Data Center LAN Migration Guide - Juniper Networks
Consolidating and Virtualizing Security Services in the Data Center: Installation Tasks
In addition to cyber theft and increasing malware levels, organizations must guard against new vulnerabilities introduced by data center technologies themselves. To date, security in the data center has been applied primarily at the perimeter and server levels. However, this approach isn’t comprehensive enough to protect information and resources in new system architectures. In traditional data center models, applications, compute resources, and networks have been tightly coupled, with all communications gated by security devices at key choke points. However, technologies such as server virtualization and Web services eliminate this coupling and create a mesh of interactions between systems that creates subtle and significant new security risks within the interior of the data center. For a complete discussion of security challenges in building cloud-ready, next-generation data centers, refer to the white paper, “Security Considerations for Cloud-Ready Data Center”: www.juniper.net/us/en/local/pdf/implementationguides/8010046-en.pdf.
A key requirement for this insertion point is for security services platforms to provide the performance, scalability, and traffic visibility needed to meet the increased demands of a consolidated data center. Enterprises deploying platforms that do not offer the performance and scalability of Juniper Networks SRX Series Services Gateways and their associated management applications are faced with a complex appliance sprawl and management challenge, where numerous appliances and tools are needed to meet requirements. This is a more costly, less efficient, and less scalable approach.
Preinstallation Tasks for Security Consolidation and Virtualization

[Figure 16: SRX Series platform for security consolidation. Diagram labels: SRX5800, EX82XX, Legacy Security Appliances.]
• Ensure that the appropriate power, cooling, airflow, physical rack space, and cabling required to support the new equipment have been ordered and installed.
• Ensure that the security tier is sized to meet the organization’s requirements for capacity headroom for future growth.
• Define and provision the routing/switching infrastructure first (see prior section). This sets the L3/L2 foundation domains upon which the security “zones” the SRX Series enforces will be built. The SRX Series supports a pool of virtualized security services that can be applied to any application flow traversing the data center network. Setting up the network with this foundation of subnets and VLANs feeding the dynamic security enforcement point segments the data center resources properly and identifies what is being protected and what level of protection is needed. With SOA, for example, there are numerous data flows between servers within the data center and perimeter, but security is often insufficient for securing these flows. Policies based on role/function, applications, business goals, or regulatory requirements can be achieved using a mix of VLAN, routing, and security zone policies, enabling the SRX Series to enforce the appropriate security posture for each flow in the network.
• The performance and scalability requirements should be scoped. SRX Series devices can be paired together in a cluster to scale to 120 Gbps of firewall throughput, as well as providing HA.
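The following Junos configuration is an added example, not taken from the Juniper guide, showing the VLAN-to-zone mapping the third bullet describes: two server VLANs arrive on a tagged SRX interface, each subnet becomes its own security zone, and an explicit inter-zone policy permits only the single server-to-server flow that the application needs while logging both the permitted sessions and the denied attempts. The interface name, VLAN IDs, addresses, zone names and the `db-tcp` application are placeholder assumptions; the zone-level address-book syntax is the form used on SRX releases of the guide's era.

```junos
/* Added example, not from the Juniper guide: interface names, VLAN IDs,
   addresses and zone names are placeholder assumptions. */
interfaces {
    ge-0/0/0 {
        /* One L3 subinterface per server VLAN handed up from the switching tier */
        vlan-tagging;
        unit 100 {
            vlan-id 100;
            family inet {
                address 10.1.100.1/24;
            }
        }
        unit 200 {
            vlan-id 200;
            family inet {
                address 10.1.200.1/24;
            }
        }
    }
}
applications {
    /* Custom application: the one server-to-server flow we intend to permit */
    application db-tcp {
        protocol tcp;
        destination-port 3306;
    }
}
security {
    zones {
        /* Each VLAN/subnet becomes a zone, so "what is being protected" is explicit */
        security-zone web-tier {
            address-book {
                address web-servers 10.1.100.0/24;
            }
            interfaces {
                ge-0/0/0.100;
            }
        }
        security-zone db-tier {
            address-book {
                address db-servers 10.1.200.0/24;
            }
            interfaces {
                ge-0/0/0.200 {
                    /* Traffic to the SRX itself is limited to ping for reachability checks */
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone web-tier to-zone db-tier {
            /* Least privilege: only web servers, only db servers, only the db port */
            policy web-to-db {
                match {
                    source-address web-servers;
                    destination-address db-servers;
                    application db-tcp;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            /* Explicit catch-all deny with logging, so blocked lateral flows are visible */
            policy deny-rest {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
        /* Any zone pair without a policy (e.g. a newly added VLAN) gets nothing */
        default-policy {
            deny-all;
        }
    }
}
```

The `deny-rest` policy is redundant with `default-policy deny-all` for enforcement, but it is what produces a session-init log for each blocked attempt between these two zones, which is the detection signal a security team wants when a server in the web tier starts probing the database VLAN. Adding a new application tier then means adding a VLAN, a zone, and a deliberately written policy, rather than inheriting access by accident.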
Virtual machine security requirements should also be defined. Juniper’s vGW Virtual Gateway is hypervisor neutral, eliminating VM security blind spots. For more information on Juniper’s virtual firewall solution, refer to Chapter 2 (vGW Virtual Gateway).
Copyright © 2012, Juniper Networks, Inc.