Junos DDoS Secure (PROIDEA, 2013-11-05; khendrych@juniper.net)
Agenda
- Intro & SRX High End Firewall
- Junos DDoS Secure
- Management
Copyright © 2009 Juniper Networks, Inc. www.juniper.net
SRX HE Firewall
HW FIREWALLS: CONSOLIDATED SECURITY IN DC CORE

(Diagram: Edge, Core and Applications tiers, with the hardware firewalls consolidated in the data-centre core between the edge and the applications.)
SRX / DATA CENTER SERVICES PLATFORMS

Next-Gen Security Systems
- Rich standard services: Firewall/NAT, DoS/DDoS/AppDDoS, VPN, IPS, QoS, AppSecure, LSYS
- Scalable performance (NEW: FW PPS up to 220M)

| Platform | Form factor | FW/VPN/IDP throughput* | Sessions | CPS |
|---|---|---|---|---|
| SRX5800 | 16U, 12 slot | 200/150/110G | 60M | 400k |
| SRX5600 | 8U, 6 slot | 95/55/35G (60/15/15G also listed) | 44M | 400k |
| SRX3600 | 5U, 8+4 GE | 30/10/10G | 6M | 300k |
| SRX3400 | 3U, 8+4 GE | 20/6/6G | 3M | 150k |
| SRX1400 | 3U, 12GE or 3XGE+9GE | 10/2/2G | 1.5M | 70k |

* FW/IDP/IPSEC
SRX3K PFE HIGH LEVEL ARCHITECTURE

(Block diagram.) The packet forwarding engine is built from IOCs (IOC #X .. #Y), NPCs (NPC #R .. #S) and SPCs (SPC #1 .. #N) joined by two fabric domains, a fabric IOC domain and a fabric SPC domain. Cards are composed of NP, FPGA and switch (SWI) components; the SPC carries the SPUs and the CP (central point). Functions shown in the diagram: Phy and policers at ingress; flow lookup, stateless screens and CoS on the NP; filters, flow and services on the SPU.
(Performance chart: SRX1400, HTTP 20 kB transactions with the IDP recommended policy, plus 2M pps UDP.)
Junos DDoS Secure
JUNOS DDOS SECURE

(Diagram, top to bottom: Edge; Junos DDoS Secure; the SRX pair in the Core; Applications.)
WHAT DOES DDOS SECURE PROTECT

Resources, which can be:
- Servers: weak IP stacks and bugs; IP stack table resources; session overload
- Gateways (firewalls, load balancers, concentrators): IP stack table resources; session overload; bandwidth overload; packet overloads
- URLs: request overload; slow or partial requests
HEURISTIC MITIGATION IN ACTION

(Diagram: normal Internet traffic and DDoS attack traffic arrive at the Junos DDoS Secure appliance; the heuristic analysis passes the normal traffic through to the protected resources, discards the attack traffic, and reports to a management PC.)

Normal Internet traffic flows through the Junos DDoS Secure appliance while the software analyses the type, origin, flow, data rate, sequencing, style and protocol used by all inbound and outbound traffic. The analysis is heuristic in nature and adjusts over time, but it is applied in real time with minimal (store-and-forward) latency.
JUNOS DDoS SECURE HOW DOES IT WORK (1/3)

- Packet validated against pre-defined RFC filters
- Malformed and mis-sequenced packets dropped
- Individual IP addresses assigned a CHARM value
- Value assigned based on IP behaviours:
  - Mechanistic traffic: low CHARM value
  - First-time traffic: medium CHARM value
  - Humanistic, trusted traffic: high CHARM value
JUNOS DDoS SECURE HOW DOES IT WORK (2/3)

CHARM Algorithm
- Access depends on the CHARM threshold of the target resource
- Below threshold: packets dropped
- Above threshold: uninterrupted access
- Minimal (if any) false positives
- CHARM threshold changes dynamically with resource 'busyness'
- Full stateful engine measures response times
- No server agents
JUNOS DDoS SECURE PACKET FLOW SEQUENCE (3/3)

CHARM Technology Resource Control. Packet enters -> Syntax Screener (drop packet, or "OK so far") -> CHARM Generator (packet now carries a CHARM value) -> CHARM Screener (drop packet, or packet exits).

1. Validates data packet: against defined filters; against RFCs; packet sequencing; TCP connection state
2. Calculates CHARM value for the data packet: references the IP behaviour table; a function of time and historical behaviour; better behaved = better CHARM
3. Behaviour is recorded in the IP behaviour table: supports up to 32-64M profiles; profiles aged on a least-used basis
4. Calculates the CHARM threshold from the responsiveness of the resource
5. Allow or drop: compares the packet's CHARM value against the resource's CHARM threshold
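The five steps above as a runnable toy model. This is an added example, not code from Juniper or from the slides: the real CHARM scoring is proprietary and not described here, so the score weights, the mapping from measured response time to threshold, the packet fields and the constructed traffic are all assumptions chosen to show how a per-source behaviour table, a resource-responsiveness threshold and a screener fit together.

```python
"""Toy model of the packet-flow sequence on these slides: a syntax screener,
a CHARM generator fed by a per-source IP behaviour table, a CHARM threshold
derived from how responsive the protected resource is, and a CHARM screener.
Added example, not Juniper code: score weights, the response-time model and
the packet fields are assumptions made to show the mechanism."""
from collections import OrderedDict
from dataclasses import dataclass

MAX_PROFILES = 4       # real appliances hold 32-64M profiles; tiny here so LRU ageing is visible
RTT_BASELINE = 0.020   # assumed: the resource answers in 20 ms when it is not struggling


@dataclass
class Packet:
    src: str
    ts: float             # arrival time in seconds
    tcp_flags: str        # "S" = SYN, "A" = ACK, "PA" = PSH+ACK (data)
    well_formed: bool = True


@dataclass
class Profile:
    first_seen: float
    packets: int = 0
    bad_packets: int = 0
    handshakes: int = 0
    syn_pending: bool = False
    last_ts: float = 0.0
    last_gap: float = 0.0
    uniform_gaps: int = 0  # consecutive near-identical inter-packet gaps: metronomic = mechanistic


class CharmEngine:
    def __init__(self):
        self.table = OrderedDict()   # IP behaviour table, least recently used first
        self.syn_seen = set()        # sources that opened a connection properly

    def _touch(self, src, ts):
        """Fetch or create a profile and mark it most recently used, ageing out the
        least used profile when the table is full (step 3)."""
        prof = self.table.pop(src, None) or Profile(first_seen=ts)
        self.table[src] = prof
        if len(self.table) > MAX_PROFILES:
            self.table.popitem(last=False)
        return prof

    def syntax_ok(self, p):
        """Step 1: drop malformed packets and packets out of sequence for the TCP
        state we have seen (an ACK from a source that never sent a SYN)."""
        if not p.well_formed:
            return False
        if p.tcp_flags == "S":
            self.syn_seen.add(p.src)
            return True
        return p.src in self.syn_seen

    def record(self, p):
        """Step 3: update the behaviour table from this packet."""
        prof = self._touch(p.src, p.ts)
        gap = p.ts - prof.last_ts if prof.packets else 0.0
        metronomic = prof.packets > 1 and abs(gap - prof.last_gap) < 0.001
        prof.uniform_gaps = prof.uniform_gaps + 1 if metronomic else 0
        prof.last_gap, prof.last_ts, prof.packets = gap, p.ts, prof.packets + 1
        if p.tcp_flags == "S":
            prof.syn_pending = True
        elif p.tcp_flags == "A" and prof.syn_pending:
            prof.syn_pending, prof.handshakes = False, prof.handshakes + 1
        return prof

    def charm_value(self, prof, now):
        """Step 2: a first-time source starts in the middle; trust accrues with time
        and completed handshakes, and drains with metronomic timing or bad packets."""
        value = 50.0
        value += min(30.0, (now - prof.first_seen) / 60.0)   # up to +30 after 30 minutes
        value += 10.0 * min(prof.handshakes, 2)
        value -= 15.0 * min(prof.uniform_gaps, 3)
        value -= 20.0 * prof.bad_packets
        return max(0.0, min(100.0, value))

    @staticmethod
    def threshold(observed_rtt):
        """Step 4: zero while the resource answers at baseline, so nothing is dropped;
        climbs as measured response time grows (assumed linear: 4x slower -> 60)."""
        load = max(0.0, observed_rtt / RTT_BASELINE - 1.0)
        return min(100.0, 20.0 * load)

    def process(self, p, observed_rtt):
        """Run one packet through the sequence and return the verdict (step 5)."""
        if not self.syntax_ok(p):
            self._touch(p.src, p.ts).bad_packets += 1
            return "drop:syntax"
        prof = self.record(p)
        if self.charm_value(prof, p.ts) < self.threshold(observed_rtt):
            return "drop:charm"
        return "forward"


if __name__ == "__main__":
    # constructed traffic: a source that behaves like a client, and one that floods on a fixed tick
    client = [Packet("198.51.100.7", 0.0, "S"), Packet("198.51.100.7", 0.05, "A"),
              Packet("198.51.100.7", 300.0, "PA")]
    bot = [Packet("203.0.113.10", 0.0, "S")] + [Packet("203.0.113.10", 0.01 * i, "PA") for i in range(1, 6)]
    for rtt in (0.020, 0.080):
        eng = CharmEngine()
        print(f"rtt={rtt}: ", [eng.process(pkt, rtt) for pkt in client + bot])
```

The point to watch is the metronomic source: while the resource answers at baseline it is forwarded like everything else, and it is dropped only once the measured response time climbs, which is the "only drops if the protected resource is struggling" property. The same mechanism means a first-time source with a medium score is the first to be shed under load, ahead of sources with history.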
DDOS SECURE vs. SIGNATURE BASED BLOCKING

DDoS Secure: behavioural learning
- Minimal configuration required
- No requirement for constant updates
- Recognises and dynamically adapts to new or zero-day attack vectors

DDoS Secure: only drops if the protected resource is struggling
- Minimal, if any, false positives

Plug and play
- Low maintenance / human intervention
JUNOS DDoS SECURE VARIANTS

- VMware instance: good for 1 Gb throughput, ~700K-800K pps
- 1U appliance: capable of 1 Gb and 10 Gb, ~750K cps / 2M pps
- 1U appliances have a choice of fail-safe card: fiber (10G SR/LR) or copper (1G / 10G)
- All can be used stand-alone, as an active/standby pair, or active/active (asymmetric routing)
HOW JUNOS DDOS SECURE UNIT IS DEPLOYED

Acts like a bridge:
- Single in-band bi-directional data path via two NICs
- No IP address on the data NICs
- Inserts into the path of an existing Ethernet segment; no need to reconfigure other network units
- Circuit interruption limited to a few seconds when installing

Management is out of band, via a third, IP-addressed interface. State can be shared between multiple DDoS Secure appliances over a fourth interface, which supports network redundancy.
WHEN THAT'S NOT GOOD ENOUGH: BGP FLOW SPEC (RFC 5575) ON JUNIPER UPSTREAM ROUTERS

- Flow Specification defines a method for distributing traffic flow specifications using BGP NLRI
- A flow specification is an n-tuple of match criteria on the IP packet (destination and source prefix, IP protocol, ports, ICMP type/code, TCP flags, packet length, DSCP, fragment bits)
- An algorithm defines the ordering of the resulting firewall match criteria
- Validation criteria define when a flow specification received from a peer is accepted: by default it must come from the originator of the best-matching unicast route for its destination prefix
- Actions: policing (traffic-rate), QoS marking, redirect, and drop (a traffic-rate of 0)
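The four bullets above worked through in code: encoding the n-tuple match as NLRI bytes, encoding the traffic-rate action, the ordering comparator, and the validation check applied to a flow route learned from a peer. This is an added example, not Juniper code or a Junos configuration; the prefixes are from the RFC 5737 documentation ranges, the AS numbers from the private range, and the modelling of "originator" as the neighbouring AS is an assumption that holds for the eBGP case the slide describes.

```python
"""RFC 5575 BGP Flow Specification worked through in Python: encode an n-tuple
match as NLRI bytes, encode a traffic-rate action, order rules, and apply the
section 6 validation check to a flow route received from a peer.
Added example, not Juniper code; addresses and AS numbers are documentation values."""
import functools
import ipaddress
import struct

# component type numbers (RFC 5575 section 4)
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6


def _prefix_component(ctype, prefix):
    """Type, prefix length, then only as many address bytes as the length needs."""
    net = ipaddress.ip_network(prefix)
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]


def _numeric_eq_component(ctype, value):
    """One numeric operator byte: end-of-list=1, and=0, len=00 (1 byte), eq=1 -> 0x81."""
    return bytes([ctype, 0x81, value])


def encode_nlri(dst=None, src=None, proto=None, dport=None):
    """NLRI = length (1 byte, or 2 bytes with the 0xF marker when >= 240) + components in type order."""
    body = b""
    if dst is not None:
        body += _prefix_component(DST_PREFIX, dst)
    if src is not None:
        body += _prefix_component(SRC_PREFIX, src)
    if proto is not None:
        body += _numeric_eq_component(IP_PROTO, proto)
    if dport is not None:
        body += _numeric_eq_component(DST_PORT, dport)
    length = bytes([len(body)]) if len(body) < 240 else struct.pack(">H", 0xF000 | len(body))
    return length + body


def traffic_rate(rate_bytes_per_sec, asn=0):
    """traffic-rate extended community (type 0x8006): 2-byte AS (informational) + IEEE float; 0 means drop."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, float(rate_bytes_per_sec))


def flow_rule_cmp(a, b):
    """Section 5.1 ordering over rules given as [(type, value), ...]; prefix values are
    'a.b.c.d/len' strings, other values the raw operator/value bytes.
    Returns -1 when a precedes b, 1 when b precedes a, 0 when equal."""
    for (t1, v1), (t2, v2) in zip(a, b):
        if t1 != t2:                       # lower type number has precedence
            return -1 if t1 < t2 else 1
        if t1 in (DST_PREFIX, SRC_PREFIX):
            n1, n2 = ipaddress.ip_network(v1), ipaddress.ip_network(v2)
            if n1 == n2:
                continue
            shorter, longer = (n1, n2) if n1.prefixlen < n2.prefixlen else (n2, n1)
            if longer.subnet_of(shorter):  # one contains the other: the longer prefix first
                return -1 if n1 is longer else 1
            return -1 if n1.network_address < n2.network_address else 1
        common = min(len(v1), len(v2))     # other types: memcmp, longer string wins a tie
        if v1[:common] != v2[:common]:
            return -1 if v1[:common] < v2[:common] else 1
        if len(v1) != len(v2):
            return -1 if len(v1) > len(v2) else 1
    if len(a) == len(b):
        return 0
    # Assumption: when every shared component is equal, the rule with more components
    # (the more specific one) sorts first; RFC 8955 pins this case down.
    return -1 if len(a) > len(b) else 1


def order_rules(rules):
    return sorted(rules, key=functools.cmp_to_key(flow_rule_cmp))


def flowspec_valid(dst_prefix, originator_as, unicast_rib):
    """Section 6 validation: the flow route's originator must be the originator of the
    best-matching unicast route for its destination prefix, and no more-specific unicast
    route may come from a different neighbouring AS.  unicast_rib is a list of
    (prefix, originator_as); originator is modelled as the neighbouring AS (eBGP case)."""
    dst = ipaddress.ip_network(dst_prefix)
    rib = [(ipaddress.ip_network(p), asn) for p, asn in unicast_rib]
    covering = [(net, asn) for net, asn in rib if dst.subnet_of(net)]
    if not covering:
        return False
    _, best_as = max(covering, key=lambda e: e[0].prefixlen)
    if best_as != originator_as:
        return False
    return not any(net.prefixlen > dst.prefixlen and net.subnet_of(dst) and asn != best_as
                   for net, asn in rib)


if __name__ == "__main__":
    # rate-limit UDP/53 towards 192.0.2.0/24 to 1 MB/s; discard everything towards 192.0.2.10
    print(encode_nlri(dst="192.0.2.0/24", proto=17, dport=53).hex(), traffic_rate(1_000_000).hex())
    print(encode_nlri(dst="192.0.2.10/32").hex(), traffic_rate(0).hex())
```

The validation function is the reason an upstream router will not install a flow route for a prefix you do not originate: the DDoS victim's provider can accept rate-limit or discard rules from the customer only for the customer's own prefixes, and a more-specific announcement from another neighbour blocks the rule for the covering prefix.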
Management
Management options:
- Junos CLI
- Junos Space
- JDDOS UI
- STRM

Open management interfaces:
- DMI/NETCONF (IETF standard)
- Junos scripting
- SNMP
- Syslog logging
SECURITY THREAT RESPONSE MANAGER (STRM): log management, correlation, flow, SIEM

- STRM supports the SRX Series, including Intrusion Prevention System (IPS) and AppSecure
- 220+ out-of-the-box report templates
- Fully customizable reporting engine: creating, branding and scheduling delivery of reports
- Compliance reporting packages for PCI, SOX, FISMA, GLBA and HIPAA
- Reports based on control frameworks: NIST, ISO and COBIT
JUNOS DDOS SECURE + SRX + STRM

(Diagram: Upstream, Edge and Core tiers, with Junos DDoS Secure and the SRX pair in the traffic path to the Applications; an STRM log collector and an STRM flow collector feed the STRM console.)