Source: dia.uniroma3.it, course rcng1011, slides/rcng_07_virtuali...
2 Copyright © 2009 Juniper Networks, Inc. www.juniper.net
VIRTUALIZATION TECHNOLOGIES
Server Virtualization
• Segmentation of physical servers into multiple OS instances
• VMware, XenSource, Microsoft Hyper-V, Oracle OVM, IBM PowerVM, Red Hat KVM
Desktop Virtualization
• Complete management of offline user desktops with remote access and local use modes
• VMware View, Microsoft TermServ NG (Kidaro), Citrix Presentation Server, RingCube vDesk, MokaFive
Application Virtualization
• Autonomous execution of applications sharing common libraries, for easier maintenance and lower risk
• Microsoft SoftGrid, VMware ThinApp, Altiris, XenApp, AnandTech
Storage Virtualization
• Abstraction of physical storage from logical storage; enables quick data replication and lower data loss risk
• Netapp, EMC, Stor…
I/O Virtualization
• Consolidation of I/O interface types into fewer high-capacity interfaces
• Xsigo, Brocade…NextIO
Network Virtualization
NETWORK VIRTUALIZATION
1. Network Virtualization Across Data Center
2. Strategy and Solution for Server Virtualization
3. Securing the Virtual Data Center
AGENDA
1. How to achieve L2/L3 network virtualization
2. Customer Deployment Scenarios
• Inter-Data Center L2 VLAN stretch connectivity
• Multi-Tiered Enterprise Application design
• L3VPN Network Segmentation for applications, business partners, regulatory compliance
DRIVERS FOR “NETWORK VIRTUALIZATION”
• Establish traffic segmentation and improve privacy
• Increase network resiliency
• Improve network scalability and performance
• Improve security
• Rapidly deploy new services and applications
• Improve end user application performance
• Adhere to regulatory compliance
NETWORK VIRTUALIZATION COMPONENTS
Device Partitioning (1 : N)
• VLAN
• VRF
• IRB
• Virtual Routers
• Virtual Bridging
• Logical Systems
• JCS1200 Logical Systems
Device Aggregation (N : 1)
• Virtual Chassis
• Multi-Chassis LAG
• TX Matrix
• JCS 1200
Network Communication (N : M), virtualization with MPLS
• L3 VPN (MPLS, GRE, IPsec)
• L2 VPN (VPLS, Pseudo-wires, 802.1q)
• Circuit to Packet (TDM, Serial, etc. to IP)
VIRTUALIZATION ATTRIBUTES (MX Series)
Attributes: High-Performance, Scalable, Resilient, Transparent, Secure, Flexible
• Adapt easily to changing business needs
• Hardware and software resiliency, i.e. NSR and ISSU
• Traffic segmentation and application security
• Allow separation of applications and architecture
• Rapidly increase throughput and ports
NETWORK VIRTUALIZATION TECHNOLOGIES
Device Virtualization (One-to-Many): Virtual Router, Bridge Group, Logical Systems, VRF lite, Virtual Switch
• Simplifies configuration; routing and management separation; scalable routing separation; routing separation; scalable switching separation
• Improves device utilization and manageability
Link Virtualization: VLAN, LAG, GRE, MPLS LSP
• Traffic segmentation and priority; scale, bandwidth and resiliency; tunnelling of non-IP traffic
• Improves link utilization, scalability and resiliency
Service Virtualization: L2VPN (L2 point-to-point), VPLS (L2 point-to-multipoint), L3VPN (L3 multipoint-to-multipoint)
• Privacy, resiliency, traffic engineering, MPLS scalability
• Improves layering of services using secure virtual connectivity
System Virtualization (Many-to-One): Virtual Chassis
• Resiliency; simplifies configuration; service scalability; physical port scalability
• Improves resiliency, scalability and manageability
THE MPLS NETWORK VIRTUALIZATION SOLUTION
MPLS enables one physical network to be configured and operated as many separate virtual networks (L2 or L3 VPN services) over a shared physical network that is secure and reliable, with no compromises.
The result: the diverse needs of business units are satisfied with virtualized networks that cost less and scale effectively to support the largest enterprises.
Simply manage bandwidth needs: MPLS allows optimal utilization of network bandwidth, with allocation per service/application while maintaining the latency requirements of critical applications.
Easily add new applications or networks: new acquisitions and various applications can be added to the network via MPLS VPNs. Each subsidiary or application operates as though it has a private network…over a cost-effective shared infrastructure.
DATA CENTER SERVICES EDGE WITH MPLS
Diagram: EX4200 and EX8216 access/aggregation, MX Series at the L2/L3 boundary, SRX5800 services; VLANs mapped into VRF #1, VRF #2 and VRF #3, each VRF with its own FW, IPS and NAT instance
MX & M Series: powerful, reliable routers for the edge; low latency and scalable multicast
Network Virtualization Boundary: MX in Core & WAN; MPLS and VPLS extend VLANs, enabling mobility
Enterprise Services Edge:
• Cloud/Application Segments - L3 VPN
• VLAN extensions – VPLS
• TDM replacements over IP WAN
• Regulatory compliance
NETWORK VIRTUALIZATION TRANSLATION
Service ID (MPLS Label) | Application / Service | Network Communication | Network Characteristics | Network Technology
L2-0001 | Storage Network | L2 Stretch | RSVP-TE | VPLS
L2-0101 | VMotion POD1 | L2 Stretch | Low Latency | VPLS
L2-0102 | VMotion POD2 | L2 Stretch | Low Latency | VPLS
L3-0001 | Primary Application, Production | L3 Unicast IP | Policy map to Services (SRX) | L3VPN
L3-0002 | Primary Application, Pre-Production | L3 Unicast IP | Policy map to Services (SRX) | L3VPN
L3-0003 | Primary Application, Compliance | L3 Unicast IP | Policy map to Services (SRX) | L3VPN
L3-1001 | Business Partner Access | L3 Unicast IP | Policy map to Services (SRX) | L3VPN Hub and Spoke
M3-0001 | Multicast Application | L3 Multicast | BW constrained | P2MP
Simple example of how customers might track applications/services to VPLS, L3VPN or Multicast VPN from within a data center management system.
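The L3VPN rows in the table (the full-mesh production VPNs and the hub-and-spoke Business Partner Access service) are segmented by BGP route-target policy rather than by anything a VLAN does. The following Python model is an added example written for this page, not Juniper code and not from the slides: it applies the import/export route-target rule to a constructed set of VRFs, derives which sites can reach each other, and audits the policy for unintended route leaks. VRF names, site names and route-target values (target:65000:…) are constructed placeholders.

```python
"""Route-target (RT) policy as the segmentation control in MPLS L3VPNs.

Constructed example for this page, not Juniper code. It models the
BGP/MPLS VPN rule that a VPN route is installed in a VRF only if one of the
route's RTs is on that VRF's import list, derives site-to-site reachability
from it for the full-mesh production VPN and the hub-and-spoke partner VPN
of the translation table, and audits the policy for unintended route leaks.
RT values, VRF names and site names are constructed placeholders.
"""
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Vrf:
    name: str
    export_rts: FrozenSet[str]   # RTs attached to routes this VRF advertises
    import_rts: FrozenSet[str]   # RTs a route must carry to enter this VRF


def routes_accepted(sender: Vrf, receiver: Vrf) -> bool:
    """receiver installs sender's prefixes iff their RT sets intersect."""
    return bool(sender.export_rts & receiver.import_rts)


def can_reach(a: Vrf, b: Vrf) -> bool:
    """Two-way IP reachability needs a's table to hold b's prefixes (forward)
    and b's table to hold a's prefixes (return)."""
    return routes_accepted(b, a) and routes_accepted(a, b)


def reachability(vrfs: Iterable[Vrf]) -> Dict[Tuple[str, str], bool]:
    """{(src, dst): reachable} over all ordered pairs of distinct VRFs."""
    vrfs = list(vrfs)
    return {(a.name, b.name): can_reach(a, b) for a, b in permutations(vrfs, 2)}


def full_mesh(names: Iterable[str], rt: str) -> List[Vrf]:
    """Every site imports and exports the same RT: any-to-any."""
    return [Vrf(n, frozenset({rt}), frozenset({rt})) for n in names]


def hub_and_spoke(hub: str, spokes: Iterable[str], rt_hub: str, rt_spoke: str) -> List[Vrf]:
    """Spokes import only what the hub exports and vice versa, so spokes never
    learn each other's prefixes directly (spoke-to-spoke traffic exists only
    through a route the hub chooses to re-advertise; not modelled here)."""
    vrfs = [Vrf(hub, frozenset({rt_hub}), frozenset({rt_spoke}))]
    vrfs += [Vrf(s, frozenset({rt_spoke}), frozenset({rt_hub})) for s in spokes]
    return vrfs


def leaked_routes(vrfs: Iterable[Vrf], intended: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Audit: (sender, receiver) pairs whose routes cross VRFs although the pair
    is not on the intended list. One-way acceptance counts: a VRF that merely
    learns another segment's prefixes can already send packets to it."""
    vrfs = list(vrfs)
    return sorted((a.name, b.name) for a, b in permutations(vrfs, 2)
                  if routes_accepted(a, b) and (a.name, b.name) not in intended)


# Constructed catalogue mirroring the table: L3-0001 (production, full mesh)
# and L3-1001 (business partner access, hub and spoke).
RT_PROD, RT_HUB, RT_SPOKE = "target:65000:1", "target:65000:1001", "target:65000:1002"
PRODUCTION = full_mesh(["prod-dc1", "prod-dc2", "prod-dc3"], RT_PROD)
PARTNERS = hub_and_spoke("partner-hub", ["partner-a", "partner-b"], RT_HUB, RT_SPOKE)


def intended_pairs() -> Set[Tuple[str, str]]:
    """Segmentation intent: production any-to-any, partners only via the hub."""
    prod = ("prod-dc1", "prod-dc2", "prod-dc3")
    pairs = {(a, b) for a in prod for b in prod if a != b}
    for s in ("partner-a", "partner-b"):
        pairs |= {("partner-hub", s), (s, "partner-hub")}
    return pairs


def misconfigured_partner_b() -> Vrf:
    """A one-line mistake: partner-b additionally imports the production RT."""
    return Vrf("partner-b", frozenset({RT_SPOKE}), frozenset({RT_HUB, RT_PROD}))


if __name__ == "__main__":
    r = reachability(PRODUCTION + PARTNERS)
    print("prod-dc1 -> prod-dc2:", r[("prod-dc1", "prod-dc2")])
    print("partner-a -> partner-b:", r[("partner-a", "partner-b")])
    print("leaks (correct policy):", leaked_routes(PRODUCTION + PARTNERS, intended_pairs()))
    bad = PRODUCTION + PARTNERS[:2] + [misconfigured_partner_b()]
    print("leaks (misconfigured):", leaked_routes(bad, intended_pairs()))
```

Running it shows the production VRFs reaching each other, the two partner spokes reaching only the hub, and a single extra import on partner-b silently pulling production prefixes into the partner segment. The audit deliberately flags one-way acceptance: a VRF that learns another segment's prefixes can already source packets towards it even when replies have no return route, which is why route-target changes belong under the same review as firewall rules.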
NETWORK VIRTUALIZATION ADVANTAGES
• Enables new services/applications onto the network in a matter of minutes: configuration changes add segmented applications without disrupting production services
• Supports network segmentation and privacy: regional-, departmental-, and project-oriented groups have control over their network assets and configurations for M&A and divestitures
• Enhances end-user application experience: traffic engineering enables fine-tuning of the network to deliver appropriate levels of service
• Improves network resiliency: features like Fast Re-Route enable sub-50 msec reroute to maintain real-time traffic during a node or link failure
• Boosts network scalability and performance: scales for future growth
Diagram: MPLS architecture offering seamless network connectivity, scalability, enhanced user experience, improved network resiliency, fast and secure new service creation, and privacy
NETWORK VIRTUALIZATION DEPLOYMENT EXAMPLES WITH MPLS
Diagram 1, Inter-DC L2 Stretch: VM and DB instances in Data Center 1 and Data Center 2 connected by VPLS over an MPLS core, with a network virtualization layer (MX Series) between the VLAN and MPLS domains
Diagram 2, Multi-Tier Applications: MPLS services edge architecture with SRX Series and MX Series fronting DMZ, Extranet, Web, Apps, NOC, NAS, AAA and DB segments behind EX 4200 access
Diagram 3, Regulatory Compliance: a utility provider's converged MPLS-based network (Juniper routers) spanning power generation stations, transmission, distribution, consumers, the Internet and smart meters, with a separate Administrative VPN network and SCADA/Control System VPN network
INTER-DATA CENTER L2 STRETCH CONNECTIVITY
SERVER LIVE MIGRATION AND MIRRORING SERVICES
Diagram: the VM1 VLAN and DB1 VLAN in Data Center 1 are mapped to a VM1 VPLS and a DB1 VPLS at the service edge boundary (MX Series) and carried over the MPLS core to Data Center 2; EX Series switches provide access on both sides
• L2 stretch between Data Centers
• VMotion services
• DB/Storage mirroring
• VLAN to VPLS mapping at Service Edge boundary
MIXED PRIVATE/PUBLIC TRANSPORT WITH PRIVATE MPLS CONFIGURATIONS
Diagram: Data Center 1 and Data Center 2 connected over a private WAN (leased circuits) with two core WAN planes (Plane A and Plane B) carrying a VPLS service or L2VPN; data center core/aggregation layer on MX Series with 16-port 10GE line card
• Suitable for large data centers
• Inter/intra-data center transport over an MPLS super core
• With comprehensive MPLS L2/L3 VPN and VPLS feature set
ENTERPRISE DEPLOYMENT APPLICATIONS
Diagram: Internet / private IP/MPLS WAN connecting a corporate core LAN/WAN, a small campus and a small data center, each with MX80 WAN edge routers; in a large data center MX80s form the access layer behind an M or MX Series WAN edge
• Optimized for Ethernet connectivity: for corporate, small campus and small data center WAN Ethernet edge
• Top-of-rack router in large DCs, bringing the power of MPLS virtualization and L3 to the access layer
• MPLS virtualization in the data center
COMPLETE INTRA- AND INTER-DATA CENTER VIRTUALIZATION SCENARIO
DATA CENTER MPLS / VPLS
Diagram: POD 1 with top-of-rack switches (2 TORs per domain, Dom 1 … Dom N) in a VLAN access layer and an L2 aggregation layer; MX Series as the MPLS service edge (VPLS or L3VPN at the L2/L3 boundary, LDP or RSVP signalling) with SRX5800 firewalls; 10GE LAG uplinks to the inter-DC MPLS core or super core (RSVP/TE), the VLAN/VPLS WAN and optional Internet access
SCALING DATA CENTER MPLS / VPLS
Diagram: the same design repeated for POD 1 … POD N, each POD with its own TOR and L2 aggregation layers and VLANs behind the shared MX Series service edge and SRX5800 firewalls, LDP inside the data center and RSVP/TE towards the MPLS core or super core
DATA CENTER MPLS / VPLS WITH VIRTUAL CHASSIS ON MX
Diagram: the multi-POD design with the MX Series service edge routers operated as a Virtual Chassis
SUMMARY
Network Virtualization in the Data Center with MPLS
• Enables new services/applications onto the network in a matter of minutes
• Supports network segmentation and privacy
• Enhances end-user application experience
• Improves network resiliency
• Boosts network scalability and performance
Diagram: MPLS architecture offering seamless network connectivity, scalability, enhanced user experience, improved network resiliency, fast and secure new service creation, and privacy
STRATEGY AND SOLUTIONS FOR SERVER VIRTUALIZATION
MARKET DRIVERS
• Virtualization server licenses grew 53% in '08 over prior year (IDC Server Virtualization Tracker, December 08)
• VM penetration of installed workloads: installed base grows 10x, from 5.8M at YE 2008 to 58M at YE 2012
• Desktop virtualization software technologies are forecast to grow at a 33.6% compound annual growth rate through 2013 (Gartner Dataquest Insight, January 09)
• 43% of enterprises with 500+ employees and 26% of SMBs (100-499 employees) are using server virtualization (Yankee, July 09)
JUNIPER'S STRATEGY AND SOLUTIONS FOR SERVER VIRTUALIZATION
• Server Virtualization – Before and After
• Impact on Networking
• Network for Virtualized DC
• Feature rich Virtual Switching – VEPA
SERVER VIRTUALIZATION – BEFORE
Diagram: each physical server runs one application on one O/S with two NICs connected to two network switches; the network endpoint is the server NIC
SERVER VIRTUALIZATION - AFTER
Diagram: one server runs a hypervisor hosting VM 1, VM 2 and VM 3 (each with its own application and O/S) attached through virtual ports to a VEB behind the two NICs; the network endpoint becomes a virtual endpoint inside the server
SERVER VIRTUALIZATION: NEW ACCESS LAYER
Diagram: a virtualized vSwitch (control plane + data plane) in every server forms a new access layer run by the server admin, above the old, non-virtualized access layer run by the network operator
New challenges
• Too many switching elements
• Additional switching tiers
• Different management tools for physical and virtual
• Change from traditional roles and responsibilities
• VM network state and policy migration
• Unpredictable performance with software implementations
SERVER VIRTUALIZATION - IMPACT ON NETWORKING
Network
• Large number of endpoints
• VM live migration, flexible VM placement
• VM clusters – mobility, fault tolerance, HA
• Additional switching tiers, switching elements
Management
• Change from traditional roles and responsibilities
• Fragmented networks – lack of network and security policies
• Different management tools
Features
• Feature inconsistency between physical and virtual
• Unpredictable performance with software vSwitches
• Lack of “standards based” solutions; vendor lock-ins
NETWORK FOR VIRTUALIZED DATA CENTER
Support scale
• Enable ubiquitous resource pools: any-to-any connectivity; low latency, high speed
• Provide flat L2 network: Spanning Tree Protocol (STP) free design
• Simplify network design: collapse tiers, reduce number of switching elements
Switching platforms: EX Virtual Chassis, Stratus
Inter-DC L2 domain span: MX – VPLS and MAC VPNs
Security in the DC: SRX and Altor Virtual Firewall
VIRTUAL ETHERNET PORT AGGREGATOR (VEPA)
FEATURE RICH VIRTUAL SWITCHING
VEPA – Virtual Ethernet Port Aggregator
• Gains access to external switch features
− Packet processing (TCAMs, ACLs, etc.)
− Security features such as DHCP guard, ARP monitoring, source port filtering, dynamic ARP protection/inspection, etc.
• Enhances monitoring capabilities
− Statistics
− NetFlow, sFlow, RMON, port mirroring, etc.
• Standards based and interoperable solutions
• Built to fully realize ubiquitous resource pools and flexible VM placement
• VM state and policy migration
FEATURE RICH VIRTUAL SWITCHING - VEPA
Diagram: the VEB / vSwitch model, where VM1, VM2 and VM3 attach to a vSwitch inside the server that connects to the physical switch (pswitch) access port, beside the VEPA model, where VM1, VM2 and VM3 attach to a VEPA that hands every frame to the physical switch access port
VEB / vSwitch
• Currently deployed
• Multiple implementations
• No clean, standard handoffs for signaling VM mobility
VEPA
• Evolving open standard: IEEE 802.1Qbg
• Simple – bypasses “virtual switches” and additional tiers in the network; co-existence possible
• Open – any server, hypervisor and switch
• Scalable – span of VM mobility
• Business agility – automated policy provisioning & migration
BASIC VEPA OPERATION – UNICAST TRAFFIC (diagram-only slide)
BASIC VEPA OPERATION – MULTICAST TRAFFIC (diagram-only slide)
CURRENT STATUS OF VEPA
The IEEE Atlanta plenary meeting in November 2009 approved two new PARs:
1. 802.1Qbg – Virtual Bridged Local Area Networks Amendment: Edge Virtual Bridging (http://www.ieee802.org/1/files/public/docs2009/new-bg-thaler-par-1109.pdf) - includes simple VEPA, multi-channel VEPA and AMPP
2. 802.1Qbh – Virtual Bridged Local Area Network Amendment: Bridge Port Extension (http://www.ieee802.org/1/files/public/docs2009/new-bh-thaler-par-1109-v2.pdf) - covers the original Cisco proposal of VN_Tag or port extender
Juniper will support 802.1Qbg.
802.1Qbh - Cisco is currently the proposer and sole supporter!
Control plane signaling in 802.1Qbg is called VDP. Juniper is working very closely with industry-leading server, NIC and network equipment vendors to develop a VDP standard by 2H 2010.
JUNIPER’S SOLUTIONS LANDSCAPE
Diagram: each option is rated on three questions: switching within the server (VEB)?, standards based?, industry-wide support?
• VMware vSwitch / vDS: Junos Space application to manage vDS (Junos Space Virtual Control, shipping)
• Replace VMware's vSwitch: Nexus 1000v
• VEPA: IEEE 802.1Qbg (2H 2011)
• Port Extender: IEEE 802.1Qbh, VNTag, Nexus (1K + 5K)
• Integrate virtual appliances, e.g. Altor firewall
SECURING THE VIRTUAL DATA CENTER
• Market Drivers
• Security Implications of Virtual Servers
• Introducing Altor Virtual Firewall (VF)
• What is Juniper’s strategy?
SECURITY IMPLICATIONS OF VIRTUAL SERVERS
Diagram: physical network beside virtual network; VM1, VM2 and VM3 on an ESX host above the hypervisor
• Firewall/IPS inspects all traffic between (physical) servers
• Physical security is “blind” to traffic between virtual machines
APPROACHES TO SECURING VIRTUAL SERVERS: THREE METHODS
1. VLAN Segmentation (diagram: VM1, VM2 and VM3 on an ESX host, each in its own VLAN)
• Each VM in separate VLAN
• Inter-VM communications must route through the firewall
• Drawback: possibly complex VLAN networking
2. Agent-based (diagram: FW agents inside each VM on the ESX host)
• Each VM has a software firewall
• Drawback: significant performance implications; huge management overhead of maintaining software and signatures on 1000s of VMs
3. Kernel-based Firewall (diagram: FW as a kernel module in the hypervisor of the ESX host)
• VMs can securely share VLANs
• Inter-VM traffic always protected
• High performance from implementing the firewall in the kernel
• Micro-segmenting capabilities
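The VEPA slides above argue that hairpinning every VM frame to the external switch restores visibility, and the three methods on this slide differ mainly in where the inspection point sits. The Python model below is an added example written for this page (not Juniper's, Altor's or the slides' code): it places a few VMs on one constructed host and, for each ordered VM pair, records which control, if any, could see the frame under a VEB/vSwitch, VEPA (with and without reflective relay on the adjacent switch), VLAN-per-VM, per-VM agents and a hypervisor-kernel firewall. VM names, VLAN ids and the control names are constructed.

```python
"""Where can inter-VM traffic be inspected? Constructed model (not Juniper,
Altor or slide code) of one hypervisor host with a handful of VMs.

Placements modelled:
  veb         vSwitch/VEB switches same-VLAN frames inside the server, so the
              physical firewall/IPS is "blind" to them
  vepa        VEPA hairpins every frame to the adjacent physical switch; that
              switch must have reflective relay enabled to send it back
  VLAN per VM different VLANs force the frame out to be routed through the
              firewall (works with either veb or vepa)
  agent       a software firewall inside a VM
  kernel_fw   a firewall module in the hypervisor kernel on every vNIC
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class VM:
    name: str
    vlan: int


@dataclass
class Host:
    vms: Dict[str, VM]
    mode: str = "veb"                   # "veb" (vSwitch) or "vepa"
    reflective_relay: bool = False      # feature of the adjacent physical switch
    kernel_fw: bool = False             # hypervisor-kernel firewall on all vNICs
    agents: Set[str] = field(default_factory=set)   # VMs with a software firewall


def make_host(vlans: Dict[str, int], **opts) -> Host:
    """vlans maps VM name -> VLAN id; opts are Host fields (constructed input)."""
    return Host({n: VM(n, v) for n, v in vlans.items()}, **opts)


def flow_path(host: Host, src: str, dst: str) -> Tuple[bool, List[str]]:
    """Trace one frame from src to dst (both VMs on host).
    Returns (delivered, inspection_points): the controls the frame passed."""
    s, d = host.vms[src], host.vms[dst]
    points: List[str] = []
    if host.kernel_fw:
        points.append("kernel_fw")          # sees the frame at the source vNIC
    if src in host.agents:
        points.append(f"agent:{src}")
    if host.mode == "veb" and s.vlan == d.vlan:
        pass                                # switched locally; nothing upstream sees it
    else:
        points.append("physical_switch")    # VEPA hairpin, or VLAN crossing via the NIC
        if s.vlan != d.vlan:
            points.append("physical_firewall")   # inter-VLAN hop through FW/router
        elif not host.reflective_relay:
            # 802.1D never forwards a frame out the port it arrived on; without
            # reflective relay the adjacent bridge drops the VEPA hairpin
            return False, points
    if dst in host.agents:
        points.append(f"agent:{dst}")
    return True, points


def coverage(host: Host) -> Dict[str, object]:
    """Over all ordered VM pairs: how many flows are delivered, how many of
    those pass at least one inspection point, and which ones nobody sees."""
    names = sorted(host.vms)
    delivered = inspected = 0
    blind: List[Tuple[str, str]] = []
    for a in names:
        for b in names:
            if a == b:
                continue
            ok, points = flow_path(host, a, b)
            if not ok:
                continue
            delivered += 1
            if points:
                inspected += 1
            else:
                blind.append((a, b))
    return {"delivered": delivered, "inspected": inspected, "blind": blind}


SAME_VLAN = {"vm1": 10, "vm2": 10, "vm3": 10}     # constructed: three VMs, one VLAN
OWN_VLAN = {"vm1": 10, "vm2": 20, "vm3": 30}      # constructed: a VLAN per VM

if __name__ == "__main__":
    for label, host in [
        ("VEB, shared VLAN, physical FW only", make_host(SAME_VLAN)),
        ("VLAN per VM (method 1)", make_host(OWN_VLAN)),
        ("agent on vm1 only (method 2)", make_host(SAME_VLAN, agents={"vm1"})),
        ("kernel firewall (method 3)", make_host(SAME_VLAN, kernel_fw=True)),
        ("VEPA with reflective relay", make_host(SAME_VLAN, mode="vepa", reflective_relay=True)),
        ("VEPA without reflective relay", make_host(SAME_VLAN, mode="vepa")),
    ]:
        print(f"{label}: {coverage(host)}")
```

The run shows the shared-VLAN VEB case with every inter-VM flow blind to the physical firewall, the three methods and VEPA each closing that gap in their own way, and the VEPA caveat that matters operationally: with reflective relay missing on the adjacent switch nothing is delivered at all, so a "VEPA" deployment that appears to work is a sign that frames are still being switched locally and the external controls are not on the path.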
INTRODUCING THE ALTOR VIRTUAL FIREWALL
Diagram: VM1, VM2 and VM3 on an ESX host with the Altor VF in the hypervisor kernel, connected to a network of Juniper switches and Juniper SRX, and managed through NSM and STRM
• Hypervisor kernel stateful firewall
• Purpose-built virtual firewall
• Secure live migration (VMotion)
• Security for each VM by VM ID
• Fully stateful firewall
• VMware “VMsafe Certified”
• Tight integration with virtual platform management, e.g. VMware vCenter
• Fault-tolerant architecture
ALTOR KERNEL IMPLEMENTATION
• Altor built a custom kernel enforcement module in the ESX hypervisor
• Packets are forwarded to Altor directly from the virtual OS
Diagram: in the ESX kernel the Altor VMsafe kernel module is hooked in through VMware DVFilter ahead of the VMware vSwitch; packets/data pass to the Altor 3.0 engine in the Altor VM (policy, logging, management) and on to an SRX with IPS
INTEGRATION WITH JUNIPER DATA CENTER SECURITY
Diagram: Altor Virtual Firewall on VMware vSphere (VM1, VM2, VM3 plus the Altor VM), managed by Altor Center, with three Altor integration points into the Juniper network:
• NSM – central policy management (policies)
• Juniper SRX with IPS / Juniper switch – traffic mirroring to IPS
• STRM – firewall event syslogs and NetFlow for inter-VM traffic
CUSTOMER USE CASE: VIRTUAL DESKTOPS (VDI)
Challenge
• Desktops can carry a lot of “dirty” apps
• Malware can easily propagate in a virtual environment from VM to VM and from VM host to host
• Access control and worm suppression are imperative for VDI deployment
Solution
• Altor VF blocks worm outbreaks in the virtual environment
• Juniper IPS + Altor VF can detect and block malware in physical and virtual environments
CUSTOMER USE CASE: COMPLIANCE
Challenge
• Comply with PCI, SOX, FISMA, ISO 27001 etc. mandates to enforce access control and separation of duties
• Comply with requirements for reporting and alerting on access activity
• Show the effectiveness of security controls for audits
Solution
• Purpose-built firewalling – Altor’s stateful VF sees all inter-VM traffic, enforces policy on VMs, and produces detailed reports on traffic, traffic flows and applied security
• Virtual IPS – Altor VF integrates with STRM and NSM to send firewall events and NetFlow data, and mirrors traffic to Juniper IPS
CUSTOMER USE CASE: VIRTUAL DMZC
hall
en
ge
So
luti
on
DMZ resources span many applications and services
All DMZ resources share an Internet facing
network so security is critical
Partner and customer extranets must be
appropriately segmented and protected
Altor can segment each VM or group of VMs
with unique firewall policies
Security zones are maintained with
NO VLAN changes