Security in a Virtualised World
TRANSCRIPT
SECURING THE VIRTUALISED DATACENTRE
Trevor Dearing
Director Network Strategy, EMEA
2 Copyright © 2010 Juniper Networks, Inc. www.juniper.net Confidential
SOME DESIGNS ARE USEFUL FOR A LONG TIME
CHEAPER RAW MATERIALS OFFER INCREMENTAL CHANGE
The route to better economics is to improve opex through architecture, not by dropping the price
NEW ARCHITECTURE TRANSFORMS WHAT'S POSSIBLE
THE APPLICATIONS EVOLVED
[Diagram: Client–Server Architecture (clients and servers, labelled 95% and 25%) beside Service Oriented Architecture (server tiers A, B, C, D and DB, labelled 75%)]
A fundamental change in data flows
THE SERVERS AND STORAGE EVOLVED
Servers were consolidated, standardized and virtualized
Storage was consolidated and virtualized
Network services can be consolidated and virtualized
A single network to integrate the resource pools
BUT, THE NETWORK ARCHITECTURE HAS NOT CHANGED
[Diagram: data center tree topology, north–south]
Spanning Tree disables up to 50% of bandwidth
Unnecessary layers add hops and latency
Up to 50% of the ports interconnect switches, not servers or storage
Up to 75% of traffic is E–W (east–west)
Today's challenges:
• Too complex
• Impacts scale and agility
• Too slow
• Too expensive
• Security scalability and agility
[Diagram: typical tree configuration]
DEFINING THE IDEAL NETWORK
Flat, any-to-any connectivity
DEFINING THE IDEAL NETWORK
Flat, any-to-any connectivity
Single device, N=1
Switch Fabric
Data Plane
• Flat – single look up
• Any-to-any
Control Plane
• Single device
• Shared state
Simplicity of a single switch, but a single switch does not scale
DEFINING THE IDEAL NETWORK – A FABRIC
Flat, any-to-any connectivity
Single device, N=1
Network Fabric
Data Plane
• Flat – single look up
• Any-to-any
Control Plane
• Single device
• Shared state
A Network Fabric has the simplicity of a single switch and the scalability of a network
SECURITY IS IMPACTED BY TWO TRENDS
• Industry Trends: Mobile Workforce, Data Center Consolidation, Consumerization
• Security Trends: Attacker behavior, New Attack Targets, Evolving Threat Vectors
THE CHANGING DATA CENTER LEADS TO A GREATER SECURITY CHALLENGE
[Table: rows "Changing traffic" and "Evolving threats"; columns Yesterday / Today / Tomorrow]
Yesterday: legacy, client server, data, IPv4; worms, viruses, trojans, DDoS; dispersed, physical separation
Today / Tomorrow: consolidation, virtualization, increased bandwidth utilization; movement of hosts, systems; application targeted attacks
THE NEW NETWORK MEETS THAT CHALLENGE
[Diagram: Data Center with Network Core, Servers / Storage, HTTP/Web Services servers and application tiers A, B, C, D]
• Dynamic security at scale
• Application visibility
• Identity aware networking
• Automating security infrastructure
SECURE – NEW MODEL FOR THE CLOUD
[Diagram: Castle Model ("Keep Out!") versus Hotel Model]
THE FUTURE OF SECURITY
[Diagram: Global High-Performance Network connecting Branch, Campus, Mobile Clients and Data Center (Data/App Consolidation); each location carries its own stack of security services, drawn from NAT, Firewall, IPS, IDS, UTM, VPN, Anti-malware, LAN Acceleration, Anti-virus, Remote Access, Remote Lock/wipe, Backup & Restore and UAC]
1. Consolidation of security services (everywhere)
WHERE IS SECURITY HEADED?
1. Consolidation of security services (everywhere)
2. Application Visibility and Control: “Location to Network” vs. “Source to Destination”
[Diagram: Global High-Performance Network linking Branch, Campus, Mobile Clients and Data Center; the old "Source to Destination" view is replaced by What User, What Application, User Device, User Location]
WHERE IS SECURITY HEADED?
1. Consolidation of security services (everywhere)
2. Application Visibility and Control: “Location to Network” vs. “Source to Destination”
3. Security Intelligence: “Security as an ecosystem” vs. “a collection of independent devices”
[Diagram: Global High-Performance Network linking Branch, Campus, Mobile Clients and Data Center; the ecosystem shares User Information, Log Information and place, Configuration Information and Data Flows, alongside What User, What Application, User Device, User Location]
WHERE IS SECURITY HEADED?
1. Consolidation of security services (everywhere)
2. Application Visibility and Control: “Location to Network” vs. “Source to Destination”
3. Security Intelligence: “Security as an ecosystem” vs. “a collection of independent devices”
Broad enterprise security: “Breadth and depth” across the enterprise
[Diagram: Global High-Performance Network linking Branch, Campus, Mobile Clients and Data Center (Data/App Consolidation)]
SECURE – CLOUD ENABLED SECURITY
[Diagram: Clients and Data Centers joined by the Global High-Performance Network; secured flows are Client to DC, DC to DC and Server to Server]
DYNAMIC SECURITY AT SCALE
[Diagram: servers and FC SAN storage connected through EX8216, SRX5800 and MX Series platforms]
• Dynamic allocation of security services within a single platform
• Scale to 130 Gbps / platform and 10M concurrent connections
• Automated firewall changes based on user visibility and policy
• Secure shifting traffic flows with a single platform
SERVICE OFFERINGS CONTINUE TO GROW
[Diagram: SRX product range: SRX100, SRX210, SRX240, SRX650, SRX3600, SRX5600, SRX5800]
Yesterday’s box is tomorrow’s feature
Perimeter: Firewall, IPSec VPN, SSL VPN
Content: Intrusion detection, Anti-Virus (Kaspersky/Sophos), URL Filtering (Websense), Anti-Spam, Malware (FireEye)
Application: AppDoS, AppTrack, Identity and application coordination, Server virtualization security (Altor)
SECURITY IMPLICATIONS OF VIRTUAL SERVERS
[Diagram: VM1, VM2, VM3 on an ESX host above the hypervisor; the virtual network inside the host beside the physical network]
Virtual network: physical security is “blind” to traffic between virtual machines
Physical network: the firewall/IPS inspects all traffic between servers
APPROACHES TO SECURING VIRTUAL SERVERS: THREE METHODS
[Diagram: three ESX hosts, each running VM1, VM2, VM3 on a hypervisor, one per method]
1. VLAN Segmentation
Each VM in a separate VLAN
Inter-VM communications must route through the firewall
Drawback: possibly complex VLAN networking
2. Agent-based (FW agents in each VM)
Each VM has a software firewall
Drawback: significant performance implications; huge management overhead of maintaining software and signatures on 1000s of VMs
3. Kernel-based Firewall (FW as kernel module)
VMs can securely share VLANs
Inter-VM traffic always protected
High performance from implementing the firewall in the kernel
Micro-segmenting capabilities
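The blind spot and the trade-off between the three methods, as an added model that is not from the slides or from Juniper: a constructed set of VMs with host and VLAN placement, a predicate per enforcement point saying whether it inspects a given VM-to-VM flow, and a rough count of what each approach makes the operator maintain (all names and the "cost" metric are assumptions for illustration).

```python
"""Constructed model of which enforcement point sees inter-VM traffic."""
from dataclasses import dataclass, replace
from itertools import permutations


@dataclass(frozen=True)
class VM:
    name: str
    host: str   # hypervisor host the VM currently runs on
    vlan: int   # VLAN its virtual NIC is attached to


def physical_fw_inspects(src: VM, dst: VM) -> bool:
    """Method 1: only traffic routed between VLANs passes the physical
    firewall; same-VLAN traffic is switched inside the vSwitch (or the
    access layer) and the firewall never sees it."""
    return src.vlan != dst.vlan


def agent_inspects(src: VM, dst: VM) -> bool:
    """Method 2: a software firewall inside every VM sees every flow."""
    return True


def kernel_fw_inspects(src: VM, dst: VM) -> bool:
    """Method 3: a firewall module in the hypervisor kernel sits below the
    vSwitch, so it sees every flow regardless of VLAN or host."""
    return True


def coverage(vms, inspects) -> float:
    """Fraction of ordered VM pairs whose traffic the enforcement point sees."""
    pairs = list(permutations(vms, 2))
    return sum(inspects(a, b) for a, b in pairs) / len(pairs)


def blind_pairs(vms):
    """VM pairs the physical firewall cannot see (the deck's 'blind' case)."""
    return sorted((a.name, b.name) for a, b in permutations(vms, 2)
                  if not physical_fw_inspects(a, b))


def one_vlan_per_vm(vms):
    """Method 1 done properly: every VM in its own VLAN (constructed ids)."""
    return [replace(vm, vlan=100 + i) for i, vm in enumerate(vms)]


def operational_cost(vms, approach: str) -> int:
    """Assumed metric: objects the operator must maintain per approach."""
    if approach == "vlan":     # distinct VLANs carried across the fabric
        return len({vm.vlan for vm in vms})
    if approach == "agent":    # one agent (software + signatures) per VM
        return len(vms)
    if approach == "kernel":   # one kernel firewall per host, policy by VM id
        return len({vm.host for vm in vms})
    raise ValueError(approach)


# Constructed sample: three VMs on one host, two of them sharing a VLAN.
SAMPLE = [VM("VM1", "esx1", 10), VM("VM2", "esx1", 10), VM("VM3", "esx1", 20)]
```

With the sample, the physical firewall covers 4 of 6 flows and misses VM1↔VM2; giving each VM its own VLAN restores full coverage but the VLAN count then grows with the VM count, while the kernel firewall covers everything with one enforcement point per host.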
INTRODUCING THE ALTOR VF
[Diagram: VM1, VM2, VM3 on an ESX host with the Altor VF in the hypervisor, connected through a Juniper Switch and Juniper SRX to the Network, with NSM and STRM for management]
• Hypervisor Kernel Stateful Firewall
• Purpose-built virtual firewall: Secure Live-Migration (VMotion), security for each VM by VM ID, fully stateful firewall
• VMware “VMsafe Certified”
• Tight integration with virtual platform management, e.g. VMware vCenter
• Fault-tolerant architecture
INTEGRATION WITH JUNIPER DATA CENTER SECURITY
[Diagram: VM1, VM2, VM3 and the Altor VM (Altor Virtual Firewall) on VMware vSphere, managed by AltorCenter; Juniper Switch and Juniper SRX with IPS on the Network; NSM and STRM]
Altor integration points:
• Traffic mirroring to IPS (Juniper SRX with IPS)
• Central policy management (policies)
• Firewall event syslogs and Netflow for inter-VM traffic
SECURING THE FABRIC
Flat, any-to-any connectivity
Single device with integrated security
Network Fabric
Data Plane
• Flat – single look up
• Any-to-any
Control Plane
• Single device
• Shared state
• Security policies
A Network Fabric has the simplicity of a single switch and the scalability of a network