Streamlined Security: Introducing Network Security Integration
Pradeep Nair
Product Manager
Susan Wu
Outbound Product Manager
Many Google Cloud customers have deep investments in third-party ISV security solutions such as appliances to secure their networks and enforce consistent policies across multiple clouds. However, integrating these security solutions into the cloud application environment comes with its own set of challenges:
- Network re-architecture: Integrating third-party appliances for traffic inspection often necessitates a network redesign to route application traffic through them. With the high rate of change in a cloud application environment, this process can be error-prone, add operational overhead, and slow down application deployment time.
- High cost of operation: The inability to selectively route traffic to third-party appliances for inspection leads to overprovisioning and increased costs. Customers often invest in larger, more expensive appliances to handle all their traffic, regardless of applications’ security inspection needs.
- Difficulty meeting compliance requirements: Meeting security and regulatory requirements for an application deployment can be complex and often requires customers to implement custom tooling.
Today, we’re pleased to announce Network Security Integration to address these challenges. Network Security Integration helps you integrate third-party network appliance or service deployments with your Google Cloud workloads while maintaining consistent policies across hybrid and multicloud environments — without changing your routing policies or network architecture. Network Security Integration also enables comprehensive workload traffic visibility, advanced network security, and application/network performance monitoring. It uses Generic Network Virtualization Encapsulation, a.k.a. Geneve tunneling, to securely deliver traffic to third-party inspection destinations without modifying the original packets.
Additionally, Network Security Integration helps accelerate application deployments and compliance with a producer/consumer model. Infrastructure operations teams provide collector infrastructure as a service, and application development teams consume it dynamically without provisioning their own. Support for hierarchical firewall policy management helps enforce compliance without introducing delays.
Network Security Integration offers two primary modes:
- Out-of-band integration (GA): Mirrors desired traffic to a separate destination for offline analysis
- In-band integration (Preview): Directs specific traffic to a third-party security stack for inline inspection
Network Security Integration out-of-band
Running out-of-band, Network Security Integration transparently mirrors packets destined to and from the workload to a destination collector group. Geneve helps ensure secure transmission to the destination.
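A collector that receives mirrored traffic first has to strip the Geneve encapsulation described above to get back the unmodified workload packet. The following decapsulator is an added example (not Google Cloud's code, and not a published detail of the product's wire format); it assumes only the standard Geneve header from RFC 8926 and rejects truncated or malformed option areas rather than passing them to downstream analysis.

```python
"""Decapsulate Geneve (RFC 8926) frames as a mirror collector would."""
import struct
from dataclasses import dataclass

GENEVE_UDP_PORT = 6081   # IANA-assigned Geneve port
ETHERTYPE_TEB = 0x6558   # inner payload is a complete Ethernet frame

@dataclass
class GenevePacket:
    vni: int
    protocol: int
    oam: bool
    critical: bool
    options: list   # (option class, option type, data bytes) tuples
    inner: bytes    # the original packet, untouched by the tunnel

def build_geneve(vni, inner, options=(), protocol=ETHERTYPE_TEB):
    """Encode a Geneve header; used here only to construct sample input."""
    opts = b"".join(struct.pack("!HBB", c, t, len(d) // 4) + d for c, t, d in options)
    b0 = len(opts) // 4  # version 0, option length in 4-byte words
    b1 = 0x40 if any(t & 0x80 for _c, t, _d in options) else 0  # C bit if any critical option
    return struct.pack("!BBHI", b0, b1, protocol, vni << 8) + opts + inner

def parse_geneve(buf: bytes) -> GenevePacket:
    if len(buf) < 8:
        raise ValueError("truncated Geneve base header")
    b0, b1, proto, vni_rsvd = struct.unpack("!BBHI", buf[:8])
    if b0 >> 6 != 0:
        raise ValueError("unsupported Geneve version")
    end = 8 + (b0 & 0x3F) * 4  # option area length is counted in 4-byte words
    if len(buf) < end:
        raise ValueError("truncated Geneve options")
    options, pos = [], 8
    while pos < end:
        if end - pos < 4:
            raise ValueError("malformed option header")
        opt_class, opt_type, length = struct.unpack("!HBB", buf[pos:pos + 4])
        data_len = (length & 0x1F) * 4
        pos += 4
        if pos + data_len > end:
            raise ValueError("option runs past the option area")
        options.append((opt_class, opt_type, buf[pos:pos + data_len]))
        pos += data_len
    return GenevePacket(vni_rsvd >> 8, proto, bool(b1 & 0x80), bool(b1 & 0x40), options, buf[end:])

# Constructed sample (not captured traffic): a 14-byte Ethernet header plus placeholder payload.
SAMPLE_INNER = bytes.fromhex("0a0000000001" "0a0000000002" "0800") + bytes(20)
SAMPLE_PACKET = build_geneve(0x00ABCD, SAMPLE_INNER, options=[(0x0102, 0x05, b"\x00\x00\x00\x2a")])

if __name__ == "__main__":
    pkt = parse_geneve(SAMPLE_PACKET)
    print(f"VNI={pkt.vni:#x} proto={pkt.protocol:#06x} options={len(pkt.options)} inner={len(pkt.inner)} bytes")
```

In a real collector the bytes passed to parse_geneve are the UDP payload received on port 6081; the returned inner frame is what your IDS or capture tool should index.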
Running Network Security Integration out-of-band lends itself to the following use cases:
- Implementing advanced network security - Use advanced offline analysis to detect known attacks based on predetermined signature patterns, and also identify previously unknown attacks with anomaly-based detection. Granular filtering capabilities ensure that only the workload traffic you select is mirrored for advanced inspection.
- Improving application availability and performance - Diagnose and analyze what's going on over the wire instead of relying only on application logs. Network traffic analysis tools apply machine learning and analytics to the mirrored packet data, baselining the network's normal behavior and then detecting anomalies that might indicate availability or performance issues.
- Supporting regulatory and compliance requirements - Finance and other regulated industries are required to capture and retain specific types of network traffic for a predetermined period to meet stringent requirements for auditing and forensic investigations.
Network Security Integration in-band
With in-band integration, traffic ingressing or egressing a workload can be intercepted and redirected to a security stack where it is inspected for threats and for compliance with security policy. The bump-in-the-wire implementation of in-band interception lets you inspect traffic between VPCs, or even between different application components within the same VPC. With this, you can shrink your security domain to a single workload and deploy true Zero Trust security in your environment.
Choose to run Network Security Integration in-band for the following scenarios:
- Integrate natively with Cloud Next Generation Firewall (NGFW) and third-party firewalls - Network Security Integration simplifies the deployment of Google Cloud NGFW and third-party security solutions. It allows you to deploy third-party security services for traffic that requires additional security controls, while using Cloud NGFW's distributed firewall features for optimized inspection.
- Insert your preferred network security solution into brownfield application environments - Network Security Integration in-band is an elegant solution for integrating third-party security appliances directly into your existing network infrastructure, without requiring any modifications to your current routing configuration. By implementing it in-band, you can introduce additional layers of security and protection to your application traffic, helping to ensure comprehensive safeguarding against potential network threats.
What our partners are saying
This is what major partners had to say about Google Cloud’s Network Security Integration.
Palo Alto Networks
“Our partnership with Google Cloud continues with strong momentum, and today marks another milestone. Palo Alto Networks is partnering with Google Cloud to deliver advanced inline security protection for cloud and AI applications, significantly enhancing customer usability with a new deployment option. By integrating Palo Alto Networks AI-Runtime Security and VM-Series Virtual Firewalls with Network Security Integration, customers can rapidly secure their Google Cloud environment and AI applications, applying granular security policies based on a zero trust architecture.” - Jaimin Patel, Senior Director of Product Management, Palo Alto Networks
Fortinet
“Fortinet is partnering with Google Cloud to provide AI-powered threat intelligence for applications and workloads in Google Cloud by natively integrating with FortiGate next-generation firewalls. With the integration of Fortinet and Network Security Integration, customers are able to implement consistent cloud security policies and ensure faster and more reliable security response for their cloud networks.” - Vincent Hwang, Vice President of Cloud Security, Fortinet
Check Point
“We are excited to partner with Google Cloud to offer advanced threat prevention and secure connectivity across their global infrastructure. By securing the hybrid mesh with Network Security Integration and Check Point CloudGuard, our customers can stay free from cyber threats while automating management tasks and accelerating deployments across all Google Cloud regions.” - Kit Chee, Vice President, Global Strategic Partnerships, Check Point Software Technologies
Corelight
"Integrating with Google Cloud’s Network Security Integration empowers our customers to seamlessly adjust to the fluctuating demands of cloud environments. This integration enables our shared customers to expand the Corelight Network Detection and Response (NDR) value in the cloud, allowing comprehensive network visibility and threat detection. By adopting a straightforward, policy-driven strategy, organizations can effectively secure their Google Cloud deployments regardless of their scaling trajectory, optimizing both security and operational efficiency." - Todd Wingler, VP, Global Alliances and Channels, Corelight
Trellix
“Trellix Virtual Intrusion Prevention System (vIPS) is a next-generation intrusion detection and prevention system (IDPS) that discovers and blocks sophisticated malware threats across the network. It uses advanced detection and emulation techniques, moving beyond traditional pattern matching to defend against stealthy attacks with a high degree of accuracy. Trellix has partnered with Google Cloud to integrate the Trellix vIPS with Network Security Integration. With the new architecture, Trellix and Google Cloud can meet the security challenges of the customers in a much faster and more scalable way and streamline the security adoption for our joint customers.” - Manish Kumar, Senior Software Architect, Trellix
cPacket
“cPacket is thrilled to partner with Google Cloud on their Network Security Integration rollout. When combined with cPacket’s Cloud Suite, customers can leverage best-in-class packet replication capabilities to multiple tools, powerful always-on packet capture and network analytics, and advanced visualization capabilities by utilizing these new in-band and out-of-band solutions delivered by Google Cloud.” - Trey Moczygemba, Sr. Cloud Product Manager, cPacket
Netscout
“NETSCOUT delivers actionable intelligence in Observability and Cybersecurity through real-time deep packet inspection (DPI). With NETSCOUT and Network Security Integration, customers gain powerful insights from end-to-end, packet-level visibility into their Google Cloud workloads and hybrid or multi-cloud connected applications, ensuring both performance and security.” - Tom Bienkowski, Senior Director, Security Product Marketing
An integrated security ecosystem
At Google Cloud, we’re committed to delivering enhanced visibility and top-tier security for customers’ network traffic and their workloads. With Network Security Integration, you can continue to use your third-party security solutions in your cloud environment, with lower costs, tighter integration, increased compliance, and no routing configuration changes. To learn more, visit the documentation for Network Security Integration. For Network Security Integration in-band (preview), contact your Google representative for access. We also encourage you to explore Cloud Next Generation Firewall (NGFW), our cloud-native, fully-distributed stateful inspection firewall engine that secures your network at cloud scale, enforced at each workload.