  • 1. White Paper: Virtualization Technologies Overview
    Juniper Networks NetScreen Integrated Firewall and VPN Security Devices
    Mar 2005
    Don Wheeler, Product Marketing Manager
    Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA
    408 745 2000 or 888 JUNIPER, www.juniper.net
    Part Number: 200103-001
  • 2. Contents
    Introduction ........ 3
    Virtualization Technologies Overview ........ 3
    VLANs ........ 4
    Security Zones ........ 4
    Virtual Routers ........ 6
    Virtual System (VSYS) ........ 8
    Copyright © 2004, Juniper Networks, Inc.
  • 3. Virtualization Technologies Overview

    Introduction

    Virtualization technologies in the Juniper Networks NetScreen integrated firewall/VPN security solutions allow users to leverage their hardware investment by easily and cost-effectively providing additional security segmentation in a single security appliance or system within their networks. This leverage can be as simple as enabling a single physical interface to provide security to multiple network segments using 802.1Q VLAN tagging, or as sophisticated as supporting multiple logical firewall/VPN security systems using Virtual Systems (VSYS) for a true multi-department or multi-customer environment, such as a very large enterprise or a service provider offering managed security services, all in a single device.

    In addition to leveraging space and cost, virtualization technologies also provide greater administrative ease, which in itself provides better security by minimizing the potential for misconfiguration. Additionally, one important virtualization technology, Virtual Routers, directly increases security by separating the network routing instances and network routing updates of the various security domains from one another.

    The Juniper Networks NetScreen virtualization technologies, including full Virtual Systems (VSYS), have been core to ScreenOS since the NetScreen-1000 was introduced over four years ago. The secure separation of traffic within the multiple virtual systems and security zones is fundamental to the core of the architecture in our field-proven security systems. Development and systems quality assurance (QA) are designed around this core architecture; it is not an “enhancement” or “add-on” functionality. Juniper Networks NetScreen virtualized security solutions have been successfully deployed in very demanding ISP and network environments for years.

    The key requirement of a virtualized security capability is security: no benefit of virtualization is worth any trade-off in security effectiveness. This has been the design principle of Juniper Networks NetScreen virtualization technologies, and it means that there is no compromise to security or performance with the use of virtualization. This paper explains the capabilities that fall under the definition of “virtualization technologies” and discusses how they can be used to increase the value and security to customers.¹

    Virtualization Technologies Overview

    The virtualization technologies described in this section are part of a tightly integrated architecture that is both powerful and flexible. While each can be used independently to advantage, it is in combination that the greatest benefit and leverage is derived. NetScreen integrated firewall/VPN security solutions support the following virtualization technologies:
    • Virtual LANs (VLAN)
    • Security Zones
    • Virtual Routers (VR)
    • Virtual Systems (VSYS)

    1. Some of the capabilities and capacities described in this document may apply only to specific hardware platforms, or may require additional licensing. Consult with a Juniper Networks representative for specific details.
  • 4. Virtualization Technologies Overview

    VLANs

    Virtualization in its simplest form in the NetScreen security solution is the use of 802.1Q VLAN tags to define security sub-interfaces off of a single physical port. This extends the utility of each interface port, as it allows multiple network segments to be secured through a single physical interface, and is especially useful to customers wanting to add security simply and easily into network topologies that have already been segmented using 802.1Q VLAN technology.

    A VLAN-enabled security sub-interface is independently configurable, just as any regular physical interface is, meaning that it is assigned an IP address and is security-segmented separately from other sub-interfaces or even the physical interface from which it is configured. Fundamentally, this provides multiple security interfaces per physical port for security segmentation through the firewall/VPN device.

    In Route or NAT mode, use of VLANs means that the device actually terminates the VLAN and can separate the traffic based on the VLAN tag. Additionally, the device can insert or remove VLAN tags as appropriate. In Transparent mode, VLAN sub-interfaces (and thus VLAN termination) are not currently supported; however, the device can be configured to pass 802.1Q traffic through unaffected, allowing the security device to exist transparently within an 802.1Q VLAN environment.

    [Figure: VLAN sub-interfaces used to segment the security of multiple networks on a single physical interface. Untrust Zone (Internet) on one side; VLAN 1, VLAN 2 and VLAN 3 in the Trust Zone on the other.]

    Using VLAN sub-interfaces as shown above is easy. First define three sub-interfaces from the main INTERFACE configuration window, each with a unique 802.1Q tag and IP address, and assign them into the Trust zone. Then create intra-zone policies using IP addresses that control access between the protected networks or hosts in the policy rule base, and you have one physical port providing security for three network segments.

    Additional utility of VLAN-based sub-interfaces comes from their use as a layer-2 classification method in conjunction with the virtualization technologies of multiple security zones, virtual routers, and Virtual Systems (VSYS), all described in the following sections of this document.
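The following is an added example, not code from the white paper or from ScreenOS: a small Python model of the two behaviours the VLAN section describes. In Route/NAT mode the device terminates the 802.1Q tag, uses the VID to pick a sub-interface (and therefore a zone) and strips the tag; in Transparent mode it validates the header and passes the tagged frame through untouched. The sub-interface names (`ethernet1.1` and so on), VIDs, addresses and the frame bytes are all constructed for the demonstration.

```python
"""
Added example (not from the Juniper white paper): 802.1Q tag parsing and
sub-interface classification. Route/NAT mode terminates the VLAN and strips
the tag; Transparent mode passes the tagged frame through unchanged.
All interface names, VIDs, addresses and frame bytes are constructed.
"""
import struct
from dataclasses import dataclass

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class SubInterface:
    name: str       # constructed name, e.g. "ethernet1.1"
    vlan_id: int    # 802.1Q VID (1..4094)
    ip: str         # address assigned independently of the physical port
    zone: str       # security zone the sub-interface belongs to


def parse_frame(frame: bytes):
    """Return (dst_mac, src_mac, vid_or_None, ethertype, payload).

    A tagged frame carries 0x8100 at offset 12, then a 2-byte TCI
    (3-bit PCP, 1-bit DEI, 12-bit VID), then the real EtherType.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != ETHERTYPE_8021Q:
        return dst, src, None, etype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_etype = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    if vid in (0, 4095):
        # VID 0 is priority-only tagging and 4095 is reserved:
        # neither can select a sub-interface, so treat as malformed.
        raise ValueError(f"reserved VID {vid}")
    return dst, src, vid, inner_etype, frame[18:]


def classify_route_mode(frame: bytes, subifs: dict):
    """Route/NAT mode: the tag selects the sub-interface (and its zone) and
    is removed before the packet continues through the firewall."""
    dst, src, vid, etype, payload = parse_frame(frame)
    if vid is None:
        raise ValueError("untagged frame on a VLAN-only port: drop")
    subif = subifs.get(vid)
    if subif is None:
        raise ValueError(f"no sub-interface for VID {vid}: drop")
    untagged = dst + src + struct.pack("!H", etype) + payload
    return subif, untagged


def pass_through_transparent(frame: bytes) -> bytes:
    """Transparent mode: no VLAN termination; the tagged frame is forwarded
    unchanged so the device sits invisibly inside an 802.1Q environment."""
    parse_frame(frame)  # still validate the header before forwarding
    return frame


def tagged_frame(vid: int, payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Build a constructed 802.1Q frame with the given VID (PCP=0, DEI=0)."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    tag = struct.pack("!HHH", ETHERTYPE_8021Q, vid & 0x0FFF, ETHERTYPE_IPV4)
    return dst + src + tag + payload


# Three sub-interfaces off one physical port, all in the Trust zone, mirroring
# the three-segment layout in the text (names and addresses constructed).
SUBIFS = {
    10: SubInterface("ethernet1.1", 10, "10.10.0.1/24", "Trust"),
    20: SubInterface("ethernet1.2", 20, "10.20.0.1/24", "Trust"),
    30: SubInterface("ethernet1.3", 30, "10.30.0.1/24", "Trust"),
}

if __name__ == "__main__":
    sub, pkt = classify_route_mode(tagged_frame(20), SUBIFS)
    print(sub.name, sub.zone, len(pkt))
```

A frame whose VID has no sub-interface is dropped rather than falling back to the physical port; that is the property that makes the tag usable as a security classifier rather than just a forwarding hint.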
  • 5. Virtualization Technologies Overview

    Security Zones

    Superior security configuration and manageability are provided through the logical constructs called security zones, or simply zones. Much more sophisticated than the simplistic levels of hierarchical trust offered by some vendors, the NetScreen security zone functionality provides true virtualized security segmentation that includes the well-known defaults of Trust, Untrust and DMZ but also provides for additional security zones that can be used for additional DMZs and additional levels of trust or untrust in the network. The security zone capabilities apply to both firewall and VPN functionality, and the more complex the deployment, the more important and useful security zone capability becomes.

    Simply put, a security zone is a logical grouping of interfaces, sub-interfaces and IP hosts and subnets that will share security access controls and settings. While the familiar concepts of Trust, Untrust and DMZ exist as pre-defined zones, on the devices that support additional user-defined zones the administrator has great flexibility in deploying additional security control in the network. As an example, a “Marketing Zone” can be created such that the interfaces and the IP hosts and networks assigned to that zone will have a common security stance and common access rules applied under the “Marketing Zone” construct. The security policy rule set can now reference the Marketing Zone, and will apply to all objects assigned to that zone, instead of requiring a policy rule entry for each and every host or subnet separately.

    A key benefit of zones is the ease of configuration and management that comes with the security policy being configured around the logical zone construct as opposed to the less intuitive and potentially dynamic IP address topology. The way it works is that at configuration time, the interfaces/sub-interfaces and the IP host and subnet addresses are created and assigned to a zone. An interface or sub-interface can belong to only one zone. The access control policies are then created referencing the security zones as source and destination. For example, a policy from the Marketing Zone to the Internet Zone could be configured to allow HTTP and FTP traffic. This policy would then automatically apply to all of the hosts and subnets assigned to the Marketing zone.

    Any future interface or IP address book changes are made to the configuration of the zone, and only that once. These changes then automatically apply to every policy rule that references that zone, avoiding the need to modify and save each and every security policy rule that referenced the specific interface, subnet or host that was modified. A large amount of administration time and effort is saved, and, more importantly, the potential for security compromise due to misconfiguration is significantly reduced. Additionally, visualizing the security policy with security zones is much more intuitive, and assists the security administrator in correct implementation and management of the overall security policy, initially and throughout the process of securing the network.

    Additionally, security settings like SYN flood protection thresholds, Denial of Service defense parameters, and application component blocking behaviors can be individually configured for each security zone as desired for further customization.

    The number and type of security zones varies by platform, from the simple home/work zone functionality of the NetScreen-5GT to the 1000+ fully configurable security zone maximum in the NetScreen-5000 series. Multiple user-defined security zones are available on the NetScreen-200 series and up, with the number varying by platform. Consult the specific product datasheet for additional details.

    A classic use of security zones is for inter-departmental firewalling. The Marketing department, for instance, will typically have hosts and subnets with many security and access controls in common. These hosts and networks can be logically grouped into their own zone called “Marketing.” For exceptions or other special cases, where say one or more hosts belonging to the zone need a specific or more restricted access, specific policy rules can also be created at the host or subnet level, giving the administrator the best of both worlds, again without compromising security.

    Security zones allow for easy consolidation of environments where multiple distributed firewalls are currently used for security segmentation. This firewall consolidation offers significant cost savings and reduced administrative burden, which are the primary drivers behind consolidation.
  • 6. Virtualization Technologies Overview

    [Figure: Enterprise inter-departmental firewall. Policies control traffic between zones: Internet; Port 7, Port 2, Port 8, Port 4; VLAN 2, VLAN 3; Engineering Dept. Zone, Finance Dept. Zone, Marketing Dept. Zone, Web Servers Zone.]

    Another specific application of the security zone as a logical construct is in the use of dynamic route-based VPN tunnels. A VPN Tunnel zone is a use of a security zone that separates the security policy (access control) from the selection of the outbound IPSec tunnel (path). Once the traffic has been allowed by the security policy lookup to forward to the outbound zone called “Corp VPN Tunnel”, for instance, that zone can have multiple VPN tunnel interfaces defined in it such that the route table, either from a statically configured entry or via dynamic routing protocols, selects the best tunnel path to the destination. This gives rise to highly resilient VPNs and also minimizes the number of policy statements and phase-2 tunnels, since the policy statement no longer has to be specifically tied to a particular outbound IPSec tunnel. (Note: Policy-based VPN configuration options are still available also.)

    In addition to the basic interdepartmental firewall and tunnel zone applications described above, the functionality of security zones and virtualized sub-interfaces actually allows for multiple security domain support. As long as zones are defined specifically for each domain, and the policy set is going to be centrally (and very carefully) managed by the service provider for all customers, the security zones can be used to support multiple customers or security domains on a single physical device without requiring the more comprehensive VSYS capability. As we will see in the next two sections, virtual routers and especially Virtual Systems functionality significantly enhance the “virtualization” capabilities in the device, and make true multiple-customer virtualization support possible.
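The zone-based policy model described in the two preceding slides, as an added example that is not code from the white paper or from ScreenOS. Interfaces and address-book entries are bound to a zone once; rules reference zones, so changing a zone's address book changes every rule that names the zone; a more specific host-level rule placed first acts as the exception the text mentions; and per-zone screen settings such as a SYN flood threshold live on the zone object. Zone names, interface names, addresses, services and the default threshold value are constructed.

```python
"""
Added example (not from the Juniper white paper): first-match policy lookup
keyed by (from_zone, to_zone). Everything not explicitly permitted is denied.
All zone, interface, address and rule values are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    interfaces: set = field(default_factory=set)
    address_book: dict = field(default_factory=dict)   # name -> ip_network
    syn_flood_threshold: int = 1000                      # per-zone screen setting (constructed default)


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    src: str        # address-book name in from_zone, or "any"
    dst: str        # address-book name in to_zone, or "any"
    service: str    # "http", "ftp", ... or "any"
    action: str     # "permit" or "deny"


class ZoneFirewall:
    def __init__(self):
        self.zones = {}
        self.if_zone = {}   # interface -> zone name; an interface belongs to one zone only
        self.rules = []     # ordered: first match wins

    def add_zone(self, name, **settings):
        self.zones[name] = Zone(name, **settings)

    def bind_interface(self, ifname, zone):
        if ifname in self.if_zone:
            raise ValueError(f"{ifname} already belongs to zone {self.if_zone[ifname]}")
        self.if_zone[ifname] = zone
        self.zones[zone].interfaces.add(ifname)

    def add_address(self, zone, name, cidr):
        """Create or update an address-book entry; rules pick up the change."""
        self.zones[zone].address_book[name] = ipaddress.ip_network(cidr)

    def add_rule(self, rule):
        self.rules.append(rule)

    def _matches(self, zone, book_name, ip):
        if book_name == "any":
            return True
        net = self.zones[zone].address_book.get(book_name)
        return net is not None and ip in net

    def lookup(self, in_if, out_if, src_ip, dst_ip, service):
        """Resolve zones from the interfaces, then walk the rules in order."""
        fz, tz = self.if_zone[in_if], self.if_zone[out_if]
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for r in self.rules:
            if (r.from_zone, r.to_zone) == (fz, tz) \
               and r.service in (service, "any") \
               and self._matches(fz, r.src, s) and self._matches(tz, r.dst, d):
                return r.action
        return "deny"   # implicit default


def build_demo():
    fw = ZoneFirewall()
    fw.add_zone("Marketing", syn_flood_threshold=500)   # tighter per-zone screen setting
    fw.add_zone("Internet")
    fw.bind_interface("ethernet1.2", "Marketing")        # a VLAN sub-interface
    fw.bind_interface("ethernet3", "Internet")
    fw.add_address("Marketing", "mkt-lan", "10.20.0.0/24")
    fw.add_address("Marketing", "mkt-kiosk", "10.20.0.250/32")
    # Host-level exception first, then the zone-wide permits for HTTP and FTP.
    fw.add_rule(Rule("Marketing", "Internet", "mkt-kiosk", "any", "any", "deny"))
    fw.add_rule(Rule("Marketing", "Internet", "mkt-lan", "any", "http", "permit"))
    fw.add_rule(Rule("Marketing", "Internet", "mkt-lan", "any", "ftp", "permit"))
    return fw


if __name__ == "__main__":
    fw = build_demo()
    print(fw.lookup("ethernet1.2", "ethernet3", "10.20.0.15", "203.0.113.10", "http"))
```

Note that the reverse direction (Internet to Marketing) has no rule and is therefore denied; a real deployment relies on session state for return traffic, which this model leaves out on purpose so that the zone-pair lookup stays visible.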
  • 7. Virtualization Technologies Overview

    Virtual Routers

    Support for multiple Virtual Routers (VRs) is an important security virtualization capability in the integrated firewall/VPN security device. A virtual router is a separate routing instance within the security device, with its own routing protocol, settings, route table, and routing updates. Each virtual router participates in its own routing domain. Multiple virtual routers allow the single device to participate in multiple routing domains completely separated from each other.

    This separation adds a critical element of security to the routing functionality of the security device. It does this by having different routing instances for, say, Trust and Untrust, which completely hides the internal network addresses and topology information from any outside or untrusted network segments, e.g. the Internet or another internal subnet. In addition to having a virtual router for Trust and Untrust (all NetScreen integrated firewall/VPN devices have at least two virtual routers), multiple virtual routers support additional routing instances for additional security domains, which is especially important for managed security services. In addition to the security benefit mentioned above, virtual routers also provide general administrative domain separation of routing for improved scalability and control.

    The way it works is that security zones are assigned to virtual routers. A zone can belong to only one virtual router, and multiple zones can be assigned to the same VR. Zones that share a virtual router are in the same routing domain and thus have layer-3 reachability amongst each other. Zones assigned to a particular virtual router must not have overlapping IP address space, while zones defined to different VRs can have overlapping IP space or even identical IP space. Layer-3 reachability between virtual routers must be explicitly configured in routing tables, in addition to being enabled via security policy, of course.

    By default there is a Trust-VR and an Untrust-VR, with the default configuration having all zones assigned to the Trust-VR to allow “out of the box” IP connectivity. (Note: Again, all traffic must also be specifically permitted by a security policy for any IP connectivity to occur.)

    [Figure: Basic internal and external virtual routers. Internet; VR2: External Routing Table (Public IP Addresses); VR1: Internal Routing Table (Private IP Addresses); Private Network.]
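An added example, not code from the white paper or from ScreenOS, modelling the virtual-router rules just described: each VR keeps its own route table and does longest-prefix matching only within itself; a zone binds to exactly one VR; overlapping address space is rejected between zones of the same VR but accepted between zones of different VRs; and a lookup crosses from one VR to another only through an explicitly configured route pointing at the other VR, so an Untrust-side lookup with no such route learns nothing about the internal topology. VR names, zone names and prefixes are constructed.

```python
"""
Added example (not from the Juniper white paper): independent route tables
per virtual router, overlap rules per VR, and explicit inter-VR routes.
All VR, zone and prefix values are constructed.
"""
import ipaddress


class VirtualRouter:
    def __init__(self, name):
        self.name = name
        self.zones = set()
        # (ip_network, next_hop) with next_hop = ("zone", name) or ("vr", vr_name)
        self.routes = []

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, ip):
        """Longest-prefix match within this VR only; None if no route."""
        ip = ipaddress.ip_address(ip)
        best = None
        for net, nh in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


class Device:
    def __init__(self):
        self.vrs = {}
        self.zone_vr = {}        # zone -> VR name (a zone belongs to one VR)
        self.zone_subnets = {}   # zone -> [ip_network]

    def add_vr(self, name):
        self.vrs[name] = VirtualRouter(name)

    def bind_zone(self, zone, vr):
        if zone in self.zone_vr:
            raise ValueError(f"zone {zone} already bound to {self.zone_vr[zone]}")
        self.zone_vr[zone] = vr
        self.vrs[vr].zones.add(zone)

    def add_zone_subnet(self, zone, cidr):
        """Overlap is forbidden only among zones that share a VR."""
        net = ipaddress.ip_network(cidr)
        vr = self.zone_vr[zone]
        for other, other_vr in self.zone_vr.items():
            if other_vr == vr and other != zone:
                for existing in self.zone_subnets.get(other, []):
                    if existing.overlaps(net):
                        raise ValueError(
                            f"{cidr} in {zone} overlaps {existing} in {other} (same VR {vr})")
        self.zone_subnets.setdefault(zone, []).append(net)
        self.vrs[vr].add_route(cidr, ("zone", zone))

    def route(self, vr, dst, max_hops=4):
        """Resolve dst starting in vr, crossing VRs only via explicit routes.
        Returns (list of VRs visited, ("zone", name) or None)."""
        path = [vr]
        for _ in range(max_hops):
            hit = self.vrs[vr].lookup(dst)
            if hit is None:
                return path, None
            kind, target = hit[1]
            if kind == "vr":
                vr = target
                path.append(vr)
                continue
            return path, (kind, target)
        raise RuntimeError("route loop between virtual routers")


def build_demo():
    d = Device()
    for vr in ("trust-vr", "untrust-vr", "custA-vr", "custB-vr"):
        d.add_vr(vr)
    d.bind_zone("Trust", "trust-vr")
    d.bind_zone("Untrust", "untrust-vr")
    d.bind_zone("CustA", "custA-vr")
    d.bind_zone("CustB", "custB-vr")
    d.add_zone_subnet("Trust", "10.0.0.0/8")
    d.add_zone_subnet("Untrust", "203.0.113.0/24")
    d.add_zone_subnet("CustA", "192.168.1.0/24")
    d.add_zone_subnet("CustB", "192.168.1.0/24")   # identical space, different VR: allowed
    # The only inter-VR reachability: a default route from trust-vr into untrust-vr.
    # untrust-vr gets no route back, so internal prefixes stay invisible to it.
    d.vrs["trust-vr"].add_route("0.0.0.0/0", ("vr", "untrust-vr"))
    return d


if __name__ == "__main__":
    d = build_demo()
    print(d.route("trust-vr", "203.0.113.9"))
    print(d.route("untrust-vr", "10.1.2.3"))
```

As in the text, a successful route resolution is necessary but not sufficient for connectivity; the security policy lookup from the previous section still has to permit the zone pair.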
  • 8. Virtualization Technologies Overview

    Multiple virtual routers also have a role to play in higher levels of virtualization in the NetScreen integrated firewall/VPN security solutions. While security zone functionality provides security segmentation, support for multiple virtual routers adds routing domain segmentation, which makes the device capable of supporting multiple truly separate domains within an enterprise, or among various customers in a Service Provider based managed security service offering. A virtual router configured for use by one set of zones (or customer) is independent of the other virtual routers of another set of zones (or customer). There is no exchange of routing information between virtual routers, and the routing updates from one domain are not seen by the other domains. There is complete separation, unless the virtual routers are specifically configured to share information with a static route or route export configuration. This is completely under administrative control. Additionally, having multiple virtual routers adds the ability to support networks with overlapping IP address space, as long as the overlapping IP addresses/subnets belong to zones assigned to different virtual routers. Overlapping IP address space is quite common in multi-customer environments like a service provider, or in a large enterprise where acquisition or consolidation brings two previously separate entities together.

    We have previously examined the basic building blocks of virtualization with VLAN-based sub-interfaces, multiple security zones and multiple virtual routers. The combination of these capabilities creates the foundation for virtualized firewall and VPN services within a single device. It is the Virtual System, or VSYS, functionality that then adds the significant value in resource assignment, manageability and scalability of the virtualized system, especially important to larger-scale implementations like a service provider offering network-based managed security services to its customers.

    Virtual System (VSYS)

    The NetScreen security systems can be logically partitioned into multiple firewall/VPN instances called Virtual Systems (VSYS), each with its own security zones, virtual routers, address book, policy rule set and management domain. It is the VSYS that segments a system into multiple security devices, and makes it practical to manage the multiple security domains, which can range from tens to hundreds. VSYS enables the single high-performance security device to support multiple individual customers, leveraging the device cost and lowering overall total cost of ownership (TCO) with easier maintenance, management and support.

    Once a custom VSYS has been created by the admin, it provides the logical segmentation of the system. Objects like address book entries, VPN tunnels, users, and the policy rule set then get specifically created and modified under the contextual umbrella of the virtual system. The management interfaces are also specific to the VSYS being configured and managed; each VSYS appears as a discrete security device. This means that each distinct VSYS will have its own WebUI interface, and NetScreen Security Manager connections and views. Importantly, the administrator(s) of one VSYS are isolated to the configuration and operation of their own virtual system. This per-VSYS management is crucial if customers are to be given a management interface into “their own” security system, and is also a necessity in environments where a single central administrator is responsible for configuring and maintaining a number of virtual systems in a complex multi-customer deployment.

    Additional per-VSYS resource configurations include:
    • Authentication mechanisms
    • Dynamic IPs (DIP)
    • Dedicated log information
    • User defined services
    • Web Filtering
    • User defined Zones
    • Deep Inspection
    • User database
    • Mapped IPs (MIP)
  • 9. Virtualization Technologies Overview

    Incoming traffic can be classified into a VSYS based on the source and/or destination of the following information: VLAN, Interface, or IP address, giving great flexibility in how VSYS gets deployed.

    [Figure: Source and/or destination traffic classification into a specific VSYS. Three panels, each showing the Internet feeding VSYS A, VSYS B and VSYS C: VLAN-based VSYS classification; Interface-based VSYS classification; IP address-based VSYS classification.]

    In addition to the one or more custom VSYS, there is a ROOT VSYS that is controlled and administered by a central, overarching security and system administrator, who can access and configure all of the custom VSYS-specific resources, as well as manage any shared resources, such as the SHARED-UNTRUST zone, which is a commonly shared connection to the Internet used by multiple internal security zones. The ROOT VSYS administrator also controls the initial assignment of interfaces, zones, and virtual routers to the specific custom VSYS, and also sets up the specific VSYS administrative accounts. Alternatively, all virtual systems can remain under the administration of the service provider's ROOT ADMIN control in centralized management environments.
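The VSYS classification and administration model on this slide, as an added example that is not code from the white paper or from ScreenOS. A packet is assigned to a virtual system by VLAN tag, by ingress interface, or by source/destination IP address; only a ROOT administrator can create virtual systems or change the classification mappings; and a VSYS administrator can change only the policy set of their own virtual system. The page does not state a precedence among the three classification methods, so the VLAN-then-interface-then-IP order used here is an assumption of this model, as are all VSYS names, interfaces, VIDs, addresses and administrator names.

```python
"""
Added example (not from the Juniper white paper): classifying traffic into a
VSYS by VLAN, interface or IP address, and scoping administrative changes to
ROOT or to the admin's own VSYS. The precedence order among the three
classifiers is an assumption of this model; all names and values are constructed.
"""
import ipaddress


class Vsys:
    def __init__(self, name):
        self.name = name
        self.policies = []    # this VSYS's own rule set
        self.admins = set()   # administrators confined to this VSYS


class VsysDevice:
    def __init__(self):
        self.vsys = {"ROOT": Vsys("ROOT")}
        self.root_admins = set()
        self.by_vlan = {}        # VID -> VSYS name
        self.by_interface = {}   # ingress interface -> VSYS name
        self.by_ip = []          # (ip_network, VSYS name); longest prefix wins

    def _require_root(self, actor):
        if actor not in self.root_admins:
            raise PermissionError(f"{actor} is not a ROOT administrator")

    def create_vsys(self, name, actor):
        self._require_root(actor)
        self.vsys[name] = Vsys(name)

    def map_vlan(self, vid, vsys, actor):
        self._require_root(actor)
        self.by_vlan[vid] = vsys

    def map_interface(self, ifname, vsys, actor):
        self._require_root(actor)
        self.by_interface[ifname] = vsys

    def map_ip(self, cidr, vsys, actor):
        self._require_root(actor)
        self.by_ip.append((ipaddress.ip_network(cidr), vsys))

    def classify(self, ingress_if, vid=None, src_ip=None, dst_ip=None):
        """Return the VSYS that owns a packet. Assumed order: VLAN tag, then
        dedicated interface, then IP address (source or destination).
        Unclassified traffic stays with the ROOT VSYS."""
        if vid is not None and vid in self.by_vlan:
            return self.by_vlan[vid]
        if ingress_if in self.by_interface:
            return self.by_interface[ingress_if]
        best = None
        for ip in (src_ip, dst_ip):
            if ip is None:
                continue
            addr = ipaddress.ip_address(ip)
            for net, name in self.by_ip:
                if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                    best = (net, name)
        return best[1] if best else "ROOT"

    def add_policy(self, vsys_name, rule, actor):
        """ROOT may change any VSYS; a VSYS admin only their own."""
        if actor not in self.root_admins and actor not in self.vsys[vsys_name].admins:
            raise PermissionError(f"{actor} cannot administer {vsys_name}")
        self.vsys[vsys_name].policies.append(rule)


def build_demo():
    dev = VsysDevice()
    dev.root_admins.add("root-admin")
    for name in ("vsysA", "vsysB", "vsysC"):
        dev.create_vsys(name, "root-admin")
    dev.vsys["vsysA"].admins.add("alice")             # customer A's own administrator
    dev.map_vlan(100, "vsysA", "root-admin")           # VLAN-based classification
    dev.map_interface("ethernet4", "vsysB", "root-admin")   # interface-based classification
    dev.map_ip("198.51.100.0/24", "vsysC", "root-admin")    # IP-based classification
    dev.map_ip("198.51.100.128/25", "vsysB", "root-admin")  # more specific prefix wins
    return dev


if __name__ == "__main__":
    dev = build_demo()
    print(dev.classify("ethernet1", vid=100), dev.classify("ethernet1", dst_ip="198.51.100.200"))
```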
  • 10. Virtualization Technologies Overview

    [Figure: Logical representation of three virtual systems, each with its own management view: VSYS #1, VSYS #2, VSYS #3.]

    In addition to separate management domains and interfaces, each VSYS consists of its own zones, interfaces and sub-interfaces, as well as virtual routers, address book and policy rule set, and is a functionally separate security device.

    Additional Information:
    Additional information can be found in the following excellent resources:
    • Concepts and Examples Guide, ScreenOS 5.1, Volumes 2 and 6
    • Integrating NetScreen into High-Performance Networks 5.0, education course through Juniper Networks Education Services.

    Copyright © 2004 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, NetScreen-Global PRO, NetScreen-Remote, NetScreen ScreenOS and the NetScreen logo are trademarks and registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks and registered trademarks are the property of their respective companies. Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from Juniper Networks, Inc.