Control - Juniper 5 Daagse

Uploaded by thoughtlessskytop in Networks and Communications (Δίκτυα και Επικοινωνίες), 29 Oct 2013

Junos Rising
Westcon / Juniper 5-daagse (five-day Juniper course)
Pieter van Dijk

Copyright © 2009 Juniper Networks, Inc. www.juniper.net


MAJOR MARKET TRENDS…
DATA MOBILITY AND SCALE AT AN ALL TIME HIGH, AND GROWING

- Cloud Computing: total spend on public cloud services grows from $59 billion (2009) to $148 billion (2014). Sources: Gartner, IDC.
- Mobile Internet: smartphones have surpassed PCs as the mobile experience usurps the desktop model. [Chart: smartphone vs. PC shipments, 2009–2010, 30–120 million units]
- Explosive Growth: explosion of data, users, and devices. [Chart: 2011–2016]

Company Confidential

SECURITY IS IMPACTED BY TWO TRENDS

Industry Trends
- Workforce Behavior
- IT Infrastructure
- Business Drivers
- Compliance Requirements

Security Trends
- Attacker Behavior
- New Attack Targets
- Evolving Threat Vectors

Both sets of trends converge on the Business.

SECURITY MARKET TREND: EVOLVING THREATS

[Diagram: threats plotted against sophistication (maturity) over time]
- Attacker motive: from notoriety to profitability
- Target: from .gov / .com to .me / .you
- Type of attack: virus, worms, DoS, trojans, botnets, malware, APT
- New attack surface: new devices, ERP, Internet Information Services, new applications

ADDRESSING THE EVOLVING THREAT LANDSCAPE

Customer Priorities
- Visibility into Web 2.0 threats
- Scalable policy enforcement & management
- Control of application usage
- Rapid response to new threats

Juniper Security Solutions
- AppSecure software
- Security Research Teams
- SRX

COMPREHENSIVE APPLICATION VISIBILITY AND CONTROL

[Diagram: global high performance network connecting data center, branch, campus and mobile clients, source to destination]

Visibility covers:
- What user
- What application
- User device
- User location

APPSECURE: AN IMPORTANT COMPONENT TO A LAYERED SECURITY APPROACH

Inspection depth, processing intensity and cost increase from left to right:

- ACLs & Stateless Firewall: decisions made based on packet header info such as source and destination addresses. Very fast.
- Stateful Firewall: more context incorporated into the decision process; better at identifying unauthorized or forged communications. Still fast.
- Application Security
- Intrusion Prevention: looks at every bit for threats; thorough but intensive processing. Best used sparingly.


BUILDING INTELLIGENT SECURITY: INTRODUCING APPSECURE

- Suite of application-based services designed for deploying security in a knowledgeable manner
- Builds on existing SRX integrated services to deliver finer-grain policies
- Leverages integrated application intelligence

Current Security Services
- IPsec VPNs, IPS, UTM
- Stateful FW, NAT, ALG
- Routing, FBF, QoS, BW Management

Advanced Security Services with AppSecure
- Botnet Protection
- Application Access Control
- Application BW Management
- Application Intelligence


ADDRESSING THE NGFW MARKET WITH APPSECURE

Security at scale for 800+ applications. AppSecure consists of:
- AppTrack: Visibility
- AppFW: Enforcement
- AppQoS: Control
- AppDoS: Protection
- Identity management with application access control
APPTRACK: VISIBILITY FOR INFORMED RISK ANALYSIS
Monitor & Track Applications

- View application by protocol, Web application, and utilization
- Analyze usage and trends
- Log and report across security solutions and systems
- Customize application monitoring

Key points: Web 2.0 application visibility; app usage monitoring; scalable, flexible logging & reporting.

APPTRACK MAKES APPLICATION VISIBILITY AND CONTROL AS EASY AS 1-2-3

1. Traffic is analyzed by AppTrack as it traverses the SRX (the data center firewalls in front of the server farms and DC switching).
2. The SRX sends application logs to a SIEM/log collector (STRM or a 3rd-party SIEM).
3. SIEM reports are analyzed by IT staff in the operations center.

APPTRACK DRIVES FIREWALL, QOS, DDOS, IDP POLICY

Application identification results from flow processing feed each service module:
- AppFW: permit or deny based on user and application
- AppQoS: adjust QoS based on user and application
- AppDoS: application-based DoS detection
- IPS: require further traffic inspection

APPFW: BEYOND JUST FW OR APP CONTROL
Control & Enforce Web 2.0 Apps

- Inspect ports and protocols
- Control nested apps, chat, file sharing and other Web 2.0 activities
- Uncover tunneled apps (e.g. inside HTTP)
- Stop multiple threat types

Key points: dynamic application security; Web 2.0 policy enforcement; threat detection & prevention.

APPFW: 3 DIMENSIONAL SECURITY POLICIES

[Diagram: data center with STRM in the operations center, DC firewalls in front of the server farms and DC switching, and a user store (special UAC)]

A policy combines three dimensions: traditional firewall policy, user and group awareness, and AppTrack application awareness.

| Rule # | Source Zone | Dest Zone | Source IP | User/Role | Dest IP | Dynamic Application       | Action | Service | Options |
|--------|-------------|-----------|-----------|-----------|---------|---------------------------|--------|---------|---------|
| 1      | Zone-1      | Zone-2    | 1.1.1.0   | Amy       | Any     | Facebook                  | Permit | None    | Log     |
| 2      | Zone-1      | Zone-2    | 1.1.2.0   | Finance   | Any     | LinkedIn                  | Permit | None    | Log     |
| 3      | Zone-1      | Zone-2    | any       | any       | Any     | none                      | Permit | None    | Log     |
| 4      | Zone-1      | Zone-2    | any       | any       | Any     | Kazaa, Yahoo IM, Facebook | Deny   | None    | Log     |

(The match criteria are the columns up to Dynamic Application; the "then" part is Action, Service and Options.) Note the rule order: in a top-down, first-match table the catch-all in rule 3 would shadow rule 4, so the deny has to sit above the catch-all, or, on the SRX, be expressed as an AppFW rule set attached to the permit policy.

- Easily restrict application access to necessary users
- Reduce the spread of confidential information
- Stop high-risk and unwanted applications
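The table's rules 3 and 4 written out as Junos configuration, together with the AppTrack logging of the 1-2-3 slide that the table depends on. This is an added example and not configuration from the deck. On the SRX the application decision is not an ordered column of the security policy: the policy matches on zones, addresses and ports, and a permit policy hands the session to an AppFW rule set that is evaluated once application identification has classified the flow, so the catch-all permit cannot shadow the deny. Zone names are taken from the slide; the addresses, policy and rule-set names, and the junos:* application names are assumptions (verify the names against the installed signature package with `show services application-identification application summary`). Lines starting with `##` are annotations, not CLI input.

```junos
## Added example (not from the deck). AppTrack + AppFW on an SRX for the
## Zone-1 -> Zone-2 direction of the slide's table. Addresses, names and the
## junos:* application names are assumptions; lines starting with ## are
## annotations, not CLI input.

## 1. AppTrack: classify every session entering from Zone-1 and log it.
##    first-update emits a record as soon as the application is identified
##    instead of waiting for the session to close; updates follow every
##    5 minutes for long-lived sessions.
set security application-tracking first-update
set security application-tracking session-update-interval 5
set security zones security-zone Zone-1 application-tracking

## 2. Send the application logs straight from the data plane to the SIEM
##    (STRM here) as structured syslog. 10.0.1.1 is the SRX's own source
##    address, 10.0.1.100 the collector (both assumed).
set security log mode stream
set security log format sd-syslog
set security log source-address 10.0.1.1
set security log stream STRM host 10.0.1.100
set security log stream STRM category all

## 3. AppFW rule set = rule 4 of the table. The deny fires on the identified
##    application regardless of the port it runs over; anything else that is
##    identified falls through to the default rule (rule 3 of the table).
set security application-firewall rule-sets block-unwanted rule deny-p2p-im match dynamic-application junos:KAZAA
set security application-firewall rule-sets block-unwanted rule deny-p2p-im match dynamic-application junos:YMSG
set security application-firewall rule-sets block-unwanted rule deny-p2p-im match dynamic-application junos:FACEBOOK-ACCESS
set security application-firewall rule-sets block-unwanted rule deny-p2p-im then deny
set security application-firewall rule-sets block-unwanted default-rule permit

## 4. The traditional policy (zones, addresses, ports) that admits the
##    session and attaches the rule set; the log actions feed step 2.
set security policies from-zone Zone-1 to-zone Zone-2 policy allow-out match source-address any
set security policies from-zone Zone-1 to-zone Zone-2 policy allow-out match destination-address any
set security policies from-zone Zone-1 to-zone Zone-2 policy allow-out match application any
set security policies from-zone Zone-1 to-zone Zone-2 policy allow-out then permit application-services application-firewall rule-set block-unwanted
set security policies from-zone Zone-1 to-zone Zone-2 policy allow-out then log session-init
set security policies from-zone Zone-1 to-zone Zone-2 policy allow-out then log session-close

## Checks after commit:
##   show services application-identification application summary
##   show security application-firewall rule-set block-unwanted
##   show security application-tracking counters
```

Two caveats a practitioner should keep in mind. The AppFW verdict is taken per session after identification, so the first packets of a session are forwarded before the deny can apply; AppFW enforces policy on the application, it is not a substitute for blocking a known-bad destination at the address level. The user/role column of the table (rules 1 and 2) is expressed on the SRX with `match source-identity <role>` on the policy, which only works once the UAC/user-firewall integration shown in the diagram supplies the user-to-IP mapping.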


APPQOS FOR SCALE & PERFORMANCE
Prioritize & Control App Bandwidth

- Monitor Web 2.0 bandwidth consumption
- Throttle bit rates based on security and usage insights
- Prioritize business-critical apps

Key points: dynamic application quality-of-service (QoS); application prioritization; performance management.

APPQOS: BANDWIDTH MANAGEMENT FOR BUSINESSES

- Prioritize traffic based on application type
- Limit the amount of bandwidth an application can consume
- Mark the DSCP values for proper QoS treatment
- Leverage the Junos Class-of-Service feature set to fully control application handling at the interface queue level

Example policy (traditional firewall policy + user and group awareness + AppTrack application awareness):
- Give highest priority to financial applications for finance and sales
- Approved applications receive normal priority
- Lower priority for multimedia applications, except for the MM content group
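The three tiers above as an AppQoS rule set plus the interface-level Class-of-Service that the last bullet refers to. This is an added example, not configuration from the deck. `junos:SAP` stands in for "the financial application" and `junos:web:multimedia` for the multimedia group; those names, the 10.1.20.0/24 range for the MM content group, the 2 Mbps ceiling and the egress interface ge-0/0/1 are all assumptions. Lines starting with `##` are annotations, not CLI input.

```junos
## Added example (not from the deck). AppQoS rule set implementing the three
## tiers on the slide. Application names (junos:SAP stands in for the
## financial application), address ranges, rates and interface are
## assumptions; lines starting with ## are annotations, not CLI input.

## Ceiling for multimedia: 2 Mbps (bandwidth-limit is in kbps) with a
## 256 kB burst allowance.
set class-of-service application-traffic-control rate-limiters mm-2m bandwidth-limit 2000
set class-of-service application-traffic-control rate-limiters mm-2m burst-size-limit 256000

## Tier 1: the financial application is placed in the EF forwarding class
## and re-marked DSCP 101110 (EF) so downstream routers honour the priority.
set class-of-service application-traffic-control rule-sets app-qos rule finance match application junos:SAP
set class-of-service application-traffic-control rule-sets app-qos rule finance then forwarding-class expedited-forwarding
set class-of-service application-traffic-control rule-sets app-qos rule finance then dscp-code-point 101110
set class-of-service application-traffic-control rule-sets app-qos rule finance then loss-priority low
set class-of-service application-traffic-control rule-sets app-qos rule finance then log

## Tier 3: multimedia is re-marked to best effort, made drop-eligible and
## rate-limited in both directions. Sessions matching neither rule keep
## the default treatment, which is the slide's tier 2 ("normal priority").
set class-of-service application-traffic-control rule-sets app-qos rule multimedia match application-group junos:web:multimedia
set class-of-service application-traffic-control rule-sets app-qos rule multimedia then forwarding-class best-effort
set class-of-service application-traffic-control rule-sets app-qos rule multimedia then dscp-code-point 000000
set class-of-service application-traffic-control rule-sets app-qos rule multimedia then loss-priority high
set class-of-service application-traffic-control rule-sets app-qos rule multimedia then rate-limit client-to-server mm-2m
set class-of-service application-traffic-control rule-sets app-qos rule multimedia then rate-limit server-to-client mm-2m

## The MM content group is exempt: a more specific policy, matched on its
## address range and listed first, permits without any AppQoS rule set.
set security zones security-zone Zone-1 address-book address mm-content 10.1.20.0/24
set security policies from-zone Zone-1 to-zone Zone-2 policy mm-content-out match source-address mm-content
set security policies from-zone Zone-1 to-zone Zone-2 policy mm-content-out match destination-address any
set security policies from-zone Zone-1 to-zone Zone-2 policy mm-content-out match application any
set security policies from-zone Zone-1 to-zone Zone-2 policy mm-content-out then permit

## Everyone else gets the rule set attached to the general permit.
set security policies from-zone Zone-1 to-zone Zone-2 policy allow-out match source-address any
set security policies from-zone Zone-1 to-zone Zone-2 policy allow-out match destination-address any
set security policies from-zone Zone-1 to-zone Zone-2 policy allow-out match application any
set security policies from-zone Zone-1 to-zone Zone-2 policy allow-out then permit application-services application-traffic-control rule-set app-qos

## Policies are evaluated in order. If allow-out already existed, move the
## exemption above it from configuration mode:
##   insert security policies from-zone Zone-1 to-zone Zone-2 policy mm-content-out before policy allow-out

## Interface queues (the Junos CoS part): EF is served strict-high on the
## egress interface, best effort shares whatever remains.
set class-of-service schedulers ef-sched priority strict-high
set class-of-service schedulers be-sched transmit-rate remainder
set class-of-service scheduler-maps sm-egress forwarding-class expedited-forwarding scheduler ef-sched
set class-of-service scheduler-maps sm-egress forwarding-class best-effort scheduler be-sched
set class-of-service interfaces ge-0/0/1 scheduler-map sm-egress

## Checks after commit:
##   show class-of-service application-traffic-control statistics rule
##   show class-of-service application-traffic-control statistics rate-limiter
```

The split matters: the AppQoS rule set only classifies and polices per application; actual prioritisation at congestion happens in the interface scheduler, so without the scheduler map the EF marking changes nothing on the SRX itself. The exemption is done with policy order rather than inside the rule set because rule-set rules match on application, not on source address.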


APPDOS: BOTNET & DOS THREAT MITIGATION
Protect Valuable On-line Business

- Detect and mitigate botnet activity
- Benchmark "normal" behavior to detect anomalies
- Uncover misuse of routine Web functionality (e.g. the view item → select item → purchase item → check bill transaction flow)
- Adapt security policy and QoS based on insights

Key points: botnet detection & remediation; DoS monitoring & remediation; on-going anomaly detection.

DDOS ATTACK EVOLUTION

Traditional DDoS Attacks (saturation)
- Bandwidth saturation causing service outages
- SYN floods, packet floods
- Detectable: statistical/behavioral
- Effective containment

Now: stateful/meaningful DDoS
- Mimic legitimate traffic and transactions
- Applications process legitimate requests that are intended to disrupt or overload service
- Can't distinguish bad traffic/requests from good

[Diagram: a saturation DDoS attack shown as a flood of req/ack packets, versus a stateful DDoS attack shown as an endless series of "place in cart . . ." transactions]

APPLICATION DDOS PROTECTION: INTRODUCING APPLICATION DENIAL OF SERVICE (APPDOS)

- Identifies attacking botnet traffic vs. legitimate clients based on application-layer metrics and remediates against botnet traffic
- Employs a multi-stage approach, from server connection monitoring and deep protocol analysis to bot-client classification:
  - Server connection monitoring
  - Protocol analysis
  - Bot-client classification
- Available on the SRX5000 and SRX3000 Series Gateways

WITHOUT APPDOS POLICY
Good traffic (1000 CPS) + AppDoS traffic (4000 CPS) = 5000 CPS, above the server threshold of 4500 CPS: DDoS, degraded performance.

WITH APPDOS POLICY ACTIVATED
Bad traffic is blocked, only good traffic is allowed through (1000 CPS), well below the server threshold of 4500 CPS: AppDoS mitigated.

IPS FOR CUSTOMIZABLE PROTECTION
Monitor & Mitigate Custom Attacks

- Detect and monitor suspicious behavior
- Address vulnerabilities instead of the ever-changing exploits of the vulnerability (AppSecure IPS signatures target the vulnerability; other IPSs chase individual exploits)
- Tune open signatures to detect and mitigate tailored attacks
- Uncover attacks exploiting encrypted methods

Key points: on-going threat protection; mobile traffic monitoring; custom attack mitigation.

FULL IDP CAPABILITIES

IPS
- Full featured detection
- Constant inspection
- Decoder based updates
- Geared for evasive application detection

APPSECURE SERVICE MODULES

[Diagram: ingress → flow processing → egress. The Application Identification engine (AI), with nested application identification (NAI), produces application ID results that are consumed by the AppTrack, AppFW, AppQoS, AppDoS and IPS modules.]

THE JUNIPER APPSECURE DIFFERENCE

SCALABLE
- Performance up to 100G
- Adds botnet & DoS detection, QoS & IPS

COMPREHENSIVE
- Mobile & fixed user protection
- Traditional & Web 2.0 security

FLEXIBLE
- Open attack signatures
- Scriptable CLI
- Modular hardware
- Compatible Syslog format
- Log storage up to 1.3 TB
- Advanced HA
- Extensible FRU design
- Runs on SRX & Junos

JUNOS SPACE APPSECURE DEMO

SRX BRANCH AND HIGH END PLATFORM UPDATE

Branch SRX
[Two slides of product images]

SRX FEATURES MATRIX

Security
- Firewall
- VPN
- IDP
- Antivirus
- Web filtering
- Antispam

Wireless LAN and 3G WAN
- 802.11n
- 3G/4G

Routing & Switching
- RIP, OSPF, BGP, Multicast, IPv6
- MPLS; full BGP table
- J-Flow, RPM
- L2 switching
- PoE options

Physical Interfaces
- T1/E1, Serial, DS3/E3
- VDSL, ADSL, G.SHDSL
- DOCSIS cable modem
- Ethernet 10/100/1000 & 10G, copper or fiber

DYNAMIC SERVICES ARCHITECTURE

- Separate I/O and services
- Plug-and-play modules
- Integrated terabit fabric
- Dedicated control plane
- Carrier-class reliability

[Diagram: I/O cards and services cards connected over the terabit fabric, with a dedicated control plane. Services shown: firewall, IDP, AppFW, AppQoS, AppTrack, VPN, ALG, LSYS, screens, LLF, QoS, D/DoS, SYN protection, and more]

SECURITY FOUNDATION WITH SRX

- Portfolio covers a wide range of customer requirements
- Integrated services gateway offering up to 120 Gbps FW, 100 Gbps AppFW and 30 Gbps IPS

Branch SRX: SRX100, SRX210, SRX220, SRX240, SRX650 (telecommuter, small office, small/medium branch, large branch, regional office)
High End SRX: SRX1400, SRX3400, SRX3600, SRX5600, SRX5800 (large enterprise, service provider)
[Chart: performance scale from 10 Gbps to 120 Gbps across the portfolio]

THE JUNOS PORTFOLIO

One OS, one release track, one architecture, from branch to core, with frequent releases (10.2, 10.3, 10.4).

- EX Series switching: EX2200 Line, EX3200 Line, EX4200 Line, EX4500 Line, EX8208, EX8216
- Routing: M Series, MX Series, T Series, J Series, LN1000
- Security: SRX100, SRX210, SRX220, SRX240, SRX650, SRX1400, SRX3000 Line, SRX5000 Line
- Management and clients: Junos Space, Junos Pulse
- API and module extensibility

HIGH AVAILABILITY

CARRIER-GRADE AVAILABILITY

In Service Software Upgrade (ISSU)
- Perform a software upgrade while the SRX cluster is in production
- Typical traffic loss times ~1 sec*
- Single-command triggered upgrade, not requiring manual intervention
- ISSU is supported in HA cluster mode only

Cluster Mode
- Active/Active and Active/Passive support
- Multi-datacenter compatible
- Fully stateful: sessions persist across failover
- Robust system health criteria: hardware/software/control link/IP tracking
- Graceful Restart support for routing protocols

WHY HIGH AVAILABILITY?

All high-end SRX deployments use HA
- Continuity of services
- Provide availability through redundancy
- Avoid a single point of failure

How the SRX provides HA
- Utilizing the Junos Services Redundancy Protocol, JSRP (similar to NSRP in ScreenOS)
- Control and data plane redundancy
- Single system view: same config on both nodes
- Stateful traffic failover with routing, firewall, NAT, VPN, and security services

Flexible deployment scenarios
- Basic/full mesh Active/Passive
- Various Active/Active scenarios
- Asymmetric support

SRX HA CONCEPT

JSRP combines features inherited from Junos and ScreenOS with new development:

From Junos
- Routing: Graceful Restart, NSR
- Flexibility in interfaces
- Asymmetric routing
- Configuration sync

From ScreenOS
- RTO sync
- Stateful failover
- NSRP state machine
- Keep-alive mechanism
- IP tracking

New development
- Distributed parallel packet processing
- Control port redundancy

JSRP Model
- Routing: GRES, Graceful Restart, NSR (future), asymmetric routing, flexibility in interfaces
- JSRPD: redundant interfaces, control and fabric link infrastructure, RTO synchronization, stateful failover, NSRP state machine, keep-alive mechanism, IP tracking


HIGH AVAILABILITY CHARACTERISTICS OVERVIEW

Redundancy
- Control plane: active-passive
- Data plane: active-passive or active-active

Synchronization
- Configuration
- Session state

Stateful Session Failover
- NAT
- ALG
- IPsec
- Authentication

HIGH AVAILABILITY REDUNDANCY: SOLUTION ARCHITECTURE

GRES provides nonstop failover.

[Diagram: Node 0 (RE active: control plane daemons; PFE active: forwarding daemon) and Node 1 (RE backup; PFE backup), joined by the control link (fxp1 on each node) carrying the control plane and the data link (fab0/fab1) carrying the data plane plus the RTOs exchanged by flowd]

- Single device abstraction
- Clean separation of control and forwarding planes
- Unified configuration with configuration sync
- Maximum of 2 devices
- Devices must be of the same hardware model

TWO CHASSIS CONNECTED TOGETHER

- Control plane connection: SPC-to-SPC (RE 0 on node0, the primary, to RE 1 on node1, the secondary)
- Data plane connection: IOC to IOC

CLUSTER CONNECTIONS

| Platform       | Fxp0 (mgmt) | Fxp1 (HA control)                     | Fabric (must be configured)                    |
|----------------|-------------|---------------------------------------|------------------------------------------------|
| J-Series       | ge-0/0/2    | ge-0/0/3                              | Any available GE interface                     |
| SRX 100/210    | fe-0/0/6    | fe-0/0/7                              | Any available FE or GE interface               |
| SRX 220        | ge-0/0/6    | ge-0/0/7                              | Any available GE interface                     |
| SRX 240/650    | ge-0/0/0    | ge-0/0/1                              | Any available GE interface                     |
| SRX 1400       | onboard RE  | ge-0/0/10 and/or ge-0/0/11            | Any available GE or XE interface               |
| SRX 3400/3600  | onboard RE  | Built-in front-panel RE ports         | Any available GE or XE interface               |
| SRX 5600/5800  | onboard RE  | SPC control port (must be configured) | Any available GE or XE interface; must be fiber|
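A two-node SRX240 chassis cluster built from the SRX 240/650 row of the table (fxp0 = ge-0/0/0, HA control = ge-0/0/1, fabric on a spare GE), as an added example that is not configuration from the deck. It ties together the pieces the HA slides name: redundancy groups for control and data plane, the fabric link for RTO synchronisation, redundant Ethernet (reth) interfaces, and interface and IP tracking as failover criteria. Interface choices other than the fixed ones, addresses, priorities and the monitored next hop are assumptions. Lines starting with `##` are annotations, not CLI input.

```junos
## Added example (not from the deck). Two SRX240s brought up as a chassis
## cluster using the SRX 240/650 row above: fxp0 = ge-0/0/0, HA control
## (fxp1) = ge-0/0/1, fabric on a spare GE. Interface choices, addresses,
## priorities and the next-hop address are assumptions; lines starting with
## ## are annotations, not CLI input.

## Operational mode, once per node, with ge-0/0/1 cabled back to back.
## After the reboot node 1's interfaces are renumbered to slot 5 (ge-5/0/x).
##   node 0>  set chassis cluster cluster-id 1 node 0 reboot
##   node 1>  set chassis cluster cluster-id 1 node 1 reboot

## Per-node settings (hostname, fxp0 management address) live in node groups;
## the rest of the configuration is shared and synced to both nodes.
set groups node0 system host-name srx240-node0
set groups node0 interfaces fxp0 unit 0 family inet address 10.0.0.10/24
set groups node1 system host-name srx240-node1
set groups node1 interfaces fxp0 unit 0 family inet address 10.0.0.11/24
set apply-groups "${node}"

## Fabric (data) link: carries RTO synchronisation and Z-mode forwarding
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2

## RG0 = control plane (which RE is primary), RG1 = data plane. Node 0 is
## preferred for both; preempt lets it reclaim RG1 once it is healthy again.
set chassis cluster reth-count 2
set chassis cluster control-link-recovery
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 preempt

## Health criteria for RG1: an uplink going down costs the full weight 255
## and triggers failover; IP tracking fails over when the next hop stops
## answering probes sent from the reth0 secondary address.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/3 weight 255
set chassis cluster redundancy-group 1 ip-monitoring global-weight 255
set chassis cluster redundancy-group 1 ip-monitoring global-threshold 0
set chassis cluster redundancy-group 1 ip-monitoring family inet 192.0.2.254 weight 255
set chassis cluster redundancy-group 1 ip-monitoring family inet 192.0.2.254 interface reth0.0 secondary-ip-address 192.0.2.2

## Redundant Ethernet interface: one physical member per node and a single
## address that moves with RG1, so sessions survive the failover.
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-5/0/3 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 192.0.2.1/24
set security zones security-zone untrust interfaces reth0.0

## Checks after commit:
##   show chassis cluster status
##   show chassis cluster interfaces
##   show chassis cluster statistics
```

`reth-count` must be set before any reth interface can be configured, and the fabric link has to be configured explicitly (as the table's last column says) or RTOs are never exchanged and failover is not stateful. Keep the control and fabric links on dedicated cabling: anything that can inject or disrupt traffic on them can force a failover or split the cluster.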


VIRTUALIZATION

VIRTUALIZATION CHALLENGES

Physical network
- One server is one server
- Firewall can see all traffic
- Applications don't move much

Virtualized network = complexity
- One physical server represents many virtual ones
- Dynamic applications: as applications move (VMotion), how does the physical security follow?
- Hidden traffic: traffic between VMs on the same hypervisor isn't sent to the physical firewall

VGW MODULES

- Main: dashboard view of the virtual data center
- Network: traffic flows
- Firewall: firewall policy and logs
- IDS: view of IDS alerts
- AntiVirus: AV protection with quarantine
- Introspection: VM "x-ray" (OS, apps, etc.)
- Compliance: alerts on VM/host non-compliance
- Reports: granular reports and scheduler

THE VGW PURPOSE-BUILT APPROACH

Service Provider & Enterprise Grade
- Three-tiered model
- VMware certified
- Protects each VM and the hypervisor
- Fault-tolerant architecture (i.e., HA)

Virtualization-aware
- "Secure VMotion" scales to 1,000+ hosts
- "Auto Secure" detects/protects new VMs

Granular, Tiered Defense
- Stateful firewall, integrated IDS, and AV
- Flexible policy enforcement

THE vGW ENGINE
[Diagram: security design for vGW on an ESX or ESXi host. The vGW engine sits in the VMware kernel (hypervisor) below any vSwitch (standard, DVS, 3rd party) and sees the packet data of VM1, VM2 and VM3; it integrates with Virtual Center through the VMware APIs and exports to a partner server (IDS, SIM, Syslog, Netflow)]

PERFORMANCE & SCALABILITY

VGW <-> SRX SERIES INTEGRATION

SRX firewall zones integration
- Imports zone configuration from the SRX Series into vGW
- Use the imported zones as a template for vGW security

Benefits
- Guarantee integrity of zones on the hypervisor
- Automate and verify no "policy violation" of VMs
- Empower the SRX Series with VM awareness