Table of Contents
Introduction ..... 3
Scope ..... 3
Design Considerations ..... 3
Hardware Requirements ..... 3
Software Requirements ..... 3
Description and Deployment Scenario ..... 4
SRX Series and vGW Virtual Gateway Integrated Solution ..... 5
Configuring the vGW Virtual Gateway and SRX Series Services Gateways Interoperation ..... 6
Enabling the Junoscript Interface for vGW Virtual Gateway Access ..... 6
Configuring Web-Management HTTPS using the Mycert Certificate ..... 6
Configuring the vGW Virtual Gateway Automatic Zone Synchronization Process ..... 7
Integrating SRX Series IPS and the vGW Virtual Gateway ..... 8
Configuration Steps ..... 8
Integrating the vGW Virtual Gateway and the STRM Series ..... 12
Configuring the vGW Virtual Gateway Security Design VM to Send System Log and NetFlow Data to STRM Series ..... 13
Configuring the STRM Series to Receive vGW System Log and NetFlow Data ..... 13
Summary ..... 15
About Juniper Networks ..... 15
Table of Figures
Figure 1. Juniper Networks two-tier data center architecture ..... 4
Figure 2. SRX Series and vGW integrated solution ..... 5
Figure 3. Configuring the SRX Series zone synchronization with vGW ..... 7
Figure 4. Configuring controls for synchronization update intervals ..... 8
Figure 5. Configuring SRX Series IPS (SRX-IPS) as the external inspection device ..... 9
Figure 6. Configuring vGW security design VM to send system log and NetFlow data to STRM Series ..... 13
Figure 7. Configuring the STRM Series to receive vGW system logs ..... 14
Figure 8. Configuring the STRM Series to receive vGW NetFlow data ..... 14
Introduction
Thanks to the exploding adoption of virtualization, a new type of data center is here. Architected for cloud computing, this new data center is a combination of physical servers and virtual workloads, and this means that the data center requires an even more pervasive range of security options. As nearly every business and organization in the world implements some degree of cloud computing, virtualization security will be as integral a component as traditional firewalls are in today's physical networks. In fact, the virtualization security market is one of the fastest growing market segments of this decade, with various analysts forecasting a five-year opportunity from hundreds of millions to billions of dollars. Juniper Networks not only understands the security requirements of the new data center, but Juniper's solutions are prepared to adequately address these needs. Combining the new Juniper Networks vGW Virtual Gateway with the high-end Juniper Networks SRX Series Services Gateways, Juniper offers the most comprehensive security suite for all critical workloads, regardless of the platform on which they run. In addition, vGW integrates with Juniper Networks STRM Series Security Threat Response Managers, providing visibility into the virtualized data center environment and enabling compliance as well. It provides integrated, consolidated log and flow statistics from both physical and virtual environments.
Scope
This paper specifically highlights the integration aspects of Juniper Networks virtualization security solution. It emphasizes implementation details around how the SRX Series Services Gateways and STRM Series Security Threat Response Managers can be integrated with the vGW Virtual Gateway to provide seamless physical and virtual security, and to enable compliance in the cloud-ready data center. This paper covers integration aspects of the vGW with other types of Juniper data center security products, such as SRX Series and STRM Series devices. This application note assumes that readers are basically familiar with the administration aspects of the products discussed, and is not a replacement for the individual product user guides. Note: The design and implementation of vGW itself is out of the scope of this paper.
Design Considerations
Hardware Requirements
Juniper Networks SRX3000 line of services gateways
Juniper Networks SRX5000 line of services gateways
Juniper Networks STRM Series Security Threat Response Managers
Juniper Networks EX Series Ethernet Switches
Software Requirements
VMware vCenter
VMware ESXi
Juniper Networks vGW Virtual Gateway software
Description and Deployment Scenario
Fundamental to virtual data center and cloud security is the control of access to virtual machines (VMs) for the specific business purposes sanctioned by the organization. At its foundation, the vGW is a hypervisor-based, VMsafe-certified, stateful virtual firewall that inspects all packets to and from VMs, blocking all unapproved connections. Administrators can enforce stateful virtual firewall policies for individual VMs, logical groups of VMs, or all VMs. Global, group, and single-VM rules ensure easy creation of trust zones with strong control over high-value VMs, while enabling enterprises to take full advantage of many virtualization benefits. The Juniper Networks vGW Virtual Gateway is a software product designed for securing virtualized data centers and clouds. The vGW is based on the technology of Altor Networks, a leading innovator of virtual firewalls that Juniper acquired on December 6, 2010. The vGW is a comprehensive hypervisor-based virtualization security solution that enforces granular access control down to the individual VM. The vGW integrates tightly with existing security technologies, including the STRM Series, as well as the SRX Series high-performance security services gateways.
Figure 1. Juniper Networks two-tier data center architecture [figure: MX Series, SRX Series (security), EX Series (switching)]
Figure 2. SRX Series and vGW integrated solution [figure: vGW Virtual Gateway, SRX Series Services Gateways and STRM Series Security Threat Response Managers; step 1 "Set Policy" with a zone/VLAN policy table: WEB-to-CRM TCP/88 ACCEPT, PRE-PROD-to-WEB ANY DENY, PRE-PROD-to-CRM ANY DENY; two EX4200 switches with trunk ports to hosts ESX 1 and ESX 11, each running several VMs; VLAN=120 PRE-PROD]
Zone synchronization between the SRX Series and vGW gives implementers:
Guaranteed integrity of zones on the hypervisor (virtualization operating system)
Automation and verification that VM connectivity does not violate zone policy
Enhancement of the SRX Series network with knowledge of VMs and their zone location
For a more detailed white paper on the physical and virtual security integration, please refer to www.juniper.net/us/en/local/pdf/whitepapers/2000431-en.pdf.
Configuring the vGW Virtual Gateway and SRX Series Services Gateways Interoperation
Before configuring interoperability between the vGW and the SRX Series, administrators must enable the Junoscript interface on the SRX Series, because the vGW uses it to communicate with the SRX Series device.
[edit]
user@host# set system services web-management https local-certificate mycert
user@srx# set system services web-management https interface ge-0/0/0.0
user@srx# set system services web-management https port 443
1. Configure the IP address for the interface, if it is not already configured.
2. Enable Junoscript communications using the newly created certificate:
[edit]
user@srx# set system services xnm-ssl local-certificate mycert
Integrating SRX Series IPS and the vGW Virtual Gateway
Configuration Steps
1. On the vGW security design interface, first specify the external inspection device IP address, as shown in Figure 5. The vGW firewall module encapsulates the raw packets in a generic routing encapsulation (GRE) layer and sends them to the IP address of the external inspection device, with the address of that hypervisor's security VM as the source address.
Figure 5. Configuring SRX Series IPS (SRX-IPS) as the external inspection device
On the data center SRX Series cluster, GRE tunnels must be created from each security VM to the SRX Series GRE interface. An interface in the same subnet as the security VMs must be created on the SRX Series. In this case, assume three ESXi hosts with three security VMs installed, and that the IP addresses of the three security VMs are 10.13.98.231, 10.13.98.232, and 10.13.98.233.
1. Configure the GRE interface on the SRX Series device that will terminate the GRE tunnels from the three security VMs.
{primary:node0}[edit]
root@SRX-DC-1-NODE-0# show interfaces ge-1/0/1
description "GRE tunnels from the vGW SVMs.";
unit 0 {
    family inet {
        address 10.13.98.220/24;
    }
}
{primary:node0}[edit]
root@SRX-DC-1-NODE-0#
2. Configure three separate GRE tunnels, one from each security VM to the GRE interface created in the previous code snippet, and specify the destination routing instance as External-Inspection, which points to the routing table containing the tunnel destination address.
{primary:node0}[edit]
root@SRX-DC-1-NODE-0# show interfaces gr-0/0/0
unit 0 {
    tunnel {
        source 10.13.98.220;
        destination 10.13.98.231;
        routing-instance {
            destination External-Inspection;
        }
    }
    family inet;
}
unit 1 {
    tunnel {
        source 10.13.98.220;
        destination 10.13.98.232;
        routing-instance {
            destination External-Inspection;
        }
    }
    family inet;
}
unit 2 {
    tunnel {
        source 10.13.98.220;
        destination 10.13.98.233;
        routing-instance {
            destination External-Inspection;
        }
    }
    family inet;
}
An outbound interface (and zone), ge-1/0/0.999, was created for the mirrored packets so that the policy lookup completes and a flow is created. This interface ultimately black-holes the packets.
{primary:node0}[edit]
root@SRX-DC-1-NODE-0# show interfaces ge-1/0/0
vlan-tagging;
unit 999 {
    vlan-id 999;
    family inet {
        filter {
            input drop-all;
            output drop-all;
        }
        address 9.9.9.9/30 {
            arp 9.9.9.10 mac aa:bb:cc:dd:ee:ff;
        }
    }
}
3. Configure all three interfaces (discussed above) into the same zone and into a separate routing instance whose default route points to the 9.9.9.9 address that was configured with a static Address Resolution Protocol (ARP) entry, as shown in the previous code snippet.
{primary:node0}[edit]
root@SRX-DC-1-NODE-0# show routing-instances External-Inspection
instance-type virtual-router;
interface gr-0/0/0.0;
interface gr-0/0/0.1;
interface gr-0/0/0.2;
interface ge-1/0/0.999;
interface ge-1/0/1.0;
routing-options {
{primary:node0}[edit]
root@SRX-DC-1-NODE-0# show security zones security-zone vGW-Trust
host-inbound-traffic {
    system-services {
        all;
    }
    protocols {
        all;
    }
}
interfaces {
    gr-0/0/0.0;
    gr-0/0/0.1;
    gr-0/0/0.2;
    ge-1/0/1.0;
    ge-1/0/0.999;
}
{primary:node0}[edit]
The drop-all firewall filter is applied in both directions to the sink interface, ge-1/0/0.999:
root@SRX-DC-1-NODE-0# show interfaces ge-1/0/0.999
vlan-id 999;
family inet {
    filter {
        input drop-all;
        output drop-all;
    }
    address 9.9.9.9/30 {
        arp 9.9.9.10 mac aa:bb:cc:dd:ee:ff;
    }
}
root@SRX-DC-1-NODE-0# show firewall
family inet {
    filter drop-all {
        term 1 {
            then {
                count sunk;
                discard;
            }
        }
    }
}
4. Configure a security policy for traffic entering and leaving the vGW trust zone with intrusion detection and prevention (IDP) invoked.
root@SRX-DC-1-NODE-0# show security policies from-zone vGW-Trust to-zone vGW-Trust
policy permit {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            application-services {
                idp;
            }
        }
        log {
            session-init;
            session-close;
        }
    }
}
With this configuration, a copy of all traffic from the vGW security VMs is tunneled into the SRX Series IDP engine for inspection. For details on configuring IDP policies, please refer to the Juniper Networks Junos OS Security Configuration Guide at www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/security/junos-security-swconfig-security.pdf.
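The configuration steps above, together with the Junoscript and web-management HTTPS settings earlier in this note, can be checked offline before a commit. The following Python script is an added example and is not Juniper code or part of the original application note. It parses Junos curly-brace configuration text into nested dictionaries and verifies that xnm-ssl and web-management HTTPS share one local certificate, that each security VM address has a GRE tunnel unit routed through the External-Inspection instance, that every tunnel and the sink interface belong to both the vGW-Trust zone and the routing instance, that the sink interface discards in both directions, and that the intra-zone policy invokes IDP. The embedded configuration is a constructed sample assembled from the snippets above; the function names and finding messages are the example's own.

```python
"""Offline checks for the SRX external-inspection configuration (added example, not Juniper code)."""
import re

# Constructed sample modelled on the note's snippets; the system stanza is the
# hierarchical form of the 'set' commands shown for web-management HTTPS and xnm-ssl.
SAMPLE_CONFIG = """
system { services { web-management { https { local-certificate mycert; interface ge-0/0/0.0; port 443; } }
                    xnm-ssl { local-certificate mycert; } } }
interfaces {
    gr-0/0/0 {
        unit 0 { tunnel { source 10.13.98.220; destination 10.13.98.231; routing-instance { destination External-Inspection; } } family inet; }
        unit 1 { tunnel { source 10.13.98.220; destination 10.13.98.232; routing-instance { destination External-Inspection; } } family inet; }
        unit 2 { tunnel { source 10.13.98.220; destination 10.13.98.233; routing-instance { destination External-Inspection; } } family inet; } }
    ge-1/0/0 { vlan-tagging; unit 999 { vlan-id 999; family inet { filter { input drop-all; output drop-all; }
                                          address 9.9.9.9/30 { arp 9.9.9.10 mac aa:bb:cc:dd:ee:ff; } } } }
    ge-1/0/1 { unit 0 { family inet { address 10.13.98.220/24; } } } }
firewall { family inet { filter drop-all { term 1 { then { count sunk; discard; } } } } }
routing-instances { External-Inspection { instance-type virtual-router; interface gr-0/0/0.0; interface gr-0/0/0.1;
                                          interface gr-0/0/0.2; interface ge-1/0/0.999; interface ge-1/0/1.0; } }
security {
    zones { security-zone vGW-Trust { interfaces { gr-0/0/0.0; gr-0/0/0.1; gr-0/0/0.2; ge-1/0/1.0; ge-1/0/0.999; } } }
    policies { from-zone vGW-Trust to-zone vGW-Trust { policy permit {
        match { source-address any; destination-address any; application any; }
        then { permit { application-services { idp; } } log { session-init; session-close; } } } } } }
"""
SVM_IPS = ["10.13.98.231", "10.13.98.232", "10.13.98.233"]  # the three security VMs from the note

def tokenize(text):
    """Braces and semicolons become their own tokens; everything else is a word."""
    return re.findall(r'[{};]|"[^"]*"|[^\s{};]+', text)

def parse(tokens):
    """Nested dict: 'stanza header' -> child dict; leaf statements (token lists) under '_stmts'."""
    node, words = {"_stmts": []}, []
    for tok in tokens:
        if tok == "{":
            node[" ".join(words)] = parse(tokens)  # recursion shares the iterator
            words = []
        elif tok == "}":
            return node
        elif tok == ";":
            node["_stmts"].append(words)
            words = []
        else:
            words.append(tok)
    return node

def get(node, *path):
    """Walk stanza headers; None if any hop is missing."""
    for key in path:
        node = node.get(key) if node is not None else None
    return node

def values(node, first):
    """Trailing words of every leaf statement starting with `first`, e.g. 'interface X;' -> 'X'."""
    return [" ".join(s[1:]) for s in (node or {"_stmts": []})["_stmts"] if s and s[0] == first]

def names(node):
    """Bare leaf statements such as 'gr-0/0/0.0;' in a zone's interfaces list."""
    return [s[0] for s in (node or {"_stmts": []})["_stmts"] if s]

def check_external_inspection(text, svm_ips, zone="vGW-Trust", ri="External-Inspection", sink="ge-1/0/0.999"):
    """Return a list of findings; an empty list means the configuration passes every check."""
    cfg, findings = parse(iter(tokenize(text))), []
    # 1. Junoscript over SSL must be enabled and use the same certificate as web-management HTTPS.
    xnm = values(get(cfg, "system", "services", "xnm-ssl"), "local-certificate")
    https = values(get(cfg, "system", "services", "web-management", "https"), "local-certificate")
    if not xnm:
        findings.append("xnm-ssl has no local-certificate; vGW cannot reach Junoscript over SSL")
    elif xnm != https:
        findings.append(f"xnm-ssl certificate {xnm} differs from web-management HTTPS certificate {https}")
    # 2. One GRE tunnel unit per security VM, each routed through the inspection routing instance.
    tunnels = {}  # tunnel destination (security VM) -> logical interface such as gr-0/0/0.0
    for ifname, ifnode in (get(cfg, "interfaces") or {}).items():
        if not ifname.startswith("gr-"):
            continue
        for key, unit in ifnode.items():
            if not key.startswith("unit "):
                continue
            tunnel = get(unit, "tunnel")
            for dest in values(tunnel, "destination"):
                ifl = f"{ifname}.{key.split()[1]}"
                if values(get(tunnel, "routing-instance"), "destination") != [ri]:
                    findings.append(f"{ifl}: tunnel to {dest} is not placed in routing-instance {ri}")
                tunnels[dest] = ifl
    findings += [f"no GRE tunnel terminates security VM {ip}" for ip in svm_ips if ip not in tunnels]
    # 3. Every tunnel and the sink interface must sit in the zone and in the routing instance.
    in_zone = set(names(get(cfg, "security", "zones", f"security-zone {zone}", "interfaces")))
    in_ri = set(values(get(cfg, "routing-instances", ri), "interface"))
    for ifl in sorted(set(tunnels.values()) | {sink}):
        if ifl not in in_zone:
            findings.append(f"{ifl} is not in security zone {zone}")
        if ifl not in in_ri:
            findings.append(f"{ifl} is not in routing-instance {ri}")
    # 4. The sink interface must discard in both directions, or mirrored copies could leave the box.
    phys, unit_no = sink.split(".")
    sink_filters = get(cfg, "interfaces", phys, f"unit {unit_no}", "family inet", "filter")
    for direction in ("input", "output"):
        fnames = values(sink_filters, direction)
        if not fnames:
            findings.append(f"{sink} has no {direction} firewall filter")
            continue
        fnode = get(cfg, "firewall", "family inet", f"filter {fnames[0]}") or {}
        if not any(["discard"] in (get(term, "then") or {}).get("_stmts", [])
                   for key, term in fnode.items() if key.startswith("term ")):
            findings.append(f"{direction} filter {fnames[0]} on {sink} has no discard term")
    # 5. The intra-zone policy must hand permitted sessions to the IDP engine.
    pair = get(cfg, "security", "policies", f"from-zone {zone} to-zone {zone}") or {}
    if not any(["idp"] in (get(pol, "then", "permit", "application-services") or {}).get("_stmts", [])
               for key, pol in pair.items() if key.startswith("policy ")):
        findings.append(f"no {zone} intra-zone policy invokes idp; tunneled traffic is never inspected")
    return findings

if __name__ == "__main__":
    problems = check_external_inspection(SAMPLE_CONFIG, SVM_IPS)
    print("PASS: configuration matches the external-inspection design" if not problems else "\n".join(problems))
```

To run it against a real device, replace SAMPLE_CONFIG with saved `show configuration` output; the parser understands only the curly-brace syntax shown here, so strip `##` comment lines first. Each finding names the interface, filter or policy involved, so a failed check maps directly back to one of the numbered steps above.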
Configuring the vGW Virtual Gateway Security Design VM to Send System Log and NetFlow Data to STRM Series
To configure the vGW security design VM to send system log (syslog) and NetFlow information to the STRM Series:
1. Configure external logging in the vGW security design VM settings module.
a. Select Settings -> Security Settings -> Global -> External Logging.
b. Specify the IP address of the STRM Series device.
c. On the same screen, configure NetFlow. Enter the STRM Series IP address in the NetFlow Configuration window, as shown in Figure 6.
Figure 6. Configuring vGW security design VM to send system log and NetFlow data to STRM Series
Configuring the STRM Series to Receive vGW System Log and NetFlow Data
You can configure the STRM Series device or STRM Series Log Manager to log and correlate events received from external sources such as security equipment (firewalls) and network equipment (switches and routers). Device Support Modules (DSMs) allow you to integrate STRM Series devices or the STRM Series Log Manager with these external devices.
1. Download the latest real-time performance monitoring (RPM) data for the STRM Series version, which includes the vGW DSM (device specific module), from the Juniper support site and install it. Make sure you have Juniper's vGW DSM installed.
2. Log into the STRM Series admin user interface.
3. Navigate to Admin -> Data Sources -> Events -> Log Sources and add a new log source. Make sure that you select Juniper vGW for the Log Source Type, which assigns the vGW DSM when parsing the logs from the vGW security design VM.
Summary
Today's data center is increasingly a combination of physical servers and virtual workloads, architected for cloud computing and requiring a flexible suite of robust security options. Juniper Networks understands the security requirements of the new data center. Combining the vGW Virtual Gateway with high-end SRX Series Services Gateways, Juniper offers the most comprehensive security suite for all critical workloads, a solution that provides consistent security policy throughout the physical network and within the virtualized network as well, to deliver best-in-class security for the data center. By leveraging the STRM Series Security Threat Response Managers for centralized logging and monitoring, enterprise administrators gain visibility into their data center environments for needed security and compliance.
Corporate and Sales Headquarters Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA Phone: 888.JUNIPER (888.586.4737) or 408.745.2000 Fax: 408.745.2100 www.juniper.net
APAC Headquarters Juniper Networks (Hong Kong) 26/F, Cityplaza One 1111 King's Road Taikoo Shing, Hong Kong Phone: 852.2332.3636 Fax: 852.2574.7803
EMEA Headquarters Juniper Networks Ireland Airside Business Park Swords, County Dublin, Ireland Phone: 35.31.8903.600 EMEA Sales: 00800.4586.4737 Fax: 35.31.8903.601
To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or authorized reseller.
Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
3500207-001-EN
Sept 2011