Securing Networks with Juniper Networks

Transcription

1 Securing Networks with Juniper Networks Juniper Security Features Jean-Marc Uzé Liaison Research, Education and Government Networks and Institutions, EMEA TF-CSIRT Meeting, 26/09/02 Agenda Introduction Juniper Networks Routers Architecture Router Protection Encryption of Traffic Source Address Verification Real-time Traffic Analysis I/O Filters and Rate Limiting Summary 2 1

2 Cyber Attacks Increasing Frequency Over 4,000 Distributed DoS attacks a week Sophistication Distributed DoS attacks hard to detect & stop Network elements recently targeted Impact Yahoo, ebay, Microsoft make headlines Cloud 9 (UK) ISP out of business Packet Sniffers IP Spoofing Denial of Service Attacks Automated Scanning Tools Distributed Denial of Service Attacks Script Attacks Self-Propagating Automated Distributed Attacks Host Based Attacks Network Based Attacks Attacks Target Network Source: Published CERT figures Juniper Networks, Inc. Copyright Today s Security Compromises Attack Starts Tracing Blocking Attack Ends Performance SLA Target Partial Enable security at specific points on the network As platforms, interfaces or software allow Does not provide reliable security Time Reactive Security enabled after attack is detected High operational effort Performance SLAs affected Juniper Networks, Inc. Copyright

3 Ubiquitous Security Without Compromise Juniper Networks: Single Image, Security on All Interfaces Continuous Juniper Networks: Low impact turn it on it, leave it on Economical Juniper Networks: Included in the basic platform Proven Juniper Networks: Shipping since 2000 and in use in production networks around the world Let s You, Rather Than Your Equipment, Dictate Your Network Security Policy. Juniper Networks, Inc. Copyright Protecting and Enabling Revenues Customer Retention Increased customer satisfaction Match competitive security service offerings New Services Lawful Intercept Intrusion Detection Services High Speed Encrypted VPNs Attack Resistant Web Hosting Denial of Service Protection/Control Spoofing Protection Juniper Networks, Inc. Copyright

4 JUNOS Security Related Features User Administration Tacas+/Radius Protocol Authentication H/W Based Packet Filtering Individual Command Authorization Traffic Policing Firewall Syslogs/MIB H/W Based Router Protection Port-Mirroring IPSEC Encryption (Control and Transit traffic) Unicast RPF Radius Support for PPP/CHAP SNMPv3 JUNOS 3.x 1998 JUNOS 4.x JUNOS 5.x Juniper Networks, Inc. Copyright Juniper Security Features at a Glance Examples of Available Safeguards Prevention Infrastructure Protection 1. Hardware based router protection Customer Protection 3. IPSEC encryption of customer traffic 2. IPSEC encryption of Control Traffic 4. Source address verification Detection 5. Real time traffic analysis (port mirroring) for Lawful Intercept, IDS 6. Real-time DDOS attack identification Suppression 7. I/O filters to block attack flows 8. Rate limiting 9. Hitless filter implementation Juniper Networks, Inc. Copyright

5 Agenda Introduction Juniper Networks Routers Architecture Router Protection Encryption of Traffic Source Address Verification Real-time Traffic Analysis I/O Filters and Rate Limiting Summary 9 System Architecture Junos Internet Software Update Internet I/O Card Forwarding Table Forwarding Table Switch Fabric Processor II I/O Card Routing Engine Maintains routing table and constructs forwarding table using knowledge of the network Packet Forwarding Engine Receives packet forwarding table from Routing Engine Copies packets from an input interface to an output interface Conducts incremental table updates without forwarding interruption Juniper Networks, Inc. Copyright

6 IP II ASIC Overview Internet Processor II Leverages proven, predictable ASIC forwarding technology of Internet Processor Provides breakthrough technology to support performance-based, enhanced Services Security and bandwidth control (I.e. filtering) at speed Visibility into network operations at speed Delivers performance WITH services Supported on all interfaces Juniper Networks, Inc. Copyright Filtering IP-II enables significant functionality with applications to network management Security Monitoring Accounting Filter Specification filter my-filter ip { rule 10 { protocol tcp ; source-address /24 ; port [ smtp ftp-data ]; action { reject tcp-reset ; Multiple rules may be specified. IP TCP All Packets Handled By Router Ver IHL ToS Total Len ID Fragmentation TTL Proto Hdr Checksum Source Address Destination Address Source Port Dest Port Sequence Number Acknowledgement Number Offset Flags Window Checksum Urgent Pointer Filters can act on highlighted fields, as well as incoming interface identifier and presence of IP options IP-II Packet Handling Programs Compile Microcode Log, syslog Count, Sample, Forwarding-class, Loss-priority, Policer Filters and route lookup are part of same program Juniper Networks, Inc. Copyright Forward Silent Discard TCP Reset Or ICMP Unreachable Routing Instance 6

7 JUNOS Internet Software Common software across entire product line leverages stability, interoperability, and a wide range of features Purpose built for Internet scale Modular design for high reliability Best-in-class routing protocol implementations Foundation for new services with MPLS traffic engineering Protocols Interface Mgmt Chassis Mgmt SNMP Operating System Security Juniper Networks, Inc. Copyright Traffic Framework Management, Control and Data planes Source, Destination and Type Router Management Router Management Routing Control Routing Control ICMP Notification ICMP Notification User Data User Data Juniper Networks, Inc. Copyright

8 Tools Prevent, Detect, Control Traffic Forward Redirect Monitor Sample Count Log Mark Limit Discard Route Control Import filters Export filters Mark Limit Announcements Prefixes Juniper Networks, Inc. Copyright Agenda Introduction Juniper Networks Routers Architecture Router Protection Encryption of Traffic Source Address Verification Real-time Traffic Analysis I/O Filters and Rate Limiting Summary 8

9 JUNOS Default to Secure Does not forward directed broadcasts Remote management access to the router is disabled. It must be explicitly enabled telnet, ftp, ssh No SNMP set support for editing configuration data Default Martian addresses Juniper Networks, Inc. Copyright Secure Shell Ssh v1 / v2 Communicating with the Router Support connexion limit + rate limit against SYN flood DoS attacks on the ssh port OpenSSH since JUNOS 5.4 Secure Copy Protocol (SCP) Uses the ssh encryption and authentication infrastructure to securely copy files between hosts Central Authentification TACACS + / RADIUS User classes with specific privileges File Records and Command Events Juniper Networks, Inc. Copyright

10 Hardware-Based Router Protection Router s control plane is complex and intelligence Need to be CPU based Protocols need processing power for fast updates and to minimize convergence time. Attacks launched at routers include sending: Forged routing packets (BGP,OSPF,RIP,etc..) Bogus management traffic (ICMP, SNMP, SSH,etc) Attacker can easily launch high speed attacks Rates in excess of 40M/second CPU based filtering unable to keep up Attacks consume CPU resources needed for control traffic. Danger of protocol time-outs, leading to network instabilities. Juniper Networks, Inc. Copyright Hardware Based Router Protection Hardware based filtering advantages Hardware drops attack ( untrusted ) traffic CPU free to process trusted control traffic One filter applied to the loopback Protects the router and all interfaces Provides ease of management No need to configure additional filters when adding new interfaces Juniper Networks, Inc. Copyright

11 Hardware Based Router Protection Define trusted source addresses Define protocols and ports that need to communicate Accept desired traffic and discard everything else One filter applied to the loopback interface protects router and all interfaces firewall { filter protect-re { term established { from { protocol tcp; tcp-established; then accept; term trusted-traffic { from { source-address { /24; /24; /24; /24; /24; protocol [icmp tcp ospf udp]; destination-port [bgp domain ftp ftpdatasnmp ssh ntp] ; then accept; term default { then { log; discard; Juniper Networks, Inc. Copyright Agenda Introduction Juniper Networks Routers Architecture Router Protection Encryption of Traffic Source Address Verification Real-time Traffic Analysis I/O Filters and Rate Limiting Summary 22 11

12 IPSec Encryption of Control Traffic Encrypt Control Traffic Between Routers Encryption uses ESP in Transport Mode ESP Provides Secure Communication for critical control/routing traffic Protects from attacks against control plane Juniper Networks, Inc. Copyright IPSec Encryption of Customer Traffic Encryption Services PIC provides capabilities to other interfaces on the router for Encryption and Key Exchange (IKE) Provides high-bandwidth encryption for transit traffic at 800 Mbps (half-duplex) Applied via the Packet Forwarding Engine offload the encryption and decryption tasks from Routing Engine processor Delivers Private and Secure communication of mission-critical customer traffic Provides up to 1,000 tunnels per PIC Can Scale Using Multiple PICs Juniper Networks, Inc. Copyright

13 IPSec Encryption of Customer Traffic Crypto PIC highlights: Tunnel/Transport Mode Tunnel mode for data traffic Authentication Algorithms MD5 SHA-1 Encryption Algorithms DES 3-DES IKE Features Support for automated key management using Diffie-Hellman key establishment Main/Aggressive mode supported for IKE SA setup Quick Mode supported for IPSec SA setup Juniper Networks, Inc. Copyright Agenda Introduction Juniper Networks Routers Architecture Router Protection Encryption of Traffic Source Address Verification Real-time Traffic Analysis I/O Filters and Rate Limiting Summary 26 13

14 Source Address Verification Why it is needed: IP address spoofing is a technique used in DOS attacks Attacker pretends to be someone else Makes it difficult to trace back the attacks Common Operating Systems let users spoof machine s IP address access (UNIX, LINUX, Windows XP) How it is done: Route table look-up performed on IP source address Router determines if traffic is arriving on expected path traffic is accepted normal destination based look up is performed If traffic is not arriving on a the expected path then it is dropped Juniper Networks, Inc. Copyright Source Address Verification Juniper Solution urpf can be configured per-interface/sub-interface Supports both IPv4 and IPv6 Packet/Byte counters for traffic failing the urpf check Additional filtering available for traffic failing check: police/reject Can syslog the rejected traffic for later analysis Two modes available: Active-paths: urpf only considers the best path toward a particular destination Feasible-paths: urpf considers all the feasible paths. This is used where routing is asymmetrical. Juniper Networks, Inc. Copyright

15 Source Address Verification /24 Data Center so-1/0/ /24 *[BGP/170] >via so-1/0/0/0.0 so-0/0/0.0 Attack with Source address= urpf /24 Juniper Networks, Inc. Copyright Agenda Introduction Juniper Networks Routers Architecture Router Protection Encryption of Traffic Source Address Verification Real-time Traffic Analysis I/O Filters and Rate Limiting Summary 30 15

16 Real-time Traffic Analysis Sampling and cflowd format export (v5 + v8) since JUNOS 5.4: Passive Monitoring PIC Application is primarly for secuity and traffic analysis Monitors IPv4 packets and flows over SONET on: OC-3c, OC-12c and OC-48c PPP or HDLC (Cisco) layer 2 encapsulations Generates cflowd v5 records for export to collector nodes IPSec or GRE tunnels can be used for exporting Juniper Networks, Inc. Copyright Real-time Traffic Analysis Juniper Port Mirroring capability Copy of sampled packet can be sent to arbitrary interface Any Interface and speed up to 100% of selected packets N number of ingress ports to single destination port Work in progress with IDS vendor Discussions ongoing with high-speed analytical security application developers (OC48) Juniper Networks, Inc. Copyright

17 Real-time Traffic Analysis Data Center Mirrored Traffic Intrusion Detection System Juniper Networks, Inc. Copyright Preparation Real-time DDoS Identification Pre-configure Destination Class Usage (DCU) on customerfacing ingress interfaces Accounting feature typically for billing Supported in JUNOS 4.3 (12/2000) and beyond Counts packets, bytes destined for each of up to 16 communities per interface Counters retrievable via SNMP Note: Source Class Usage is also supported (since JUNOS 5.4) During Attack Use BGP to announce victim s /32 host address with special community Trigger SNMP polling of DCU counters on all ingress interfaces Apply heuristic to identify likely attack sources Juniper Networks, Inc. Copyright

18 Real-time DDoS Identification Attack Network Service Provider Attacker Network Switch Victim Network Attacker Network User Network NOC Attack Network User Network 35 Juniper Networks, Inc. Copyright 2002 Real-time DDoS Identification Attack Network Service Provider Attacker Network Switch /32 Community 100:100 Victim Network Attacker Network User Network NOC Attack Network Juniper Networks, Inc. Copyright 2002 User Network 36 18

19 Real-time DDoS Identification Juniper Networks, Inc. Copyright Agenda Introduction Juniper Networks Routers Architecture Router Protection Encryption of Traffic Source Address Verification Real-time Traffic Analysis I/O Filters and Rate Limiting Summary 38 19

20 I/O Filters To Block Attack Flows DOS attacks need to be detected and stopped Interface filters can be applied to block only attack flows Filters can be applied to any interface type Filters can be applied both on inbound and outbound /* apply the filter to the ingress point of the network */ so-0/2/2 { unit 0 { family inet { filter { input block-attack; address /30; /* This is the filter which blocks the attacks */ firewall { filter block-attack { term bad-guy { from { source-address { /32 protocol icmp; then { discard; log; Juniper Networks, Inc. Copyright Rate Limiting Suppression/Rate Limiting Advantages Protects router of customer by limiting traffic based on protocol/port/source and destination addresses Juniper Advantage Architectural reasons we perform Internet Processor ASIC not tied to an interface or release Behavior under attack Stable operation, routing and management traffic unaffected Juniper Networks, Inc. Copyright

21 Hitless Filter Implementation Can be applied immediately after identification of offending traffic Application of filters does not create short-term degraded condition as filters take effect Size and complexity of filter independent of forwarding performance Juniper Networks, Inc. Copyright Traffic Interruption During Filter Compilation Traffic flow All traffic gets drop During filter compilation Attack flow NOC operator applies or changes filters NOC Juniper Networks, Inc. Copyright

22 No Interruption With Atomic Updates Traffic flow Attack traffic gets dropped Attack flow NOC operator applies or changes filters NOC Juniper Networks, Inc. Copyright Agenda Introduction Juniper Networks Routers Architecture Router Protection Encryption of Traffic Source Address Verification Real-time Traffic Analysis I/O Filters and Rate Limiting Summary 44 22

23 Next Steps On going Dialog with security team Ensuring existing security features are active Awareness of upcoming security issues Best Practices White Papers Security consulting and training Juniper Networks the Trusted Source Juniper Networks, Inc. Copyright Further References Juniper Networks Whitepapers Rate-limiting and Traffic-policing Features Fortifying the Core Visibility into Network Operations Minimizing the Effects of DoS Attacks Juniper Networks Router Security Available from Juniper Networks, Inc. Copyright

24 Thank You 24