Features and Benefits
Virtualization has brought both economic benefits and new
security concerns to enterprises. IT managers often hesitate to
virtualize systems with sensitive data or take full advantage of VM
live migration due to security worries. Among their concerns are:
• Undetected and uncontained malware outbreaks or insider
attacks in the virtual environment
• Lack of visibility into, or control of, traffic between VMs that
never touches the physical network
• Inability to enforce policies that isolate VMs, prevent VM sprawl,
or secure features like VMotion
• Virtualization compliance gaps and audit data holes
• Increasing network complexity and administrative burden
caused by applying legacy VLAN or firewall technology to the
virtual environment
Figure 3: VM Introspection technology gives the vGW an X-ray view of VMs
Without the means to mitigate risks in a cost-effective manner,
many enterprises are not currently realizing the full potential that
virtualization technology offers.
Architected for Multiple Platforms
Juniper Networks' multi-platform architecture is designed to secure
all leading virtualization platforms (e.g., Microsoft Hyper-V, Xen) and
support their newest technologies, such as VMsafe from VMware.
Enterprises retain the freedom to choose whatever virtualization
technologies meet their needs, today and into the future.
Automated Deployment and Integration
The vGW virtual appliance automatically installs itself and
discovers all guest VMs through integration with vCenter. Unlike
using VLANs to isolate VMs, Juniper's solution is easy to maintain
and readily scales as virtualization use grows and new virtual
machines are added to the environment.
Automated VM Security
The vGW automates the application and enforcement of security
rules. This is accomplished in two ways. First, it allows for the
creation of highly detailed security policies that “dynamically”
combine desired conditions from a rich database of virtual
infrastructure (VI) and VM information. The dynamic policy groups
can then be associated with one or more VMs. When additional
VMs are created, they can be automatically associated with known
groups and policies by matching predefined criteria. Administration
overhead is reduced by allowing a “build once, apply continuously”
model to security policy definition and enforcement.
Cloud Security API
Juniper provides an XML-RPC programming interface that lets
service providers and large enterprises customize and automate
firewall provisioning. Users of the API can efficiently secure
virtualization services for internal or external customers, while
ensuring strict isolation of customer VMs.
Compliance
The vGW lets administrators, security managers, and compliance
auditors define and report on the specific conditions (corporate
and regulatory) that constitute compliant operation in their
environments. The vGW user interface allows for the building
of custom “whitelists” (desired configurations) and “blacklists”
(unwanted conditions). vGW continuously monitors all VMs,
including newly created ones, to report on the overall compliance
posture of the virtual environment. Virtual data center and cloud
administrators can see their aggregate compliance posture at a
glance and drill down on each VM to identify the exact condition
that has triggered a noncompliance alert (e.g., VM in wrong VLAN,
or trust zone has been quarantined).
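The two mechanisms described above, attribute-matched dynamic policy groups (Automated VM Security) and whitelist/blacklist compliance checks (Compliance), can both be modelled as predicates evaluated over a VM inventory. The following is an added illustration written for this page, not vGW code and not Juniper's policy engine; the VM attributes, group names, rule names and inventory are all constructed for the example. It shows how a newly created VM is matched to existing groups without any manual assignment, and how the same inventory yields a per-VM violation list and an aggregate posture.

```python
"""Toy model (constructed for this page, not vGW code) of attribute-driven
policy groups and whitelist/blacklist compliance over a VM inventory."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    vlan: str                      # e.g. "dmz-100"; prefix names the zone it belongs to
    zone: str                      # trust zone the VM is assigned to: "dmz" or "internal"
    tags: frozenset = frozenset()  # application role tags, e.g. {"web"}, {"db"}
    quarantined: bool = False


# Constructed inventory. db-02 is deliberately placed on the DMZ VLAN although
# it belongs to the internal zone, and test-07 has been quarantined.
INVENTORY = [
    VM("web-01", vlan="dmz-100", zone="dmz", tags=frozenset({"web"})),
    VM("db-01", vlan="internal-200", zone="internal", tags=frozenset({"db"})),
    VM("db-02", vlan="dmz-100", zone="internal", tags=frozenset({"db"})),
    VM("test-07", vlan="internal-200", zone="internal", quarantined=True),
]

# Dynamic policy groups: a name and a predicate over VM attributes.
# "Build once, apply continuously": any VM that matches joins the group,
# including VMs created after the group was defined.
POLICY_GROUPS = {
    "web-tier": lambda vm: "web" in vm.tags and vm.zone == "dmz",
    "db-tier": lambda vm: "db" in vm.tags,
    "quarantine": lambda vm: vm.quarantined,
}

# Compliance rules. A whitelist entry is a condition every VM must satisfy;
# a blacklist entry is a condition no VM may exhibit.
WHITELIST = {
    "zone-vlan-match": lambda vm: vm.vlan.startswith(vm.zone + "-"),
}
BLACKLIST = {
    "quarantined-vm": lambda vm: vm.quarantined,
    "db-in-dmz": lambda vm: "db" in vm.tags and vm.vlan.startswith("dmz-"),
}


def assign_groups(inventory, groups=POLICY_GROUPS):
    """Return {vm_name: sorted list of policy groups whose predicate matches}."""
    return {vm.name: sorted(g for g, pred in groups.items() if pred(vm))
            for vm in inventory}


def compliance_report(inventory, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Return {vm_name: list of violated rule names}; an empty list means compliant."""
    report = {}
    for vm in inventory:
        violations = [rule for rule, ok in whitelist.items() if not ok(vm)]
        violations += [rule for rule, bad in blacklist.items() if bad(vm)]
        report[vm.name] = violations
    return report


def posture(report):
    """Aggregate view: (number of compliant VMs, total VMs)."""
    return sum(1 for v in report.values() if not v), len(report)


if __name__ == "__main__":
    print(assign_groups(INVENTORY))
    # A VM created later is matched against the same groups automatically.
    print(assign_groups([VM("web-02", vlan="dmz-100", zone="dmz", tags=frozenset({"web"}))]))
    rep = compliance_report(INVENTORY)
    for name, violations in rep.items():
        print(name, "OK" if not violations else violations)
    print("compliant/total:", posture(rep))
```

The drill-down the datasheet describes corresponds to the per-VM violation list: the report names the exact rule each VM failed (here db-02 fails both the zone/VLAN whitelist rule and the db-in-dmz blacklist rule), while the aggregate posture is just the count of VMs with no violations.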
High Availability
Using redundant system components, the vGW provides mission-
critical reliability. An easily deployed shadow management server
immediately takes over if the primary system fails, ensuring
uninterrupted policy enforcement and management control.
High-Performance, Hypervisor-Resident Firewall
By processing inspections in the VMware hypervisor kernel,
vGW provides 10 times the throughput of older, bridge-mode
firewalls running in virtual environments. This optimized VMsafe
innovation can increase VMs per host while eliminating network
reconfigurations. Firewall protection is continuous as VMs move
from host to host using VMotion. Unlike traditional firewalls,
the vGW keeps the “live” in live migration by maintaining open
connections and security throughout the event.
Intuitive Central Management
The Web-based central management console displays real-time
views of each virtual machine’s operating and security status at
a glance. And a simple, familiar interface for defining rules and
managing policies supports role-based administration, enabling
separation of duties.
Logging, Reporting, and Alerts
System logging output gives security event management systems
insight into virtual network activity. Administrators can print
reports of historical VM traffic data and configure SNMP traps to
alert them to selected events.