If you talked with me at Interop, Las Vegas last week you heard me speak of Juniper’s New Network Platform Architecture. The New Network Platform Architecture is an initiative that brings together Juniper’s innovations in silicon, software, and systems to deliver best-in-class network designs that enable business advantages for our customers. This is a milestone for Juniper, and it shows the commitment that we have to delivering value to our customers to help them compete in today’s market place.

More than two decades ago the Berlin Wall crumbled because there was pressure from the people on both sides. So also, the Old Network is crumbling from pressure on two sides...

When it comes to vGW antivirus and IDS, we get a lot of questions about performance, signatures, and whether traffic has to be sent to an external device for inspection.

With vGW, both the IDS and antivirus engine signatures are housed on the vGW Security VM (SVM). The packets are not sent to an external location for processing on the antivirus engine.

vGW antivirus also comes in two flavors: 1) an on-access scan and 2) an on-demand scan. Think of on-access as real time with a micro agent loaded in each VM, but with the signature repository residing on the SVM.  If, for instance, a user tries to save an infected file to their VDI VM, the vGW on-access scan will intercept and quarantine the file. The on-demand option is more like point-in-time or offline antivirus. It uses a micro snapshot, scans the offline VMDK file, and then recommits the snapshot. This way, you can optionally schedule your VM scans during maintenance windows or off-peak hours to ensure that virus scanning does not negatively impact business-critical traffic.

Finally, the IDS engine is not inline and, therefore, firewall performance is not directly affected and the maximum throughput on any ESX/ESX(i) host in the environment is approximately 2 Gbps. The IDS processing is done on the SVM with stats rolled up for reporting to the Security Design management center. This processing can also be exported using packet mirroring or spanning to an external engine. Please note that this is only IDS and not an IPS option.

For more information please contact Cloud Security Sales.

Modern data center networks face an unprecedented array of challenges, including cost effective scaling, support for new applications such as highly virtualized data centers, more reliable delivery of Ethernet data frames, and much more.  This week at Interop in Las Vegas, IBM released a series of technical briefs that present a vision for the creation of an open data center with an interoperable network.
 

As the current movement toward open source virtualization (in other words, “no-pay” virtualization platform) is gaining more momentum, so are projects like OpenStack. Founded in July 2010 by Rackspace and NASA, OpenStack is an open source cloud computing platform project and community that currently has more than 165 companies, including two recent joiners, IBM and Red Hat. It has three core projects—Compute, Object Storage, and Image Service—with many more in the incubation hopper and, per a recent NetworkWorld article, also ranks as one of the top 10 most powerful Iaas companies.

The beauty of open source is that there is no vendor lock-in and, well, it’s cheaper—which are two things that are important to customers and, by extension, to Juniper. When it comes to the cloud, Juniper’s objective is to provide the best possible and most cost-effective security for its customers—whatever their choice of platform may be. OpenStack supports multiple hypervisors and Juniper’s vGW Virtual Gateway, which currently supports VMware and has short-term planned support for other hypervisors like KVM, Hyper-V, and Xen. So if organizations continue to rally behind OpenStack and the efforts of its growing number of active developers and cloud technologists to create a massively scalable cloud offering, they can count on Juniper to provide security that meets their needs for versatility as well as high-performance, multi-layered defenses, and compliance.

Today, Juniper Networks released its Trusted Mobility Index, a global survey of more than 4,000 mobile device users and IT decision-makers, which benchmarks current levels of trust in mobile technologies as well as examines how trends in mobile security and reliability influence attitudes and behaviors.

While there is a great deal of research into increasing mobile security and privacy threats – including Juniper’s own threat research conducted by its Mobile Threat Center – little attention has been given to understanding people’s current attitudes and confidence in their mobile experiences.

The total amount of known mobile malware has risen dramatically. From 2010 to 2011, Juniper Networks Mobile Threat Center identified a 155 percent increase in threats to mobile devices. However, no other category of mobile security threats is growing as quickly as Spyware.

In fact, in the first three months of 2012, Spyware targeting mobile devices has doubled. To put this in perspective, Juniper has discovered nearly the same amount of Spyware from January to March of 2012 as we have in the last eight years combined.

May 2012 Microsoft Patch Tuesday Summary

Welcome to another edition of patch Tuesday summary blog.  Last month’s patch Tuesday involved patching 11 vulnerabilities over 6 bulletins, while this month we are patching 23 vulnerabilities over 7 bulletins.

Here is a list of the vulnerabilities fixed in today’s patches:

The much brandied "Internet of things" or the more geeky M2M conjure up a vision of myriad of connected devices all talking to each other exchanging data in real time. Just for a moment overlay that with the security lens and you will start to see what is a seemingly intractable problem - how do you secure these billions of devices ?

Next week at Interop, there will be a good amount of reality and hype surrounding BYOD, Big Data, fabrics, software defined networking, and of course, THE CLOUD. My fellow Juniper representatives and I are looking forward to talking about those issues and architectural strategies for your IT infrastructure. However, there is a more mundane, but also important decision to be made when it comes to thinking about economics and future proofing your infrastructure: when, where, and why should you use 1G vs 10G switches?

The recent trend toward IT “consumerization” has flooded corporate IT with a host of new apps and personal devices, forcing businesses to re-think their network access strategies.  While these apps and devices raise valid concerns about security, compliance and management complexity, do they actually put your business at risk?

The solution is a “unified policy”—a holistic approach to coordinated security for enterprise network access, regardless of who owns a given device. 

Does VDI save money? Does it save time? Is it cheaper than regular desktops? Is it less secure? Is it more secure? The debate has been going for some time as to whether VDI is worth the investment—in terms of money and risk. Perhaps the best question to start with is: Why are you considering VDI? Why do you really want to use it?

For now, yes, there’s still some uncertainty around the ROI of VDI. Or, at minimum, it is less apparent than that of server virtualization. Same goes for security. Kinda. A VDI environment is not automatically more secure, but it is possible to make it more secure. And so if the ability to augment security and facilitate regulatory compliance is your biggest motivator toward adopting VDI, you may very well find it well worth the investment on that benefit alone. The key is finding the right solution for managing laptop security. It’s got to be comprehensive, high quality, high performing, and hypervisor-based so you can be best prepared to avoid any risks associated with synchronizing laptop contents inside the heart of your data center where so much sensitive data resides.

You’ll need a solution that gives you complete visibility into your virtual desktop environment so you can see what your users are installing. You’ll need a solution that enforces a gold image so that configuration standards are upheld and that any deviation triggers an alert or quarantine. You’ll need virtualization-specific antivirus protection that helps to prevent, detect, and remove malware, but does not compromise performance because, let’s face it, VDI users are expecting an experience that exceeds that of traditional PCs. They want fast. They want flexible. They want secure.

Read more about how Juniper Networks vGW Virtual Gateway delivers on these needs by enabling high quality, high performing security for VDI.

There has been a surge in smart phone adoption and Internet usage through mobile devices, according to recently released figures by Nielsen and IDC, both global providers of market intelligence.

According to Nielsen, as of February 2012, “Almost half (49.7%) of U.S. mobile subscribers now own smart phones…an increase of 38 percent over last year”, and according to IDC ,“By 2015, more U.S. Internet users will access the Internet through mobile devices than through PCs or other wireline devices”.

Many smart phone owners use these devices not just to make phones calls and/or exchange SMS messages, but also to check email, surf the Web and download and use mobile apps for information gathering, social media (e.g., Facebook) and entertainment (e.g., YouTube, playing games, etc.). Subscribers expect that when using their mobile devices, they will be able to exchange information relatively quickly and easily, play games, as well as download/upload files with a reasonable quality of service. However, what they might not realize is the mobile operator who is enabling mobile data services has made infrastructure and personnel investments for assuring subscribers an expected level of service quality as well as protecting subscribers from threats introduced to the mobile network.

In a mobile network, one of the vulnerable points is the Gi (for 3G network) or SGi (for 4G network) interface, which is the public data network/Internet facing interface that allows subscribers to use Internet-dependent features of their device (with an activated data plan or wireless service in place). This interface is subject to the same types of Internet borne threats seen in terrestrial networks and could result in loss of service to the wireless data subscriber. In order to extend a positive customer experience with high quality of service and to minimize customer churn, mobile operators should and do protect this interface. To learn about the key threats to the Gi/SGi interface and how Juniper Networks SRX security solutions can help mitigate these threats, read the White Paper.

How can you defend against a new generation of threats and attackers that are leveraging automation and outpacing alerting mechanisms and manual-access controls?

Mobile operators globally are observing significant growth in mobile data and bandwidth use. In fact, according to an article in The Hindu Business Line newspaper, just over 50% of the overall incremental wireless revenue in 2015 is expected to come from non-voice services. As such, operators need to offset the anticipated decline in voice service related revenue by offering new and innovative value-added services (VAS) to increase average revenue per user (ARPU). It is important to keep in mind that while in the past, SMS, MMS, and data access were typically considered VAS, over time those have increasingly become core services, and VAS is beginning to exclude those services.

To increase ARPU through offering VAS, operators could take one of two approaches. The first would be to partner

with a mobile content service provider to offer VAS. A recent example of this is the leading Indian mobile operator, Airtel, has collaborated with Singapore-based mobile content service provider Novosol to offer sports value added services. The second approach would be for a mobile operator to directly offer VAS. This obviously requires more effort and investment by the mobile operator, as the operator will be competing with experienced mobile content service providers for subscribers’ mindshare and ultimately, revenue share.

Value-added service providers are increasingly connecting to the mobile operator network via a messaging gateway since this gives the operator better control of the content. The operator can control subscriber access to the content, billing, etc.  The operator is also expected to protect subscribers from infected VAS servers as well as any threats to its own network -- to enable high uptime, and ultimately, keep customer satisfaction rates high and churn rates low. Juniper Networks offers solutions for mobile network operators to consolidate multiple security functions and adapt to evolving threats while monetizing new mobile services. To learn more, read the Solution Brief.

The US agency, NASA (National Aeronautics and Space Administration) is committed to innovating flight technologies, enabling humans to explore beyond the Earth’s orbit, managing International Space Station operations, and reaping the benefits of Earth and space exploration for society. It is also responsible for maintaining the security of all of its systems and data to prevent malicious activity and thwart any sabotage of important assets.

Despite efforts to safeguard its systems, in 2011 alone, NASA was the victim of 47 Advanced Persistent Threats (APTs), 13 of which successfully compromised agency computers, according to USA Today magazine.

An APT attack refers to a person gaining unauthorized access to a network and staying there undetected for a prolonged time period, with the intention of stealing data, and such an attack typically targets organizations in sectors with high-value information. So it doesn’t come as a complete surprise that NASA was targeted, since it houses a variety of sensitive data such as proprietary scientific research and plans.

The US agency, NASA (National Aeronautics and Space Administration) is committed to innovating flight technologies, enabling humans to explore beyond the Earth’s orbit, managing International Space Station operations, and reaping the benefits of Earth and space exploration for society. It is also responsible for maintaining the security of all of its systems and data to prevent malicious activity and thwart any sabotage of important assets.

Despite efforts to safeguard its systems, in 2011 alone, NASA was the victim of 47 Advanced Persistent Threats (APTs), 13 of which successfully compromised agency computers, according to USA Today magazine.

Not too long ago, enterprises eagerly purchased best of breed IT components and self-integrated the pieces to create their own solution.  Software and hardware from various suppliers implemented by internal IT staff members to meet what seemed like unique requirements.   It was complex, expensive, and time consuming to complete.  Often, major IT projects came in late and over budget.  Times have changed and now enterprises must control cost, reduce time to benefit, maximize efficiency, and build agility in their IT environments. IBM’s new family of Expert Integrated Systems is the latest step forward in advanced computing for IT customers.

April 2012 Microsoft Patch Tuesday Summary

Welcome to another edition of patch Tuesday summary blog.  Last month’s patch Tuesday involved patching 7 vulnerabilities over 6 bulletins, while this month we are patching  11 new vulnerabilities over  6 bulletins.

Here is a list of the vulnerabilities fixed in today’s patches:

We often take technology for granted.  Every day, we simply flip a switch to turn the lights in a room or press one button on the microwave to make a quick meal without a thought. We don’t think about the complexity of starting a car. Gasoline automatically mixes with the correct amount of oxygen to create a combustion powering the drive shaft to generate enough energy to move the vehicle. We just put the key in the ignition and turn it to the right.We often take technology for granted.  Every day, we simply flip a switch to turn the lights in a room or press one button on the microwave to make a quick meal without a thought. We don’t think about the complexity of starting a car. Gasoline automatically mixes with the correct amount of oxygen to create a combustion powering the drive shaft to generate enough energy to move the vehicle. We just put the key in the ignition and turn it to the right. We often take technology for granted.  Every day, we simply flip a switch to turn the lights in a room or press one button on the microwave to make a quick meal without a thought. We don’t think about the complexity of starting a car. Gasoline automatically mixes with the correct amount of oxygen to create a combustion powering the drive shaft to generate enough energy to move the vehicle. We just put the key in the ignition and turn it to the right.

Is there reason to look at protecting the protector aka protecting the network firewalls themselves ?

“Many devices which work on a small scale do not work on a large scale.” – Galileo

Although spoken several centuries ago, this observation uniquely applies to networks today. Scalability depends on the strength of the underlying network architecture. Recently, I had a chance to work with Network Test’s David Newman, one of the best in the business when it comes to network assessment tests. David and my colleagues put a QFabric System through a series of standardized tests under the most stringent data center conditions, across 1,536 10GbE ports—an unprecedented scale that has never been seen before (at least, not in my 13 years of experience). The results prove that QFabric delivers impressive performance at very large scale, provides operational simplicity with a single  switch model and seamlessly interoperates with existing data center and network infrastructure.

Friday March 23rd added another important milestone to Juniper's long track record of firsts as the highly anticipated PTX5000 Packet Transport Switch began shipping to Service Provider customers seeking a new solution for managing ever growing and increasingly unpredictable network traffic with MPLS optimized forwarding.

Founded more than a decade ago, VMware has not only been in the server virtualization/hypervisor business a long time, but it has practically owned the space. But, will that continue? VMware’s early dominance has progressively begun to be challenged and chipped away at by the likes of Microsoft with Hyper-V, Citrix with XenServer, and, interestingly, RedHat with its Linux-based KVM hypervisor. Though Gartner projected KVM market share to reach just 2% in 2012, Red Hat has aggressively been working to attract more attention by making its product more manageable and robust, as well as by garnering some heavy-weight support from the likes of IBM, HP, Intel, and more.

At CITE and RSA a few weeks ago, the themes of Bring Your Own Device (BYOD) and the “Consumerization of IT” continued to dominate booth demos, keynote sessions and breakout discussions. Mobile Device Management (MDM), mobile device security and application access control were key topics of discussions. Enterprises today are coming to terms with the concept of allowing their employees to bring their own devices to work, and are looking for solutions that will help them deploy employee-friendly mobility policies.

It was, however, intriguing to note how many people seem to consider MDM a full solution to their enterprise mobility challenges.