These days, terms like virtualization and “the cloud” are tossed around rather indiscriminately. However, as technical terms go, they are remarkably ambiguous. Add the term “security” and things become even murkier. What does it mean to virtualize security? If I’m virtualizing some of my servers, do I need to virtualize some of my security?
Let’s take a few minutes to talk about the goals of security, and how we carry these forward into a virtual world. This conversation will focus on security inside your own data center, and applies equally to the traditional data center and the “private cloud”.
A huge part of the security challenge of virtualization is around separation of one set of servers from another. Depending on your application, you may want to ensure traffic separation, administrative domains, or logging separation. If your virtualization plans don’t need any different treatment of your traffic, then you probably don’t need to worry about virtualizing your security layer.
Most virtualization projects start with the need to keep data separate. Typical drivers include a need for demonstrable regulatory compliance, control of personal information, and data center consolidation (collapsing/combining different departments onto the same physical servers and networking gear, for example).
Juniper’s Datacenter SRX firewall line has a few tools we can use to separate traffic, administration, and reporting. Let’s look at when to use zones, virtual routers, and the new Logical Systems technology.
Security zones create policy demarcation and enforcement points. These allow you to treat traffic entering a particular zone differently based on where it is coming from. Zones are the building blocks of security policy, and can provide a high level of data separation. Typical uses include setting a higher security bar for your PCI payment servers, for example, than for your intranet.
Using zones, you can build a rock-solid configuration to keep traffic where it belongs. However, in a very large network, it might be difficult, or too complex, to build these policies. Or, sometimes, it may be essential that specific traffic streams never come into contact. Take, for example, credit card or transaction traffic inside an enterprise, or two different customers in a managed data center.
To simplify things in these cases, virtual routers (VRs) can be used. VRs essentially allow you to segment a single physical hardware firewall into two to 1,000 virtual firewall/routers.
Virtual routers keep traffic separate by having completely different routing tables and instances – each with their own peering relationships. This, by definition, means that two virtual routers can’t communicate on-box. Junos features the flexibility to explicitly configure routing between VRs as a convenience. Unless some routing is configured between VRs, traffic essentially passes as ‘two ships in the night’, despite the fact that it runs over the same physical hardware.
While zones and VRs give tools for traffic separation, they don’t offer any meaningful way to separate administration, reporting, or budgeting of system-level resources. For these problems, Junos Logical Systems are the answer.
Logical Systems, or LSYS, effectively separate a single physical SRX into a collection of independent virtual firewalls. These firewalls have their own administrators, log files, and routing tables. LSYS is the solution if you need to hand off administration of part of the network security to customers or another administrative department, while still sharing the hardware firewall.
LSYS also allows centralized control of resources, such as sessions, that are used in the system. This allows protection of resources so that one LSYS can’t consume all of the system resources needed by the other LSYSs running on the same physical SRX.
Junos also has the flexibility to use all of these constructs together. For example, zones can be used inside virtual routers. Even better, multiple VRs (each with multiple zones) can also be used inside an LSYS. I’ll blog some examples of customer configurations in the near future to give ideas on how to decide between all these security constructs.
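To make the layering concrete, here is an added example (not from this post or from any Juniper document) of Junos set-style configuration that carves out one logical system for a hypothetical tenant, gives it a session budget and its own administrator, and places a virtual router with two zones and a restrictive policy inside it. The LSYS, VR, zone and user names, the interfaces and the 10.x addresses are all assumptions chosen for illustration.

```junos
# Added example, not the post's own configuration. Names, interfaces and
# addresses below are assumptions for illustration only.

# 1. Resource budget: cap flow sessions so this LSYS cannot starve the
#    other LSYSs sharing the same physical SRX.
set system security-profile SP-CUSTA flow-session maximum 20000
set system security-profile SP-CUSTA flow-session reserved 5000
set system security-profile SP-CUSTA logical-system LSYS-CUSTA

# 2. A login class scoped to this LSYS, so the tenant's administrator
#    can manage only their own virtual firewall.
set system login class lsys-custa-admin logical-system LSYS-CUSTA
set system login class lsys-custa-admin permissions all
set system login user custa-admin class lsys-custa-admin

# 3. Interfaces handed to the tenant's logical system.
set logical-systems LSYS-CUSTA interfaces ge-0/0/2 unit 0 family inet address 10.10.1.1/24
set logical-systems LSYS-CUSTA interfaces ge-0/0/3 unit 0 family inet address 10.10.2.1/24

# 4. Virtual router inside the LSYS: its own routing table, so nothing
#    reaches another VR unless routing between them is configured.
set logical-systems LSYS-CUSTA routing-instances VR-CUSTA instance-type virtual-router
set logical-systems LSYS-CUSTA routing-instances VR-CUSTA interface ge-0/0/2.0
set logical-systems LSYS-CUSTA routing-instances VR-CUSTA interface ge-0/0/3.0

# 5. Zones inside that VR: card-processing servers versus the intranet.
set logical-systems LSYS-CUSTA security zones security-zone PCI interfaces ge-0/0/2.0
set logical-systems LSYS-CUSTA security zones security-zone INTRANET interfaces ge-0/0/3.0

# 6. Policy: the intranet may reach PCI only over HTTPS; everything else
#    from INTRANET to PCI is denied and logged. No PCI-to-INTRANET policy
#    exists, so PCI cannot initiate sessions toward the intranet.
set logical-systems LSYS-CUSTA security policies from-zone INTRANET to-zone PCI policy intranet-to-pci-https match source-address any
set logical-systems LSYS-CUSTA security policies from-zone INTRANET to-zone PCI policy intranet-to-pci-https match destination-address any
set logical-systems LSYS-CUSTA security policies from-zone INTRANET to-zone PCI policy intranet-to-pci-https match application junos-https
set logical-systems LSYS-CUSTA security policies from-zone INTRANET to-zone PCI policy intranet-to-pci-https then permit
set logical-systems LSYS-CUSTA security policies from-zone INTRANET to-zone PCI policy intranet-to-pci-https then log session-init
set logical-systems LSYS-CUSTA security policies from-zone INTRANET to-zone PCI policy deny-rest match source-address any
set logical-systems LSYS-CUSTA security policies from-zone INTRANET to-zone PCI policy deny-rest match destination-address any
set logical-systems LSYS-CUSTA security policies from-zone INTRANET to-zone PCI policy deny-rest match application any
set logical-systems LSYS-CUSTA security policies from-zone INTRANET to-zone PCI policy deny-rest then deny
set logical-systems LSYS-CUSTA security policies from-zone INTRANET to-zone PCI policy deny-rest then log session-init
```

The explicit deny-rest policy is there for the log entry it produces; the SRX would drop unmatched traffic anyway, but logged denies are what you want when you later have to demonstrate the separation to an auditor.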
I’ll also blog about vGW hypervisor security, and how it is complementary to the virtualization features in Junos.