Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Host Security


    Juniper Networks Firefly Host is a virtualized firewall that runs on VMware ESX/ESXi for to secure intra-virtual machine (VM) and inter-VM traffic. Juniper Firefly Host has three main components:

    • Firefly Host Security Design VM (SVM)—This provides a central management server. It provides charts, tables, and graphs, and collects the logs from the security policy which helps to adjust the virtualized environment.
    • Firefly Host Security VM—This is installed on each host of VMware ESX/ESXi to be secured. Firefly Host Security VM acts as a conduit to the Firefly Host kernel module that it inserts into the hypervisors of hosts. The Firefly Host Security VM maintains the policy and logging information.
    • Firefly Host kernel module—Virtualized network traffic is secured and analyzed against the security policy for all VM on the ESX/ESXi host in the Firefly Host kernel module installed on the host. All connections are processed and firewall security policy is enforced in the Firefly Host Series kernel module.

    Firefly Host protects the VM as well as the hypervisor. When it is deployed into the VMware environment, Firefly Host Security VM is installed on VMware ESX/ESXi host (Figure 1), it inserts the Firefly Host kernel module into the host’s hypervisor between the virtual network interface card (NIC) and virtual switch (vSwitch) or distributed virtual switch (DvSW).

    Firefly Host supports vMotion, enabling mobility of both the VM and the Firefly Host. In cases where a VM is moved to a different virtual machine, the security policy assigned to that VM moves along with the virtual machine. Because Firefly Host is supported by vMotion, this VM mobility does not require any additional configuration.

    Figure 1: Logical View of Juniper Networks Firefly Host Installation

    Logical View of Juniper Networks Firefly
Host Installation

    Firefly Host Security Design VM also manages the entire Security Virtual Machine (SVM), defining security policies, configuring antivirus, IDS, and so on. To secure ESX/ESXi hosts and VMs, we need to deploy SVM on the ESX/ESXi hosts first. As soon as you have deployed SVM on each ESX/ESXi host, it will be secured and insert the Firefly Host kernel on the ESX/ESXi hypervisor.

    Firefly Host Security Design VM can be managed through a Web GUI that enables you to define firewall security policy for all the VMs, similar to how you configure a physical SRX firewall. Traffic can be controlled between two VMs running on one ESX/ESXi host, and multiple VMs running on multiple ESX/ESXi hosts.

    Firefly Host Security Design VM pushes the firewall security policy to the SVM kernel module. When traffic enters through a physical network adapter on an ESX/ESXi host, it travels to the virtual switch or distributed switch first, then visits the Firefly Host kernel module before being forwarded to the appropriate VM. As the security policy resides in the kernel module and is based on the security policies, traffic is allowed or denied to or from the VM.

    Configuring the Firefly Host

    When you install SVM on the hosts, all the VMs are unsecured by default. Before defining security policies, you must secure the VM environment.

    Step-by-Step Procedure

    To configure Firefly Host, follow these steps:

    1. The first step in configuration is to log in to the Firefly Host to select the VMs that should be secured. The example below contains several ESXi hosts under Unsecured Network and Secured Network. On the left side (under Unsecured Network), Win2012-Exch02 VM is not secured. On the right side (under Secured Network), Win2012-Exch06 VM is secured. To secure or unsecure VM, you need to select or deselect the check box in front of the VM and click on Secure or Unsecure in the Settings tab. You also need to secure the port group when securing a VM (this is done similarly by selecting Secure in the Settings tab for a dvPort Group).

      Figure 2: An Example dvPort Group

      An Example dvPort Group
    2. Configure a group for one set of applications. The example below shows an application name (MediaWiki) that represents a single group. Additional application groups can be created using Add Smart Group under Security Settings, Group tab in Firefly Host. Define vi.notes which contains the keyword MediaWiki in the Firefly Host. By doing this, it will detect all VMs that have the keyword MediaWiki in an annotation of VM. Before defining security policies, it is a good idea to survey the existing VM environment to obtain a list of the applications hosted in the data center. Creating Smart Groups initially will save time during security policy configuration.

      Figure 3: Configure an Application Group

      Configure an  Application Group
    3. Once groups are defined in Firefly Host, an additional step is required on the vCenter Server. At the MediaWiki VM summary tab under vCenter Server, add the same keyword you used in vi notes in the Annotations field in Step 2. This is required to enable the Firefly Host to properly detect the virtual machine. In the below example, the MediaWiki Group in the Firefly Host will detect all VMs that are properly annotated with the tag MediaWiki.

      Figure 4: The Annotation Allows Firefly Host to Detect Related VMs

      The Annotation Allows Firefly Host to Detect Related
    4. Next, define security policies in the Firewall area of the Firefly Host. Also define an initial, Global rule under Global Policy in Policy Group. This rule creation applies to all VMs in the environment, enabling security even if an application group isn’t properly created. To create specific rules, navigate to Policy Groups in the left pane. You will notice that the policy groups contain both Inbound and Outbound rules. Inbound rule means traffic is coming into the VM and Outbound rule means traffic is originating from the VM. Below is an example rule that allows HTTP, HTTPS, and ICMP inbound to the MediaWiki application VM.

      Figure 5: Define Security Policies

      Define Security Policies


    Many network administrators are required to monitor security status in the data center. The administrators must be able to see details on allowed traffic, as well as blocked or anomalous traffic. This information is found in the Logs window. Logging can be enabled or disabled on a per policy basis. You can also enable logging for all the policies. Please keep in mind that enabling logging for all policies can have an effect on CPU utilization and can introduce network congestion or packet drops. Because of this, we do not recommend enabling logging for all policies.

    To see policy logs, you need to enable logging per policy. Once logging is enabled, the Firefly Host can filter by source IP address, destination IP address, or protocol. This filtering is performed in the advanced view of the logging screen.

    For more information on Firefly Host configuration, troubleshooting, and best practices, see the Firefly Host Administration Guide at:

    Juniper Networks Firefly Host - Installation and Administration Guide for VMware PDF Document

    Published: 2015-04-20