Juniper Networks Intrusion Detection & Prevention
June 2006
Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net

Agenda
• Security Market Climate
  • IPS & Security Market
  • Market Drivers
• Juniper Networks IDP Product Overview
  • Complete Solution – Security Team
  • Product Features
  • Product Offering
• Management with Juniper Networks NSM
• Summary

IPS and Security Market

Security Market
• IPS technology is a mainstream part of network security for companies of all sizes
• Keeping up with new security threats and finding integrated management systems remain key concerns for security admins
• Assuring business critical applications have predictable quality of service over nonessential apps like P2P and IM
• Need Visibility, Control and Ease of Use

Worldwide IPS Market
• Market focus on IPS technology exemplified by market forecast
• Worldwide IDS/IPS revenue expected to top $800 Million by year 2009
• Network-based products continue to account for more than 2/3 of total revenue
[Chart: World Wide IDS/IPS Product Revenue. Y-axis: Revenue ($ Million); X-axis: Year, CY01 to CY09; series: Network-based, Host-based]
Source: Network Security Appliance and Software Quarterly Worldwide Market Share and Forecast for 1Q06

Customer Drivers

Fear of external network attack and internal noncompliance
• External attacks remain the top reason for purchasing security appliances
  • Failure to block viruses, attacks or malware directly impacts end-users
• A growing concern meanwhile is ensuring users on the network are doing what they’re supposed to be doing
Direct impact to end-users
• Quantifiable loss of productivity
• Impact to revenue
• Headaches to administrators
• Unauthorized access to critical data

Firewall alone is not enough
• Every organization is connected to the Internet and deploys some form of firewall
• Most enterprises realize a firewall alone is not sufficient to block sophisticated attacks
• Lifecycle of Vulnerabilities and Threats Getting Shorter

Business compliance
• Need to enforce business practices, including types and versions of applications
• Need to ensure non-business applications do not hinder critical business applications

New Technology Adoption
• Adoption of new technologies continues to increase
• Enterprises are not satisfied to wait until security “catches up”
• Convergence of networks opens up the infrastructure to new attacks
• New Technologies = New Risks

Not Only for Enterprise
• Service Providers face similar security concerns as enterprises
• Keeping ahead of new security threats considered highest technical challenge by SPs
Source: Service Provider Plans for VPNs and Security North America, Europe, and Asia Pacific 2006

IDP Product Overview
Security Team

The Juniper Approach
Complete Solution
[Diagram labels: Technology Vendor Relationships; Internal Research; 3rd Party Security Teams; Service Provider Security Teams; Worldwide Juniper Security Team; Daily Updates; Cooperative Security Research; Partner MSSP Intelligence; Customer Security Team; Juniper Products; Juniper Customers]

The Basic Security Threat Landscape
• Unknown Threats & Vulnerabilities
• Known Threats but no known ways to protect
• Known Threats with available protection

The Juniper Advantage
• Superior protocol decoding and anomaly detection – the majority of the unknown
• Dedicated teams researching protocols and standards
• Provide breadth & depth of coverage
• Give Security Experts better tools to deal with the unknown
[Diagram labels: Protocol Anomalies; Unknown Threats & Vulnerabilities]

Dedicated Security Team
• Dedicated team to research vulnerabilities and emerging threats
  • Protocol decode expertise
  • Multiple research and vendor partnerships
  • Reverse engineering experts
  • Global honey pot network
• Industry-leading response time
  • Daily and Emergency signature updates
  • Customer Accuracy Program
  • Team distributed globally
  • Emergency update within an hour
www.juniper.net/security

Real-world Example
Security Team’s Response
Typical chain of events on recent Microsoft “Super Tuesday”
• 10:17 AM, 5/9/2006: Microsoft announces security bulletins MS06-018, MS06-019, MS06-20 and posts patches for the vulnerabilities
• 10:21 AM (+4 min): Juniper Networks announces coverage for vulnerabilities on all IDP platforms
• 11:50 AM (+1hr 33min): TippingPoint provides mixed messages on coverage
• 11:58 AM (+1hr 41min): ISS announces coverage only for MS06-019
• End of Day: No announcements from Cisco or McAfee; Symantec announces coverage only for MS06-019

IDP Product Overview
Product Features

Thwart Attacks at Every Turn
Multiple Methods of Detection
Malicious Activities/Attacks: Recon, Proliferation, Attack
• Traffic Anomaly Detection
• Network Honeypot
• Profiler
• Protocol Anomaly Detection
• Stateful Signatures
• Synflood Protector
• Backdoor Detection
• IP Spoof Detection
• Layer-2 Attack Detection
• Security Explorer

Traffic Anomaly Detection
• Method of identifying abnormal traffic usage
• No protocol anomalies or specific attack patterns but unusual traffic usage/volume
• Example: Ping Sweep
  • Scan the network to identify resources for possible attack in the future - reconnaissance
  • Ping sweep from external/suspicious source should alert administrator
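
A sketch of the ping sweep check described on the Traffic Anomaly Detection slide, added here as an illustration; it is not Juniper code and not part of the original deck. The window length, host threshold, protected range and sample traffic are all assumptions chosen for the example.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed tuning values, not taken from the slides.
INTERNAL_NET = ip_network("10.0.0.0/24")   # constructed protected range
WINDOW_SECONDS = 10                         # sliding window length
MAX_DISTINCT_TARGETS = 5                    # more than this many hosts = sweep


def detect_ping_sweeps(echo_requests, internal=INTERNAL_NET,
                       window=WINDOW_SECONDS, limit=MAX_DISTINCT_TARGETS):
    """Flag external sources that ping many distinct internal hosts quickly.

    echo_requests: iterable of (timestamp, src_ip, dst_ip) ICMP echo requests.
    Returns [(src_ip, alert_time, distinct_targets)], one entry per source.
    """
    recent = defaultdict(deque)   # src -> (timestamp, dst) pairs inside the window
    alerts = {}
    for ts, src, dst in sorted(echo_requests):
        # Only external -> internal probes matter for this check.
        if ip_address(src) in internal or ip_address(dst) not in internal:
            continue
        seen = recent[src]
        seen.append((ts, dst))
        while ts - seen[0][0] > window:      # expire entries older than the window
            seen.popleft()
        targets = {d for _, d in seen}
        # Volume alone is not the signal: one host pinged repeatedly stays at 1.
        if len(targets) > limit and src not in alerts:
            alerts[src] = (ts, len(targets))
    return [(src, ts, n) for src, (ts, n) in alerts.items()]


# Constructed sample traffic (documentation address ranges, not real captures).
SAMPLE = (
    # External source touching eight different hosts, one per second.
    [(100 + i, "203.0.113.7", "10.0.0.%d" % (i + 1)) for i in range(8)]
    # External monitor pinging the same host eight times: high volume, one target.
    + [(100 + i, "198.51.100.20", "10.0.0.1") for i in range(8)]
    # Internal management station sweeping its own subnet: out of scope here.
    + [(100 + i, "10.0.0.50", "10.0.0.%d" % (i + 1)) for i in range(8)]
)

if __name__ == "__main__":
    for src, ts, n in detect_ping_sweeps(SAMPLE):
        print("ALERT ping sweep from %s at t=%s (%d hosts within %ss)"
              % (src, ts, n, WINDOW_SECONDS))
```

Counting distinct targets rather than packets is what separates this from a plain rate limit: the monitoring source sends as many echo requests as the sweeping source but never alerts.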

Protocol Anomaly Detection
• Protocols are well defined allowing accurate description of “normal” usage
• “Abuse” or abnormal use of the protocol is detected by the IDP appliances
• Example: FTP Bounce Attack
  • FTP Client to FTP Server: “Please open FTP connection”
  • “Please connect to x.x.x.B” (so unauthorized client can receive data)
  • x.x.x.B is not the authorized client machine
  • Possible abuse of FTP protocol
  • Request denied!!!
[Diagram labels: FTP Client; FTP Server; x.x.x.A; x.x.x.B]

Stateful Signatures
• Look for attacks in context
• Avoid blindly scanning all traffic for particular pattern
  • Improve efficiency
  • Reduce false-positives
• Example: Code Red Worm
  • Utilizes HTTP GET request for attack
  • IDP appliance only scans for the specific request and not any other HTTP traffic

Backdoor Detection/Trojan
• Well-known “Trojan horse” concept
• Challenge is to identify the attack when the first line of defense has been overcome
• Heuristic method of analyzing interactive traffic
• Example: Traffic originating from web server
  • Web servers typically respond to requests for information, not initiate them
  • A sign of infected server/node

Features Addressing Customer Challenges
• How can I easily find out what’s really running on my network?
• How can I uncover new network activities?
• How can I make sure new technologies don’t translate to new threats?
• I don’t want to block non-business apps but how else can I control them?
• Wireless is great but how can I secure it?
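
The FTP bounce check from the Protocol Anomaly Detection slide above, written out as an added example (not Juniper code and not part of the original deck). It goes slightly beyond the slide by also handling the EPRT form of the command and by refusing privileged ports; the addresses and the sample session are constructed.

```python
import re
from ipaddress import ip_address

# PORT h1,h2,h3,h4,p1,p2 (RFC 959) and EPRT |proto|addr|port| (RFC 2428).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+(.)([12])\1(.+?)\1(\d{1,5})\1\s*$", re.I)


def parse_data_target(line):
    """Return (address, port) named by a PORT/EPRT command, None for any
    other command. Raises ValueError when the argument is malformed."""
    words = line.split(None, 1)
    verb = words[0].upper() if words else ""
    if verb == "PORT":
        m = PORT_RE.match(line)
        if not m:
            raise ValueError("malformed PORT")
        nums = [int(n) for n in m.group(1).split(",")]
        if max(nums) > 255:
            raise ValueError("PORT field out of range")
        host = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]
    elif verb == "EPRT":
        m = EPRT_RE.match(line)
        if not m:
            raise ValueError("malformed EPRT")
        host, port = m.group(3), int(m.group(4))
    else:
        return None
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return ip_address(host), port          # ValueError on a bad address


def inspect_session(client_ip, commands):
    """Return [(command, verdict)] for every data-address command seen on one
    control connection whose peer address is client_ip."""
    client = ip_address(client_ip)
    findings = []
    for line in commands:
        try:
            target = parse_data_target(line)
        except ValueError:
            findings.append((line, "deny-malformed"))
            continue
        if target is None:
            continue
        host, port = target
        if host != client:                 # the slide's "x.x.x.B" case
            verdict = "deny-third-party"
        elif port < 1024:                  # added policy, not from the slide
            verdict = "deny-low-port"
        else:
            verdict = "allow"
        findings.append((line, verdict))
    return findings


# Constructed control-channel session: 192.0.2.10 plays x.x.x.A (the client),
# 192.0.2.66 plays x.x.x.B (a host that is not the client).
CLIENT = "192.0.2.10"
SESSION = [
    "USER anonymous",
    "PORT 192,0,2,10,195,80",
    "PORT 192,0,2,66,195,80",
    "EPRT |1|192.0.2.66|50000|",
    "PORT 192,0,2,10,0,22",
    "PORT 192,0,2,999,1,1",
    "RETR report.txt",
]
```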

Security Explorer
• Interactive and dynamic touchgraph providing comprehensive network and application layer views
  • Integrated with Log Viewer and Profiler
• Identifies what’s running on a network host
  • Uncovers attacks, peer IP addresses, open ports, available applications and operating systems
NEW - IDP 4.0

Enhanced Profiler
• Uncovers new activities and traffic information across network and application levels
• Identifies new protocols, applications and operating systems
  • Alerts on rogue hosts, servers or IP addresses
  • Detects unwanted applications like P2P and IM
• Records information on active hosts, devices, protocols and services in various contexts
  • Instant Messaging alias, FTP username, e-mail address, subject heading, etc.
NEW - NSM 2006.1

Diffserv (DSCP) Marking
• Controls bandwidth allocation based on specific types of application
• Marks packets that match an IDP signature
• Allows upstream router to enforce on markings (value 1-63) to assure quality of service on critical applications or appropriate response to nonessential apps
• Available as an action per IDP rule for full granular control
NEW - IDP 4.0

Securing VoIP Applications
New Protocol Decode – H.225
• Assures that the VoIP signaling and control protocol cannot be used as a source of network attacks or abuse
• Protocol decode capability protects underlying vulnerability of protocol
• Allows creation of custom attack objects with contexts
• VoIP protection on top of existing SIP protocol support
• Proactively prevent future exploits
NEW - IDP 4.0

Securing Database Applications
New Protocol Decode – Oracle TNS
• Protects database applications from an increasing number of exploits and buffer overflows in the internal network
• Blocks unauthorized users' access to Oracle servers
• Protects the underlying vulnerability of Oracle TNS protocol
• Prevents future threats at day zero
NEW - IDP 4.0

Securing Mobile Data Networks
• New Inspection Capability – GTP Encapsulated Traffic
  • Protects inherently unsecured traffic
  • Supports UDP tunnel packets per GTPv0 and GTPv1
• Ensures users on cellular network aren’t exposing the entire network to possible attacks
• Carrier protection on top of existing inspection for GRE encapsulated traffic
NEW - IDP 4.0

Coordinated Threat Control
Only from Juniper Networks!
Identify specific attacks originating from remote user via SSL VPN and quarantine the user (and only the offending user)
1. User logs in using SSL VPN & deliberate or inadvertent attacks are launched
2. IDP detects the attack and blocks requests to the internal resources
3. IDP sends identifying data to SA SSL VPN gateway
4. Based on data from IDP, SA quarantines and notifies the user
[Diagram labels: Quarantine; Identifying Data; Attack; Infected]
Available IDP 3.2r2

IDP Product Overview
Product Offering

IDP Product Overview - Timeline
• IDP platform introduced
• Integrated Stateful Signature creation and updates
• Protocol decodes
• Secure response notices
• Introduction of fully integrated multi-gigabit FW/VPN/IDP system (ISG 1000 and 2000)
• First to introduce daily signature updates
• First to introduce Integrated Threat Control for SSL and IDP appliances
• First and only IPS integrating Profiler for best-in-class network awareness
• Next generation of network visibility and control
• Consolidated security management solution
[Timeline axis labels: 2002, 2004, 2005, 2006]

Typical IPS Deployment
[Diagram labels: Regional Head Office; NSM; Satellite Office; Main Office]

IDP Product Line
Deployment segments listed on the slide:
• Service Provider
• Large Enterprise Perimeter
• Internal LAN
• Enterprise Perimeter
• Internal LAN
• SMB
• Branch Office
• Med Bus
• Large BO
• Enterprise Perimeter
• Enterprise Perimeter
Products: ISG 1000/2000; IDP 1100 @ 1 Gbps; IDP 600 @ 500 Mbps; IDP 200 @ 200 Mbps; IDP 50 @ 50 Mbps

IDP Standalone – 1100 C/F
[Image labels: 1100C; 1100F]
IDP 1100 C/F
• Optimal for large enterprise / Gig environments
• Up to 1 Gbps throughput
• 500,000 max sessions
• 10 CG or 8 Fiber SX + 2 CG traffic, 1 CG mgmt & 1 CG HA ports
• HA clustering option
• Integrated bypass for CG traffic ports

High Availability Options
• Bypass
• Third-party HA
• Standalone HA
• Bypass Unit for Fiber Gig networks
  - IDP 600F
  - IDP 1100F
  - ISG
[Diagram labels: state-sync; state-sync]

Solutions for Every Need
Juniper IDP Standalone Appliances
• 50 Mbps – 1 Gbps
• HA Clustering
• Centralized policy management
• Complement existing FW/VPN
• Protect network segments
  • DMZ
  • LAN
  • Departmental servers
Juniper ISG Series
• Next-Gen Security ASIC (GigaScreen)
• Multi-Gigabit FW/VPN/IDP
• Centralized policy management
• High performance for demanding networks
• Virtualization features
• Granular rule-by-rule management

ISG – Under the hood
• Integrated Best-of-breed Security & Networking gear
• Multi-Gig 2-way Layer 7 IDP Security Modules
• Module “blades” available for ISG-1000 and ISG-2000

ISG Series Architecture
Management Processing
• Dedicated processing helps ensure linear performance
• High performance interconnect & flow setup
Security Module Processing
• Dedicated processing for other security applications
Network Level Security Processing
• ASIC-accelerated security
  • Stateful FW, NAT, VPN, DoS/DDoS
  • Intelligent Intrusion Prevention session load balancing
  • Embedded programmable processor facilitates new feature acceleration
[Diagram labels: Dual 1 GHz PowerPC CPU; 1GB RAM; Security modules; GigaScreen3 ASIC; 1GB RAM; Programmable Processors; I/O (x4)]
Unmatched processing power!

ISG Series Summary: ISG 1000 and ISG 2000

| Feature                                    | ISG 1000        | ISG 2000      |
|--------------------------------------------|-----------------|---------------|
| Max Throughput: Firewall                   | 1 Gbps          | 2 Gbps        |
| Max Throughput: IPSec VPN (3DES/AES)       | 1 Gbps          | 1 Gbps        |
| Packets per second: FW/VPN                 | 1.5/1.5 Million | 3/1.5 Million |
| Max sessions                               | 500,000         | 1,000,000     |
| VPN tunnels                                | 2000            | 10000         |
| Max Throughput: Deep Inspection            | 200 Mbps        | 300 Mbps      |
| Max Throughput: IDP                        | Up to 1 Gbps    | Up to 2 Gbps  |
| Number of supported security modules (IDP) | Up to 2         | Up to 3       |
| Number of fixed I/O interfaces             | 4 – 10/100/1000 | 0             |
| Max interfaces                             | Up to 20        | Up to 28      |
| Number of I/O modules                      | 2               | 4             |

Product Details

|            | Juniper Firewall/VPN, with Screen OS Deep Inspection | Juniper Stand-alone IDP | Juniper ISG Series with IDP |
|------------|------------------------------------------------------|-------------------------|-----------------------------|
| Hardware   | NS-5XT, NS-5GT, NS-25, NS-50, NS-204, NS-208, NS-500, ISG 1000, ISG 2000, NS-5200, NS-5400 | IDP 50, IDP 200, IDP 600C, IDP 600F, IDP 1100C, IDP 1100F | ISG 2000 with IDP, ISG 1000 with IDP |
| Software   | ScreenOS 5.0, 5.1, 5.2                               | IDP 4.0                 | ScreenOS 5.0-IDP            |
| Management | NSM                                                  | NSM 2006.1              | NSM 2004 FP3-IDP1           |

Management

3-Tier Management – Secure and Scalable
[Diagram labels: Distributed IDP Sensors; Common User Interface; Centralized NSM Server; Distributed ISG with IDP]
Standalone IDP appliances require IDP 4.0 for NSM support

Customers with a Hybrid Network
Business Challenges
• What is on my network?
• Who is on my network?
Product Challenges
• Complex network environments
• Multi-vendor FW and IPS systems
• Multiple Management Systems
[Diagram: Regional Head Office, Main Office and Satellite Office, each with its own FW Mgmt and IPS Mgmt]

Juniper Networks Customers
Juniper Offering
• Juniper Networks IDPs & Firewalls
• Single Management System
• Single User Interface
Business Benefits
• Enhanced Network Visibility
• Granular Control
• Ease of Use
[Diagram labels: Regional Head Office; Satellite Office; Main Office; NSM]

NSM Management Features
NEW - NSM 2006.1
• Scheduled Security Updates: Automatically update devices with new attack objects.
• Domains: Service providers and distributed enterprises may use this mechanism to logically separate devices, policies, reports, objects, etc.
• Role-based Administration: Granular approach in which all 100+ activities in the system may be assigned as separate permissions.
• Object Locking: Multiple administrators can safely and concurrently modify different objects in the system at the same time.
• Audit Logs: Sortable and filterable record of who made which changes to which objects in the system.
• Device Templates: Manage shared configuration such as sensor settings in one place.
• Job Manager: View pending and completed directives (such as device updates) and their status.
• High Availability: Active/passive high availability of the management server.
• Scheduled Database Backups: Copies of the NSM database may be saved on a daily basis.

Granular IDP Control w/NSM
• Firewall and IDP management from same user interface
• Configure desired response
• Configure attack detection

Summary

Why Juniper Networks IDP products?
• Security Coverage
• Product Innovation
• Trusted Company
• Market Recognition

Security Coverage
• Multiple prevention methods for protection against entire ‘Vulnerability & Attack Lifecycle’
• Complete packet capture and protocol decode @ Layer 7, including VoIP protocols
• 2-way Layer 7 inspection: blocks attacks from client-to-server and server-to-client
• 100% prevention and accuracy for Shellcode/buffer overflow attacks
• 100% prevention in protecting against Microsoft Vulnerabilities: Same day & Zero protection on “Patch Tuesday’s”
• Comprehensive Spyware protection, including 700+ signatures and growing daily
• Daily signature updates, including auto signature updates and auto policy push

Product Innovation
• Next generation of network visibility w/ Security Explorer
• Granular, Flexible Management solution for all Juniper Networks security appliances
• Automatic custom reports
• Multi Gigabit Performance
• Multiple Deployment Options
• “Profile” the network to understand applications and network traffic
• Carrier Class IDP: Multi-Gbps combined with SDX / JNPR Router integration
• Custom Signature Editor / Open Signatures Database

Trusted Company
• Financial Strength / $2 Billion in Revenue / Profitable / Cash Reserves
• Investment in R&D 25% - 30% of revenue
• Product Roadmap – IDP plays a key role in Juniper’s Infranet solution
• Global Support & Relationships

Market Recognition
Most decorated IPS product in 2005
• Winner ‘Editors Choice’ – Network Computing: ‘The Great IPS Test’
• Winner ‘Best Multifunction Appliance’ – Network Computing (Well-Connected)
• Winner ‘Best IPS Appliance’ – Network Computing (Well-Connected)
• Winner ‘Product of the Year’ – SearchNetworking.com
• Winner ‘Product of the Year’ – IDG Research / TechWorld
• Winner ‘Best Deployment Scenario’ ISP Guide: City of Burbank, Juniper IDP Customer
• Awarded ‘NSS Certification’ for Industry Approved IPS: IDP 600F
• Winner ‘Product of the Year’ – ISG 1000 - ZDnet Australia
• Winner ‘Editors Choice’ – IDP 200 - ZDnet Australia

Thank You!