Securing the Virtual Infrastructure of the Data Center

Posted 16-Jul-2015

  • Copyright 2014 Juniper Networks, Inc. 1

    JUNIPER FIREFLY PERIMETER AKA VIRTUAL SRX

    Karel Hendrych, Systems Engineer, Juniper Networks
    khendrych@juniper.net

  • INTRODUCING THE FIREFLY SOLUTION

  • AGENDA

    FIREFLY INTRO
      Firefly Suite
      Firefly Host (vGW)
      Firefly Perimeter (vSRX)

    HA DEMO
      IP monitoring
      Hypervisor failure

    PERF DEMO
      Scale
      Performance
      Firewall/NAT TCP throughput demo

    MGMT DEMO
      Virtual Director
      vSRX bootstrapping demo

  • HOW DOES IT WORK TODAY?

    (Architecture diagram, HYBRID CLOUD.) Components shown: SRX; Junos Space Security Director and Virtual Director; MX Universal Router; Internet; MX WAN at the Enterprise side; OSS/BSS Customer Portal; a VIRTUALIZED MULTI-TENANT HOST running tenant VMs, with Firefly Perimeter in front of the VMs and Firefly Host in the Hypervisor.

    Design attributes: MULTI-LAYERED, DYNAMIC, GRANULAR, INTEGRATED, FLEXIBLE, AUTOMATED

  • FEATURE COMPARISONS (FIREFLY HOST vs. FIREFLY PERIMETER)

    IDS
    Traffic Monitoring and Visibility
    Compliance Module
    Network Based AV
    VPN (IPsec)
    Network Address Translation
    URL Filtering
    Introspection
    Routing (BGP, OSPF, etc.)
    Firewall: 30+ Gbps / Kernel Implementation (Firefly Host); 4 Gbps / VM Implementation (Firefly Perimeter)
    Traffic direction: East/West (Firefly Host); North/South (Firefly Perimeter)

  • FIREFLY PERIMETER NGFW FEATURES

    Junos Routing Protocols and SDK
    Junos Rich and Extensible Security Stack
    Management: CLI, J-Web, SNMP, Junos Space Security Director, Hypervisor Management, HA/FT
    Security layers: Perimeter Security (Firewall, VPN, NAT, Routing), Content, Application

  • VIRTUAL SRX HA DEMO

  • FIREFLY PERIMETER HIGH AVAILABILITY

    (Topology diagram.) Two nested ESX hosts, themselves VMs on a physical ESX host, each run a vSRX and a VM. The two vSRX nodes are connected by HA control and data (C/D) links and present a shared Virtual IP.

    Failure cases demonstrated: host link down (not the firewall VM); hypervisor host down.

  • PERFORMANCE DEMO

  • FIREFLY PERIMETER - SCALE & PERFORMANCE

    Scale (VMware & KVM)

    vCPUs Required/Instance                 2
    Max vNICs/Instance                      10
    Max Zones                               128
    Max Address Books                       128
    Max Policies                            10240
    Max Policies with Count                 1024
    Max Applications/Policy                 128
    Max Addresses/Address-set               1024
    Max Firewall Sessions                   256k
    Max PAT Sessions (Source NAT with PAT)  256k
    MAC/ARP Table Size                      8k
    Max VLANs                               4k
    Max OSPF Routes                         160k
    Max VRs Supported                       5
    vRAM Required/Instance                  2GB
    Max Addresses/Policy                    1024

    Performance*                        VMware                        KVM
    Firewall (UDP 1514B pkts)           4.9 Gbps (400 kpps)           1.1 Gbps (85 kpps)
    Firewall (IMIX)                     1.2 Gbps                      242 Mbps
    Firewall Ramp Rate (TCP)            26K CPS                       9K CPS
    Firewall Latency (512B UDP)         105 microseconds              482 microseconds
    Firewall IPv6 (UDP 512B pkts)       1.7 Gbps                      383 Mbps
    NAT (UDP 1514B pkts)                4.4 Gbps                      1 Gbps
    NAT (IMIX)                          1.1 Gbps                      240 Mbps
    NAT Ramp Rate (TCP)                 20K CPS                       8K CPS
    IPsec (3DES+SHA1, 1514B)            295 Mbps                      241 Mbps
    IPsec (3DES+SHA1, IMIX)             66 Mbps                       33 Mbps
    IPsec (3DES+SHA1, 64B)              78 kpps                       23 kpps
    IKE Rate (3DES+SHA1, IKEv1 or v2)   2000 tunnels, 83 tunnels/sec  2000 tunnels, 48 tunnels/sec

  • MANAGEMENT DEMO

  • VIRTUAL DIRECTOR ARCHITECTURE DIAGRAM

    (Diagram.) Virtual Director and Security Director, running on Junos Space, manage Firefly Perimeter instances in the VMware Virtual Network through vCenter Server, alongside the other Virtual Networks & Management Systems; the tenant workloads shown are APP VM, WEB VM and DB VM. Physical Networks devices in the picture: SRX, IDP, MAG (SSL VPN), STRM.

  • AUTOMATED LIFECYCLE MANAGEMENT

    1. Create: the provision template defines all the parameters that the VM requires to execute an instance of FFP (e.g. number of NICs, network addresses, location, device boot-up configuration). Support for multiple vCenters*.

    2. Deploy: an easy-to-use wizard with drop-down menus guides deployment. Settings are injected into the newly instantiated VM so it can be managed and registered into Space automatically. FFP instances are deleted when they are no longer required.

    3. Group: Virtual Director supports two group types, Static Groups and Smart Groups. Smart groups allow dynamic association of VMs to groups by defining a set of rules based on content, network and custom attributes; a VM that matches a rule automatically becomes a member of the smart group.

    4. Monitor: Virtual Director monitors and displays information such as VM status, memory allocated, number of vCPUs, number of vNICs, host, data center, resource pool, CPU usage and memory usage.

    5. Report: Virtual Director stores the historic deployment information in a database. Administrators can access the reports to gain insight and use the status mode to receive email alerts on deployment failures.

    *Defines all the vCenters within the organization in Virtual Director.
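The smart-group rules described on the lifecycle management slide above can be illustrated with a small rule evaluator. The following is an added example written for this page, not Virtual Director's code or its rule language; the rule criteria (a name pattern standing in for "content", a CIDR for "network", a hypervisor host name, and equality on custom attributes), the VM record shape and the sample inventory are all assumptions made for the illustration. It also shows the static-group side for contrast, and how a re-evaluation after a new VM is deployed changes membership without manual steps.

```python
"""Rule-driven "smart group" membership, in the spirit of the Virtual Director
slide above.  Added illustration, not Virtual Director's code: the rule fields
(name pattern, network, host, custom attributes), the group model and the
sample inventory below are all assumptions made for this example."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass
class VM:
    """Minimal inventory record for one virtual machine (assumed shape)."""
    name: str
    ip: str
    host: str
    custom: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    """All criteria that are set must hold (logical AND); unset ones are ignored."""
    name_regex: Optional[str] = None   # "content" criterion: pattern on the VM name
    network: Optional[str] = None      # "network" criterion: CIDR containing the VM IP
    host: Optional[str] = None         # hypervisor host the VM runs on
    custom_equals: Dict[str, str] = field(default_factory=dict)  # custom attributes

    def matches(self, vm: VM) -> bool:
        if self.name_regex is not None and not re.search(self.name_regex, vm.name):
            return False
        if self.network is not None and ip_address(vm.ip) not in ip_network(self.network):
            return False
        if self.host is not None and vm.host != self.host:
            return False
        return all(vm.custom.get(k) == v for k, v in self.custom_equals.items())


@dataclass
class SmartGroup:
    """Membership is recomputed from the inventory: a VM joins if ANY rule matches."""
    name: str
    rules: List[Rule]


@dataclass
class StaticGroup:
    """Membership is an explicit list maintained by the administrator."""
    name: str
    members: Set[str]


def evaluate_groups(vms: List[VM], smart: List[SmartGroup],
                    static: List[StaticGroup]) -> Dict[str, List[str]]:
    """Return {group name: sorted member VM names} for the current inventory.

    Smart groups are derived purely from the rules, so a newly deployed VM that
    matches a rule appears in the group on the next evaluation with no manual
    step.  Static groups list only members that still exist in the inventory,
    so deleted VMs drop out automatically."""
    present = {vm.name for vm in vms}
    result: Dict[str, List[str]] = {}
    for group in smart:
        result[group.name] = sorted(
            vm.name for vm in vms if any(rule.matches(vm) for rule in group.rules))
    for group in static:
        result[group.name] = sorted(group.members & present)
    return result


# Constructed sample inventory (not real hosts or addresses).
SAMPLE_VMS = [
    VM("ffp-edge-01", "10.0.1.10", "esx-a", {"tenant": "blue"}),
    VM("ffp-edge-02", "10.0.1.11", "esx-b", {"tenant": "green"}),
    VM("web-01", "10.0.2.20", "esx-a", {"tenant": "blue"}),
    VM("db-01", "10.0.3.30", "esx-b"),
]

SAMPLE_SMART_GROUPS = [
    # Every Firefly Perimeter instance, picked out by an assumed naming convention.
    SmartGroup("firefly-perimeter", [Rule(name_regex=r"^ffp-")]),
    # The blue tenant's firewalls on the management network: two criteria ANDed.
    SmartGroup("tenant-blue-mgmt-net",
               [Rule(network="10.0.1.0/24", custom_equals={"tenant": "blue"})]),
    # Everything hosted on esx-a OR any database VM: two rules ORed.
    SmartGroup("esx-a-or-db", [Rule(host="esx-a"), Rule(name_regex=r"^db-")]),
]

# A static group that still references a VM no longer present in the inventory.
SAMPLE_STATIC_GROUPS = [StaticGroup("pilot", {"web-01", "retired-vm"})]


if __name__ == "__main__":
    for name, members in evaluate_groups(SAMPLE_VMS, SAMPLE_SMART_GROUPS,
                                         SAMPLE_STATIC_GROUPS).items():
        print(f"{name}: {members}")
```

Running the block prints the membership of each group; adding a VM to `SAMPLE_VMS` whose name, address and attributes satisfy a rule and re-running shows it join the matching smart groups while the static group stays unchanged.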

  • STANDARD MANAGEMENT TOOLS

    Virtual Director: creating and deleting Firefly Perimeter instances.

    Security Director: manipulating the security policy on the Firefly Perimeter VM.

    APIs: both of these Space applications can be driven with APIs. Junos NETCONF is also supported (Support Portal integration).

    J-Web/CLI: tenant VMs can be self-configured by the SP exposing the management interface to the tenant.

  • THANK YOU