Junos Rising
Westcon / Juniper 5-day course
Pieter van Dijk

Copyright © 2009 Juniper Networks, Inc. www.juniper.net
Company Confidential

MAJOR MARKET TRENDS: DATA MOBILITY AND SCALE AT AN ALL-TIME HIGH, AND GROWING
• Cloud Computing: total spend on public cloud services grows from $59 billion to $148 billion (source: Gartner).
• Mobile Internet: smartphones have surpassed PCs as the mobile experience usurps the desktop model (source: IDC).
• Explosive Growth: explosion of data, users, and devices.
[Charts: total spend on public cloud services, $59 billion to $148 billion; smartphones vs. PCs in millions of units (axis 30 to 120 million); axis years 2009, 2010, 2011, 2014, 2016.]

SECURITY IS IMPACTED BY TWO TRENDS
• Industry Trends: Compliance Requirements; Business Workforce Behavior; IT Infrastructure; Business Drivers.
• Security Trends: Attacker Behavior; Evolving Threat Vectors; New Attack Targets.

SECURITY MARKET TREND: EVOLVING THREATS
[Chart: attacker motivation shifts from Notoriety to Profitability and targets shift from .gov/.com to .me/.you as threat sophistication (maturity) increases. Type of attack: Worms, Virus, Trojans, DoS, Malware, Botnets, APT. Target: Internet Information Services, ERP, New Applications, New Devices.]

ADDRESSING THE EVOLVING THREAT LANDSCAPE
• Customer Priorities: Visibility into Web 2.0 Threats; Control of Application Usage; Rapid Response to New Threats; Scalable Policy Enforcement & Management.
• Juniper Security Solutions: AppSecure Software; SRX; Security Research Teams.

VISIBILITY: COMPREHENSIVE APPLICATION VISIBILITY AND CONTROL
[Diagram: a global high-performance network connecting Branch, Campus, Mobile Clients and Data Center; the questions answered are what user, what application, user location, source to destination, and user device.]

APPSECURE: AN IMPORTANT COMPONENT OF A LAYERED SECURITY APPROACH
Inspection depth increases, and with it processing intensity and cost, across three layers:
• ACLs & Stateless Firewall: decisions made based on packet header info such as source and destination addresses; very fast.
• Stateful Firewall: more context incorporated into the decision process; better at identifying unauthorized or forged communications; still fast.
• Application Security / Intrusion Prevention: looks at every bit for threats; thorough but intensive processing; best used sparingly.

BUILDING INTELLIGENT SECURITY: INTRODUCING APPSECURE
• Suite of application-based services designed for deploying security in a knowledgeable manner.
• Builds on existing SRX integrated services to deliver finer-grain policies.
• Leverages integrated application intelligence.

ADDRESSING THE NGFW MARKET WITH APPSECURE
Security at scale for 800+ applications:
• AppTrack: Visibility
• AppFW: Enforcement
• AppQoS: Control
• AppDoS: Protection
• Identity management with application access control.

APPTRACK: VISIBILITY FOR INFORMED RISK ANALYSIS
AppTrack monitors and tracks applications:
• View applications by protocol, Web application, and utilization.
• Analyze usage and trends.
• Customize application monitoring.
• Log and report across security solutions and systems.
Key points: Web 2.0 application visibility; app usage monitoring; scalable, flexible logging & reporting.

APPTRACK MAKES APPLICATION VISIBILITY AND CONTROL AS EASY AS 1-2-3
1. Traffic is analyzed by AppTrack as it traverses the SRX (the DC firewalls in front of the DC switching and server farms).
2. The SRX sends application logs to a SIEM/log collector (STRM or a 3rd-party SIEM).
3. SIEM reports are analyzed by IT staff in the operations center.

APPTRACK DRIVES FIREWALL, QOS, DDOS AND IDP POLICY
Flow processing feeds AppTrack, whose application identification drives:
• AppFW: permit or deny based on user and application.
• AppQoS: adjust QoS based on user and application.
• AppDoS: application-based DoS detection.
• IPS: require further traffic inspection.

APPFW: BEYOND JUST FW OR APP CONTROL
AppFW controls and enforces Web 2.0 apps:
• Inspect ports and protocols.
• Uncover tunneled apps (e.g. over HTTP).
• Stop multiple threat types.
• Control nested apps, chat, file sharing and other Web 2.0 activities.
Key points: dynamic application security; Web 2.0 policy enforcement; threat detection & prevention.

APPFW: 3-DIMENSIONAL SECURITY POLICIES
• Easily restrict application access to necessary users.
• Reduce the spread of confidential information.
• Stop high-risk and unwanted applications.
The three dimensions are the traditional firewall policy, user and group awareness (from a user store such as UAC), and application awareness (from AppTrack). Example rule table:

Rule | Source Zone | Dest Zone | Source IP | User/Role | Dest IP | Dynamic Application | Action | Service Options
1 | Zone-1 | Zone-2 | 1.1.1.0 | Amy | Any | Facebook | Permit | None, Log
2 | Zone-1 | Zone-2 | 1.1.2.0 | Finance | Any | LinkedIn | Permit | None, Log
3 | Zone-1 | Zone-2 | any | any | Any | Kazaa, Yahoo IM | Permit | none, Log
4 | Zone-1 | Zone-2 | any | any | Any | Facebook | Deny | none, Log

APPQOS FOR SCALE & PERFORMANCE
AppQoS prioritizes and controls application bandwidth:
• Monitor Web 2.0 bandwidth consumption.
• Throttle bit rates based on security and usage insights.
• Prioritize business-critical apps.
Key points: dynamic application quality of service (QoS); application prioritization; performance management.

APPQOS: BANDWIDTH MANAGEMENT FOR BUSINESSES
• Prioritize traffic based on application type.
• Limit the amount of bandwidth an application can consume.
• Mark the DSCP values for proper QoS treatment.
• Leverage the Junos Class-of-Service feature set to fully control application handling at the interface queue level.
Example policy (traditional firewall policy plus user/group awareness plus application awareness):
• Give highest priority to financial applications for finance and sales.
• Approved applications receive normal priority.
• Lower priority for multimedia applications, except for the MM content group.

BOTNET & DOS THREAT MITIGATION
AppDoS protects valuable on-line business:
• Detect and mitigate botnet activity.
• Uncover misuse of routine Web functionality (e.g. select item, view item, purchase item, check bill).
• Adapt security policy and QoS based on insights.
• Benchmark "normal" behavior to detect anomalies.
Key points: botnet detection & remediation; DoS monitoring & remediation; on-going anomaly detection.

DDOS ATTACK EVOLUTION
Traditional DDoS attacks (saturation DDoS attack):
• Bandwidth saturation causing service outages.
• SYN flood, packet floods (a stream of "ack req" packets).
• Detectable by statistical/behavioral means.
• Effective containment.
Now: stateful/meaningful attacks (stateful DDoS attack):
• Mimic legitimate traffic and transactions (a stream of "place in cart" requests).
• Applications process legitimate requests that are intended to disrupt or overload the service.
• Can't distinguish bad traffic/requests from good.

APPLICATION DDOS PROTECTION: INTRODUCING APPLICATION DENIAL OF SERVICE (APPDOS)
• Identifies attacking botnet traffic vs. legitimate clients based on application-layer metrics and remediates against botnet traffic.
• Employs a multi-stage approach: server connection monitoring, then deep protocol analysis, then bot-client classification.
• Available on the SRX5000 and SRX3000 Series Gateways.

WITHOUT APPDOS POLICY
Good traffic (1000 CPS) + AppDoS traffic (4000 CPS) = 5000 CPS, above the server threshold of 4500 CPS: DDoS, degraded performance.

WITH APPDOS POLICY ACTIVATED
Bad traffic is blocked; only good traffic (1000 CPS) is allowed through, below the server threshold of 4500 CPS: AppDDoS mitigated.

IPS FOR CUSTOMIZABLE PROTECTION
IPS monitors and mitigates custom attacks:
• Detect and monitor suspicious behavior.
• Tune open signatures to detect and mitigate tailored attacks.
• Uncover attacks exploiting encrypted methods.
• Address vulnerabilities instead of the ever-changing exploits of the vulnerability (AppSecure IPS targets the vulnerability; other IPSs target the exploits).
Key points: on-going threat protection; mobile traffic monitoring; custom attack mitigation.

FULL IDP CAPABILITIES
• Full-featured detection.
• Constant inspection.
• Decoder-based updates.
• Geared for evasive application detection.

APPSECURE SERVICE MODULES
[Diagram: flow processing from ingress through AI (application identification) and NAI to egress; the Application Identification Engine produces application ID results consumed by IPS, AppTrack, AppDoS, AppFW and AppQoS.]

THE JUNIPER APPSECURE DIFFERENCE
• SCALABLE: performance up to 100G; log storage up to 1.3TB; advanced HA.
• COMPREHENSIVE: traditional & Web 2.0 security; adds botnet & DoS detection; QoS & IPS; mobile & fixed user protection.
• FLEXIBLE: open attack signatures; scriptable CLI; modular hardware; runs on SRX & Junos; extensible FRU design; compatible Syslog format.

JUNOS SPACE APPSECURE DEMO

SRX BRANCH AND HIGH END PLATFORM UPDATE

BRANCH SRX

SRX FEATURES MATRIX
• Security: Firewall; VPN; IDP; Antivirus; Web filtering; Antispam.
• Wireless LAN and 3G WAN: 802.11n; 3G/4G.
• Routing & Switching: RIP, OSPF, BGP, Multicast, IPv6; MPLS; full BGP table; J-Flow, RPM; L2 switching; PoE options.
• Physical Interfaces: T1/E1, Serial, DS3/E3; VDSL, ADSL, G.SHDSL; DOCSIS cable modem; Ethernet 10/100/1000 & 10G, copper or fiber.

DYNAMIC SERVICES ARCHITECTURE
• Separate I/O and services: services cards and I/O cards connected over an integrated terabit fabric.
• Dedicated control plane.
• Plug-and-play modules.
• Carrier-class reliability.
Services: AppQoS, Firewall, VPN, AppTrack, IDP, ALG, LSYS, AppFW, Screens, LLF, QoS, D/DoS, SYN protection, others.

SECURITY FOUNDATION WITH SRX
• Portfolio covers a wide range of customer requirements.
• Integrated services gateway offering up to 120 Gbps FW, 100 Gbps AppFW and 30 Gbps IPS.
• High End SRX (up to 120 Gbps): SRX5800, SRX5600, SRX3600, SRX3400, SRX1400.
• Branch SRX (up to 10 Gbps): SRX650, SRX240, SRX220, SRX210, SRX100.
• Segments: Telecommuter, Small Office, Small/Medium Branch, Large Branch, Regional Office, Large Enterprise, Service Provider.

THE JUNOS PORTFOLIO
• Management and access: Junos Space, Junos Pulse.
• Core: T Series, MX Series, M Series, EX8216, EX8208, SRX5000 Line, SRX3000 Line.
• Branch: EX4500 Line, EX4200 Line, EX3200 Line, EX2200 Line, SRX1400, SRX650, SRX240, SRX220, SRX210, SRX100, J Series, LN1000.
• One OS, one release track (10.2, 10.3, 10.4, frequent releases), one architecture (module x, API).

HIGH AVAILABILITY

CARRIER-GRADE AVAILABILITY
In-Service Software Upgrade:
• Perform a software upgrade while the SRX cluster is in production.
• Typical traffic loss times ~1 sec*.
• Single-command-triggered upgrade not requiring manual intervention.
• ISSU is supported in HA cluster mode only.
Cluster Mode:
• Active/Active and Active/Passive support.
• Multi-datacenter compatible.
• Fully stateful: sessions persist across failover.
• Robust system health criteria: hardware, software, control link, IP tracking.
• Graceful Restart support for routing protocols.

WHY HIGH AVAILABILITY?
All High End SRX deployments use HA.
• Continuity of services: provide availability through redundancy; avoid a single point of failure.
• How the SRX provides HA: utilizing the JUNOS Services Redundancy Protocol, JSRP (similar to NSRP in ScreenOS); control and data plane redundancy; single system view, same config on both nodes; stateful traffic failover with routing, firewall, NAT, VPN, and security services.
• Flexible deployment scenarios: basic/full mesh; Active/Passive; various Active/Active scenarios; asymmetric support.

SRX HA CONCEPT
The JSRP model (JSRPD, redundant interfaces, control and fabric link infrastructure) combines:
• JUNOS new development: distributed parallel packet processing; control port redundancy; routing with GRES, Graceful Restart and NSR (future); flexibility in interfaces; asymmetric routing; configuration sync.
• ScreenOS NSRP concepts: RTO synchronization; stateful failover; NSRP state machine; keep-alive mechanism; IP tracking.

HIGH AVAILABILITY CHARACTERISTICS OVERVIEW
• Redundancy: control plane Active-Passive; data plane Active-Passive or Active-Active.
• Stateful session failover: NAT, ALG, IPSec, authentication.
• Synchronization: configuration, session state.

HIGH AVAILABILITY REDUNDANCY: SOLUTION ARCHITECTURE
• GRES provides nonstop failover.
• Single device abstraction.
• Clean separation of control and forwarding planes.
• Unified configuration with configuration sync.
• Maximum of 2 devices.
• Devices must be of the same hardware model.
[Diagram: Node 0 (RE active, PFE active) and Node 1 (RE backup, PFE backup). Control plane daemons on each RE are joined by the control link over fxp1; the forwarding daemon (flowd) on each PFE is joined by the data link over fab0/fab1, which carries data plane traffic plus RTOs.]

TWO CHASSIS CONNECTED TOGETHER
• node0 (primary) and node1 (secondary), each with RE 0 / RE 1.
• Control plane connection: SPC to SPC.
• Data plane connection: IOC to IOC.

CLUSTER CONNECTIONS
Platform | fxp0 (mgmt) | fxp1 (HA control) | Fabric (must be configured)
J-Series | ge-0/0/2 | ge-0/0/3 | Any available GE interface
SRX 100/210 | fe-0/0/6 | fe-0/0/7 | Any available FE or GE interface
SRX 220 | ge-0/0/6 | ge-0/0/7 | Any available GE interface
SRX 240/650 | ge-0/0/0 | ge-0/0/1 | Any available GE interface
SRX 1400 | onboard RE | ge-0/0/10 and/or ge-0/0/11 | Any available GE or XE interface
SRX 3400/3600 | onboard RE | Built-in front-panel RE ports | Any available GE or XE interface
SRX 5600/5800 | onboard RE | SPC control port (must be configured) | Any available GE or XE interface; must be fiber

VIRTUALIZATION

VIRTUALIZATION CHALLENGES
Physical network:
• One server is one server.
• The firewall can see all traffic.
• Applications don't move much.
Virtual network:
• Hidden traffic: traffic on the same hypervisor isn't sent to the physical firewall.
• Complexity: one physical server represents many virtual ones.
• Dynamic applications (VMotion): as applications move, how does the physical security follow?

VGW MODULES
• Main: dashboard view of the virtual data center.
• Firewall: firewall policy and logs.
• Network: traffic flows.
• AntiVirus: AV protection with quarantine.
• IDS: view of IDS alerts.
• Compliance: VM/host alerts on non-compliance.
• Introspection: VM "x-ray" (OS, apps, etc.).
• Reports: granular reports and scheduler.

THE VGW PURPOSE-BUILT APPROACH
Service provider & enterprise grade:
• Three-tiered model: (1) Virtual Center, VMware certified; (2) security design for the vGW VM with a fault-tolerant architecture (i.e., HA); (3) the vGW engine in the VMware kernel, using VMware APIs and any vSwitch (standard, DVS, 3rd party), protecting each VM and the hypervisor.
• Virtualization-aware: "Secure VMotion"; scales to 1,000+ hosts; "Auto Secure" detects and protects new VMs.
• Granular, tiered defense: stateful firewall, integrated IDS and AV; flexible policy enforcement.
• Partner server integration (IDS, SIM, Syslog, Netflow).
[Diagram: VM1, VM2, VM3 on an ESX or ESXi host; packet data passes through the vGW engine in the hypervisor.]

PERFORMANCE & SCALABILITY

VGW <-> SRX SERIES INTEGRATION
SRX firewall zones integration:
• Imports zone configuration from the SRX Series into vGW.
• Uses imported zones as a template for vGW security.
Benefits:
• Guarantee integrity of zones on the hypervisor.
• Automate and verify that there is no "policy violation" by VMs.
• Empower the SRX Series with VM awareness.