In data centers, virtualization has created a bit of a network security black hole for engineers. Firewalls have no problem applying and enforcing security policies on server-to-server traffic in a data center, but traffic between virtual machines (VMs) on a virtualized server is another story: it is switched inside the hypervisor and never reaches the physical network where the firewall sits.
A few months ago I reported on how vendors like Cisco and Check Point have created software that essentially extends the reach of physical firewalls into a server’s hypervisor. At the time, Juniper was developing the same capability by partnering with virtualization security startup Altor Networks. Not long after I wrote that story, Juniper bought Altor. Now, just a couple of months after the deal, Juniper has announced that it has integrated Altor’s technology with its firewalls, the SRX Series Services Gateway products. Juniper’s new vGW Virtual Gateway is a hypervisor-level firewall based on Altor’s technology. Network engineers can deploy vGW on every virtualized server in a data center and then manage and enforce security on the VMs on those servers through the SRX hardware.
“Typically we see the data center carved up into different [security] zones,” said Peter Lunk, director of product marketing at Juniper. “We’ve done integration so that the vGW can pull down zone information from the SRX and then it can populate and place individual VMs sitting on that server into the different zones assigned by the SRX. Then it can push that information up to the SRX. Now you can see all the way down to the VM level and see which virtual machines are sitting in which zone. Now [engineers] have control over whether you can move VMs in and out of those zones. And if you’re turning up a new VM, [engineers can control] which zone it needs to be attached to. If someone is trying to change the VM we have some control over that as well.”
A product like this gives network security engineers renewed visibility and control over what’s happening within virtual infrastructure. It should also have plenty of application in cloud computing environments.
The vGW can also mirror traffic within hypervisors up to the SRX so that the SRX can perform deep analysis on packets and basic reporting on any anomalies. Lunk said Juniper will expand on this mirroring capability in the future. He declined to offer details, but undoubtedly Juniper will add some automated security response features to the SRX for traffic mirrored by the vGW.
Lunk said Juniper has also done some engineering work to make Altor’s syslogs compatible with its own, so that the vGW can report into Juniper’s Security Threat Response Manager (STRM).