Managed Security Services for Network Service Provider

Solution Brief
Alexis Berthillier
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
408 745 2000 or 888 JUNIPER
www.juniper.net
Part Number: 351097-001

Contents

  Introduction
  Managed Security Services
    Players
    Market
    Offerings
    Target Market
  A Complete Approach to MSS Solutions
    Traditional Managed Services
    Juniper Products for Managed Security Services
  Customer Case Study
    Customer Requirements
    Juniper Recommendation
  Future Managed Services
    Self-Service Managed Services
    Focused Application Delivery
  Conclusion

Copyright 2005, Juniper Networks, Inc.

Introduction

In the race to streamline business processes, lines of communication have been opened to partners, suppliers, customers, remote offices, and in-house and remote workers through the Internet, intranets and extranets. Opening the corporate network to so many avenues of communication increases the need for security, since these avenues have become vital to the operation of the business and give access to private corporate information, applications, and resources.

The inability of administrators to keep pace with the hundreds of new vulnerabilities in applications, operating systems and even network infrastructure has led to networks with more potential holes than barriers. Coupled with the fact that these vulnerabilities and the tools to exploit them are blatantly advertised on the Internet, enterprises face the daunting task of building walls to protect their network while keeping it open for their business.

Moreover, the time between the discovery of a vulnerability and the release of tools exploiting it is decreasing significantly, so network administrators have less time to react and install patches or fixes.
IMLogic, which provides information on viruses to a consortium of instant-message and antivirus-software companies including AOL, Yahoo and Microsoft, said 42 new viruses surfaced from January through mid-March, more than triple the number during the same period last year. There were 52 reported IM-linked viruses for all of 2004. So far, all of the threats have targeted Windows-based PCs.

Many IT administrators have begun to reevaluate their security arsenal and question their own ability to secure the network. The fact that they have so far struggled to secure their networks effectively with internal resources has led IT leaders to seek additional means of security; this is driving the growth of Managed Security Services. The trend is reinforced by the following factors:

  - Network downtime has cost enterprises an average of 3.6% of revenue in recent years (Infonetics Research, 2005).
  - Changes in legislation force enterprises to implement new policy measures to protect privacy.

This Solution Brief outlines the Managed Security Services landscape and the different approaches for delivering such services.

Managed Security Services

Managed Security Services (MSS) refers to security capabilities outsourced to Managed Security Service Providers (MSSPs). The extent of this outsourcing can range from supplementing an existing security feature to relinquishing full control and management to an MSSP. MSS is one of the many kinds of Managed Services in the market, alongside Routing, Hosting, LAN and VPN services.

Players

There are a large number of players in the MSSP market space, about 77 currently, including System Integrators, Network/Internet Service Providers, pure plays, consulting companies, and security vendors.
In such a fragmented market, the trend is towards consolidation to a few players who can offer a broad range of services, from network connectivity to security services, and deliver them to a worldwide customer base, as outlined by most security analysts and market researchers (Frost & Sullivan, Light Reading Insider). In this regard, Network Service Providers (NSPs) are ideally positioned to offer broader solutions that reinforce their existing services: they already have the customer base, since they provide connectivity and voice services, and security services bring better profitability and margins to counterbalance the ongoing revenue erosion on traditional services such as voice, leased-line or Frame Relay. Notably, however, some of the smaller players in this market may have better market penetration, since they entered the market early and specialize in security solutions.

Market

The key market factors driving enterprises to outsource their security are:

  - Network downtime has cost enterprises an average of 3.6% of revenue in the last few years (Infonetics Research, 2005).
  - Changes in legislation force enterprises to implement new policies to manage privacy: HIPAA, Gramm-Leach-Bliley (GLB), Sarbanes-Oxley, and many equivalent national measures (European Data Protection Directive, etc.).
  - Constant discovery of new vulnerabilities.
  - Cost of 24x7x365 monitoring.
  - Increased use of intranets and extranets.
  - Increasing complexity of applications and security equipment.
  - Lack and cost of qualified IT security specialists.
  - Cost savings offered by the economies of scale that MSSPs have.

On the other hand, there are some restraints within the enterprise to the adoption of managed services:

  - Enterprise customers are unwilling to relinquish control of their networks.
  - The difficult economy makes it hard for administrators to delegate their responsibilities (e.g., they may be afraid of layoffs).
Because of these positive factors, the MSS market is expected to grow significantly in the coming years.

Figure 1: Expected Growth of MSS Market (2004)

The market's revenue growth is attributable to the increasing adoption of these services by enterprises as well as to the recurring revenue model of the services industry. Current high customer satisfaction rates have led to industry-wide high retention rates, typically in the high 70% range. High customer satisfaction and retention give MSSPs the freedom to grow without that growth depending entirely on new customers. They can increase revenues from existing customers annually by positioning themselves as a solutions partner instead of a services provider. This distinction allows MSSPs to sell additional solutions or combinations of solutions, such as IPSec VPN with Firewall and Intrusion Detection and Prevention. Stronger relationships facilitate growth from within the MSSP's existing customer base, as both its service capabilities and the types and numbers of devices monitored increase.

The following chart outlines the growing demand for Managed Security Services.

Figure 2: Enterprises Identifying Services as Essential or Very Important

Offerings

The mix of services offered by MSSPs is expected to expand into Layer 4-7 analysis and protection to adapt to the new threats and attacks against enterprises. This is in part driving the demand for SSL remote access and managed IPS services.
Figure 3: Projected Percent of Revenues by Service in Global MSSP Market, 2001-2011

Target Market

Initially, MSSPs thought that large and medium enterprises were not their primary market, since they tend to have the resources to fund their own security IT staff and might therefore be opposed to outsourcing. As a result, it was thought that the ideal market for Managed Security Services was the Small and Medium Business (SMB) space, since SMBs do not typically have the resources to fund their own security (often they have no IT staff at all) and would therefore be natural candidates for outsourcing.

However, MSSPs quickly realized that the price levels were too high for SMBs, and that medium and large enterprises were indeed interested in outsourcing, often for no other reason than to serve as a safety net or complement to their in-house efforts. Since then, innovation and integration in security appliances and network devices, led by the Juniper Networks integrated Firewall/VPN product line, together with the use of dedicated security appliances rather than software-based solutions, has driven pricing down, bringing these services within reach of SMB budgets.

In most markets, large enterprises pave the way by being the first adopters of new technologies. A similar trend is seen in the MSS market, as SMBs are beginning to follow the lead of medium and large enterprises.
The majority of SMBs have not been addressed by the system integrators or pure plays, so they are now looking to their network service providers for these offerings, since they already rely on them for connectivity and voice services.

Service providers' business models might not align well with the customized nature of security services for large enterprises, which increasingly look for a consultative relationship with their security provider to get a solution tailored to their requirements. Such a custom solution generally requires a dedicated product rather than a product shared between multiple customers, and may be CPE-based, network-based, or a hybrid of both. However, as the SMB market ramps up, service providers have more opportunity to sell basic security services bundled with their data and voice services, and therefore to address the whole spectrum of customers and solutions.

| Segment       | Residential | SMB    | Medium Enterprises  | Large Enterprises |
|---------------|-------------|--------|---------------------|-------------------|
| Customization | Low         | Low    | Medium              | High              |
| Solution      | Shared      | Shared | Shared or Dedicated | Dedicated         |

As this evolution continues, service providers are starting to deploy network-based services to complement their existing CPE offerings in a shared environment, in order to match the cost point needed to address this market segment.

| Solution type      | Platform                 |
|--------------------|--------------------------|
| Shared Solution    | Network-based            |
| Dedicated Solution | CPE and/or Network-based |

Finally, this trend aligns service providers more closely with the residential opportunity in front of them: with the aggressive rollout of broadband to the home, residential connections will ultimately be secured the same way as SMBs and enterprises.

A Complete Approach to MSS Solutions

Juniper Networks is a market leader in both security and IP solutions. Following the MSS trends, Juniper has a clear strategy for both enterprises and MSSPs to be successful.
Juniper is committed to managed services as a way to increase its partners' value add, and as such has solutions in three contexts:

  - Traditional Managed Services: Managed services targeted at delivering solutions to Service Providers who offer a fully managed service.
  - Self-Service Managed Services: Intelligent service and policy control capabilities that allow the SP to offer shared management to the customer (self-service) to increase responsiveness, reduce cost and add customer value.
  - Focused Application Delivery: Application-based service control enabling network services to be integrated into application delivery, driven in part by architectures such as IBM's Services Oriented Architecture and application hosting. This increases the value of the network element in delivering applications and transfers some margin from the ASP to the NSP.

Traditional Managed Services

Currently, most MSSPs offer CPE-based solutions to their customers; a typical deployment of such an offer is shown in the following figure.

Figure 4: CPE-based Managed Firewall Service (location of platform: CPE-based; service management: Service Provider; solution: dedicated; managed from the SP NOC)

The CPE security device resides at the customer location and is remotely managed by the Security Network Operations Center (SNOC). This solution mainly addresses custom deals with medium and large enterprises, since these companies usually have very particular requirements, so a combination of security devices and custom policies is implemented at the customer location. For example, a J-series router might be combined with a NetScreen integrated IPSec Firewall for IPSec termination and firewall services, an IDP for intrusion detection, and an SSL Secure Access appliance for remote access.

However, with the trend towards SMB and possibly residential offerings, this solution does not scale from a CAPEX and OPEX point of view.
As a result, MSSPs are now starting to deploy network-based solutions, where the CPE device is a router providing connectivity to the Central Office (CO) or Service PoP of the MSSP, where the security services are actually provided.

Figure 5: Managed Services Provided at CO or PoP (location of platform: network-based; service management: Service Provider; solution: dedicated or shared; managed from the SP NOC)

Juniper Products for Managed Security Services

| Managed Service Category         | Juniper CPE Products                                                         | Juniper Network-Based Products                                                                                                         |
|----------------------------------|------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|
| Managed security (F/W + A/V)     | NetScreen-HSC, NetScreen-5GT (AV), and NetScreen FW/IPSec VPN product line; J-series | NetScreen-500, NetScreen-5400 with Virtual Systems; M/T-series with the AS PIC; M7i, M10i with the AS PIC                        |
| Managed site-to-site VPN (IPSec) | NetScreen FW/IPSec VPN product line; J-series                                | NetScreen-500, NetScreen-5400 with Virtual Systems; M/T-series with the AS PIC; M7i, M10i with the AS PIC; E-series with the TSM blade |
| Managed remote access VPN (SSL)  | NetScreen-SA 1000, 3000, 5000; NetScreen-RA 500                              | Virtualized NetScreen-SA 1000, 3000, 5000; NetScreen-RA 500                                                                            |
| Managed Intrusion Prevention     | NetScreen-IDP 10, 100, 500, 1000                                             | IDP as part of NetScreen ISG-2000                                                                                                      |
| Managed Extranet                 | NetScreen-SA 1000, 3000, 5000                                                | Virtualized NetScreen-SA 1000, 3000, 5000                                                                                              |

Customer Case Study

This case study is based on a Juniper partner who employs Juniper security products to deliver a managed, network-based IPsec VPN service.

Customer Requirements

The key requirements were:

  - Managed firewall to connect to the Internet
  - Managed remote access for road-warriors and telecommuters
  - Managed site-to-site VPN for branches

Juniper Recommendation

To furnish an MSS solution for this MSSP, Juniper offers either a single-box or a two-box solution.
The choices are:

  - The E-series with stateful firewall enabled on a service module, or
  - A two-box solution with an E-series router coupled with a NetScreen-5200/5400 firewall.

On the surface, a single ERX with a Service Module could appear to be the most cost-effective solution. However, in order to support the required 500 virtual routers from a firewall perspective, a two-box solution using the ERX 1440 and NetScreen-5200/5400 was selected in this case. This two-box solution is able to support 500 customer virtual ports per ERX/NetScreen pair. However, since one of the requirements is integrated management, the final solution also includes a management platform from a Juniper partner (Dorado), so that the solution appears as seamless as a single box.

Figure 6: The Two-Box Solution (diagram labels: MPLS Network, VRs, GigE trusted and untrusted interfaces, IPSec tunnel for redundancy of all traffic, GRE over IPSec to the remote location, IPSec to the remote employee)

Future Managed Services

The next level of managed services offerings could be self-service managed services, or application delivery, in order to further reduce the cost of operation and to address the enterprises which do not want to outsource their security to a third-party provider for fear of losing control and/or having to lay off some of their personnel.

Self-Service Managed Services

In addition to all the services described above, Juniper Networks recognizes that in some cases it is hard for an enterprise to decide to outsource its security to a third party. The following figure outlines some of the reasons for this.
Figure 7: Restraints to Outsourcing Security Services

Since the two major restraints relate to handing management of the security policy to a third-party provider, Juniper Networks addresses these issues through an enterprise web-based portal. Using this portal, the MSSP can delegate security policy management to the enterprise IT manager according to the customer's subscription. The IT manager can either have read access to the customer's policies, logs and SLA monitoring data, or have full access to these data and therefore total control, as if the security device were the customer's own. As a result, even though the security device is shared among several customers, each of them can manage its own security policies in addition to the MSSP. Such a portal also benefits the MSSP: initial service customization is reduced, as are ongoing management and customer relationship tasks, ultimately providing a customized service offering with reduced load on the services organization and its call center.
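The delegation model just described (one shared device, per-customer policy sets, read-only or full access per subscription) and the application-driven policy change of the Focused Application Delivery section that follows, written out as an added Python example. This is not code from the Juniper brief or from any Juniper product: the class names, the subscription level names, the MSSP principal, the single-host/single-port admission rule and the pinhole lifetime cap are all assumptions of this example. The two checks a practitioner cares about are that a customer can never reach another customer's policy set whatever its subscription level, and that an application-requested pinhole is narrow, carries an expiry, and is closed when it lapses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network
from typing import Dict, List, Optional

# Subscription levels, the provider's own principal, and the pinhole lifetime
# cap are all assumptions of this example, not terms from the brief.
READ_ONLY, FULL, MSSP = "read", "full", "mssp"
MAX_PINHOLE = timedelta(hours=4)


@dataclass(frozen=True)
class Rule:
    src: str          # source CIDR
    dst: str          # destination CIDR
    proto: str        # "tcp" or "udp"
    port: int
    action: str       # "allow" or "deny"
    expires: Optional[datetime] = None   # None: permanent customer policy


class PortalError(Exception):
    pass


class SharedFirewall:
    """One device shared by several customers, each with its own policy set."""
    def __init__(self):
        self.policies: Dict[str, List[Rule]] = {}   # customer -> rules
        self.audit: List[str] = []                  # who changed what, for whom


class Portal:
    """Delegates policy management per customer according to its subscription.
    Every call names the acting principal, so each decision is explicit."""

    def __init__(self, fw: SharedFirewall):
        self.fw = fw
        self.subscriptions: Dict[str, str] = {}

    def subscribe(self, cust: str, level: str):
        if level not in (READ_ONLY, FULL):
            raise PortalError(f"unknown subscription level {level!r}")
        self.fw.policies.setdefault(cust, [])
        self.subscriptions[cust] = level

    def _authorize(self, actor: str, cust: str, write: bool):
        if cust not in self.subscriptions:
            raise PortalError(f"unknown customer {cust!r}")
        # Tenant isolation: a customer reaches only its own policy set, whatever
        # level it holds; only the MSSP NOC may act for any customer.
        if actor != MSSP and actor != cust:
            raise PortalError(f"{actor!r} may not access {cust!r}")
        # Read-only subscribers may view their policy but not change it.
        if actor != MSSP and write and self.subscriptions[cust] != FULL:
            raise PortalError(f"{actor!r} holds read-only access")

    def view_policy(self, actor: str, cust: str) -> List[Rule]:
        self._authorize(actor, cust, write=False)
        return list(self.fw.policies[cust])

    def add_rule(self, actor: str, cust: str, rule: Rule):
        self._authorize(actor, cust, write=True)
        self.fw.policies[cust].append(rule)
        self.fw.audit.append(f"{actor} added {rule} for {cust}")

    def remove_rule(self, actor: str, cust: str, rule: Rule):
        self._authorize(actor, cust, write=True)
        self.fw.policies[cust].remove(rule)
        self.fw.audit.append(f"{actor} removed {rule} for {cust}")


class ApplicationGateway:
    """The SDX role of Figure 9: an application asks for a pinhole on the
    customer's behalf; admission control keeps it to one host, one port and a
    bounded lifetime, and the provider pushes it and later closes it."""

    def __init__(self, portal: Portal):
        self.portal = portal

    def activate(self, cust, src, dst, proto, port, duration, now) -> Rule:
        if proto not in ("tcp", "udp") or not 0 < port < 65536:
            raise PortalError("a pinhole must name a single tcp/udp port")
        if ip_network(dst, strict=False).num_addresses != 1:
            raise PortalError("a pinhole destination must be a single host")
        if duration > MAX_PINHOLE:
            raise PortalError("pinhole lifetime exceeds the carrier's cap")
        rule = Rule(src, dst, proto, port, "allow", expires=now + duration)
        self.portal.add_rule(MSSP, cust, rule)   # admission passed: push it
        return rule

    def sweep(self, now: datetime) -> int:
        """Close every expired pinhole; returns how many were removed."""
        closed = 0
        for cust, rules in self.portal.fw.policies.items():
            for r in [r for r in rules if r.expires and r.expires <= now]:
                self.portal.remove_rule(MSSP, cust, r)
                closed += 1
        return closed
```

The gateway pushes the pinhole as the MSSP principal rather than as the customer, because in Figure 9 it is the provider's SDX that performs admission control; the customer's own subscription level governs what the customer may change through the portal, while the carrier-defined admission checks govern what an application may open. The audit list is the trail the MSSP would hand the customer when it asks who changed a policy and why.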
Figure 8: Managed Firewall Self-Service Solution (sites shown: Boston, Dallas)

| Business FW                                                      | Business+ FW                                                                | Customized FW                            |
|------------------------------------------------------------------|-----------------------------------------------------------------------------|------------------------------------------|
| Generic FW services defined in directory                         | Customized FW service                                                       | View FW hit reports (audits and alerts)  |
| Customer does not have direct control to customize the service   | Customer can modify FW definitions on the fly (as defined by the carrier)   | Connections allowed/disallowed/completed |
| Subscribe only                                                   | Subscribe + Modify                                                          | Variety of alerts                        |

Focused Application Delivery

As the world migrates towards Infranets, the networking landscape will be transformed, allowing Network Service Providers to deliver a secure, predictable IP infrastructure as well as a framework for dynamic and assured user experiences. Juniper Networks is working with partners to move the user experience to the next level, and to ease the provisioning, management and service monitoring tasks related to Managed Security Services by relying on the application to request changes to the network and security policies on behalf of the customer.

Figure 9: Juniper Polycom Solution
  1. Home Office dials Head Office.
  2. Service Activation Request (SOAP message).
  3. SDX performs admission control and pushes a new security policy to open the appropriate pin-holes in the firewall.
  4. Active call between the parties is initiated.

Conclusion

Security threats are at an all-time high, and the increasing demand on network/security administrators' resources to keep up with the constant torrent of new vulnerabilities has led to billions of dollars of revenue lost each year, as published by Infonetics Research (2005).
As enterprises struggle to cope with these issues, governments around the world are increasing their focus, introducing legislation to further ensure that enterprises take privacy very seriously.

MSSPs provide complete security solutions to enterprises. Having started with custom solutions for medium and large enterprises in the past few years, they are now trying to extend this business to SMBs, and possibly residential customers, by leveraging new technologies and solutions.

Juniper Networks is in a leadership position in the security space, as it has the largest product breadth and a unique strategy to partner with MSSPs to deliver secure and assured solutions:

  - Traditional Managed Services: Managed services targeted at delivering solutions to Service Providers who offer a fully managed service.
  - Self-Service Managed Services: Intelligent service and policy control capabilities that allow the SP to offer shared management to the customer (self-service) to increase responsiveness, reduce cost and add customer value.
  - Focused Application Delivery: Application-based service control enabling network services to be integrated into application delivery, driven in part by architectures such as IBM's Services Oriented Architecture and application hosting. This increases the value of the network element in delivering applications and transfers some margin from the ASP to the NSP.

Copyright 2005, Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, the NetScreen logo, NetScreen-Global Pro, ScreenOS, and GigaScreen are registered trademarks of Juniper Networks, Inc. in the United States and other countries.

The following are trademarks of Juniper Networks, Inc.: ERX, ESP, E-series, Instant Virtual Extranet, Internet Processor, J2300, J4300, J6300, J-Protect, J-series, J-Web, JUNOS, JUNOScope, JUNOScript, JUNOSe, M5, M7i, M10, M10i, M20, M40, M40e, M160, M320, M-series, MMD, NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-SA 1000 Series, NetScreen-SA 3000 Series, NetScreen-SA 5000 Series, NetScreen-SA Central Manager, NetScreen Secure Access, NetScreen-SM 3000, NetScreen-Security Manager, NMC-RX, SDX, Stateful Signature, T320, T640, and T-series. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.