CONNECTED VIRTUALISATION
WESTCON 5-DAAGSE / SALES, 13 FEBRUARY 2012
Dennis de Leest, Security Systems Engineer
Copyright © 2011 Juniper Networks, Inc. www.juniper.net
VIRTUALIZATION CHALLENGES
MEGA TREND – SERVER VIRTUALIZATION
[Chart (source: IDC): Physical Server Installed Base vs. Logical Server Installed Base, in millions of installed servers, 1996–2013; the gap between the two curves is labelled “Capital Savings”.]
SECURITY IMPLICATION OF VIRTUALIZATION
[Diagram: physical network vs. virtual network.]
Physical network: the firewall/IDS sees and protects all traffic between servers.
Virtual network: VM1, VM2 and VM3 on an ESX/ESXi host share a virtual switch on the hypervisor; physical security is “blind” to traffic between virtual machines.
THE ISOLATION CHALLENGE IN THE VSWITCH
VM isolation challenge:
- vSwitches provide only basic connectivity
- VMs plugged into the same vSwitch have direct access to each other via the hypervisor
- Port groups that are assigned VLAN IDs need a layer 3 device for routing between them
- Distributed vSwitches don’t realistically address security
- VM admins can assign vNICs to any network (even accidentally)
APPROACHES TO SECURING VIRTUAL NETWORKS
[Diagram: three ESX/ESXi hosts, each running VM1, VM2 and VM3 on a vSwitch over the hypervisor, one per approach (numbered 1–3 on the slide).]
- VLANs & physical segmentation
- Traditional security agents: a regular thick agent for FW & AV inside each VM
- Purpose-built virtual security: a virtual security layer between the VMs and the vSwitch
THE GOAL IS SECURE CLOUD COMPUTING
[Diagram: hosted and remote ESX/ESXi hosts (ESX 1, ESXi 2, ESX 3, ESXi 4, ESX 5, ESXi 6), each with its own virtual security layer, spanning public, private and hybrid clouds.]
Public, private, and hybrid clouds require dynamic and highly integrated security mechanisms to keep information safe.
SOLUTION OVERVIEW
THE VGW PURPOSE-BUILT APPROACH
Service provider & enterprise grade:
- Three-tiered model
- VMware certified (signed binaries)
- Protects each VM and the hypervisor
- Fault-tolerant architecture (HA)
Virtualization-aware:
- “Secure VMotion” scales to 1,000+ hosts
- “Auto Secure” detects and protects new VMs
Granular, tiered defense:
- Stateful firewall, integrated IDS, and AV
- Flexible policy enforcement: zone, VM group, VM, individual vNIC
THE vGW ENGINE
[Diagram: Security Design for vGW on an ESX or ESXi host. The vGW engine runs in the VMware kernel beneath VM1, VM2 and VM3 and works with any vSwitch (standard, DVS, 3rd party); it integrates with the Virtual Center VM through the VMware APIs and exports packet data to partner servers (IDS, SIM, syslog, NetFlow). The three components are numbered 1–3 on the slide.]
TIGHT INTEGRATION WITH VCENTER
No manual synchronization:
- Complete VM inventory pulled from vCenter
- Security syncs with changes to the virtual infrastructure
VMs identified by their vCenter UUID:
- No need to trust weak associations
- Differentiate between a VM and its clones
- Maintain correct policy and monitoring throughout change
Validate infrastructure configuration:
- Prevent “backdoor channels”
- Ensure configuration integrity
Automate deployment:
- Deploy firewalls programmatically
- Simplify HA setup by cloning management VMs
KEY FEATURES AND BENEFITS
VGW MODULES
- Main: dashboard view of the virtual system threats (including VM quarantine view)
- Network: visibility of inter-VM traffic flows
- Firewall: firewall policy management and logs
- IDS: centralized view of IDS alerts and ability to drill down on attacks
- AntiVirus: full AV protection for VMs
- Introspection: centralized VM view (includes OS, apps, hot fixes, etc.)
- Compliance: out-of-box and custom rules engine; alerts on VM/host config changes
- Reports: automated reports for all functional modules
VGW – NETWORK VISIBILITY
- Left-hand tree selection navigates the right-hand pane
- Connections tab shows open traffic flows
- Custom time interval for troubleshooting
- All VM traffic flows are stored in a database and available for analysis
Benefits:
- Visibility into all VM communications
- Ability to spot design issues with security policies
- Single click to more detail on VMs
VGW – FIREWALL
Complete firewall protection for any network traffic to or from a VM.
- Define a quarantine policy for use on AV, Compliance or Image Enforcer violations (NEW)
Benefits:
- Extremely flexible protection, down to the individual vNIC
- Ability to automatically assign policies to VMs
- Ability to quarantine VMs for immediate isolation
- Kernel implementation isolates the connection table and rule base from the guest
POLICY MODEL DETAILS
Individual vNIC policy (NEW) allows administrators to set different policies on vNICs connected to different vSwitches, or even to the same vSwitch.
Configuration:
- Enable the per-vNIC option in Settings -> Install Settings
- Configure the policy via the rule editor for each vNIC; the vNICs then show up under their VMs
Implement the security granularity you require: Global, Group, individual VM, or even individual vNIC.
VGW – IDS
Send selectable traffic flows to the internal IDS engine for deep-packet analysis against a dynamic signature set.
- The security rule filters what is IDS-inspected
- Review IDS alerts by targets and sources
- Change “Time Interval” to expand the time slot, or set “Custom Time Period” to review historical data
- Click on an alert type for further details about the signature that triggered the alert
VGW – ANTIVIRUS (NEW)
- AntiVirus components controlled centrally (scanner configuration, alert viewing, infected-file remediation)
- AV dashboard for a quick status overview
- File quarantine
- On-demand and on-access scan configurations
VGW – INTROSPECTION (NEW)
Introspection is the agent-less ability to scan a VM’s virtual disk contents to understand what’s installed: OS, service pack, applications, registry values.
Benefits:
- Know exactly what’s installed in a VM and automatically attach the relevant security policy
- Categorize discovered values and easily determine install states (application and VM views)
- Use Image Enforcer to define a “gold” image (template or VM), then discover how VMs deviate from it over time
- Works for Windows and Linux
VGW – COMPLIANCE (NEW)
The compliance module includes pre-defined rules based on virtual security best practices and an engine so customers can define their own rules.
Benefits:
- Define rules on any VM or VM group (alerts and reports for compliance rule violations)
- Automatically quarantine VMs into an isolated network if they violate a rule
- Rules relevant to both VM and host configuration
- Enhanced rule editor for intuitive manipulation of attributes
- Classifications of checks (VMware best practices, etc.)
- Easily see rule violations
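The three ideas on the last few slides (policy keyed on the vCenter UUID rather than the VM name, Image Enforcer drift from a “gold” image, and compliance rules that can quarantine a VM) fit together in one small model. The following is an added example written for this page, not vGW code or a vGW API; the gold image, the VM inventories, the UUIDs, the port-group names and the two rules are all constructed for illustration. In vGW the package inventory would come from disk introspection and the rules from the Compliance module.

```python
"""Image-drift and compliance evaluation keyed on the vCenter UUID.

Added example, not vGW code. The gold image, VM inventories and the two
rules are constructed for illustration; in vGW the inventory comes from
disk introspection and the rules from the Compliance module.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VmInventory:
    uuid: str                          # vCenter UUID: survives renames, differs per clone
    name: str                          # display name: NOT a safe policy key
    packages: Dict[str, str]           # package -> version, from disk introspection
    vnic_port_groups: Tuple[str, ...]  # port group per vNIC, from the VM config


# Constructed gold image (a template) and the port groups no tenant vNIC may touch.
GOLD_PACKAGES: Dict[str, str] = {"openssl": "1.0.0j", "nginx": "1.0.11", "bash": "4.2"}
MANAGEMENT_PORT_GROUPS = frozenset({"Management Network"})


def image_drift(gold: Dict[str, str], vm_pkgs: Dict[str, str]):
    """Return (added, removed, changed) of a VM's packages relative to the gold image."""
    added = {p: v for p, v in vm_pkgs.items() if p not in gold}
    removed = {p: v for p, v in gold.items() if p not in vm_pkgs}
    changed = {p: (gold[p], vm_pkgs[p]) for p in gold if p in vm_pkgs and gold[p] != vm_pkgs[p]}
    return added, removed, changed


Rule = Callable[[VmInventory], Optional[str]]  # returns a violation message or None


def rule_matches_gold_image(vm: VmInventory) -> Optional[str]:
    added, removed, changed = image_drift(GOLD_PACKAGES, vm.packages)
    if added or removed or changed:
        return f"image drift: added={sorted(added)} removed={sorted(removed)} changed={sorted(changed)}"
    return None


def rule_no_vnic_on_management(vm: VmInventory) -> Optional[str]:
    bad = [pg for pg in vm.vnic_port_groups if pg in MANAGEMENT_PORT_GROUPS]
    return f"vNIC attached to management port group: {bad}" if bad else None


# (rule, quarantine on violation): drift only alerts; a vNIC on the management
# network is the "accidental network assignment" case and isolates immediately.
RULES: List[Tuple[Rule, bool]] = [
    (rule_matches_gold_image, False),
    (rule_no_vnic_on_management, True),
]


def evaluate(vm: VmInventory) -> Tuple[List[str], bool]:
    """Run every rule; return (violations, quarantine?) for one VM."""
    violations, quarantine = [], False
    for rule, isolates in RULES:
        msg = rule(vm)
        if msg:
            violations.append(msg)
            quarantine = quarantine or isolates
    return violations, quarantine


class PolicyStore:
    """Policy-group membership keyed on UUID: renames keep policy, clones don't inherit it."""

    def __init__(self) -> None:
        self._group_by_uuid: Dict[str, str] = {}

    def assign(self, vm: VmInventory, group: str) -> None:
        self._group_by_uuid[vm.uuid] = group

    def group_of(self, vm: VmInventory) -> str:
        return self._group_by_uuid.get(vm.uuid, "unassigned")


def reconcile(vms: List[VmInventory], store: PolicyStore) -> Dict[str, dict]:
    """Evaluate all VMs, move quarantined ones to the 'quarantine' group, report per UUID."""
    report: Dict[str, dict] = {}
    for vm in vms:
        violations, quarantine = evaluate(vm)
        if quarantine:
            store.assign(vm, "quarantine")
        report[vm.uuid] = {"name": vm.name, "group": store.group_of(vm), "violations": violations}
    return report


# Constructed inventories. WEB_01 gets policy and is then renamed (same UUID).
# WEB_02 drifted from gold and has a vNIC on the management network.
# CLONE keeps WEB_01's name but, being a clone, carries a new UUID.
WEB_01 = VmInventory("4221a0c3-0000-4e1d-9a1b-000000000001", "web-01", dict(GOLD_PACKAGES), ("CustA-VLAN221",))
WEB_01_RENAMED = VmInventory(WEB_01.uuid, "web-01-old", WEB_01.packages, WEB_01.vnic_port_groups)
WEB_02 = VmInventory("4221a0c3-0000-4e1d-9a1b-000000000002", "web-02",
                     {**GOLD_PACKAGES, "openssl": "1.0.0g", "netcat": "1.10"},
                     ("CustA-VLAN221", "Management Network"))
CLONE = VmInventory("4221a0c3-0000-4e1d-9a1b-000000000003", "web-01", dict(GOLD_PACKAGES), ("CustA-VLAN221",))


def demo() -> Dict[str, dict]:
    store = PolicyStore()
    store.assign(WEB_01, "custA-web")  # policy attached before the rename
    return reconcile([WEB_01_RENAMED, WEB_02, CLONE], store)


if __name__ == "__main__":
    for uuid, entry in demo().items():
        print(uuid, entry)
```

Running `demo()` shows the three behaviours the slides describe: the renamed VM keeps its `custA-web` group because the key is the UUID, the clone that reuses the name `web-01` comes back `unassigned` and has to be classified on its own, and `web-02` reports both the package drift and the management-network vNIC, with the latter rule alone moving it into the `quarantine` group.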
VGW – REPORTS
Pre-defined and customizable reports covering all solution modules.
Benefits:
- Generate reports in PDF or CSV format
- Automatically send scheduled reports via email, or store them directly in the vGW management center
- Scoping mechanism isolates contents (Customer/Dept A’s VMs never show up in Customer/Dept B’s report)
- AntiVirus reports (NEW)
- Reports on Image Enforcer profiles (NEW)
ARCHITECTURE AND SCALABILITY
INTEGRATED WITH JUNIPER DATA CENTER SECURITY
[Diagram: VM1–VM3 on VMware vSphere protected by Altor vGW, connected through the network (Juniper EX switch) to a Juniper SRX with IDP and to STRM. Integrations shown: central policy management and zone synchronization between vGW and the SRX; traffic mirroring from vGW to the IPS; firewall event syslogs and NetFlow for inter-VM traffic to STRM.]
SRX SERIES INTEGRATION
Firewall zones integration: zone synchronization between SRX Series and vGW.
Benefits:
- Guarantee the integrity of zones on the hypervisor
- Automate and verify that no VM violates policy
- Empower SRX Series with VM awareness
SRX AND VGW – MICRO-SEGMENTATION
[Diagram: data center switching, an SRX5800, and vGW on hosts ESX-1 and ESX-2. Blue VMs belong to customer “A” in zone 1 = VLAN 221.]
1. Create an SRX zone “A” for customer “A” with VLAN 221
2. Create an SRX zone policy: source ANY, destination zone “A”, action REJECT
3. Tell vGW about the SRX and customer “A”
4. Refine “Smart Groups” with customer “A” VM information
5. Create a vGW policy to segment within customer “A”’s VMs
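Steps 1 and 2 above, the SRX side of the procedure, in Junos set-command form. This is an added example written for this page, not configuration from the slides or from Juniper documentation: the interface xe-1/0/0, the 10.221.0.0/24 addressing, the zone name untrust, the address-book entry and the policy names are assumptions, and the lines starting with `#` are annotations rather than commands. Steps 3–5 happen in vGW and are not shown.

```junos
# Step 1: VLAN 221 from the data-center switches terminates on a routed
# sub-interface of the SRX, and that sub-interface is placed in zone "A".
set interfaces xe-1/0/0 vlan-tagging
set interfaces xe-1/0/0 unit 221 vlan-id 221
set interfaces xe-1/0/0 unit 221 family inet address 10.221.0.1/24
set security zones security-zone A interfaces xe-1/0/0.221

# Step 2: "source ANY -> destination zone A: REJECT", expressed as a global
# policy because the source is any zone. Global policies are evaluated only
# after the zone-pair policies, so the reject is the catch-all for zone A.
set security policies global policy reject-to-zone-A match from-zone any
set security policies global policy reject-to-zone-A match to-zone A
set security policies global policy reject-to-zone-A match source-address any
set security policies global policy reject-to-zone-A match destination-address any
set security policies global policy reject-to-zone-A match application any
set security policies global policy reject-to-zone-A then reject
set security policies global policy reject-to-zone-A then log session-init

# Whatever customer A must expose needs an explicit zone-pair permit, which
# is matched before the global reject: here HTTPS to one web front-end.
set security address-book global address custA-web 10.221.0.10/32
set security policies from-zone untrust to-zone A policy allow-custA-https match source-address any
set security policies from-zone untrust to-zone A policy allow-custA-https match destination-address custA-web
set security policies from-zone untrust to-zone A policy allow-custA-https match application junos-https
set security policies from-zone untrust to-zone A policy allow-custA-https then permit
```

Two practical points follow from this. The slide’s “ANY to zone A: REJECT” on its own isolates customer A completely, including from its legitimate users, so in a real deployment the reject is the floor and the permits sit above it. And the SRX policy only governs traffic that crosses the SRX: VM-to-VM traffic inside VLAN 221 never leaves the hypervisor, which is exactly why step 5 (the vGW policy that segments within customer A) is needed in addition to the zone policy.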
IDP INTEGRATION
Send virtual network traffic to a physical Juniper IDP for analysis. Compatible with standalone IDP and with SRX-integrated IDP (Junos 11.2R1).
Benefits:
- Choice between the integrated vGW IDS and a physical Juniper IDP
- A combination of devices can be used to optimize performance (rule-based flow direction)
SUMMARY
[Diagram: Juniper virtual control across physical and virtual. Physical: SRX Series with firewall, IPS, DoS protection and AppSecure services. Virtual: the vGW Series virtual gateway on the hypervisor, with its management and security services (Security Design), protecting the VMs. Security Threat Response Manager (STRM) spans both.]