Understanding Juniper Connected Security for VMware NSX Integration
This section presents an overview of how Juniper Networks vSRX Virtual Services Gateway integrates in the VMware NSX environment as an advanced security service with Junos Space Security Director as its security manager.
VMware NSX Overview
VMware NSX is VMware’s network virtualization platform for the software-defined data center (SDDC). Similar in concept to server virtualization, network virtualization decouples network functions from physical devices. With VMware NSX, existing networks are immediately ready to deploy a software-defined data center. This enables data center operators to create, provision, and manage their networks with greater agility and operational efficiency. VMware NSX is completely managed by the VMware vCenter Server through the VMware vSphere Web Client.
The VMware NSX network virtualization platform is security orientated. The NSX Distributed Firewall (DFW) on all ESXi hosts to provide a set of kernel-based Layer 2 (L2) through Layer 4 (L4) stateful firewall features inside the ESXi hypervisor to deliver segmentation within each virtual network. Every virtual machine (VM) running in a VMware NSX environment can be protected with a full stateful firewall at a granular level. DFW operates at the vNIC of each individual VM.
VMware NSX, however, does not provide advanced L4 through L7 security services which are critical to provide complete protection in a SDDC environment. Environments that require advanced, application-level network security capabilities can leverage VMware NSX to distribute, enable, and enforce advanced network security services in a virtualized network context.
You can add the vSRX Virtual Services Gateway as a partner security service in the VMware NSX environment. The vSRX security service is managed by the Junos Space Security Director and VMware NSX Manager to deliver a complete and integrated virtual security solution for your SDDC environment. The vSRX provides advanced security services, including intrusion detection and prevention (IDP), and application control and visibility services through AppSecure.
DFW implements a stateful traffic steering mechanism that identifies what traffic should be sent to the vSRX VM. The protected VMs and the security service vSRX VM run on the same physical ESXi host.
vSRX Integration with NSX Manager and Junos Space Security Director
To deploy the advanced security features of the vSRX Virtual Services Gateway in the VMware NSX environment, the Junos Space Security Director, vSRX, and NSX Manager operate together as a joint solution to fully automate the provisioning and deployment of the vSRX to protect applications and data from advanced cyberattacks.
Integration of the vSRX VM in the VMware NSX environment involves use with the following management software:
Junos Space Security Director—The centralized security management platform responsible for service registration and configuration of each vSRX instance. The Security Director provides you with the ability to manage a distributed network of virtualized and physical firewalls from a single location. The Security Director functions as the management interface between the NSX Manager and the vSRX Services Gateway. Security Director manages the firewall policies on all vSRX instances.
NSX Manager—The centralized network management component of VMware NSX. The NSX Manager provides integration with the VMware vCenter Server, which enables you to manage the VMware NSX environment through VMware vCenter. All VMware NSX operations and configuration is done through VMware vCenter, which communicates with the NSX Manager through Representational State Transfer (REST) APIs to delegate tasks to the responsible owner. The NSX Manager is always associated with a VMware vCenter Server.
The NSX Manager is added as a registered device in the Security Director and communication is bidirectionally synchronized by the Junos Space Policy Enforcer between the two management platforms. All shared objects (such as security groups) are synchronized between the NSX Manager and Security Director. This includes the IP addresses of all VMs in ESXi hosts, including the vSRX agent VMs. The Security Director creates an address group for each security group synchronized from the NSX Manager, along with the addresses of each member of the security group. The security groups discovered from the NSX Manager are mapped to dynamic address groups (DAG) in the Security Director. The Policy Enforcer retains the mapping of all IP addresses between security groups and dynamic address groups.
The vSRX Services Gateway is deployed as a partner service appliance in the VMware NSX environment. vSRX agent VMs are deployed for each ESXi host in a cluster. You use security policies to direct all VM traffic in an ESXi host through the vSRX VM (the Juniper security service) for L4 through L7 advanced security analysis.
High-Level Workflow
Figure 1 provides a high-level workflow of how the NSX Manager, Security Director, and vSRX interact to deploy vSRX as a security service in the VMware NSX environment.
The Junos Space Security Director initiates communication with the NSX Manager. The Security Director discovers, registers, and adds the NSX Manager as a device in its database. The Security Director also deploys the vSRX instance from the .ovf file and registers it as a security service. The NSX Manager and its inventory of shared objects (for example, security groups) and addresses are then synchronized with the Security Director. The registration process uses the Policy Enforcer to enable bidirectional communication between the Security Director and the NSX Manager.
The NSX Manager deploys the registered vSRX instance as a Juniper security service for each ESXi host in a vSphere cluster. The deployment is based on the vSRX .ovf file. Whenever an ESXi host is added to a vSphere cluster, NSX Manager creates a vSRX agent VM in the new ESXi host. The same process occurs if an ESXi host is removed from a vSphere cluster.
After the vSRX agent VM is provisioned as a security service on each ESXi host in a vSphere cluster, NSX Manager notifies Security Director by using REST API callbacks. The Security Director pushes the initial boot configurations and Junos OS configuration policies to each vSRX agent VM to support the NSX security group. The Security Director is aware of the NSX security groups and corresponding address groups, and all deployed vSRX agent VMs are automatically discovered (one per ESXi host).
Security policies redirect relevant network traffic originating from the VMs in a specific security group in the ESXi hosts in a vSphere cluster to the Juniper security service vSRX agent VM in each ESXi host for further analysis.
The vCenter Server and the NSX Manager continue to send real-time updates on changes in the virtual environment to Security Director.
The Security Director dynamically synchronizes the object database to all vSRX agent VMs deployed in ESXi clusters. Security groups discovered from NSX Manager are mapped to a dynamic address group (DAG) in Security Director. The Security Director manages the firewall policies on the vSRX agent VMs. Using the Security Director, you create advanced security service policies (for example, an application firewall policy or an IPS policy) and push those policies to each vSRX agent VM in an ESXi host.