
    Understanding Security in the Virtualized IT Data Center

    The purpose of the data center is to host business-critical applications for the enterprise. Each role in the data center is designed and configured to ensure the highest quality user experience possible. This document describes the critical role that security plays in the virtualized IT data center architecture.

    Security

    Security is a vital component of any network architecture and the virtualized IT data center is no exception. There are various areas within the data center where security is essential. At the perimeter, security is focused on securing the edge of the data center from external threats and with providing a secure gateway to the Internet. Remote access is another area where security is vital in the data center. Operators often require remote access to the data center to perform maintenance or new service activations. This remote access must be secured and monitored to ensure that only authorized users are permitted access. Robust authentication, authorization and accounting (AAA) mechanisms should be in place to ensure that only authorized operators are allowed access. Given that the data center is a cost and revenue center that can house the critical data and applications of many different enterprises, multi-factor authentication is an absolute necessity to properly secure remote access.

    Software application security in the virtualized IT data center is security that is provided between VMs. A great deal of inter-VM communication occurs in the data center, and controlling this interactivity is a crucial security concern. If a server is supposed to access a database residing on another server, or on a storage array, a virtual security appliance should be configured to limit the communication between those resources to allow only those protocols that are necessary for operation. Limiting the communication between resources prevents security breaches in the data center and might be a requirement depending on the regulatory requirements of the hosted applications (HIPAA, for instance, can dictate security safeguards that must exist between patient and business data). Security in the virtual network, or between VMs, differs from security that can be implemented on a physical network. In a physical network, a hardware firewall can connect to different subnets, security zones, or servers and provide security between those devices (see Figure 1). In the virtual network, the physical firewall does not have the ability to see traffic between the VMs. In these cases, a virtual hypervisor security appliance should be installed to enable security between VMs.

    Figure 1 illustrates physical security compared to virtual network security.

    Figure 1: Physical Security Compared to Virtual Network Security


    Application Security

    When securing VMs, you need a comprehensive virtualization security solution that implements hypervisor security with full introspection; includes a high-performance, hypervisor-based stateful firewall; uses an integrated intrusion detection system (IDS); provides virtualization-specific antivirus protection; and offers unrivaled scalability for managing multitenant cloud data center security. The Juniper Networks Firefly Host (formerly vGW) offers all these features and enables the operator to monitor software, patches, and files installed on a VM from a central location. Firefly Host is designed to be centrally managed from a single-pane view, giving administrators a comprehensive view of virtual network security and VM inventory.

    Table 1 shows the relative merits of three application security design options: vSRX, SRX, and Firefly Host. Because other choices lack intrusion detection and prevention, quarantine capabilities, and mission-critical line-rate performance and scalability, Firefly Host is the preferred choice for this solution. Additionally, Firefly Host is integrated into all VMs and provides every endpoint with its own virtual firewall.

    Table 1 shows the application security options.

    Table 1: Application Security Options

    Requirement                            vSRX   SRX   Firefly Host
    Stateful security policies             Yes    Yes   Yes
    Centralized management                 Yes    Yes   Yes
    Intrusion detection and prevention     Yes    Yes   Yes
    Quarantine                             No     No    Yes
    10G line-rate performance at scale     No     No    Yes

    To provide application security in the virtualized IT data center, this solution uses the Juniper Networks Firefly Host to provide VM-to-VM application security. Firefly Host integrates with VMware vCenter for comprehensive VM security and management.

    Figure 2 shows the design for application security.

    Figure 2: Application Security Design


    In Figure 2, the following sequence occurs for VM-to-VM traffic:

    1. A VM sends traffic to a destination VM.
    2. The Firefly Host appliance inspects the traffic.
    3. The traffic matches the security policy.
    4. The ESXi host transmits the traffic.
    5. The second ESXi host receives the traffic.
    6. Firefly Host inspects the traffic.
    7. The traffic matches the security policy, which permits it to continue to the destination.
    8. The destination VM receives the traffic.
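    The following is an added example (not Firefly Host code) that models the hypervisor-level inspection in the sequence above as a small stateful VM-to-VM policy engine: new connections must match an explicit allow entry, reply traffic is permitted only for a session that was already permitted, and a quarantined VM (Table 1) is cut off entirely. VM names, ports and the single allowed protocol are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # source VM name
    dst: str          # destination VM name
    proto: str        # "tcp" or "udp"
    sport: int        # source port
    dport: int        # destination port
    new: bool = True  # True for a new connection, False for reply/established traffic


# Constructed policy: each VM pair may use only the protocols it needs.
# Here the app tier may open MySQL (tcp/3306) to the database tier and nothing else.
POLICY = {
    ("app-vm", "db-vm"): {("tcp", 3306)},
}


class StatefulVmPolicy:
    """Hypervisor-level stateful policy: default deny, session-aware replies, quarantine."""

    def __init__(self, policy):
        self.policy = policy
        self.sessions = set()      # (src, dst, proto, sport, dport) of permitted sessions
        self.quarantined = set()   # VMs isolated from all traffic (Table 1, "Quarantine")

    def quarantine(self, vm: str) -> None:
        self.quarantined.add(vm)
        # Drop existing sessions touching the VM so established flows are cut as well.
        self.sessions = {s for s in self.sessions if vm not in (s[0], s[1])}

    def inspect(self, flow: Flow) -> str:
        if flow.src in self.quarantined or flow.dst in self.quarantined:
            return "deny"
        if not flow.new:
            # Reply traffic is permitted only if the forward session was permitted.
            forward = (flow.dst, flow.src, flow.proto, flow.dport, flow.sport)
            return "permit" if forward in self.sessions else "deny"
        # New connection: must match an explicit allow entry; everything else is denied,
        # so a compromised VM cannot reach services it was never meant to use.
        if (flow.proto, flow.dport) in self.policy.get((flow.src, flow.dst), set()):
            self.sessions.add((flow.src, flow.dst, flow.proto, flow.sport, flow.dport))
            return "permit"
        return "deny"
```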

    Perimeter Security

    Edge firewalls handle security functions such as Network Address Translation (NAT), intrusion detection and prevention (IDP), security policy enforcement, and virtual private network (VPN) services.

    As shown in Figure 3, there are four locations where you could provide security services for the physical devices in your data center:

    1. Firewall filters in the QFabric system PODs
    2. Firewall filters in the core switches
    3. Dedicated, stateful firewalls (such as the SRX3600)
    4. Physical firewalls connected to the QFabric system PODs

    Figure 3: Physical Security Design


    For example, location 3 in Figure 3 uses a stateful firewall to protect traffic flows travelling between the edge routers and core switches. Anything below the POD level is protected by the Firefly Host application.

    To provide perimeter security in the virtualized IT data center, this solution uses the SRX3600 Services Gateway as an edge firewall. This firewall offers up to 55 Gbps of firewall performance, which can easily support the VM traffic generated by this solution.

    Secure Remote Access

    The virtualized IT data center solution requires secure remote access into the data center environment. Such access must provide multifactor authentication, granular security controls, and user scale that gives multitenant data centers the ability to provide access to administrators and to many thousands of users.

    The secure remote access application must be accessible through the Internet; capable of providing encryption, Role-Based Access Control (RBAC), and two-factor authentication services; able to access a virtualized environment; and scale to 10,000 users.

    Table 2 shows a comparison of the MAG Series gateway and the Junos Pulse gateway options. For the virtualized IT data center solution, the Junos Pulse gateway is superior because it offers all the capabilities of the MAG Series gateway and is also a virtualized application.

    Table 2: Data Center Remote Access Options

    Requirement                  MAG Gateway   Virtual Pulse Gateway
    Internet accessible          Yes           Yes
    Encryption                   Yes           Yes
    Two-factor authentication    Yes           Yes
    Scale to 10,000 users        Yes           Yes
    Virtualized                  No            Yes

    To provide secure remote access to and from the virtualized IT data center, this solution uses the Juniper Networks SA Series SSL VPN Appliances as remote access systems and the Junos Pulse gateway.

    Figure 4 shows the remote access flow.

    Figure 4: Remote Access Flow


    As shown in Figure 4, the remote access flow in the virtualized IT data center happens as follows:

    1. The user logs in from the Internet.
    2. The user session is routed to the firewall.
    3. Destination NAT is performed on the session.
    4. The authorized user matches the security policy.
    5. The traffic is forwarded to the Junos Pulse gateway.
    6. Traffic arrives on the Untrust interface.
    7. Trusted traffic permits a local address to be assigned to the user.
    8. The user is authenticated and granted access through RBAC.

    Modified: 2015-05-18