusted: For the internet-facing network. This includes interface ethernet1/4.
For details, see Create Three Security Zones.
Configure security policies
Because of the additional security zones required for traffic to flow from the firewall to the Steelhead appliance and then back to the firewall, additional policies and changes to the way policies are written will be needed as well. For details, see Configure Security Policies.
Configure Interfaces
Interfaces can be configured by navigating to Network -> Interfaces in the Palo Alto web interface. All four interfaces should be configured with an Interface Type of Virtual Wire. Figure 2-1 Screenshot of completed Interface configuration for Virtual Wire deployment
Deployment Topology
Figure 3-1 Routed Deployment Topology (figure not reproduced; addresses shown in the figure: 192.168.12.1/24, 192.168.10.3/24, 192.168.10.1/24; label: WAN)
Starting with the clients in the bottom left corner the packet flow is:
1. Clients send traffic to the LAN switch.
2. From the LAN switch packets go into ethernet1/1 of the Palo Alto Networks Firewall.
3. Firewall policies are applied and then the traffic is sent to ethernet1/2 to the Steelhead LAN port.
4. The Steelhead appliance will optimize the traffic and send it from the Steelhead WAN port to ethernet1/3 of the Palo Alto Networks Firewall.
5. The Palo Alto firewall sends traffic out ethernet1/4 to the WAN.
Deployment Prerequisites
Before deployment, the physical wiring should be completed as in Figure 3-1. In this deployment the default gateway for the clients will be ethernet1/3 of the Palo Alto Networks Firewall.
For details, see Create Four Security Zones.
Configure security policies
Because of the additional security zones required for traffic to flow from the firewall to the Steelhead appliance and then back to the firewall, additional policies and changes to the way policies are written will be needed as well. For details, see Configure Security Policies.
Steelhead appliance
- Set the In-Path Gateway IP of the Steelhead In-Path interface to the IP address of ethernet1/3.
- (Optional) If configuring NAT on the Palo Alto Networks Firewall, configure Full Transparency and OOB Transparency on the Steelhead appliance.
To set the In-Path Gateway IP, navigate to Configure -> Networking -> In-Path Interfaces. Full Transparency and OOB Transparency on the Steelhead appliance are needed for proper operation with NAT. For details, see Configure Full Transparency and OOB Transparency.
A route to the next hop in your network should be added to the Virtual Router, as in Figure 3-5 below.
Figure 3-5 Screenshot of Virtual Router default route
Deployment Topology
Figure 4-1 Policy Based Forwarding Topology (figure not reproduced; addresses shown in the figure: 192.168.11.51/24, 192.168.11.1/24, 192.168.12.1/24, 192.168.10.3/24, 192.168.10.1/24; label: WAN)
Starting with the clients in the bottom left corner the packet flow is:
1. Clients send traffic to the LAN switch.
2. From the LAN switch packets go into ethernet1/1 of the Palo Alto Networks Firewall.
3. Firewall policies are applied and then the traffic is sent to ethernet1/2 to the Steelhead WAN port.
4. The Steelhead appliance will optimize the traffic and send it from the Steelhead WAN port back to ethernet1/2 of the Palo Alto Networks Firewall.
5. The Palo Alto firewall sends traffic out ethernet1/3 to the WAN.
Deployment Prerequisites
The following items should be completed before beginning the deployment.
- The physical wiring should be completed as in Figure 4-1.
- The default gateway for the clients will be ethernet1/1 of the Palo Alto Networks Firewall.
- Enable PBF support on the Steelhead appliance by navigating to Configure -> Optimization -> General Service Settings and checking Enable L4/PBR/WCCP/Interceptor Support. Restart the optimization service by navigating to Configure -> Maintenance -> Services and clicking Restart.
For details, see Create Three Security Zones for PBF Deployment.
Create a Policy Based Forwarding Policy
Create a Policy Based Forwarding policy to forward all traffic to the Steelhead appliance. For details, see Configure Policy Based Forwarding.
Configure security policies
Because of the additional security zones required for traffic to flow from the firewall to the Steelhead appliance and then back to the firewall, additional policies and changes to the way policies are written will be needed as well. For details, see Configure Security Policies.
Steelhead appliance
- Set the In-Path Gateway IP of the Steelhead In-Path interface to the IP address of ethernet1/2.
- (Optional) If configuring NAT on the Palo Alto Networks Firewall, configure Full Transparency and OOB Transparency on the Steelhead appliance.
To set the In-Path Gateway IP, navigate to Configure -> Networking -> In-Path Interfaces. Full Transparency and OOB Transparency on the Steelhead appliance are needed for proper operation with NAT. For details, see Configure Full Transparency and OOB Transparency.
A route to the next hop in your network should be added to the Virtual Router, as in Figure 4-4 below.
The Forwarding for the rule should be configured to forward traffic to the Steelhead In-Path IP address through ethernet1/2. A monitor should be configured to bypass the Steelhead in the event of failure. This is depicted in Figure 4-7 below.
Figure 4-7 Screenshot of Forwarding rule
Packet Capture
Both the Steelhead appliance and the Palo Alto Networks Firewall appliance can capture packets and save them to a file that can be analyzed by Wireshark. To capture packets on the Steelhead appliance, navigate to Reports -> Diagnostics -> TCP Dumps and click on Add a New TCP Dump. To capture packets on the Palo Alto Networks Firewall, navigate to Monitor -> Packet Capture.
OOB Transparency must also be configured for NAT to work properly with the Steelhead appliance. To enable OOB transparency, enter the following in the Steelhead command-line interface after entering conf t:
in-path peering oobtransparency mode "destination"
Outbound Traffic
For outbound traffic two changes are needed. The first is an additional policy to allow optimized traffic originating from the Steelhead appliance, illustrated in the Steelhead to WAN policy in Figure A-2 below. The policy should be created with the following parameters:
- Source Zone: Steelhead (or Steelhead WAN in the Chapter 3 Routed Deployment)
- Destination Zone: Untrusted
- Action: Allow
As traffic is now flowing from the Trusted zone to the Steelhead zone (or Steelhead LAN zone in the Chapter 3 Routed Deployment) before going to the Untrusted zone, the second change is that existing or new policies need to be written with a Destination zone of Steelhead (or Steelhead LAN in the Chapter 3 Routed Deployment). This is illustrated in the LAN to Steelhead policy in Figure A-2 below.
Figure A-2 Screenshot of policy to allow all outbound traffic
Inbound Traffic
For inbound traffic two changes are needed. The first is an additional policy to allow optimized traffic originating from the peer Steelhead appliance, illustrated in the WAN to Steelhead policy in Figure A-3 below. The policy should be created with the following parameters:
- Source Zone: Untrusted
- Destination Zone: Steelhead (or Steelhead WAN in the Chapter 3 Routed Deployment)
- Action: Allow
As traffic is now flowing from the Untrusted zone to the Steelhead zone (or Steelhead WAN zone in the Chapter 3 Routed Deployment) before going to the Trusted zone, the second change is that existing or new policies need to be written with a Source zone of Steelhead (or Steelhead WAN in the Chapter 3 Routed Deployment). This is illustrated in the Steelhead to LAN policy in Figure A-3 below.
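The zone-hop model behind the packet flows in Chapters 2 and 3 and the policy changes above, written out as an added example that is not part of this guide and not Riverbed's or Palo Alto Networks' code: a small Python tracer that evaluates a first-match rule set against each firewall crossing a session makes, and labels the WAN-side crossing with the riverbed-rios App-ID described in the Solution Architecture chapter. Zone names and rule names follow the guide; the data structures, function names, the sample App-IDs web-browsing and ssh, and the implicit deny when no rule matches are assumptions of this example.

```python
"""Zone-hop policy tracer for a Steelhead deployed beside a zone-based firewall.

Added example, not code from this guide, Riverbed or Palo Alto Networks.
A client session crosses the firewall twice in the topologies of Chapters 2
and 3, so the security policy is consulted once per crossing. On the LAN-side
crossing the firewall sees the original application; on the WAN-side crossing
it sees Steelhead-optimized traffic, which PAN-OS classifies as riverbed-rios.
Rule evaluation is first-match with an implicit deny when nothing matches
(an assumption of this model).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OPTIMIZED_APP = "riverbed-rios"   # App-ID PAN-OS assigns to Steelhead-optimized traffic


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str   # "any" matches every zone
    to_zone: str
    app: str         # "any" or a single App-ID
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class Hop:
    from_zone: str
    to_zone: str
    optimized: bool  # True on the leg between the Steelhead WAN port and the WAN


# Chapter 2, Virtual Wire deployment: zones Trusted, Steelhead, Untrusted.
VWIRE_OUTBOUND = [Hop("Trusted", "Steelhead", False), Hop("Steelhead", "Untrusted", True)]
VWIRE_INBOUND = [Hop("Untrusted", "Steelhead", True), Hop("Steelhead", "Trusted", False)]

# Chapter 3, Routed deployment: the Steelhead zone is split into LAN and WAN zones.
ROUTED_OUTBOUND = [Hop("Trusted", "Steelhead LAN", False), Hop("Steelhead WAN", "Untrusted", True)]
ROUTED_INBOUND = [Hop("Untrusted", "Steelhead WAN", True), Hop("Steelhead LAN", "Trusted", False)]


def first_match(rules: List[Rule], hop: Hop, app: str) -> Optional[Rule]:
    """Return the first rule whose zones and App-ID match this crossing, if any."""
    for rule in rules:
        if (rule.from_zone in ("any", hop.from_zone)
                and rule.to_zone in ("any", hop.to_zone)
                and rule.app in ("any", app)):
            return rule
    return None


def trace(rules: List[Rule], hops: List[Hop], app: str) -> List[Tuple[str, str, Optional[str], str]]:
    """One (zone pair, App-ID seen, rule name or None, action) tuple per crossing.

    The trace stops at the first crossing that is not allowed, since the
    packet never reaches the next one.
    """
    steps = []
    for hop in hops:
        seen = OPTIMIZED_APP if hop.optimized else app
        rule = first_match(rules, hop, seen)
        action = rule.action if rule else "deny"
        steps.append((f"{hop.from_zone}->{hop.to_zone}", seen, rule.name if rule else None, action))
        if action != "allow":
            break
    return steps


def is_allowed(rules: List[Rule], hops: List[Hop], app: str) -> bool:
    """True only if every crossing of the session is allowed."""
    steps = trace(rules, hops, app)
    return len(steps) == len(hops) and steps[-1][3] == "allow"


# Rule set written before the Steelhead was inserted: one zone pair only.
LEGACY_RULES = [Rule("LAN to WAN", "Trusted", "Untrusted", "web-browsing", "allow")]

# Rule set following the appendix for the Virtual Wire deployment. The App-ID
# check stays on the LAN-side legs; the WAN-side legs allow "any" because the
# guide's rules specify only zones and action.
VWIRE_RULES = [
    Rule("LAN to Steelhead", "Trusted", "Steelhead", "web-browsing", "allow"),
    Rule("Steelhead to WAN", "Steelhead", "Untrusted", "any", "allow"),
    Rule("WAN to Steelhead", "Untrusted", "Steelhead", "any", "allow"),
    Rule("Steelhead to LAN", "Steelhead", "Trusted", "web-browsing", "allow"),
]

# The same policy for the Routed deployment, with the split Steelhead zones.
ROUTED_RULES = [
    Rule("LAN to Steelhead", "Trusted", "Steelhead LAN", "web-browsing", "allow"),
    Rule("Steelhead to WAN", "Steelhead WAN", "Untrusted", "any", "allow"),
    Rule("WAN to Steelhead", "Untrusted", "Steelhead WAN", "any", "allow"),
    Rule("Steelhead to LAN", "Steelhead LAN", "Trusted", "web-browsing", "allow"),
]

# A tempting mistake: matching the original App-ID on the WAN-side leg,
# where the firewall only ever sees riverbed-rios.
APPID_ON_WAN_LEG = [
    Rule("LAN to Steelhead", "Trusted", "Steelhead", "web-browsing", "allow"),
    Rule("Steelhead to WAN", "Steelhead", "Untrusted", "web-browsing", "allow"),
]

if __name__ == "__main__":
    for label, rules in [("legacy", LEGACY_RULES), ("appendix", VWIRE_RULES),
                         ("app-id on WAN leg", APPID_ON_WAN_LEG)]:
        print(label, "outbound web-browsing:", trace(rules, VWIRE_OUTBOUND, "web-browsing"))
    print("appendix outbound ssh:", trace(VWIRE_RULES, VWIRE_OUTBOUND, "ssh"))
```

Running the block shows the two effects the appendix describes: with the legacy rule set the outbound session is denied at its very first crossing (Trusted to Steelhead), because no rule names the Steelhead zone as a destination; with the appendix rule set both crossings are allowed in each direction. The third trace shows why App-ID enforcement belongs on the LAN-side legs: a rule for web-browsing on the Steelhead to Untrusted leg never matches, since the firewall sees riverbed-rios there, and the session is dropped.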
Riverbed Technology, Inc. 199 Fremont Street San Francisco, CA 94105 Tel: (415) 247-8800 www.riverbed.com
Riverbed Technology Ltd. One Thames Valley Wokingham Road, Level 2 Bracknell. RG42 1NG United Kingdom Tel: +44 1344 31 7100
Riverbed Technology Pte. Ltd. 391A Orchard Road #22-06/10 Ngee Ann City Tower A Singapore 238873 Tel: +65 6508-7400
Riverbed Technology K.K. Shiba-Koen Plaza Building 9F 3-6-9, Shiba, Minato-ku Tokyo, Japan 105-0014 Tel: +81 3 5419 1990