Data Center LAN Migration Guide - Juniper Networks

More documents

Recommendations

Info

Data Center LAN Migration Guide Consolidating and Virtualizing Security Services in the Data Center: Installation Tasks In addition to cyber theft and increasing malware levels, organizations must guard against new vulnerabilities introduced by data center technologies themselves. To date, security in the data center has been applied primarily at the perimeter and server levels. However, this approach isn’t comprehensive enough to protect information and resources in new system architectures. In traditional data center models, applications, compute resources, and networks have been tightly coupled, with all communications gated by security devices at key choke points. However, technologies such as server virtualization and Web services eliminate this coupling and create a mesh of interactions between systems that create subtle and significant new security risks within the interior of the data center. For a complete discussion of security challenges in building cloud-ready, next-generation data centers, refer to the white paper, “Security Considerations for Cloud-Ready Data Center”: www.juniper.net/us/en/local/pdf/implementationguides/8010046-en.pdf. A key requirement for this insertion point is for security services platforms to provide the performance, scalability, and traffic visibility needed to meet the increased demands of a consolidated data center. Enterprises deploying platforms which do not offer the performance and scalability of Juniper Networks SRX Series Services Gateways and their associated management applications are faced with a complex appliance sprawl and management challenge, where numerous appliances and tools are needed to meet requirements. This is a more costly, less efficient, and less scalable approach. Preinstallation Tasks for Security Consolidation and Virtualization SRX5800 EX82XX Legacy Security Appliances Figure 16: SRX Series platform for security consolidation • Ensure that the appropriate power, cooling, airflow, physical rack space, and cabling required to support the new equipment have been ordered and installed. • Ensure that the security tier is sized to meet the organization’s requirements for capacity headroom for future growth. • Define and provision routing/switching Infrastructure first (see prior section). This sets the L3/L2 foundation domains upon which the security “zones” the SRX Series enforces will be built. The SRX Series supports a pool of virtualized security services that can be applied to any application flow traversing the data center network. Setting up the network with this foundation of subnets and VLANs feeding the dynamic security enforcement point segments the data center resources properly and identifies what is being protected and what level of protection is needed. With SOA, for example, there are numerous data flows between servers within the data center and perimeter but security is often insufficient for securing these flows. Policies based on role/function, applications, business goals, or regulatory requirements can be achieved using a mix of VLAN, routing, and security zone policies enabling the SRX Series to enforce the appropriate security posture for each flow in the network. • The performance and scalability requirements should be scoped. SRX Series devices can be paired together in a cluster to scale to 120 Gbps of firewall throughput, as well as providing HA. Virtual machine security requirements should also be defined. Juniper’s vGW Virtual Gateway is hypervisor neutral, eliminating VM security blind spots. For more information on Juniper’s virtual firewall solution, refer to Chapter 2 (vGW Virtual Gateway). 44 Copyright © 2012, Juniper Networks, Inc.
Data Center LAN Migration Guide In the preinstallation phase, security policies must be developed. This typically takes time and can be complex to coordinate. Juniper Professional Services can be used as a resource to help analyze and optimize security policies at all enforcement points. The full suite of Juniper Networks Professional Services offerings can be found at: www.juniper.net/us/en/products-services/consulting-services. • Establish a migration plan, identifying a time line and key migration points, if all appliances cannot be migrated in a flash cut. • As with the other insertion points, PoC testing can be done and could include: - Establishing the size of the target rule base to be used post conversion - Checking the efficacy of the zone definitions - Determining the effectiveness of the IPS controls - Determining the suitability and implementation of the access controls to be used Installation Tasks As with the aggregation/core insertion point, it is important to have a fallback position to existing appliances in the event of any operational issues. The current firewall appliances should be kept on hot standby. The key to a successful migration is to have applications identified for validation and to have a clear test plan for success criteria. There are three typical options for migration, with option 1 being the one most commonly used. Migration Test Plan (Option 1) • Test failover by failing the master firewall (legacy vendor) to the backup (this confirms that HA works and the other devices involved in the path are working as expected). • Replace the primary master, which was just manually failed, with the Juniper firewall. The traffic should still be flowing through the secondary, which is the legacy vendor firewall. • Turn off the virtual IP (VIP) address or bring the interface down on the backup (legacy vendor firewall) and force everything through the new Juniper firewall. • A longer troubleshooting window helps to ensure that the switchover has happened successfully. Also, turn off synchronization checks (syn-checks) initially, to process already established sessions, since the TCP handshake has already occurred on the legacy firewall. This will ensure that the newly established Juniper firewall will not drop all active sessions as it starts up. Migration Test Plan (Option 2) • This is essentially a flash cut option where an alternate IP address for the new firewall is configured along with the routers and the hosts then point to the new firewall. If there is an issue, gateways and hosts can then be provisioned to fall back to the legacy firewalls. With this option, organizations will sometimes choose to leave IPsec VPNs or other termination on their old legacy firewalls and gradually migrate them over a period of time. Migration Test Plan (Option 3) • This option is typically used by financial organizations due to the sensitive nature of their applications. • A Switched Port Analyzer (SPAN) session will be set up on the relevant switches with traffic sent to the Juniper firewalls, where traffic is analyzed and session tables are built. This provides a clear understanding of traffic patterns and provides more insight into the applications being run. This option also determines whether there is any interference due to filter policies or IPS, and it creates a more robust test and cutover planning scenario. This option typically takes more time than the other options, so organizations typically prefer to go with option 1. Again, this is a more common option for companies in the financial sector. Copyright © 2012, Juniper Networks, Inc. 45
Page 1 and 2: DATA CENTER LAN MIGRATION GUIDE
Page 3 and 4: Data Center LAN Migration Guide Cha
Page 5 and 6: Copyright © 2010, Juniper Networks
Page 7 and 8: 3-TIER LEGACY NETWORK Ethernet Figu
Page 9 and 10: Why Migrate? Data Center LAN Migrat
Page 11 and 12: The Case for a High Performing, Sim
Page 13 and 14: Why Juniper? Data Center LAN Migrat
Page 17 and 18: Junos Pulse SRX5000 Line SRX3000 Li
Page 19 and 20: Data Center LAN Migration Guide A k
Page 21 and 22: Data Center LAN Migration Guide For
Page 23 and 24: MPLS/VPLS for Data Center Interconn
Page 25 and 26: Junos Space applications include: D
Page 29 and 30: Data Center LAN Migration Guide Add
Page 31 and 32: TRIGGER EVENT NETWORK INSERTION LAy
Page 33 and 34: Data Center LAN Migration Guide •
Page 35 and 36: For more detailed information on NI
Page 37 and 38: PoC lab could include: - Interface
Page 39 and 40: Data Center LAN Migration Guide Sig
Page 41 and 42: Data Center LAN Migration Guide The
Page 43: Installation Tasks Refer to Figure
Page 47 and 48: Data Center LAN Migration Guide •
Page 49 and 50: Data Center LAN Migration Guide At
Page 51 and 52: Data Center LAN Migration Guide Ste
Page 53 and 54: Juniper Professional Services Data
Page 57 and 58: Hardware Data Center LAN Migration
Page 59 and 60: OSI Layer 3: Network Troubleshootin
Page 61 and 62: The commands presented in this sect
Page 65 and 66: Data Center LAN Migration Guide 3.
Page 67 and 68: Data Center LAN Migration Guide Cop

Data Center LAN Migration Guide - Juniper Networks

Create successful ePaper yourself

Delete template?

Save as template?