Westcon / Juniper 5


Junos Rising
Westcon / Juniper 5-day course
Pieter van Dijk
MAJOR MARKET TRENDS…
DATA MOBILITY AND SCALE AT AN ALL TIME HIGH, AND GROWING
• Cloud Computing: total spend on public cloud services grows from $59 billion to $148 billion. Source: Gartner
• Mobile Internet: smartphones have surpassed PCs, as the mobile experience usurps the desktop model. Source: IDC
• Explosive Growth: explosion of data, users, and devices.
[Chart residue, labels as extracted: PCs, Smartphones; axis 30 / 60 / 90 / 120 Million; years 2009, 2010, 2011, 2014, 2016]
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
SECURITY IS IMPACTED BY TWO TRENDS
Industry Trends: Compliance Requirements, Business Drivers, Workforce Behavior, IT Infrastructure
Security Trends: Attacker Behavior, Evolving Threat Vectors, New Attack Targets
SECURITY MARKET TREND – EVOLVING THREATS
[Diagram: attacker motivation moves from Notoriety to Profitability; targets move from .gov / .com to .me / .you; threat sophistication (maturity) rises over time]
Type of Attack: Worms, Virus, Trojans, DOS, Malware, Botnets, APT
Target: Internet Information Services, ERP, New Applications, New Devices
ADDRESSING THE EVOLVING THREAT LANDSCAPE
Customer Priorities:
• Visibility into Web 2.0 Threats
• Control of Application Usage
• Rapid Response to New Threats
• Scalable Policy Enforcement & Management
Juniper Security Solutions: AppSecure Software, SRX, Security Research Teams
VISIBILITY
Comprehensive Application Visibility and Control
[Diagram: Global High Performance Network connecting Branch, Campus, Mobile Clients and Data Center]
What User: User Location, User Device
What Application: Source to Destination
APPSECURE: AN IMPORTANT COMPONENT TO A LAYERED SECURITY APPROACH
[Diagram: Processing Intensity & Cost rises with Inspection Depth, from ACLs & Stateless Firewall through Stateful Firewall and Application Security to Intrusion Prevention]
ACLs & Stateless Firewall
• Decisions made based on packet header info such as Source and Destination addresses
• Very fast
Stateful Firewall
• More context incorporated into decision process
• Better at identifying unauthorized or forged communications
• Still fast
Application Security / Intrusion Prevention
• Looks at every bit for threats—thorough but intensive processing
• Best used sparingly
BUILDING INTELLIGENT SECURITY
Introducing AppSecure
Suite of application based services designed for deploying security in a knowledgeable manner
• Builds on existing SRX integrated services to deliver finer-grain policies
• Leverages integrated application intelligence
ADDRESSING THE NGFW MARKET WITH APPSECURE
Security at Scale for 800+ Applications
AppSecure: AppTrack (Visibility), AppFW (Enforcement), AppQoS (Control), AppDoS (Protection), Identity Management with Application Access control
APPTRACK VISIBILITY FOR INFORMED RISK ANALYSIS
AppTrack: Monitor & Track Applications
• View application by protocol, Web application, and utilization
• Analyze usage and trends
• Customize application monitoring
• Log and report across security solutions and systems
Web 2.0 application visibility; App usage monitoring; Scalable, flexible logging & reporting
APPTRACK MAKES APPLICATION VISIBILITY AND CONTROL AS EASY AS 1-2-3
1. Traffic analyzed by AppTrack as it traverses the SRX (DC Firewall(s), in front of DC Switching and the Server Farms in the Data Center)
2. SRX sends application logs to a SIEM/Log collector (STRM or 3rd Party SIEM)
3. SIEM reports (STRM Reports) analyzed by IT staff in the Operations Center
APPTRACK DRIVES FIREWALL, QOS, DDOS, IDP POLICY
[Diagram: Flow Processing feeds AppTrack, which drives the services below]
• AppFW: permit or deny based on user and application
• AppQoS: adjust QOS based on user and application
• AppDoS: app based DOS detection
• IPS: require further traffic inspection
APPFW: BEYOND JUST FW OR APP CONTROL
AppFW: Control & Enforce Web 2.0 Apps
• Inspect ports and protocols
• Uncover tunneled apps [diagram shows apps tunneled in HTTP]
• Stop multiple threat types
• Control nested apps, chat, file sharing and other Web 2.0 activities
Dynamic application security; Web 2.0 policy enforcement; Threat detection & prevention
APPFW – 3 DIMENSIONAL SECURITY POLICIES
• Easily restrict application access to necessary users
• Reduce the spread of confidential information
• Stop high-risk and unwanted applications
[Diagram: DC Firewall(s) with AppTrack in front of DC Switching and the Server Farms in the Data Center; logs go to STRM in the Operations Center. A policy combines the Traditional Firewall Policy with User and Group Awareness (User Store, special UAC) and Application Awareness]

Match Criteria                                                                       | Then
Rule | Source Zone | Dest Zone | Source IP | User/Role | Dest IP | Dynamic Application | Action | Service Options
1    | Zone-1      | Zone-2    | 1.1.1.0   | Amy       | Any     | Facebook            | Permit | None, Log
2    | Zone-1      | Zone-2    | 1.1.2.0   | Finance   | Any     | LinkedIn            | Permit | None, Log
3    | Zone-1      | Zone-2    | any       | any       | Any     | none                | permit | none, Log
4    | Zone-1      | Zone-2    | any       | any       | Any     | Facebook            | Deny   | none, Log
Unplaced table text as extracted: kazza, Yahoo IM
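To make the three dimensions of the table above concrete, here is a small evaluator written for this page (it is not Juniper code and not the SRX implementation). It assumes Junos-style top-down, first-match evaluation with an implicit deny at the end, reads "1.1.1.0" as the /24 prefix, treats "none" as "no dynamic application identified", and lets a User/Role cell match either the user name or one of the user's roles; the sessions in the test are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# The four AppFW rows from the slide's policy table, transcribed as tuples:
# (rule, from-zone, to-zone, source IP, user/role, dynamic application, action, log).
# Assumptions: "1.1.1.0" means the /24 prefix, "none" means "no dynamic
# application identified", rules are checked top-down and the first match wins,
# and anything unmatched hits an implicit deny (reported as rule number 0).
RULES = [
    (1, "Zone-1", "Zone-2", "1.1.1.0/24", "Amy",     "Facebook", "permit", True),
    (2, "Zone-1", "Zone-2", "1.1.2.0/24", "Finance", "LinkedIn", "permit", True),
    (3, "Zone-1", "Zone-2", "any",        "any",     "none",     "permit", True),
    (4, "Zone-1", "Zone-2", "any",        "any",     "Facebook", "deny",   True),
]


@dataclass
class Session:
    """One flow as seen after zone lookup, identity lookup and application ID."""
    from_zone: str
    to_zone: str
    src_ip: str
    user: str                                 # user name from the user store (UAC)
    roles: Set[str] = field(default_factory=set)
    app: Optional[str] = None                 # dynamic application, None if unknown


def _matches(rule, s: Session) -> bool:
    _, fz, tz, src, who, app, _, _ = rule
    if (fz, tz) != (s.from_zone, s.to_zone):
        return False
    if src != "any" and ipaddress.ip_address(s.src_ip) not in ipaddress.ip_network(src):
        return False
    if who != "any" and who != s.user and who not in s.roles:
        return False
    if app == "none":                         # rule 3: only traffic AppID could not classify
        return s.app is None
    return app == s.app


def evaluate(s: Session, rules=RULES) -> Tuple[int, str, bool]:
    """Return (matching rule number, action, log flag); rule 0 is the implicit deny."""
    for rule in rules:
        if _matches(rule, s):
            return rule[0], rule[6], rule[7]
    return 0, "deny", True


if __name__ == "__main__":
    # Same application, different user and source: rule 1 permits, rule 4 denies.
    amy = Session("Zone-1", "Zone-2", "1.1.1.5", "Amy", app="Facebook")
    bob = Session("Zone-1", "Zone-2", "1.1.3.9", "Bob", app="Facebook")
    print(evaluate(amy), evaluate(bob))
```

Note that Amy connecting from outside 1.1.1.0/24 falls through to rule 4 and is denied, which is the point of combining source, user and application in one rule.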
APPQOS FOR SCALE & PERFORMANCE
AppQoS: Prioritize & Control App Bandwidth
• Monitor Web 2.0 bandwidth consumption
• Throttle bit rates based on security and usage insights
• Prioritize business critical apps
Dynamic application quality-of-service (QoS); Application prioritization; Performance management
APPQOS – BANDWIDTH MANAGEMENT FOR BUSINESSES
• Prioritize traffic based on application type
• Limit the amount of bandwidth an application can consume
• Mark the DSCP values for proper QoS treatment
• Leverage Junos Class-of-Service feature set to fully control application handling at the interface queue level
[Diagram: Traditional Firewall Policy plus User and Group Awareness plus Application Awareness (AppTrack)]
Examples: give highest priority to financial applications for finance and sales; approved applications receive normal priority; lower priority for multimedia applications, except for the MM content group
BOTNET & DOS THREAT MITIGATION
AppDoS: Protect Valuable On-line Business
• Detect and mitigate botnet activity
• Uncover misuse of routine Web functionality (View Item, Select Item, Check bill, Purchase Item)
• Benchmark “normal” behavior to detect anomalies
• Adapt security policy and QOS based on insights
Botnet detection & remediation; DoS monitoring & remediation; On-going anomaly detection
DDOS ATTACK EVOLUTION
Traditional DDoS Attacks (Saturation DDoS Attack)
• Bandwidth saturation causing service outages
• Synflood, packet floods [diagram: repeated "ack req" exchanges]
• Detectable – statistical/behavioral
• Effective containment
Now: stateful/meaningful (Stateful DDoS Attack)
• Mimic legitimate traffic and transactions [diagram: repeated "place in cart . . ." requests]
• Applications process legitimate requests that are intended to disrupt or overload service
• Can’t distinguish bad traffic/requests from good
APPLICATION DDOS PROTECTION
Introducing Application Denial of Service AppDoS
• Identifies attacking botnet traffic vs. legitimate clients based on application layer metrics and remediates against botnet traffic
• Employs multi-stage approach from server connection monitoring, deep protocol analysis to bot-client classification: server connection monitoring; protocol analysis; bot-client classification
• Available on the SRX5000 and SRX3000 Series Gateways
WITHOUT ADDOS POLICY
GOOD TRAFFIC (1000CPS) + ADDOS TRAFFIC (4000CPS) = 5000CPS
Server threshold 4500CPS: DDoS, degraded performance
WITH APPDDOS POLICY ACTIVATED: BAD TRAFFIC IS BLOCKED, ONLY GOOD TRAFFIC IS ALLOWED THROUGH (1000CPS)
Server threshold 4500CPS: AppDDoS mitigated
IPS FOR CUSTOMIZABLE PROTECTION
Monitor & Mitigate Custom Attacks
AppSecure IPS
• Detect and monitor suspicious behavior
• Tune open signatures to detect and mitigate tailored attacks
• Uncover attacks exploiting encrypted methods
• Address vulnerabilities instead of ever-changing exploits of the vulnerability [diagram: one VULNERABILITY behind many Exploits, contrasted with other IPS’s]
On-going threat protection; Mobile traffic monitoring; Custom attack mitigation
FULL IDP CAPABILITIES
IPS
• Full featured detection
• Constant inspection
• Decoder based updates
• Geared for evasive application detection
APPSECURE SERVICE MODULES
[Diagram: Flow Processing from Ingress to Egress; the Application Identification Engine (AI, NAI) produces Application ID Results consumed by IPS, AppTrack, AppDoS, AppFW and AppQoS]
THE JUNIPER APPSECURE DIFFERENCE
SCALABLE: Performance up to 100G; Log storage up to 1.3TB; Advanced HA
COMPREHENSIVE: Traditional & Web 2.0 security; Adds botnet & DoS detection; QOS & IPS; Mobile & fixed user protection
FLEXIBLE: Open attack signatures; Scriptable CLI; Modular hardware; Runs on SRX & Junos; Extensible FRU design; Compatible Syslog format
JUNOS SPACE APPSECURE DEMO
SRX Branch and High End Platform update
Branch SRX
SRX FEATURES MATRIX
Security: Firewall, VPN, IDP, Antivirus, Web filtering, Antispam
Wireless LAN and 3G WAN: 802.11n; 3G/4G
Routing & Switching: RIP, OSPF, BGP, Multicast, IPv6; MPLS, Full BGP table; J Flow, RPM; L2 Switching; POE Options
Physical Interfaces: T1/E1, Serial, DS3/E3; VDSL, ADSL, G.SHDSL; DOCSIS Cable Modem; Ethernet 10/100/1000 & 10G, Copper or Fiber
Dynamic Services Architecture™
• Separate I/O and Services
• Dedicated Control Plane
• Plug-and-Play Modules
• Carrier-class Reliability
[Diagram: I/O Cards and Services Cards joined by an Integrated Terabit Fabric; services include Firewall, VPN, IDP, ALG, LSYS, AppFW, AppTrack, AppQoS, Screens, LLF, QoS, D/DoS, SYN Prot and more]
SECURITY FOUNDATION WITH SRX
• Portfolio covers wide range of customer requirements
• Integrated services gateway offering up to 120 Gbps FW, 100Gbps AppFW and 30 Gbps IPS
[Diagram, scale from 10 Gbps to 120 Gbps: Branch SRX (SRX100, SRX210, SRX220, SRX240, SRX650) for Telecommuter, Small Office, Small/Medium Branch, Large Branch and Regional Office; High End SRX (SRX1400, SRX3400, SRX3600, SRX5600, SRX5800) for Large Enterprise and Service Provider]
THE JUNOS PORTFOLIO
One OS; One Release Track (10.2, 10.3, 10.4: Frequent Releases); One Architecture (core, branch, Module x, API)
Junos Space, Junos Pulse
Platforms: T Series, MX Series, M Series, J Series, LN1000, EX8216, EX8208, EX4500 Line, EX4200 Line, EX3200 Line, EX2200 Line, SRX5000 Line, SRX3000 Line, SRX1400, SRX650, SRX240, SRX220, SRX210, SRX100
HIGH AVAILABILITY
CARRIER-GRADE AVAILABILITY
In Service Software Upgrade
• Perform software upgrade while SRX cluster is in production
• Typical traffic loss times ~1sec*
• Single command triggered upgrade not requiring manual intervention
• ISSU is supported in HA cluster mode only
Cluster Mode
• Active/Active and Active/Passive support
• Multi-Datacenter compatible
• Fully Stateful – sessions persist across failover
• Robust system health criteria: Hardware/Software/Control Link/IP Tracking
• Graceful Restart support for routing protocols
WHY HIGH AVAILABILITY?
All High End SRX Deployments Use HA
• Continuity of Services
• Provide Availability through redundancy
• Avoids single point of failure
How the SRX provides HA
• Utilizing JUNOS Services Redundancy Protocol, JSRP (similar to NSRP in ScreenOS)
• Control and data plane redundancy
• Single system view: same config on both nodes
• Stateful traffic failovers with routing, firewall, NAT, VPN, and security services
Flexible Deployment Scenarios
• Basic/full mesh Active Passive
• Various Active/Active scenarios
• Asymmetric support
SRX HA CONCEPT
The JSRP Model combines:
From JUNOS (Routing): Graceful Restart; GRES; NSR (future); Asymmetric Routing; Flexibility in Interfaces; Configuration Sync.
From ScreenOS: RTO Sync; Stateful Failover; NSRP State Machine; Keep-alive Mechanism; IP Tracking
New Development: Distributed Parallel packet Processing; Control port redundancy; JSRPD; Redundant Interfaces; Control and Fabric link infrastructure
HIGH AVAILABILITY CHARACTERISTICS OVERVIEW
Redundancy
• Control Plane: Active-passive
• Data Plane: Active-passive, Active-Active
Stateful Session Failover
• NAT
• ALG
• IPSec
Synchronization
• Authentication
• Configuration
• Session State
HIGH AVAILABILITY REDUNDANCY
Solution Architecture: GRES provides nonstop failover
[Diagram: NODE 0 (RE ACTIVE with Control Plane Daemons; PFE ACTIVE with Forwarding Daemon / Flowd) and NODE 1 (RE BACKUP; PFE BACKUP), joined by the CONTROL LINK (fxp1 to fxp1) for the Control Plane and the DATALINK (fab0 to fab1) for the Data Plane + RTOs]
• Single device abstraction
• Clean separation of control and forwarding planes
• Unified configuration with configuration sync
• Maximum of 2 devices
• Devices must be of the same Hardware Model
TWO CHASSIS CONNECTED TOGETHER
[Diagram: node0 (primary) and node1 (secondary), each with RE 0 and RE 1; Control Plane Connection SPC-to-SPC; Data Plane Connection IOC to IOC]
CLUSTER CONNECTIONS
Platform      | fxp0 (mgmt) | fxp1 (HA control)                    | Fabric (must be configured)
J-Series      | ge-0/0/2    | ge-0/0/3                             | Any available GE interface
SRX 100/210   | fe-0/0/6    | fe-0/0/7                             | Any available FE or GE interface
SRX 220       | ge-0/0/6    | ge-0/0/7                             | Any available GE interface
SRX 240/650   | ge-0/0/0    | ge-0/0/1                             | Any available GE interface
SRX 1400      | onboard RE  | ge-0/0/10 and/or ge-0/0/11           | Any available GE or XE interface
SRX 3400/3600 | onboard RE  | Built-in front-panel RE ports        | Any available GE or XE interface
SRX 5600/5800 | onboard RE  | SPC control port (must be configured) | Any available GE or XE interface; must be fiber
VIRTUALIZATION
VIRTUALIZATION CHALLENGES
Physical Network
• One server is one server
• Firewall can see all traffic
• Applications don’t move much
Hidden Traffic
• Traffic on the same hypervisor isn’t sent to the physical firewall
Complexity
• One physical server represents many virtual ones
Dynamic Applications (V-Motion)
• As applications move, how does the physical security follow?
VGW MODULES
• Main: Dashboard view of virtual data center
• Firewall: Firewall policy and logs
• Network: Traffic flows
• AntiVirus: AV protection w/ quarantine
• IDS: View of IDS alerts
• Compliance: VM/host alerts on non-compliance
• Introspection: VM “x-ray” (OS, apps, etc.)
• Reports: Granular reports and scheduler
THE VGW PURPOSE-BUILT APPROACH
Service Provider & Enterprise Grade
• Three-tiered Model
• VMware Certified
• Fault-tolerant architecture (i.e., HA)
Virtualization-aware
• Protects each VM and the hypervisor
• “Secure VMotion” scales to 1,000+ hosts
• “Auto Secure” detects/protects new VMs
Granular, Tiered Defense
• Stateful firewall, integrated IDS, and AV
• Flexible Policy Enforcement
[Diagram: (1) Virtual Center and Security Design for vGW; (2) VM1, VM2, VM3 and the vGW VM on an ESX or ESXi Host, over any vSwitch (Standard, DVS, 3rd Party); (3) THE vGW ENGINE in the HYPERVISOR / VMware Kernel using VMWARE API’s and Packet Data; Partner Server (IDS, SIM, Syslog, Netflow)]
PERFORMANCE & SCALABILITY
VGW <-> SRX SERIES INTEGRATION
SRX Firewall Zones Integration
• Imports zone configuration from SRX Series into vGW
• Use imported zones as a template for vGW security
Benefits
• Guarantee integrity of Zones on hypervisor
• Automate and verify no “policy violation” of VMs
• Empower SRX Series with VM awareness