Introduction To The Security in a Virtual World
Presented By: Carousel Industries And Juniper Networks

Agenda
• Virtualization Market Dynamics
• Why a Virtual Firewall?
• Security Risks of Virtualization
• Significance of a Hypervisor Based Approach
• A Snap Shot of vGW (Virtual Firewall) and its Features and Benefits
• Summary
Who is Carousel?
Carousel Industries is a premier technology and communications solutions provider designing, implementing and maintaining powerful converged communication networks for enterprise customers worldwide. At Carousel, highly trained and certified teams supply innovative thinking and leading technology to address your business problems, improving operations and reducing overall costs.

Why is Carousel different?
Others may focus on the technology, but we work with you to develop the right solution to meet your business needs. Carousel has a team of highly trained business consultants, certified technicians and engineers with years of design, implementation, support and solution-based experience. Working with Carousel gives you one single point of contact so that you can concentrate on your business and employees.
• Assist with building a strategy and roadmap
• Maximize operational effectiveness – reduce costs
• Mitigate risk
Market Dynamics
• 50% of the world’s workloads will be virtualized by 2012
• Virtualization is near de-facto architecture for clouds
GigaOM Survey
• Security is a top concern for virtualization adoption
• 37% of large enterprises expect to adopt IaaS (cloud) in the next year

Virtualization Security as a Requirement
Security concerns remain a primary barrier to broad virtualization adoption.
Source: 2010 CDW Server Virtualization Life Cycle Report
Why a Virtual Firewall?
• Reducing the risk of malicious attacks: virtualization creates a new attack surface.
• CapEx and OpEx advantages by allowing further virtualization.
• Physical firewall technologies in your data center are not protecting your virtual environment.
• Avoid potentially costly data center disruptions, customer dissatisfaction, etc.
• Maintain corporate standards to avoid failed audits, which could lead to revenue loss.

Virtualization Specific Security Risks
• Secure VMotion/Live-Migration
  • VMs may migrate to an unsecured or lower trust-level zone
  • Security should enable both migration and enforcement
• Hypervisor Protection
  • A new operating system means a new attack surface
  • Hypervisor connection attempts should be monitored
• Regulatory Compliance
  • Isolating VMs, access control, audit, etc.
  • Segregating administrative duties inside the virtual network
  • Tracking VM security profiles
Security Implication of Virtualization
[Diagram: Physical Network vs. Virtual Network – VM1, VM2, VM3 behind a Virtual Switch on an ESX Host / Hypervisor]
• Physical Firewall/IDS sees and protects all traffic between servers
• Physical security is “blind” to traffic between virtual machines

Securing Virtual Networks
1. VLAN Segmentation
  • VMs segmented into separate VLANs; inter-VM communications must route through the firewall
  • Drawbacks: complex VLAN networking; lacks hypervisor visibility; high overhead
2. Agent-based
  • Each VM has a software firewall (FW agents)
  • Drawbacks: significant performance implications; huge management overhead of maintaining software and signatures on 1000s of VMs
3. Kernel-based Firewall
  • Inter-VM traffic always protected; micro-segmenting capabilities
  • High performance from implementing the firewall in the kernel (FW as kernel module)
  • Secures hypervisor connections
[Diagram: three ESX hosts, each with VM1–VM3, a virtual switch (VS) and the hypervisor, showing where each approach places the firewall]
vGW Kernel Implementation
[Diagram: vGW VM (Policy, Logging, Management) and vGW 4.5 Engine; vGW VMsafe Kernel Module in the ESX kernel on the packet/data path for VM1–VM3 via the VMsafe Interface; VMware vSwitch or dvSwitch; Partner Server (IDS, Syslog, Netflow)]
• Fully “fast-path”
  • All firewall processing is done within the hypervisor
  • No memory copies, no context switches
  • High performance, >10 Gbps throughput
• Designed for ESX architecture
  • Independent processing of firewall policy per VM
  • Scales up as core count increases

vGW = Hypervisor-based Architecture
• Enterprise-grade
  • VMware “VMsafe Certified”
  • Protects each VM and the hypervisor
  • Fault-tolerant architecture (i.e. HA)
• Virtualization Aware
  • “Secure VMotion” scales to 1,000+ ESX
  • “Auto Secure” detects/protects new VMs
• Granular, Tiered Defense
  • Stateful firewall and integrated IDS
  • Flexible policy enforcement – zone, VM group, VM, application, port, protocol, security state
[Diagram: Virtual Center; VMware DVFilter; VMware vSwitch or Cisco 1000V]

Introducing vGW
• Visibility – to all inter-VM traffic and VM configuration
• Compliance – with dynamic policies against whitelists, blacklists and VM Introspection data
• Control – of all traffic, of malware proliferation, of policy deviations of VMs on the “move”
Integration With vCenter
• No manual synchronization
  • Complete VM inventory is pulled from vCenter
  • Security is kept in sync with changes to the virtual infrastructure and is notified of VM changes
• VMs identified by their vCenter UUID
  • No need to trust weak associations, like IP addresses
  • Differentiate between a VM and its clones or copies
  • Maintain correct policy and monitoring through vMotion, manual moves, or DHCP changes
• Validate infrastructure configuration
  • Prevent “backdoor channels” like VMCI
  • Ensure configuration integrity, correct network attachment, auto-start configured, etc.
• Automate deployment
  • Firewalls deployed programmatically, hiding network and virtualization complexities
  • Simplifies High Availability setup by cloning mgmt. VMs
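The slide's point that policy should bind to the vCenter UUID rather than to an IP address can be shown with a small simulation. This is an added illustration, not vGW or Juniper code; the VM records, UUIDs, addresses and host names are constructed sample data, and the two lookup strategies are hypothetical stand-ins for the real policy engine.

```python
# Added illustration (not vGW/Juniper code): binding firewall policy to a stable
# VM identity (the vCenter UUID) versus binding it to an IP address, across the
# events the slide names: vMotion, a DHCP address change, and a clone.
from dataclasses import dataclass, field


@dataclass
class VM:
    uuid: str   # stable identity assigned by vCenter (constructed sample value)
    name: str
    ip: str
    host: str   # ESX host the VM currently runs on


@dataclass
class PolicyStore:
    by_uuid: dict = field(default_factory=dict)  # strong association
    by_ip: dict = field(default_factory=dict)    # weak association, kept for contrast

    def bind(self, vm: VM, policy: str) -> None:
        """Attach the same policy under both keys so the strategies can be compared."""
        self.by_uuid[vm.uuid] = policy
        self.by_ip[vm.ip] = policy

    def lookup_by_uuid(self, vm: VM) -> str:
        return self.by_uuid.get(vm.uuid, "DEFAULT-DENY")

    def lookup_by_ip(self, vm: VM) -> str:
        return self.by_ip.get(vm.ip, "DEFAULT-DENY")


def simulate() -> dict:
    """Return (uuid_result, ip_result) for each constructed infrastructure event."""
    store = PolicyStore()
    web = VM(uuid="uuid-web-0001", name="web01", ip="10.0.0.10", host="esx-a")
    store.bind(web, "WEB-TIER")

    # Event 1: vMotion to another host; identity and address are unchanged.
    web.host = "esx-b"
    after_vmotion = (store.lookup_by_uuid(web), store.lookup_by_ip(web))

    # Event 2: DHCP hands the VM a new address; IP-keyed policy falls to the default.
    web.ip = "10.0.0.57"
    after_dhcp = (store.lookup_by_uuid(web), store.lookup_by_ip(web))

    # Event 3: a clone comes up reusing the old address; IP-keyed policy wrongly
    # grants it WEB-TIER, while UUID-keyed policy treats it as a new, unknown VM.
    clone = VM(uuid="uuid-web-0002", name="web01-clone", ip="10.0.0.10", host="esx-a")
    clone_result = (store.lookup_by_uuid(clone), store.lookup_by_ip(clone))

    return {"vmotion": after_vmotion, "dhcp": after_dhcp, "clone": clone_result}
```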
Automation – vGW Cloud Security SDK
• Policy automation of security policy controls
  • Security integration into the VM provisioning process
  • Policy delegation to group admins or end-users
  • Multi-tenant policy management
• XML-RPC based API
  • Programmatically control VM policy configuration
  • APIs for all functions done within the UI
• SDK contains
  • XML-RPC API documentation
  • Python scripts implementing the APIs
  • Web portal application – PoC of user-delegated policy controls

Integrated with Juniper Data Center Security
[Diagram: VM1–VM3 on VMware vSphere protected by vGW (ALTOR vGW Policies); Juniper EX Switch and Juniper SRX with IPS on the network; STRM for central visibility]
• Zone synchronization with the SRX
• Traffic mirroring to IPS
• Firewall event syslogs and Netflow for inter-VM traffic to STRM
• Central policy management
Summary
• vGW enables virtualization and clouds:
  • Hypervisor-based approach maximizes throughput and capacity
  • Industry benchmark for administrative ease and scale
  • Innovation makes enforcement granular and dynamic
• vGW as part of Juniper data center security:
  • Comprehensive protection for all workloads
  • Extended security through several points of integration
  • Part of a clear path to unified security administration

Thank You
John R. McCreary, vGW Account Manager – jmccreary@juniper.net – Mobile: 312-437-0488
Jerry Malley, Account Executive – jmalley@carouselindustries.com – 800-401-0760