securing the datacenter · cost efficiency and optimization . byod . new applications and cloud...

Copyright © 2014 Juniper Networks, Inc. 1 Copyright © 2013 Juniper Networks, Inc. SECURING THE DATACENTER CAIO KLEIN SEGURINFO 2014


Page 1

SECURING THE DATACENTER

CAIO KLEIN SEGURINFO 2014

Page 2

Access Apps Networks Mgmt Mobility Campus Data center Cloud Products

SECURITY AT JUNIPER

Security innovation & leadership

Customer segments Service providers, enterprise

Business segments Routing, switching, security

Invest more than 20% of revenue on R&D

Leader in high-end firewalls and remote access SSL VPN

Pioneer in Intrusion Deception technology

DDoS advanced technology

First to deliver purpose-built virtual firewall

SC Magazine 2013 best cloud and SSL VPN solution

Tech Target’s 2013 reader’s choice gold awards for virtual security, IDP, and NAC

Page 3

Security requirements

TRANSLATING BUSINESS DRIVERS TO SECURITY REQUIREMENTS

IT initiatives Business drivers

CIO CTO CSO

Business agility

Cost efficiency and optimization

BYOD

New applications and cloud services

Technology consolidation and modernization

Broad device coverage

Flexible deployment options

Scalability and simplicity

Employee productivity

Page 4

TRENDS THAT AFFECT THE DATA CENTER

CHANGING IT LANDSCAPE
• Mobility
• Cloud & virtualization
• Massive traffic increase

EVOLUTION OF THREATS
• Targeted attacks
• Sophisticated tools
• Economics favor bad actors

COSTS AND RISK INCREASE
• Broader attack surface
• Brand impact
• Financial impact

Page 5

DDoS SECURE ADVANCED DDoS MITIGATION TECHNOLOGY FOR YOUR NETWORK AND APPLICATIONS

Page 6

TARGETED ATTACKS ON THE RISE

Targeted, deliberate, and expensive: Money, Intellectual property, Records

Fact
• 70% of all threats are at the Web application layer*
• 70+% of organizations have been hacked in the past two years through insecure Web apps***
• Yet 66% of breaches took months or more to discover**

Business Impact
• Average cost incurred from a successful breach: $8.9M**
• Average annual cost incurred from a DDoS attack: $3.5M***

Source: * Gartner ** 2012 Cost of Cyber Crime Study, Ponemon Institute, 2012 *** Ponemon Institute, 2013

Page 7

EVOLVING DDoS ATTACK COMPLEXITY

[Chart: Stealth axis (Volumetric to Low-and-slow) against Newness axis (Known to Unknown). Labels: Thresholds & Netflow Analysis; Signature-Based Scrubbers; Emerging Threats]

Challenge: manual management of IP thresholds in dynamic networks

Challenge: Creating signatures for new attacks

Challenge: Maintaining Known signatures of attacks

Page 8

DDoS ATTACK VECTORS

VOLUMETRIC
• Easy to detect
• Attacks are getting bigger in size
• Frequency of attacks increasing at a moderate rate

ANYTHING THAT MAKES THE RESOURCES BUSY
• Flash mobs organized via social media
• Overwhelming legitimate requests for tickets for a big event available in a very short period of time

LOW AND SLOW
• Growing faster than volumetric – 25% of attacks in 2013 (source: Gartner)
• More sophisticated & difficult to detect
• Target back-end weaknesses
• Small volume of requests can take out a large Web site

Page 9

INTRODUCING DDoS SECURE

Prevents volumetric and application-level “Low and Slow” DDoS attacks

[Diagram labels: Normal Traffic; DDoS Attack Traffic; Heuristic Analysis; Normal Traffic]

Benefits

Comprehensive Anti-DDoS Solution
• Detects and mitigates multi-vector DDoS attacks, including those that target specific applications
• Ensures availability for legitimate users while blocking malicious traffic, even under the most extreme attack conditions
• 80% effective 10 minutes after installation
• 99.999% effective after 6-12 hours
• Signature-free dynamic heuristic technology
• No tuning or thresholds required (install and forget)
• Flexible deployment options (physical and virtual)

Page 10

KEY CONCEPT: CHARM ALGORITHM

CHARM: Real-time risk score for each source IP

• Simple example: real human traffic is typically bursty and irregular; machine/bot traffic is regular

• Algorithms updated regularly with characteristics of new attacks

[Scale: 0 to 100, initial value 50; labels: Human-like, Machine-like; Per Packet]

Page 11

DDoS SECURE – HOW DOES IT WORK

• Packet validated against pre-defined RFC filters
• Malformed and mis-sequenced packets dropped
• Individual IP addresses assigned CHARM value
• Value assigned based on IP behaviours

Low CHARM Value: Mechanistic Traffic

Medium CHARM Value: First Time Traffic

High CHARM Value: Humanistic, Trusted Traffic

Page 12

CHARM threshold changes dynamically with resource response state

Access dependent on CHARM threshold of target resource

DDoS SECURE – HOW DOES IT WORK (CONT’D)

• Below threshold packets dropped

• Above threshold allowed uninterrupted access

• Minimal (if any) false positives

• Full stateful engine measures response times

• Dynamic and self-learning resource limitations

• No server Agents

Page 13

DDoS SECURE PACKET FLOW SEQUENCE

Dynamic Resource Control

[Diagram labels, in flow order: Packet Enters; Syntax Screener (OK So Far, or Drop Packet); CHARM Generator (With CHARM Value; IP Behavior Table); CHARM Screener (Resource CHARM Threshold; Drop Packet); Packet Exits]

1. Validates data packet
• Validates against defined filters
• Validates packet against RFCs
• Validates packet sequencing
• TCP connection state

2. Calculates CHARM value for data packet
• References IP behavior table
• Function of time and historical behavior
• Better behaved = better CHARM

3. Behavior is recorded
• Supports up to 32M profiles
• Profiles aged on least used basis

4. Calculates CHARM Threshold
• Responsiveness of resource

5. Allow or Drop
• CHARM threshold
• CHARM value

Page 14

Dynamic Resource Control Example DDoS SECURE RESOURCE MANAGEMENT

In this example, Resource 2’s response time starts to degrade and the CHARM pass threshold is increased to start the process of rate limiting the bad traffic. At this point the good traffic will continue to pass unhindered whilst the attackers will start to believe their attack has been successful as their request fails.

Resource 1 Resource 2 Resource 3 Resource ‘N’

The attack traffic to Resource 2 reduces as the attackers switch the attack to Resource 3. Once again, DDoS Secure responds dynamically by increasing the pass threshold for Resource 3 limiting bad traffic.
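
An added illustration of the five-step packet flow and the dynamic pass threshold described in the slides above; it is not Juniper's CHARM algorithm and not code from the presentation. The scoring heuristic (variation of inter-arrival gaps), the response-time-to-threshold mapping, the SYN+FIN check, and all names, constants and sample addresses are assumptions.

```python
"""Toy model of a per-source score checked against a per-resource threshold.
Not Juniper's CHARM algorithm: every formula and constant here is an assumption."""
from collections import OrderedDict
from statistics import mean, pstdev

INITIAL_SCORE = 50.0   # slides: scale 0..100, first-time traffic starts at 50


class BehaviorTable:
    """Per-source profiles, aged out on a least-recently-used basis (step 3)."""

    def __init__(self, capacity=1000):   # slides quote 32M; small here
        self.capacity = capacity
        self.profiles = OrderedDict()    # src -> {"score", "last", "gaps"}

    def update(self, src, now):
        """Record one packet from src and return its updated score (step 2)."""
        p = self.profiles.pop(src, None) or {
            "score": INITIAL_SCORE, "last": None, "gaps": []}
        if p["last"] is not None:
            p["gaps"] = (p["gaps"] + [now - p["last"]])[-8:]
        p["last"] = now
        if len(p["gaps"]) >= 4:
            # Assumed heuristic: coefficient of variation of inter-arrival gaps.
            # Near 0 is metronome-regular (machine-like); large is bursty.
            avg = mean(p["gaps"])
            cv = pstdev(p["gaps"]) / avg if avg else 0.0
            p["score"] = min(100.0, max(0.0, p["score"] + (5.0 if cv > 0.5 else -5.0)))
        self.profiles[src] = p                  # re-insert as most recently used
        while len(self.profiles) > self.capacity:
            self.profiles.popitem(last=False)   # evict least recently used
        return p["score"]


def pass_threshold(response_ms, healthy_ms=100.0, failing_ms=1000.0):
    """Step 4, assumed mapping: 0 while the resource responds quickly,
    rising linearly to 100 as its response time degrades."""
    frac = (response_ms - healthy_ms) / (failing_ms - healthy_ms)
    return 100.0 * min(1.0, max(0.0, frac))


def syntax_ok(pkt):
    """Step 1 stand-in for the RFC checks: reject an illegal SYN+FIN flag pair."""
    return not {"SYN", "FIN"} <= set(pkt["flags"])


def screen(pkt, table, response_ms):
    """Run one packet through steps 1-5 and return the verdict."""
    if not syntax_ok(pkt):
        return "drop-syntax"
    score = table.update(pkt["src"], pkt["t"])
    return "pass" if score >= pass_threshold(response_ms) else "drop-charm"


def simulate():
    """Constructed traffic: a bot sending every 0.10 s and a bursty human client.
    The resource is healthy (80 ms) for the first second, then degrades (550 ms)."""
    table = BehaviorTable()
    bot = [{"src": "198.51.100.7", "t": i * 0.10, "flags": ["ACK"]} for i in range(20)]
    human_t = [0.0, 0.05, 0.9, 1.0, 2.7, 2.75, 2.8, 4.1, 4.15, 6.0]
    human = [{"src": "203.0.113.9", "t": t, "flags": ["ACK"]} for t in human_t]
    verdicts = {}
    for pkt in sorted(bot + human, key=lambda p: p["t"]):
        response_ms = 80.0 if pkt["t"] < 1.0 else 550.0
        verdicts.setdefault(pkt["src"], []).append(screen(pkt, table, response_ms))
    return verdicts


if __name__ == "__main__":
    for src, seq in simulate().items():
        print(src, seq)
```

While the resource is healthy the threshold is 0 and both sources pass; once it degrades, only the regular sender falls below the raised threshold, which mirrors the behaviour the Resource 2 example describes.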

Page 15

HEURISTIC MITIGATION IN ACTION

[Diagram labels: DDoS Secure Heuristic Analysis; DDoS Attack Traffic; Normal Internet Traffic; Management PC; Resources]

Normal Internet traffic flows through the DDoS Secure appliance, while the software analyzes the type, origin, flow, data rate, sequencing, style and protocol being utilized by all inbound and outbound traffic. The analysis is heuristic in nature and adjusts over time but is applied in real time with minimal (<1ms) latency.

Page 16

DNS REFLECTIVE / AMPLIFICATION

Page 17

DNS RESOLVER PROTECTION

Measurement on App Response JDDS SRX DNS Resolvers

Inline Inspection Inbound Traffic Measurement

Eliminates DNS Reflection Attacks & Backscatter

1 2

3

• Sits passively inline
• Measures both inbound and outbound traffic flow

• Monitors DNS Resource Records by Domain
• Monitors Responses from Resolver
• Monitors Resolver’s Recursive Activity

• HTTP
• HTTPS (SSL & TLS)
• DNS
• VoIP / SIP

Juniper DDoS Secure (JDDS)

Native App Protection

Page 18

THE WORLD’S MOST ADVANCED HEURISTIC DDoS TECHNOLOGY

Page 19

WEBAPP SECURE THE SMARTEST WAY TO PROTECT WEBSITES AND WEBAPPS FROM ATTACKS

Page 20

THE JUNOS WEBAPP SECURE ADVANTAGE

DECEPTION-BASED SECURITY

Detect: “Tar Traps” detect threats without false positives.

Track: Track IPs, browsers, software and scripts.

Profile: Understand attacker’s capabilities and intents.

Respond: Adaptive responses, including block, warn and deceive.

Page 21

DETECTION BY DECEPTION

App Server

Server Configuration

Network Perimeter

Database Firewall

Query String Parameters

Tar Traps

Hidden Input Fields

Page 22

TRACK ATTACKERS BEYOND THE IP

Track Software and Script Attacks: Fingerprinting. HTTP communications.

Track Browser Attacks: Persistent Token. Capacity to persist in all browsers including various privacy control features.

Track IP Address

Page 23

JUNOS SPOTLIGHT SECURE

Attacker from San Francisco

Junos Spotlight Secure Global Attacker Intelligence Service

Junos WebApp Secure protected site in UK

Attacker fingerprint uploaded

Attacker fingerprint available for all sites protected by Junos WebApp Secure

Detect Anywhere, Stop Everywhere

Page 24

FINGERPRINT OF AN ATTACKER

Browser version, Fonts, Browser add-ons, Timezone, IP Address

200+ attributes used to create the fingerprint.

~ Real Time availability of fingerprints

nearly zero

Page 25

SMART PROFILE OF ATTACKER

Attacker local name (on machine)

Incident history

Attacker threat level

Attacker global name (in Spotlight)

Page 26

RESPOND AND DECEIVE Junos WebApp Secure Responses

Human Hacker Botnet

Targeted Scan IP Scan

Scripts & Tools

Exploits

Warn attacker

Block user

Force CAPTCHA

Slow connection

Simulate broken application

Force log-out

All responses are available for any type of threat. Highlighted responses are most appropriate for each type of threat.

Page 27

VIRTUAL SECURITY & FIREFLY SUITE

Page 28

MARKET SITUATION, BY GARTNER

By 2016: public cloud infrastructure will include and be managed as critical national infrastructure regulations by the U.S.

By 2015: 20% of overall VPN/Firewall market will be deployed in a virtual element.

100%: Cloud as a delivery model will shape buying and prioritization of security.

By 2015: 10% of overall IT security products capabilities will be delivered in/from the cloud.

Worldwide public cloud services: 131B

Page 29

CLOUD & MSSP MARKET TRENDS

FROM (Legacy Model of the Business Network) -> TO (Today’s Flexible, Proactive Business Network)

Physical Networks Elements -> Virtual Networks Elements and Overlays

Traditional Security Perimeters -> Blurred Boundaries, Everyone Is an Insider

Overprovisioned Hardware -> Elastic Compute, Security and Storage

Controlled & Defined User/Admin Roles -> Self Provisioned Security, Virtual Admins

Corp. Managed, Static Apps -> SaaS, User-Chosen Apps, Rogue Clouds

Simple Isolated Security Management -> Specialized, Intelligent & Coordinated Identity-based Security Management

Page 30

INTRODUCING THE FIREFLY SUITE

Security for virtual assets. Monitoring and control. Intelligence and automation.

[Diagram labels: SRX; Hybrid Cloud; Junos Space Security and Virtual Director; MX Universal Router; Internet; OSS/BSS Customer Portal; Virtualized Host, Multi-tenant; MX WAN; Enterprise; Hypervisor; Firefly Host; VM; Firefly Perimeter]

Fully virtualized security solution protecting virtual applications and workloads in public or private clouds, with Juniper Firefly Host providing protection for the cloud and Firefly Perimeter & Junos Space Virtual Director providing protection from the cloud.

Page 31

FIREFLY PERIMETER

Page 32

FIREFLY PERIMETER

Firefly Perimeter: virtual version of the SRX; provides north / south firewall (5Gbps), NAT, routing, VPN connectivity features in a flexible virtual machine format

Availability: JAN 15 2014 Official Public Launch! (VMware and Contrail)

[Diagram labels: Firefly Perimeter; VM; Secure]

Page 33

A CLOSER LOOK AT FIREFLY PERIMETER

Perimeter Security: Firewall, VPN, NAT, Network Admission Control

Content: Anti-Virus, IPS (Full IDP Feature Set), Web Filtering, Anti-Spam

Application: Application Awareness, Identity Awareness

CLI, JWeb, SNMP, JSpace-SD, Hypervisor Management, HA/FT

Junos Routing Protocols and SDK

Junos Rich & Extensible Security Stack

Fully-tested Junos-based SRX code in a VM provides all Junos-related automation and connectivity options in addition to firewall

Page 34

JUNOSV FIREFLY PERIMETER HA

Firefly Perimeter will support ‘Chassis Clustering’ (both Active-Active as well as Active-Passive modes). This support provides full stateful failover for any connections being processed. In addition, it will be possible for the cluster members to span hypervisors.

[Diagram labels: two Virtualized Environments, each with a HYPERVISOR and VMs; Firefly Perim Customer 1 (Active); Firefly Perim Customer 1 (Passive); Firefly Perim Customer 2 (Active); Firefly Perim Customer 2 (Passive)]

Page 35

FIREFLY HOST

Page 36

FIREFLY HOST (FORMERLY VGW)

Security Suite integrated into Hypervisor Kernel. Provides East/West Firewall (35+Gbps), AV, IDS, Compliance, Introspection, Network Monitoring

AVAILABILITY: VMWARE NOW, CONTRAIL SCOPING FOR 2014

[Diagram labels: Firefly Host Engine; VM, VM1, VM2, VM3; VMWARE DVFILTER; VMWARE VSWITCH OR CISCO 1000V; HYPERVISOR; ESX Kernel; ESX Host]

Firefly Host SECURITY VM
• POLICY FROM MGMT TO ENGINE
• LOGGING FROM ENGINE TO MGMT
• IDS ENGINE
• DEPLOYED AS HA PAIR
• DELIVERED AS VIRTUAL APPLIANCE

The Firefly Host ENGINE
• FULL FW IMPLEMENTATION IN THE KERNEL
• STATEFUL FW
• PER-VM POLICY

Page 37

SECURE

Complete firewall protection for any network traffic to or from a VM

Antivirus components controlled centrally (scanner config, alert viewing, infected file remediation)

IDS: send selectable traffic flows to internal IDS engine for deep-packet analysis against dynamic signature set

Page 38

MONITOR AND CONTROL

Network visibility: all VM traffic flows stored in database and available for analysis

Pre-defined and customizable Reports

Compliance module includes pre-defined rules based on virtual security best practices as well as customers’ rules

Page 39

INTELLIGENCE AND AUTOMATION

Introspection: agent-less ability to scan a VM’s virtual disk contents to understand what’s installed

Smart Groups allow for the use of attributes to create dynamic system associations

Open and ready for innovation with rich sets of APIs

Page 40

VIRTUAL SECURITY AND SDN

Page 41

Complete line-up of Virtual Security Services and Connectivity Options!

• Protect critical asset against internal or external attack

• Utilize Intrusion Deception to uniquely defend web applications and increase complexity and cost of attack for bad actors

• Break attack automation with “fake” attack paths and responses that intelligently match attacker skillset while leaving legitimate users’ experience unaffected

• Provide connectivity (SSLVPN, NAC) via virtualized form factor

• Filter Distributed-Denial-of-Service attacks

DMZ

Web Apps

Internet

Internal LAN

User

Pulse SA Virtual Pulse UAC Virtual

VIRTUAL SECURITY & CONNECTIVITY

JUNIPER VIRTUALIZED SECURITY PORTFOLIO THE FLEXIBILITY OF CHOICE

SOLUTION

DDoS Secure Virtual

Firefly

WebApp Secure Virtual

Secure Analytics Virtual

Page 42

SECURITY SERVICES ARE KEY ELEMENT IN SDN

[Diagram labels: Firefly Perimeter; DDoS Secure; WebApp Secure; Pulse SA; Secure Analytics; Other services; 3rd party services]

x86 Server/x86 Blade

Contrail Controller + vRouter

Virtual Infrastructure (OpenStack, etc.)

SOFTWARE-BASED SOLUTION, ENABLING CROSS-SELL & UPSELL OPPORTUNITIES WITH CONTRAIL INTEGRATION AND SUPPORT FOR SDN

NEW FLEXIBLE AND DYNAMIC APPROACH

• Reduced OPEX

• Flexible choices

• Elastic scaling of Security Services

• Reduced CAPEX

Page 43

VIRTUAL SECURITY WITH CONTRAIL

Aspect | Old School | Contrail (NFV + SDN)

Ordering | Weeks / months | Instantly

HW cost | High custom HW | Commodity x86

Deployment | Cabling | “click”

Scale | Limited | Elastic

Retirement | Depreciation | Re provisioning

Investment Protection | Low | High

Resource limitation | High | Service Chaining

Page 44

SUMMARY

• Intrusion prevention by Deception is the smartest tool to keep attackers away from your Web Application
• Smarter Heuristic is required to identify DDoS and protect your resources from unavailability
• Security Virtualization is mandatory on the Cloud environment
• The complexity of virtual environments also requires orchestration (NFV + SDN)

Page 45

Thank you