Juniper Security Update – Relnet Technológia Kft. (Hendrych), 2010-12-19
2 Copyright © 2009 Juniper Networks, Inc. www.juniper.net
Agenda
• High End SRX security gateways: overview, SRX1400
• JunOS update
• AppSecure
• Competitive
This product roadmap sets forth Juniper Networks’ current intention and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted on this roadmap.
SRX / DATA CENTER SERVICES PLATFORMS
Next-Gen Security Systems – Scalable Performance – Rich Standard Services

High-end SRX chassis (the original diagram also shows the legacy ScreenOS platforms NS-5200, NS-5400, ISG1000 and ISG2000 alongside them):
• SRX1400: 3U, 3 CFM, 12 GE or 3 XGE + 9 GE, 1+1 PS, 10/2/2G, 0.5M sessions, 45 kcps
• SRX3400: 3U, 4+3 CFM, 8+4 GE, 2 RE*, 1+1 PS, 20/8/8G, 2M sessions, 175 kcps
• SRX3600: 5U, 6+6 CFM, 8+4 GE, 2 RE*, 2+2 PS, 30/10/10G, 2M sessions, 175 kcps
• SRX5600: 8U, 6 slots, 2 RE*, 1+1 SCB, 2+2 PS, 60/15/15G, 9M sessions, 350 kcps
• SRX5800: 16U, 12 slots, 2 RE*, 2+1 SCB, 2+2 AC / 3+1 DC, 120/30/30G, 10M sessions, 350 kcps
Note *: Redundant REs not currently supported

Rich standard services:
• Firewall
• VPN
• IPS
• Routing
• QoS
• AppSecure
• More to come…
• Extensible Security Services
• Integrated Networking Services
SRX1400 DETAILS
• Discrete Routing Engine with separate control & data planes; two USB, aux port, console port
• Management module, expansion slot, power supply (FRU); optional 2nd (redundant) hot-swap power supply, AC or DC; fan tray (rear)
• Choice of base systems:
  – GE base system: 12 GbE ports – 6x 10/100/1000 RJ45, 6x 1000BASE-X SFP; 2 HA or data ports
  – XGE base system: GbE & 10GbE ports – 6x 10/100/1000 RJ45, 3x 1000BASE-X SFP, 3x 10GbE SFP+; 2 HA or data ports
• Double-wide slot for processing resources: SRX1400 NSPC –or– SRX3000 NPC & SPC
• Future items & next-gen hardware: one SRX3000 IOC (2x 10GbE XFP –or– 16x 10/100/1000 –or– 16x 1000BASE-X)
SRX HE JunOS 10.2–10.3 highlights (shipping)
• ALG: IPSEC, MS-RPC, SUN-RPC, DNS, SIP, SQL
• AppID decoupled from IDP
• 802.3ad LACP chassis cluster
• IPv6 flow, QoS, filters, mgmt, screen, A/P HA
• Dual HA data/control links
• IDP nested applications
• AppTrack
• AppDoS cps limit
• IDP packet capture
• TCP/UDP sweep screen
• Cone NAT with wild-card
• Multicast HA
SRX HE JunOS 10.4 highlights (BETA)
• datapath-debug pcap support
• port mirroring
• IPv6 NAT, multicast, A/A HA
• NAT-PT, DNS ALG
• DS-Lite, IPv4 tunnels over IPv6 networks
• VoIP ALG DSCP rewrite
• IPv6 syn-flood protections
• DHCPv6
• SRX1400 platform
• session increase (SRX3600 – up to 6M sessions)
APPSECURE: APPID AS PART OF JUNOS SERVICES
Provide application visibility and context to additional services for enhanced, application-aware security.
[Diagram: Junos packet-processing pipeline – per-packet policer and filter on ingress, "Session match?" decision, AppID results feeding IPS, forwarding lookup, then per-packet filter, policer and shaper on egress]
APPSECURE SERVICE MODULES
[Diagram: flow processing hands traffic to the Application Identification Engine (AI; NAI shown as well), whose ID results feed the service modules AppTrack, AppFW, AppDoS, IPS and AppQoS; one module is marked as a future item]
APPSECURE: APPLICATION DENIAL OF SERVICE (AppDoS)
Identifies attacking botnet traffic vs. legitimate clients based on application-layer metrics and remediates against the botnet traffic.
Employs a multi-stage approach, from server connection monitoring and deep protocol analysis to bot-client classification:
1. Server connection monitoring
2. Protocol analysis
3. Bot-client classification
CONFIGURATION – NESTED-APPLICATION DEFINITION
Both predefined and custom nested-application definitions live under [edit services application-identification nested-application]:

[edit services application-identification]
nested-application junos:FACEBOOK {
    type FACEBOOK;
    index 311;
    protocol HTTP;
    signature NestedApplication:FACEBOOK {
        member m01 {
            context http-header-host;
            pattern ".*(facebook\.com|fbcdn\.net)";
            direction client-to-server;
        }
    }
}
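As an added example (not Junos code or Juniper's implementation), the following Python models how a nested-application signature of the shape above is evaluated: the parent protocol reported by AppID must match, each member's pattern is applied to its context, and the direction must agree. The semantics of whole-value matching and host-header normalisation are assumptions, and the sample requests are constructed.

```python
"""Added example, not Junos code: evaluate a nested-application signature like the
one above against constructed HTTP requests. Assumed semantics: the parent protocol
must match, each member's pattern must match its whole context value, and the
packet must travel in the member's direction."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Member:
    context: str    # only "http-header-host" is modelled here
    pattern: str    # Junos-style regex, assumed to match the whole context value
    direction: str  # "client-to-server" or "server-to-client"

@dataclass(frozen=True)
class NestedApplication:
    name: str       # e.g. "junos:FACEBOOK"
    protocol: str   # parent protocol reported by AppID, e.g. "HTTP"
    members: tuple  # every member must match for the signature to fire

def http_contexts(raw: bytes) -> dict:
    """Pull the contexts a signature may reference out of one HTTP request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    ctx = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            # drop an explicit port so the pattern sees only the host name
            ctx["http-header-host"] = value.strip().rsplit(":", 1)[0].lower()
    return ctx

def identify(app: NestedApplication, protocol: str, direction: str, raw: bytes):
    """Return app.name when every signature member matches, else None."""
    if protocol != app.protocol:
        return None
    ctx = http_contexts(raw)
    for m in app.members:
        if m.direction != direction or m.context not in ctx:
            return None
        if re.fullmatch(m.pattern, ctx[m.context]) is None:
            return None
    return app.name

# The signature from the slide, transcribed into the data model above.
FACEBOOK = NestedApplication("junos:FACEBOOK", "HTTP", (
    Member("http-header-host", r".*(facebook\.com|fbcdn\.net)", "client-to-server"),))

# Constructed sample requests (not captured traffic).
REQ_FB = b"GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
REQ_CDN = b"GET /a.png HTTP/1.1\r\nHost: static.fbcdn.net:80\r\n\r\n"
```

Because the slide's pattern starts with `.*`, any host name ending in facebook.com or fbcdn.net matches, including unrelated names such as notfacebook.com; custom signatures should anchor more tightly when the match drives AppFW or AppQoS decisions.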
Competitive Agenda
• Architecture
  – High End ScreenOS platform packet flow
  – High End SRX packet flow
• SRX Performance
• Integration of SRX with other security products
First Packet Flow
1. Incoming packet from I/O module into ASIC through FPGA switch fabric
2. ASIC parses the packet header and checks for a session match
3. If no session match is found, the ASIC passes the first 64 bytes to the management module through the control bus. If the management module needs more info, it can access the packet in the ASIC module’s memory.
4. Management module creates a new session and forwards the packet info to the ASIC module for transmission.
[Diagram: IF1/IF2 – FPGA – data bus – ASIC (with SDRAM) – control bus – Management Module; steps 1–4 marked on the path]
Packet Flow Existing Session
Session match found, ASIC handles the packet directly:
1. Incoming packet from I/O module
2. Packet transferred to ASIC through FPGA
3. Session matched, and the packet is placed in the transmit queue of the FPGA (NAT, IPSec encap/decap and screening for ASIC-based attacks all happen at the ASIC)
4. FPGA transfers the packet out through the I/O module
[Diagram: IF1/IF2 – FPGA – FIFO bus – ASIC (with SDRAM); control bus to Management Module; steps 1–4 marked on the path]
PACKET FLOW SRX 3K: FIRST PACKET OF NEW FLOW
1. Packet received by NP; NP flow lookup, no match
2. NP sends packet to CP
3. CP chooses SPU, forwards packet; SPU does session setup
4. Packet forwarded out egress port via NPC for queuing
[Diagram: IOC #X with NPC #R and IOC #Y with NPC #S (NP, FPGA, switch FPGA) connected through the fabric (IOC domain / SPC domain) to SPC #1 … SPC #N, each holding SPUs with FPGA and the CP]
PACKET FLOW SRX 3K: SESSION SETUP MESSAGES
1. SPU sends insert session to CP
2. SPU sends insert session to ingress NP
3. SPU sends insert session to egress NP
[Diagram: same SRX 3K layout – IOC #X/NPC #R, IOC #Y/NPC #S, fabric (IOC domain / SPC domain), SPC #1 … SPC #N with SPUs and CP]
PACKET FLOW SRX 3K: FAST PATH
1. Packet received by NP; NP flow lookup, match
2. NP sends packet to SPU; SPU does fast-path processing
3. Packet forwarded to egress NP
4. Packet egresses card
[Diagram: same SRX 3K layout – IOC #X/NPC #R, IOC #Y/NPC #S, fabric (IOC domain / SPC domain), SPC #1 … SPC #N with SPUs and CP]
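The three SRX 3K slides above (first packet, session-setup messages, fast path) as an added toy model in Python, not Juniper code. It assumes the CP selects an SPU by hashing the flow and that the setup messages install the forward wing on the ingress NP and the reverse wing on the egress NP, so reply packets also take the fast path; the same session-match-or-slow-path decision is what the ScreenOS ASIC slides describe.

```python
"""Added example, not Juniper code: a toy model of the SRX 3K flow on the three
slides above (first packet, session-setup messages, fast path). Assumptions: the
CP picks an SPU by hashing the flow, and the setup messages install the forward
wing on the ingress NP and the reverse wing on the egress NP; the real SPU
selection and table layout are not described on the page."""
import zlib
from dataclasses import dataclass, field

def reverse(key: tuple) -> tuple:
    """Reverse wing of a (proto, src_ip, src_port, dst_ip, dst_port) 5-tuple."""
    proto, sip, sport, dip, dport = key
    return (proto, dip, dport, sip, sport)

@dataclass
class SRX3K:
    n_spus: int = 4
    cp_table: dict = field(default_factory=dict)   # CP: 5-tuple -> owning SPU
    np_tables: dict = field(default_factory=dict)  # NP name -> {5-tuple: SPU}
    cp_hits: int = 0                               # packets that took the slow path
    log: list = field(default_factory=list)

    def _choose_spu(self, key: tuple) -> int:
        # Assumed: hash a direction-independent form so both wings land on one SPU.
        canon = min(key, reverse(key))
        return zlib.crc32(repr(canon).encode()) % self.n_spus

    def packet(self, key: tuple, ingress_np: str, egress_np: str) -> str:
        table = self.np_tables.setdefault(ingress_np, {})
        if key in table:
            # Fast path: NP match, packet goes to the owning SPU, then to the egress NP.
            self.log.append(f"{ingress_np}: match, SPU{table[key]} fast path, out {egress_np}")
            return "fast-path"
        # First packet of a new flow: no NP match, so the NP hands it to the CP,
        # the CP chooses an SPU and that SPU performs session setup.
        self.cp_hits += 1
        spu = self._choose_spu(key)
        self.log.append(f"{ingress_np}: no match, CP -> SPU{spu} setup, out {egress_np}")
        # Session-setup messages: SPU inserts the session at CP, ingress NP, egress NP.
        self.cp_table[key] = spu
        table[key] = spu
        self.np_tables.setdefault(egress_np, {})[reverse(key)] = spu
        return "first-packet"
```

Feeding the same 5-tuple twice shows the CP touched only once; feeding the reversed tuple on the egress NPC shows why the third insert message matters.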
ENTERPRISE-WIDE ACCESS CONTROL
Imagine a person on the road:
• User logs in from an un-patched device
• “Sales” user’s device is quarantined for automatic patch remediation
• Remediation successful; full network access granted
• User attempts to access “Finance” data, but is blocked
Enforcement steps shown in the diagram:
• SSL session data pushed to NAC via IF-MAP
• IC pushes role-based FW policies to SRX
• SRX senses attack, informs IC
• IC removes SRX access
• SSL VPN terminates user session
[Diagram: Mobile User – Internet – SSL VPN – SRX Firewall – NAC IC – Corporate Data Center (Apps, Data, Finance, Video); Patch Remediation; steps numbered 1–6]