CONNECTED VIRTUALISATION WESTCON 5-DAAGSE / SALES 13 FEBRUARY 2012 Dennis de Leest Security Systems Engineer


Page 1

CONNECTED VIRTUALISATION
WESTCON 5-DAAGSE / SALES, 13 FEBRUARY 2012

Dennis de Leest
Security Systems Engineer

Page 2

Copyright © 2011 Juniper Networks, Inc. www.juniper.net

VIRTUALIZATION CHALLENGES

Page 3

MEGA TREND – SERVER VIRTUALIZATION

[Chart, source IDC: Physical Server Installed Base versus Logical Server Installed Base, in millions of installed servers, 1996–2013 (y-axis 0–80); the gap between the two curves is labelled "Capital Savings".]

Page 4

SECURITY IMPLICATION OF VIRTUALIZATION

[Diagram, two panels.]
Physical Network: the firewall/IDS sees and protects all traffic between servers.
Virtual Network: VM1, VM2 and VM3 sit on an ESX/ESXi host, connected through a virtual switch on the hypervisor. Physical security is “blind” to traffic between virtual machines.

Page 5

THE ISOLATION CHALLENGE IN THE VSWITCH

VM Isolation Challenge
vSwitches provide only basic connectivity
VMs plugged into the same vSwitch have direct access via the hypervisor
Port groups that are assigned VLAN IDs need a layer 3 device for routing
Distributed vSwitches don’t realistically address security
VM admins can assign vNICs to any network (even accidentally)

Page 6

APPROACHES TO SECURING VIRTUAL NETWORKS

[Diagram: three approaches, numbered 1 to 3, each drawn as VM1, VM2 and VM3 on an ESX/ESXi host above the hypervisor.]

VLANs & Physical Segmentation
Traditional Security Agents (regular thick agent for FW & AV)
Purpose Built Virtual Security (Virtual Security Layer)

Page 7

THE GOAL IS SECURE CLOUD COMPUTING

[Diagram: six hosts (ESX 1, ESXi 2, Remote ESX 3, ESXi 4, Hosted ESX 5, ESXi 6), each with its own Virtual Security Layer, spread across public, private and hybrid clouds.]

Public, private, and hybrid clouds require dynamic and highly integrated security mechanisms to keep information safe!

Page 8

SOLUTION OVERVIEW

Page 9

THE VGW PURPOSE-BUILT APPROACH

Service Provider & Enterprise Grade
Three Tiered Model
VMware Certified (signed binaries!)
Protects each VM and the hypervisor
Fault-tolerant architecture (i.e., HA)

Virtualization-aware
“Secure VMotion” scales to 1,000+ hosts
“Auto Secure” detects/protects new VMs

Granular, Tiered Defense
Stateful firewall, integrated IDS, and AV
Flexible Policy Enforcement – zone, VM group, VM, individual vNIC

[Diagram: THE vGW ENGINE, numbered tiers 1–3. Components: Virtual Center VM; Security Design for vGW; Partner Server (IDS, SIM, Syslog, Netflow); Packet Data; VMware APIs; Any vSwitch (Standard, DVS, 3rd Party); VM1–VM3; hypervisor; VMware kernel; ESX or ESXi host.]

Page 10

TIGHT INTEGRATION WITH VCENTER

No manual synchronization
Complete VM inventory pulled from vCenter
Security synchs with changes to virtual infrastructure

VMs identified by their vCenter UUID
No need to trust weak associations
Differentiate between a VM and its clones
Maintain correct policy and monitoring throughout change

Validate infrastructure configuration
Prevent “backdoor channels”
Ensure configuration integrity

Automate deployment
Deploy firewalls programmatically
Simplify HA setup by cloning management VMs

Page 11

KEY FEATURES AND BENEFITS

Page 12

VGW MODULES

Main: Dashboard view of the virtual system threats (including VM quarantine view)
Network: Visibility of inter-VM traffic flows
Firewall: Firewall policy management and logs
IDS: Centralized view of IDS alerts and ability to drill down on attacks
AntiVirus: Full AV protection for VMs
Introspection: Centralized VM view (includes OS, apps, hot fixes, etc.)
Compliance: Out-of-box and custom rules engine alerts on VM/host config changes
Reports: Automated reports for all functional modules

Page 13

VGW – NETWORK VISIBILITY

Left-hand tree selection navigates right-hand pane
Connections tab shows open traffic flows
Custom time interval for troubleshooting
All VM traffic flows stored in database and available for analysis

Benefits:
Visibility to all VM communications
Ability to spot design issues with security policies
Single click to more detail on VMs

Page 14

VGW – FIREWALL

Complete firewall protection for any network traffic to or from a VM

Benefits:
Extremely flexible protection down to the vNIC
Ability to automatically assign policies to VMs
Ability to quarantine VMs for immediate isolation
Kernel implementation isolates connection table and rule base

Define a quarantine policy for use on AV, Compliance or Image Enforcer violations

NEW!

Page 15

POLICY MODEL DETAILS

Individual vNIC policy allows administrators to set different policies on vNICs connected to different vSwitches or even the same vSwitch!

Configuration:
Enable the per-vNIC option in Settings -> Install Settings
Configure the policy via the rule editor for each vNIC

Implement the security granularity you require! (Global, Group, Individual VM, or even individual vNIC)

vNICs show up for VMs

NEW!

Page 16

VGW – IDS

Send selectable traffic flows to the internal IDS engine for deep-packet analysis against a dynamic signature set.

Security rule filters what is IDS inspected
Review IDS Alerts by Targets and Sources
Change “Time Interval” to expand the time slot or set “Custom Time Period” to review historical data
Click on Alert Type to get further details about the Signature that triggered the Alert

Page 17

VGW – ANTIVIRUS (NEW!)

AntiVirus components controlled centrally (scanner config, alert viewing, infected file remediation)
AV Dashboard for quick status understanding
File Quarantine
On-Demand and On-Access Scan Configurations

Page 18

VGW – INTROSPECTION

Introspection is the agent-less ability to scan a VM’s virtual disk contents to understand what’s installed – OS, SP, Applications, Registry Values

Benefits:
Know exactly what’s installed in a VM and automatically attach the relevant security policy!
Categorize discovered values and easily determine install states (Application and VM views)
Use Image Enforcer to define a “gold” image (template or VM), then discover how VMs deviate from it over time
Works for Windows and Linux

NEW!

Page 19

VGW – COMPLIANCE

The compliance module includes pre-defined rules based on virtual security best practices and an engine so customers can define their own rules.

Benefits:
Define rules on any VM or VM group (alerts and reports for compliance rule violations)
Automatically quarantine VMs into an isolated network if they violate a rule
Rules relevant to both VM and host configuration
Enhanced rule editor for intuitive manipulation of attributes
Classifications of checks (VMware best practices, etc.)
Easily see rule violations

NEW!

Page 20

VGW – REPORTS

Pre-defined and customizable reports covering all of the solution modules

Benefits:
Generate reports in PDF or CSV formats
Automatically send scheduled reports via email or store them directly in the vGW management center
Scoping mechanism isolates contents (Customer/Dept A’s VMs never show up in Customer/Dept B’s report)
AntiVirus Reports
Report on Image Enforcer profiles

NEW!

Page 21

ARCHITECTURE AND SCALABILITY

Page 22

INTEGRATED WITH JUNIPER DATA CENTER SECURITY

[Diagram: VM1–VM3 on VMware vSphere protected by Altor vGW, connected over the network to a Juniper EX Switch and a Juniper SRX with IDP, with STRM alongside. Links between the components: Central Policy Management and Policies; Zone Synchronization; Traffic Mirroring to IPS; Firewall Event Syslogs; Netflow for Inter-VM Traffic.]

Page 23

SRX SERIES INTEGRATION

Firewall zones integration (zone synchronization between SRX Series and vGW)

Benefits:
Guarantee integrity of zones on the hypervisor
Automate and verify no “policy violation” of VMs
Empower SRX Series with VM awareness

Page 24

SRX AND VGW – MICRO-SEGMENTATION

[Diagram: data center switching with an SRX5800 in front of two hosts, ESX-1 and ESX-2, each running vGW. Blue VMs belong to customer “A” in zone 1 = VLAN 221.]

1. Create an SRX zone “A” for customer “A” with VLAN 221
2. Create an SRX zone policy: SRC any, DST zone “A”, ACTION reject
3. Tell vGW about the SRX and customer “A”
4. Refine “Smart Groups” with customer “A” VM information
5. Create a vGW policy to segment within customer “A” VMs
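The five-step walk-through on this slide, together with the global / group / individual-VM tiers on the POLICY MODEL DETAILS slide and the vCenter-UUID identity point on the TIGHT INTEGRATION WITH VCENTER slide, can be modelled as two small first-match rule tables: the SRX decides zone crossings, vGW decides flows inside the zone. The Python below is an added illustration written for this page, not vGW or Junos code. The VM records and UUIDs, the "untrust" zone name, the smart-group naming scheme and every vGW rule are constructed; the only rule taken from the slide is the SRX "any -> zone A: reject".

```python
# Constructed model of the micro-segmentation walk-through: an SRX zone policy
# for zone crossings and a tiered vGW policy for flows inside the zone.
# Added illustration, not vGW or Junos code. VM records, UUIDs, the "untrust"
# zone name, the smart-group naming and all vGW rules are constructed here.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VM:
    uuid: str      # vCenter UUID: the identity policy is keyed on (constructed value)
    name: str      # display name; deliberately not unique, see the clone below
    customer: str  # vCenter attributes the "smart group" is derived from
    role: str
    vlan: int


# Step 1: SRX zone "A" for customer "A" is VLAN 221 (from the slide).
ZONE_VLANS = {"A": 221}

# Step 2: SRX zone policy from the slide: SRC any, DST zone "A", ACTION reject.
SRX_ZONE_POLICY: List[Tuple[str, str, str]] = [("any", "A", "reject")]

# Step 5 with the global / group / individual-VM tiers: each rule is
# (destination group, destination port or None for any, action). Constructed.
VM_RULES = {                     # individual-VM tier, keyed by vCenter UUID
    "uuid-0001": [("A-db", 22, "permit")],   # only web1 may reach db1 on SSH
}
GROUP_RULES = {                  # group tier, keyed by smart group
    "A-web": [("A-db", 3306, "permit"),      # web tier to database tier
              ("A-web", None, "deny")],      # web peers must not talk to each other
}
GLOBAL_RULES = [("any", None, "deny")]       # global tier: default deny in the zone


def zone_of(vm: VM) -> str:
    """Map a VM to its SRX zone by VLAN; anything else is 'untrust' (constructed name)."""
    for zone, vlan in ZONE_VLANS.items():
        if vm.vlan == vlan:
            return zone
    return "untrust"


def smart_group(vm: VM) -> str:
    """Steps 3-4: group membership comes from vCenter attributes, not IP or name."""
    return f"{vm.customer}-{vm.role}"


def srx_decision(src: VM, dst: VM) -> Optional[str]:
    """Zone-crossing check. Returns None for same-zone flows: the physical
    firewall never sees those, which is the blind spot vGW exists to cover."""
    fz, tz = zone_of(src), zone_of(dst)
    if fz == tz:
        return None
    for from_zone, to_zone, action in SRX_ZONE_POLICY:
        if from_zone in ("any", fz) and to_zone in ("any", tz):
            return action
    return "permit"  # constructed default for zone pairs without a rule


def vgw_decision(src: VM, dst: VM, dport: int) -> str:
    """Intra-zone check: individual-VM tier first, then group, then global;
    the first matching rule wins, and an unmatched flow is denied."""
    dg = smart_group(dst)
    tiers = (VM_RULES.get(src.uuid, []),
             GROUP_RULES.get(smart_group(src), []),
             GLOBAL_RULES)
    for rules in tiers:
        for dst_group, port, action in rules:
            if dst_group in ("any", dg) and port in (None, dport):
                return action
    return "deny"


def decide(src: VM, dst: VM, dport: int) -> str:
    """Combined verdict: the SRX rules on zone crossings, vGW on everything else."""
    verdict = srx_decision(src, dst)
    return verdict if verdict is not None else vgw_decision(src, dst, dport)


# Constructed inventory. WEB1_CLONE shares web1's name but carries its own UUID,
# so the per-VM exception granted to web1 does not follow the clone.
WEB1 = VM("uuid-0001", "web1", "A", "web", 221)
WEB1_CLONE = VM("uuid-0002", "web1", "A", "web", 221)
DB1 = VM("uuid-0003", "db1", "A", "db", 221)
OUTSIDE = VM("uuid-0009", "scanner", "B", "web", 300)

if __name__ == "__main__":
    checks = [(OUTSIDE, WEB1, 80), (WEB1, DB1, 3306), (WEB1, DB1, 22),
              (WEB1_CLONE, DB1, 22), (WEB1, WEB1_CLONE, 80), (DB1, WEB1, 80)]
    for s, d, p in checks:
        print(f"{s.name:>8} ({s.uuid}) -> {d.name} :{p:<5} {decide(s, d, p)}")
```

Two things the table makes visible that the bullets only state: the SRX returns no verdict at all for web1 -> db1, because same-zone traffic never reaches the physical firewall, and the clone of web1 gets the group policy (same vCenter attributes) but not web1's individual-VM exception, because that tier is keyed on the UUID rather than the name.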

Page 25

IDP INTEGRATION

Send virtual network traffic to a physical Juniper IDP for analysis. Compatible with standalone or SRX integrated (11.2r1).

Benefits:
Choice between using the integrated vGW IDS or a Juniper physical IDP
A combination of devices can be used to optimize performance (rule-based flow direction)

Page 26

SUMMARY

[Diagram: SRX Series (physical) and vGW Series (hypervisor) side by side. The vGW Virtual Gateway sits between the VMs (VM VM VM) and the hypervisor, under Virtual Control. Management and Security Services: Security Design, Security Threat Response Manager (STRM). Services: Virtual Firewall, IPS, DoS Protection, AppSecure.]
