CONNECTED VIRTUALISATION WESTCON 5-DAAGSE / SALES 13 FEBRUARY 2012 Dennis de Leest Security Systems Engineer.


1 CONNECTED VIRTUALISATION
WESTCON 5-DAAGSE / SALES, 13 FEBRUARY 2012
Dennis de Leest, Security Systems Engineer

2 VIRTUALIZATION CHALLENGES
Copyright © 2011 Juniper Networks, Inc. www.juniper.net

3 MEGA TREND – SERVER VIRTUALIZATION
[Chart: capital savings from server virtualization. Source: IDC]

4 SECURITY IMPLICATION OF VIRTUALIZATION
Physical network: the firewall/IDS sees and protects all traffic between servers.
Virtual network: VM1, VM2 and VM3 on an ESX/ESXi host are connected through a virtual switch inside the hypervisor, so physical security is “blind” to traffic between virtual machines.

5 THE ISOLATION CHALLENGE IN THE VSWITCH
VM isolation challenge:
 vSwitches provide only basic connectivity
 VMs plugged into the same vSwitch have direct access to each other via the hypervisor
 Port groups that are assigned VLAN IDs need a layer 3 device for routing
 Distributed vSwitches don’t realistically address security
 VM admins can assign vNICs to any network (even accidentally)

6 APPROACHES TO SECURING VIRTUAL NETWORKS
Three approaches, each shown for VM1, VM2 and VM3 on a vSwitch in an ESX/ESXi host:
1. VLANs and physical segmentation
2. Traditional security agents: a regular thick agent for FW and AV inside each VM
3. Purpose-built virtual security: a virtual security layer in the hypervisor

7 THE GOAL IS SECURE CLOUD COMPUTING
[Diagram: a virtual security layer spanning remote hosts (ESX 1, ESXi 2, ESX 3) and hosted hosts (ESXi 4, ESX 5, ESXi 6) across public, private and hybrid clouds]
Public, private, and hybrid clouds require dynamic and highly integrated security mechanisms to keep information safe!

8 SOLUTION OVERVIEW

9 THE VGW PURPOSE-BUILT APPROACH
Service provider and enterprise grade:
 Three-tiered model
 VMware certified (signed binaries!)
 Protects each VM and the hypervisor
 Fault-tolerant architecture (i.e., HA)
Virtualization-aware:
 “Secure VMotion” scales to 1,000+ hosts
 “Auto Secure” detects/protects new VMs
Granular, tiered defense:
 Stateful firewall, integrated IDS, and AV
 Flexible policy enforcement: zone, VM group, VM, individual vNIC
[Diagram: the vGW engine. Security Design for vGW (tiers 1, 2, 3) alongside the Virtual Center VM and VM1–VM3; vGW runs in the VMware kernel of the hypervisor on an ESX or ESXi host, works with any vSwitch (standard, DVS, 3rd party), uses the VMware APIs, and sends packet data to a partner server (IDS, SIM, Syslog, Netflow)]

10 TIGHT INTEGRATION WITH VCENTER
No manual synchronization:
 Complete VM inventory pulled from vCenter
 Security synchs with changes to the virtual infrastructure
VMs identified by their vCenter UUID:
 No need to trust weak associations
 Differentiate between a VM and its clones
 Maintain correct policy and monitoring throughout change
Validate infrastructure configuration:
 Prevent “backdoor channels”
 Ensure configuration integrity
Automate deployment:
 Deploy firewalls programmatically
 Simplify HA setup by cloning management VMs
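The UUID-keyed binding this slide describes, as an added example in Python (hypothetical code, not vGW's or Juniper's): policy is looked up by the vCenter UUID, so it follows a VM whose name and IP change and is withheld from a clone that reuses them. The clone heuristic and the "quarantine" default for first-seen VMs are assumptions.

```python
"""Added example (not vGW code): bind policy to the vCenter VM UUID, not to
name/IP/MAC. The "quarantine" default for a first-seen VM is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VmRecord:
    uuid: str   # vCenter instance UUID: stable for the VM's lifetime
    name: str   # display name: mutable and reusable
    ip: str     # mutable and reusable
    mac: str    # mutable, and replaced when a VM is cloned


class UuidPolicyBinder:
    def __init__(self, new_vm_policy="quarantine"):
        self.new_vm_policy = new_vm_policy  # assumed "Auto Secure" default
        self.policy = {}   # uuid -> policy name
        self.last = {}     # uuid -> last VmRecord seen for that uuid

    def bind(self, vm, policy):
        self.policy[vm.uuid] = policy
        self.last[vm.uuid] = vm

    def sync(self, inventory):
        """Reconcile one inventory pull. Returns {uuid: (policy, event)}."""
        before = dict(self.last)  # snapshot so lookups see the pre-pull state
        out = {}
        for vm in inventory:
            if vm.uuid in self.policy:
                prev = before[vm.uuid]
                moved = (prev.name, prev.ip, prev.mac) != (vm.name, vm.ip, vm.mac)
                event = "attributes-changed" if moved else "unchanged"
            else:
                # Unknown UUID that shares name/IP/MAC with a known VM is a clone:
                # it gets the default policy, never the original's.
                twins = sorted(u for u, p in before.items()
                               if vm.name == p.name or vm.ip == p.ip or vm.mac == p.mac)
                event = "clone-of:" + ",".join(twins) if twins else "new"
                self.policy[vm.uuid] = self.new_vm_policy
            self.last[vm.uuid] = vm
            out[vm.uuid] = (self.policy[vm.uuid], event)
        return out


def demo():
    """Constructed sample: web01 is renamed and re-IPed; a clone reuses its old name/IP."""
    b = UuidPolicyBinder()
    b.bind(VmRecord("uuid-0001", "web01", "10.0.1.10", "00:50:56:aa:bb:01"), "web-tier")
    pull = [VmRecord("uuid-0001", "web01-prod", "10.0.1.20", "00:50:56:aa:bb:01"),
            VmRecord("uuid-0002", "web01", "10.0.1.10", "00:50:56:aa:bb:02")]
    return b.sync(pull)
```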

11 KEY FEATURES AND BENEFITS

12 VGW MODULES
Main Dashboard: view of the virtual system threats (including VM quarantine view)
Network: visibility of inter-VM traffic flows
Firewall: firewall policy management and logs
IDS: centralized view of IDS alerts and ability to drill down on attacks
AntiVirus: full AV protection for VMs
Introspection: centralized VM view (includes OS, apps, hot fixes, etc.)
Compliance: out-of-box and custom rules engine; alerts on VM/host config changes
Reports: automated reports for all functional modules

13 VGW – NETWORK VISIBILITY
[Screenshot callouts: left-hand tree selection navigates the right-hand pane; the Connections tab shows open traffic flows; custom time interval for troubleshooting; all VM traffic flows are stored in the database and available for analysis]
Benefits:
 Visibility into all VM communications
 Ability to spot design issues with security policies
 Single click to more detail on VMs

14 VGW – FIREWALL
Complete firewall protection for any network traffic to or from a VM.
Benefits:
 Extremely flexible protection down to the vNIC
 Ability to automatically assign policies to VMs
 Ability to quarantine VMs for immediate isolation
 Kernel implementation isolates the connection table and rule base
NEW! Define a quarantine policy for use on AV, Compliance or Image Enforcer violations.

15 POLICY MODEL DETAILS
Individual vNIC policy allows administrators to set different policies on vNICs connected to different vSwitches, or even to the same vSwitch!
Configuration:
 Enable the per-vNIC option in Settings -> Install Settings
 Configure the policy via the rule editor for each vNIC
Implement the security granularity you require! (Global, Group, Individual VM, or even individual vNIC)
NEW! vNICs show up for VMs (screenshot callout)

16 VGW – IDS
Send selectable traffic flows to the internal IDS engine for deep-packet analysis against a dynamic signature set. A security rule filters what is IDS-inspected.
[Screenshot callouts: review IDS alerts by targets and sources; change “Time Interval” to expand the time slot or set “Custom Time Period” to review historical data; click on an alert type to get further details about the signature that triggered the alert]

17 VGW – ANTIVIRUS (NEW!)
AntiVirus components are controlled centrally (scanner config, alert viewing, infected file remediation).
[Screenshot callouts: AV dashboard for quick status understanding; file quarantine; on-demand and on-access scan configurations]

18 VGW – INTROSPECTION (NEW!)
Introspection is the agent-less ability to scan a VM’s virtual disk contents to understand what’s installed: OS, SP, applications, registry values.
Benefits:
 Know exactly what’s installed in a VM and automatically attach the relevant security policy!
 Categorize discovered values and easily determine install states (Application and VM views)
 Use Image Enforcer to define a “gold” image (template or VM), then discover how VMs deviate from it over time
 Works for Windows and Linux

19 VGW – COMPLIANCE (NEW!)
The compliance module includes pre-defined rules based on virtual security best practices and an engine so customers can define their own rules.
Benefits:
 Define rules on any VM or VM group (alerts and reports for compliance rule violations)
 Automatically quarantine VMs into an isolated network if they violate a rule
 Rules relevant to both VM and host configuration
 Enhanced rule editor for intuitive manipulation of attributes
[Screenshot callouts: classifications of checks (VMware best practices, etc.); easily see rule violations]

20 VGW – REPORTS
Pre-defined and customizable reports covering all solution modules.
Benefits:
 Generate reports in PDF or CSV formats
 Automatically send scheduled reports via email or store them directly in the vGW management center
 Scoping mechanism isolates contents (Customer/Dept A’s VMs never show up in Customer/Dept B’s report)
NEW! AntiVirus reports; report on Image Enforcer profiles

21 ARCHITECTURE AND SCALABILITY

22 STRM INTEGRATED WITH JUNIPER DATA CENTER SECURITY
[Diagram: VM1, VM2 and VM3 behind the Altor vGW on VMware vSphere, connected over the network through a Juniper EX switch to a Juniper SRX with IDP. Labelled flows: policies / central policy management; zone synchronization between SRX and vGW; traffic mirroring to the IPS; vGW firewall event syslogs; Netflow for inter-VM traffic]

23 SRX SERIES INTEGRATION
Firewall zones integration (zone synchronization between SRX Series and vGW).
Benefits:
 Guarantee integrity of zones on the hypervisor
 Automate and verify no “policy violation” of VMs
 Empower SRX Series with VM awareness

24 SRX AND VGW – MICRO-SEGMENTATION
[Diagram: data center switching, an SRX5800, and vGW on ESX-1 and ESX-2; blue VMs belong to customer “A” in zone 1 = VLAN 221]
1. Create an SRX zone “A” for customer “A” with VLAN 221
2. Create an SRX zone policy: SRC ANY, DST ZONE “A”, ACTION REJECT
3. Tell vGW about the SRX and customer “A”
4. Refine “Smart Groups” with customer “A” VM information
5. Create a vGW policy to segment within customer “A” VMs

25 IDP INTEGRATION
Send virtual network traffic to a physical Juniper IDP for analysis. Compatible with standalone IDP or SRX-integrated IDP (11.2r1).
Benefits:
 Choice between using the integrated vGW IDS or a Juniper physical IDP
 A combination of devices can be used to optimize performance (rule-based flow direction)

26 SUMMARY
[Diagram: SRX Series (physical) and vGW Series VM (hypervisor) with the vGW Virtual Gateway and a Virtual Control VM; management and security services: Security Design and Security Threat Response Manager (STRM); services: virtual firewall, IPS, DoS protection, AppSecure]
