securing virtualization in the cloud-ready data center

APPLICATION NOTE

Copyright © 2011, Juniper Networks, Inc.

SECURING VIRTUALIZATION IN THE CLOUD-READY DATA CENTER

Integrating vGW Virtual Gateway with SRX Series Services Gateways and STRM Series Security Threat Response Manager for Data Center Virtualization Security


Table of Contents

Introduction (page 3)
Scope (page 3)
Design Considerations (page 3)
Hardware Requirements (page 3)
Software Requirements (page 3)
Description and Deployment Scenario (page 4)
SRX Series and vGW Virtual Gateway Integrated Solution (page 5)
Configuring the vGW Virtual Gateway and SRX Series Services Gateways Interoperation (page 6)
Enabling the Junoscript Interface for vGW Virtual Gateway Access (page 6)
Configuring Web-Management HTTPS Using the Mycert Certificate (page 6)
Configuring the vGW Virtual Gateway Automatic Zone Synchronization Process (page 7)
Integrating SRX Series IPS and the vGW Virtual Gateway (page 8)
Configuration Steps (page 8)
Integrating the vGW Virtual Gateway and the STRM Series (page 12)
Configuring the vGW Virtual Gateway Security Design VM to Send System Log and NetFlow Data to STRM Series (page 13)
Configuring the STRM Series to Receive vGW System Log and NetFlow Data (page 13)
Summary (page 15)
About Juniper Networks (page 15)

Table of Figures

Figure 1. Juniper Networks two-tier data center architecture (page 4)
Figure 2. SRX Series and vGW integrated solution (page 5)
Figure 3. Configuring the SRX Series zone synchronization with vGW (page 7)
Figure 4. Configuring controls for synchronization update intervals (page 8)
Figure 5. Configuring SRX Series IPS (SRX-IPS) as the external inspection device (page 9)
Figure 6. Configuring vGW Security Design VM to send system log and NetFlow data to STRM Series (page 13)
Figure 7. Configuring the STRM Series to receive vGW system logs (page 14)
Figure 8. Configuring the STRM Series to receive vGW NetFlow data (page 14)


Introduction

Thanks to the exploding adoption of virtualization, a new type of data center is here. Architected for cloud computing, this new data center is a combination of physical servers and virtual workloads—and this means that the data center requires an even more pervasive range of security options. As nearly every business and organization in the world implements some degree of cloud computing, virtualization security will be as integral a component as traditional firewalls are in today’s physical networks. In fact, the virtualization security market is one of the fastest growing market segments of this decade, with various analysts forecasting a five-year opportunity from hundreds of millions to billions of dollars.

Juniper Networks not only understands the security requirements of the new data center, but Juniper’s solutions are prepared to adequately address these needs. Combining the new Juniper Networks® vGW Virtual Gateway with the high-end Juniper Networks SRX Series Services Gateways, Juniper offers the most comprehensive security suite for all critical workloads—regardless of the platform on which they run. In addition, vGW integrates with Juniper Networks STRM Series Security Threat Response Managers, providing visibility into the virtualized data center environment and enabling compliance as well. It provides integrated, consolidated log and flow statistics from both the physical and the virtual environment.

Scope

This paper specifically highlights the integration aspects of the Juniper Networks virtualization security solution. It emphasizes implementation details around how the SRX Series Services Gateways and STRM Series Security Threat Response Managers can be integrated with the vGW Virtual Gateway to provide seamless physical and virtual security, and to enable compliance in the cloud-ready data center. This paper covers integration of the vGW with other types of Juniper data center security products, such as SRX Series and STRM Series devices.

This application note assumes that readers are basically familiar with the administration aspects of the products discussed, and is not a replacement for the individual product user guides.

Note: The design and implementation of the vGW itself is out of the scope of this paper.

Design Considerations

Hardware Requirements

• Juniper Networks SRX3000 line of services gateways
• Juniper Networks SRX5000 line of services gateways
• Juniper Networks STRM Series Security Threat Response Managers
• Juniper Networks EX Series Ethernet Switches

Software Requirements

• VMware vCenter
• VMware ESXi
• Juniper Networks vGW Virtual Gateway software

Fundamental to virtual data center and cloud security is the control of access to virtual machines (VMs) for the specific business purposes sanctioned by the organization. At its foundation, the vGW is a hypervisor-based, VMsafe-certified, stateful virtual firewall that inspects all packets to and from VMs, blocking all unapproved connections. Administrators can enforce stateful virtual firewall policies for individual VMs, logical groups of VMs, or all VMs. Global, group, and single-VM rules ensure easy creation of “trust zones” with strong control over high-value VMs, while enabling enterprises to take full advantage of many virtualization benefits.

The Juniper Networks vGW Virtual Gateway is a software product designed for securing virtualized data centers and clouds. The vGW is based on the technology of Altor Networks, a leading innovator of virtual firewalls that Juniper acquired on December 6, 2010. The vGW is a comprehensive hypervisor-based virtualization security solution that enforces granular access control down to the individual VM. The vGW integrates tightly with existing security technologies, including the STRM Series, as well as the SRX Series high-performance security services gateways.


Description and Deployment Scenario

As depicted in Figure 1, the Juniper two-tier data center consists of Virtual Chassis fabric technology on the Juniper Networks EX4200, EX4500, and EX8200 lines of Ethernet switches and the Juniper Networks MX Series 3D Universal Edge Routers, combined with the Juniper Networks QFX3500 Switch. This innovative combination eliminates the aggregation tier and Spanning Tree Protocol (STP) in the data center. A pair of SRX3000 and SRX5000 gateways is deployed in cluster mode to provide services such as firewalls and intrusion prevention systems (IPS). On the compute layer, vGW software is installed on the VMware ESXi hypervisors to secure the virtualization layer, in this case VMware infrastructure.

Figure 1. Juniper Networks two-tier data center architecture

Table 1 lists the products tested and their respective version numbers.

Table 1. Products Tested

Product                                         Version Tested
vGW Virtual Gateway                             4.5
SRX Series Services Gateways                    11.2R1
STRM Series Security Threat Response Managers   2010.0



SRX Series and vGW Virtual Gateway Integrated Solution

The SRX Series with vGW Virtual Gateway integration delivers the security necessary for today’s data center with its mix of physical and virtualized workloads. Integrated with the SRX Series, the vGW Virtual Gateway queries the SRX Series gateway for its zone, interface, network, and routing configuration. vGW then uses that information in the vGW management system (Security Design for vGW) to create VM Smart Groups, so that users of vGW can see VM-to-zone attachments, create additional inter-VM zone policies, and incorporate zone knowledge into compliance checks (for example, is a client X VM connected to a client Y zone?). Figure 2 depicts an example of the SRX Series and vGW integrated solution.

Figure 2. SRX Series and vGW integrated solution

In combination, the SRX Series and vGW deliver best-in-class security to the data center, enabling security administrators to guarantee that consistent security is enforced from the perimeter to the server VM. The SRX Series delivers zone-based segregation at the data center perimeter. vGW integrates the knowledge collected from SRX Series zones to ensure that zone integrity is enforced on the hypervisor, using automated security concepts like Smart Groups and virtual machine introspection. Together, these solutions deliver stateful firewall and optional malware detection for inter-zone and inter-VM traffic; compliance monitoring and enforcement of SRX Series zones within the virtualized environment; and automated quarantine of VMs that violate access, regulatory, or zone policies.

[Figure 2 content: two ESX hosts (ESX 1 and ESX 11), each running a vGW Engine on its vSwitch, connected over trunk ports to EX4200 switches, a data center interconnect, and an SRX Series gateway. Zone/VLAN policy: WEB-to-CRM TCP/88 ACCEPT; PRE-PROD-to-WEB ANY DENY; PRE-PROD-to-CRM ANY DENY. VLANs: CRM = 110, WEB = 121, PRE-PROD = 120. Workflow: 1. Set policy; 2. Inspect and compare; 3. Detect and notify. Example violation: a new PRE-PROD VM is expected on VLAN 120 but is found on VLAN 121.]


In terms of the benefits of zone synchronization between the SRX Series and vGW, implementers have:

• Guaranteed integrity of zones on the hypervisor (virtualization operating system)
• Automation and verification that VM connectivity does not violate zone policy
• Enhancement of the SRX Series network with knowledge of VMs and their zone location

For a more detailed white paper on the physical and virtual security integration, please refer to www.juniper.net/us/en/local/pdf/whitepapers/2000431-en.pdf.

Configuring the vGW Virtual Gateway and SRX Series Services Gateways Interoperation

Before configuring interoperability between the vGW and SRX Series, administrators must enable the Junoscript interface on the SRX Series, as the vGW uses that interface to communicate with the SRX Series device.

Enabling the Junoscript Interface for vGW Virtual Gateway Access

To allow the vGW to gain access to the SRX Series device for zone synchronization, administrators must enable the Junoscript XML scripting API.

1. Generate a digital SSL certificate and install it on the SRX Series device.

2. Enter the following openssl command in your SSH command-line interface (CLI) on a BSD or Linux system on which openssl is installed. The openssl command generates a self-signed SSL certificate in the Privacy-Enhanced Mail (PEM) format. It writes the certificate and an unencrypted 1024-bit RSA private key to the specified file:

   % openssl req -x509 -nodes -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

3. When prompted, type the appropriate information in the identification form. For example, type US for the country name.

4. Display the contents of the file that you created:

   cat mycert.pem

5. Install the SSL certificate on the SRX Series device. Copy the file containing the certificate from the BSD or Linux system to the SRX Series device. To install the certificate using the CLI, enter the following statement in configuration mode:

   [edit]
   user@host# set security certificates local mycert load-key-file mycert.pem

Configuring Web-Management HTTPS Using the Mycert Certificate

   [edit]
   user@host# set system services web-management https local-certificate mycert
   user@srx# set system services web-management https interface ge-0/0/0.0
   user@srx# set system services web-management https port 443

1. Configure the IP address for the interface, if it is not already configured.

2. Enable Junoscript communications using the newly created certificate:

   [edit]
   user@srx# set system services xnm-ssl local-certificate mycert


Configuring the vGW Virtual Gateway Automatic Zone Synchronization Process

1. After the Junoscript interface is enabled on the SRX Series, select the Settings module -> Security Settings -> SRX Zones, and click Add.

Figure 3. Configuring the SRX Series zone synchronization with vGW

Host: Management IP address of the SRX Series device, used for the connection from the vGW Security Design VM.

Port: TCP port used to connect to the SRX Series device through the Junoscript interface (the standard port is 3220).

Login ID and Password: Credentials used to authenticate to the SRX Series device. The account for the SRX Series object requires read access to the SRX Series device’s zone, interface, network, and routing configuration. Optionally, it requires write access to the Address Book for each zone in order to populate it with VM entries.

Note: If you do not want the system to enter VM objects into the SRX Series device’s Address Book, write access is not required.

After entering these parameters, the vGW Security Design VM opens a secure connection to the SRX Series Junoscript interface and reads the authorized information from the SRX Series, making the zone information available through the vGW Security Design administration interface. When the zone synchronization process is complete, a list of zones is displayed. Administrators can select the zones to import into the vGW as VM zone groupings.

The “VMs associated with this SRX” setting (options depicted in Figure 3) defines the scope of VMs to be assessed against this SRX Series device. It is used to define which VMs are relevant to the specified SRX Series device, which may be required when multiple SRX Series devices are used to protect the virtual environment, or when only a subset of VMs is positioned behind a single SRX Series device.

In addition, you can configure zone synchronization to automatically poll the SRX Series device for zone updates. To control synchronization updates, specify values for the following parameters:

Update Frequency: How often to query the SRX Series device for updates (interval).

Relevant Interfaces: Select the SRX Series interfaces (on one device) to be monitored by the virtual network. The vGW automatically discovers any new zones assigned to the relevant interfaces and adds them to the vGW for monitoring.


Figure 4. Configuring controls for synchronization update intervals

Integrating SRX Series IPS and the vGW Virtual Gateway

Traffic from the vGW can be sent out to external inspection devices for further analysis, for example an external intrusion detection service (IDS) or a network analyzer. In this case, we are going to use SRX Series IPS to inspect the traffic for potential attacks and anomalies and to generate alerts that notify the security administrator.

Configuration Steps

1. On the vGW Security Design interface, first specify the external inspection device IP address, as shown in Figure 5. The vGW firewall module encapsulates the raw packets inside a generic routing encapsulation (GRE) layer and sends them to the IP address of the external inspection device, with a source address of that particular hypervisor’s security VM.


Figure 5. Configuring SRX Series IPS (SRX-IPS) as the external inspection device

On the data center SRX Series cluster, GRE tunnels must be created from each security VM to the SRX Series GRE interface. We have to create an interface on the SRX Series that is in the same subnet as the security VMs. In this case, let us assume that we have three ESXi hosts with three security VMs installed, and that the IP addresses of the three security VMs are 10.13.98.231, 10.13.98.232, and 10.13.98.233.

1. Configure the GRE interface on the SRX Series device that will terminate the GRE tunnels from the three security VMs.

{primary:node0}[edit]
root@SRX-DC-1-NODE-0# show interfaces ge-1/0/1
## This interface terminates the GRE tunnels from the vGW SVMs.
unit 0 {
    family inet {
        address 10.13.98.220/24;
    }
}

2. Configure three separate GRE tunnels, one from each security VM, to the GRE interface that was created in the previous code snippet, and specify the destination routing instance as External-Inspection, which points to the routing table containing the tunnel destination address.

{primary:node0}[edit]
root@SRX-DC-1-NODE-0# show interfaces gr-0/0/0
unit 0 {
    tunnel {
        source 10.13.98.220;
        destination 10.13.98.231;
        routing-instance {
            destination External-Inspection;
        }
    }
    family inet;
}
unit 1 {
    tunnel {
        source 10.13.98.220;
        destination 10.13.98.232;
        routing-instance {
            destination External-Inspection;
        }
    }
    family inet;
}
unit 2 {
    tunnel {
        source 10.13.98.220;
        destination 10.13.98.233;
        routing-instance {
            destination External-Inspection;
        }
    }
    family inet;
}

An outbound interface (and zone), ge-1/0/0.999, for the mirrored packets was created so that the policy lookup completes and a flow is created. This interface eventually “black holes” the packets.

{primary:node0}[edit]
root@SRX-DC-1-NODE-0# show interfaces ge-1/0/0
vlan-tagging;
unit 999 {
    vlan-id 999;
    family inet {
        filter {
            input drop-all;
            output drop-all;
        }
        address 9.9.9.9/30 {
            arp 9.9.9.10 mac aa:bb:cc:dd:ee:ff;
        }
    }
}

3. Configure all three interfaces (previously discussed) into the same zone and a separate routing instance, with the default route next hop as the 9.9.9.9 address that was configured with a proxy Address Resolution Protocol (ARP) entry, as shown in the previous code snippet.

{primary:node0}[edit]
root@SRX-DC-1-NODE-0# show routing-instances External-Inspection
instance-type virtual-router;
interface gr-0/0/0.0;
interface gr-0/0/0.1;
interface gr-0/0/0.2;
interface ge-1/0/0.999;
interface ge-1/0/1.0;
routing-options {
    static {
        route 0.0.0.0/0 next-hop 9.9.9.10;
    }
}

{primary:node0}[edit]
root@SRX-DC-1-NODE-0# show security zones security-zone vGW-Trust
host-inbound-traffic {
    system-services {
        all;
    }
    protocols {
        all;
    }
}
interfaces {
    gr-0/0/0.0;
    gr-0/0/0.1;
    gr-0/0/0.2;
    ge-1/0/1.0;
    ge-1/0/0.999;
}

The “drop-all” firewall filter is applied in both directions to the “sink” interface, ge-1/0/0.999, and every packet it discards is counted:

{primary:node0}[edit]
root@SRX-DC-1-NODE-0# show interfaces ge-1/0/0.999
vlan-id 999;
family inet {
    filter {
        input drop-all;
        output drop-all;
    }
    address 9.9.9.9/30 {
        arp 9.9.9.10 mac aa:bb:cc:dd:ee:ff;
    }
}

root@SRX-DC-1-NODE-0# show firewall
family inet {
    filter drop-all {
        term 1 {
            then {
                count sunk;
                discard;
            }
        }
    }
}


4. Configure a security policy for traffic entering and leaving the vGW trust zone with intrusion detection and prevention (IDP) invoked.

root@SRX-DC-1-NODE-0# show security policies from-zone vGW-Trust to-zone vGW-Trust
policy permit {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            application-services {
                idp;
            }
        }
        log {
            session-init;
            session-close;
        }
    }
}

With this configuration, a copy of all traffic from the vGW security VMs is tunneled into the SRX Series IDP engine for inspection.

For details on configuring IDP policies, please refer to the Juniper Networks Junos® OS Security Configuration Guide at www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/security/junos-security-swconfig-security.pdf.
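As an added example (not code from the application note or from vGW), the following Python decodes a mirrored packet the way the SRX GRE endpoint above receives it: an outer IP header from a security VM to 10.13.98.220, a GRE header, then the copied inner packet. The sample packet is constructed; only the security VM and endpoint addresses come from the configuration above, and the check that the outer source is a known security VM is this example's own addition.

```python
"""Decapsulate GRE-mirrored packets the way the SRX GRE interface receives them.

Added example, not code from the Juniper application note or from vGW. It
models the transport described in the note: the vGW firewall module wraps a
copy of each packet in GRE and sends it from the security VM (SVM) to the SRX
GRE endpoint. The sample packet is constructed; the SVM and endpoint addresses
are the ones used in the note's configuration.
"""
import ipaddress
import struct

SVM_ADDRESSES = {"10.13.98.231", "10.13.98.232", "10.13.98.233"}
GRE_ENDPOINT = "10.13.98.220"   # ge-1/0/1.0 on the SRX in the note
GRE_PROTO = 47                  # IP protocol number for GRE (RFC 2784)
ETHERTYPE_IPV4 = 0x0800         # GRE protocol type for an IPv4 payload


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 for a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_gre_mirror(svm: str, inner_src: str, inner_dst: str,
                     sport: int, dport: int) -> bytes:
    """Constructed sample: IP(svm -> SRX) / GRE / IP(inner) / TCP SYN header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = build_ipv4(inner_src, inner_dst, 6, tcp)
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no C/K/S bits, version 0
    return build_ipv4(svm, GRE_ENDPOINT, GRE_PROTO, gre + inner)


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); raise ValueError on a malformed header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:total_len]


def decapsulate(pkt: bytes) -> dict:
    """Strip the outer IP/GRE layers and describe the mirrored inner flow.

    Rejects GRE that does not come from a known SVM: the External-Inspection
    routing instance would still accept it, so this check belongs with whoever
    monitors the GRE endpoint.
    """
    o_src, o_dst, o_proto, gre = parse_ipv4(pkt)
    if o_dst != GRE_ENDPOINT or o_proto != GRE_PROTO:
        raise ValueError("not GRE addressed to the SRX endpoint")
    if o_src not in SVM_ADDRESSES:
        raise ValueError("GRE from unexpected source %s" % o_src)
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto_type = struct.unpack("!HH", gre[:4])
    if flags & 0xB000 or proto_type != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header (C/K/S bits or non-IPv4 payload)")
    i_src, i_dst, i_proto, l4 = parse_ipv4(gre[4:])
    sport = dport = None
    if i_proto in (6, 17) and len(l4) >= 4:   # TCP or UDP: ports lead the header
        sport, dport = struct.unpack("!HH", l4[:4])
    return {"svm": o_src, "src": i_src, "dst": i_dst, "proto": i_proto,
            "sport": sport, "dport": dport}


if __name__ == "__main__":
    sample = build_gre_mirror("10.13.98.231", "192.0.2.10", "192.0.2.20", 40000, 88)
    print(decapsulate(sample))
```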

Integrating the vGW Virtual Gateway and the STRM Series

Integrating Juniper Networks vGW Virtual Gateway with the STRM Series provides defense-in-depth control and offers greater visibility into virtualized server environment traffic patterns.

The vGW and STRM Series integration provides features that include:

• STRM Series benefits, such as centralized log and event management, network-wide threat detection, and compliance reporting, extended to the virtualized data center. Typically, enterprise customers deploy some sort of Security Information and Event Management (SIEM)/Subscriber Identity Module (SIM) product that provides them with compliance reports.

• Capabilities that allow the vGW to provide the STRM Series with logs, events, and statistics on traffic between VMs. This integration provides a single-pane, comprehensive, and consistent view of your physical and virtual infrastructure.

vGW and STRM Series implementations have two points of integration. The vGW exports:

• Firewall logs and events to STRM Series devices through system logs
• Statistics on traffic between VMs through NetFlow
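As an added example (not code from the application note, vGW, or STRM), the following Python parses a NetFlow export of the kind the vGW sends and checks each inter-VM flow against the zone policy drawn in Figure 2 (WEB-to-CRM TCP/88 accept, PRE-PROD-to-WEB and PRE-PROD-to-CRM deny). It assumes NetFlow version 5, which the note does not specify, and uses constructed zone subnets and a constructed export datagram.

```python
"""Audit vGW NetFlow exports against the Figure 2 inter-zone policy.

Added example, not code from the application note, vGW, or STRM. It assumes
the vGW exports NetFlow version 5 (the note does not say which version) and
stands in for the STRM side with one check: parse an export datagram, place
each VM in a zone, and flag flows the zone policy says should have been
denied. The zone subnets and the datagram are constructed samples; the policy
rows are the ones drawn in Figure 2 of the note.
"""
import ipaddress
import struct

# Constructed zone subnets standing in for the VLAN-based zones of Figure 2
# (CRM = VLAN 110, WEB = VLAN 121, PRE-PROD = VLAN 120).
ZONE_SUBNETS = {
    "CRM": ipaddress.ip_network("10.110.0.0/24"),
    "WEB": ipaddress.ip_network("10.121.0.0/24"),
    "PRE-PROD": ipaddress.ip_network("10.120.0.0/24"),
}
# Figure 2 policy rows: (from zone, to zone, protocol, dport, action);
# None matches any value.
POLICY = [
    ("WEB", "CRM", 6, 88, "ACCEPT"),
    ("PRE-PROD", "WEB", None, None, "DENY"),
    ("PRE-PROD", "CRM", None, None, "DENY"),
]

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record


def zone_of(ip: str):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONE_SUBNETS.items():
        if addr in net:
            return name
    return None


def policy_action(src_zone, dst_zone, proto, dport) -> str:
    """First matching Figure 2 row wins; 'NO-RULE' when nothing matches."""
    for frm, to, p, d, action in POLICY:
        if frm == src_zone and to == dst_zone and p in (None, proto) and d in (None, dport):
            return action
    return "NO-RULE"


def parse_netflow_v5(datagram: bytes) -> list:
    """Decode a NetFlow v5 export datagram into flow dicts."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version != 5:
        raise ValueError("expected NetFlow v5, got version %d" % version)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram shorter than the record count claims")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(ipaddress.IPv4Address(r[0])),
                      "dst": str(ipaddress.IPv4Address(r[1])),
                      "packets": r[5], "bytes": r[6],
                      "sport": r[9], "dport": r[10], "proto": r[13]})
    return flows


def audit(datagram: bytes) -> list:
    """Return the flows whose zone pair the Figure 2 policy says must be denied.

    A flow reported in NetFlow has already been forwarded, so a DENY hit means
    a VM is not where the policy assumes (Figure 2's VLAN 121 instead of 120
    case) or the hypervisor policy is not being enforced.
    """
    violations = []
    for f in parse_netflow_v5(datagram):
        sz, dz = zone_of(f["src"]), zone_of(f["dst"])
        f["verdict"] = policy_action(sz, dz, f["proto"], f["dport"])
        if f["verdict"] == "DENY":
            violations.append(f)
    return violations


def build_sample_datagram() -> bytes:
    """Constructed v5 export carrying three inter-VM flows."""
    def rec(src, dst, proto, sport, dport, pkts, octets):
        return V5_RECORD.pack(ipaddress.IPv4Address(src).packed,
                              ipaddress.IPv4Address(dst).packed, b"\0\0\0\0",
                              1, 2, pkts, octets, 0, 0, sport, dport, 0, 0x18,
                              proto, 0, 0, 0, 24, 24, 0)
    records = (rec("10.121.0.5", "10.110.0.9", 6, 51000, 88, 12, 4800)   # WEB->CRM tcp/88: ACCEPT
               + rec("10.120.0.7", "10.110.0.9", 6, 51001, 443, 3, 240)  # PRE-PROD->CRM: DENY
               + rec("10.110.0.9", "10.121.0.5", 17, 514, 514, 1, 120))  # CRM->WEB: NO-RULE
    header = V5_HEADER.pack(5, 3, 1000, 1320000000, 0, 1, 0, 0, 0)
    return header + records


if __name__ == "__main__":
    for flow in audit(build_sample_datagram()):
        print("policy violation:", flow)
```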


Configuring the vGW Virtual Gateway Security Design VM to Send System Log and NetFlow Data to STRM Series

To configure the vGW Security Design VM to send system log (syslog) and NetFlow information to the STRM Series:

1. Configure external logging in the vGW Security Design VM Settings module.

a. Select Settings -> Security Settings -> Global -> External Logging.

b. Specify the IP address of the STRM Series device.

c. On the same screen, configure NetFlow. Enter the STRM Series IP address in the NetFlow Configuration window, as shown in Figure 6.

Figure 6. Configuring vGW Security Design VM to send system log and NetFlow data to STRM Series

Configuring the STRM Series to Receive vGW System Log and NetFlow Data

You can configure the STRM Series device or STRM Series Log Manager to log and correlate events received from external sources such as security equipment (firewalls) and network equipment (switches and routers). Device Support Modules (DSMs) allow you to integrate STRM Series devices or the STRM Series Log Manager with these external devices.

1. Download the latest real-time performance monitoring (RPM) data for your STRM Series version, which includes the vGW DSM, from the Juniper support site and install it. Make sure you have Juniper’s vGW DSM installed.

2. Log into the STRM Series admin user interface.

3. Navigate to Admin -> Data Sources -> Events -> Log Sources and add a new log source. Make sure that you select Juniper vGW for the Log Source Type, which assigns the vGW DSM when parsing the logs from the vGW Security Design VM.


Figure 7. Configuring the STRM Series to receive vGW system logs

4. Similarly, configure the NetFlow source by navigating to Admin -> Data Sources -> Flow -> Log Sources and adding a new log source.

Figure 8. Configuring the STRM Series to receive vGW NetFlow data


Document number 3500207-001-EN, Sept 2011


Summary

Today’s data center is increasingly a combination of physical servers and virtual workloads, architected for cloud computing and requiring a flexible suite of robust security options. Juniper Networks understands the security requirements of the new data center. Combining the vGW Virtual Gateway with high-end SRX Series Services Gateways, Juniper offers the most comprehensive security suite for all critical workloads—a solution that provides consistent security policy throughout the physical network and within the virtualized network as well—to deliver best-in-class security for the data center. By leveraging the STRM Series Security Threat Response Managers for centralized logging and monitoring, enterprise administrators gain visibility into their data center environments for needed security and compliance.

About Juniper Networks

Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.juniper.net.