vGW Series 5.0 Technical overview

CONNECTED VIRTUALISATION
WESTCON 5-DAAGSE / SALES
13 FEBRUARY 2012
Dennis de Leest
Security Systems Engineer
VIRTUALIZATION CHALLENGES
Copyright © 2011 Juniper Networks, Inc.
www.juniper.net
MEGA TREND – SERVER VIRTUALIZATION
[Chart: installed servers in millions, 1996–2013, comparing the physical server installed base with the logical server installed base; the widening gap between the two curves is labelled "Capital Savings". Source: IDC]
SECURITY IMPLICATION OF VIRTUALIZATION
[Diagram: a physical network with a firewall/IDS in the path, next to the virtual network inside an ESX/ESXi host, where VM1, VM2 and VM3 connect to a virtual switch above the hypervisor]
On the physical network the firewall/IDS sees and protects all traffic between servers. Physical security is "blind" to traffic between virtual machines.
THE ISOLATION CHALLENGE IN THE VSWITCH
VM Isolation Challenge
- vSwitches provide only basic connectivity
- VMs plugged into the same vSwitch have direct access to each other via the hypervisor
- Port groups that are assigned VLAN IDs need a layer 3 device for routing
- Distributed vSwitches don't realistically address security
- VM admins can assign vNICs to any network (even accidentally)
APPROACHES TO SECURING VIRTUAL NETWORKS
[Diagram: three ESX/ESXi hosts, each running VM1–VM3 on a hypervisor, one per approach]
1. VLANs and physical segmentation
2. Traditional security agents: a regular thick agent for firewall and AV inside each VM
3. Purpose-built virtual security: a virtual security layer (VS) between the VMs and the hypervisor
THE GOAL IS SECURE CLOUD COMPUTING
[Diagram: six hosts (ESX 1, ESXi 2, Remote ESX 3, ESXi 4, Hosted ESX 5, ESXi 6) spanning public, private and hybrid clouds, each with its own virtual security layer]
Public, private, and hybrid clouds require dynamic and highly integrated security mechanisms to keep information safe!
SOLUTION OVERVIEW
THE VGW PURPOSE-BUILT APPROACH
Service Provider & Enterprise Grade
- Three-tiered model
- VMware Certified (signed binaries!)
- Protects each VM and the hypervisor
- Fault-tolerant architecture (i.e., HA)
- "Secure VMotion" scales to 1,000+ hosts
- "Auto Secure" detects/protects new VMs
Granular, Tiered Defense
- Stateful firewall, integrated IDS, and AV
- Flexible policy enforcement – zone, VM group, VM, individual vNIC
- Virtualization-aware
[Diagram: security design for vGW. (1) Virtual Center holds the VM inventory; (2) on each ESX or ESXi host, VM1–VM3 sit on any vSwitch (standard, DVS, 3rd party) while the vGW engine runs in the VMware kernel through the VMware APIs; (3) packet data is exported to a partner server (IDS, SIM, syslog, NetFlow)]
TIGHT INTEGRATION WITH VCENTER
No manual synchronization
- Complete VM inventory pulled from vCenter
- Security syncs with changes to the virtual infrastructure
VMs identified by their vCenter UUID
- No need to trust weak associations
- Differentiate between a VM and its clones
- Maintain correct policy and monitoring throughout change
Validate infrastructure configuration
- Prevent "backdoor channels"
- Ensure configuration integrity
Automate deployment
- Deploy firewalls programmatically
- Simplify HA setup by cloning management VMs
KEY FEATURES AND BENEFITS
VGW MODULES
- Main: dashboard view of the virtual system threats (including VM quarantine view)
- Firewall: firewall policy management and logs
- AntiVirus: full AV protection for VMs
- Compliance: out-of-box and custom rules engine; alerts on VM/host config changes
- Network: visibility of inter-VM traffic flows
- IDS: centralized view of IDS alerts and ability to drill down on attacks
- Introspection: centralized VM view (includes OS, apps, hot fixes, etc.)
- Reports: automated reports for all functional modules
VGW – NETWORK VISIBILITY
All VM traffic flows are stored in a database and available for analysis.
Benefits:
- Visibility into all VM communications
- Ability to spot design issues with security policies
- Single click to more detail on VMs
[Screenshot callouts: the Connections tab shows open traffic flows; a custom time interval can be set for troubleshooting; left-hand tree selection navigates the right-hand pane]
VGW – FIREWALL
Complete firewall protection for any network traffic to or from a VM.
Benefits:
- Extremely flexible protection down to the vNIC
- NEW! Ability to automatically assign policies to VMs
- Ability to quarantine VMs for immediate isolation
- Kernel implementation isolates the connection table and rule base
[Screenshot callout: NEW! Define a quarantine policy for use on AV, Compliance or Image Enforcer violations]
POLICY MODEL DETAILS
Individual vNIC policy allows administrators to set different policies on vNICs connected to different vSwitches or even the same vSwitch!
Configuration:
- Enable the per-vNIC option in Settings -> Install Settings
- Configure the policy via the rule editor for each vNIC
[Screenshot callout: NEW! vNICs show up for VMs]
Implement the security granularity you require! (Global, Group, Individual VM, or even individual vNIC)
VGW – IDS
Send selectable traffic flows to the internal IDS engine for deep-packet analysis against a dynamic signature set.
[Screenshot callouts: the security rule filters what is IDS-inspected; review IDS alerts by targets and sources; change "Time Interval" to expand the time slot, or set "Custom Time Period" to review historical data; click on the Alert Type for further details about the signature that triggered the alert]
VGW – ANTIVIRUS
NEW! AntiVirus components are controlled centrally (scanner config, alert viewing, infected file remediation).
[Screenshot callouts: on-demand and on-access scan configurations; AV dashboard for quick status understanding; file quarantine]
VGW – INTROSPECTION
Introspection is the agent-less ability to scan a VM's virtual disk contents to understand what's installed – OS, SP, applications, registry values (NEW!).
Benefits:
- Know exactly what's installed in a VM and automatically attach the relevant security policy!
- Categorize discovered values and easily determine install states (Application and VM views)
- Use Image Enforcer to define a "gold" image (template or VM), then discover how VMs deviate from it across time
- NEW! Works for Windows and Linux
VGW – COMPLIANCE (NEW!)
The compliance module includes pre-defined rules based on virtual security best practices and an engine so customers can define their own rules.
Benefits:
- Define rules on any VM or VM group (alerts and reports for compliance rule violations)
- NEW! Automatically quarantine VMs into an isolated network if they violate a rule
- NEW! Rules relevant to both VM and host configuration
- NEW! Enhanced rule editor for intuitive manipulation of attributes
[Screenshot callouts: classifications of checks (VMware best practices, etc.); easily see rule violations]
VGW – REPORTS
Pre-defined and customizable reports covering all of the solution's modules.
Benefits:
- Generate reports in PDF or CSV formats
- Automatically send scheduled reports via email or store them directly in the vGW management center
- Scoping mechanism isolates contents (Customer/Dept A's VMs never show up in Customer/Dept B's report)
[Screenshot callouts: NEW! AntiVirus reports; NEW! report on Image Enforcer profiles]
ARCHITECTURE AND SCALABILITY
INTEGRATED WITH JUNIPER DATA CENTER SECURITY
[Diagram: VM1–VM3 protected by vGW (labelled ALTOR vGW) on VMware vSphere, with central policy management of vGW policies. Integration points with the physical network: firewall event syslogs and NetFlow for inter-VM traffic sent to STRM; zone synchronization with the Juniper SRX with IDP; traffic mirroring to the IPS; a Juniper EX switch carries the network]
SRX SERIES INTEGRATION
Firewall zones integration (zone synchronization between SRX Series and vGW)
Benefits:
- Guarantee the integrity of zones on the hypervisor
- Automate and verify that VMs have no "policy violation"
- Empower the SRX Series with VM awareness
SRX AND VGW – MICRO-SEGMENTATION
[Diagram: hosts ESX-1 and ESX-2, each running vGW, connected through data center switching to an SRX5800; the blue VMs belong to customer "A" in zone 1 = VLAN 221]
1. Create an SRX zone "A" for customer "A" with VLAN 221
2. Create an SRX zone policy:
   SRC: ANY | DST: ZONE "A" | ACTION: REJECT
3. Tell vGW about the SRX and customer "A"
4. Refine "Smart Groups" with customer "A" VM information
5. Create a vGW policy to segment within customer "A" VMs
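Steps 1 and 2 of the micro-segmentation procedure on the SRX side, written out as an added Junos set-style configuration example (not taken from the deck or from Juniper documentation). Only VLAN 221, zone "A" and the ANY -> zone "A" reject rule come from the slide; the interface ge-0/0/0, the address 192.0.2.1/24, the peer zone name "dc" and the policy name are assumptions.

```junos
# Added example; interface, address and peer zone "dc" are assumed, not from the slide.
# Step 1: carry customer A's VLAN 221 on a tagged subinterface and place it in zone "A"
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 221 vlan-id 221
set interfaces ge-0/0/0 unit 221 family inet address 192.0.2.1/24
set security zones security-zone A interfaces ge-0/0/0.221
# Step 2: the slide's zone policy row (SRC ANY / DST ZONE "A" / REJECT), evaluated for
# traffic entering zone "A" from the assumed data-center zone "dc"
set security policies from-zone dc to-zone A policy reject-into-A match source-address any
set security policies from-zone dc to-zone A policy reject-into-A match destination-address any
set security policies from-zone dc to-zone A policy reject-into-A match application any
set security policies from-zone dc to-zone A policy reject-into-A then reject
# After commit, confirm the policy and zone binding:
# show security policies from-zone dc to-zone A
# show security zones A
```

Steps 3 to 5 (registering the SRX and customer "A" in vGW, refining Smart Groups, and the intra-customer vGW policy) are performed in the vGW management interface and have no CLI form on the slide.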
IDP INTEGRATION
Send virtual network traffic to a physical Juniper IDP for analysis. Compatible with standalone IDP or SRX-integrated IDP (11.2r1).
Benefits:
- Choice between using the integrated vGW IDS or a physical Juniper IDP
- A combination of devices can be used to optimize performance (rule-based flow direction)
SUMMARY
[Diagram: management and security services. Security design and STRM (Security Threat Response Manager) span both layers. Virtual: the vGW Series virtual gateway on the hypervisor protects the VMs, providing firewall, IPS and DoS services. Physical: the SRX Series provides firewall, IPS, DoS protection and AppSecure]