
Agenda


sunila

Presentation Transcript


  1. Agenda
     • Challenges, Complexities, Best Practice
     • Integrating Physical and Virtual Security Layers

  2. Virtualization And The Challenges It Presents
     • New Blind Spots For Network Based Firewalls
       • Traffic that does not leave the physical host or a segment
       • Mobile devices, BYOD, intra-VM communication
       • Network based firewalls or network based IDS tools may not see such blind spots
       • Juniper vGW & SRX Integration eliminates one of these
     • Need for a More Highly Available Infrastructure
       • Network infrastructure underlying the cloud needs to be more highly available than ever before due to multi-tenant type solutions.
       • We offer solid Active/Active and Active/Standby HA

  3. Virtualization And The Challenges It Presents
     • Management Plane Complexities & Shared Services
       • DNS, DHCP, NTP, Syslog, SIEM, ...
       • You no longer own tangible assets
       • Separate management network for Shared Services?
       • Shared services on common infrastructure?
       • How will you maintain controlled access and separation?
       • Some of these services are part of every router, switch and firewall we ship.
       • We have architecturally separate Data and Control Planes in Junos

  4. Best Practices
     • Choose the Right Gateway
       • Your external gateway is the door to customers, opportunities, etc.
       • But also to competitors and attackers.
       • Virtualization-aware perimeter gateway that provides logical separation
     • Beware of Porous Perimeters
       • Backdoors, side channels
       • Who has the onus to find them? Provider or you?
       • STRM, our SIEM
     • Use Defense-in-Depth
       • Not a new concept, though highly complex in the virtual regime
       • Multi-Layer Defense Solution

  5. SRX and vGW – Integrating Virtual and Physical Security Layers

  6. Physical and Virtual Security Layers
     • Organizations will continue to adopt cloud computing in phases
     • A mix of physical and virtualized data center workloads will co-exist
     • Physical firewalls such as SRX secure physical workloads, while virtual workloads are secured by vGW
     • The two layers need to be integrated
     • The two layers need to work in tandem to create a uniform security posture

  7. SRX and vGW Integration: Firewall Zones Integration
     • Zone synchronization between SRX Series and vGW
     • Benefits:
       • Guarantee integrity of zones on the hypervisor
       • Empower SRX Series with VM awareness
       • Ensure a particular VM is only attached to an authorized zone
       • Consistent security from the perimeter to the server VM
       • Automate and verify no "policy violation" by VMs

  8. SRX and vGW Integration

  9. SRX Series Integration: Importing Zones
     • vGW creates policy groups for SRX zones
     • Policy groups dynamically associate VMs with their zone
     • Auto-populates policy group based on VLAN, IP, Scope

  10. SRX Series Integration: Exporting vGW VMs to SRX Address Book
     • Selective object exports
     • Tag object names for easy identification
     • Creates address-book entry in the assigned zone
     • Ensure VM names are Junos compatible
     • Communication between SRX and vGW via encrypted tunnel (xnm-ssl on TCP 3220)

  11. SRX and vGW – Micro-Segmentation (diagram)
     • Topology: ESX-1 and ESX-2 hosts running vGW, Data Center Switching, SRX5800
     • Blue VMs belong to Customer "A" in Zone 1 = VLAN 221
     • Step 1: Create an SRX zone "A" for Customer "A" with VLAN 221
     • Step 2: Create an SRX zone policy: source any, destination zone "A", action reject
     • Steps 3–5 (vGW side): tell vGW about the SRX and Customer "A"; refine "Smart Groups" with Customer "A" VM information; create a vGW policy to segment within Customer "A" VMs

  12. Benefits of the SRX + vGW Security Model (SRX Series)
     • Synchronized physical and virtual security ensures only Customer "A"'s VMs are attached to VLAN 221
     • Optimization of VLANs: if Customer "A" needs to segregate VMs within VLAN 221, vGW policy can be used instead of more VLANs
     • Faster VM provisioning: the SP can deliver VMs faster to customers because there is no physical port provisioning
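The zone-synchronization behaviour outlined on slides 7, 9, 10 and 12 (VMs auto-populated into the policy group of their SRX zone by VLAN and IP, VM names tagged and made Junos-compatible before export to the zone's address book, and a check that no VM of another customer sits on Customer "A"'s VLAN) can be modelled in a few dozen lines. The script below is an added example written for this transcript; it is not vGW or SRX code and does not talk to either product. The zone definitions, the VM inventory, the `vgw-` tag prefix, the 63-character / allowed-character naming rule and the per-zone `address-book` set-command form it emits are all constructed assumptions, chosen to match what the slides describe.

```python
"""Model of vGW/SRX zone synchronisation (added example, not vendor code).

Assumptions (constructed for this example):
  * a zone is identified by one VLAN and one IPv4 subnet;
  * a VM belongs to a zone when BOTH its VLAN and its IP match that zone;
  * a VM in a zone owned by a different customer is a policy violation;
  * SRX object names allow [A-Za-z0-9_.-], max 63 chars, tagged with "vgw-".
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str       # SRX security-zone name
    customer: str   # tenant the zone is dedicated to
    vlan: int       # VLAN carrying the zone's VMs
    subnet: str     # IPv4 prefix assigned to the zone


@dataclass(frozen=True)
class VM:
    name: str       # vCenter display name, may contain spaces/symbols
    owner: str      # tenant that owns the VM
    vlan: int       # VLAN the vNIC is attached to
    ip: str         # IPv4 address reported by vGW


_BAD_CHARS = re.compile(r"[^A-Za-z0-9_.-]")   # assumed Junos name charset
MAX_NAME = 63                                  # assumed Junos name length


def junos_object_name(vm_name: str, prefix: str = "vgw-") -> str:
    """Tag and sanitise a VM name into an SRX address-book object name."""
    cleaned = _BAD_CHARS.sub("-", vm_name.strip())
    cleaned = re.sub(r"-{2,}", "-", cleaned).strip("-")
    if not cleaned:
        raise ValueError(f"VM name {vm_name!r} has no usable characters")
    return (prefix + cleaned)[:MAX_NAME]


def assign_zone(vm: VM, zones: List[Zone]) -> Optional[Zone]:
    """Auto-populate: the VM joins the zone whose VLAN and subnet both match."""
    addr = ipaddress.ip_address(vm.ip)
    for zone in zones:
        if vm.vlan == zone.vlan and addr in ipaddress.ip_network(zone.subnet):
            return zone
    return None


def synchronise(vms: List[VM], zones: List[Zone]
                ) -> Tuple[Dict[str, Dict[str, str]], List[Tuple[str, str]]]:
    """Return (address_book, violations).

    address_book: zone name -> {object name: host prefix} for compliant VMs.
    violations:   (vm name, reason) for VMs that must not be exported.
    """
    book: Dict[str, Dict[str, str]] = {z.name: {} for z in zones}
    violations: List[Tuple[str, str]] = []
    for vm in vms:
        zone = assign_zone(vm, zones)
        if zone is None:
            violations.append((vm.name, "no matching zone (VLAN/subnet)"))
            continue
        if vm.owner != zone.customer:
            violations.append(
                (vm.name, f"owner {vm.owner} attached to zone {zone.name} of {zone.customer}"))
            continue
        book[zone.name][junos_object_name(vm.name)] = f"{vm.ip}/32"
    return book, violations


def to_set_commands(book: Dict[str, Dict[str, str]]) -> List[str]:
    """Render the zone-attached address-book entries as Junos set commands."""
    return [
        f"set security zones security-zone {zone} address-book address {name} {prefix}"
        for zone, entries in sorted(book.items())
        for name, prefix in sorted(entries.items())
    ]


# Constructed sample inventory: Customer "A" on VLAN 221 as in the slides, plus a second tenant.
ZONES = [Zone("A", "customer-a", 221, "10.221.0.0/24"),
         Zone("B", "customer-b", 222, "10.222.0.0/24")]
VMS = [VM("web 01", "customer-a", 221, "10.221.0.10"),
       VM("db_01", "customer-a", 221, "10.221.0.20"),
       VM("app#1", "customer-b", 222, "10.222.0.5"),
       VM("rogue", "customer-b", 221, "10.221.0.99"),   # wrong tenant on A's VLAN
       VM("orphan", "customer-a", 300, "10.30.0.1")]    # VLAN with no zone

if __name__ == "__main__":
    address_book, problems = synchronise(VMS, ZONES)
    print("\n".join(to_set_commands(address_book)))
    for vm_name, reason in problems:
        print(f"VIOLATION {vm_name}: {reason}")
```

Run as a script it prints the set commands for the two compliant Customer "A" VMs and the one Customer "B" VM, then flags `rogue` (a Customer "B" VM plugged into VLAN 221) and `orphan` (a VLAN with no zone) instead of exporting them, which is the "only Customer A's VMs are attached to VLAN 221" guarantee from slide 12 expressed as a check.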

  13. IDP Integration
     • Send virtual network traffic to a physical Juniper IDP for analysis
     • Compatible with standalone IDP or SRX-integrated (11.2r1) IDP
     • Benefits:
       • Choice between using the integrated vGW IDS or a Juniper physical IDP
       • A combination of devices can be used to optimize performance (rules-based flow direction)

  14. Thank You
