CONNECTED VIRTUALISATION WESTCON 5-DAAGSE / SALES 13 FEBRUARY 2012 Dennis de Leest Security Systems Engineer.


2 Copyright © 2011 Juniper Networks, Inc. VIRTUALIZATION CHALLENGES

3 MEGA TREND – SERVER VIRTUALIZATION (chart: capital savings from server virtualization; source: IDC)

4 SECURITY IMPLICATION OF VIRTUALIZATION
Physical network: servers attach to the physical network, and the firewall/IDS sees and protects all traffic between servers.
Virtual network: VM1, VM2 and VM3 run on an ESX/ESXi host and talk to each other through the hypervisor's virtual switch, so physical security is "blind" to traffic between virtual machines.

5 THE ISOLATION CHALLENGE IN THE VSWITCH
VM isolation challenge:
 vSwitches provide only basic connectivity
 VMs plugged into the same vSwitch have direct access to each other via the hypervisor
 Port groups that are assigned VLAN IDs need a layer 3 device for routing
 Distributed vSwitches don't realistically address security
 VM admins can assign vNICs to any network (even accidentally)

6 APPROACHES TO SECURING VIRTUAL NETWORKS (each option shown as VM1, VM2 and VM3 on a vSwitch in an ESX/ESXi host)
1. VLANs & physical segmentation
2. Traditional security agents: a regular thick agent for FW & AV inside each VM
3. Purpose-built virtual security: a virtual security layer in the hypervisor

7 THE GOAL IS SECURE CLOUD COMPUTING (diagram: hosted ESX 1, ESXi 2 and ESX 3 plus remote ESXi 4, ESX 5 and ESXi 6, all under one virtual security layer spanning public, private and hybrid clouds)
Public, private, and hybrid clouds require dynamic and highly integrated security mechanisms to keep information safe!

8 SOLUTION OVERVIEW

9 THE vGW PURPOSE-BUILT APPROACH
Service provider & enterprise grade:
 Three-tiered model
 VMware certified (signed binaries!)
 Protects each VM and the hypervisor
 Fault-tolerant architecture (i.e., HA)
Virtualization-aware:
 "Secure VMotion" scales to 1,000+ hosts
 "Auto Secure" detects/protects new VMs
Granular, tiered defense:
 Stateful firewall, integrated IDS, and AV
 Flexible policy enforcement – zone, VM group, VM, individual vNIC
Diagram, "Security Design for vGW" (three tiers): the vGW engine in the VMware kernel of the ESX or ESXi host, beneath any vSwitch (standard, DVS, 3rd party); the Security Design VM, which talks to Virtual Center over the VMware APIs; and partner servers (IDS, SIM, syslog, NetFlow) that receive packet data.

10 TIGHT INTEGRATION WITH VCENTER
No manual synchronization:
 Complete VM inventory pulled from vCenter
 Security syncs with changes to the virtual infrastructure
VMs identified by their vCenter UUID:
 No need to trust weak associations (such as a VM name or IP address, which a clone can share)
 Differentiate between a VM and its clones
 Maintain correct policy and monitoring throughout change
Validate infrastructure configuration:
 Prevent "backdoor channels"
 Ensure configuration integrity
Automate deployment:
 Deploy firewalls programmatically
 Simplify HA setup by cloning management VMs

11 KEY FEATURES AND BENEFITS

12 vGW MODULES
Main: dashboard view of the virtual system threats (including VM quarantine view)
Network: visibility of inter-VM traffic flows
Firewall: firewall policy management and logs
IDS: centralized view of IDS alerts and ability to drill down on attacks
AntiVirus: full AV protection for VMs
Introspection: centralized VM view (includes OS, apps, hot fixes, etc.)
Compliance: out-of-box and custom rules engine; alerts on VM/host config changes
Reports: automated reports for all functional modules

13 vGW – NETWORK VISIBILITY
Screenshot notes: left-hand tree selection navigates the right-hand pane; the Connections tab shows open traffic flows; custom time interval for troubleshooting; all VM traffic flows are stored in a database and available for analysis.
Benefits:
 Visibility to all VM communications
 Ability to spot design issues with security policies
 Single click to more detail on VMs

14 vGW – FIREWALL
Complete firewall protection for any network traffic to or from a VM.
Benefits:
 Extremely flexible protection down to the vNIC
 Ability to automatically assign policies to VMs
 Ability to quarantine VMs for immediate isolation
 Kernel implementation isolates connection table and rule base
NEW! Define a quarantine policy for use on AV, Compliance or Image Enforcer violations.

15 POLICY MODEL DETAILS
NEW! Individual vNIC policy allows administrators to set different policies on vNICs connected to different vSwitches, or even to the same vSwitch!
Configuration:
 Enable the per-vNIC option in Settings -> Install Settings (vNICs then show up under their VMs)
 Configure the policy via the rule editor for each vNIC
Implement the security granularity you require! (Global, Group, Individual VM, or even individual vNIC)

16 vGW – IDS
Send selectable traffic flows to the internal IDS engine for deep-packet analysis against a dynamic signature set; a security rule filters what is IDS-inspected.
Screenshot notes: review IDS alerts by targets and sources; change "Time Interval" to expand the time slot, or set "Custom Time Period" to review historical data; click on an Alert Type for further details about the signature that triggered the alert.

17 vGW – ANTIVIRUS NEW!
AntiVirus components controlled centrally (scanner config, alert viewing, infected file remediation).
Screenshot notes: AV dashboard for quick status understanding; file quarantine; on-demand and on-access scan configurations.

18 vGW – INTROSPECTION NEW!
Introspection is the agent-less ability to scan a VM's virtual disk contents to understand what's installed – OS, SP, applications, registry values.
Benefits:
 Know exactly what's installed in a VM and automatically attach the relevant security policy!
 Categorize discovered values and easily determine install states (Application and VM views)
 Use Image Enforcer to define a "gold" image (template or VM), then discover how VMs deviate from it over time
 Works for Windows and Linux

19 vGW – COMPLIANCE NEW!
The compliance module includes pre-defined rules based on virtual security best practices and an engine so customers can define their own rules.
Benefits:
 Define rules on any VM or VM group (alerts and reports for compliance rule violations)
 Automatically quarantine VMs into an isolated network if they violate a rule
 Rules relevant to both VM and host configuration
 Enhanced rule editor for intuitive manipulation of attributes
Screenshot notes: classifications of checks (VMware best practices, etc.); rule violations are easy to see.
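As an added example (not vGW code, and not Juniper's or VMware's) of the behaviour described on slides 5, 10, 18 and 19: VMs are keyed by their vCenter UUID so a clone with the same name does not inherit its parent's standing, the rules cover both VM configuration (a vNIC attached to another customer's port group) and host configuration (a vSwitch that accepts promiscuous mode), a "gold image" hotfix baseline stands in for what introspection and Image Enforcer would discover, and only the rules chosen to trigger quarantine do so. The inventory, attribute names, rule names and UUIDs are constructed for the example; they are not vSphere API fields.

```python
"""Compliance-rule engine over a constructed vSphere-style inventory.

Added example, not vGW or VMware code. Attribute and rule names are
assumptions made for the illustration, not vSphere API fields.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Host:
    name: str
    # vSwitch security policy: does the host's vSwitch accept promiscuous mode?
    promiscuous_allowed: bool


@dataclass
class VM:
    uuid: str                 # vCenter UUID: the stable identity; name and IP are not
    name: str
    host: Host
    group: str                # vGW "smart group" membership, e.g. customer A
    port_groups: list[str]    # one entry per vNIC
    hotfixes: set[str] = field(default_factory=set)   # discovered by introspection
    quarantined: bool = False


# Which port groups each smart group's vNICs may attach to (constructed).
ALLOWED_PORT_GROUPS = {
    "custA": {"PG-custA-web", "PG-custA-db"},
    "custB": {"PG-custB"},
}
# Hotfixes present on the "gold" image every VM is measured against (constructed).
GOLD_HOTFIXES = {"KB2011111", "KB2012222"}

# A rule is (name, predicate); the predicate returns True when the VM is compliant.
Rule = tuple[str, Callable[[VM], bool]]

RULES: list[Rule] = [
    # VM configuration: a vNIC on another customer's port group (slide 5's accident)
    ("vnic-in-allowed-port-group",
     lambda vm: all(pg in ALLOWED_PORT_GROUPS[vm.group] for pg in vm.port_groups)),
    # Host configuration: the vSwitch should reject promiscuous mode
    ("host-vswitch-rejects-promiscuous",
     lambda vm: not vm.host.promiscuous_allowed),
    # Image Enforcer style drift from the gold image
    ("gold-image-hotfixes-present",
     lambda vm: GOLD_HOTFIXES <= vm.hotfixes),
]


def evaluate(vms: list[VM], rules: list[Rule] = RULES,
             quarantine_on: tuple[str, ...] = ("vnic-in-allowed-port-group",)) -> dict[str, list[str]]:
    """Return {vm uuid: [names of violated rules]} and flag for quarantine
    every VM that fails a rule listed in quarantine_on. Findings are keyed by
    UUID, so a clone that shares its parent's name gets its own entry."""
    findings: dict[str, list[str]] = {}
    for vm in vms:
        failed = [name for name, compliant in rules if not compliant(vm)]
        if failed:
            findings[vm.uuid] = failed
            if any(name in quarantine_on for name in failed):
                vm.quarantined = True
    return findings


def build_inventory() -> list[VM]:
    """Constructed sample: two hosts, three VMs including a clone of web-a."""
    esx1 = Host("esx-1", promiscuous_allowed=False)
    esx2 = Host("esx-2", promiscuous_allowed=True)    # misconfigured host
    return [
        VM("4223e0a2-0000-0000-0000-000000000001", "web-a", esx1, "custA",
           ["PG-custA-web"], {"KB2011111", "KB2012222"}),
        # second vNIC accidentally attached to customer B's port group
        VM("4223e0a2-0000-0000-0000-000000000002", "db-a", esx1, "custA",
           ["PG-custA-db", "PG-custB"], {"KB2011111", "KB2012222"}),
        # clone of web-a: same name, new UUID, built before the second hotfix
        VM("4223e0a2-0000-0000-0000-000000000003", "web-a", esx2, "custA",
           ["PG-custA-web"], {"KB2011111"}),
    ]


if __name__ == "__main__":
    inventory = build_inventory()
    for uuid, failed in evaluate(inventory).items():
        vm = next(v for v in inventory if v.uuid == uuid)
        state = "QUARANTINED" if vm.quarantined else "alert"
        print(f"{vm.name} ({uuid}): {state}: {', '.join(failed)}")
```

The predicate-per-rule shape is what lets a customer-defined rule sit beside the built-in ones, and the quarantine set is kept separate from the rule list so a noisy drift rule can alert without isolating a VM.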

20 vGW – REPORTS
Pre-defined and customizable reports covering all solution modules.
Benefits:
 Generate reports in PDF or CSV formats
 Automatically send scheduled reports, or store them directly in the vGW management center
 Scoping mechanism isolates contents (Customer/Dept A's VMs never show up in Customer/Dept B's report)
NEW! AntiVirus reports, and reports on Image Enforcer profiles.

21 ARCHITECTURE AND SCALABILITY

22 STRM INTEGRATED WITH JUNIPER DATA CENTER SECURITY (diagram)
VM1, VM2 and VM3 with the Altor vGW on VMware vSphere, connected through a Juniper EX switch to a Juniper SRX with IDP and to STRM. Integration points shown: central policy management; zone synchronization; traffic mirroring to the IPS; vGW firewall event syslogs; NetFlow for inter-VM traffic.

23 SRX SERIES INTEGRATION
Firewall zones integration (zone synchronization between SRX Series and vGW).
Benefits:
 Guarantee integrity of zones on the hypervisor
 Automate and verify that no VM is in "policy violation"
 Empower SRX Series with VM awareness

24 SRX AND vGW – MICRO-SEGMENTATION (diagram: data center switching, SRX5800, vGW on ESX-1 and ESX-2)
1. Create an SRX zone "A" for customer "A" with VLAN 221; the blue VMs belong to customer "A" in zone 1 = VLAN 221. Create an SRX zone policy: source any, destination zone "A", action reject.
2. Tell vGW about the SRX and customer "A"; refine "Smart Groups" with customer "A" VM information; create a vGW policy to segment within customer "A"'s VMs.
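As an added example (not Juniper code) of the two-tier design on slides 4, 13 and 24: zones are derived from VLANs as zone synchronization would provide them, the SRX zone policy rejects any traffic entering zone "A" from another zone, and a vGW rule set segments traffic between customer "A"'s own VMs, which never reaches the SRX because it stays inside VLAN 221. Running constructed flow records through it shows which tier decides each flow and what goes unfiltered when no vGW is present. VM names, roles, UUIDs, flows and rule tuples are all constructed, and the rule format is an assumption, not Junos or vGW syntax.

```python
"""Two-tier (SRX zone + vGW intra-zone) policy check over inter-VM flows.

Added example, not Juniper code. Zones, VMs, flows and rule tuples are
constructed; the rule format is an assumption, not Junos or vGW syntax.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    uuid: str
    name: str
    vlan: int      # port-group VLAN the vNIC sits on
    role: str      # smart-group attribute, e.g. "web" or "db"


@dataclass(frozen=True)
class Flow:
    src: VM
    dst: VM
    proto: str
    dport: int


# Zone synchronisation result: SRX zone name <-> VLAN (constructed).
ZONE_VLAN = {"A": 221, "B": 222}
VLAN_ZONE = {vlan: zone for zone, vlan in ZONE_VLAN.items()}

# SRX inter-zone policy, first match wins: (from_zone, to_zone, action).
SRX_POLICY = [("any", "A", "reject")]
SRX_DEFAULT = "reject"   # inter-zone traffic with no matching policy is dropped

# vGW rules per zone, first match wins: (src_role, dst_role, proto, dport, action).
# "any" and dport 0 are wildcards.
VGW_POLICY = {
    "A": [
        ("web", "db", "tcp", 3306, "allow"),
        ("any", "any", "any", 0, "reject"),
    ],
}


def srx_verdict(flow: Flow) -> str:
    """Evaluate the SRX zone policy for a flow that crosses zones."""
    src_zone, dst_zone = VLAN_ZONE[flow.src.vlan], VLAN_ZONE[flow.dst.vlan]
    for from_zone, to_zone, action in SRX_POLICY:
        if from_zone in ("any", src_zone) and to_zone in ("any", dst_zone):
            return action
    return SRX_DEFAULT


def vgw_verdict(flow: Flow) -> str:
    """Evaluate the vGW rules of the zone both VMs share."""
    zone = VLAN_ZONE[flow.src.vlan]
    for src_role, dst_role, proto, dport, action in VGW_POLICY.get(zone, []):
        if (src_role in ("any", flow.src.role) and dst_role in ("any", flow.dst.role)
                and proto in ("any", flow.proto) and dport in (0, flow.dport)):
            return action
    return "allow"   # no vGW rule set for this zone: traffic passes unfiltered


def evaluate(flows: list[Flow], vgw_deployed: bool = True) -> list[tuple[str, str, str]]:
    """Return (flow label, enforcement point, verdict) per flow.

    Same-VLAN flows are switched inside the vSwitch and never reach the SRX:
    only vGW can decide them, and without vGW nothing does."""
    results = []
    for f in flows:
        label = f"{f.src.name}->{f.dst.name} {f.proto}/{f.dport}"
        if f.src.vlan != f.dst.vlan:
            results.append((label, "srx", srx_verdict(f)))
        elif vgw_deployed:
            results.append((label, "vgw", vgw_verdict(f)))
        else:
            results.append((label, "none", "allow"))   # slide 4's blind spot
    return results


def sample_flows() -> list[Flow]:
    """Constructed flow records, as the Network module would store them."""
    web_a = VM("4223e0a2-0000-0000-0000-000000000001", "web-a", 221, "web")
    db_a = VM("4223e0a2-0000-0000-0000-000000000002", "db-a", 221, "db")
    app_b = VM("4223e0a2-0000-0000-0000-000000000010", "app-b", 222, "app")
    return [
        Flow(web_a, db_a, "tcp", 3306),   # legitimate intra-customer traffic
        Flow(db_a, web_a, "tcp", 22),     # lateral movement inside customer A
        Flow(app_b, db_a, "tcp", 3306),   # customer B reaching into customer A
    ]


if __name__ == "__main__":
    for deployed in (True, False):
        print(f"vGW deployed: {deployed}")
        for label, point, verdict in evaluate(sample_flows(), deployed):
            print(f"  {label:<28} {point:<5} {verdict}")
```

Feeding the Network module's stored flows through a model like this is the "spot design issues with security policies" check from slide 13: any same-VLAN flow that ends up at enforcement point "none", or at "vgw" with an "allow" you did not intend, is a gap the physical SRX policy cannot close.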

25 IDP INTEGRATION
Send virtual network traffic to a physical Juniper IDP for analysis. Compatible with a standalone IDP or an SRX-integrated IDP (11.2r1).
Benefits:
 Choice between using the integrated vGW IDS or a physical Juniper IDP
 A combination of devices can be used to optimize performance (rule-based flow direction)

26 SUMMARY (diagram)
Physical: SRX Series.
Hypervisor: vGW Series (vGW Virtual Gateway VM, Virtual Control VM).
Management and security services: Security Design, Security Threat Response Manager (STRM).
Services shown: virtual firewall, IPS, DoS protection, AppSecure.