Securing Virtualization in the Cloud-Ready Data Center
APPLICATION NOTE
Copyright © 2011, Juniper Networks, Inc.
SECURING VIRTUALIZATION IN THE CLOUD-READY DATA CENTER
Integrating vGW Virtual Gateway with SRX Series Services Gateways and STRM Series Security Threat Response Manager for Data Center Virtualization Security
Table of Contents
Introduction
Scope
Design Considerations
Hardware Requirements
Software Requirements
Description and Deployment Scenario
SRX Series and vGW Virtual Gateway Integrated Solution
Configuring the vGW Virtual Gateway and SRX Series Services Gateways Interoperation
Enabling the Junoscript Interface for vGW Virtual Gateway Access
Configuring Web-Management HTTPS Using the Mycert Certificate
Configuring the vGW Virtual Gateway Automatic Zone Synchronization Process
Integrating SRX Series IPS and the vGW Virtual Gateway
Configuration Steps
Integrating the vGW Virtual Gateway and the STRM Series
Configuring the vGW Virtual Gateway Security Design VM to Send System Log and NetFlow Data to STRM Series
Configuring the STRM Series to Receive vGW System Log and NetFlow Data
Summary
About Juniper Networks
Table of Figures
Figure 1. Juniper Networks two-tier data center architecture
Figure 2. SRX Series and vGW integrated solution
Figure 3. Configuring the SRX Series zone synchronization with vGW
Figure 4. Configuring controls for synchronization update intervals
Figure 5. Configuring SRX Series IPS (SRX-IPS) as the external inspection device
Figure 6. Configuring vGW Security Design VM to send system log and NetFlow data to STRM Series
Figure 7. Configuring the STRM Series to receive vGW system logs
Figure 8. Configuring the STRM Series to receive vGW NetFlow data
Introduction
Thanks to the exploding adoption of virtualization, a new type of data center is here. Architected for cloud computing,
this new data center is a combination of physical servers and virtual workloads—and this means that the data center
requires an even more pervasive range of security options. As nearly every business and organization in the world
implements some degree of cloud computing, virtualization security will be as integral a component as traditional
firewalls are in today’s physical networks. In fact, the virtualization security market is one of the fastest growing market
segments of this decade, with various analysts forecasting a five-year opportunity from hundreds of millions to billions
of dollars.
Juniper Networks not only understands the security requirements of the new data center, but Juniper’s solutions are
prepared to adequately address these needs. Combining the new Juniper Networks® vGW Virtual Gateway with the
high-end Juniper Networks SRX Series Services Gateways, Juniper offers the most comprehensive security suite for all
critical workloads—regardless of the platform on which they run. In addition, vGW integrates with Juniper Networks
STRM Series Security Threat Response Managers, providing visibility into the virtualized data center environment
and enabling compliance as well. It provides consolidated log and flow statistics from both the physical and the
virtual environment.
Scope
This paper specifically highlights the integration aspects of the Juniper Networks virtualization security solution. It
emphasizes implementation details around how the SRX Series Services Gateways and STRM Series Security Threat
Response Managers can be integrated with the vGW Virtual Gateway to provide seamless physical and virtual security and
enable compliance in the cloud-ready data center. This paper covers integration aspects of the vGW with other types
of Juniper data center security products, such as SRX Series and STRM Series devices.
This application note assumes that readers are familiar with the basic administration of the products
discussed, and is not a replacement for the individual product user guides.
Note: The design and implementation of vGW itself is out of the scope of this paper.
Design Considerations
Hardware Requirements
• Juniper Networks SRX3000 line of services gateways
• Juniper Networks SRX5000 line of services gateways
• Juniper Networks STRM Series Security Threat Response Managers
• Juniper Networks EX Series Ethernet Switches
Software Requirements
• VMware vCenter
• VMware ESXi
• Juniper Networks vGW Virtual Gateway software
Fundamental to virtual data center and cloud security is the control of access to virtual machines (VMs) for the
specific business purposes sanctioned by the organization. At its foundation, the vGW is a hypervisor-based, VMsafe-
certified, stateful virtual firewall that inspects all packets to and from VMs, blocking all unapproved connections.
Administrators can enforce stateful virtual firewall policies for individual VMs, logical groups of VMs, or all VMs. Global,
group, and single VM rules ensure easy creation of “trust zones” with strong control over high value VMs, while enabling
enterprises to take full advantage of many virtualization benefits.
The Juniper Networks vGW Virtual Gateway is a software product designed for securing virtualized data centers and
clouds. The vGW is based on the technology of Altor Networks, a leading innovator of virtual firewalls that Juniper
acquired on December 6, 2010. The vGW is a comprehensive hypervisor-based virtualization security solution
that enforces granular access control down to the individual VM. The vGW integrates tightly with existing security
technologies, including the STRM Series, as well as the SRX Series high-performance security services gateways.
Description and Deployment Scenario
As depicted in Figure 1, the Juniper two-tier data center consists of Virtual Chassis fabric technology on the Juniper Networks
EX4200, EX4500, and EX8200 lines of Ethernet switches, and the Juniper Networks MX Series 3D Universal Edge Routers,
combined with the Juniper Networks QFX3500 Switch. This innovative combination eliminates the aggregation tier and
Spanning Tree Protocol (STP) in the data center. A pair of SRX3000 and SRX5000 gateways is deployed in cluster mode to
provide services such as firewalls and intrusion prevention systems (IPS). On the compute layer, vGW software is installed
on the VMware ESXi hypervisors to secure the virtualization layer, in this case VMware infrastructure.
Figure 1. Juniper Networks two-tier data center architecture
Table 1 lists the products tested and their respective version numbers.
Table 1. Products Tested
Products                                        Version Tested
vGW Virtual Gateway                             4.5
SRX Series Services Gateways                    11.2R1
STRM Series Security Threat Response Managers   2010.0
SRX Series and vGW Virtual Gateway Integrated Solution
The SRX Series with vGW Virtual Gateway integration delivers the security necessary for today’s data center with its
mix of physical and virtualized workloads. Integrated with the SRX Series, the vGW Virtual Gateway queries the SRX
Series gateway for its zone, interface, network, and routing configuration. vGW then uses that information with the
vGW management system (Security Design for vGW) to create VM Smart Groups so that users of vGW can see VM-to-
zone attachments, create additional inter-VM zone policies, and incorporate zone knowledge into compliance checks
(for example, is a client X VM connected to a client Y zone). Figure 2 depicts an example of the SRX Series and vGW
integrated solution.
Figure 2. SRX Series and vGW integrated solution
In combination, the SRX Series and vGW deliver best-in-class security to the data center, enabling security
administrators to guarantee that consistent security is enforced from the perimeter to the server VM. The SRX Series
delivers zone-based segregation at the data center perimeter. vGW integrates the knowledge collected in SRX Series
zones to ensure that zone integrity is enforced on the hypervisor using automated security concepts like Smart Groups
and virtual machine introspection. Together, these solutions deliver stateful firewall and optional malware detection
for inter-zone and inter-VM traffic; compliance monitoring and enforcement of SRX Series zones within the virtualized
environment; and automated quarantine of VMs that violate access, regulatory, or zone policies.
[Figure 2 (image not reproduced): two ESX hosts (ESX 1 and ESX 11) running the vGW Engine on the vSwitch, trunk ports to a pair of EX4200 switches, and a data center interconnect to the SRX Series. The illustrated cycle is 1. Set Policy, 2. Inspect and Compare, 3. Detect and Notify. Example zone/VLAN policy: WEB-to-CRM TCP/88 ACCEPT; PRE-PROD-to-WEB ANY DENY; PRE-PROD-to-CRM ANY DENY. VLANs: CRM=110, WEB=121, PRE-PROD=120. A new PRE-PROD VM attached to VLAN 121 instead of 120 is flagged as a policy violation.]
In terms of the benefits of zone synchronization between the SRX Series and vGW, implementers have:
• Guaranteed integrity of zones on the hypervisor (virtualization operating system)
• Automation and verification that VM connectivity does not violate zone policy
• Enhancement of the SRX Series network with knowledge of VMs and their zone location
For a more detailed white paper on the physical and virtual security integration, please refer to www.juniper.net/us/
en/local/pdf/whitepapers/2000431-en.pdf.
Configuring the vGW Virtual Gateway and SRX Series Services Gateways Interoperation
Before configuring interoperability between the vGW and SRX Series, administrators must enable the Junoscript
interface on the SRX Series, as vGW uses that to communicate with the SRX Series device.
Enabling the Junoscript Interface for vGW Virtual Gateway Access
To allow the vGW to gain access to the SRX Series device for zone synchronization, administrators must enable the
Junoscript XML scripting API.
1. Generate a digital SSL certificate and install it on the SRX Series device.
2. Enter the following openssl command in your SSH command-line interface (CLI) on a BSD or Linux system on
which openssl is installed. The openssl command generates a self-signed SSL certificate in the Privacy-Enhanced
Mail (PEM) format. It writes the certificate and an unencrypted 1024-bit RSA private key to the specified file:
% openssl req -x509 -nodes -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
3. When prompted, type the appropriate information in the identification form. For example, type US for the country
name.
4. Display the contents of the file that you created: cat mycert.pem
5. Install the SSL certificate on the SRX Series device. Copy the file containing the certificate from the BSD or
Linux system to the SRX Series device. To install the certificate using the CLI, enter the following statement in
configuration mode:
[edit]
user@host# set security certificates local mycert load-key-file mycert.pem
Configuring Web-Management HTTPS Using the Mycert Certificate
[edit]
user@host# set system services web-management https local-certificate mycert
user@srx# set system services web-management https interface ge-0/0/0.0
user@srx# set system services web-management https port 443
1. Configure the IP address for the interface, if it is not already configured.
2. Enable Junoscript communications using the newly created certificate:
[edit]
user@srx# set system services xnm-ssl local-certificate mycert
Configuring the vGW Virtual Gateway Automatic Zone Synchronization Process
1. After the Junoscript interface is enabled on the SRX Series, select the Settings module -> Security Settings -> SRX
Zones, and click Add.
Figure 3. Configuring the SRX Series zone synchronization with vGW
Host: Device management IP address on the SRX Series device used to connect to the vGW Security Design VM.
Port: TCP port used to connect to the SRX Series device through the Junoscript interface (the standard port is 3220).
Login ID and Password: Credentials used to authenticate to the SRX Series device. The account for the SRX Series
object requires read access to the SRX Series device’s zones, interface, network, and routing configuration. Optionally, it
requires write access to the Address Book for each zone to populate it with VM entries.
Note: If you do not want the system to enter VM objects into the SRX Series device’s Address Book, write access is not
required.
After entering these parameters, the vGW Security Design VM opens a secure connection to the SRX Series Junoscript
interface and reads the authorized information from the SRX Series, making the zone information available through
the vGW Security Design administration interface. When the zone synchronization process is complete, a list of zones is
displayed. Administrators can select the zones to import into the vGW as VM zone groupings.
The “VMs associated with this SRX” setting (options depicted in Figure 3) is the scope of which VMs should be
assessed against this SRX Series device. This synchronization process is used to define which VMs are relevant to the
specified SRX Series device, which may be required when multiple SRX Series devices are used to protect the virtual
environment, or when only a subset of VMs is positioned behind a single SRX Series device.
In addition, you can configure zone synchronization to automatically poll the SRX Series device for zone updates. To
control synchronization updates, specify values for the following parameters:
Update Frequency: How often to query the SRX Series device for updates (interval).
Relevant Interfaces: Select the SRX Series interfaces (one device) to be monitored by the virtual network. The vGW
automatically discovers any new zones assigned to the relevant interfaces and adds them to the vGW for monitoring.
Figure 4. Configuring controls for synchronization update intervals
Integrating SRX Series IPS and the vGW Virtual Gateway
The traffic from vGW can be sent out to external inspection devices for further analysis, for example an external intrusion
detection system (IDS) or network analyzers. In this case, we are going to use SRX Series IPS to inspect the traffic for
potential attacks and anomalies and generate alerts to notify the security administrator.
Configuration Steps
1. On the vGW Security Design interface, we have to first specify the external inspection device IP address, as
shown in Figure 5. The vGW firewall module encapsulates the raw packets inside a generic routing encapsulation
(GRE) layer and sends them out to the IP address of the external inspection device with a source address of that
particular hypervisor security VM.
Figure 5. Configuring SRX Series IPS (SRX-IPS) as the external inspection device
On the data center SRX Series cluster, GRE tunnels must be created from each security VM to the SRX Series GRE
interface. We have to create an interface on the SRX Series that is in the same subnet as the security VMs. In this case,
let us assume that we have three ESXi hosts with three security VMs installed, and that the IP addresses of the three
security VMs are 10.13.98.231, 10.13.98.232, and 10.13.98.233.
1. Configure the GRE interface on the SRX Series device that will terminate the GRE tunnels from the three security
VMs.
{primary:node0}[edit]
root@SRX-DC-1-NODE-0# show interfaces ge-1/0/1
## This interface terminates the GRE tunnels from the vGW SVMs.
unit 0 {
    family inet {
        address 10.13.98.220/24;
    }
}
{primary:node0}[edit]
root@SRX-DC-1-NODE-0#
2. Configure the three separate GRE tunnels from each security VM to the GRE interface that was created in the
previous code snippet, and specify the destination routing instance as External-Inspection, which points to the
routing table containing the tunnel destination address.
{primary:node0}[edit]
root@SRX-DC-1-NODE-0# show interfaces gr-0/0/0
unit 0 {
    tunnel {
        source 10.13.98.220;
        destination 10.13.98.231;
        routing-instance {
            destination External-Inspection;
        }
    }
    family inet;
}
unit 1 {
    tunnel {
        source 10.13.98.220;
        destination 10.13.98.232;
        routing-instance {
            destination External-Inspection;
        }
    }
    family inet;
}
unit 2 {
    tunnel {
        source 10.13.98.220;
        destination 10.13.98.233;
        routing-instance {
            destination External-Inspection;
        }
    }
    family inet;
}
An outbound interface (and zone), ge-1/0/0.999, for the mirrored packets was created so that the policy lookup will
complete and a flow will be created. This interface eventually “black holes” the packets.
{primary:node0}[edit]
root@SRX-DC-1-NODE-0# show interfaces ge-1/0/0
vlan-tagging;
unit 999 {
    vlan-id 999;
    family inet {
        filter {
            input drop-all;
            output drop-all;
        }
        address 9.9.9.9/30 {
            arp 9.9.9.10 mac aa:bb:cc:dd:ee:ff;
        }
    }
}
3. Configure all three interfaces (previously discussed) into the same zone and a separate routing instance with
the default route next hop as the 9.9.9.9 address that was configured with a proxy Address Resolution Protocol (ARP)
entry, as shown in the previous code snippet.
{primary:node0}[edit]
root@SRX-DC-1-NODE-0# show routing-instances External-Inspection
instance-type virtual-router;
interface gr-0/0/0.0;
interface gr-0/0/0.1;
interface gr-0/0/0.2;
interface ge-1/0/0.999;
interface ge-1/0/1.0;
routing-options {
    static {
        route 0.0.0.0/0 next-hop 9.9.9.10;
    }
}
{primary:node0}[edit]
root@SRX-DC-1-NODE-0# show security zones security-zone vGW-Trust
host-inbound-traffic {
    system-services {
        all;
    }
    protocols {
        all;
    }
}
interfaces {
    gr-0/0/0.0;
    gr-0/0/0.1;
    gr-0/0/0.2;
    ge-1/0/1.0;
    ge-1/0/0.999;
}
{primary:node0}[edit]
“drop-all” firewall filters are applied to the “sink” interface, ge-1/0/0.999:
root@SRX-DC-1-NODE-0# show interfaces ge-1/0/0.999
vlan-id 999;
family inet {
    filter {
        input drop-all;
        output drop-all;
    }
    address 9.9.9.9/30 {
        arp 9.9.9.10 mac aa:bb:cc:dd:ee:ff;
    }
}
root@SRX-DC-1-NODE-0# show firewall
family inet {
    filter drop-all {
        term 1 {
            then {
                count sunk;
                discard;
            }
        }
    }
}
4. Configure a security policy for traffic entering and leaving the vGW trust zone with intrusion detection
and prevention (IDP) invoked.
root@SRX-DC-1-NODE-0# show security policies from-zone vGW-Trust to-zone vGW-Trust
policy permit {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            application-services {
                idp;
            }
        }
        log {
            session-init;
            session-close;
        }
    }
}
With this configuration, a copy of all traffic from the vGW security VMs is tunneled into the SRX Series IDP engine for
inspection.
For details on configuring IDP policies, please refer to the Juniper Networks Junos® OS Security Configuration Guide
at www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/
security/junos-security-swconfig-security.pdf.
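As an added example (not Juniper's code and not part of this note), the following Python script generates the Junos set statements for steps 1 through 3 above for any number of vGW security VMs, not only the three used here, and first checks the requirement stated above that the security VMs share a subnet with the SRX interface terminating the GRE tunnels. The names and defaults are assumptions taken from the configuration shown above (gr-0/0/0, ge-1/0/1.0, ge-1/0/0.999, routing instance External-Inspection, zone vGW-Trust, sink next hop 9.9.9.10); the sink interface, drop-all filter and IDP policy do not scale with host count and stay exactly as shown.

```python
"""Generate Junos 'set' statements for terminating vGW security-VM GRE tunnels
on an SRX Series cluster, following the external-inspection design in this note.
Added example, not Juniper code. Names below are assumptions taken from the
configuration shown in the note (gr-0/0/0, ge-1/0/1.0, ge-1/0/0.999,
routing instance External-Inspection, zone vGW-Trust, sink next hop 9.9.9.10)."""
import ipaddress
from typing import List, Sequence


def check_svm_subnet(gre_iface_cidr: str, svm_addrs: Sequence[str]) -> List[str]:
    """Return the security-VM addresses that are NOT in the subnet of the SRX
    interface terminating the GRE tunnels. The note requires that interface to
    share a subnet with the security VMs; a non-empty result means the design
    would not work as described."""
    net = ipaddress.ip_interface(gre_iface_cidr).network
    return [a for a in svm_addrs if ipaddress.ip_address(a) not in net]


def external_inspection_config(
    gre_iface_cidr: str,
    svm_addrs: Sequence[str],
    gre_ifd: str = "gr-0/0/0",
    term_ifl: str = "ge-1/0/1.0",
    sink_ifl: str = "ge-1/0/0.999",
    sink_next_hop: str = "9.9.9.10",
    instance: str = "External-Inspection",
    zone: str = "vGW-Trust",
) -> List[str]:
    """Build one GRE tunnel unit per security VM plus the routing instance and
    security zone that bind the tunnels, the terminating interface and the
    sink interface together (steps 1-3 of the note)."""
    bad = check_svm_subnet(gre_iface_cidr, svm_addrs)
    if bad:
        raise ValueError(f"security VMs outside {gre_iface_cidr}: {bad}")
    source = str(ipaddress.ip_interface(gre_iface_cidr).ip)
    cfg: List[str] = []
    # Step 1: the interface that terminates the GRE tunnels from the vGW SVMs.
    term_ifd, term_unit = term_ifl.split(".")
    cfg.append(f"set interfaces {term_ifd} unit {term_unit} family inet address {gre_iface_cidr}")
    # Step 2: one GRE unit per security VM, each bound to the inspection instance.
    for unit_no, dst in enumerate(svm_addrs):
        base = f"set interfaces {gre_ifd} unit {unit_no}"
        cfg += [
            f"{base} tunnel source {source}",
            f"{base} tunnel destination {dst}",
            f"{base} tunnel routing-instance destination {instance}",
            f"{base} family inet",
        ]
    tunnel_ifls = [f"{gre_ifd}.{n}" for n in range(len(svm_addrs))]
    # Step 3: a virtual router holding every interface, defaulting into the sink.
    cfg.append(f"set routing-instances {instance} instance-type virtual-router")
    for ifl in tunnel_ifls + [sink_ifl, term_ifl]:
        cfg.append(f"set routing-instances {instance} interface {ifl}")
    cfg.append(f"set routing-instances {instance} routing-options static "
               f"route 0.0.0.0/0 next-hop {sink_next_hop}")
    # Same zone for all interfaces so the intra-zone policy with IDP (step 4,
    # unchanged from the note) applies to every mirrored packet.
    for ifl in tunnel_ifls + [term_ifl, sink_ifl]:
        cfg.append(f"set security zones security-zone {zone} interfaces {ifl}")
    cfg.append(f"set security zones security-zone {zone} host-inbound-traffic system-services all")
    cfg.append(f"set security zones security-zone {zone} host-inbound-traffic protocols all")
    return cfg


if __name__ == "__main__":
    # Constructed input: the three security-VM addresses used in the note.
    svms = ["10.13.98.231", "10.13.98.232", "10.13.98.233"]
    print("\n".join(external_inspection_config("10.13.98.220/24", svms)))
```

The output can be pasted into configuration mode with load set terminal; compare it against the hierarchical show output above before committing.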
Integrating the vGW Virtual Gateway and the STRM Series
Integrating Juniper Networks vGW Virtual Gateway with the STRM Series provides for defense-in-depth control and
offers greater visibility into virtualized server environment traffic patterns.
The vGW and STRM Series integration provides features that include:
• STRM Series benefits, such as centralized log and event management, network-wide threat detection, and
compliance reporting to the virtualized data center. Typically, enterprise customers deploy some sort of Security
Information and Event Management (SIEM)/Subscriber Identity Module (SIM) products that provide them with
compliance reports.
• Capabilities that allow the vGW to provide the STRM Series with logs, events, and statistics on traffic between
VMs. This integration provides a single pane, comprehensive, and consistent view of your physical and virtual
infrastructure. vGW and STRM Series implementations have two points of integration.
The vGW exports:
• Firewall logs and events to STRM Series devices through system logs
• Statistics on traffic between VMs through NetFlow
Configuring the vGW Virtual Gateway Security Design VM to Send System Log and NetFlow Data to STRM Series
To configure the vGW Security Design VM to send system log (syslog) and NetFlow information to the STRM Series:
1. Configure external logging in the vGW Security Design VM Settings module.
a. Select Settings -> Security Settings -> Global -> External Logging.
b. Specify the IP address of the STRM Series device.
c. On the same screen, configure NetFlow. Enter the STRM Series IP address in the NetFlow Configuration window,
as shown in Figure 6.
Figure 6. Configuring vGW Security Design VM to send system log and NetFlow data to STRM Series
Configuring the STRM Series to Receive vGW System Log and NetFlow Data
You can configure the STRM Series device or STRM Series Log Manager to log and correlate events received from
external sources such as security equipment (firewalls) and network equipment (switches and routers). Device
Support Modules (DSMs) allow you to integrate STRM Series devices or the STRM Series Log Manager with these
external devices.
1. Download the latest real-time performance monitoring (RPM) data for your STRM Series version, which includes the
vGW DSM (device specific module), from the Juniper support site and install it. Make sure you have Juniper’s
vGW DSM installed.
2. Log into the STRM Series admin user interface.
3. Navigate to Admin -> Data Sources -> Events -> Log Sources and add a new log source. Make sure that you select
Juniper vGW for the Log Source Type, which assigns the vGW DSM when parsing the logs from the vGW Security
Design VM.
Figure 7. Configuring the STRM Series to receive vGW system logs
4. Similarly, configure the NetFlow source by navigating to Admin -> Data Sources -> Flow -> Log Sources and add a
new log source.
Figure 8. Configuring the STRM Series to receive vGW NetFlow data
3500207-001-EN Sept 2011
Summary
Today’s data center is increasingly a combination of physical servers and virtual workloads, architected for cloud
computing and requiring a flexible suite of robust security options. Juniper Networks understands the security
requirements of the new data center. Combining the vGW Virtual Gateway with high-end SRX Series Services
Gateways, Juniper offers the most comprehensive security suite for all critical workloads—a solution that provides
consistent security policy throughout the physical network and within the virtualized network as well—to deliver best-
in-class security for the data center. By leveraging the STRM Series Security Threat Response Managers for centralized
logging and monitoring, enterprise administrators gain visibility into their data center environments for needed security
and compliance.
About Juniper Networks
Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud
providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics
of networking. The company serves customers and partners worldwide. Additional information can be found at
www.juniper.net.