- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Cloud-native adoption is on the rise. According to Gartner, by the end of 2023, more than 75% of global organizations will be running containerized applications in production, up from less than 30% today.
Hardware and virtual firewalls can only be deployed outside the container environment. When the traffic leaves the Kubernetes cluster, it is Network Address Translated (NATed) to the node IP address. As a result, these firewalls sitting outside the Kubernetes cluster are blind to the actual source of the traffic. Customers interested in gaining Layer-7 visibility inside the Kubernetes cluster and enforcing granular policies at a Kubernetes namespace level are now adopting CN-series.
The Palo Alto Networks CN-Series firewall is the industry's first next-gen firewall (NGFW) for Kubernetes purpose-built to secure the Kubernetes environment from network-based attacks. With the CN-series firewall, you can:
To stop the lateral movement of threats between different applications running on the same Kubernetes cluster as well as to comply with regulatory standards such as HIPAA and PCI, large healthcare providers and online retailers have inserted CN-series between Web-server application facing the internet and the Database application holding the sensitive data. By doing so, the customers can ensure threats don’t move laterally between different applications and hence, comply with regulatory standards.
While Microsegmentation products provide granular protection at Layer 3 and 4 to block traffic between workloads that shouldn’t be able to communicate, CN-Series inspects and controls allowed traffic at layer 7 and stops threats that may be attempting to move laterally across the environment.
To get visibility inside the Kubernetes cluster at the application level and enforce the granular level policy as well as prevent data exfiltration, customers deploy CN-series in conjunction with URL filtering and DNS Security subscriptions.
By using CN-series, the customers have ensured the specific app (Jenkins for example) can communicate with only a specific URL that might be internal to the organization or on the internet. However, other apps running on the same Kubernetes cluster (App1 and App2) can talk to any other apps on the internet. Additionally, whenever a potentially malicious website/domain is detected by a DNS security subscription, all the apps stop communicating with the malicious domain and ensure customers’ sensitive data stays within the organization.
To protect against incoming threats and apply granular level policy at the application/namespaces level, large online retailers and banking customers are using CN-series in conjunction with Threat Prevention (TP) and Wildfire (WF) subscriptions. With CN-series, the customer can apply stricter policies for the specific applications only and protect against any file-based threats, including exploits, malware, spyware, and previously unknown threats, attempting to sneak through open ports.
Additionally, by taking advantage of the auto-scaling capabilities of Kubernetes to handle peak traffic, many customers have moved from the HW firewall to CN-series Firewall, enabling greater cost savings and improved operational efficiency.
To learn more about how CN-series can help you protect your containerized workloads, please visit:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Subject | Likes |
---|---|
2 Likes | |
1 Like | |
1 Like | |
1 Like | |
1 Like |