Juniper Networks announced Contrail Security, a security and micro-segmentation offering designed to allow enterprises and SaaS cloud providers to protect applications running in multiple cloud environments. Contrail Security is intended to address the vulnerability of applications distributed across multiple clouds and the shortcomings of perimeter-based security policies as cloud blurs the enterprise perimeter.

SDN-based micro-segmentation has been a hot-button topic for a few years for exactly the reason Juniper cites: more application workloads are moving to the perimeter-less cloud, which renders perimeter-based security largely ineffective. Juniper joins a group that includes VMware's NSX, Cisco's ACI and Tetration Analytics, and Illumio's Adaptive Security Platform in policy-based micro-segmentation and security, and Juniper will garner a lot of attention from its cloud and service provider router customer base. But the competition is formidable and established, especially in the enterprise, and Juniper will have to articulate compelling differentiation to make inroads there.

Context

Sixty percent of enterprise workloads will be cloud-based by the end of the decade, according to recent surveys conducted by 451 Research. Enterprises are deploying applications across multiple public and private clouds for scale, agility and resource optimization.

But as these workloads are dispersed across multiple clouds, they are exposed to distributed vulnerabilities and an increased risk of a security breach. Also, cloud – especially multi-cloud – has no perimeter. So, the effectiveness of perimeter-based security policies is compromised as workloads extend beyond that perimeter.

This has created demand for policy-based micro-segmentation approaches that attach updated security profiles to workloads as they move from cloud to cloud. These approaches are designed to alleviate manual creation and management of scores of security policies across multiple environments that may obscure insight into application interaction.

Juniper acquired SDN controller maker Contrail Systems in 2012 for $176m to fill out its network virtualization and automation portfolio. Contrail had previous integrations with Juniper routers and switches, and Juniper invested in Contrail's sole $10m funding round. Contrail CTO Kireeti Kompella had been CTO and chief architect of the Junos operating system software at Juniper.

For its fiscal 2017 second quarter ended June 30, Juniper posted net revenue of $1.31bn, an increase of 7% year-over-year and sequentially. Net income was $179.8m, an increase of 28% year-over-year and 65% sequentially. The company expects revenue of $1.32bn, plus or minus $30m, for the fiscal 2017 third quarter ending Sept. 30.

Products

Juniper Contrail Security includes the Contrail SDN controller for policy definition and Contrail vRouter for Layer 4 policy enforcement. The vRouter and Contrail APIs alleviate the need to instrument applications and workloads with policy enforcement agents.

The Contrail controller enables administrators to define intent through templates and wizards, using terms that allow micro-segmentation across diverse cloud environments including OpenStack, Kubernetes, bare-metal servers and public clouds. These intent definitions are implemented as distributed security and networking policies, and a single policy can be applied across multiple environments using tags.

Contrail configuration APIs allow for automation and integration with other firewall management tools. Contrail's analytics APIs allow for integration with SIEM and other security management tools. The controller then orchestrates defense using multiple enforcement points. Layer 4 policies use the vRouter to protect workloads from inside threats, while Layer 7 policies redirect suspicious traffic to a next-generation firewall for advanced services, like intrusion prevention, deep packet inspection and anti-virus. Contrail Security also performs application-to-application flow discovery – with or without enforcing policies – for visualization, analytics and orchestration of security configurations across hybrid cloud environments. It uses machine learning to gain insight into application interactions and to detect anomalies, and provides reporting, troubleshooting and compliance.
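The tag-based model described above, as an added illustrative sketch: it is not Juniper's code and does not use Contrail's APIs, and every class name, tag, port and workload in it is constructed for the example. It shows one rule set matching workloads by tag regardless of environment, a default-deny Layer 4 verdict, a "redirect" verdict standing in for hand-off to a Layer 7 firewall, and flow discovery with enforcement switched off.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    environment: str   # recorded for reporting only; rules never consult it
    tags: frozenset

@dataclass(frozen=True)
class Rule:
    src: frozenset     # tags the source workload must carry
    dst: frozenset     # tags the destination workload must carry
    port: int
    action: str        # "allow" at Layer 4, or "redirect" to a Layer 7 firewall

def evaluate(rules, src, dst, port):
    """First matching rule wins; traffic no rule matches is denied."""
    for r in rules:
        if r.src <= src.tags and r.dst <= dst.tags and r.port == port:
            return r.action
    return "deny"

def process(rules, flows, enforce):
    """Return (delivered flows, discovered flow map with verdicts)."""
    delivered, discovered = [], {}
    for src, dst, port in flows:
        verdict = evaluate(rules, src, dst, port)
        discovered[(src.name, dst.name, port)] = verdict
        if verdict != "deny" or not enforce:   # discovery mode drops nothing
            delivered.append((src.name, dst.name, port))
    return delivered, discovered

def tags(*t):
    return frozenset(t)

# Constructed sample inventory: one application spread over four environments.
WEB_K8S = Workload("web-1", "kubernetes", tags("app=shop", "tier=web"))
WEB_OS = Workload("web-2", "openstack", tags("app=shop", "tier=web"))
API = Workload("api-1", "public-cloud", tags("app=shop", "tier=api"))
DB = Workload("db-1", "bare-metal", tags("app=shop", "tier=db"))

RULES = [
    Rule(tags("tier=web"), tags("tier=api"), 443, "allow"),
    Rule(tags("tier=api"), tags("tier=db"), 5432, "redirect"),
]
FLOWS = [(WEB_K8S, API, 443), (WEB_OS, API, 443), (API, DB, 5432), (WEB_K8S, DB, 5432)]

if __name__ == "__main__":
    for mode in (False, True):
        delivered, discovered = process(RULES, FLOWS, enforce=mode)
        print("enforce" if mode else "discover", len(delivered), discovered)
```

Running discovery first and comparing its verdict map with observed traffic shows which flows a rule set would drop before enforcement is turned on.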

Competition

As previously noted, Contrail Security will go up against other SDN-based micro-segmentation offerings from Cisco, VMware and Illumio.

Cisco's Tetration Analytics and Control offering works in heterogeneous and hybrid application systems without the need for integration with a specific cloud or networking infrastructure. It monitors network traffic by adding a very low-overhead agent to the operating system under the application code. Using this agent, Cisco Tetration Analytics can capture all flow traffic including the east/west traffic, and act as enforcer by controlling the internal firewall of the OS.

Cisco ACI's policy-based micro-segmentation capability relies on deployment of the company's Nexus 9000 series switches and ACI ASICs.

Micro-segmentation is a primary use case of VMware's NSX network virtualization platform. At VMworld in August, VMware announced NSX Cloud, a service designed to provide consistent networking and security for applications running in multiple private and public clouds, via a single management console and common API. Micro-segmentation security policy is defined once and applied to application workloads running across multiple clouds.

Illumio recently announced new capabilities in its Adaptive Security Platform that enhance visualization, application dependency mapping and security policy developments. The Explorer and Policy Generator extensions to ASP allow operations and security staff to ask 'questions' about their network traffic to determine where, for example, flows have gone over a specific period, and to generate micro-segmentation policies for every workload and application through analysis and without network details like IP addresses.

Juniper will also likely run into vArmour in application security and micro-segmentation. The company is a pioneer in infrastructure-agnostic micro-segmentation. Deploying vArmour requires integration with a customer's specific virtualization and cloud management infrastructure but enables security solutions that aren't dependent on any virtualization or specific network technology.

SWOT Analysis

Strengths

Juniper has a strong reputation and relationship with service providers, including cloud service providers, that build revenue-generating infrastructure on the company's routers.

Weaknesses

Since acquiring firewall company NetScreen in 2004, Juniper's momentum in security has waned. Smaller companies like Palo Alto Networks (founded by former NetScreen CTO Nir Zuk) have since blazed the trail in next-generation firewalls.

Opportunities

Micro-segmentation is an emerging market for application and workload security in the cloud. The need prompted VMware to acquire Nicira and NSX in 2012 for $1.26bn, and Cisco to develop not only ACI, but Tetration Analytics and Control. Illumio and vArmour began life as micro-segmentation-focused companies. It's a killer app for SDN.

Threats

Companies like vArmour, Illumio, VMware and Cisco have been at this for years already, and are enhancing and extending existing products while Juniper is just jumping into the market. Juniper's differentiation will need to be compelling.
Jim Duffy
Senior Analyst, Networking
