4. Market Dynamics
Cloud Computing Services, Virtualization Top CIO 2011 Priorities
– Gartner, CIO Survey, January 2011
Virtualization 2.0 includes a host of new use cases that range from high availability and DR to hosted clients and true utility computing
– IDC, Worldwide Virtual Machine Software Forecast, August 2011
91% of respondents told Forrester that they are using virtual servers for production workloads. That's up dramatically from 78% in 2010
– Forrester, Storage Choices for Virtual Server Environments, March 2011
The top 3 drivers for deploying new security solutions for virtualized environments are preventing new threats specific to virtual environments, preventing inter-VM threats, and maintaining secure server configurations
– Infonetics, Security for Virtualized Infrastructure, April 2011
"Data sprawl" was rated as a top security issue by the IT professionals surveyed on their opinions about server virtualization
– Kuppinger Cole, Virtualization Security Trends & Insights Surveys, November 2010
5. Security implication of virtualization
[Diagram: physical network versus virtual network. On the physical network, a firewall/IDS sees and protects all traffic between servers. On the virtual network, VM1, VM2 and VM3 on an ESX/ESXi host share a virtual switch above the hypervisor, and physical security is "blind" to the traffic between the virtual machines.]
6. THE ISOLATION CHALLENGE IN THE VSWITCH
VM Isolation Challenge
• vSwitches provide only basic connectivity
• VMs plugged into the same vSwitch have direct access to each other via the hypervisor; that traffic never reaches a physical firewall or IDS
• Port groups that are assigned VLAN IDs still need a layer 3 device for routing between VLANs, so VLANs give coarse segmentation rather than per-VM control
• Distributed vSwitches don't realistically address security
• VM admins can assign vNICs to any network (even accidentally)
7. APPROACHES TO SECURING VIRTUAL NETWORKS
[Diagram: three approaches, each shown as VM1, VM2 and VM3 on an ESX/ESXi host above the hypervisor. 1. VLANs & physical segmentation: traffic is steered out through the virtual switch (VS) to physical devices. 2. Traditional security agents: a regular thick agent for FW & AV runs inside each VM. 3. Integrated virtual security: a virtual security layer sits between the VMs and the virtual switch on the hypervisor.]
9. INDUSTRY RECOGNITION OF VGW
Distinction
• 1st purpose-built virtual firewall
• Widely recognized innovation leader
Most Innovative Company
RSA® Conference 2010
10. THE VGW PURPOSE-BUILT APPROACH
Service Provider & Enterprise Grade
• Three-tiered model: (1) the vGW Security Design VM (the central management center), (2) a vGW Security VM on each ESX or ESXi host, and (3) the vGW engine in the VMware kernel
• VMware Certified (signed binaries!)
• Protects each VM and the hypervisor
• Fault-tolerant architecture (i.e., HA)
• "Secure VMotion" scales to 1,000+ hosts
• "Auto Secure" detects/protects new VMs
Granular, Tiered Defense
• Stateful firewall, integrated IDS, and AV
• Flexible policy enforcement – zone, VM group, VM, individual vNIC
[Diagram: the three tiers. The Security Design VM feeds virtualization-aware partner servers (IDS, SIM, Syslog, Netflow). On each host the vGW VM sits beside VM1-VM3; the vGW engine in the VMware kernel receives packet data through the VMware APIs from any vSwitch (standard, DVS, 3rd party), above the hypervisor.]
11. vGW Security Design VM Architecture
[Diagram: components of the vGW Security Design VM (the management center) and their external connections; the VM itself attaches to a VMware vSwitch or Cisco 1000V.]
• VMware VI-API Connector: pulls the VM inventory from the vCenter Server
• Install / Provisioning server
• Admin/User Web UI & Status; Admin/User XML-RPC interface
• Time Server Connector (NTP)
• Certificate Authority
• Management Connector: control channel to each vGW Security VM
• Netflow Connector: exports to a Netflow Collector
• Syslog Connector: exports to a SIEM/Syslog Collector
• Alerting Engine: SMTP and SNMP
• Policy Processor, VM Ownership Processor, Flow Statistics Engine, Reporting Engine, Caching & DB Optimization Engine
• Policy DB; Netflow & Firewall Log DB
12. vGW SVM and Kernel Architecture
[Diagram: the vGW Security VM and the vGW kernel module on one ESX/ESX(i) host.]
vGW Security VM:
• Management Connector: link to the vGW Security Design VM
• Policy Engine (XML)
• AV & IDS Signatures
• Log Distribution
• Netflow Connector: exports to a Netflow Collector
• Syslog Connector: exports to a SIEM/Syslog Collector
• Control Connector: link to the kernel module
ESX/ESX(i) Kernel:
• vGW VMsafe FastPath Connector and Control Connector
• Per-VM Firewall Engines, each with its own Connection Table
• IDS/IPS Server
• Span Connector: mirrors packets to a Wireshark endpoint
• Packet ingress/egress via the VMware DvFilter
Virtual Switch: VMware vSwitch, VMware dvSwitch, or 3rd party (Cisco 1000V)
13. VGW – PERFORMANCE
[Chart: TCP Throughput Test (standard 1500-byte packet size). See slide notes for details; the measured values are not reproduced on this page.]
14. VGW – MANAGEMENT SCALABILITY & FLEXIBILITY
Multi-Center allows linking of configuration information for multiple Security Design vGW VMs ("linked-mode"); you select which objects you want to sync with delegate centers.
Split-Center allows you to divide one vCenter into separate logical entities for different Security Design vGW VMs, giving complete isolation of data centers.
16. vGW Modules
• Main: dashboard view of the virtual system threats (including VM quarantine view)
• Firewall: firewall policy management and logs
• AntiVirus: full AV protection for VMs
• Compliance: out-of-box and custom rules engine; alerts on VM/host config changes
• Network: visibility of inter-VM traffic flows
• IDS: centralized view of IDS alerts and ability to drill down on attacks
• Introspection: centralized VM view (includes OS, apps, hot fixes, etc.)
• Reports: automated reports for all functional modules
17. VGW – NETWORK VISIBILITY
All VM traffic flows are stored in the database and available for analysis.
Benefits:
• Visibility into all VM communications
• Ability to spot design issues with security policies
• Single click to more detail on a traffic flow
[Screenshot callouts: the Connections tab on a VM shows open traffic flows; the left-hand tree selection navigates the right-hand pane; a custom time interval can be set for troubleshooting.]
18. VGW – FIREWALL
Complete firewall protection for any network traffic to or from a VM.
Benefits:
• Extremely flexible protection down to the vNIC
• Ability to automatically assign policies to VMs
• Ability to quarantine VMs for immediate isolation
• Kernel implementation isolates the connection table and rule base: unlike an in-guest agent, nothing running inside the VM can tamper with them
[Screenshot callout: define a quarantine policy for use on AV, Compliance or Image Enforcer violations.]
19. VGW – IDS
Send selectable traffic flows to the internal IDS engine for deep-packet analysis against a dynamic signature set.
[Screenshot callouts: a security rule filters what is IDS-inspected; review IDS alerts by targets and sources; click on an Alert Type to get further details about the signature that triggered the alert; change "Time Interval" to expand the time slot, or set "Custom Time Period" to review historical data.]
20. VGW – ANTIVIRUS
AntiVirus components are controlled centrally (scanner config, alert viewing, infected file remediation).
[Screenshot callouts: On-Demand and On-Access scan configurations; AV dashboard for quick status understanding; file quarantine.]
21. VGW ANTIVIRUS PERFORMANCE
[Charts (values not reproduced on this page): 1. % performance degradation (30 VMs, MS Office on-access execution time); 2. on-demand file scans, run at ~5 MB/second; 3. VM memory usage (MB); 4. VM disk usage (MB).]
22. VGW – INTROSPECTION
Introspection is the agent-less ability to scan a VM's virtual disk contents to understand what's installed: OS, service pack, applications, registry values.
Benefits:
• Know exactly what's installed in a VM and automatically attach the relevant security policy
• Categorize discovered values and easily determine install states (Application and VM views)
• Use Image Enforcer to define a "gold" image (template or VM), then discover how VMs deviate from it across time
• Works for Windows and Linux
23. VGW – COMPLIANCE
The compliance module includes pre-defined rules based on virtual security best practices and an engine so customers can define their own rules.
Benefits:
• Define rules on any VM or VM group (alerts and reports for compliance rule violations)
• Automatically quarantine VMs into an isolated network if they violate a rule
• Rules relevant to both VM and host configuration
• Enhanced rule editor for intuitive manipulation of attributes
[Screenshot callouts: classifications of checks (VMware best practices, etc.); easily see rule violations.]
24. VGW – REPORTS
Pre-defined and customizable reports covering all solution modules.
Benefits:
• Generate reports in PDF or CSV formats
• Automatically send scheduled reports via email or store them directly in the vGW management center
• Scoping mechanism isolates contents (Customer/Dept A's VMs never show up in Customer/Dept B's report)
[Screenshot callouts: AntiVirus reports; report on Image Enforcer profiles.]
26. AUTOMATION – SMART GROUPS
Smart Groups allow the use of attributes to create dynamic system associations.
Benefits:
• Tie vGW product discoveries (e.g. Introspection results) to Smart Group definitions
• Tie vCenter and VM config attributes to Smart Group definitions
• Attributes are read in real time, so if a VM changes in vCenter it is instantly updated in vGW
• Priority and precedence levels can be defined to tier groups easily
[Screenshot callout: the Smart Groups help capability lets the administrator see the name, description and values of attributes.]
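The evaluation model behind attribute-driven groups, as an added example that is not vGW's own code: each group is a predicate over a VM's current attributes rather than a static member list, and when a VM matches several groups the priority/precedence tier decides whose policy wins. The attribute names, group definitions, policy names and the VM inventory are all constructed for illustration.

```python
"""Added example, not vGW's own code: evaluating attribute-based Smart
Groups over a VM inventory, with priority/precedence deciding which group's
policy wins when a VM matches several. Attribute names, group definitions,
policy names and the inventory are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class VM:
    """One VM as vGW would see it: vCenter attributes (tenant, VLAN) merged
    with vGW discoveries such as Introspection results (os, apps, deviation
    from the gold image)."""
    name: str
    attrs: Dict[str, object]


@dataclass(order=True)
class SmartGroup:
    """A dynamic group: membership is a predicate over VM attributes, never a
    static list of VM names. Lower priority number = higher precedence."""
    priority: int
    name: str
    predicate: Callable[[VM], bool] = field(compare=False)
    policy: str = field(compare=False)  # firewall policy bound to members


DEFAULT_POLICY = "default-deny"  # assumed fallback for VMs in no group


def evaluate(vms: List[VM], groups: List[SmartGroup]) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Recompute membership from the VMs' current attributes.

    Returns (membership, effective): membership lists every group a VM
    matches in precedence order; effective is the policy of the highest-
    precedence match. Nothing is cached, so a changed attribute (as a
    vCenter edit would produce) is reflected on the next call."""
    ordered = sorted(groups)  # by priority, then name for deterministic ties
    membership: Dict[str, List[str]] = {}
    effective: Dict[str, str] = {}
    for vm in vms:
        matched = [g for g in ordered if g.predicate(vm)]
        membership[vm.name] = [g.name for g in matched]
        effective[vm.name] = matched[0].policy if matched else DEFAULT_POLICY
    return membership, effective


def sample_groups() -> List[SmartGroup]:
    """Constructed tiered group definitions (names and policies hypothetical)."""
    return [
        # Tier 0: a VM that drifted from its gold image is quarantined before
        # any tenant policy applies (cf. the Image Enforcer quarantine policy).
        SmartGroup(0, "Quarantine",
                   lambda vm: vm.attrs.get("gold_deviation") is True,
                   "quarantine-isolate"),
        # Tier 10: tenant groups driven by vCenter attributes.
        SmartGroup(10, "Customer-A",
                   lambda vm: vm.attrs.get("tenant") == "A" and vm.attrs.get("vlan") == 221,
                   "customer-a-base"),
        SmartGroup(10, "Customer-B",
                   lambda vm: vm.attrs.get("tenant") == "B" and vm.attrs.get("vlan") == 222,
                   "customer-b-base"),
        # Tier 20: role groups driven by Introspection discoveries.
        SmartGroup(20, "Windows-IIS",
                   lambda vm: str(vm.attrs.get("os", "")).startswith("Windows")
                   and "IIS" in vm.attrs.get("apps", []),
                   "iis-hardening"),
    ]


# Constructed inventory, not real vCenter data.
SAMPLE_INVENTORY = [
    VM("web-a-01", {"tenant": "A", "vlan": 221, "os": "Windows Server 2008 R2",
                    "apps": ["IIS"], "gold_deviation": True}),
    VM("db-a-01", {"tenant": "A", "vlan": 221, "os": "Linux",
                   "apps": ["mysqld"], "gold_deviation": False}),
    VM("web-b-01", {"tenant": "B", "vlan": 222, "os": "Windows Server 2008 R2",
                    "apps": ["IIS"], "gold_deviation": False}),
    VM("tmp-01", {"tenant": None, "vlan": 99, "os": "Linux",
                  "apps": [], "gold_deviation": False}),
]


if __name__ == "__main__":
    members, policy = evaluate(SAMPLE_INVENTORY, sample_groups())
    for name in policy:
        print(f"{name:10} groups={members[name]} policy={policy[name]}")
    # Simulate a vCenter change: tmp-01 is re-tagged into customer A's VLAN.
    SAMPLE_INVENTORY[3].attrs.update(tenant="A", vlan=221)
    print("after re-tag:", evaluate(SAMPLE_INVENTORY, sample_groups())[1]["tmp-01"])
```

The point of the tiering is visible on web-a-01: it belongs to Customer-A and Windows-IIS, but because it deviates from its gold image the tier-0 Quarantine group wins and its effective policy is the isolation policy, which is the behaviour the Image Enforcer quarantine on the firewall slide relies on.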
27. Xerox Implementation
Customer Goals
• Develop a multi-tenant virtualized data hosting cloud on VMware
• Ability to secure each guest VM in a mixed workload environment
• Utilize a custom portal for customers (long term)
Resolved firewall complexity and increased network visibility
Why Juniper?
vGW was selected because of the tight integration with vCenter, the ability to dynamically apply policy to new VMs (Smart Groups) and the robust firewall feature set.
vGW enables complete control and compliance in the cloud.
28. AUTOMATION – VGW CLOUD SECURITY SDK
Policy Automation of security policy controls
• Security integration into the VM provisioning process
• Policy delegation to group admins or end-users
• Multi-tenant policy management
XML-RPC based API
• Programmatically control VM policy configuration
• APIs for all functions done within the UI
Cloud SDK download location: https://www.juniper.net/support/products/vgw/#sw
SDK contains:
• XML-RPC API documentation
• Python scripts implementing the APIs
• Web portal application – PoC for user-delegated policy controls
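What a provisioning hook against an XML-RPC policy API looks like, as an added example that is not the vGW Cloud Security SDK and does not use its documented calls: the method names (assign_policy, get_policy), the tenant and policy names, and the in-process server that stands in for the management center are all hypothetical. The shape it demonstrates is the one the slide describes, namely a workflow step that binds policy programmatically right after a VM is created, and a server that enforces tenant scope so that a delegated admin cannot bind a policy outside its own tenant.

```python
"""Added example, not the vGW Cloud Security SDK: a provisioning hook that
binds a firewall policy to a newly created VM through an XML-RPC API, with the
server enforcing tenant scope on delegated policy changes. The method names,
tenant/policy data and the in-process server are hypothetical stand-ins; the
real SDK documents its own calls."""
import threading
from xmlrpc.client import Fault, ServerProxy
from xmlrpc.server import SimpleXMLRPCServer


class PolicyStore:
    """Stand-in for the management center's policy API. Every method takes the
    calling tenant explicitly so that delegation can be checked server-side;
    a real deployment would derive the tenant from the authenticated session."""

    def __init__(self) -> None:
        self.assignments = {}  # vm name -> (tenant, policy)
        # Constructed delegation table: which policies each tenant admin may bind.
        self.delegated = {"A": {"customer-a-base", "customer-a-dmz"},
                          "B": {"customer-b-base"}}

    def assign_policy(self, tenant: str, vm: str, policy: str) -> bool:
        if policy not in self.delegated.get(tenant, set()):
            # An exception raised here reaches the caller as an XML-RPC Fault.
            raise ValueError(f"policy {policy!r} is not delegated to tenant {tenant!r}")
        self.assignments[vm] = (tenant, policy)
        return True

    def get_policy(self, tenant: str, vm: str) -> str:
        rec = self.assignments.get(vm)
        if rec is None or rec[0] != tenant:
            raise ValueError(f"VM {vm!r} is not visible to tenant {tenant!r}")
        return rec[1]


def start_server() -> SimpleXMLRPCServer:
    """Loopback XML-RPC server on an ephemeral port. Plain HTTP is acceptable
    only because it never leaves 127.0.0.1; a real API must sit behind TLS."""
    srv = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
    srv.register_instance(PolicyStore())
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def provision_hook(url: str, tenant: str, vm: str, policy: str) -> str:
    """Step a provisioning workflow runs right after vCenter creates the VM:
    bind the policy, then read it back to confirm before the VM is powered on."""
    api = ServerProxy(url)
    api.assign_policy(tenant, vm, policy)
    return api.get_policy(tenant, vm)


def run_demo() -> dict:
    """Bind a policy as tenant A, then show tenant B being refused a policy
    outside its delegated scope. Returns both outcomes."""
    srv = start_server()
    url = "http://127.0.0.1:%d/" % srv.server_address[1]
    try:
        result = {"tenant_a": provision_hook(url, "A", "web-a-02", "customer-a-base")}
        try:  # tenant B tries to bind a policy it has not been delegated
            provision_hook(url, "B", "web-b-02", "customer-a-base")
            result["cross_tenant"] = "allowed"
        except Fault as fault:
            result["cross_tenant"] = fault.faultString
        return result
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The scope check lives on the server, not in the portal: a delegated user who scripts the API directly instead of going through the web portal gets the same refusal.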
31. Integrated with Juniper Data Center Security
[Diagram: vGW (ALTOR) on VMware vSphere protecting VM1-VM3, with vGW central policy management. Integration points: firewall event syslogs and Netflow for inter-VM traffic are sent to STRM; zone synchronization and traffic mirroring connect vGW to the network (Juniper SRX and Juniper IDP).]
32. SRX AND VGW – MICRO-SEGMENTATION
[Diagram: two hosts, ESX-1 and ESX-2, each running vGW, connected through data center switching to an SRX5800. The blue VMs on ESX-1 belong to customer "A" in zone 1 = VLAN 221.]
1. Create an SRX zone "A" for customer "A" with VLAN 221
2. Create an SRX zone policy: source any, destination zone "A", action reject
3. Tell vGW about the SRX and customer "A"
4. Refine "Smart Groups" with customer "A" VM information
5. Create vGW policy to segment within customer "A" VMs
The SRX policy in step 2 is the coarse inter-zone control (traffic from other zones into customer "A" is rejected); the vGW policy in step 5 is the fine-grained intra-zone control between customer "A"'s own VMs, which the SRX never sees because that traffic stays inside the vSwitch.
33. CONCLUSION
vGW enables virtualization and clouds
• Purpose-built approach maximizes throughput, capacity and scale
• Industry benchmark for administrative ease and scale
• Innovation makes enforcement granular and dynamic
• Complete suite of security and visibility tools for virtual environments
vGW as part of Juniper data center security
• Comprehensive protection for all workloads
• Extended security through several points of integration