Juniper and VMware: Taking Data Centre Networks to the Next Level
DESCRIPTION
Kevin Piper's presentation from VForum Sydney on vGW architecture, functional modules, automation and customer examples.
TRANSCRIPT
Juniper and VMware: Taking Data Centre Networks to the Next Level
Kevin Piper, Senior Product Line Manager for Virtual Security
Juniper Networks
2
AGENDA
1. Virtualization Market & Challenges
2. vGW Architecture Overview
3. vGW Functional Modules
4. Automation and Customer Examples
5. Virtual and Physical
3
MARKET SUMMARY & CHALLENGES
4
Market Dynamics
Cloud Computing Services, Virtualization Top CIO 2011 Priorities
– Gartner, CIO Survey, January 2011
91% of respondents told Forrester that they are using virtual servers for production workloads. That’s up dramatically from 78% in 2010
– Forrester, Storage Choices for Virtual Server Environments, March 2011
The top 3 drivers for deploying new security solutions for virtualized environments are preventing new threats specific to virtual environments, preventing inter-VM threats, and maintaining secure server configurations
– Infonetics, Security for Virtualized Infrastructure, April 2011
Virtualization 2.0 includes a host of new use cases that range from high availability and DR to hosted clients and true utility computing
– IDC, Worldwide Virtual Machine Software Forecast, August 2011
“Data sprawl” was rated as a top security issue by the IT professionals surveyed on their opinions about server virtualization
– Kuppinger Cole, Virtualization Security Trends & Insights Surveys, November 2010
5
Security implication of virtualization
[Diagram: Physical Network vs. Virtual Network]
Physical Network: a firewall/IDS between servers sees and protects all traffic between them.
Virtual Network: VM1, VM2 and VM3 on one ESX/ESXi host talk to each other through the hypervisor's virtual switch, so physical security is “blind” to traffic between virtual machines.
6
THE ISOLATION CHALLENGE IN THE VSWITCH
VM Isolation Challenge
• vSwitches provide only basic connectivity
• VMs plugged into the same vSwitch have direct access via the hypervisor
• Port groups that are assigned VLAN IDs need a layer 3 device for routing
• Distributed vSwitches don’t realistically address security
• VM admins can assign vNICs to any network (even accidentally)
7
APPROACHES TO SECURING VIRTUAL NETWORKS
[Diagram: three ESX/ESXi hosts, each with VM1, VM2, VM3 attached to a vSwitch over the hypervisor]
1. Traditional Security Agents: a regular thick agent for FW & AV inside each VM
2. VLANs & Physical Segmentation
3. Integrated Virtual Security: a virtual security layer inside the host, between the VMs and the vSwitch
8
VGW ARCHITECTURE OVERVIEW
9
INDUSTRY RECOGNITION OF VGW
Distinction
• 1st purpose-built virtual firewall
• Widely recognized innovation leader
Most Innovative Company RSA® Conference 2010
10
THE VGW PURPOSE-BUILT APPROACH
Service Provider & Enterprise Grade
• Three Tiered Model
• VMware Certified (signed binaries!)
• Protects each VM and the hypervisor
• Fault-tolerant architecture (i.e., HA)
Virtualization-aware
• “Secure VMotion” scales to 1,000+ hosts
• “Auto Secure” detects/protects new VMs
Granular, Tiered Defense
• Stateful firewall, integrated IDS, and AV
• Flexible Policy Enforcement – zone, VM group, VM, individual vNIC
THE vGW ENGINE
[Diagram: the vGW engine runs in the VMware kernel of an ESX or ESXi host, between VM1, VM2, VM3 and any vSwitch (Standard, DVS, 3rd Party) over the hypervisor. Labelled elements: Security Design for vGW VM; Virtual Center VM; VMware APIs; Packet Data to a Partner Server (IDS, SIM, Syslog, Netflow)]
11
vGW SECURITY DESIGN VM ARCHITECTURE
[Diagram: components of the vGW Security Design (management) VM]
• Management interfaces: Web UI, XML-RPC Connector, VMware VI-API Connector (to vCenter Server), Engine Management Connector (to the vGW Security VM), Firewall Install, VM Inventory & Status, Admin/User access
• Processing: Policy Processor, VM Ownership Processor, Flow Statistics Engine, Reporting Engine, Alerting Engine (SMTP, SNMP), Caching & DB Optimization Engine
• Data stores: Policy DB, Netflow & Firewall Log DB
• External connectors: Netflow Connector (Netflow Collector), Syslog Connector (SEIM/Syslog Collector), Time Server (NTP), Provisioning server, Certificate Authority
• Underlying switch: VMware vSwitch or Cisco 1000V
12
vGW SVM AND KERNEL ARCHITECTURE
[Diagram: one ESX/ESX(i) host]
• vGW Security VM: Management Connector, Policy Engine (XML), AV & IDS Signatures, Netflow Connector, Syslog Connector, Control Connector, Span Connector, Log Distribution
• ESX/ESX(i) Kernel: vGW VMsafe FastPath with its Control Connector; one VM-Firewall Engine per VM, each with its own Connection Table; Packet Ingress and Packet Egress hooked through VMware DvFilter
• Virtual Switch: VMware vSwitch, VMware dvSwitch, or 3rd Party
• External destinations: Netflow Collector, SEIM/Syslog Collector, IDS/IPS Server, Wireshark Endpoint
13
VGW - PERFORMANCE
TCP Throughput Test (Standard 1500 Byte packet size). See slide notes for details
14
VGW – MANAGEMENT SCALABILITY & FLEXIBILITY
• Multi-Center allows linking of configuration information for multiple Security Design vGW VMs (‘linked-mode’): complete isolation of data centers; select which objects you want to sync with delegate centers
• Split-Center allows you to divide one vCenter into separate logical entities for different Security Design vGW VMs.
15
VGW FUNCTIONAL MODULES
16
vGW MODULES
• Main: dashboard view of the virtual system threats (including VM quarantine view)
• Network: visibility of inter-VM traffic flows
• Firewall: firewall policy management and logs
• IDS: centralized view of IDS alerts and ability to drill-down on attacks
• AntiVirus: full AV protection for VMs
• Introspection: centralized VM view (includes OS, apps, hot fixes, etc.)
• Compliance: out-of-box and custom rules engine alerts on VM/host config changes
• Reports: automated reports for all functional modules
17
VGW – NETWORK VISIBILITY
All VM traffic flows stored in database and available for analysis
[Screenshot callouts: left-hand tree selection navigates right-hand pane; Connections tab shows open traffic flow; custom time interval for troubleshooting]
Benefits:
• Visibility to all VM communications
• Ability to spot design issues with security policies
• Single click to more detail on VMs
18
VGW – FIREWALL
Complete firewall protection for any network traffic to or from a VM
Benefits:
• Extremely flexible protection down to the vNIC
• Ability to automatically assign policies to VMs
• Ability to quarantine VMs for immediate isolation
• Kernel implementation isolates connection table and rule base
[Screenshot callout: define a quarantine policy for use on AV, Compliance or Image Enforcer violations]
19
VGW – IDS
Send selectable traffic flows to internal IDS engine for deep-packet analysis against dynamic signature set.
[Screenshot callouts: security rule filters what is IDS inspected; review IDS alerts by targets and sources; change “Time Interval” to expand time slot or set “Custom Time Period” to review historical data; click on Alert Type to get further details about the signature that triggered the alert]
20
VGW – ANTIVIRUS
AntiVirus components controlled centrally (scanner config, alert viewing, infected file remediation)
[Screenshot callouts: AV Dashboard for quick status understanding; File Quarantine; On-Demand and On-Access Scan configurations]
21
VGW ANTIVIRUS PERFORMANCE
[Charts: % Performance Degradation (30 VMs – MS Office On-Access Execution Time); VM Memory Usage (MB); VM Disk Usage (MB)]
On-Demand File Scans run at ~5MB/second!!
22
VGW – INTROSPECTION
Introspection is the agent-less ability to scan a VM’s virtual disk contents to understand what’s installed – OS, SP, Applications, Registry Values
Benefits:
• Know exactly what’s installed in a VM and automatically attach relevant security policy!
• Categorize discovered values and easily determine install states (Application and VM views)
• Use Image Enforcer to define a “gold” image (template or VM) then discover how VMs deviate from this across time
• Works for Windows and Linux
23
VGW – COMPLIANCE
The compliance module includes pre-defined rules based on virtual security best practices and an engine so customers can define their own rules.
Benefits:
• Define rules on any VM or VM group (alerts and reports for compliance rule violations)
• Automatically quarantine VMs into an isolated network if they violate a rule
• Rules relevant to both VM and host configuration
• Enhanced rule editor for intuitive manipulation of attributes
[Screenshot callouts: classifications of checks (VMware best practices, etc.); easily see rule violations]
24
VGW – REPORTS
Pre-defined and customizable reports covering all solution modules
Benefits:
• Generate reports in PDF or CSV formats
• Automatically send scheduled reports via email or store directly in vGW management center
• Scoping mechanism isolates contents (Customer/Dept A’s VMs never show up in Customer/Dept B’s report)
[Screenshot callouts: AntiVirus Reports; Report on Image Enforcer profiles]
25
AUTOMATION AND CUSTOMER EXAMPLES
26
AUTOMATION - SMART GROUPS
Smart Groups allow for the use of attributes to create dynamic system associations.
Benefits:
• Tie vGW product discoveries to Smart Group definitions.
• Tie vCenter and VM config attributes to Smart Group definitions
• Attributes are read real time so if a VM changes in vCenter, it’s instantly updated in vGW
[Screenshot callouts: priority and precedence level can be defined to tier Groups easily; Smart Groups help capability allows administrator to see name, description and values of attributes]
27
XEROX IMPLEMENTATION
Customer Goals
• Develop a multi-tenant virtualized data hosting cloud on VMware
• Ability to secure each guest VM in a mixed workload environment
• Utilize custom portal for customers (long term)
Resolved firewall complexity and increased network visibility
Why Juniper?
vGW was selected because of the tight integration with vCenter, ability to dynamically apply policy to new VMs (Smart Groups) and robust firewall feature set.
vGW enables complete control and compliance in the cloud
28
AUTOMATION - VGW CLOUD SECURITY SDK
Policy Automation of security policy controls
• Security integration into VM provisioning process
• Policy delegation to group admins or end-users
• Multi-Tenant Policy Management
XML-RPC based API
• Programmatically control VM policy configuration
• APIs for all functions done within UI
SDK Contains
• XML-RPC API Documentation
• Python scripts implementing APIs
• Web portal application – PoC user delegated policy controls
Cloud SDK Download Location: https://www.juniper.net/support/products/vgw/#sw
29
HOSTING.COM IMPLEMENTATION (POWERED BY VGW)
30
VIRTUAL AND PHYSICAL INTEGRATION
31
INTEGRATED WITH JUNIPER DATA CENTER SECURITY
[Diagram: VM1, VM2, VM3 protected by Altor vGW on VMware vSphere, connected over the network to Juniper IDP and Juniper SRX. vGW sends Firewall Event Syslogs and Netflow for Inter-VM Traffic to STRM; Central Policy Management plus Zone Synchronization & Traffic Mirroring link vGW with the SRX and IDP]
32
SRX AND VGW – MICRO-SEGMENTATION
[Diagram: Data Center Switching with an SRX5800 in front of two hosts, ESX-1 and ESX-2, each running vGW; blue VMs belong to customer “A” in zone 1 = VLAN 221]
1. Create a SRX zone “A” for customer “A” with VLAN 221
2. Create a SRX zone policy: SRC ANY, DST zone “A”, ACTION REJECT
3. Tell vGW about SRX and customer “A”
4. Refine “Smart Groups” with customer “A” VM information
5. Create vGW policy to segment within customer “A” VMs
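As an added illustration of the Smart Groups slide and of the five-step micro-segmentation above (this is not Juniper's code, and it does not model vGW's real Smart Group syntax or the SRX/vGW APIs), the following Python sketch computes Smart Group membership from live VM attributes, with precedence deciding between overlapping groups, and then layers the SRX zone policy (ANY to zone “A”: REJECT) under a vGW per-VM policy that segments within customer “A”. The VM inventory, group predicates and rules are constructed.

```python
# Constructed VM inventory, as vCenter attributes plus vGW discoveries would expose it.
VMS = {
    "web-a1": {"customer": "A", "vlan": 221, "role": "web"},
    "db-a1":  {"customer": "A", "vlan": 221, "role": "db"},
    "web-b1": {"customer": "B", "vlan": 222, "role": "web"},
}

# Smart Groups as (name, precedence, predicate). Lower precedence wins on overlap,
# so the customer-A DB tier group outranks the broad customer-A group.
SMART_GROUPS = [
    ("cust-a",    20, lambda vm: vm["customer"] == "A" and vm["vlan"] == 221),
    ("cust-a-db", 10, lambda vm: vm["customer"] == "A" and vm["role"] == "db"),
    ("cust-b",    20, lambda vm: vm["customer"] == "B"),
]

def smart_groups_for(vm):
    """Evaluate every predicate against the VM's current attributes; membership
    is computed at call time, so an attribute change re-tiers the VM at once."""
    hits = sorted((prec, name) for name, prec, pred in SMART_GROUPS if pred(vm))
    return [name for _, name in hits]

# Tier 1: SRX zone policy. Zone "A" carries VLAN 221; "ANY -> zone A: REJECT"
# means traffic entering the zone from another zone is dropped at the SRX.
SRX_ZONES = {221: "A", 222: "B"}
def srx_allows(src, dst):
    """Only traffic that stays inside one zone passes the SRX zone policy."""
    return SRX_ZONES[src["vlan"]] == SRX_ZONES[dst["vlan"]]

# Tier 2: vGW per-VM policy keyed on the destination's highest-precedence group:
# {group: {source role: allowed destination ports}}. Anything unlisted is denied.
VGW_POLICY = {
    "cust-a-db": {"web": {3306}},                 # web tier -> DB on 3306 only
    "cust-a":    {"web": {80, 443}, "db": {80, 443}},
    "cust-b":    {"web": {80, 443}},
}

def vgw_allows(src, dst, port):
    """Segment within the zone: apply the destination's most specific group rule."""
    groups = smart_groups_for(dst)
    if not groups:
        return False                               # no Smart Group matched: default deny
    return port in VGW_POLICY.get(groups[0], {}).get(src["role"], set())

def permitted(src, dst, port):
    """A flow must clear the SRX zone policy and then the vGW per-VM policy."""
    return srx_allows(src, dst) and vgw_allows(src, dst, port)
```

Re-tagging a VM (for example changing its customer and VLAN attributes) and calling `permitted` again shows the group membership and the effective policy following the attributes without any rule edit.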
33
CONCLUSION
vGW enables virtualization and clouds
• Purpose-built approach maximizes throughput, capacity and scale
• Industry benchmark for administrative ease and scale
• Innovation makes enforcement granular and dynamic
• Complete suite of security and visibility tools for virtual environments
vGW as part of Juniper data center security
• Comprehensive protection for all workloads
• Extended security through several points of integration