Securing the Virtual Infrastructure of the Data Center (Zabezpečení virtuální infrastruktury datového centra)
Transcript of "Securing the Virtual Infrastructure of the Data Center" (Zabezpečení virtuální infrastruktury datového centra)
Copyright © 2014 Juniper Networks, Inc.
JUNIPER FIREFLY PERIMETER AKA VIRTUAL SRX
Karel Hendrych, Systems Engineer, Juniper Networks, [email protected]
AGENDA
Firefly intro: Firefly Suite, Firefly Host (vGW), Firefly Perimeter (vSRX)
HA demo: IP monitoring, hypervisor failure
Scale
Performance demo: firewall/NAT TCP throughput demo
Management demo: Virtual Director, vSRX bootstrapping demo
HOW DOES IT WORK TODAY?
[Architecture diagram: a hybrid cloud in which SRX and the MX Universal Router (MX WAN, enterprise, Internet) protect the physical network, Junos Space Security Director and Virtual Director manage security policy, an OSS/BSS customer portal drives provisioning, and on each virtualized multi-tenant host Firefly Perimeter runs as a VM next to the tenant VMs while Firefly Host runs in the hypervisor. Properties called out: multi-layered, dynamic, granular, integrated, flexible, automated.]
FEATURE COMPARISONS (Firefly Host vs. Firefly Perimeter)
Features compared: IDS, Traffic Monitoring and Visibility, Compliance Module, Network Based AV, VPN (IPsec), Network Address Translation, URL Filtering, Introspection, Routing (BGP, OSPF, etc.)
Firewall: Firefly Host 30+ Gbps, kernel implementation, East/West; Firefly Perimeter 4 Gbps/VM, VM implementation, North/South
FIREFLY PERIMETER – NGFW FEATURES
Junos routing protocols and SDK
Junos rich and extensible security stack
Management: CLI, J-Web, SNMP, Junos Space Security Director, hypervisor management, HA/FT
Security layers shown: perimeter security, content, application
Core functions: firewall, VPN, NAT, routing
FIREFLY PERIMETER HIGH AVAILABILITY
[Diagram: two vSRX VMs, each on its own nested ESX host, joined by HA control and data links and presenting a shared virtual IP to the VMs on an ESX host. Failure cases shown: host link down (not the firewall VM itself) and hypervisor host down.]
FIREFLY PERIMETER – SCALE & PERFORMANCE

Scale (VMware & KVM)
vCPUs Required/Instance: 2
Max vNICs/Instance: 10
Max Zones: 128
Max Address Books: 128
Max Policies: 10240
Max Policies with Count: 1024
Max Applications/Policy: 128
Max Addresses/Address-set: 1024
Max Firewall Sessions: 256k
Max PAT Sessions (Source NAT with PAT): 256k
MAC/ARP Table Size: 8k
Max VLANs: 4k
Max OSPF Routes: 160k
Max VRs Supported: 5
vRAM Required/Instance: 2 GB
Max Addresses/Policy: 1024

Performance* (VMware / KVM)
Firewall (UDP 1514B pkts): 4.9 Gbps (400 kpps) / 1.1 Gbps (85 kpps)
Firewall (IMIX): 1.2 Gbps / 242 Mbps
Firewall Ramp Rate (TCP): 26K CPS / 9K CPS
Firewall Latency (512B UDP): 105 microseconds / 482 microseconds
Firewall IPv6 (UDP 512B pkts): 1.7 Gbps / 383 Mbps
NAT (UDP 1514B pkts): 4.4 Gbps / 1 Gbps
NAT (IMIX): 1.1 Gbps / 240 Mbps
NAT Ramp Rate (TCP): 20K CPS / 8K CPS
IPsec (3DES+SHA1, 1514B): 295 Mbps / 241 Mbps
IPsec (3DES+SHA1, IMIX): 66 Mbps / 33 Mbps
IPsec (3DES+SHA1, 64B): 78 kpps / 23 kpps
IKE Rate (3DES+SHA1, IKEv1 or IKEv2): 2000 tunnels, 83 tunnels/sec / 2000 tunnels, 48 tunnels/sec
VIRTUAL DIRECTOR ARCHITECTURE DIAGRAM
[Diagram: Virtual Director and Security Director sit between the virtual networks and management systems (vCenter Server and the VMware virtual network, where Firefly Perimeter fronts the APP, WEB and DB VMs) and the physical networks (SRX, IDP, MAG (SSL VPN), STRM).]
AUTOMATED LIFECYCLE MANAGEMENT
1. Create: A provision template defines all the parameters that a VM requires to execute an instance of FFP (e.g. number of NICs, network addresses, location, device boot-up configuration). Multiple vCenters are supported*. An easy-to-use wizard with drop-down menus guides deployment.
2. Deploy: Settings are injected into the newly instantiated VM so it can be managed and registered into Space automatically. FFP instances are deleted when they are no longer required.
3. Group: Virtual Director supports two group types, Static Groups and Smart Groups. Smart Groups allow dynamic association of VMs to groups by defining a set of rules based on content, network and custom attributes; a VM that matches a rule automatically becomes a member of the Smart Group.
4. Monitor: Virtual Director monitors and displays information such as VM status, memory allocated, number of vCPUs, number of vNICs, host, data center, resource pool, CPU usage and memory usage.
5. Report: Virtual Director stores the historic deployment information in a database. Administrators can access the reports to gain insight and use the status mode to receive email alerts on deployment failures.
*Defines all the vCenters within the organization in Virtual Director
STANDARD MANAGEMENT TOOLS
Virtual Director: creating and deleting Firefly Perimeter instances.
Security Director: manipulating the security policy on the Firefly Perimeter VM.
APIs: both of these Space applications can be driven with APIs; Junos NETCONF is also supported (support portal integration).
J-Web/CLI: tenant VMs can be self-configured by the SP exposing the management interface to the tenant.