CONNECTED VIRTUALISATION
WESTCON 5-DAAGSE / SALES, 13 FEBRUARY 2012
Dennis de Leest
Security Systems Engineer
Copyright © 2011 Juniper Networks, Inc. www.juniper.net
VIRTUALIZATION CHALLENGES
MEGA TREND – SERVER VIRTUALIZATION
[Chart: physical server installed base versus logical server installed base, in millions of installed servers, 1996 to 2013, with the widening gap labelled “Capital Savings”. Source: IDC]
SECURITY IMPLICATION OF VIRTUALIZATION
[Diagram: a physical network, where the firewall/IDS sees and protects all traffic between servers, next to a virtual network, where VM1, VM2 and VM3 on an ESX/ESXi host talk to each other through the hypervisor’s virtual switch]
Physical security is “blind” to traffic between virtual machines.
THE ISOLATION CHALLENGE IN THE VSWITCH
VM isolation challenge:
vSwitches provide only basic connectivity
VMs plugged into the same vSwitch have direct access to each other via the hypervisor
Port groups that are assigned VLAN IDs need a layer 3 device for routing
Distributed vSwitches don’t realistically address security
VM admins can assign vNICs to any network (even accidentally)
APPROACHES TO SECURING VIRTUAL NETWORKS
[Diagram: three ESX/ESXi hosts, each running VM1, VM2 and VM3 over a hypervisor and vSwitch, one per approach]
The three approaches shown:
Traditional security agents: a regular thick agent in each VM for FW and AV
VLANs and physical segmentation
Purpose-built virtual security: a virtual security layer on the host
THE GOAL IS SECURE CLOUD COMPUTING
[Diagram: six ESX/ESXi hosts (ESX 1, ESXi 2, remote ESX 3, ESXi 4, hosted ESX 5, ESXi 6), each with its own virtual security layer, spread across public, private and hybrid clouds]
Public, private, and hybrid clouds require dynamic and highly integrated security mechanisms to keep information safe!
SOLUTION OVERVIEW
THE vGW PURPOSE-BUILT APPROACH
Service provider and enterprise grade:
Three-tiered model
VMware certified (signed binaries!)
Protects each VM and the hypervisor
Fault-tolerant architecture (i.e., HA)
Virtualization-aware:
“Secure VMotion” scales to 1,000+ hosts
“Auto Secure” detects/protects new VMs
Granular, tiered defense:
Stateful firewall, integrated IDS, and AV
Flexible policy enforcement – zone, VM group, VM, individual vNIC
THE vGW ENGINE
[Diagram: on an ESX or ESXi host, VM1, VM2 and VM3 attach to any vSwitch (standard, DVS, or 3rd party); the vGW engine runs in the VMware kernel beneath the hypervisor, receives packet data, and talks to the Virtual Center VM through the VMware APIs and to a partner server (IDS, SIM, syslog, NetFlow); callouts 1, 2 and 3 mark the security design for vGW]
TIGHT INTEGRATION WITH VCENTER
No manual synchronization: the complete VM inventory is pulled from vCenter, and security synchs with changes to the virtual infrastructure
VMs identified by their vCenter UUID: no need to trust weak associations; differentiate between a VM and its clones; maintain correct policy and monitoring throughout change
Validate infrastructure configuration: prevent “backdoor channels”; ensure configuration integrity
Automate deployment: deploy firewalls programmatically; simplify HA setup by cloning management VMs
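The slide’s point about identifying VMs by vCenter UUID rather than a weak association, as an added example (not vGW code; the VM records, UUIDs and policy names are constructed for the demo): the same policy table is keyed once by UUID and once by IP address, and a vMotion, a re-addressing and a clone are run through both.

```python
"""Constructed demo of binding policy to a vCenter UUID versus a weak key
(the VM's IP address). Not vGW code; records, UUIDs and policy names are made up."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class VM:
    uuid: str   # vCenter instance UUID: kept across vMotion, new on a clone
    name: str
    host: str
    ip: str

# Policy an "Auto Secure" style step would apply to a VM it has not classified yet
DEFAULT_POLICY = "auto-secure-default"

def lookup(bindings: dict, key: str) -> str:
    """Return the policy bound to key, or the default for an unknown key."""
    return bindings.get(key, DEFAULT_POLICY)

def policy_by_uuid(bindings: dict, vm: VM) -> str:
    return lookup(bindings, vm.uuid)

def policy_by_ip(bindings: dict, vm: VM) -> str:
    return lookup(bindings, vm.ip)

# Constructed inventory: one database VM bound to a strict policy both ways
DB01 = VM(uuid="uuid-db01-constructed", name="db-01", host="esx-1", ip="10.0.1.10")
BY_UUID = {DB01.uuid: "db-tier-strict"}
BY_IP = {DB01.ip: "db-tier-strict"}

def after_vmotion(vm: VM) -> VM:
    """vMotion: same VM on a new host; UUID and IP unchanged."""
    return replace(vm, host="esx-2")

def after_reip(vm: VM) -> VM:
    """Re-addressing: same VM, new IP; UUID unchanged."""
    return replace(vm, ip="10.0.1.11")

def after_clone(vm: VM) -> VM:
    """Clone: new UUID, but the copied guest boots with the same static IP."""
    return replace(vm, uuid="uuid-db01-clone-constructed", name="db-01-clone")

def compare(vm: VM) -> tuple:
    """(policy chosen by UUID binding, policy chosen by IP binding)."""
    return policy_by_uuid(BY_UUID, vm), policy_by_ip(BY_IP, vm)

if __name__ == "__main__":
    for label, vm in [("original", DB01), ("vmotion", after_vmotion(DB01)),
                      ("re-ip", after_reip(DB01)), ("clone", after_clone(DB01))]:
        print(f"{label:9} uuid-bound={compare(vm)[0]:22} ip-bound={compare(vm)[1]}")
```

With the IP key the re-addressed VM silently loses its strict policy and the clone silently inherits it; with the UUID key the original keeps its policy through both moves and the clone is treated as a new, unclassified VM.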
KEY FEATURES AND BENEFITS
VGW MODULES
Main: dashboard view of the virtual system threats (including VM quarantine view)
Network: visibility of inter-VM traffic flows
Firewall: firewall policy management and logs
IDS: centralized view of IDS alerts and ability to drill down on attacks
AntiVirus: full AV protection for VMs
Introspection: centralized VM view (includes OS, apps, hot fixes, etc.)
Compliance: out-of-box and custom rules engine alerts on VM/host config changes
Reports: automated reports for all functional modules
VGW – NETWORK VISIBILITY
Left-hand tree selection navigates the right-hand pane
Connections tab shows open traffic flows
Custom time interval for troubleshooting
All VM traffic flows are stored in a database and available for analysis
Benefits: visibility into all VM communications; ability to spot design issues with security policies; single click to more detail on VMs
VGW – FIREWALL
Complete firewall protection for any network traffic to or from a VM
Benefits: extremely flexible protection down to the vNIC; ability to automatically assign policies to VMs; ability to quarantine VMs for immediate isolation; kernel implementation isolates the connection table and rule base
New: define a quarantine policy for use on AV, Compliance or Image Enforcer violations
POLICY MODEL DETAILS
New: individual vNIC policy allows administrators to set different policies on vNICs connected to different vSwitches, or even to the same vSwitch!
Configuration: enable the per-vNIC option in Settings -> Install Settings, then configure the policy via the rule editor for each vNIC
Implement the security granularity you require! (Global, Group, Individual VM, or even individual vNIC)
vNICs show up for VMs
VGW – IDS
Send selectable traffic flows to internal IDS engine for deep-packet analysis against dynamic signature set.
Security rule filters what is IDS inspected
Review IDS Alerts by Targets and Sources
Change “Time Interval” to expand time slot or set “Custom Time Period” to review historical data
Click on Alert Type to get further details about the Signature that triggered the Alert
VGW – ANTIVIRUS (NEW)
AntiVirus components controlled centrally (scanner config, alert viewing, infected file remediation)
AV dashboard for quick status understanding
File quarantine
On-demand and on-access scan configurations
VGW – INTROSPECTION
Introspection is the agent-less ability to scan a VM’s virtual disk contents to understand what’s installed – OS, SP, applications, registry values
Benefits:
Know exactly what’s installed in a VM and automatically attach the relevant security policy!
Categorize discovered values and easily determine install states (Application and VM views)
Use Image Enforcer to define a “gold” image (template or VM), then discover how VMs deviate from it across time
Works for Windows and Linux
VGW – COMPLIANCE
The compliance module includes pre-defined rules based on virtual security best practices and an engine so customers can define their own rules.
Benefits:
Define rules on any VM or VM group (alerts and reports for compliance rule violations)
Automatically quarantine VMs into an isolated network if they violate a rule
Rules relevant to both VM and host configuration
Enhanced rule editor for intuitive manipulation of attributes
Classifications of checks (VMware best practices, etc.)
Easily see rule violations
VGW – REPORTS
Pre-defined and customizable reports covering all solution modules
Benefits: generate reports in PDF or CSV formats; automatically send scheduled reports via email or store them directly in the vGW management center; scoping mechanism isolates contents (Customer/Dept A’s VMs never show up in Customer/Dept B’s report)
AntiVirus reports
Reports on Image Enforcer profiles
ARCHITECTURE AND SCALABILITY
INTEGRATED WITH JUNIPER DATA CENTER SECURITY
[Diagram: VM1, VM2 and VM3 on VMware vSphere protected by (Altor) vGW; the physical network consists of a Juniper EX switch and a Juniper SRX with IDP; central policy management pushes policies to vGW; zone synchronization and traffic mirroring to the IPS connect vGW with the SRX; vGW sends firewall event syslogs and NetFlow for inter-VM traffic to STRM]
SRX SERIES INTEGRATION
Firewall zones integration (zone synchronization between SRX Series and vGW)
Benefits: guarantee integrity of zones on the hypervisor; automate and verify that VMs commit no “policy violation”; empower SRX Series with VM awareness
SRX AND VGW – MICRO-SEGMENTATION
[Diagram: data center switching with an SRX5800 in front of two hosts, ESX-1 and ESX-2, each running vGW; the blue VMs belong to customer “A” in zone 1 = VLAN 221]
1. Create an SRX zone “A” for customer “A” with VLAN 221
2. Create an SRX zone policy: SRC any, DST zone “A”, ACTION reject
3. Tell vGW about the SRX and customer “A”
4. Refine “smart groups” with customer “A” VM information
5. Create a vGW policy to segment within customer “A” VMs
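The two-tier model behind these five steps, as an added example (not Juniper code; the VM names, smart groups, rules and the zone-to-VLAN map are constructed for the demo): the SRX zone policy decides flows that cross a zone, while flows between two VMs on the same VLAN never reach the SRX and are decided only by the vGW smart-group policy.

```python
"""Constructed model of the two-tier micro-segmentation on this slide: an SRX zone
policy between zones plus a vGW policy inside one zone. Not Juniper code; VM names,
smart groups and rules are made up for the demo."""
from dataclasses import dataclass

@dataclass(frozen=True)
class VM:
    name: str
    vlan: int
    customer: str
    role: str            # VM attribute a vGW "smart group" is built from

ZONE_BY_VLAN = {221: "A", 222: "B"}     # step 1: zone "A" is VLAN 221
SRX_POLICY = [("any", "A", "reject")]   # step 2: (src_zone, dst_zone, action), first match wins
# Steps 4 and 5: intra-zone vGW rules for customer "A" by smart group:
# (src_group, dst_group, proto, port, action); the last rule is the default
VGW_POLICY = [
    ("cust-A-web", "cust-A-db", "tcp", 3306, "allow"),
    ("any", "any", "any", None, "deny"),
]

def smart_group(vm: VM) -> str:
    return f"cust-{vm.customer}-{vm.role}"

def srx_decision(src_zone: str, dst_zone: str) -> str:
    for s, d, action in SRX_POLICY:
        if s in ("any", src_zone) and d in ("any", dst_zone):
            return action
    return "allow"       # constructed default for zone pairs without a rule

def vgw_decision(src: VM, dst: VM, proto: str, port: int) -> str:
    sg, dg = smart_group(src), smart_group(dst)
    for s, d, p, prt, action in VGW_POLICY:
        if s in ("any", sg) and d in ("any", dg) and p in ("any", proto) and prt in (None, port):
            return action
    return "deny"

def evaluate(src: VM, dst: VM, proto: str, port: int) -> tuple:
    """(enforcement point, action): the SRX only sees flows that cross a VLAN/zone;
    a flow between two VMs on the same VLAN is decided by vGW alone."""
    sz, dz = ZONE_BY_VLAN.get(src.vlan, "untrust"), ZONE_BY_VLAN.get(dst.vlan, "untrust")
    if sz != dz:
        return "srx", srx_decision(sz, dz)
    return "vgw", vgw_decision(src, dst, proto, port)

# Constructed VMs: two customer "A" VMs on VLAN 221, a customer "B" VM, an external client
WEB_A = VM("web-a1", 221, "A", "web")
DB_A = VM("db-a1", 221, "A", "db")
WEB_B = VM("web-b1", 222, "B", "web")
EXTERNAL = VM("client", 0, "ext", "client")
```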
IDP INTEGRATION
Send virtual network traffic to a physical Juniper IDP for analysis. Compatible with a standalone IDP or an SRX-integrated IDP (11.2r1).
Benefits: choice between using the integrated vGW IDS or a physical Juniper IDP; a combination of devices can be used to optimize performance (rule-based flow direction)
SUMMARY
[Diagram: the Juniper virtual control stack. Physical layer: SRX Series with services firewall, IPS, DoS protection and AppSecure. Hypervisor layer: vGW Series virtual gateway. VM layer: the VMs. Management and security services: Security Design and Security Threat Response Manager (STRM)]