Securing the Virtual Data-Center Infrastructure

Copyright © 2014 Juniper Networks, Inc.

JUNIPER FIREFLY PERIMETER AKA VIRTUAL SRX

Karel Hendrych, Systems Engineer, Juniper Networks, [email protected]

Transcript of Securing the Virtual Data-Center Infrastructure


INTRODUCING THE FIREFLY SOLUTION


AGENDA

Firefly intro: Firefly Suite; Firefly Host (vGW); Firefly Perimeter (vSRX)

HA demo: IP monitoring; hypervisor failure

Performance demo: scale; performance; firewall/NAT TCP throughput demo

Management demo: Virtual Director; vSRX bootstrapping demo


HOW DOES IT WORK TODAY?

Diagram (labels only): SRX and MX Universal Router at the Enterprise WAN / Internet edge; a hybrid cloud managed through Junos Space Security and Virtual Director with an OSS/BSS customer portal; a virtualized multi-tenant host running a hypervisor with Firefly Host in the hypervisor and Firefly Perimeter alongside the tenant VMs. Design attributes called out: multi-layered, dynamic, granular, integrated, flexible, automated.


FEATURE COMPARISONS

Firefly Host vs. Firefly Perimeter. Features compared (the check-mark columns of the slide are not preserved in the transcript): IDS; Traffic Monitoring and Visibility; Compliance Module; Network Based AV; VPN (IPsec); Network Address Translation; URL Filtering; Introspection; Routing (BGP, OSPF, etc.)

Firewall:           Firefly Host: 30+ Gbps, kernel implementation    Firefly Perimeter: 4 Gbps/VM implementation
Traffic direction:  Firefly Host: East/West                           Firefly Perimeter: North/South


FIREFLY PERIMETER – NGFW FEATURES

Junos Routing Protocols and SDK

Junos Rich and Extensible Security Stack

Management: CLI, J-Web, SNMP, Junos Space Security Director, Hypervisor Management, HA/FT

Perimeter Security / Content / Application: Firewall, VPN, NAT, Routing


VIRTUAL SRX HA DEMO


FIREFLY PERIMETER HIGH AVAILABILITY

Diagram (labels only): two nested ESX hosts, each running a vSRX VM and tenant VMs, plus a third ESX host with tenant VMs; HA control/data (C/D) links between the two vSRX instances; a Virtual IP served by the cluster.

Failure scenarios demonstrated: host link down (not the firewall VM) and hypervisor host down.
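As an added example (not configuration from the presentation), a Junos chassis-cluster fragment of the kind that backs the two failure cases above: interface-monitor reacts when the vSRX's own vNIC goes down, while ip-monitoring through the reth interface catches the case where the hypervisor host's uplink fails but the firewall VM's vNIC stays up. Interface names, addresses and weights are assumed values; the upstream gateway 10.1.1.1 is a constructed target.

```junos
# Cluster plumbing: fabric (data) links on ge-0/0/0 (node 0) and ge-7/0/0 (node 1);
# on vSRX the control link is the dedicated em0 interface.
set interfaces fab0 fabric-options member-interfaces ge-0/0/0
set interfaces fab1 fabric-options member-interfaces ge-7/0/0
set chassis cluster reth-count 2

# Redundancy group 0 (routing engine) and 1 (data plane); node 0 preferred.
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 preempt

# Case 1 - the vNIC itself goes down: interface-monitor drops the node's
# priority to zero (weight 255 >= threshold 255) and RG1 fails over.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/1 weight 255

# Case 2 - the hypervisor's uplink fails while the vNIC stays link-up:
# only a probe to an upstream address detects it. The secondary IP is
# sent from the backup node so both nodes test their own reachability.
set chassis cluster redundancy-group 1 ip-monitoring global-weight 255
set chassis cluster redundancy-group 1 ip-monitoring global-threshold 100
set chassis cluster redundancy-group 1 ip-monitoring retry-interval 3
set chassis cluster redundancy-group 1 ip-monitoring retry-count 5
set chassis cluster redundancy-group 1 ip-monitoring family inet 10.1.1.1 weight 255 interface reth0.0 secondary-ip-address 10.1.1.3

# Redundant Ethernet interface spanning one vNIC on each node; 10.1.1.2 is
# the virtual IP that moves with RG1 on failover.
set interfaces ge-0/0/1 gigether-options redundant-parent reth0
set interfaces ge-7/0/1 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.1.1.2/24
```

Verify with `show chassis cluster ip-monitoring status` and `show chassis cluster interfaces`: the monitored address should show reachable from both nodes before the host-link-down test is run.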


PERFORMANCE DEMO


FIREFLY PERIMETER – SCALE & PERFORMANCE

Scale (VMware & KVM)

vCPUs Required/Instance                    2
Max vNICs/Instance                         10
Max Zones                                  128
Max Address Books                          128
Max Policies                               10240
Max Policies with Count                    1024
Max Applications/Policy                    128
Max Addresses/Address-set                  1024
Max Firewall Sessions                      256k
Max PAT Sessions (Source NAT with PAT)     256k
MAC/ARP Table Size                         8k
Max VLANs                                  4k
Max OSPF Routes                            160k
Max VRs Supported                          5
vRAM Required/Instance                     2 GB
Max Addresses/Policy                       1024

Performance*                               VMware                          KVM
Firewall (UDP 1514B pkts)                  4.9 Gbps (400 kpps)             1.1 Gbps (85 kpps)
Firewall (IMIX)                            1.2 Gbps                        242 Mbps
Firewall Ramp Rate (TCP)                   26K CPS                         9K CPS
Firewall Latency (512B UDP)                105 microseconds                482 microseconds
Firewall IPv6 (UDP 512B pkts)              1.7 Gbps                        383 Mbps
NAT (UDP 1514B pkts)                       4.4 Gbps                        1 Gbps
NAT (IMIX)                                 1.1 Gbps                        240 Mbps
NAT Ramp Rate (TCP)                        20K CPS                         8K CPS
IPsec (3DES+SHA1, 1514B)                   295 Mbps                        241 Mbps
IPsec (3DES+SHA1, IMIX)                    66 Mbps                         33 Mbps
IPsec (3DES+SHA1, 64B)                     78 kpps                         23 kpps
IKE Rate (3DES+SHA1, IKEv1 or IKEv2)       2000 tunnels, 83 tunnels/sec    2000 tunnels, 48 tunnels/sec


MANAGEMENT DEMO


VIRTUAL DIRECTOR ARCHITECTURE DIAGRAM

Diagram (labels only): Virtual Networks & Management Systems with vCenter Server and the VMware virtual network; Physical Networks with SRX, IDP, MAG (SSL VPN) and STRM; tenant workloads APP VM, WEB VM and DB VM behind Firefly Perimeter; Virtual Director and Security Director as the management applications.


AUTOMATED LIFECYCLE MANAGEMENT

1. Create: a provision template defines all the parameters the VM requires to execute an instance of FFP (e.g. number of NICs, network addresses, location, device boot-up configuration). Multiple vCenters are supported*.

2. Deploy: an easy-to-use wizard with drop-down menus guides deployment. Settings are injected into the newly instantiated VM so it can be managed and registered into Space automatically. FFP instances are deleted when they are no longer required.

3. Group: Virtual Director supports two group types, Static Groups and Smart Groups. Smart Groups allow dynamic association of VMs to groups by defining a set of rules based on content, network and custom attributes; a VM that matches a rule automatically becomes a member of the smart group.

4. Monitor: Virtual Director monitors and displays information such as VM status, memory allocated, number of vCPUs, number of vNICs, host, data center, resource pool, CPU usage and memory usage.

5. Report: Virtual Director stores the historic deployment information in a database. Administrators can access the reports to gain insight and use the status mode to receive email alerts on deployment failures.

*Defines all the vCenters within the organization in Virtual Director.


STANDARD MANAGEMENT TOOLS

Virtual Director: creating and deleting Firefly Perimeter instances.

Security Director: manipulating the security policy on the Firefly Perimeter VM.

APIs: both of these Space applications can be driven through APIs; Junos NETCONF is also supported (support portal integration).

J-Web/CLI: tenant VMs can be self-configured by the SP exposing the management interface to the tenant.


THANK YOU