SECURING THE VIRTUALISED DATACENTRE
Trevor Dearing
Director Network Strategy, EMEA
2 Copyright © 2010 Juniper Networks, Inc. www.juniper.net Confidential
SOME DESIGNS ARE USEFUL FOR A LONG TIME
CHEAPER RAW MATERIALS OFFER INCREMENTAL CHANGE
The route to better economics is to improve opex through architecture, not by dropping the price
NEW ARCHITECTURE TRANSFORMS WHAT'S POSSIBLE
THE APPLICATIONS EVOLVED
(Diagram: Client–Server Architecture, with clients talking to a server, versus Service Oriented Architecture, with clients, application servers A–D and a DB; figures shown: 95%, 25%, 75%.)
A fundamental change in data flows
THE SERVERS AND STORAGE EVOLVED
• Servers were consolidated, standardized and virtualized
• Storage was consolidated and virtualized
• Network services can be consolidated and virtualized
• A single network to integrate the resource pools
BUT, THE NETWORK ARCHITECTURE HAS NOT CHANGED
(Diagram: data center network, north–south and east–west traffic annotated.)
• Spanning Tree disables up to 50% of bandwidth
• Unnecessary layers add hops and latency
• Up to 50% of the ports interconnect switches, not servers or storage
• Up to 75% of traffic is east–west
Today’s challenges:
• Too complex
• Impacts scale and agility
• Too slow
• Too expensive
• Security scalability and agility
(Diagram: typical tree configuration.)
DEFINING THE IDEAL NETWORK
Flat, any-to-any connectivity
DEFINING THE IDEAL NETWORK
Flat, any-to-any connectivity
Single device (N=1)
Switch Fabric
Data Plane: • Flat – single lookup • Any-to-any
Control Plane: • Single device • Shared state
Simplicity of a single switch, but a single switch does not scale
DEFINING THE IDEAL NETWORK – A FABRIC
Flat, any-to-any connectivity
Single device (N=1)
Network Fabric
Data Plane: • Flat – single lookup • Any-to-any
Control Plane: • Single device • Shared state
A Network Fabric has the simplicity of a single switch and the scalability of a network.
SECURITY IS IMPACTED BY TWO TRENDS
• Industry Trends: Mobile Workforce, Data Center Consolidation, Consumerization
• Security Trends: Attacker behavior, New Attack Targets, Evolving Threat Vectors
THE CHANGING DATA CENTER LEADS TO A GREATER SECURITY CHALLENGE
Yesterday: Legacy, client–server, data, IPv4; worms, viruses, trojans, DDoS; dispersed, physical separation
Today: Changing traffic; evolving threats; consolidation
Tomorrow: Virtualization, increased bandwidth utilization; movement of hosts and systems; application-targeted attacks
THE NEW NETWORK MEETS THAT CHALLENGE
(Diagram: Data Center with Network Core, Servers / Storage, HTTP/Web Services and Servers, with callouts A–D.)
• Dynamic security at scale
• Application visibility
• Identity aware networking
• Automating security infrastructure
SECURE – NEW MODEL FOR THE CLOUD
(Diagram: Castle Model, “Keep Out!”, versus Hotel Model.)
THE FUTURE OF SECURITY
(Diagram: Branch, Campus, Mobile Clients and Data Center (Data/App Consolidation) connected over a Global High-Performance Network, each with its own stack of security services: NAT, Firewall, IPS, IDS, UTM, VPN, Anti-malware, LAN Acceleration, UAC; on the mobile clients, Anti-virus, Remote Access, Remote Lock/wipe, Backup & Restore.)
1. Consolidation of security services (everywhere)
WHERE IS SECURITY HEADED?
1. Consolidation of security services (everywhere)
2. Application Visibility and Control: “Location to Network” vs. “Source to Destination”
(Diagram: Branch, Campus and Mobile Clients reaching the Data Center over the Global High-Performance Network; “Source to Destination” flows annotated with What User, What Application, User Device, User Location.)
WHERE IS SECURITY HEADED?
1. Consolidation of security services (everywhere)
2. Application Visibility and Control: “Location to Network” vs. “Source to Destination”
3. Security Intelligence: “Security as an ecosystem” vs. “a collection of independent devices”
(Diagram: Branch, Campus and Mobile Clients reaching the Data Center over the Global High-Performance Network; the ecosystem shares User Information, Log Information and place, Configuration Information and Data Flows, annotated with What User, What Application, User Device, User Location.)
WHERE IS SECURITY HEADED?
1. Consolidation of security services (everywhere)
2. Application Visibility and Control: “Location to Network” vs. “Source to Destination”
3. Security Intelligence: “Security as an ecosystem” vs. “a collection of independent devices”
4. Broad enterprise security: “Breadth and depth” across the enterprise
(Diagram: Branch, Campus, Mobile Clients and Data Center (Data/App Consolidation) over the Global High-Performance Network.)
SECURE – CLOUD ENABLED SECURITY
(Diagram: Clients and Data Centers over the Global High-Performance Network; flows secured: Client to DC, DC to DC, Server to Server.)
DYNAMIC SECURITY AT SCALE
(Diagram: MX Series, EX8216 and SRX5800 connecting Servers, Storage and FC SAN.)
• Dynamic allocation of security services within a single platform
• Scale to 130 Gbps / platform and 10M concurrent connections
• Automated firewall changes based on user visibility and policy
• Secure shifting traffic flows with a single platform
SERVICE OFFERINGS CONTINUE TO GROW
(Diagram: SRX100, SRX210, SRX240, SRX650, SRX3600, SRX5600, SRX5800.)
Yesterday’s box is tomorrow’s feature
Perimeter: Firewall; IPSec VPN; SSL VPN
Content: Intrusion detection; Anti-Virus (Kaspersky/Sophos); URL Filtering (Websense); Anti-Spam; Malware (FireEye)
Application: AppDoS; AppTrack; Identity and application coordination; Server virtualization security (Altor)
SECURITY IMPLICATIONS OF VIRTUAL SERVERS
(Diagram: physical network versus virtual network; an ESX host running VM1, VM2 and VM3 on a hypervisor.)
Physical network: Firewall/IPS inspects all traffic between servers
Virtual network: Physical security is “blind” to traffic between virtual machines
APPROACHES TO SECURING VIRTUAL SERVERS: THREE METHODS
(Diagrams: for each method, an ESX host running VM1, VM2 and VM3 on a hypervisor; FW agents inside each VM for method 2; FW as kernel module for method 3.)
1. VLAN Segmentation
• Each VM in a separate VLAN
• Inter-VM communications must route through the firewall
• Drawback: possibly complex VLAN networking
2. Agent-based
• Each VM has a software firewall
• Drawback: significant performance implications; huge management overhead of maintaining software and signatures on 1000s of VMs
3. Kernel-based Firewall
• VMs can securely share VLANs
• Inter-VM traffic always protected
• High performance from implementing the firewall in the kernel
• Micro-segmenting capabilities
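The three methods above, as an added illustration that is not Juniper's or Altor's code: a constructed Python model placing a VLAN-segmentation check beside a hypervisor-kernel stateful firewall keyed on VM ID, so that same-VLAN inter-VM traffic is still inspected and the rule follows the VM through a VMotion (all VM names, addresses, ports and the syslog-style event format are assumptions).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VM:
    vm_id: str   # identity from the virtual platform; unchanged by VMotion
    ip: str      # may change when the VM moves host (constructed scenario)
    vlan: int

@dataclass(frozen=True)
class Packet:
    src: VM
    dst: VM
    dport: int

def physical_fw_inspects(pkt):
    """Method 1: only traffic crossing a VLAN boundary is routed via the physical
    firewall; same-VLAN inter-VM traffic is switched in the hypervisor unseen."""
    return pkt.src.vlan != pkt.dst.vlan

class KernelFirewall:
    """Method 3: hypervisor-kernel stateful firewall keyed on VM ID, not IP/VLAN."""
    def __init__(self, rules):
        self.rules = set(rules)  # allowed (src_vm_id, dst_vm_id, dport) tuples
        self.flows = set()       # established flows, same key
        self.events = []         # syslog-style records for the SIEM (constructed format)
    def inspect(self, pkt):
        key = (pkt.src.vm_id, pkt.dst.vm_id, pkt.dport)
        reverse = (pkt.dst.vm_id, pkt.src.vm_id, pkt.dport)
        if key in self.flows or reverse in self.flows:
            return True  # continuation or reply of an established flow
        allowed = key in self.rules
        if allowed:
            self.flows.add(key)
        self.events.append(f"action={'ACCEPT' if allowed else 'DENY'} "
                           f"src_vm={key[0]} dst_vm={key[1]} dport={key[2]}")
        return allowed

def scenario():
    web = VM("vm-web", "10.0.1.10", 10)
    db = VM("vm-db", "10.0.1.20", 10)  # same VLAN and host as web
    fw = KernelFirewall([("vm-web", "vm-db", 3306)])
    r = {"physical_fw_sees_web_to_db": physical_fw_inspects(Packet(web, db, 3306))}
    r["kernel_allows_web_to_db"] = fw.inspect(Packet(web, db, 3306))
    r["kernel_allows_db_reply"] = fw.inspect(Packet(db, web, 3306))
    r["kernel_blocks_db_to_web_ssh"] = fw.inspect(Packet(db, web, 22))
    db_moved = VM("vm-db", "10.0.2.20", 20)  # after VMotion: new IP/VLAN, same VM ID
    r["allowed_after_move"] = fw.inspect(Packet(web, db_moved, 3306))
    r["ssh_blocked_after_move"] = fw.inspect(Packet(db_moved, web, 22))
    r["deny_events"] = sum(e.startswith("action=DENY") for e in fw.events)
    return r
```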
INTRODUCING THE ALTOR VF
(Diagram: ESX host running VM1, VM2 and VM3 with the Altor VF in the hypervisor, connected to a Juniper Switch, Juniper SRX, the Network, NSM and STRM.)
• Hypervisor Kernel Stateful Firewall
• Purpose-built virtual firewall: Secure Live-Migration (VMotion); Security for each VM by VM ID; Fully stateful firewall
• VMware “VMsafe Certified”
• Tight Integration with Virtual Platform Management, e.g. VMware vCenter
• Fault-Tolerant Architecture
INTEGRATION WITH JUNIPER DATA CENTER SECURITY
(Diagram: VM1, VM2, VM3 and the Altor VM on VMware vSphere with the Altor Virtual Firewall; AltorCenter, NSM, STRM, a Juniper Switch and a Juniper SRX with IPS on the Network.)
Altor integration points:
• Traffic Mirroring to IPS (Juniper SRX with IPS)
• Central Policy Management (NSM; Policies)
• Firewall Event Syslogs and Netflow for Inter-VM Traffic (STRM)
SECURING THE FABRIC
Flat, any-to-any connectivity
Single device with integrated security
Network Fabric
Data Plane: • Flat – single lookup • Any-to-any
Control Plane: • Single device • Shared state • Security policies
A Network Fabric has the simplicity of a single switch and the scalability of a network.