ALTERNATIVES FOR SECURING VIRTUAL NETWORKS
A Different Network Requires a Different Approach—Extending Security to the Virtual World
White Paper. Copyright © 2013, Juniper Networks, Inc.
Table of Contents
Executive Summary
Introduction
  VM Security Challenges
  VMware Technologies Bring Added Challenges
  Extending Physical Security to the Virtual Arena
  Limitations of Firewalls Built for a Different World
  Securing the Virtual Machine
Firefly Host
  Enforcing Security Policies
  Continuous Protection for Migrating VMs
  Detecting Intrusions Without Adding Overhead
  Supporting Administrators
  Processes for Installing a Firewall in the Virtual Network
Conclusion—Securing the Whole Enterprise Network
About Juniper Networks
Executive Summary

Invisible networks are spreading within data centers. Virtualization of computing hardware creates networks of VMs inside physical servers, and traditional network monitoring and security tools can neither see nor control the growing volume of traffic between those VMs. Enterprises are increasingly concerned about the risks of virtual networks, which range from malware spreading unchecked between VMs to trusted and untrusted systems sharing one segment. Some have scaled back the scope, and with it the economic benefits, of virtualization. Others have tried to apply traditional security to the virtual environment, but key virtualization technologies such as VMotion from VMware break the models that physical network tools were built on.

Juniper Networks® Firefly Host* has been purpose-built to mitigate the risks of virtual networks while preserving the ROI of virtualization. A next-generation security solution designed specifically for the virtual environment, Firefly Host monitors and controls inter-VM traffic and enforces security policies at the level of the individual VM. Because it was designed from scratch for current virtualization technologies, it provides the thorough protection and ease of operation that traditional physical networking products and workarounds lack. This white paper examines the virtualization issues that challenge today's data centers and discusses the options for securing virtual networks.

* Formerly vGW Virtual Gateway.

Introduction

VM Security Challenges

An increasingly large share of data center traffic now flows between VMs within a single virtualization server, on the virtual network, yet VM and network administrators have minimal ability to see or control that inter-VM communication. By default, every VM on a host can talk directly to every other VM through a simple virtual switch, with no inter-VM traffic monitoring and no policy-based inspection or filtering. Inter-VM traffic on a host never touches the physical network: it is invisible to traditional network monitoring tools and unprotected by physical network security devices. VMs are therefore highly exposed. For example, a buffer overflow in a vulnerable application can let an attacker run arbitrary code in one VM, and with no packet inspection or filtering on the virtual network, that attacker can reach every other VM resident on the host and attack it directly.

Experienced security professionals know that IT workloads with different levels of trust should never share a security domain. Mixing trust levels turns a compromise of the less trusted workload into a path to the more trusted one, exposing confidential data to unauthorized parties. A Web server that serves the general public or all employees, for example, must not have an unfiltered connection to an enterprise resource planning (ERP) system holding private employee data or unreleased financials. Most IT-related government and industry regulations require enterprises to take steps to prevent such trust-level breaches. Yet for various reasons, VMs with different trust levels often end up on the same host with nothing filtering the traffic between them. It is easy even for non-IT employees to create and deploy new VMs, so the potential for mixing trust levels is greater than in the physical world, where provisioning a new physical server takes more time and planning. It is also easy to combine trusted and untrusted workloads in one security domain by accident when moving a VM from a low-trust test environment into a more trusted production environment. Using offshore contractors for development or QA increases this exposure further.

VMware Technologies Bring Added Challenges

VMware live migration technologies, VMotion and DRS, magnify the potential for inadvertently mixing trust levels. Realizing the full economic benefits of virtualization requires VMotion, but the downside is unpredictable combinations of trusted and untrusted VMs sharing the same virtual subnet. The financial case for virtualization often rests on maximizing capacity utilization, that is, on hosting more and more VMs on a single piece of hardware, so IT groups may have little incentive to assess trust levels and strictly segregate VM workloads accordingly. To make matters worse, VM administrators may not realize that the safeguards shielding sensitive data and critical applications on the physical LAN simply do not exist inside a virtualization server.

Faced with the real risks of mixed trust levels in virtual environments, some network security professionals have reined in the scope of virtualization. Some strictly limit the number of VMs per physical host, perhaps assigning a separate physical network interface card (NIC) to each, to isolate VMs from one another. Some go so far as to prohibit VMotion, DRS, or both. The disadvantage of this "brute force" approach is that it forfeits much of the operating and capital cost saving that virtualization offers: buying, powering, cooling, hosting, and maintaining extra hardware purely to address security concerns is an expensive solution that can severely damage a project's ROI.
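The trust-mixing problem described above can be audited mechanically from a placement snapshot. The following is an added example, not code from the white paper: it assumes an inventory of VMs with a host, a VLAN and a trust label (all names constructed here) and reports pairs of VMs with different trust levels that share a VLAN with no per-VM firewall between them, distinguishing pairs on the same host, whose traffic never reaches the physical network, from pairs whose traffic crosses the physical switch.

```python
"""Audit a VM placement snapshot for mixed trust levels on a shared, unfiltered VLAN.

Added example, not code from the Juniper white paper. The inventory format, the
trust labels and the VM/host names are constructed for illustration; a real run
would populate VMS from vCenter instead of the list below.
"""
from collections import defaultdict
from itertools import combinations
from typing import NamedTuple

# Ordered trust levels: later entries are more trusted (more sensitive) workloads.
TRUST_ORDER = ("untrusted", "internal", "restricted")


class VM(NamedTuple):
    name: str
    host: str   # ESXi host the VM currently runs on; changes on every VMotion/DRS move
    vlan: int   # VLAN of the VM's port group; VMs on one VLAN form one L2 domain
    trust: str  # one of TRUST_ORDER


class Finding(NamedTuple):
    vlan: int
    lower: str       # less trusted VM
    higher: str      # more trusted VM it can reach without filtering
    same_host: bool  # True: the traffic never leaves the host, so no physical tool sees it


def find_mixed_trust(vms, protected=frozenset()):
    """Return Findings for VM pairs on the same VLAN that differ in trust level.

    `protected` names VMs that have a per-VM firewall attached; a pair is skipped
    when either side is protected, because that firewall inspects the flow.
    """
    by_vlan = defaultdict(list)
    for vm in vms:
        if vm.trust not in TRUST_ORDER:
            raise ValueError(f"{vm.name}: unknown trust label {vm.trust!r}")
        by_vlan[vm.vlan].append(vm)

    findings = []
    for vlan in sorted(by_vlan):
        members = sorted(by_vlan[vlan], key=lambda v: v.name)
        for a, b in combinations(members, 2):
            if a.trust == b.trust or a.name in protected or b.name in protected:
                continue
            low, high = sorted((a, b), key=lambda v: TRUST_ORDER.index(v.trust))
            findings.append(Finding(vlan, low.name, high.name, a.host == b.host))
    return findings


def after_migration(vms, name, new_host):
    """Return a new snapshot with one VM moved to another host, as VMotion/DRS would.

    The VLAN is unchanged (VMotion requires the same network on the destination),
    but which pairs are now host-local, and therefore invisible to the physical
    network, does change, so the audit has to be rerun after every move.
    """
    return [vm._replace(host=new_host) if vm.name == name else vm for vm in vms]


# Constructed snapshot: public web front ends share VLAN 10 with the ERP tier.
VMS = [
    VM("web-01", "esx-a", 10, "untrusted"),
    VM("web-02", "esx-a", 10, "untrusted"),
    VM("erp-db", "esx-a", 10, "restricted"),
    VM("erp-app", "esx-b", 10, "restricted"),
    VM("build-1", "esx-b", 20, "internal"),
]

if __name__ == "__main__":
    for f in find_mixed_trust(VMS):
        where = "on the same host, unseen by the physical network" if f.same_host else "across hosts"
        print(f"VLAN {f.vlan}: {f.lower} can reach {f.higher} unfiltered {where}")
    # DRS moves erp-app onto esx-a: the erp-app findings become host-local too.
    moved = after_migration(VMS, "erp-app", "esx-a")
    print(sum(f.same_host for f in find_mixed_trust(moved)), "host-local findings after migration")
    # Attaching a per-VM firewall to the ERP tier clears every finding.
    print(len(find_mixed_trust(VMS, protected={"erp-db", "erp-app"})), "findings with the ERP tier protected")
```

Because VMotion keeps a VM's VLAN but changes its host, the set of host-local pairs changes with every DRS move; the audit is only as current as the snapshot it reads, which is the operational reason the paper gives for enforcement that travels with the VM rather than a one-time segmentation review.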
4.
4 Copyright ©
2013, Juniper Networks, Inc. White Paper - Alternatives for Securing Virtual Networks Extending Physical Security to the Virtual Arena Other enterprises have tried securing VMs by extending physical network security to the virtual arena. Most often, they assign a small group of VMs or even a single VM to its own host-based VLAN to achieve segmentation and isolation. A major drawback of VLAN-based security is the growth in complexity and administrative costs that occurs as the VM population grows. Costs accelerate due to the extra time needed to: • Set up and maintain VLANs for each new virtualization server and VM group • Synchronize VLAN configurations on virtual and physical switches • Troubleshoot and fix configuration errors such as assigning a VM to the wrong VLAN • Manage the growth and complexity of access control lists as VLANs proliferate • Ensure compatibility between physical network and virtual network security policies All of these factors apply to a static VM environment. They can become far worse if the enterprise uses VMotion, with VMs continually on the move between hosts and virtual switches. Despite all of the added cost and complexity, host-based VLANs leave a security gap whenever more than one VM is assigned to a given VLAN. Without a traffic monitoring and filtering mechanism, inter-VM communication within the VLAN remains invisible and outside the realm of traditional policy enforcement. Limitations of Firewalls Built for a Different World Some security managers have tried using traditional perimeter firewalls to secure virtual networks. They redirect inter- VM traffic to physical firewalls for inspection and then send it back into the virtualization servers. Alternatively, some try installing perimeter firewalls as VMs on virtual servers. Both schemes suffer from major limitations. The leading perimeter firewalls were architected years before the newer features of virtualization existed. 
As such, they lack tight integration with virtualization management systems such as VMware vCenter. This makes deployment and administration highly manual, arduous, and error-prone processes. Also, traditional firewalls aren’t able to maintain state information or provide continuous protection for VMs during VMotion or DRS. Network security administrators must undertake constant and labor-intensive firewall policy adjustments to account for VMs traveling between physical servers. External perimeter firewalls have the additional limitation of being incapable of inspecting or filtering inter-VM communications. Conversely, running perimeter firewalls on virtualization servers can create an unacceptably large overhead burden due to their typically high resource requirements. If the perimeter firewalls are supplemented with an intrusion prevention system (IPS) running on the host, there may be little capacity left for applications. Securing the Virtual Machine Finally, none of the workarounds or applications of physical network technology to the virtual environment addresses the threat of the rogue VM. New virtual machines typically begin life with their network ports open and many protocols available to many sources. As such, a new VM deployed in any way that is not completely isolated from every other VM becomes an instant source or destination for malware or other exploit. Clearly, virtualized environments demand security measures specifically designed for them. Only purpose-built defenses can preserve virtual network security, regulatory compliance, and the financial benefits of virtualization. Firefly Host Juniper Networks Firefly Host addresses the inadequacies and excessive costs of applying physical security measures to virtual networks, and has been architected for the virtual environment and its unique challenges. Firefly Host is the first purpose-built stateful firewall that mitigates virtual network risks while maintaining virtualization ROI. 
Enforcing Security Policies

Firefly Host installs as a virtual appliance on each virtualization host and inspects all traffic to and from each VM guest. Administrators use a web-based management console to define and centrally manage traditional firewall rules: allowed and rejected sources, destinations, protocols, the action to take, and so on. Rules can apply to all VMs, to a group of VMs with similar connectivity and security needs (such as web servers), or to a single VM, and the policies built from them are enforced at the global, group, and per-VM levels. This three-tiered rule and policy structure simplifies administration while giving network administrators granular control of virtual network traffic. Where older firewall technologies often require manual replication of rules across multiple physical firewalls, Firefly Host provides "write once, protect many" efficiency.
Continuous Protection for Migrating VMs

Using VMotion, administrators can conduct virtualization hardware maintenance with little or no application downtime, and also maximize hardware capacity utilization. The inability of host-based VLANs or legacy firewalls to secure these high-value capabilities and protect VMs "in flight" highlights the need for purpose-built virtual network security. With Firefly Host, the virtual firewall is "attached" to a VM at all times and travels with it during a VMotion event. This assures continuous security policy enforcement before, during, and after every live migration. Just as importantly, Firefly Host maintains the connection state of all applications within the migrating VM, so established sessions survive the move without being dropped and re-evaluated on the destination host. Only Firefly Host provides this combination of "always on" protection and virtualization feature support.

Detecting Intrusions Without Adding Overhead

While controlling traffic and enforcing policies is paramount for virtualization security, being able to detect attacks occurring exclusively within the virtual network is also extremely valuable. The challenge is to avoid burdening the virtualization server with the heavy processing overhead characteristic of a network IDS. Attack signatures and detection techniques are essentially the same in the physical and virtual environments, so it can make sense to leverage existing physical IDS/IPS systems. Firefly Host makes this possible with rule-based mirroring of virtual network traffic to external network devices: only the flows that match an administrator's mirror rules are copied out of the host, so the existing sensor sees the inter-VM traffic it would otherwise miss while the hypervisor does no signature matching itself. The advantages of this approach to intrusion detection and prevention are minimal additional cost or overhead and continuous monitoring during VMotion events.

Numerous studies have identified human error as a primary cause of security breaches. Mistakes such as misconfigurations can expose vulnerable applications and servers to attack. The problem is especially severe in the virtual world, where the phenomenon of "VM sprawl" is evidence that virtualization is occurring outside established change management processes and other IT checks. Firefly Host mitigates the risks of VM sprawl. It automatically applies an administrator-defined default firewall policy to every newly created VM, closing any security holes before they can be exploited. For example, a default policy might allow only specified administrative protocols while blocking all other traffic. The initial policy can be customized when the security posture and connectivity needs of the VM are better understood.

Supporting Administrators

Security considerations alone make Firefly Host the right choice for protecting VMs. In addition, the solution is much easier to set up and maintain than the alternatives. As shown in Table 1, automated installation allows administrators to deploy Firefly Host with a few clicks. By contrast, deploying a legacy firewall in a virtual environment is a cumbersome process with many opportunities for error.

Table 1. Administration Requirements (traditional firewall vs. Firefly Host): Processes for Installing a Firewall in the Virtual Network

Traditional Firewall
1. Create a new vSwitch
2. Create promiscuous port group on original vSwitch
3. Create promiscuous port group on new vSwitch
4. Create firewall VM
   a. Copy VM archive
   b. Extract VM files
   c. Add VM to vCenter
   d. Configure NIC connections
5. For each port group to be secured, create a mirror of it on the secured vSwitch
6. Move each VM to be secured to the new vSwitch/port group
7. Remove previous port group
8. Create new secured port group using name of original port group
9. Move VMs to final port group

Firefly Host
1. Click items to secure in UI (entire ESX server, specific port group, etc.)
2. Click "Secure" button
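Three of the properties described in the sections above, the global/group/per-VM rule tiers under Enforcing Security Policies, a policy that follows the VM through a VMotion rather than staying with the host, and a default policy for every newly created VM, come down to one design decision: policy is keyed by the VM, not by the host or port it happens to be on. The following is an added example written for this page, not Firefly Host's implementation or any Juniper code; the rule syntax, the tier networks, the management network and the VM names are all constructed for the example.

```python
# Added example (not Juniper's code): a model of the three-tiered rule
# structure described above, with the policy bound to the VM rather than to the
# host, and a default policy for VMs nobody has classified yet. Rule syntax,
# networks and VM names are constructed for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port
    comment: str = ""

    def matches(self, flow):
        return ((self.proto == "any" or self.proto == flow["proto"])
                and ip_address(flow["src"]) in ip_network(self.src)
                and ip_address(flow["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == flow.get("dport")))


MGMT_NET = "10.0.0.0/24"   # constructed management network
WEB_NET = "10.1.0.0/24"    # constructed tier networks
APP_NET = "10.2.0.0/24"

# Tier 1: rules every classified VM gets, evaluated first so no group or
# per-VM rule can override them.
GLOBAL_RULES = (
    Rule("deny", "tcp", dport=23, comment="telnet prohibited everywhere"),
    Rule("allow", "tcp", src=MGMT_NET, dport=22, comment="ssh from management"),
)

# Tier 2: rules shared by a group of VMs with the same connectivity needs.
GROUP_RULES = {
    "web": (Rule("allow", "tcp", dport=443, comment="https to web tier"),),
    "app": (Rule("allow", "tcp", src=WEB_NET, dport=8080, comment="web tier to app tier"),),
    "db":  (Rule("allow", "tcp", src=APP_NET, dport=5432, comment="app tier to db only"),),
}

# Applied to a VM that has no group and no per-VM rules: administrative
# access only, everything else blocked until someone classifies the VM.
DEFAULT_POLICY = (
    Rule("allow", "tcp", src=MGMT_NET, dport=22, comment="default: ssh from management"),
    Rule("deny", comment="default: deny all"),
)

IMPLICIT_DENY = Rule("deny", comment="implicit deny")


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    host: str                        # where the VM runs now; policy_for never reads it
    group: Optional[str] = None
    vm_rules: Tuple[Rule, ...] = ()  # tier 3: exceptions for this VM alone


def policy_for(vm):
    """Ordered rule list for a VM; depends on the VM's identity, never its host."""
    if vm.group is None and not vm.vm_rules:
        return list(DEFAULT_POLICY) + [IMPLICIT_DENY]
    return (list(GLOBAL_RULES) + list(GROUP_RULES.get(vm.group, ()))
            + list(vm.vm_rules) + [IMPLICIT_DENY])


def decide(vm, flow):
    """First matching rule wins. The flow must involve the VM being protected."""
    if vm.ip not in (flow["src"], flow["dst"]):
        raise ValueError(f"flow does not involve {vm.name}")
    for rule in policy_for(vm):
        if rule.matches(flow):
            return rule.action, rule.comment
    return IMPLICIT_DENY.action, IMPLICIT_DENY.comment  # policy always ends in a deny


def migrate(vm, new_host):
    """A VMotion changes only the host; the VM, and therefore its policy, is unchanged."""
    return VM(vm.name, vm.ip, new_host, vm.group, vm.vm_rules)


# Constructed VMs: two classified tiers and one brand-new, unclassified VM.
WEB01 = VM("web01", "10.1.0.10", "esx01", "web")
DB01 = VM("db01", "10.3.0.10", "esx01", "db")
NEW01 = VM("new01", "10.9.0.5", "esx02")

if __name__ == "__main__":
    https = {"proto": "tcp", "src": "203.0.113.7", "dst": WEB01.ip, "dport": 443}
    print("web01 https:", decide(WEB01, https))
    print("web01 https after VMotion:", decide(migrate(WEB01, "esx02"), https))
    print("web01 -> db01 postgres:",
          decide(DB01, {"proto": "tcp", "src": WEB01.ip, "dst": DB01.ip, "dport": 5432}))
    print("new01 https:", decide(NEW01, {"proto": "tcp", "src": "203.0.113.7",
                                         "dst": NEW01.ip, "dport": 443}))
```

Two things are worth noticing. `decide` gives the same answer for web01 before and after `migrate`, which is the whole of the "policy travels with the VM" property; a host-based VLAN or a firewall keyed on a physical port cannot say that. And a freshly created VM such as new01 is reachable only over SSH from the management network until somebody gives it a group, which is the default-policy behaviour the paper describes for VM sprawl. Per-VM rules (tier 3) are where a one-off exception goes, for example DBA access to a single database VM, without touching the group that every other database VM shares.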
Administrators need to know both the operational and security status of a VM in order to troubleshoot problems and design policies most effectively. That is why, after installation, Firefly Host automatically connects with vCenter and imports operating data on all VMs. The Firefly Host dashboard shows live statistics on each VM's resource utilization along with its network activity. The solution also synchronizes automatically and on demand with vCenter so that newly created VMs are secured quickly.

Monitoring, logging, and analyzing inter-VM traffic at the individual VM level is a prerequisite for creating a secure environment. Accordingly, Firefly Host provides the same real-time views of traffic into and out of each VM that the Altor Networks Virtual Network Security Analyzer (VNSA) offers. It outputs firewall log data in syslog format, extending the coverage of existing security event correlation (SIEM) systems to the virtual network. It uses SNMP traps to send administrator alerts through existing network management systems. And it provides printable reports of historical VM traffic trends over configurable periods to support compliance audits and to help with firewall policy definition.

Conclusion—Securing the Whole Enterprise Network

An increasingly large share of data center network traffic is occurring between virtual machines within a virtualization server, on the virtual network, yet VM and network administrators have minimal ability to see or control inter-VM communication. Inter-VM traffic on a host does not touch the physical network, so it is invisible to traditional network monitoring tools and unprotected by physical network security devices. As a result, traditional network monitoring and security measures are unable to manage the growing volume of inter-VM traffic effectively, leaving VMs highly vulnerable to attack. It is hard to justify a lower security posture for the virtual network than for its physical counterpart; in many cases, the data passing between VMs arguably needs a higher level of security. The cost, complexity, and security limitations of using physical network security within the virtual environment rule out pre-virtualization technologies as viable choices. Only Juniper Networks' pioneering, purpose-built Firefly Host provides the thorough, continuous, and efficient security required by today's virtualized data centers.

About Juniper Networks

Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.juniper.net.

Corporate and Sales Headquarters: Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA. Phone: 888.JUNIPER (888.586.4737) or +1.408.745.2000. Fax: +1.408.745.2100. www.juniper.net
APAC and EMEA Headquarters: Juniper Networks International B.V., Boeing Avenue 240, 1119 PZ Schiphol-Rijk, Amsterdam, The Netherlands. Phone: +31.0.207.125.700. Fax: +31.0.207.125.701
To purchase Juniper Networks solutions, please contact your Juniper Networks representative at +1-866-298-6428 or authorized reseller.

2000382-003-EN Nov 2013. Copyright 2013 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos and QFabric are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Printed on recycled paper.