Smart Default Policy for New Virtual Machines

When a new VM is created, the vGW assigns it an administrator-defined default policy. Allowing only admin and Domain Name System (DNS) protocols, for example, mitigates the risks of misconfigured or “rogue” VMs with vulnerable or infected workloads.
VMware Hypervisor Protection

By monitoring and storing all network connections to the hypervisor using VMsafe APIs, the vGW creates a new defensive layer that protects hypervisors against unauthorized connection attempts from VMs.

vGW provides a hypervisor-based stateful firewall that inspects all packets to and from VMs, blocking all unapproved connections and subjecting allowed packets to deeper inspection (e.g., port 80 for Web applications). Administrators can enforce stateful firewall policies for individual VMs, logical groups of VMs, or all VMs.
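The layered policy model described above (per-VM rules, logical-group rules, and global rules, plus a restrictive default for VMs the administrator has not yet placed) as an added Python example. This is illustrative code written for this page, not vGW's own policy format or API; it assumes DNS means port 53 and that "admin" means SSH (tcp/22) and RDP (tcp/3389), and the inventory it builds is constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp" or "udp"
    dport: Optional[int]    # None matches any destination port
    action: str             # "allow" or "deny"

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto == proto and self.dport in (None, dport)

# Default policy for VMs the administrator has not yet placed anywhere.
# Assumed port mapping: DNS = udp/tcp 53, "admin" = SSH tcp/22 and RDP tcp/3389.
NEW_VM_DEFAULT = [Rule("udp", 53, "allow"), Rule("tcp", 53, "allow"),
                  Rule("tcp", 22, "allow"), Rule("tcp", 3389, "allow")]

@dataclass
class PolicyStore:
    global_rules: List[Rule] = field(default_factory=list)
    group_rules: Dict[str, List[Rule]] = field(default_factory=dict)  # group -> rules
    vm_rules: Dict[str, List[Rule]] = field(default_factory=dict)     # vm -> rules
    vm_groups: Dict[str, List[str]] = field(default_factory=dict)     # vm -> groups

    def effective_rules(self, vm: str) -> List[Rule]:
        """Most specific first: per-VM rules, then group rules, then global rules.
        An unassigned (newly created) VM gets only the restrictive default set."""
        if vm not in self.vm_rules and vm not in self.vm_groups:
            return list(NEW_VM_DEFAULT)
        rules = list(self.vm_rules.get(vm, []))
        for group in self.vm_groups.get(vm, []):
            rules += self.group_rules.get(group, [])
        return rules + self.global_rules

    def decide(self, vm: str, proto: str, dport: int) -> str:
        """First matching rule wins; anything unmatched is dropped (default deny)."""
        for rule in self.effective_rules(vm):
            if rule.matches(proto, dport):
                return rule.action
        return "deny"

def build_demo() -> PolicyStore:
    """Constructed sample inventory: a web group, one quarantined VM, global admin/DNS."""
    store = PolicyStore(global_rules=[Rule("udp", 53, "allow"), Rule("tcp", 22, "allow")])
    store.group_rules["web"] = [Rule("tcp", 80, "allow"), Rule("tcp", 443, "allow")]
    store.vm_groups["web01"] = ["web"]
    # A quarantined VM carries explicit per-VM deny-all rules that shadow group/global allows.
    store.vm_rules["quarantined01"] = [Rule("tcp", None, "deny"), Rule("udp", None, "deny")]
    return store
```

Calling `build_demo().decide("new-vm", "tcp", 80)` returns "deny" because an unplaced VM only gets the DNS/admin default, while `decide("web01", "tcp", 443)` returns "allow" through the web group.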
VM Introspection

Virtual Machine Introspection (VMI) is a groundbreaking approach, analogous to an “X-ray” of VMs and the virtual environment from the hypervisor. VMI enables information gathering about VMs, the security of the virtual network, and virtual environment settings—without the use of agents. The ability of malware to disable or hide from security agents is a classic unresolved security problem that has plagued the security industry for decades. VMI offers an innovative new approach to leveraging the hypervisor for an uncompromised “X-ray” inspection of VMs, where malware literally has nowhere to hide. vGW incorporates VMI as part of its security policy definition and enforcement mechanism.
By amassing information about the kinds of applications and services running on VMs, vGW sustains deep knowledge about the internal security state of each virtual device. This information is then made available through vGW’s point-and-click dynamic policy editor, so that rules can be easily built to enforce a desired VM security posture. For example, a security rule could require antivirus software to be present inside a VM, or alternatively discover unapproved applications, forcing automated quarantine and alerts for noncompliant machines. vGW’s unique vantage point in the hypervisor delivers unprecedented visibility and control over the virtual environment to achieve compliance with corporate standards.
Figure 4: Granular virtual firewall policies enforce all access to and from VMs
System Requirements

vGW Firewall
• Operating System: Virtual Appliance
• Memory: 512 MB
• Disk space: 1 GB
• Virtual Infrastructure: VMware vSphere 4
  • VMware ESX or ESXi 4.0, with vCenter 4

Security Design for vGW
• Operating System: Virtual Appliance
• Memory: 1 GB
• Disk space: 10 GB
• Virtual Infrastructure: VMware Infrastructure 3
  • VMware ESX Server 3.x.x
  • VirtualCenter 2.x.x
Juniper Networks Services and Support

Juniper Networks is the leader in performance-enabling services and support, which are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to bring revenue-generating capabilities online faster so you can realize bigger productivity gains and faster rollouts of new business models and ventures. At the same time, Juniper Networks ensures operational excellence by optimizing your network to maintain required levels of performance, reliability, and availability. For more details, please visit www.juniper.net/us/en/products-services.