Introduction...3. Scope...3. Design Considerations...3. Hardware Requirements...3. Software Requirements...3. Description and Deployment Scenario...

Transcription

1 APPLICATION NOTE Securing Virtualization in the Cloud-Ready Data Center Integrating vgw Virtual Gateway with SRX Series Services Gateways and STRM Series Security Threat Response Manager for Data Center Virtualization Security Copyright 2011, Juniper Networks, Inc. 1

2 Table of Contents Introduction Scope Design Considerations Hardware Requirements Software Requirements Description and Deployment Scenario SRX Series and vgw Virtual Gateway Integrated Solution Configuring the vgw Virtual Gateway and SRX Series Services Gateways Interoperation Enabling the Junoscript Interface for vgw Virtual Gateway Access Configuring Web-Management HTTPS Using the Mycert Certificate Configuring the vgw Virtual Gateway Automatic Zone Synchronization Process Integrating SRX Series IPS and the vgw Virtual Gateway Configuration Steps Integrating the vgw Virtual Gateway and the STRM Series Configuring the vgw Virtual Gateway Security Design VM to Send System Log and NetFlow Data to STRM Series Configuring the STRM Series to Receive vgw System Log and NetFlow Data Summary About Juniper Networks Table of Figures Figure 1. Juniper Networks two-tier data center architecture Figure 2. SRX Series and vgw integrated solution Figure 3. Configuring the SRX Series zone synchronization with vgw Figure 4. Configuring controls for synchronization update intervals Figure 5. Configuring SRX Series IPS (SRX-IPS) as the external inspection device Figure 6. Configuring vgw security design VM to send system log and NetFlow data to STRM Series Figure 7. Configuring the STRM Series to receive vgw system logs Figure 8. Configuring the STRM Series to receive vgw NetFlow data Copyright 2011, Juniper Networks, Inc.

3 Introduction Thanks to the exploding adoption of virtualization, a new type of data center is here. Architected for cloud computing, this new data center is a combination of physical servers and virtual workloads and this means that the data center requires an even more pervasive range of security options. As nearly every business and organization in the world implements some degree of cloud computing, virtualization security will be as integral a component as traditional firewalls are in today s physical networks. In fact, the virtualization security market is one of the fastest growing market segments of this decade, with various analysts forecasting a five-year opportunity from hundreds of millions to billions of dollars. Juniper Networks not only understands the security requirements of the new data center, but Juniper s solutions are prepared to adequately address these needs. Combining the new Juniper Networks vgw Virtual Gateway with the high-end Juniper Networks SRX Series Services Gateways, Juniper offers the most comprehensive security suite for all critical workloads regardless of the platform on which they run. In addition, vgw integrates with Juniper Networks STRM Series Security Threat Response Managers, providing visibility into the virtualized data center environment and enabling compliance as well. It provides integrated a consolidated log and flow statistics from both physical and virtual environment. Scope This paper specifically highlights the integration aspects of Juniper Networks virtualization security solution. It emphasizes implementation details around how the SRX Series Services Gateways and STRM Series Security Threat Response Mangers can be integrated with vgw Virtual Gateway to provide seamless, physical, and virtual security, and enable compliance in the cloud-ready data center. This paper covers integration aspects of the vgw with other types of Juniper data center security products, such as SRX Series and STRM Series devices. This application note assumes that readers are basically familiar with the administration aspects of the products discussed, and is not a replacement for the individual product user guides. Note: The design and implementation of vgw itself is out of the scope of this paper. Design Considerations Hardware Requirements Juniper Networks SRX3000 line of services gateways Juniper Networks SRX5000 line of services gateways Juniper Networks STRM Series Security Threat Response Managers Juniper Networks EX Series Ethernet Switches Software Requirements VMware vcenter VMware ESXi Juniper Networks vgw Virtual Gateway software Fundamental to virtual data center and cloud security is the control of access to virtual machines (VMs) for the specific business purposes sanctioned by the organization. At its foundation, the vgw is a hypervisor-based, VMsafecertified, stateful virtual firewall that inspects all packets to and from VMs, blocking all unapproved connections. Administrators can enforce stateful virtual firewall policies for individual VMs, logical groups of VMs, or all VMs. Global, group, and single VM rules ensure easy creation of trust zones with strong control over high value VMs, while enabling enterprises to take full advantage of many virtualization benefits. The Juniper Networks vgw Virtual Gateway is a software product designed for securing virtualized data centers and clouds. The vgw is based on the technology of Altor Networks, a leading innovator of virtual firewalls that Juniper acquired on December 6, The vgw is a comprehensive hypervisor-based virtualization security solution that enforces granular access control down to the individual VM. The vgw integrates tightly with existing security technologies, including the STRM Series, as well as the SRX Series high-performance security services gateways. Copyright 2011, Juniper Networks, Inc. 3

4 Description and Deployment Scenario As depicted in Figure 1, the Juniper two-tier data center consists of virtual chassis fabric technology on the Juniper Networks EX4200, EX4500, and EX8200 lines of Ethernet switches, and the Juniper Networks MX Series 3D Universal Edge Routers, combined with the Juniper Networks QFX3500 Switch. This innovative combination eliminates the aggregation tier and Spanning Tree Protocol (STP) in the data center. A pair of SRX3000 and SRX5000 gateways is deployed in cluster mode to provide services such as firewalls and intrusion prevention systems (IPS). On the compute layer, vgw software is installed on the VMware ESXi hypervisors to secure the virtualization layer, in this case VMware infrastructure. MX Series Security Switching SRX SERIES ZONES EX Series SRX Series VIRTUALIZED DATA CENTER EX Series Figure 1. Juniper Networks two-tier data center architecture Table 1 lists the products tested and their version numbers, respectively. Table 1. Products Tested Products Version Tested vgw Virtual Gateway 4.5 SRX Series Services Gateways 11.2r1 STRM Series Security Threat Response Managers Copyright 2011, Juniper Networks, Inc.

5 SRX Series and vgw Virtual Gateway Integrated Solution The SRX Series with vgw Virtual Gateway integration delivers the security necessary for today s data center with its mix of physical and virtualized workloads. Integrated with the SRX Series, the vgw Virtual Gateway queries the SRX Series gateway for its zone, interface, network, and routing configuration. vgw then uses that information with the vgw management system (Security Design for vgw) to create VM Smart Groups so that users of vgw can see VM-tozone attachments, create additional inter-vm zone policies, and incorporate zone knowledge into compliance checks (for example, is a client x VM connected to a client y zone). Figure 2 depicts an example of the SRX Series and vgw integrated solution. Zone/VLAN Policy SRX Series WEB-to-CRM TCP/88 ACCEPT VLAN WEB CRM PRE-PRODUCTION EX4200 DATA CENTER INTERCONNECT Trunk Port ESX 1 vgw Engine Trunk Port ESX 11 EX4200 VM VM VM VM VM VM VM VM VLAN=121 WEB VLAN=110 CRM vswitch VLAN=120 PRE-PROD 3. Detect and Notify 2. Inspect and Compare 1. Set Policy PRE-PRODto-WEB PRE-PRODto-CRM ANY ANY NEW VM PRE-PROD VM VLAN=120 POLICY VIOLATION! VLAN 121 instead of 120 DENY DENY Figure 2. SRX Series and vgw integrated solution In combination, the SRX Series and vgw deliver best-in-class security to the data center, enabling security administrators to guarantee that consistent security is enforced from the perimeter to the server VM. The SRX Series delivers zone-based segregation at the data center perimeter. vgw integrates the knowledge collected in SRX Series zones to ensure that zone integrity is enforced on the hypervisor using automated security concepts like Smart Groups and virtual machine introspection. Together, these solutions deliver stateful firewall and optional malware detection for inter-zone and inter-vm traffic; compliance monitoring and enforcement of SRX Series zones within the virtualized environment; and automated quarantine of VMs that violate access, regulatory, or zone policies. Copyright 2011, Juniper Networks, Inc. 5

6 In terms of the benefits of zone synchronization between the SRX Series and vgw, implementers have: Guaranteed integrity of zones on the hypervisor (virtualization operating system) Automation and verification that VM connectivity does not violate zone policy Enhancement of the SRX Series network with knowledge of VMs and their zone location For a more detailed white paper on the physical and virtual security integration, please refer to en/local/pdf/whitepapers/ en.pdf. Configuring the vgw Virtual Gateway and SRX Series Services Gateways Interoperation Before configuring interoperability between the vgw and SRX Series, administrators must enable the Junoscript interface on the SRX Series, as vgw uses that to communicate with the SRX Series device. Enabling the Junoscript Interface for vgw Virtual Gateway Access To allow the vgw to gain access to the SRX Series device for zone synchronization, administrators must enable the Junoscript XML scripting API. 1. Generate a digital SSL certificate and install it on the SRX Series device. 2. Enter the following openssl command in your SSH command-line interface (CLI) on a BSD or Linux system on which openssl is installed. The openssl command generates a self-signed SSL certificate in the Privacy-Enhanced Mail (PEM) format. It writes the certificate and an unencrypted 1024-bit RSA private key to the specified file: % openssl req -x509 -nodes -newkey rsa:1024 -keyout mycert.pem -out mycert.pem. 3. When prompted, type the appropriate information in the identification form. For example, type US for the country name. 4. Display the contents of the file that you created: cat mycert.pem 5. Install the SSL certificate on the SRX Series device. Copy the file containing the certificate from the BSD or Linux system to the SRX Series device. To install the certificate using the CLI, enter the following statement in configuration mode: [edit]user@host# set security certificates local mycert load-key-file mycert.pem Configuring Web-Management HTTPS Using the Mycert Certificate [edit] user@host# set system services web-management https local-certificate mycert user@srx# set system services web-management https interface ge-0/0/0.0 user@srx# set system services web-management https port Configure the IP address for the interface, if it is not already configured. 2. Enable Junoscript communications using the newly created certificate: [edit] user@srx# set system services xnm-ssl local-certificate mycert 6 Copyright 2011, Juniper Networks, Inc.

7 Configuring the vgw Virtual Gateway Automatic Zone Synchronization Process 1. After the Junoscript interface is enabled on the SRX Series, select the Settings module -> Security settings -> SRX Zones, and click Add. Figure 3. Configuring the SRX Series zone synchronization with vgw Host: Device management IP address on the SRX Series device used to connect to the vgw Security Design VM. Port: TCP port used to connect to the SRX Series device through the Junoscript interface (the standard port is 3220). Login ID and Password: Credentials used to authenticate to the SRX Series device. The account for the SRX Series object requires read access to the SRX Series device s zones, interface, network, and routing configuration. Optionally, it requires write access to the Address Book for each zone to populate it with VM entries. Note: If you do not want the system to enter VM objects into the SRX Series device s Address Book, write access is not required. After entering these parameters, the vgw security design VM opens a secure connection to the SRX Series Junoscript interface and reads the authorized information from the SRX Series, making the zone information available through the vgw security design administration interface. When the zone synchronization process is complete, a list of zones is displayed. Administrators can select the zones to import into the vgw as VM zone groupings. The VMs associated with this SRX (options available depicted in Figure 3) is the scope of which VMs should be assessed against this SRX Series device. This synchronization process is used to define which VMs are relevant to the specified SRX Series device, which may be required when multiple SRX Series devices are used to protect the virtual environment, or when only a subset of VMs is positioned behind a single SRX Series device. In addition, you can configure zone synchronization to automatically poll the SRX Series device for zone updates. To control synchronization updates, specify values for the following parameters: Update Frequency: How often to query the SRX Series device for updates (interval). Relevant Interfaces: Select the SRX Series interfaces (one device) to be monitored by the virtual network. The vgw automatically discovers any new zones assigned to the relevant interfaces and adds them to the vgw for monitoring. Copyright 2011, Juniper Networks, Inc. 7

8 Figure 4. Configuring controls for synchronization update intervals Integrating SRX Series IPS and the vgw Virtual Gateway The traffic from vgw can be sent out to external inspection devices for further analysis, for example external intrusion detection service (IDS) and network analyzers. In this case, we are going to use SRX Series IPS to inspect the traffic for potential attacks and anomalies and generate alerts to notify the security administrator. Configuration Steps 1. On the vgw security design interface, we have to first specify the external inspection device IP address, as shown in Figure 5. The VGW firewall module encapsulates the raw packets inside a generic routing encapsulation (GRE) layer and sends them out to the IP address of the external inspection device with a source address of that particular hypervisor security VM. 8 Copyright 2011, Juniper Networks, Inc.

9 Figure 5. Configuring SRX Series IPS (SRX-IPS) as the external inspection device On the data center SRX Series cluster, GRE tunnels must be created from each security VM to the SRX Series GRE interface. We have to create an interface that is in the same subnet as the security VMs on the SRX Series. In this case, let us assume that we have three ESXi hosts with three security VMs installed, and that the IP addresses of the three security VMs are , , and Configure the GRE interface on the SRX Series device that will terminate the GRE tunnels from the three security VMs. {primary:node0[edit] show interfaces ge-1/0/1 ## This interface terminates the GRE tunnels from the vgw SVMs. unit 0 { family inet { address /24; {primary:node0[edit] root@srx-dc-1-node-0# 2. Configure the three separate GRE tunnels from each security VM to the GRE interface that was created in the previous code snippet, and specify the destination routing instance as external-inspection that points to the routing table containing the tunnel destination address. {primary:node0[edit] root@srx-dc-1-node-0# show interfaces gr-0/0/0 unit 0 { tunnel { source ; destination ; routing-instance { destination External-Inspection; Copyright 2011, Juniper Networks, Inc. 9

10 family inet; unit 1 { tunnel { source ; destination ; routing-instance { destination External-Inspection; family inet; unit 2 { tunnel { source ; destination ; routing-instance { destination External-Inspection; family inet; An outbound interface (and zone), ge-1/0/0.999, for the mirrored packets was created so that the policy lookup will complete and a flow will be created. This interface eventually black holes the packets. {primary:node0[edit] root@srx-dc-1-node-0# show interfaces ge-1/0/0 vlan-tagging; unit 999 { vlan-id 999; family inet { filter { input drop-all; output drop-all; address /30 { arp mac aa:bb:cc:dd:ee:ff; 3. Configure all three interfaces (previously discussed) into the same zone and a separate routing instance with default route next hop as the address that was configured with a proxy Address Resolution Protocol (ARP), as shown in the previous code snippet. {primary:node0[edit] root@srx-dc-1-node-0# show routing-instances External-Inspection instance-type virtual-router; interface gr-0/0/0.0; interface gr-0/0/0.1; interface gr-0/0/0.2; interface ge-1/0/0.999; interface ge-1/0/1.0; routing-options { 10 Copyright 2011, Juniper Networks, Inc.

11 static { route /0 next-hop ; {primary:node0[edit] root@srx-dc-1-node-0# show security zones security-zone vgw-trust host-inbound-traffic { system-services { all; protocols { all; interfaces { gr-0/0/0.0; gr-0/0/0.1; gr-0/0/0.2; ge-1/0/1.0; ge-1/0/0.999; {primary:node0[edit] Drop-all firewall filters are applied to the sink interface, ge-1/0/0.999: root@srx-dc-1-node-0# show interfaces ge-1/0/0.999 vlan-id 999; family inet { filter { input drop-all; output drop-all; address /30 { arp mac aa:bb:cc:dd:ee:ff; root@srx-dc-1-node-0# show firewall family inet { filter drop-all { term 1 { then { count sunk; discard; Copyright 2011, Juniper Networks, Inc. 11

12 4. Configure a security policy for incoming traffic entering and leaving the vgw trust zone with intrusion detection and prevention (IDP) invoked. root@srx-dc-1-node-0# show security policies from-zone vgw-trust to-zone vgw- Trust policy permit { match { source-address any; destination-address any; application any; then { permit { application-services { idp; log { session-init; session-close; With this configuration, a copy of all traffic from the vgw security VMs is tunneled into the SRX Series IDP engine for inspection. For details on configuring IDP policies, please refer to the Juniper Networks Junos OS Security Configuration Guide at security/junos-security-swconfig-security.pdf. Integrating the vgw Virtual Gateway and the STRM Series Integrating Juniper Networks vgw Virtual Gateway with the STRM Series provides for defense-in-depth control and offers greater visibility into virtualized server environment traffic patterns. The vgw and STRM Series integration provides features that include: STRM Series benefits, such as centralized log and event management, network-wide threat detection, and compliance reporting to the virtualized data center. Typically, enterprise customers deploy some sort of Security Information and Event Management (SIEM)/Subscriber Identity Module (SIM) products that provide them with compliance reports. Capabilities that allow the vgw to provide the STRM Series with logs, events, and statistics on traffic between VMs. This integration provides a single pane, comprehensive, and consistent view of your physical and virtual infrastructure. vgw and STRM Series implementations have two points of integration. The vgw exports: Firewall logs and events to STRM Series devices through system logs Statistics on traffic between VMs through NetFlow 12 Copyright 2011, Juniper Networks, Inc.

13 Configuring the vgw Virtual Gateway Security Design VM to Send System Log and NetFlow Data to STRM Series To configure the vgw security design VM to send system log (syslog) and NetFlow information to the STRM Series: 1. Configure external logging in the vgw security design VM settings module. a. Select Settings -> Security Settings -> Global -> External Logging. b. Specify the IP address of STRM Series device. c. At the same screen, configure NetFlow. Enter the STRM Series IP address in the NetFlow Configuration window, as shown in Figure 6. Figure 6. Configuring vgw security design VM to send system log and NetFlow data to STRM Series Configuring the STRM Series to Receive vgw System Log and NetFlow Data You can configure the STRM Series device or STRM Series Log Manager to log and correlate events received from external sources such as security equipment (firewalls) and network equipment (switches and routers). Device Support Modules (DSMs) allow you to integrate STRM Series devices or the STRM Series Log Manager with these external devices. 1. Download the latest real-time performance monitoring (RPM) data for the STRM Series version which includes vgw DSM (device specific module) from the Juniper support site and install them. Make sure you have Juniper s vgw DSM installed. 2. Log into the STRM Series admin user interface. 3. Navigate to Admin -> Data sources -> events -> Log sources and add a new log source. Make sure that you select Juniper vgw for the Log source type which assigns the vgw DSM when parsing the logs from the vgw security design VM. Copyright 2011, Juniper Networks, Inc. 13

14 Figure 7. Configuring the STRM Series to receive vgw system logs 4. Similarly, configure the NetFlow source by navigating to Admin -> Data sources -> flow -> Log sources and add a new log source. Figure 8. Configuring the STRM Series to receive vgw NetFlow data 14 Copyright 2011, Juniper Networks, Inc.

15 Summary Today s data center is increasingly a combination of physical servers and virtual workloads, architected for cloud computing and requiring a flexible suite of robust security options. Juniper Networks understands the security requirements of the new data center. Combining the vgw Virtual Gateway with high-end SRX Series Services Gateways, Juniper offers the most comprehensive security suite for all critical workloads a solution that provides consistent security policy throughout the physical network and within the virtualized network as well to deliver bestin-class security for the data center. By leveraging the STRM Series Security Threat Response Managers for centralized logging and monitoring, enterprise administrators gain visibility into their data center environments for needed security and compliance. About Juniper Networks Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at Corporate and Sales Headquarters APAC Headquarters EMEA Headquarters To purchase Juniper Networks solutions, Juniper Networks, Inc North Mathilda Avenue Sunnyvale, CA USA Phone: 888.JUNIPER ( ) or Fax: Juniper Networks (Hong Kong) 26/F, Cityplaza One 1111 King s Road Taikoo Shing, Hong Kong Phone: Fax: Juniper Networks Ireland Airside Business Park Swords, County Dublin, Ireland Phone: EMEA Sales: Fax: please contact your Juniper Networks representative at or authorized reseller. Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice EN Sept 2011 Printed on recycled paper Copyright 2011, Juniper Networks, Inc. 15