CONNECTED VIRTUALISATION
WESTCON 5-DAY / SALES, 13 FEBRUARY 2012
Dennis de Leest, Security Systems Engineer

Copyright © 2011 Juniper Networks, Inc. www.juniper.net

VIRTUALIZATION CHALLENGES

MEGA TREND – SERVER VIRTUALIZATION

[Chart: installed servers in millions, 1996 to 2013, comparing the physical server installed base with the logical server installed base; the widening gap between the two curves is labelled "Capital Savings". Source: IDC]

SECURITY IMPLICATION OF VIRTUALIZATION

[Diagram: in the physical network, the firewall/IDS sees and protects all traffic between servers. In the virtual network, VM1, VM2 and VM3 on an ESX/ESXi host exchange traffic through the virtual switch inside the hypervisor.]

Physical security is "blind" to traffic between virtual machines.

THE ISOLATION CHALLENGE IN THE VSWITCH

VM isolation challenge:
- vSwitches provide only basic connectivity
- VMs plugged into the same vSwitch have direct access to each other via the hypervisor
- Port groups that are assigned VLAN IDs need a layer 3 device for routing
- Distributed vSwitches don't realistically address security
- VM admins can assign vNICs to any network (even accidentally)

APPROACHES TO SECURING VIRTUAL NETWORKS

1. VLANs and physical segmentation
2. Traditional security agents: a regular thick agent for FW and AV in the VMs
3. Purpose-built virtual security: a virtual security layer (VS) on the ESX/ESXi host, alongside the hypervisor

THE GOAL IS SECURE CLOUD COMPUTING

[Diagram: hosts ESX 1 through ESXi 6, including hosted and remote hosts, each carrying a virtual security layer, spanning public, private and hybrid clouds.]

Public, private, and hybrid clouds require dynamic and highly integrated security mechanisms to keep information safe!

SOLUTION OVERVIEW

THE VGW PURPOSE-BUILT APPROACH

- Service provider and enterprise grade
- Three-tiered model
- VMware certified (signed binaries!)
- Protects each VM and the hypervisor
- Fault-tolerant architecture (i.e., HA)
- Scales to 1,000+ hosts
- "Auto Secure" detects/protects new VMs
- Virtualization-aware

[Diagram of the three tiers: (1) Virtual Center, holding the security design for the vGW VM; (2) the vGW engine on the ESX or ESXi host, in the VMware kernel beneath VM1, VM2 and VM3, using the VMware APIs and supporting "Secure VMotion"; (3) a partner server (IDS, SIM, Syslog, Netflow) receiving packet data.]

Granular, tiered defense:
- Any vSwitch (Standard, DVS, 3rd party)
- Stateful firewall, integrated IDS, and AV
- Flexible policy enforcement – zone, VM group, VM, individual vNIC

TIGHT INTEGRATION WITH VCENTER

No manual synchronization:
- Complete VM inventory pulled from vCenter
- Security syncs with changes to the virtual infrastructure

VMs identified by their vCenter UUID:
- No need to trust weak associations
- Differentiate between a VM and its clones
- Maintain correct policy and monitoring throughout change

Validate infrastructure configuration:
- Prevent "backdoor channels"
- Ensure configuration integrity

Automate deployment:
- Deploy firewalls programmatically
- Simplify HA setup by cloning management VMs

KEY FEATURES AND BENEFITS

VGW MODULES

Main: dashboard view of the virtual system threats (including VM quarantine view)
Firewall: firewall policy management and logs
AntiVirus: full AV protection for VMs
Compliance: out-of-box and custom rules engine; alerts on VM/host config changes
Network: visibility of inter-VM traffic flows
IDS: centralized view of IDS alerts and ability to drill down on attacks
Introspection: centralized VM view (includes OS, apps, hot fixes, etc.)
Reports: automated reports for all functional modules

VGW – NETWORK VISIBILITY

All VM traffic flows are stored in a database and available for analysis.

Benefits:
- Visibility of all VM communications
- Ability to spot design issues with security policies
- Single click to more detail on VMs
- Connections tab shows open traffic flows
- Custom time interval for troubleshooting
- Left-hand tree selection navigates the right-hand pane

VGW – FIREWALL

Complete firewall protection for any network traffic to or from a VM.

Benefits:
- Extremely flexible protection down to the vNIC
- NEW! Ability to automatically assign policies to VMs
- Ability to quarantine VMs for immediate isolation
- Kernel implementation isolates the connection table and rule base
- NEW! Define a quarantine policy for use on AV, Compliance or Image Enforcer violations

POLICY MODEL DETAILS

Individual vNIC policy allows administrators to set different policies on vNICs connected to different vSwitches, or even to the same vSwitch!

Configuration:
- Enable the per-vNIC option in Settings -> Install Settings
- Configure the policy via the rule editor for each vNIC
- NEW! vNICs show up for VMs

Implement the security granularity you require! (Global, Group, Individual VM, or even individual vNIC)

VGW – IDS

Send selectable traffic flows to the internal IDS engine for deep-packet analysis against a dynamic signature set.
- A security rule filters what is IDS inspected
- Review IDS alerts by targets and sources
- Change "Time Interval" to expand the time slot, or set "Custom Time Period" to review historical data
- Click on an Alert Type to get further details about the signature that triggered the alert

VGW – ANTIVIRUS

- NEW! AntiVirus components controlled centrally (scanner config, alert viewing, infected file remediation)
- On-Demand and On-Access scan configurations
- AV dashboard for quick status understanding
- File quarantine

VGW – INTROSPECTION

Introspection is the agent-less ability to scan a VM's virtual disk contents to understand what's installed – OS, SP, applications, registry values. NEW!

Benefits:
- Know exactly what's installed in a VM and automatically attach the relevant security policy!
- Categorize discovered values and easily determine install states (Application and VM views)
- Use Image Enforcer to define a "gold" image (template or VM), then discover how VMs deviate from it over time
- Works for Windows and Linux NEW!

VGW – COMPLIANCE (NEW!)

The compliance module includes pre-defined rules based on virtual security best practices, and an engine so customers can define their own rules.

Benefits:
- Define rules on any VM or VM group (alerts and reports for compliance rule violations) NEW!
- Automatically quarantine VMs into an isolated network if they violate a rule NEW!
- Rules relevant to both VM and host configuration NEW!
- Enhanced rule editor for intuitive manipulation of attributes
- Classifications of checks (VMware best practices, etc.)
- Easily see rule violations

VGW – REPORTS

Pre-defined and customizable reports covering all of the solution modules.

Benefits:
- Generate reports in PDF or CSV format
- Automatically send scheduled reports via email, or store them directly in the vGW management center
- Scoping mechanism isolates contents (Customer/Dept A's VMs never show up in Customer/Dept B's report)
- NEW! AntiVirus reports
- NEW! Report on Image Enforcer profiles

ARCHITECTURE AND SCALABILITY

INTEGRATED WITH JUNIPER DATA CENTER SECURITY

[Diagram: VM1, VM2 and VM3 on VMware vSphere protected by vGW (ALTOR vGW); central policy management pushes the vGW policies; firewall event syslogs and Netflow for inter-VM traffic go to STRM; zone synchronization and traffic mirroring to IPS link vGW with a Juniper SRX with IDP, across a network of Juniper EX switches.]

SRX SERIES INTEGRATION

Firewall zones integration (zone synchronization between the SRX Series and vGW).

Benefits:
- Guarantee the integrity of zones on the hypervisor
- Automate and verify that there is no "policy violation" of VMs
- Empower the SRX Series with VM awareness

SRX AND VGW – MICRO-SEGMENTATION

Scenario: the blue VMs belong to customer "A", in zone 1 = VLAN 221. [Diagram: two hosts, ESX-1 and ESX-2, each running vGW, connected through data center switching to an SRX5800.]

1. Create an SRX zone "A" for customer "A" with VLAN 221
2. Tell vGW about the SRX and customer "A"
3. Create an SRX zone policy: source ANY, destination zone "A", action REJECT
4. Refine "Smart Groups" with customer "A" VM information
5. Create a vGW policy to segment within customer "A"'s VMs

IDP INTEGRATION

Send virtual network traffic to a physical Juniper IDP for analysis. Compatible with standalone or SRX-integrated IDP (11.2r1).

Benefits:
- Choice between using the integrated vGW IDS or a Juniper physical IDP
- A combination of devices can be used to optimize performance (rule-based flow direction)
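The SRX integration slides promise to "automate and verify no policy violation of VMs", and the vSwitch slide warns that admins can plug a vNIC into any network by accident. The check below is an added illustration, not vGW or Junos code: it keys VMs on their vCenter UUID (so a clone is judged separately from its original), maps VLANs to the SRX zones that zone synchronization would publish (customer "A" = VLAN 221, as on the micro-segmentation slide), and reports every vNIC sitting outside its customer's zone. The inventory, zone table and field names are all constructed assumptions.

```python
# Added example (not vGW or Junos code): a zone-integrity check of the kind the
# deck describes. Inventory records and field names below are constructed.
from dataclasses import dataclass, field


@dataclass
class VNic:
    label: str
    vlan: int          # VLAN ID of the port group the vNIC is attached to


@dataclass
class VM:
    uuid: str          # vCenter UUID: the identity policy is keyed on
    name: str          # display name; clones may share it, so never key on it
    customer: str      # attribute used to build the customer "smart group"
    vnics: list = field(default_factory=list)


# SRX zone -> VLANs, as zone synchronization would publish it (constructed).
ZONE_VLANS = {"A": {221}, "B": {222}}


def zone_violations(vms, zone_vlans):
    """Return (uuid, name, vnic label, vlan) for every vNIC that sits in a
    VLAN not belonging to the zone of the VM's customer. A VLAN that maps to
    no zone at all is also a violation: the VM is reachable outside policy."""
    vlan_to_zone = {v: z for z, vlans in zone_vlans.items() for v in vlans}
    out = []
    for vm in vms:
        for nic in vm.vnics:
            if vlan_to_zone.get(nic.vlan) != vm.customer:
                out.append((vm.uuid, vm.name, nic.label, nic.vlan))
    return out


# Constructed inventory: web-01 and its clone share a name but not a UUID; the
# clone's second vNIC was accidentally attached to customer B's VLAN.
INVENTORY = [
    VM("4201-aaaa", "web-01", "A", [VNic("eth0", 221)]),
    VM("4201-bbbb", "web-01", "A", [VNic("eth0", 221), VNic("eth1", 222)]),
    VM("4201-cccc", "db-01", "B", [VNic("eth0", 222)]),
    VM("4201-dddd", "mgmt-01", "A", [VNic("eth0", 999)]),   # VLAN in no zone
]

if __name__ == "__main__":
    for hit in zone_violations(INVENTORY, ZONE_VLANS):
        print("zone violation (candidate for quarantine):", hit)
```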
SUMMARY

[Diagram: a management and security services layer (security design; STRM Security Threat Response Manager) above a control and services layer split into virtual and physical. Virtual: VMs on the hypervisor protected by the vGW Series (vGW Virtual Gateway). Physical: the SRX Series. Services: firewall, IPS, DoS protection, AppSecure.]