Security & Mobility Now
Security is top-of-mind everywhere, especially right here where Juniper experts share their thoughts on the latest security breakthroughs and product advancements
rich_langston

Virtualized Security – Many things to many people

by Juniper Employee 07-11-2011 11:58 AM - edited 07-12-2011 11:22 AM

These days, terms like virtualization and “the cloud” are tossed around rather indiscriminately. However, as technical terms go, they are remarkably ambiguous. Add the term “security” and things become even murkier. What does it mean to virtualize security? If I’m virtualizing some of my servers, do I need to virtualize some of my security?

Let’s take a few minutes to talk about the goals of security, and how we carry these forward into a virtual world. This conversation will focus on security inside your own data center, and is applicable from the traditional data center to the “private cloud”.

A huge part of the security challenge of virtualization is around separation of one set of servers from another. Depending on your application, you may want to ensure traffic separation, administrative domains, or logging separation. If your virtualization plans don’t need any different treatment of your traffic, then you probably don’t need to worry about virtualizing your security layer.

Most virtualization projects start with the need to keep data separate. Typical drivers include a need for demonstrable regulatory compliance, control of personal information, and data center consolidation (collapsing/combining different departments onto the same physical servers and networking gear, for example).

Juniper’s Datacenter SRX firewall line has a few tools we can use to separate traffic, administration, and reporting. Let’s look at when to use zones, virtual routers, and the new Logical Systems technology.

Security zones create policy demarcation and enforcement points. A zone is a set of interfaces, and security policy is written between pairs of zones (from-zone, to-zone), so traffic entering a particular zone can be treated differently based on where it is coming from. Zones are the building blocks of security policy and can provide a high level of data separation, provided the default policy is deny-all, so that nothing crosses a zone boundary unless a policy explicitly permits it. A typical use is setting a higher security bar for your PCI payment servers than for your intranet.

Using zones, you can build a rock-solid configuration to keep traffic where it belongs. However, in a very large network, it might be difficult, or too complex, to build these policies. Or, sometimes, it may be essential that specific traffic streams never come into contact. Take, for example, credit card or transaction data inside an enterprise, or two different customers in a managed data center.

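As an added example that is not from the original post, here is a minimal Junos set-style configuration for the PCI case above: an intranet zone, a PCI zone, one explicit permit, an explicit logged deny, and a deny-all default. The interface names, the 10.10.0.0/24 and 10.20.0.0/24 addresses, the zone and policy names and the pci-web host are all assumptions for illustration. Lines beginning with # are annotations for the reader, not CLI input.

```junos
# Interfaces: one facing the intranet, one facing the cardholder-data segment.
set interfaces ge-0/0/0 unit 0 family inet address 10.10.0.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.20.0.1/24

# Zones are sets of interfaces; policy is written between zone pairs.
set security zones security-zone intranet interfaces ge-0/0/0.0
set security zones security-zone pci interfaces ge-0/0/1.0
set security zones security-zone pci address-book address pci-web 10.20.0.10/32

# intranet -> pci: only HTTPS to the payment web front end, logged on session close.
set security policies from-zone intranet to-zone pci policy allow-payment-https match source-address any
set security policies from-zone intranet to-zone pci policy allow-payment-https match destination-address pci-web
set security policies from-zone intranet to-zone pci policy allow-payment-https match application junos-https
set security policies from-zone intranet to-zone pci policy allow-payment-https then permit
set security policies from-zone intranet to-zone pci policy allow-payment-https then log session-close

# Explicit catch-all deny with logging, so blocked attempts show up in the
# logs rather than being dropped silently by the default policy.
set security policies from-zone intranet to-zone pci policy deny-rest match source-address any
set security policies from-zone intranet to-zone pci policy deny-rest match destination-address any
set security policies from-zone intranet to-zone pci policy deny-rest match application any
set security policies from-zone intranet to-zone pci policy deny-rest then deny
set security policies from-zone intranet to-zone pci policy deny-rest then log session-init

# No pci -> intranet policy at all: with deny-all as the default, nothing that
# originates in the PCI zone can reach the intranet. Intra-zone traffic is also
# subject to policy, so pci -> pci is blocked too unless a policy permits it.
set security policies default-policy deny-all
```

Policies within a zone pair are evaluated top-down, so the order in which they are entered matters; `show security policies from-zone intranet to-zone pci` confirms the order, and `show security flow session destination-prefix 10.20.0.10` shows whether the sessions being built are the ones the permit rule was written for.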
To simplify things in these cases, virtual routers (VRs) can be used. VRs essentially allow you to segment a single physical hardware firewall into from two to 1,000 virtual firewall/routers, each with its own routing table.

Virtual routers keep traffic separate by having completely different routing tables and instances, each with its own interfaces and peering relationships. Because one VR holds no route to another VR’s networks, two virtual routers cannot communicate on-box by default. Junos does let you explicitly configure routing between VRs (for example, a static route whose next hop is another VR’s routing table) where a controlled exception is needed; even then, the session still has to pass the zone policy between the two VRs’ zones. Unless such routing is configured, traffic in the two VRs passes as ‘two ships in the night’, despite the fact that it runs over the same physical hardware.

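As an added example that is not from the original post: two tenants in separate virtual routers on one SRX, fully isolated, followed by one deliberate one-way exception to a shared service. Interface, VR, zone and address names, and the 10.30.0.0/24 and 10.40.0.0/24 prefixes, are assumptions for illustration. Lines beginning with # are annotations, not CLI input.

```junos
# Tenant-facing interfaces.
set interfaces ge-0/0/2 unit 0 family inet address 10.30.0.1/24
set interfaces ge-0/0/3 unit 0 family inet address 10.40.0.1/24

# One virtual router per tenant, each with its own table and its own default route.
set routing-instances cust-a instance-type virtual-router
set routing-instances cust-a interface ge-0/0/2.0
set routing-instances cust-a routing-options static route 0.0.0.0/0 next-hop 10.30.0.254

set routing-instances cust-b instance-type virtual-router
set routing-instances cust-b interface ge-0/0/3.0
set routing-instances cust-b routing-options static route 0.0.0.0/0 next-hop 10.40.0.254

# Zones are still required: an interface must belong to a zone to pass traffic,
# and zone policy is enforced on top of the routing separation.
set security zones security-zone cust-a-lan interfaces ge-0/0/2.0
set security zones security-zone cust-b-lan interfaces ge-0/0/3.0
set security policies default-policy deny-all

# At this point cust-a.inet.0 has no route to 10.40.0.0/24 and vice versa, so the
# two tenants cannot reach each other on-box even if a policy permitted it.

# Controlled exception: cust-a may query one DNS server hosted in cust-b.
# The route is installed in cust-a's table only, pointing at cust-b's table;
# a matching zone policy is also required or the session is still dropped.
set routing-instances cust-a routing-options static route 10.40.0.100/32 next-table cust-b.inet.0
set security zones security-zone cust-b-lan address-book address shared-dns 10.40.0.100/32
set security policies from-zone cust-a-lan to-zone cust-b-lan policy to-shared-dns match source-address any
set security policies from-zone cust-a-lan to-zone cust-b-lan policy to-shared-dns match destination-address shared-dns
set security policies from-zone cust-a-lan to-zone cust-b-lan policy to-shared-dns match application junos-dns-udp
set security policies from-zone cust-a-lan to-zone cust-b-lan policy to-shared-dns then permit
```

After committing, `show route table cust-a.inet.0` should list exactly the connected subnet, the default route and the single next-table route; anything else means the separation has a hole. Junos refuses to commit the mirror-image next-table route from cust-b back into cust-a.inet.0 as a routing loop, so if two tenants genuinely need two-way reachability, that is done with rib-groups or a pair of lt- interfaces, and each of those is a deliberate, visible hole in the separation rather than an accident.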
While zones and VRs give tools for traffic separation, they don’t offer any meaningful way to separate administration, reporting, or budgeting of system-level resources. For these problems, Junos Logical Systems are the answer.

Logical Systems, or LSYS, effectively separate a single physical SRX into a collection of independent virtual firewalls. Each LSYS has its own administrators, log files, routing tables, zones and security policies, and an LSYS administrator can configure and view only their own logical system. LSYS is the solution if you need to hand off administration of part of the network security to customers or to another administrative department, while still sharing the hardware firewall.

LSYS also allows centralized control of resources, such as sessions, that are used in the system. This allows protection of resources so that one LSYS can’t consume all of the system resources needed by the other LSYSs running on the same physical SRX.

Junos also has the flexibility to use all of these constructs together. For example, zones can be used inside virtual routers. Even better, multiple VRs (each with multiple zones) can also be used inside an LSYS. I’ll blog some examples of customer configurations in the near future to give ideas on how to decide between all these security constructs.

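As an added example that is not from the original post, and that combines the LSYS, resource-control and nesting points of the three paragraphs above: the root administrator carves out a logical system for one tenant, gives it a VR with its own zones and policies, a resource budget, and an administrator account scoped to that LSYS only. Names, interfaces and addresses are assumptions for illustration, and the numeric limits are arbitrary example values. Lines beginning with # are annotations, not CLI input.

```junos
# Hand two physical interfaces to the tenant's logical system. Inside the LSYS
# the tenant gets its own VR, zones and policies, and cannot see any other
# logical system's configuration or logs.
set logical-systems cust-a interfaces ge-0/0/2 unit 0 family inet address 10.30.0.1/24
set logical-systems cust-a interfaces ge-0/0/4 unit 0 family inet address 192.0.2.2/30

# A virtual router nested inside the LSYS, holding both interfaces.
set logical-systems cust-a routing-instances cust-a-vr instance-type virtual-router
set logical-systems cust-a routing-instances cust-a-vr interface ge-0/0/2.0
set logical-systems cust-a routing-instances cust-a-vr interface ge-0/0/4.0
set logical-systems cust-a routing-instances cust-a-vr routing-options static route 0.0.0.0/0 next-hop 192.0.2.1

# Zones and policy nested inside the LSYS: outbound only, deny-all otherwise.
set logical-systems cust-a security zones security-zone lan interfaces ge-0/0/2.0
set logical-systems cust-a security zones security-zone wan interfaces ge-0/0/4.0
set logical-systems cust-a security policies from-zone lan to-zone wan policy outbound match source-address any
set logical-systems cust-a security policies from-zone lan to-zone wan policy outbound match destination-address any
set logical-systems cust-a security policies from-zone lan to-zone wan policy outbound match application any
set logical-systems cust-a security policies from-zone lan to-zone wan policy outbound then permit
set logical-systems cust-a security policies default-policy deny-all

# Resource budget, configured by root. 'reserved' is guaranteed to this LSYS,
# 'maximum' is the cap it can grow to. Flow sessions are the one most worth
# bounding: a tenant under attack would otherwise fill the session table for all.
set system security-profile cust-a-profile flow-session reserved 10000
set system security-profile cust-a-profile flow-session maximum 50000
set system security-profile cust-a-profile policy maximum 200
set system security-profile cust-a-profile zone maximum 20
set system security-profile cust-a-profile logical-system cust-a

# Tenant administrator: full permissions, but only within the cust-a LSYS.
set system login class cust-a-admin logical-system cust-a
set system login class cust-a-admin permissions all
set system login user cust-a-ops class cust-a-admin
```

The password for cust-a-ops is set interactively with `set system login user cust-a-ops authentication plain-text-password`. Logging in as cust-a-ops lands the user directly in the cust-a context, where `show configuration` returns only this tenant’s configuration; from root, `show system security-profile flow-session logical-system cust-a` shows current session use against the reserved and maximum values, which is the number to watch when deciding whether a tenant’s budget is too small or too generous.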
I’ll also blog about vGW hypervisor security, and how it is complementary to the virtualization features in Junos.
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.