{"id":112678,"date":"2020-06-17T04:59:45","date_gmt":"2020-06-17T11:59:45","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=112678"},"modified":"2020-08-07T15:17:36","modified_gmt":"2020-08-07T22:17:36","slug":"network-cn-series","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2020\/06\/network-cn-series\/","title":{"rendered":"Announcing CN-Series: The Industry\u2019s First NGFW for Kubernetes"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Container adoption is on a serious rise, <\/span><span style=\"font-weight: 400;\">which is why we\u2019re releasing <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/network-security\/cn-series\"><span style=\"font-weight: 400;\">CN-Series<\/span><\/a><span style=\"font-weight: 400;\">, the containerized version of our ML-Powered Next-Generation Firewall (NGFW), designed specifically for Kubernetes environments. It\u2019s a significant development because, according to <\/span><a href=\"https:\/\/www.gartner.com\/smarterwithgartner\/6-best-practices-for-creating-a-container-platform-strategy\/\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Gartner<\/span><\/a><span style=\"font-weight: 400;\">, in the next three years,<\/span><span style=\"font-weight: 400;\"> the vast majority of organizations will be running multiple containerized applications in production.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As Unit 42 \u2013 the threat research arm of Palo Alto Networks \u2013 notes, these growing threats include <\/span><a href=\"https:\/\/unit42.paloaltonetworks.com\/graboid-first-ever-cryptojacking-worm-found-in-images-on-docker-hub\/\"><span style=\"font-weight: 400;\">Graboid: First-Ever Cryptojacking Worm<\/span><\/a><span style=\"font-weight: 400;\"> and other <\/span><a href=\"https:\/\/unit42.paloaltonetworks.com\/rootless-containers-the-next-trend-in-container-security\"><span style=\"font-weight: 400;\">new vulnerabilities 
that could be exploited over the network<\/span><\/a><span style=\"font-weight: 400;\">. For example, our researchers deployed a containerized version of Drupal 8 fully secured by cloud-native security tools in a public cloud. The container was compromised in 45 minutes. You can read more about this particular attack in our whitepaper, <\/span><a href=\"https:\/\/start.paloaltonetworks.com\/5-major-security-threats.html\"><span style=\"font-weight: 400;\">\u201cFive Major Security Threats and How to Stop Them.\u201d<\/span><\/a><span style=\"font-weight: 400;\"> Incidents like this are just the beginning. As enterprises adopt containers, the number of potential threats to apps running on Kubernetes will only continue to grow.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h6><b>How Palo Alto Networks addresses critical container security requirements<\/b><\/h6>\n<p><span style=\"font-weight: 400;\">We believe that complete container security requires the following protections:\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Vulnerability Management \u2013 Manage vulnerabilities and prioritize risk at runtime, as well as implement container image scanning and enforcement as part of build and deploy workflows.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Runtime security \u2013 Protect running containers and the host OS by building a baseline of application behavior to alert on and prevent anomalous or unwanted activity.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Identity-based microsegmentation \u2013 Reduce your attack surface by limiting east-west traffic based on the machine and application identity.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Layer 7 inspection and threat protection \u2013 Use full layer-7 network security and threat protection capabilities delivered by NGFWs to protect the allowed connections from 
threats, exploits, malware and data exfiltration.<\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h6><b>Layer 7 NGFW capabilities round out complete container security stack<\/b><\/h6>\n<p><span style=\"font-weight: 400;\">The release of CN-Series is part of our ongoing commitment to <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/05\/network-cloud-native-applications\/\"><span style=\"font-weight: 400;\">securing cloud applications<\/span><\/a><span style=\"font-weight: 400;\">. We acquired the world's best container security company Twistlock and <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2019\/11\/cloud-prisma-cloud-compute-edition\/\"><span style=\"font-weight: 400;\">integrated it into Prisma Cloud<\/span><\/a><span style=\"font-weight: 400;\"> to provide shift-left and runtime protection capabilities for hosts, containers and serverless. Then in December of 2019, we acquired Aporeto and are integrating identity-based microsegmentation capabilities into Prisma Cloud as well. <\/span><span style=\"font-weight: 400;\">And today, we are launching CN-Series, a containerized form factor of our industry-leading NGFW and the industry\u2019s first next-gen firewall for Kubernetes. This ensures our customers have access to a complete container security stack.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As the industry\u2019s first NGFW built specifically for Kubernetes environments, CN-Series firewalls leverage deep container context to protect inbound, outbound and east-west traffic between container trust zones (i.e. 
between namespaces, or between PCI-affected apps and non-PCI apps), along with other components of enterprise IT environments.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h6><b>Container connections shouldn\u2019t open infrastructure-wide vulnerabilities<\/b><\/h6>\n<p><span style=\"font-weight: 400;\">As enterprises speed their adoption of containers, risks also keep growing because containerized applications don't live on an isolated island. As these apps go into production, they start connecting to critical, non-containerized applications such as Active Directory and shared databases still running on legacy systems. This means that if attackers break into a containerized application, they can also break into critical databases by propagating laterally using allowed connections.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As the risk and compliance needs of the container environments increase, network security teams need to secure Kubernetes environments with the same rigor used to protect the rest of the infrastructure. Using familiar approaches won\u2019t work. For example, network security teams may attempt to deploy a traditional NGFW at the edge of a Kubernetes cluster. However, this edge firewall is limited to cluster-level visibility and control \u2013 it\u2019s impossible for the edge firewall to identify the specific container pod from which application traffic originates.\u00a0<\/span><\/p>\n<p><div style=\"max-width:100%\" data-width=\"900\"><span class=\"ar-custom\" style=\"padding-bottom:49.89%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter wp-image-112679 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/06\/cluster-vm.png\" alt=\"The container cluster shown here helps to illustrate how CN-series firewalls function. 
\" width=\"900\" height=\"449\" \/><\/span><\/div><\/p>\n<p><span style=\"font-weight: 400;\">This means that layer-7 network security and threat protection policies cannot be enforced between applications or namespaces within a container cluster. Plus, in a shared cluster, policies must be enforced for the entire cluster or not at all, rather than for specific applications within the cluster. What network security teams really need is an NGFW they can integrate natively into Kubernetes to gain layer-7 visibility for thousands of applications and enforce protection policies more granularly at the application or namespace level within a cluster.<\/span><\/p>\n<figure id=\"attachment_112692\" aria-describedby=\"caption-attachment-112692\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><div style=\"max-width:100%\" data-width=\"900\"><span class=\"ar-custom\" style=\"padding-bottom:54.33%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-112692 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/06\/cluster-pn.png\" alt=\"CN-Series container firewalls deployed on each node in the environment for maximum visibility and control. Panorama provides management.\" width=\"900\" height=\"489\" \/><\/span><\/div><figcaption id=\"caption-attachment-112692\" class=\"wp-caption-text\">CN-Series container firewalls deployed on each node in the environment for maximum visibility and control. Panorama provides management.<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<h6><b>Newfound visibility and protection closes container security gaps<\/b><\/h6>\n<p><span style=\"font-weight: 400;\">It is for this visibility and protection we have built the CN-Series Container Next-Generation Firewall. 
By containerizing our industry-leading next-gen firewall, the CN-Series container firewall natively deploys into Kubernetes environments.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Deploying natively allows network security teams to get layer-7 visibility and apply full NGFW protection for all inbound, east-west and outbound traffic at a namespace or even a pod level. CN-Series can be used to protect critical applications against known vulnerabilities and known or unknown malware and threats, until patches can be applied to secure the underlying compute resource. What\u2019s more, URL filtering capabilities can be used to prevent the cloud native applications from connecting to potentially malicious websites or code repositories.\u00a0<\/span><\/p>\n<figure id=\"attachment_112705\" aria-describedby=\"caption-attachment-112705\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><div style=\"max-width:100%\" data-width=\"900\"><span class=\"ar-custom\" style=\"padding-bottom:54.33%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-112705 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/06\/shared-cluster.png\" alt=\"CN-Series firewalls protect east-west traffic between pods in different trust zones, such as between two namespaces (green arrows), east-west traffic between containers and other workload types (green arrows), inbound traffic from the internet to a containerized application (yellow arrow) and outbound traffic from a containerized application to developer resources (blue arrow).\" width=\"900\" height=\"489\" \/><\/span><\/div><figcaption id=\"caption-attachment-112705\" class=\"wp-caption-text\">CN-Series firewalls protect east-west traffic between pods in different trust zones, such as between two namespaces (green arrows), east-west traffic between containers and other workload types (green arrows), inbound traffic from the internet to a containerized application (yellow arrow) and 
outbound traffic from a containerized application to developer resources (blue arrow).<\/figcaption><\/figure>\n<p><span style=\"font-weight: 400;\">CN-Series can deliver full next-gen firewall protection regardless of where apps are hosted. In an on-prem data center, this can be Kubernetes or Red Hat OpenShift. In a public cloud, this far-reaching protection also includes Kubernetes and Red Hat OpenShift \u2013 and is extended to Google Kubernetes Engine (GKE), Azure Kubernetes Service (AKS), and Amazon\u2019s Elastic Kubernetes Service (EKS).<\/span><\/p>\n<p>&nbsp;<\/p>\n<h6><b>Ease and speed match need<\/b><\/h6>\n<p><span style=\"font-weight: 400;\">Because CN-Series deployment and configuration are completely native to Kubernetes, the container firewall can be deployed with simple Kubernetes commands and easily integrated into existing DevOps workflows for fast, repeatable deployments. For development teams that use Helm to manage their Kubernetes applications, a community-supported <\/span><a href=\"https:\/\/github.com\/PaloAltoNetworks\/cn-series-helm\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">CN-Series Helm Chart<\/span><\/a><span style=\"font-weight: 400;\"> has been created to simplify firewall deployment and management.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">And to ensure network security consistency and accuracy throughout the infrastructure, Panorama security management provides centralized administration across physical, virtual and containerized environments. 
Features such as a brand-new Panorama K8s plugin allow customers to enforce context-aware policies in CN-Series as well as in other members of our ML-powered firewall platform: VM-Series virtual firewalls and PA-Series hardware firewalls.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Make container adoption real \u2013 and find more details about <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/network-security\/cn-series\"><span style=\"font-weight: 400;\">getting serious about Kubernetes security<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h5><strong>Intelligent Network Security: LinkedIn Live Broadcast.<\/strong><\/h5>\n<p><span style=\"font-weight: 400;\">AJ Shipley, vice president of product, and Paul Calatayud, Americas CSO, appeared on LinkedIn Live to answer questions about the industry\u2019s first ML-Powered NGFW. <\/span><a href=\"https:\/\/www.linkedin.com\/video\/live\/urn:li:ugcPost:6681933905844584448\/\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Watch the event on-demand<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CN-Series helps keep cloud native applications nimble and secure with deep layer 7 container traffic visibility and 
control.<\/p>\n","protected":false},"author":663,"featured_media":112724,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6768,6765],"tags":[7150,6504,6703,151,6731,810,111],"coauthors":[7128],"class_list":["post-112678","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-cloud","category-secure-the-enterprise","tag-cn-series","tag-container-security","tag-containers","tag-firewalls","tag-kubernetes","tag-network-security","tag-ngfw","net_sec_category-hybrid-cloud-data-center","net_sec_category-next-generation-firewalls"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/06\/Sapporo_Event_Social_NGFW_1200x628_Responsive.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/112678","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/663"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=112678"}],"version-history":[{"count":8,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/112678\/revisions"}],"predecessor-version":[{"id":117368,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/112678\/revisions\/117368"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/112724"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=112678"}],"wp:term":[{"taxonomy":"category","embeddable"
:true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=112678"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=112678"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=112678"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}