Protect your container applications running on Istio service mesh with CN-Series
We’re announcing the limited availability of CN-Series Container Firewalls on Istio service mesh. With this release, customers can use the CN-Series container firewall to protect applications running on the Istio service mesh. A service mesh lets developers transparently add observability, traffic management, and security to their applications. But why are customers adopting service mesh, and why do they still need to care about network security for the applications running on it?
What is service mesh?
A service mesh is a dedicated infrastructure layer that developers can transparently add to their applications to get observability, traffic management, and security without implementing these features themselves or adding any application code. By leveraging a service mesh, developers can offload this non-business logic, focus fully on building the application's core functionality, and move it to production faster. Platform teams benefit as well: the mesh is infrastructure they already operate, so responsibility for cross-cutting concerns such as telemetry and transport encryption sits with the team that owns them.
How does service mesh work?
A service mesh is an infrastructure layer, separate from the application code, that controls service-to-service communication in a microservices architecture. It routes service requests to other services, performs load balancing, encrypts traffic between services (in Istio, with mutual TLS), and handles service discovery.
Although developers can code the logic that governs communication directly into each microservice, a service mesh abstracts that logic into a parallel layer of infrastructure using a proxy called a sidecar, which runs alongside each service instance; together the sidecars form the mesh's data plane. The control plane handles the management processes and is responsible for configuring and coordinating the proxies' behavior. The control plane also exposes APIs to manage traffic control, network resiliency, security and authentication, and custom telemetry for each service.
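To make concrete what "security and authentication" from the control plane looks like in Istio, here is an added example (not from the original post and not Palo Alto Networks code) of the two mesh-native policy objects a platform team would typically apply. The namespace `shop`, the `payments` workload label, the `checkout` service account and the `/v1/charge` path are assumed names for illustration. The PeerAuthentication turns on STRICT mutual TLS, so every pod-to-pod hop is encrypted by the sidecars; the AuthorizationPolicy then allows only the `checkout` identity to call one method on one path. What neither object does is inspect the request body or match exploit signatures: the mesh authenticates and authorizes peers, it does not perform threat prevention, and once STRICT mTLS is on, anything outside the sidecar sees only TLS ciphertext on the wire.

```yaml
# Added example: Istio mesh-native security policy for an assumed "shop" namespace.
# Applies with: kubectl apply -f mesh-policy.yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop          # assumed namespace
spec:
  mtls:
    mode: STRICT           # sidecars accept only mTLS; plaintext pod-to-pod traffic is rejected
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-checkout
  namespace: shop
spec:
  selector:
    matchLabels:
      app: payments        # assumed workload label
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE identity of the assumed checkout service account, proven by the mTLS client cert
        principals: ["cluster.local/ns/shop/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/charge"]   # assumed path; any other path or method is denied with HTTP 403
```

Once an ALLOW policy selects a workload, the sidecar rejects every request that matches no rule, so a call from any other service account, or a GET to the same path, is refused at the proxy. The allow decision is made on identity, method and path only; a malicious payload in a permitted POST from the permitted principal passes through untouched, which is the gap a Layer 7 inspection point in front of the sidecar is meant to close.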
How container security meets a pressing network security problem:
With a service mesh, developers can build applications quickly and move them to production sooner. However, to keep a consistent security posture, the security team needs to make sure that the threat-prevention policies enforced on its other containerized and non-containerized applications are also enforced on applications running on the service mesh. The mesh itself authenticates and authorizes services; it does not inspect the traffic it carries for exploits. That’s where the CN-Series comes into the picture.
The Palo Alto Networks CN-Series containerized firewall is a next-generation firewall purpose-built to secure Kubernetes environments from network-based attacks. The CN-Series firewall lets network security teams gain Layer 7 visibility into Kubernetes environments, provide inline threat protection for containerized applications deployed anywhere, and scale security dynamically without compromising DevOps agility.
By running CN-Series for Istio service mesh, you can ensure that applications running on the service mesh receive always-on, Layer 7 runtime protection against exploits of unknown and unpatched vulnerabilities.
How CN-series supports Istio service mesh:
To give applications running on the service mesh Layer 7 traffic protection, all application traffic is redirected to CN-Series before it reaches the Envoy sidecar proxy. CN-Series inspects the traffic while it is still in cleartext, and only then is it handed to the sidecar, which applies the mesh's encryption before the traffic leaves the pod (the original post illustrates this flow in a diagram). Because inspection happens ahead of the sidecar, the firewall never has to terminate or bypass the mesh's mutual TLS to see the application payload.
As part of the preview, only the DaemonSet deployment mode is supported, and the solution provides East-West traffic protection as well as outbound traffic protection. Support for the other deployment modes, Kubernetes Service mode and CNF mode, will be added in the future, along with inbound threat prevention.
In addition, we plan to support other service mesh solutions, including Google Anthos, AWS AppMesh and AKS service mesh. To learn more about how CN-Series can protect applications running on Istio service mesh, please reach out to your Palo Alto Networks account team.