Juniper IDP Overview Presentation

Juniper Networks
Intrusion Detection & Prevention
June 2006
Copyright © 2006 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
1
Agenda
• Security Market Climate
  • IPS & Security Market
  • Market Drivers
• Juniper Networks IDP Product Overview
  • Complete Solution – Security Team
  • Product Features
  • Product Offering
• Management with Juniper Networks NSM
• Summary
IPS and Security Market
Security Market
• IPS technology is a mainstream part of network security for companies of all sizes
• Keeping up with new security threats and finding integrated management systems remain key concerns for security admins
• Assuring that business-critical applications have predictable quality of service over nonessential apps like P2P and IM
• Need visibility, control and ease of use
Worldwide IPS Market
• Market focus on IPS technology is exemplified by the market forecast
• Worldwide IDS/IPS revenue is expected to top $800 million by 2009
• Network-based products continue to account for more than 2/3 of total revenue
[Chart: World Wide IDS/IPS Product Revenue ($ Million) by year, CY01 to CY09, network-based vs. host-based]
Source: Network Security Appliance and Software Quarterly Worldwide Market Share and Forecast for 1Q06
Customer Drivers
Fear of external network attack and internal noncompliance
• External attacks remain the top reason for purchasing security appliances
  • Failure to block viruses, attacks or malware directly impacts end-users
• A growing concern meanwhile is ensuring that users on the network are doing what they are supposed to be doing
Direct impact to end-users:
• Quantifiable loss of productivity
• Impact to revenue
• Headaches for administrators
• Unauthorized access to critical data
Firewall alone is not enough
• Every organization is connected to the Internet and deploys some form of firewall
• Most enterprises realize that a firewall alone is not sufficient to block sophisticated attacks
[Figure: Lifecycle of Vulnerabilities and Threats Getting Shorter]
Business compliance
• Need to enforce business practices, including the types and versions of applications
• Need to ensure that non-business applications do not hinder critical business applications
New Technology Adoption
• Adoption of new technologies continues to increase
• Enterprises are not satisfied to wait until security "catches up"
• Convergence of networks opens up the infrastructure to new attacks
New Technologies = New Risks
Not Only for Enterprise
• Service providers face similar security concerns as enterprises
• Keeping ahead of new security threats is considered the highest technical challenge by service providers
Source: Service Provider Plans for VPNs and Security North America, Europe, and Asia Pacific 2006
IDP Product Overview
Security Team
The Juniper Approach: Complete Solution
[Diagram: the worldwide Juniper Security Team at the centre, linked to technology vendor relationships, internal research, 3rd-party security teams, service provider security teams, cooperative security research, partner MSSP intelligence and customer security teams; daily updates flow to Juniper products and Juniper customers]
The Basic Security Threat Landscape
• Unknown threats & vulnerabilities
• Known threats but no known ways to protect
• Known threats with available protection
The Juniper Advantage
• Superior protocol decoding and anomaly detection – the majority of the unknown
• Dedicated teams researching protocols and standards
• Provide breadth & depth of coverage (protocol anomalies)
• Give security experts better tools to deal with the unknown
[Diagram label: Unknown Threats & Vulnerabilities]
Dedicated Security Team
• Dedicated team to research vulnerabilities and emerging threats
  • Protocol decode expertise
  • Multiple research and vendor partnerships
  • Reverse engineering experts
  • Global honeypot network
• Industry-leading response time
  • Daily and emergency signature updates
  • Customer Accuracy Program
  • Team distributed globally
  • Emergency update within an hour
• www.juniper.net/security
Real-world Example: Security Team's Response
• Typical chain of events on a recent Microsoft "Super Tuesday" (5/9/2006):
  • 10:17 AM: Microsoft announces security bulletins MS06-018, MS06-019 and MS06-020 and posts patches for the vulnerabilities
  • 10:21 AM (+4 min): Juniper Networks announces coverage for the vulnerabilities on all IDP platforms
  • 11:50 AM (+1 hr 33 min): TippingPoint provides mixed messages on coverage
  • 11:58 AM (+1 hr 41 min): ISS announces coverage only for MS06-019
  • End of day: no announcements from Cisco or McAfee; Symantec announces coverage only for MS06-019
IDP Product Overview
Product Features
Thwart Attacks at Every Turn: Multiple Methods of Detection
[Diagram: malicious activities/attacks progress through the Recon, Proliferation and Attack phases, with the detection methods below arrayed across them]
• Traffic Anomaly Detection
• Network Honeypot
• Profiler
• Protocol Anomaly Detection
• Stateful Signatures
• Synflood Protector
• Backdoor Detection
• IP Spoof Detection
• Layer-2 Attack Detection
• Security Explorer
Traffic Anomaly Detection
• Method of identifying abnormal traffic usage
• No protocol anomalies or specific attack patterns, but unusual traffic usage/volume
• Example: Ping Sweep
  • Scans the network to identify resources for a possible attack in the future (reconnaissance)
  • A ping sweep from an external/suspicious source should alert the administrator
Protocol Anomaly Detection
• Protocols are well defined, allowing an accurate description of "normal" usage
• "Abuse" or abnormal use of the protocol is detected by the IDP appliances
• Example: FTP Bounce Attack
  • FTP client (x.x.x.A) to FTP server: "Please open FTP connection"
  • FTP client to FTP server: "Please connect to x.x.x.B" (so that an unauthorized client can receive the data)
  • IDP: x.x.x.B is not the authorized client machine; possible abuse of the FTP protocol; request denied
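The FTP bounce check on this slide, as an added example in Python (not Juniper's IDP code): the address named in the client's PORT command is compared with the address the control connection came from, and a mismatch or an unparsable argument is reported as a protocol anomaly. The client address and control-channel lines are constructed.

```python
import ipaddress
import re

# RFC 959 active-mode syntax: PORT h1,h2,h3,h4,p1,p2 (decimal fields, 0-255)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_argument(arg):
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256+p2).
    Raises ValueError for out-of-range octets, which the caller treats
    as a protocol anomaly in its own right."""
    fields = [int(x) for x in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("bad PORT argument: %r" % arg)
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]


def check_port_command(client_ip, line):
    """Classify one control-channel line sent by client_ip.
    Verdicts: 'ok' (PORT names the client itself), 'bounce' (PORT names
    a third party), 'malformed' (argument does not parse), 'ignore'
    (not a PORT command at all)."""
    m = PORT_RE.match(line.strip())
    if not m:
        return "ignore", None
    try:
        host, port = parse_port_argument(m.group(1))
    except ValueError as exc:
        return "malformed", str(exc)
    if ipaddress.ip_address(host) != ipaddress.ip_address(client_ip):
        return "bounce", "%s asked the server to connect to %s:%d" % (client_ip, host, port)
    return "ok", "%s:%d" % (host, port)


def audit(client_ip, lines):
    """Return (verdict, line) for every anomalous line of a control session."""
    findings = []
    for line in lines:
        verdict, _detail = check_port_command(client_ip, line)
        if verdict in ("bounce", "malformed"):
            findings.append((verdict, line))
    return findings


# Constructed sample session: the authorized client (x.x.x.A on the slide)
# is 192.0.2.10; the third-party address (x.x.x.B) is 192.0.2.20.
SAMPLE_CLIENT = "192.0.2.10"
SAMPLE_CONTROL_LINES = [
    "USER anonymous",
    "PORT 192,0,2,10,4,1",    # normal: data connection back to the client itself
    "PORT 192,0,2,20,4,2",    # bounce: server told to connect to a third host
    "PORT 192,0,2,300,4,1",   # malformed: octet out of range
]

if __name__ == "__main__":
    for verdict, line in audit(SAMPLE_CLIENT, SAMPLE_CONTROL_LINES):
        print("%-9s %s" % (verdict, line))
```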
Stateful Signatures
• Look for attacks in context
• Avoid blindly scanning all traffic for a particular pattern
  • Improves efficiency
  • Reduces false positives
• Example: Code Red Worm
  • Utilizes an HTTP GET request for the attack
  • The IDP appliance scans only for the specific request, not any other HTTP traffic
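An added example (not Juniper code) of the stateful-signature idea on this slide: a simplified, constructed Code Red pattern is applied only in its context, the request-URI of an HTTP GET, and a naive scan of every byte is run alongside it to show the extra work and the false positive that a context-free match produces. The HTTP stream is constructed.

```python
import re

# Simplified, constructed stand-in for the Code Red request signature:
# '/default.ida?' followed by a long run of filler characters. A production
# signature carries more detail; the point here is the context it binds to.
CODE_RED_URI = re.compile(rb"/default\.ida\?[NX]{16,}")


def http_messages(stream):
    """Split a raw HTTP byte stream into (start_line, headers, body) tuples.
    Assumes bodies are delimited by Content-Length (or absent), which covers
    the constructed sample below."""
    messages, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        head = stream[pos:end].split(b"\r\n")
        headers = {}
        for h in head[1:]:
            k, _, v = h.partition(b":")
            headers[k.strip().lower()] = v.strip()
        length = int(headers.get(b"content-length", b"0"))
        body = stream[end + 4:end + 4 + length]
        messages.append((head[0], headers, body))
        pos = end + 4 + length
    return messages


def stateful_scan(stream):
    """Apply the signature only in its context, the request-URI of a GET.
    Returns (alerts, bytes_inspected)."""
    alerts, inspected = [], 0
    for start_line, _headers, _body in http_messages(stream):
        parts = start_line.split(b" ")
        if len(parts) == 3 and parts[0] == b"GET":
            uri = parts[1]
            inspected += len(uri)
            if CODE_RED_URI.search(uri):
                alerts.append(uri)
    return alerts, inspected


def naive_scan(stream):
    """Scan every byte regardless of context. Returns (hits, bytes_inspected)."""
    return [m.group(0) for m in CODE_RED_URI.finditer(stream)], len(stream)


# Constructed sample stream: a benign GET, a worm-style GET, and a response
# whose body quotes the same pattern (think of an advisory web page).
SAMPLE_STREAM = (
    b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
    b"GET /default.ida?" + b"N" * 40 + b" HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
    b"HTTP/1.0 200 OK\r\nContent-Length: 47\r\n\r\n"
    b"worm requests /default.ida?" + b"N" * 18 + b"\r\n"
)

if __name__ == "__main__":
    print("stateful:", stateful_scan(SAMPLE_STREAM))
    print("naive:   ", naive_scan(SAMPLE_STREAM))
```

The stateful scan reports the one GET and inspects only the two request-URIs; the naive scan also fires on the response body and touches every byte of the stream.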
Backdoor Detection/Trojan
• Well-known "Trojan horse" concept
• The challenge is to identify the attack once the first line of defense has been overcome
• Heuristic method of analyzing interactive traffic
• Example: traffic originating from a web server
  • Web servers typically respond to requests for information; they do not initiate them
  • A sign of an infected server/node
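One flow-level implementation of the two heuristics on the Traffic Anomaly Detection and Backdoor Detection slides: a ping sweep is one source echo-requesting many distinct hosts within a short window, and a backdoor indicator is a known server opening connections it is not expected to make. Added example, not Juniper code; the flow-record layout, thresholds, server roles and sample flows are all constructed.

```python
from collections import defaultdict

# Constructed flow record layout: (ts_seconds, initiator, responder, proto, dst_port).
# 'initiator' is the host that sent the first packet of the flow.

SWEEP_WINDOW = 60        # seconds
SWEEP_MIN_TARGETS = 8    # distinct hosts echo-requested inside one window

# Roles the Profiler would have learned; constructed here.
KNOWN_SERVERS = {"192.0.2.80": "web"}
# Outbound flows a server is expected to open itself (DNS lookups, NTP).
SERVER_ALLOWED_OUTBOUND = {("udp", 53), ("udp", 123)}


def detect_ping_sweep(flows, window=SWEEP_WINDOW, min_targets=SWEEP_MIN_TARGETS):
    """Map each source that echo-requests >= min_targets distinct hosts within
    `window` seconds to the largest target count seen (sliding window)."""
    echoes = defaultdict(list)
    for ts, src, dst, proto, _port in flows:
        if proto == "icmp":
            echoes[src].append((ts, dst))
    hits = {}
    for src, events in echoes.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


def detect_server_initiated(flows, servers=KNOWN_SERVERS, allowed=SERVER_ALLOWED_OUTBOUND):
    """Return flows that a known server opened itself and that are not on the
    expected-outbound list: the 'web server making requests' heuristic."""
    return [f for f in flows if f[1] in servers and (f[3], f[4]) not in allowed]


SAMPLE_FLOWS = (
    # an external host echo-requests ten addresses in twenty seconds
    [(100 + 2 * i, "203.0.113.5", "10.0.0.%d" % (i + 1), "icmp", 0) for i in range(10)]
    # an admin pinging three boxes over ten minutes: below threshold
    + [(500, "10.0.0.2", "10.0.0.1", "icmp", 0), (800, "10.0.0.2", "10.0.0.3", "icmp", 0),
       (1100, "10.0.0.2", "10.0.0.4", "icmp", 0)]
    # normal client-to-server traffic, a DNS lookup by the server, and an
    # unexpected connection the server itself opened to an outside host
    + [(600, "198.51.100.7", "192.0.2.80", "tcp", 80),
       (601, "192.0.2.80", "192.0.2.53", "udp", 53),
       (602, "192.0.2.80", "203.0.113.9", "tcp", 6667)]
)


def run(flows=SAMPLE_FLOWS):
    return {"ping_sweep": detect_ping_sweep(flows),
            "server_initiated": detect_server_initiated(flows)}


if __name__ == "__main__":
    for kind, result in run().items():
        print(kind, result)
```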
Features Addressing Customer Challenges
• How can I easily find out what's really running on my network?
• How can I uncover new network activities?
• How can I make sure new technologies don't translate to new threats?
• I don't want to block non-business apps, but how else can I control them?
• Wireless is great, but how can I secure it?
Security Explorer
• Interactive and dynamic touchgraph providing comprehensive network and application layer views
  • Integrated with Log Viewer and Profiler
• Identifies what's running on a network host
  • Uncovers attacks, peer IP addresses, open ports, available applications and operating systems
NEW - IDP 4.0
Enhanced Profiler
• Uncovers new activities and traffic information across network and application levels
• Identifies new protocols, applications and operating systems
  • Alerts on rogue hosts, servers or IP addresses
  • Detects unwanted applications like P2P and IM
• Records information on active hosts, devices, protocols and services in various contexts
  • Instant Messaging alias, FTP username, e-mail address, subject heading, etc.
NEW - NSM 2006.1
Diffserv (DSCP) Marking
• Controls bandwidth allocation based on specific types of application
• Marks packets that match an IDP signature
• Allows an upstream router to enforce on the markings (value 1-63) to assure quality of service for critical applications or an appropriate response to nonessential apps
• Available as an action per IDP rule for full granular control
NEW - IDP 4.0
Securing VoIP Applications
• New protocol decode: H.225
• Assures that the VoIP signaling and control protocol cannot be used as a source of network attacks or abuse
• Protocol decode capability protects against vulnerabilities in the underlying protocol
• Allows creation of custom attack objects with contexts
• VoIP protection on top of existing SIP protocol support
• Proactively prevents future exploits
NEW - IDP 4.0
Securing Database Applications
• New protocol decode: Oracle TNS
• Protects database applications from an increasing number of exploits and buffer overflows in the internal network
• Blocks unauthorized users from Oracle servers
• Protects against the underlying vulnerabilities of the Oracle TNS protocol
• Prevents future threats at day zero
NEW - IDP 4.0
Securing Mobile Data Networks
• New inspection capability: GTP encapsulated traffic
  • Protects inherently unsecured traffic
  • Supports UDP tunnel packets per GTPv0 and GTPv1
• Ensures that users on the cellular network aren't exposing the entire network to possible attacks
• Carrier protection on top of existing inspection for GRE encapsulated traffic
NEW - IDP 4.0
Only from Juniper Networks!
Coordinated Threat Control
• Identify specific attacks originating from a remote user via SSL VPN and quarantine the user (and only the offending user)
  1. User logs in using SSL VPN; deliberate or inadvertent attacks are launched
  2. IDP detects the attack and blocks requests to the internal resources
  3. IDP sends identifying data to the SA SSL VPN gateway
  4. Based on the data from IDP, SA quarantines and notifies the user
[Diagram: infected remote user; attack; identifying data; quarantine]
Available in IDP 3.2r2
IDP Product Overview
Product Offering
IDP Product Overview: Timeline
[Timeline diagram spanning 2002, 2004, 2005 and 2006; milestones in the order shown:]
• IDP platform introduced
• Integrated stateful signature creation and updates
• Protocol decodes
• Secure response notices
• Introduction of fully integrated multi-gigabit FW/VPN/IDP system (ISG 1000 and 2000)
• First to introduce daily signature updates
• First to introduce Integrated Threat Control for SSL and IDP appliances
• First and only IPS integrating Profiler for best-in-class network awareness
• Next generation of network visibility and control
• Consolidated security management solution
Typical IPS Deployment
[Diagram: NSM managing IDP sensors at the Main Office, Regional Head Office and Satellite Office]
IDP Product Line
[Diagram positioning the platforms by throughput against target segments: Service Provider, Large Enterprise Perimeter, Internal LAN, Enterprise Perimeter, SMB, Branch Office, Medium Business, Large Branch Office]
• ISG 1000/2000
• IDP 1100 @ 1 Gbps
• IDP 600 @ 500 Mbps
• IDP 200 @ 200 Mbps
• IDP 50 @ 50 Mbps
IDP Standalone – 1100 C/F
[Photos: 1100C, 1100F]
IDP 1100 C/F:
• Optimal for large enterprise / Gig environments
• Up to 1 Gbps throughput
• 500,000 max sessions
• 10 CG or 8 Fiber SX + 2 CG traffic, 1 CG mgmt & 1 CG HA ports
• HA clustering option
• Integrated bypass for CG traffic ports
High Availability Options
• Bypass
• Third-party HA
• Standalone HA
• Bypass unit for fiber Gig networks: IDP 600F, IDP 1100F, ISG
[Diagrams: HA pairs shown with state-sync links]
Solutions for Every Need
Juniper IDP Standalone Appliances
• 50 Mbps – 1 Gbps
• HA clustering
• Centralized policy management
• Complement existing FW/VPN
• Protect network segments: DMZ, LAN, departmental servers
Juniper ISG Series
• Next-Gen Security ASIC (GigaScreen)
• Multi-gigabit FW/VPN/IDP
• Centralized policy management
• High performance for demanding networks
• Virtualization features
• Granular rule-by-rule management
ISG – Under the Hood
• Integrated best-of-breed security & networking gear
• Multi-Gig 2-way Layer 7 IDP security modules
• Module "blades" available for ISG-1000 and ISG-2000
ISG Series Architecture
[Block diagram components: dual 1 GHz PowerPC CPU with 1 GB RAM; security modules; GigaScreen3 ASIC with 1 GB RAM and programmable processors; I/O slots]
Management Processing
• Dedicated processing helps ensure linear performance
• High performance interconnect & flow setup
Network Level Security Processing
• ASIC-accelerated security
  • Stateful FW, NAT, VPN, DoS/DDoS
  • Intelligent Intrusion Prevention session load balancing
  • Embedded programmable processor facilitates new feature acceleration
Security Module Processing
• Dedicated processing for other security applications
Unmatched processing power!
ISG Series Summary: ISG 1000 and ISG 2000

Specification                               ISG 1000          ISG 2000
Max throughput: firewall                    1 Gbps            2 Gbps
Max throughput: IPSec VPN (3DES/AES)        1 Gbps            1 Gbps
Packets per second: FW/VPN                  1.5/1.5 million   3/1.5 million
Max sessions                                500,000           1,000,000
VPN tunnels                                 2000              10000
Max throughput: Deep Inspection             200 Mbps          300 Mbps
Max throughput: IDP                         Up to 1 Gbps      Up to 2 Gbps
Supported security modules (IDP)            Up to 2           Up to 3
Fixed I/O interfaces                        4 x 10/100/1000   0
Max interfaces                              Up to 20          Up to 28
I/O modules                                 2                 4
Product Details

Juniper Firewall/VPN with ScreenOS Deep Inspection
• Hardware: NS-5XT, NS-5GT, NS-25, NS-50, NS-204, NS-208, NS-500, ISG 1000, ISG 2000, NS-5200, NS-5400
• Software: ScreenOS 5.0, 5.1, 5.2
• Management: NSM

Juniper Stand-alone IDP
• Hardware: IDP 50, IDP 200, IDP 600C, IDP 600F, IDP 1100C, IDP 1100F
• Software: IDP 4.0
• Management: NSM 2006.1

Juniper ISG Series with IDP
• Hardware: ISG 2000 with IDP, ISG 1000 with IDP
• Software: ScreenOS 5.0-IDP
• Management: NSM 2004 FP3-IDP1
Management
3-Tier Management – Secure and Scalable
[Diagram: common user interface, centralized NSM server, distributed IDP sensors and distributed ISG with IDP]
Standalone IDP appliances require IDP 4.0 for NSM support
Customers with a Hybrid Network
• Business Challenges
  • What is on my network?
  • Who is on my network?
• Product Challenges
  • Complex network environments
  • Multi-vendor FW and IPS systems
  • Multiple management systems
[Diagram: Main Office, Regional Head Office and Satellite Office, each with separate FW Mgmt and IPS Mgmt systems]
Juniper Networks Customers
• Juniper Offering
  • Juniper Networks IDPs & Firewalls
  • Single management system
  • Single user interface
• Business Benefits
  • Enhanced network visibility
  • Granular control
  • Ease of use
[Diagram: one NSM managing the Main Office, Regional Head Office and Satellite Office]
NSM Management Features
NEW - NSM 2006.1
• Scheduled Security Updates: automatically update devices with new attack objects.
• Domains: service providers and distributed enterprises may use this mechanism to logically separate devices, policies, reports, objects, etc.
• Role-based Administration: granular approach in which all 100+ activities in the system may be assigned as separate permissions.
• Object Locking: multiple administrators can safely and concurrently modify different objects in the system at the same time.
• Audit Logs: sortable and filterable record of who made which changes to which objects in the system.
• Device Templates: manage shared configuration such as sensor settings in one place.
• Job Manager: view pending and completed directives (such as device updates) and their status.
• High Availability: active/passive high availability of the management server.
• Scheduled Database Backups: copies of the NSM database may be saved on a daily basis.
Granular IDP Control w/NSM
• Firewall and IDP management from the same user interface
[Screenshots: configure attack detection; configure desired response]
Summary
Why Juniper Networks IDP products?
• Security Coverage
• Product Innovation
• Trusted Company
• Market Recognition
Security Coverage
• Multiple prevention methods for protection against the entire 'Vulnerability & Attack Lifecycle'
• Complete packet capture and protocol decode at Layer 7, including VoIP protocols
• 2-way Layer 7 inspection: blocks attacks from client-to-server and server-to-client
• 100% prevention and accuracy for shellcode/buffer overflow attacks
• 100% prevention in protecting against Microsoft vulnerabilities: same-day and zero-day protection on "Patch Tuesdays"
• Comprehensive spyware protection, including 700+ signatures and growing daily
• Daily signature updates, including auto signature updates and auto policy push
Product Innovation
• Next generation of network visibility w/ Security Explorer
• Granular, flexible management solution for all Juniper Networks security appliances
• Automatic custom reports
• Multi-gigabit performance
• Multiple deployment options
• "Profile" the network to understand applications and network traffic
• Carrier-class IDP: multi-Gbps combined with SDX / JNPR router integration
• Custom Signature Editor / Open Signatures Database
Trusted Company
• Financial strength / $2 billion in revenue / profitable / cash reserves
• Investment in R&D: 25% - 30% of revenue
• Product roadmap – IDP plays a key role in Juniper's Infranet solution
• Global support & relationships
Market Recognition
• Most decorated IPS product in 2005
  • Winner 'Editors Choice' – Network Computing: 'The Great IPS Test'
  • Winner 'Best Multifunction Appliance' – Network Computing (Well-Connected)
  • Winner 'Best IPS Appliance' – Network Computing (Well-Connected)
  • Winner 'Product of the Year' – SearchNetworking.com
  • Winner 'Product of the Year' – IDG Research / TechWorld
  • Winner 'Best Deployment Scenario' – ISP Guide: City of Burbank, Juniper IDP Customer
  • Awarded 'NSS Certification' for Industry Approved IPS: IDP 600F
  • Winner 'Product of the Year' – ISG 1000 – ZDnet Australia
  • Winner 'Editors Choice' – IDP 200 – ZDnet Australia
Thank You!