CONTINUOUS MONITORING IN FEDERAL AGENCY NETWORKS


White Paper

Juniper offers a wide range of sense-and-respond capabilities to support continuous monitoring government initiatives

Copyright 2014, Juniper Networks, Inc.

Table of Contents

Executive Summary
Introduction
Challenges
Prioritization
Monitoring Virtual Assets
Best Practices
Technology Approaches
Endpoint + Connectivity Context
Data Center + Connectivity Context
Cloud + Connectivity Context
Juniper Networks Capabilities for Continuous Monitoring
SRX Series Services Gateways
Firefly Host
WebApp Secure
Spotlight Secure
DDoS Secure
Unified Access Control
Junos Pulse
Juniper Endpoint Profiler
Conclusion
About Juniper Networks

List of Figures

Figure 1: U.S. Government direction for continuous monitoring via open standards
Figure 2: NIST continuous monitoring management domains
Figure 3: TNC component architecture
Figure 4: Trusted Network Connect and SCAP functional components
Figure 5: MAP/CMDB information coordination role
Figure 6: Key continuous monitoring functions for the data center
Figure 7: SDN layers
Figure 8: Service chaining of security and continuous monitoring virtual functions
Figure 9: Notional architecture of Juniper Networks end-to-end continuous monitoring capabilities
Figure 10: Integrated SRX Series and Firefly Host solution

List of Tables

Table 1: Continuous Monitoring Challenges
Table 2: Example Requirements for Continuous Monitoring Tools

Executive Summary

Continuous monitoring is a strategic initiative designed to improve cyber situational awareness and positively impact the risk posture of federal agencies. A variety of daunting questions and tasks face federal IT managers as they plan the transition to a continuous monitoring approach. To address these challenges, federal IT managers must create the risk management governance structure needed to plan and execute a continuous monitoring strategy. They must prioritize what assets to monitor and what parameters or metrics to collect. And they must also overcome the challenges related to virtualization and the cloud.

U.S. Government direction for continuous monitoring via open standards covers five major categories of elements that need continuous monitoring: software assets, compute assets, connectivity assets, vulnerabilities, and threats.

This paper describes the most common challenges, continuous monitoring tools and best practices, and various technology approaches. It also outlines Juniper Networks' next-generation security products for continuous monitoring, which include solutions for monitoring endpoint compliance and integrity, managing access and data center infrastructure integrity, and handling boundary protection and incident response/management.

Introduction

The continuous monitoring initiative was spurred by U.S. Office of Management and Budget (OMB) memorandum M-10-15, issued on April 21, 2010, which moved agencies from static, point-in-time security authorization processes to ongoing assessment and authorization throughout the system development life cycle. More recently, OMB issued memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. The memorandum provides instructions for annual FISMA reporting, and it emphasizes monitoring the security state of information systems on an ongoing basis with a frequency sufficient to make ongoing, risk-based decisions.
The initiative has been supported by NIST, which has published a body of guidelines for meeting OMB goals related to continuous monitoring, including:
- NIST IR 7756, CAESARS Framework Extension Reference Model
- NIST IR 7799, Workflow, Subsystem, and Interface Specifications
- NIST IR 7800, Data Domain Binding and Handling Specifications
- NIST Special Publication , Revision 1, Applying the Risk Management Framework to Federal Information Systems (February 2010)
- NIST Special Publication , Managing Information Security Risk: Organization, Mission, and Information System View
- NIST Special Publication , Revision 4, Recommended Security Controls for Federal Information Systems and Organizations
- NIST Special Publication , Revision 1, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

Interpreting these guidelines reveals a framework for continuous monitoring as reflected in Figure 1.

[Figure 1: U.S. Government direction for continuous monitoring via open standards. The diagram groups its elements around RISK: Software Assets (CPE, CCE, OVAL, XCCDF, OCIL, software assurance, patching, virus protection, FISMA reporting), Compute Assets (logs, events, anomaly detection, compliance assessment), Connectivity Assets (access point, remote access, firewall, IDS rules, signatures, network discovery, DLP, anomaly detection), Vulnerabilities (CVE, CVSS, CVRF, OVAL, scanning, metadata) and Threats (malware categorization via MAEC, attack patterns via CAPEC), with SCAP as the unifying protocol.]

As depicted in Figure 1, there are five major categories of elements that need continuous monitoring: software assets, compute assets, connectivity assets, vulnerabilities, and threats. A variety of sensors and responders form the foundation of continuous monitoring for each element. Standard data formats (often in XML) support the sensor- or responder-generated descriptive content. Each output by a sensor or action by a responder must also be distinguished by an identifier, such as a software ID, a common vulnerability name, a threat signature ID, a patch number, etc. The relationship between elements must also be continuously correlated and tracked to produce the critical continuous monitoring outcome of real-time situational awareness and to enable defensive courses of action for managing the risk posture of the enterprise.

Continuous monitoring is generally deployed in phases, which include monitoring endpoint compliance and integrity, managing access and data center infrastructure integrity, and boundary protection and incident response/management. As federal agencies come on board with this new risk-managed approach for cyber-defense, it is important to understand the challenges, the best practices, and the technology approaches available to make this transition.

Challenges

A variety of daunting questions and tasks face federal IT managers as they plan the transition to a continuous monitoring approach. To address these challenges, federal IT managers must create the risk management governance structure needed to plan and execute a continuous monitoring strategy. This governance structure should be aligned to the NIST Risk Management Framework and address the challenges outlined in the following table.
Table 1: Continuous Monitoring Challenges

Columns: Challenges | Questions | Example Tasks, Metrics, Approaches

Challenges:
- Risk tolerance level and what causes it to change (both internal and external forces)
- Types of cyber-intelligence needed to understand your current risk posture

Questions, each with its example tasks, metrics, and approaches:

1. What is the impact to my business if information or other computing assets are lost, stolen, damaged, or modified by threat actors?
   Examples: Business/privacy impact assessments, FIPS 199/200 assessment, risk assessment

2. What threats are likely to affect my risk posture and what is the likelihood of losses?
   Examples: INFOCON Level, Common Vulnerability Scoring System (CVSS), Information Assurance Vulnerability Alerts (IAVAs), threat assessment and consequence analysis

3. What type/level of compliance do I need to maintain?
   Examples: Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, FISMA, Payment Card Industry Data Security Standard (PCI DSS), EO 13636, service-level agreements (SLAs), Security Technical Implementation Guides (STIGs)

4. What assets and asset parameters should I monitor?
   Examples: System/network inventory, information catalog, identity

5. What metrics should I collect? What are the normal configurations for each type of asset?
   Examples: Asset type, configuration, integrity state, protection robustness; normal (baseline) state, availability, connection state, netflow rate, session state, capacity, packet capture/analysis, log analysis

6. What assets are used by a business process?
   Examples: Application/asset dependency graph, resource capacity and loads/changes over time

7. What threats and attack graphs should I be most concerned about?
   Examples: Threat models, connectivity graph, information sensitivity/value, downtime impacts

8. Where and when am I most vulnerable to threats?
   Examples: Vulnerability locality, CVSS 2.0 score, patch state

Table 1: Continuous Monitoring Challenges (continued)

Challenges:
- How responsive your infrastructure needs to be to address different cyber-events that impact risk levels
- How to prioritize changes that are needed to successfully implement continuous monitoring capabilities that can reduce your exposure to risk
- How the introduction of new capabilities affects your ability to support continuous monitoring
- How to scale continuous monitoring to cover your entire enterprise

Questions, each with its example tasks, metrics, and approaches:

1. What rate of monitoring should I employ to detect a cyber-incident?
   Examples: Sampling rate relative to the rate of change of attack methods, the attack surface of a potential target, the value of a potential target, the rate of configuration changes applied to a target, and the time needed to identify and respond to an attack or ensure compliance

2. What kind of response(s) should I employ for a cyber-incident?
   Examples: Classify attack/incident, block attack, slow down attack/effects from attack, deceive and track attacker, remediate the asset(s), quarantine or replace the asset(s), perform forensics/assess impact, send alerts

3. How quickly can I institute a timely response to neutralize a cyberattack?
   Examples: Trained Computer Emergency Readiness [or Response] Team (CERT), automated cyber C2/situational awareness, automated countermeasures, incident response plan

4. How quickly do I need to recover from a cyber-incident to meet my risk tolerance level?
   Examples: Mission impact assessment, degree of redundancy in infrastructure, Continuity of Operations Plan and Disaster Recovery (COOP/DR) plan, frequency and completeness of backups, insurance

5. How adaptable is my continuous monitoring capability for the detection of new threats?
   Examples: Adaptation rate that increases situational awareness and provides the ability to respond faster than the ability of an attacker to recon defenses, exploit vulnerabilities, and create damage

6. What fixes do I need to implement first to reduce my risk exposure?
   Examples: Prioritized threats, risk score, CVSS, impact assessment, patch readiness, asset replacement capability

7. How can I best utilize the available resources to detect and respond to a cyber-incident?
   Examples: Cross-team information sharing and coordination, automated correlation tools to risk categorization, automated C2 tools, automated deconflict/false positive analysis tools, global threat intelligence

8. How do I scale my continuous monitoring capability to handle the large datasets that are generated by sensors?
   Examples: Security information and event management (SIEM) scaling options, cloud-based capabilities, clustering, federation, metadata extraction, distributed processing, data center switch fabrics

9. How do I support continuous monitoring for cloud-based or virtual assets?
   Examples: Identity-based controls, virtualization protections, encryption, virtual machine (VM) orchestration and controllers

10. How do I implement continuous monitoring over the system life cycle and supply chain?
    Examples: Hardware/software assurance, counterfeit tracking technology, integrated supply chain and asset management, product evaluations

11. How much asset coverage can I realistically achieve for my budget and risk posture?
    Examples: Budget, program vs. project approach, risk priorities, number of locations, number of assets, remote vs. on-premise endpoints, business impact assessment

12. How much will my operations workload increase to support continuous monitoring?
    Examples: Proof of concepts/pilots, coverage model, tabletop exercises, and simulations

13. How can I phase in new mission systems, continuous monitoring, or infrastructure changes with minimal operations disruption?
    Examples: Open standards/APIs; pre-integrated, certified, and tested solutions; virtual machines; widgets; cloud-based deployment; Web services

14. What are the human capital improvements needed?
    Examples: Training and skills assessment, workload balancing

Prioritization

One of the more difficult challenges listed above involves prioritizing what assets to monitor and what parameters or metrics to collect. Several different assessment approaches can be used to identify priorities. One approach includes threat modeling and attack graphing, which seek to quantify the threats to the infrastructure. An attack graph is a concise representation of the known methods an attacker might employ to compromise a security mechanism by leveraging dependencies among known vulnerabilities. The attack graph is derived from a network model that consists of at least the following elements: a list of assets, a list of known vulnerabilities, asset connectivity, and usually at least one security policy. The root information needed to produce an attack graph consists of the core IP information for each asset (i.e., media access control address, IP address, version, etc.), as well as vulnerability scanning information, CVSS scores, and security policy.

If an attack graph is considered the basis for representing what needs protection within an enterprise information flow, then the elements needed to produce an attack graph are key to understanding what to monitor continuously. The assets that need protection and monitoring can be found and mapped via a network discovery tool. Once connectivity maps are formed for an enterprise, metadata can be added from tools like vulnerability scanning to produce an attack graph to support an agency's continuous monitoring. Vulnerability scanning models the exposure of an asset to known attacks, and linking metadata collected from the different tools can enable better monitoring of the agency enterprise.

Monitoring Virtual Assets

Another emerging challenge involves continuous monitoring of virtual assets: a compute, connectivity, or software element that runs in a virtual machine. Virtualization adoption is on the rise for a variety of compelling reasons, such as cost and management elasticity.
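The attack-graph construction described in the Prioritization section above lends itself to a worked example. The following Python program, added here and not part of the Juniper paper, builds the network model from a constructed inventory (hypothetical hosts, addresses and placeholder vulnerability identifiers), derives the attack graph by chaining policy-permitted connections through network-exploitable known vulnerabilities, and ranks assets by exposure so that monitoring effort and sampling rate can be allocated first to the assets nearest an untrusted network. All function and variable names are the example's own assumptions.

```python
"""Attack-graph-based prioritisation of what to monitor.

Added example; this is not code from the Juniper paper.  It builds the network
model the Prioritization section describes (asset list with IP/MAC data, known
vulnerabilities with CVSS scores, connectivity, and a security policy), derives
the attack graph, and ranks assets by how few vulnerability hops separate them
from an untrusted network.  All hosts, addresses and vulnerability identifiers
below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    ip: str
    mac: str
    # Known vulnerabilities: (identifier, CVSS base score, exploitable over the network)
    vulns: list = field(default_factory=list)


# Constructed inventory (hypothetical hosts; VULN-* are placeholder identifiers,
# not real CVE numbers).
ASSETS = {
    "web01": Asset("web01", "10.0.1.10", "02:00:00:00:01:10", [("VULN-A", 9.8, True)]),
    "app01": Asset("app01", "10.0.2.20", "02:00:00:00:02:20", [("VULN-B", 7.5, True)]),
    "db01": Asset("db01", "10.0.3.30", "02:00:00:00:03:30", [("VULN-C", 6.5, True)]),
    "hr01": Asset("hr01", "10.0.4.40", "02:00:00:00:04:40", []),
}

# Security policy / connectivity: which source may open connections to which asset.
# "internet" is the untrusted starting point for the analysis.
POLICY = {
    "internet": {"web01"},
    "web01": {"app01"},
    "app01": {"db01", "hr01"},
    "db01": set(),
    "hr01": set(),
}


def build_attack_graph(assets, policy):
    """An edge src -> dst labelled with a vulnerability exists when policy lets
    src reach dst and dst carries a network-exploitable known vulnerability."""
    graph = {src: [] for src in policy}
    for src, dsts in policy.items():
        for dst in sorted(dsts):
            for vuln_id, cvss, remote in assets[dst].vulns:
                if remote:
                    graph[src].append((dst, vuln_id, cvss))
    return graph


def exposure(graph, start="internet"):
    """Breadth-first search: minimum number of vulnerability hops from start to
    every asset that can be reached by chaining known vulnerabilities."""
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for dst, _vuln, _cvss in graph.get(node, []):
            if dst not in hops:
                hops[dst] = hops[node] + 1
                queue.append(dst)
    hops.pop(start)
    return hops


def attack_paths(graph, start, target, path=None):
    """All simple paths from start to target through the attack graph."""
    path = (path or []) + [start]
    if start == target:
        return [path]
    found = []
    for dst, _vuln, _cvss in graph.get(start, []):
        if dst not in path:
            found.extend(attack_paths(graph, dst, target, path))
    return found


def monitoring_priority(assets, policy, start="internet"):
    """Rank reachable assets: fewest hops from the untrusted zone first, then
    highest CVSS.  Assets absent from the result are on no known attack path
    and can be monitored at a lower rate."""
    graph = build_attack_graph(assets, policy)
    ranked = []
    for name, depth in exposure(graph, start).items():
        worst = max(cvss for _vuln, cvss, _remote in assets[name].vulns)
        ranked.append((name, depth, worst))
    ranked.sort(key=lambda row: (row[1], -row[2]))
    return ranked


if __name__ == "__main__":
    for name, depth, cvss in monitoring_priority(ASSETS, POLICY):
        print(f"{name}: {depth} hop(s) from internet, worst CVSS {cvss}")
    print(attack_paths(build_attack_graph(ASSETS, POLICY), "internet", "db01"))
```

An asset that never appears in the ranking (hr01 in the constructed data) is reachable by policy but carries no known network-exploitable vulnerability, so the graph places it below the three assets on the chained path. Re-running the ranking after every discovery sweep and vulnerability scan is the linkage of discovery and scanning metadata the section describes.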
IT administrators are able to easily manage and expand their systems infrastructure with virtualization technology, such as live migration to move VMs from one physical server to another in order to perform hardware maintenance without system downtime. They can also quickly spin up new VMs via templates and clones rather than waiting weeks for new hardware to arrive. In essence, this flexibility means agencies can move at a more dynamic and rapid pace.

Since virtual assets tend to be transient or may migrate among different hardware platforms, it can be difficult to establish and maintain a measurable baseline of virtual assets for monitoring. Virtual assets also pose issues in the deployment of cyber sensors, as inter-VM flows may not be visible to physical security appliances or sensors. IT managers could use VLANs to funnel the traffic out of the virtual environment through physical security appliances and back into the virtual environment. However, this is inefficient and often lacks the granular control and dynamism needed to implement such things as security on moving VMs, or VMs being created on the fly via cloning. Instead, a preferred approach is to implement the sensors or agents in the virtual environment itself. However, depending on the VM architecture (e.g., implement an agent in the guest VMs, implement the security in a VM, implement security partially in the kernel or completely in the kernel), the sensors or security agents could also have a variety of impacts on performance. In general, this challenge of monitoring and controlling inter-VM flows is particularly problematic in multitenant environments, where separation and monitoring of inter-VM flows and access methods are often mandatory.

Best Practices

Continuous situational awareness is a key outcome for a continuous monitoring program.
Situational awareness must incorporate information views to support a variety of administrator roles for the enterprise; for example, the system, the network, endpoints, and security administrators. The situational awareness tools must also support a variety of perspectives, from the administrator to the data center manager to the CIO, CISO, and CTO. Continuous monitoring content generated by sensors, external information sources, workflow systems, and policy mechanisms must also be digested, correlated, and reported in an expeditious fashion to ensure rapid response to incidents. There are many inputs that continuous monitoring tools provide to questions that administrators must answer to support comprehensive situational awareness. Some examples are contained in the following table.

Table 2: Example Requirements for Continuous Monitoring Tools

Columns: Continuous Monitoring Tools and Best Practices | Sense | Respond

1. Tools and best practices: User activity monitoring, user access control, endpoint provisioning, and remediation
   Sense: Who/what is on the network; where are they located; what are they accessing; what is the state of their device; are they authorized for this activity; are they abusing applications or privileges?
   Respond: What registered assets are not online, are quarantined, or are in process of remediation; what type of user abuse activity is on my network, who is abusing their privileges, and what types of actions are underway to mitigate this activity?

2. Tools and best practices: Network activity monitoring, data and network leakage prevention, botnet detection, deep packet inspection (DPI), SSL intercept
   Sense: What types of traffic are on my network, entering my network, leaving my network; what network connections have been authorized/not authorized through configuration management processes; is sensitive data leaving the network, and is this transmittal authorized by policy?
   Respond: What policies, rules, and controls are in place to control network traffic; what Policy Decision Point/Policy Enforcement Points (PDP/PEPs) are used to enforce these rules; what systems are impacted by an exploitation or network outage; how well am I containing data loss; what activities are occurring that reflect or are causing network anomalies?

3. Tools and best practices: Alert management, continuous monitoring orchestration, continuous monitoring dashboards
   Sense: What types of alerts are in process; how many alerts are in process; what are my alert trends; what is going on that is not normal?
   Respond: What is the status of my incident response; is this a malicious attack, a false positive, or some other anomalous behavior?

4. Tools and best practices: Global threat intelligence, threat models
   Sense: What are the current threat vectors; what are the emerging threats that impact me; what threats am I currently experiencing and where?
   Respond: Am I identifying and responding to threats in a timely manner; am I prioritizing threat responses correctly; are my countermeasures effective in reducing my attack surface?

5. Tools and best practices: Compliance management, vulnerability scanning (network, Web, database, endpoint), patch management
   Sense: What is my vulnerability status; what patches are still outstanding for a device; what devices are out of compliance with the configuration baseline; what vulnerabilities are most prone to exploitation?
   Respond: Am I identifying and responding to vulnerabilities in a timely manner; am I prioritizing vulnerability abatement actions correctly; how fast is my attack surface increasing/decreasing; have I appropriately considered all mission impacts prior to mitigating a vulnerability?

6. Tools and best practices: Application and database monitoring, virus definition status, log analysis
   Sense: Are my critical databases and application(s) open to direct access from untrusted networks; is my sensitive and/or privacy-related information adequately protected?
   Respond: Have I checked my applications and database calls for code flaws; have I implemented encryption where needed; am I checking logs for anomalous activity?

Incident response is the active element of a continuous monitoring strategy. Being able to surge to contain an ongoing attack is critical to reducing the damaging effects on a compromised asset. This ability to surge often depends on how quickly an organization can adopt new defensive courses of action and reallocate resources to create containment zones and remediate compromised or affected assets. It is also dependent on the quality of indicators and warnings that are received from sensors or intelligence sources regarding impending threats. The status of an incident is closely monitored and reported by continuous monitoring tools. In general, the rate of adaptation to new cyberthreats, the quality of indicators and warnings, and the rate of monitoring are critical performance parameters for a good incident response capability.
Although continuous monitoring is still in its infancy in terms of adoption, agencies need to keep innovation at the forefront of their approach. For example, many of the current sensors are signature-based, which are easily fooled or bypassed by zero-day attacks or some of the new types of advanced persistent threats. Agencies need to consider new innovations such as behavior-based sensors, as well as tools that can dynamically reshape the attack surface of a particular target, such as IP-address hopping and intrusion deception, to provide additional continuous monitoring coverage and countermeasures for these threats.

Continuous monitoring also requires a wide variety of capabilities to be effective, and these capabilities represent a wide diversity of tools. Agencies need to consider tools that can interoperate seamlessly with existing continuous monitoring systems so that new sensors that detect new threat vectors can be quickly added. Workflow and orchestration tools also must be integrated with sensors, SIEM tools, forensics tools, policy tools, security enforcement points, and management tools to enable root cause analysis and ensure that courses of action can be quickly identified and deployed to any point of the enterprise.

Data synthesis and analysis are aided through the use of tools and sensors that support data standards such as Security Content Automation Protocol (SCAP) and other standards that are promoted by NIST guidelines. These standards facilitate the consumption of sensor output and the production of timely status in situational awareness dashboards. Continuous monitoring tools must also enable cross-discipline (server, network, storage, security) collaboration and data synthesis. The bottom line is that agencies need to consider how innovation can be leveraged to convert their investment in continuous monitoring into an infrastructure that is continuously adaptive and dynamically secure.

Scaling performance and continuous monitoring coverage are important concerns for agencies embarking on a continuous monitoring program. Sensors deployed in large enterprises can generate an avalanche of data each day. Analysis and synthesis tools must scale to meet these big data requirements. Continuous monitoring tools need to scale from a throughput perspective or number of events managed, but also cohesively support enterprises that are geographically distributed. For example, new threat indicators must be shared quickly across the enterprise to ensure that attacks that are first detected and thwarted in one part of the enterprise can be blocked at other scattered networked locations. Sensors and security enforcement mechanisms must also behave and perform well in both physical and virtual environments, while also enabling synchronized security visibility and responses across virtual and physical layers.

Continuous monitoring tools also need to provide some assurance to IT managers that 100% (or some coverage goal) of the networked assets are being monitored in some way. To this end, IT managers need a comprehensive asset management capability tied to other network discovery, traffic analysis, and log analysis tools to ensure accurate and complete coverage.

Technology Approaches

This section describes high-level approaches for continuous monitoring. Figure 2 presents the key management domains that continuous monitoring technology approaches must address, along with the different contexts where continuous monitoring tools must perform. As shown in Figure 2, there are several types of user endpoint contexts that an agency can manage: mobile, fixed, and virtual. In addition, mobile endpoints may not be enterprise-owned but will still need to be monitored under a bring-your-own-device (BYOD) program.
Cloud, data center, and a variety of connectivity contexts (public Web, agency networks) must also be managed across all of the different continuous monitoring management domains. A cohesive continuous monitoring approach will tie together each of these different management domains in an integrated sense-and-respond capability, while providing end-to-end visibility across the different contexts.

[Figure 2: NIST continuous monitoring management domains. Management domains shown: vulnerability management, event management, patch management, incident management, digital policy management, network management, software assurance, malware detection, APT (zero day), license management, asset management, configuration management, information management. Contexts shown: public Web (.www, .mil, .gov), mobility, cloud, data center, virtual desktops, fixed assets.]

The specific risk management and continuous monitoring approaches employed by an agency will differ based on their use and adoption rate of technology, mission priorities, budget, and threat profile. For example, an agency that largely leverages FedRAMP-certified public cloud service providers should focus on strong identity for AAA (authentication, authorization, and accounting or audit), as well as the monitoring of data protection mechanisms (such as data-at-rest encryption and data-in-transit encryption) as key elements of their continuous monitoring strategy. Agencies that have widely deployed mobile or telework users accessing their enterprise resources should leverage network access control (NAC), strong identity mechanisms, and the monitoring of endpoint protections as important countermeasures and continuous monitoring approaches.

The following sections present a set of notional approaches for the different contexts: endpoint + connectivity, data center + connectivity, and cloud + connectivity. Open, nonproprietary standards are emphasized for each approach.

Endpoint + Connectivity Context

The endpoint context incorporates four major open architectural standards: the Trusted Network Connect (TNC) suite of standards developed and promoted by the Trusted Computing Group; the Security Content Automation Protocol (SCAP) family of standards developed and endorsed by NIST; the ISO/IEC Software Identification Tag standard (SWID), which describes a schema for identifying applications installed on endpoints and their patch status; and public key infrastructure (PKI) standards for identifying users and devices.

As illustrated in Figure 3, the TNC architecture includes several components that can support different use cases for compliance. For example, TNC components form a classic NAC architecture. A Network Access Requestor (NAR) requests access to a protected network. A Network Access Authority (NAA), acting as a Policy Decision Point (PDP), obtains information about the NAR such as device identity and device health. The PDP then consults policies established by the network owner to decide what access should be granted to the NAR, and sends instructions to a Network Access Enforcer, acting as a Policy Enforcement Point (PEP), which enforces the decision. If conditions change (e.g., the health of the NAR improves or degrades), the PDP can send a revised decision to the PEP, increasing or decreasing the NAR's network access.
[Figure 3: TNC component architecture. Columns: AR, PEP, PDP, MAP, MAPC. Integrity Measurement Layer: Integrity Measurement Collectors and Integrity Measurement Verifiers linked by IF-M. Integrity Evaluation Layer: TNC Client and TNC Server linked by IF-TNCCS, with IF-IMC and IF-IMV to the layer above, and a MAP Server reached over IF-MAP. Network Access Layer: Network Access Requestor (supplicant/VPN client, etc.), IF-T, Network Access Enforcer (edge switch/access firewall/VPN gateway), IF-PEP, Network Access Authority (AAA server), with the Metadata Access Point serving flow controllers, sensors and others (IDS, interior firewalls, etc.) over IF-MAP.]

The NAR and NAA support IF-T TLS, since a transport connection is needed that:
- Can handle large volumes of data to be sent while the device is connected
- Allows either the TNC client or TNC server to initiate a connection
- Supports secure transport based on machine certificates at both ends of the connection

The NAR and NAA must therefore support the use of machine certificates for TLS at each endpoint, consistent with other TNC protocol requirements. The NAR must be able to locate an authorized PDP, and switch to a new PDP when required by the network in conformance with TNC discovery protocols.

The PDP sends metadata it has obtained to a database called a Metadata Access Point (MAP). Other security systems such as sensors, flow controllers, and risk management devices can use this metadata to improve their operations and share their own metadata and events with the PDP through the MAP, enabling additional security automation.

SCAP fits easily into the TNC architecture, as shown in Figure 4. SCAP endpoint agents can plug into the TNC architecture through the IF-IMC standard. SCAP-validated analysis software can be connected to the PDP using the TNC's IF-IMV standard. External SCAP scanners can function as sensors, sharing data and alerts about device configuration through the MAP using the TNC's IF-MAP standard.

[Figure 4: Trusted Network Connect and SCAP functional components. TNC components: Access Requestor (AR), Policy Enforcement Point (PEP), Policy Decision Point (PDP), Metadata Access Point (MAP), sensors and flow controllers. SCAP components attached to them: SCAP client software (at the AR), SCAP analysis software (at the PDP), SCAP external scanner (as a sensor).]

At all three of these interfaces, SCAP gives the user the ability to know what is running on a machine as well as its compliance with required checklists and SCAP-based enterprise policies. TNC adds the capability to automatically perform enforcement based on identity and other criteria, as well as the framework to integrate all these different sensors. In short, TNC handles the networking and network integration, and SCAP handles the compliance aspects.

Throughout the TNC architecture, open standards are used to connect the different components. This allows products from different vendors to work together easily, leveraging each other's strengths and forming a system that is much more capable than any one component alone. Also, uses of MAP data are innumerable: asset management solutions, analytics tools, gateway devices that need to make additional connectivity decisions, and metrics reporting scripts, among others, are all able to reference the data stored in the MAP to achieve their purposes. For example, an intrusion detection system (IDS) can act as a sensor, detecting attacks on the network. When the IDS detects an attack, it can publish metadata about the event to the MAP. The PDP will be notified immediately if the attack pertains to a NAR for which it is responsible. Appropriate action can be taken automatically, such as blocking the attack at its source.

TNC standards are also focusing on being able to collect compliance data from an endpoint and store it in a Configuration Management Database (CMDB). This makes compliance data from a network's endpoints available on a persistent basis to authorized network infrastructure and network administrators.
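The NAC exchange described above (NAR to PDP to PEP) and the IDS-to-MAP notification path, as an added example that is not code from the Juniper paper or from the Trusted Computing Group: a small Python model in which the PDP decides, the PEP enforces, the MAP stores and relays metadata, and a high-severity sensor event about an endpoint the PDP is responsible for causes a revised decision. Class names, the policy thresholds and the message shapes are this example's assumptions; the IF-T, IF-PEP and IF-MAP wire formats are not modelled.

```python
"""TNC-style access decision loop with a Metadata Access Point.

Added example; not code from the Juniper paper or the Trusted Computing Group.
A NAR presents identity and health to the PDP, the PDP instructs the PEP and
publishes what it learned to the MAP, and an IDS sensor's event reaches the PDP
through the MAP and yields a revised decision.  Policy and message shapes are
assumptions; no real IF-MAP/IF-PEP/IF-T encoding is used.
"""
from dataclasses import dataclass


@dataclass
class Health:
    av_enabled: bool
    patches_current: bool


class MapServer:
    """Minimal publish/search/subscribe store keyed by endpoint identifier."""

    def __init__(self):
        self.metadata = {}     # identifier -> [(name, value), ...]
        self.subscribers = {}  # identifier -> [callback, ...]

    def publish(self, identifier, name, value):
        self.metadata.setdefault(identifier, []).append((name, value))
        for callback in list(self.subscribers.get(identifier, [])):
            callback(identifier, name, value)

    def subscribe(self, identifier, callback):
        self.subscribers.setdefault(identifier, []).append(callback)

    def search(self, identifier, name=None):
        return [v for n, v in self.metadata.get(identifier, []) if name is None or n == name]


class PEP:
    """Network Access Enforcer: records the decision currently applied per endpoint."""

    def __init__(self):
        self.enforced = {}

    def apply(self, identifier, decision):
        self.enforced[identifier] = decision


class PDP:
    """Network Access Authority acting as Policy Decision Point."""

    def __init__(self, map_server, pep):
        self.map, self.pep, self.sessions = map_server, pep, {}

    @staticmethod
    def evaluate(cert_valid, health):
        # Assumed policy: no valid machine certificate or AV off -> deny;
        # patches missing -> remediation network only; otherwise full access.
        if not cert_valid or not health.av_enabled:
            return "deny"
        return "remediation" if not health.patches_current else "full"

    def decide(self, identifier, cert_valid, health):
        decision = self.evaluate(cert_valid, health)
        self.pep.apply(identifier, decision)
        self.map.publish(identifier, "access-decision", decision)
        return decision

    def connect(self, identifier, cert_valid, health):
        if identifier not in self.sessions:          # subscribe once per NAR we own
            self.map.subscribe(identifier, self.on_map_event)
        self.sessions[identifier] = {"cert_valid": cert_valid, "health": health}
        self.map.publish(identifier, "device-health", vars(health))
        return self.decide(identifier, cert_valid, health)

    def health_changed(self, identifier, health):
        session = self.sessions[identifier]
        session["health"] = health
        self.map.publish(identifier, "device-health", vars(health))
        return self.decide(identifier, session["cert_valid"], health)

    def on_map_event(self, identifier, name, value):
        # A high-severity sensor event about a NAR this PDP is responsible for
        # triggers an automatic revised decision to the PEP.
        if name == "event" and value.get("severity") == "high" and identifier in self.sessions:
            self.pep.apply(identifier, "quarantine")
            self.map.publish(identifier, "access-decision", "quarantine")


class IdsSensor:
    """Sensor that shares detections through the MAP rather than calling the PDP."""

    def __init__(self, map_server):
        self.map = map_server

    def alert(self, identifier, signature, severity):
        self.map.publish(identifier, "event", {"signature": signature, "severity": severity})


def run_scenario():
    """One endpoint: connect healthy, lose patch currency, then trip the IDS."""
    map_server, pep = MapServer(), PEP()
    pdp = PDP(map_server, pep)
    pdp.connect("ar-1", cert_valid=True, health=Health(True, True))
    pdp.health_changed("ar-1", Health(True, False))
    IdsSensor(map_server).alert("ar-1", "constructed-signature", "high")
    return map_server.search("ar-1", "access-decision"), pep.enforced["ar-1"]


if __name__ == "__main__":
    print(run_scenario())
```

Because the PDP subscribes to the MAP only for identifiers it has a session for, an event about an endpoint it does not manage produces no enforcement change; the MAP still retains that event for other consumers (asset management, analytics, reporting), which is the coordination role described above.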
Figure 5 highlights the central coordinating role provided by the MAP/CMDB.

Figure 5: MAP/CMDB information coordination role (the MAP/CMDB at the center, linked over the IF-MAP protocol to the SDN Controller, Asset Management System/MDM, Endpoint Security (via NAC), Policy Decision Point (PDP), IPAM, SIM/SEM, Physical Security, Embedded Systems, DLP, AAA, NIDS, HIDS, Switching, Wireless, and Firewalls)

Compliance checks may be triggered for multiple reasons, including:

- Network policy states that a previous check has aged out and become invalid.
- The TNC client (TNCC) notices that the relevant compliance data on the endpoint has changed, for example, due to application updates, deletions, or additions.
- The TNC server (TNCS) is alerted by a network sensor or an administrator (via the PDP's user interface) that a check must be completed.

All information exchanges between the collectors and verifiers are subject to the network's policy, which may limit the content or size of information sent between the endpoint and the PDP. Because the endpoint compliance report is sent in a standards-based schema (ISO/IEC :2009) over secure, standardized protocols (IF-T TLS), and the identifiers are stored in a centralized location (the MAP or CMDB) linked to unique endpoint identifiers, authorized users are able to access the report.

The TNC Architecture defines requirements for the PDP that include a RADIUS server. This is necessary for a NAC use case; however, it is not a requirement for a PDP used in an endpoint compliance-only use case. The PDP is responsible for gathering the information reported by the endpoints and storing the data in a CMDB or MAP. RADIUS functionality, if desired, may be implemented either on the PDP or separately in the network architecture.

The endpoint authenticates to the PDP using a machine certificate during the establishment of the outer tunnel achieved with IF-T. Ideally, this certificate should be associated with the identity of a Trusted Platform Module (TPM) if present on the endpoint. The enterprise should stand up a certificate root authority, install its root certificate on endpoints and on the PDP, and provision the endpoints and the PDP with machine certificates. The endpoint should also report updates as its local SWID repository changes, as well as each time it disconnects and reconnects to the network.
The PDP provides a persistent account of endpoints that have connected to the network over a period of time set by the administrator, such as:

- What endpoints are connected to the network at any given time
- What SWID tags were reported for the endpoints

The ability to answer these questions offers a standards-based approach to asset management and asset reporting, which is a vital part of enterprise tasks such as compliance report generation for FISMA, PCI, HIPAA, etc. The administrative interface also provides the ability for authorized users or infrastructure to locate endpoints running software for which vulnerabilities have been announced, because of (1) the unique IDs assigned to each device and (2) the rich application data provided in the devices' compliance reports. The MAP or CMDB can be queried to find all devices running a vulnerable application. Devices suspected of being vulnerable can be remediated by the network administrator or flagged for further scrutiny. The ability of the TNC client to notify the PDP whenever a modification is made to the endpoint enables immediate identification of endpoints that need remediation. TNC specifications support the ability to send quarantine and disconnect instructions to the responsible PEP for a noncompliant endpoint.

The MAP or CMDB's standardized API allows authorized infrastructure devices and software to search endpoint compliance reports for evidence that an endpoint's software inventory has changed, and it can make endpoint software inventory data available to other NAC devices. This automates security data sharing in a way that expedites the correlation of relevant network data, allowing administrators and infrastructure devices to identify odd device behavior and configuration using secure, standards-based schemas and protocols.

In summary, a TNC/SCAP-based endpoint continuous monitoring approach makes it possible to perform compliance checks against all network-connected devices by:

1. Uniquely identifying the endpoint and associated software.
2. Assessing compliance based on data from the endpoint or from server-based scans.
3. Creating a secure, authenticated, confidential channel between the endpoint and the PDP.
4. Enabling the endpoint to notify the PDP about changes to its configuration.
5. Enabling the PDP to request information about the configuration of the endpoint.
6. Storing the configuration information in a database linked to the identifier for the endpoint.
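The MAP/CMDB coordination described above (sensor event, PDP notification, quarantine instruction to the PEP, a query for endpoints running vulnerable software, and the three compliance-check triggers), modelled as an added example that is not Juniper code and not the IF-MAP wire protocol (which is SOAP/XML over TLS). Endpoint identifiers, the product name and the advisory are constructed.

```python
"""Added in-memory model of the TNC MAP/CMDB role: not the IF-MAP wire
protocol and not Juniper code. All identifiers and versions are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class SwidTag:
    """Subset of a SWID tag: product name and version (constructed)."""
    name: str
    version: str


@dataclass
class EndpointRecord:
    """Compliance report linked to a unique endpoint identifier, e.g. the
    fingerprint of the endpoint's machine certificate (constructed)."""
    endpoint_id: str
    software: List[SwidTag]
    last_checked: datetime


class MapServer:
    """Stores endpoint metadata and notifies subscribers when a sensor
    publishes an event about an endpoint they are responsible for."""

    def __init__(self) -> None:
        self.endpoints: Dict[str, EndpointRecord] = {}
        self.events: List[dict] = []
        self._subs: Dict[str, List[Callable[[dict], None]]] = defaultdict(list)

    def publish_inventory(self, rec: EndpointRecord) -> None:
        self.endpoints[rec.endpoint_id] = rec

    def subscribe(self, endpoint_id: str, callback: Callable[[dict], None]) -> None:
        self._subs[endpoint_id].append(callback)

    def publish_event(self, event: dict) -> None:
        self.events.append(event)
        for cb in self._subs.get(event["endpoint_id"], []):
            cb(event)

    def find_running(self, name: str, vulnerable_versions: Set[str]) -> List[str]:
        """Administrator query: which endpoints run a vulnerable version?"""
        return sorted(
            eid for eid, rec in self.endpoints.items()
            if any(t.name == name and t.version in vulnerable_versions
                   for t in rec.software))


class PolicyDecisionPoint:
    """Registers endpoints, subscribes to their events, and issues
    quarantine instructions to the PEP (modelled as a list)."""

    def __init__(self, mapserver: MapServer, max_age: timedelta) -> None:
        self.map = mapserver
        self.max_age = max_age  # network policy: how long a check stays valid
        self.pep_instructions: List[Tuple[str, str]] = []

    def register_endpoint(self, rec: EndpointRecord) -> None:
        self.map.publish_inventory(rec)
        self.map.subscribe(rec.endpoint_id, self.on_event)

    def on_event(self, event: dict) -> None:
        # A sensor alert for an endpoint this PDP is responsible for.
        if event["type"] == "ids-alert":
            self.pep_instructions.append((event["endpoint_id"], "quarantine"))

    def check_needed(self, endpoint_id: str, now: datetime,
                     inventory_changed: bool = False,
                     admin_request: bool = False) -> bool:
        """The three triggers: previous check aged out, TNC client reported
        a change, or an administrator/sensor requested a check."""
        rec = self.map.endpoints[endpoint_id]
        aged_out = now - rec.last_checked > self.max_age
        return aged_out or inventory_changed or admin_request


def run_demo() -> dict:
    """Constructed scenario: three endpoints, one IDS alert, one advisory."""
    mapsrv = MapServer()
    pdp = PolicyDecisionPoint(mapsrv, max_age=timedelta(hours=24))
    t0 = datetime(2014, 1, 1, 8, 0)
    pdp.register_endpoint(EndpointRecord("ep-a1", [SwidTag("ExampleReader", "9.0")], t0))
    pdp.register_endpoint(EndpointRecord("ep-b2", [SwidTag("ExampleReader", "9.1")], t0))
    pdp.register_endpoint(EndpointRecord("ep-c3", [SwidTag("ExampleReader", "9.0")],
                                         t0 + timedelta(hours=20)))
    # An IDS acting as a sensor publishes an alert; the PDP is notified at once.
    mapsrv.publish_event({"type": "ids-alert", "endpoint_id": "ep-b2",
                          "detail": "constructed alert"})
    # A constructed advisory names ExampleReader 9.0; query the MAP/CMDB.
    vulnerable = mapsrv.find_running("ExampleReader", {"9.0"})
    now = t0 + timedelta(hours=30)
    due = [eid for eid in mapsrv.endpoints if pdp.check_needed(eid, now)]
    return {"quarantined": pdp.pep_instructions, "vulnerable": vulnerable,
            "due_for_check": due}
```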

The endpoint context also requires a SIEM element that provides situational awareness and compliance support through the combination of flow-based network knowledge, security event correlation, and asset-based vulnerability assessment. SIEM tools should support asset profiling to identify assets that are at risk of attack, not just those that are already under attack. SIEM tools should automatically build these profiles from IPs appearing on the network, and allow administrators to group and weight the importance of the assets. This weighting is used to determine a security event's priority or risk ranking as the event occurs. SIEM tools need to integrate with MAP and/or CMDB sources to extend continuous monitoring intelligence for network discovery, NAC, and other network event processing within SIEM tools. SIEM tools maintain a historical perspective of user and system identity associated with the asset, and assets can be named and grouped by specific regulations for improved compliance management.

Data Center + Connectivity Context

The data center is composed of many parts, and it has a diverse set of continuous monitoring needs. Agencies need to monitor the network, their high value Web applications, and access to resources. Managers are also under pressure to cut costs and support dynamic workloads while not compromising quality of service delivery. Agencies are leveraging virtualization and moving from element management to orchestrated workflows, such as zero touch provisioning, to support these goals. Figure 6 highlights the key continuous monitoring functions that are needed for the data center. Some data center managers are struggling with how to reconcile competing priorities to virtualize their environments while still ensuring that existing requirements for protection and visibility are maintained.
For example, collapsing multiple servers into a single one composed of several virtual machines (VMs) eliminates all firewall, intrusion detection, and other protections in use prior to virtualization. Physical security measures literally become blind to traffic between VMs, since they are no longer in the data path. Consequently, they cannot enforce protections or maintain visibility. This platform diversity and the push to virtualization also make it difficult to employ an open standards approach for continuous monitoring in the data center. Specifically, SCAP is less than effective in defining the information security controls for virtual and physical servers, or for agency infrastructure such as connected copiers, printers, scanners, and file shares. Also, SCAP has not been effective in the support of security configuration controls for network communications. Defining and managing security control settings for agency server loads requires more effort than for endpoint configurations.

SCAP, anomaly detection, and host remediation capabilities operate identically in virtual and physical environments. Virtual environments can be taken offline when compute processing is not needed. These offline virtual environments can be stored on shared storage, but because the VM is not operating, they can become out of date from a compliance perspective. The ability to use a virtual switch control to remediate the virtual asset does not yet exist. Virtual machines will need to become operational to allow patching, compliance checking, and remediation of the virtual host to be supported. IT operations can set aside compute resources and schedule offline VM boot, patch, compliance check, and store operations to keep assets virtually ready. Log and event management are supported within the virtual environment when the VMs are operational and can be configured to work with the continuous monitoring infrastructure.
Figure 6: Key continuous monitoring functions for the data center (CM Edge Sensors and Responders; CM Core/Access/Resource Sensors and Responders across the edge, core, access, SAN and compute tiers; CM Managers and Repositories, including the Metadata Access Point (MAP), CMDB and SIEM; CM Network Service, CM Management Service, and CM IA Service)

High-performance, stateful firewalls are the cornerstone of security in the virtualized data center. Stateful firewalls enforce policies that align with mission requirements through the classification and segmentation of networks. Stateful firewalls provide both sensor and responder actions in a continuous monitoring approach. In addition to being the primary Layer 3/Layer 4 access control system, stateful firewalls can support many additional security functions and continuous monitoring sensors or responders, such as denial of service (DoS) or quota protections, DPI on specific applications, and Network Address Translation (NAT). With stateful firewalls, it is possible to introduce fine-grained control over all traffic flow types (intra-data center, inter-data center, and data center WAN). It is also possible to support key security functions such as NAT, Application Layer Gateway (ALG) services, IPsec VPN services, and distributed DoS protection, as well as unified threat management (UTM), which includes antivirus, anti-spam, and Web filtering. These continuous monitoring sense-and-respond functions should be implemented in a modular way per policy zone, as this approach provides maximum agility, efficiency, and performance.

There is a clear need for a hypervisor-neutral firewall capability in highly virtualized data centers. A virtual firewall that inspects all traffic to and from each VM can eliminate blind spots and enforce policies at the global, group, and per-VM level. With a virtual firewall, enterprises can granularly define security policies within zones of trust and precisely control whether VMs within the same zone of trust can communicate. This ensures isolation between and within trust levels, and allows for precise micro-segmentation.
A comprehensive continuous monitoring and security approach would include mechanisms to integrate the virtual firewall policy on the hypervisor with the physical network firewall policy above the hypervisor, and ensure that alerts are passed to continuous monitoring event managers. Network- and application-level attacks are an ongoing concern for the data center, and the data center network must be able to detect and prevent attacks in traffic flows by supporting versatile, high-performance IPS functionality as part of the security and continuous monitoring services. Because applications must be available to users at locations that are not inherently secure, the risk of misuse or application DoS will always be high. Moreover, because applications are colocated in virtualized data center infrastructures, a chain effect (in which an application is affected by the risk to which another application is exposed) can easily occur. IPS must be highly accurate in its detection and prevention capabilities, with low numbers of false positives and false negatives. Effective intrusion detection and prevention requires a multidimensional approach involving protocol analysis, anomaly detection, and signature analysis. IPS should support multiple detection modes and accommodate placement of sensors in different parts of the data center network. As an example, sniffer modes involve network taps that passively observe the flow of traffic and identify potential threats, whereas inline systems are deployed with traffic flows and can potentially prevent attacks in real time. Mixed mode solutions can deliver the benefits of both sniffer and inline methods. Responder actions that are triggered when an attack is detected should include the traditional allow/deny along with finer grained actions such as rate limiting, setting DiffServ code point (DSCP) marking, closing connections, and performing TCP resets. 
The IPS platforms should support the performance and capacities required in data centers of varying sizes and inspect Layer 4 through Layer 7 information at line rates. They should coordinate threat responses with other access control gateways (SSL VPN and NAC) by sharing attacker information, so that attacks can be mitigated closest to their source. Because protocol decoders in the IPS deconstruct streams and build the right context to look for threats, a powerful and rich protocol decoder must be in place. Finally, network-based security and continuous monitoring services, including intrusion detection, attack prevention, encryption, and monitoring, should be consolidated into highly scalable, virtualized security platforms to reduce security device sprawl. Historically, attack prevention has focused on identifying and thwarting malicious activity within allowed traffic, as evidenced by content security technologies such as antivirus and anti-spyware. These mechanisms have been a vital part of the network fabric and offer protection by identifying known attack patterns or behaviors that deviate from the norm. Unfortunately, new types of attacks are constantly occurring, and attackers often employ new ways to exploit and hide in allowed traffic. This places agencies in a continual mode of catch-up, trying to make sure that they have appropriate attack coverage against the latest vulnerabilities and threats. Organizations need tighter control over what can and cannot be done within a given application. In other words, the continuous monitoring approach must evolve from a reactive approach to a more proactive and adaptive stance. However, with the emergence of new applications, the application networking and security landscape continues to change. Although existing intrusion prevention techniques are still applicable, simply identifying source and destination addresses and port combinations no longer offers sufficient protection. 
Traditional stateful security devices assume that an application uses a service that runs over a fixed, predetermined, and publicly acknowledged TCP/UDP port number, and that the traffic being processed can be identified by looking at the first packet in a session. This approach no longer works, because the relationship between port numbers and applications is simply a convention that may not apply, and because it is necessary to examine subsequent packets to reliably establish the actual application and the specific functions or commands that are being used.

The concept of adaptive continuous monitoring is intended to address these evolving security threats. The idea is to go beyond traditional security approaches to identify exactly what actions are allowed by specific users in specific application instances. Application visibility and control are essential for applications such as BitTorrent, Skype, and YouTube, which are enabled on top of HTTP and use nonstandard ports (or even randomly assigned ports). Application control is also important to maintain agility in the data center. If an IT organization wants to shut down one application and bring up a new one, it must be able to do so quickly. If firewalls support only protocol and port mappings, doing so becomes a time-consuming and tedious task. To enable agility, firewall configuration must be supported at the application level with controls that are independent of ports and protocols.

To support application visibility and control, network security platforms such as enforcement gateways, firewalls, and monitoring systems must identify application context and user conversations with thorough and intelligent signature-based classification. They must provide visibility into the application infrastructure, making it possible to determine application usage profiles and other valuable application-level information. It must be possible to control application and resource access based on user identity, user attributes, device identity, and device attributes, not just source IP address. With a mobile, dynamic workforce that connects to application elements that reside on multiple servers within the data center, organizations can no longer assign access privileges based on a well-controlled and fixed user location represented by an IP address. To further complicate matters, hackers can easily impersonate legitimate users, or simply change the IP address they are using by pointing to a different anonymous proxy.
Additionally, new platforms such as virtual machines do not even use IP addresses as identifying marks. In other words, bad actors have many easy ways to disassociate themselves from IP addresses. Therefore, security services must be application- and identity-aware, and continuous monitoring services must monitor this user application context.

With regard to Web applications, continuous monitoring tools need to detect new attacks or be capable of detecting hackers who are still in the reconnaissance phase, probing for weaknesses to attack. New behavior-based Web activity monitoring tools can enable administrators to detect abuse activity with no false positives, flushing out abusive users, exposing attacks that were previously undetectable, and highlighting new and unknown attack vectors against the application. These tools slow abusive users down by creating a layer of deception and obfuscation around the application, making it extremely difficult to introspect and map. These tools should support a variety of response policies, including incident triggers, abuse profiles, and abuse responses.

Authentication, Authorization, and Accounting (AAA) services control whether users can log into systems, and they determine which resources each user is permitted to access. The continuous monitoring and network security infrastructure should be able to leverage existing identity and audit data stores, including Active Directory and Lightweight Directory Access Protocol (LDAP) servers, to enable correlations between legitimate actors, actions, and resources.

DPI technology helps deliver advanced continuous monitoring sense-and-respond services by identifying applications based on key characteristics and by applying policies appropriate to them. For example, a DPI-enabled network element can apply filtering policies to a video data stream to detect and act on malware payloads while also ensuring preferred quality of service for video streams.
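The port-versus-application problem discussed above (a session identified from its reassembled client-to-server payload rather than from its destination port or its first packet), as an added example that is not Juniper's application identification code. The signatures, port table, policy and sample sessions are constructed, and the TLS check only inspects the ClientHello record header.

```python
"""Added example: port-based versus content-based application classification.
Signatures, port table, policy and sessions are constructed; not Juniper code."""
from dataclasses import dataclass
from typing import List, Optional

# Conventional port-to-application mapping: the assumption that no longer holds.
PORT_TABLE = {22: "ssh", 80: "http", 443: "tls", 6881: "bittorrent"}

# Application-level policy, independent of ports (constructed).
APP_POLICY = {"http": "allow", "tls": "allow", "ssh": "allow",
              "bittorrent": "deny", "unknown": "deny"}


@dataclass
class Session:
    dst_port: int
    payloads: List[bytes]  # ordered TCP segment payloads, client to server


def classify_by_port(s: Session) -> str:
    """Traditional stateful view: the application is whatever the port implies."""
    return PORT_TABLE.get(s.dst_port, "unknown")


def match_signature(data: bytes) -> Optional[str]:
    """Content signatures over the bytes seen so far; None = not yet decidable."""
    if data.startswith(b"\x13BitTorrent protocol"):   # BitTorrent peer handshake
        return "bittorrent"
    if data.startswith(b"SSH-"):                       # SSH version banner
        return "ssh"
    # TLS: record type 0x16 (handshake), version 0x03xx, handshake type 0x01 (ClientHello)
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    for method in (b"GET ", b"POST ", b"HEAD ", b"PUT "):
        if data.startswith(method) and b" HTTP/1." in data:
            return "http"
    return None


def classify_first_packet(s: Session) -> Optional[str]:
    """Look only at the first payload-bearing packet of the session."""
    return match_signature(s.payloads[0]) if s.payloads else None


def classify_stream(s: Session, max_bytes: int = 1024) -> str:
    """Accumulate segments until a signature matches or the inspection budget is spent."""
    buf = b""
    for seg in s.payloads:
        buf += seg
        app = match_signature(buf)
        if app is not None:
            return app
        if len(buf) >= max_bytes:
            break
    return "unknown"


def decide(s: Session) -> dict:
    """Compare the two views and apply the application-level policy."""
    app = classify_stream(s)
    return {"by_port": classify_by_port(s), "by_content": app,
            "action": APP_POLICY[app]}


# Constructed sessions: BitTorrent hiding on port 80, an HTTP request line split
# across two segments on a nonstandard port, and TLS on a nonstandard port.
BT_ON_80 = Session(80, [b"\x13BitTorrent protocol" + b"\x00" * 8 + b"x" * 40])
SPLIT_HTTP = Session(8080, [b"GE", b"T /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"])
TLS_ON_8443 = Session(8443, [b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32])
```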
Performance monitoring also has the ability to detect capacity constraints that may be caused by security issues. For example, continuous monitoring, application, and network tools need the ability to detect and respond to distributed denial of service (DDoS) attacks, both volumetric attacks and the new, web-based, low and slow attacks. These tools need to maintain management access even during a DoS/DDoS attack so that route update processing continues.

To make continuous monitoring approaches truly adaptive and responsive, all continuous monitoring components must come together in a well-orchestrated ensemble under the IT organization's control. The term orchestration refers to the automated arrangement, coordination, and management of continuous monitoring components to meet continuous monitoring objectives. Because continuous monitoring orchestration is complex and depends heavily on an organization's specific continuous monitoring tools and the systems being monitored, its requirements are best met by an orchestration platform that is open and extensible for integration with diverse application and management systems. To be effective in the virtualized data center, an orchestration platform should include the following capabilities:

- Auto-discovery: To deliver on efficiency and productivity, a continuous monitoring orchestration platform should have robust, extensible, and standards-based discovery functions that automatically recognize the network elements in the data center network.
- Modular, extensible platform and architecture: To be effective in a diverse, multivendor environment, a continuous monitoring orchestration platform should allow simple and robust insertion of continuous monitoring modules based on well understood Service Oriented Architectures (SOAs), Web services, and application design principles (for efficiency, agility, and scale). This should include hot insertion, deletion, and change.

- Extensive and explicit use of standards: To be effective, the orchestration platform must leverage open standards such as Worldwide Web Consortium (W3C), Internet Engineering Task Force (IETF), and Trusted Network Connect (TNC) standards for open communication between network and application elements. It must also ensure smooth interoperability with existing and future management systems.
- Resilient, scalable, and distributed architecture: As virtual data centers evolve, they often require distribution of continuous monitoring capabilities to multiple distributed sites, to share responsibilities among distributed teams, and to extend visibility to new and distant infrastructures. An orchestration platform for this environment should be built on an architecture of replicated and distributed platforms and components, so that connectivity is maintained regardless of location, and access to continuous monitoring information is available despite changes in infrastructure availability and performance.
- Flexible, virtualized, and role-based user access: Because network, system, and security managers can be located anywhere and may be called upon to perform important continuous monitoring functions at virtually any time, the orchestration platform should allow secure access from multiple network and device locations by leveraging flexible user interface and access technologies.
- Cross-system correlation: The orchestration platform must be able to supervise the interplay of all monitored elements to ensure that vulnerabilities and threats are properly and accurately captured; dependencies between systems are understood (e.g., if this server or firewall is compromised, what behind it is at risk; if this server fails, what else is impacted); sharing of continuous monitoring information is provided between security, server, storage, and network teams; and context is provided (e.g., insider vs. external attacker).
- Threat intelligence: The orchestration platform must promote global threat visibility so that an attack at one location can be quickly identified and shared with other global users to help respond to zero day threats.
- Vulnerability intelligence: The orchestration platform needs to take actions based on the correlation of the vulnerability state of each monitored asset with other knowledge bases: what functions or applications are present; what is the current version and patch history of each function or application; what is the usage (installed and used, installed and not used, etc.); is the asset exploitable by a subject threat; what is the status of patching or other vulnerability abatement approach.

These orchestration features mean that, in addition to the automation that is already an integral part of each component manager, orchestration requires that components interoperate with each other, that continuous monitoring processes and rules are implemented properly, and that end-to-end continuous monitoring services are delivered completely and reliably. Continuous monitoring orchestration takes the data center a major step beyond localized automation to encompass fully coordinated visibility and adaptive control over the data center's continuous monitoring sensor, response, and reporting elements.

Cloud + Connectivity Context

Because successful attacks on federal information systems can result in serious damage to the interests of the United States, many agencies take a cautious approach to using commercial cloud services. For instance, the same visibility into the real-time use, traffic, and consumption of data or information within agency environments is required from commercial cloud services providing comparable services. To help mitigate the risk of using commercial services, agencies are required to acquire cloud commercial services from FedRAMP-certified cloud service providers (CSPs).
The standardization of Information Assurance (IA) controls and sharing of security assessment data through the FedRAMP program is intended to facilitate the adoption of commercially provided cloud services. An essential component of the ongoing, dependable use of externally provided cloud services is the integration of a cloud provider's continuous monitoring and response capabilities with an agency's systems for protecting information and ensuring FISMA compliance. This integration is needed to synchronize cyberattack detection, diagnosis, mitigation, and response activities and maintain ongoing assurance of agencies' information and missions.

In many ways, the continuous monitoring challenges and approaches for cloud environments are similar to those found in the data center, but there are several new uncertainties introduced by cloud computing:

- Processor: Where is my process running? Am I sharing the processor with other users/organizations?
- Data Storage: Where does my data reside? Is my data co-resident with other users' data? Are there copies of my data that were created without my knowledge or permission?
- Communications: How does my CSP know who I am? How is my connection to cloud components protected?
- Administration: Who administers the cloud infrastructure? Who has access to my data? My activity history?
- Key Management: Where and how are keys generated and stored? How are keys distributed and protected? How are keys and data recovered if lost? When and how are keys destroyed?

Generally, the process of continuous monitoring compliance required by FedRAMP is complex because data is located in the CSP's data centers, which may introduce regulatory compliance issues such as data privacy, locality, segregation, and security that must be enforced by the cloud provider. However, from a cloud user perspective, continuous monitoring control and visibility are highly limited for cloud environments. Data integrity and privacy have emerged as major concerns for cloud users. Cloud users are worried about who has access to their data in the cloud and demand more trustworthiness. Therefore, cryptography is integral to cloud operations. It is needed to support strong authentication of remote users and administrators. It is used to implement strong communication protocols between a user (browser) and the cloud. It is used to partition user data in multitenancy environments and provide data confidentiality (even from administrators). It is used to support data integrity (tamper detection). However, FedRAMP has weaknesses for monitoring the use of cryptography by CSPs:

- No minimum requirements for key parameters
- No explicit requirement for a Key Management Policy (KMP)
- No explicit requirement for a Key Management Practices Statement (KMPS)
- No requirement for key recovery

The result is that the cloud user has little visibility into cloud key management and limited assurance of the soundness of key management policies, practices, and operations by CSPs. This can translate into limited continuous monitoring visibility as well.

Multi-tenancy in cloud environments also introduces other continuous monitoring and security issues. Many production-level clouds optimistically assume that all cloud nodes are equally trustworthy when dispatching jobs; jobs are dispatched based on node load, not reputation. This increases their vulnerability to attack, since compromising even one node suffices to corrupt the integrity of many distributed computations.
Moreover, unintentional data leakage can be introduced by VM replication. Some confidential information, such as passwords or cryptographic keys, can be recorded while an image is being created. If the image is not cleaned, this sensitive information can be exposed to other users. VM images are dormant artifacts that are hard to patch while they are offline, and cloud users may have vulnerabilities exposed by uncontrolled VM migration. The increasing use by CSPs of REST services, for which there is no security standard, also implies that inter-service communication may be handled in a mostly ad hoc, and possibly insecure, manner.

Cloud computing technologies can also enhance continuous monitoring capabilities. For example, they enable large-scale analysis of complex cyber sensor data to advance the hunt for vulnerabilities and threats. This large-scale analysis can provide long-term trending on network activity to continuously compare what's happening now against those trends. This type of trend analysis can reveal anomalies such as advanced persistent threats (APTs). Cloud resources can also be used to pre-compute activity patterns for every user over many dimensions on all of their sessions to distinguish normal from anomalous behavior. Cloud analytics can also be used to ferret out rare oscillations in communications between two hosts to help detect low and slow attacks.

SDN is another cloud-based capability which can also support the dynamic orchestration needed for adaptive cyber countermeasures and responses. Cloud-based applications have undergone a shift to virtualized services over a number of years. However, a corresponding transition to virtual network functions that facilitate cloud connectivity has lagged this transition to virtual services. The network has been considered physical infrastructure that is planned, deployed, and managed separately from virtual business applications. This line of thinking is changing with the advent of SDN.
SDN embraces the concept that the network needs to have the same flexibility as the business application with respect to elasticity of resources in use, agility to deploy new services, as well as orchestrated management. This is done by decoupling the system that makes decisions about where traffic is sent (the control plane) from the underlying systems that forward traffic to the selected destinations (the data plane). Figure 7 reflects the layers of SDN and this decoupling of the control plane from the forwarding plane.

Figure 7: SDN layers (OSS/BSS and DC Orchestration System exposing REST APIs at the top; control plane/policy with configuration management and automation; control plane; virtual service overlay; physical network/forwarding plane; automation, compute and analytics alongside)

SDN technology enables service orchestration of virtual networking services, thereby removing the dependence on physical appliances that hinder agility and add cost to cloud deployments. To intermediate the business processes with network operations, a network controller is enabled. This controller translates abstract commands into specific rules applied at the physical underlay to automate the network control and provisioning of workloads. This abstraction allows the customer to request virtual machines without getting into the details of underlying elements like ports, VLANs, subnets, etc. In addition to managing network virtual machines, SDN technology provides additional capabilities like service chaining of security and continuous monitoring services. Specifically, virtual network functions can be dynamically configured at the edge of the network in series or in parallel with the virtual mission application by an SDN controller. For instance, a virtual firewall function is configured and a network controller has chained this service in series with other continuous monitoring/security services to secure and monitor the virtual mission application. In addition, a set of higher order logic processing could determine that a firewall rule, protocol, or port should be changed to respond to certain events or threats to the mission application. Figure 8 depicts this service chaining capability.
Figure 8: Service chaining of security and continuous monitoring virtual functions (Contrail SDN controller and orchestrator configuring dynamic service chains of firewall VMs, on MX Series routers with x86 service cards and pools of x86 appliances, between the mobile, broadband and enterprise edges and tenant networks A and B in the data center)

SDN improves the agility of cloud-based systems but also introduces new continuous monitoring and security challenges. SDN controllers increase the exposure of northbound interfaces to other applications that interact with the controller and the rest of the network. Therefore, SDN environments depend on strong authentication of users and applications and must ensure that controls like encryption are mandated between the forwarding plane and the control plane. Essentially, strong controls and monitoring are needed to ensure that the control plane, the crown jewels of the network, is protected from attacks by external elements that previously had to pass through intermediate elements. Additionally, since SDN controllers require a secure, dedicated connection to the elements they're managing, the threat of denial of service increases. Therefore, the elements that comprise the four SDN layers must be protected and monitored for DoS attacks.

Perhaps more important, though, are the issues arising from SDN's consolidation of control. In a centralized architecture like SDN, the central control framework for network services is the absolute arbiter of connection rules, and if you compromise it, you have compromised everything. Attacks against the control plane aren't the only risk posed by this central arbiter of policies. There's also the issue of policy collisions. While SDN enables automation, problems may occur without proper management of the policies that drive the automatic control of the infrastructure. There are a number of scenarios where policy collisions could occur and cause problems with visibility and transparency that might be difficult to troubleshoot. Continuous monitoring tools must be implemented to monitor for these different security issues posed by SDN controllers.

Juniper Networks Capabilities for Continuous Monitoring

Juniper Networks offers a wide variety of sense-and-respond capabilities needed to support continuous monitoring.
A sampling of these capabilities is presented in Figure 9, which depicts an end-to-end notional architecture. Many of these capabilities are offered in physical and virtual appliance form factors along with different scaling options. Also, these capabilities provide open interfaces, and many are based on open standards to facilitate their integration with third-party continuous monitoring tools. Note that all aspects of continuous monitoring are supported: boundary protection and incident response/management, managing access and data center infrastructure integrity, and endpoint compliance and integrity. Descriptions of these capabilities are presented below.

As depicted in Figure 9, Juniper offers next-generation security products that include Juniper Networks SRX Series Services Gateways, Firefly Host, WebApp Secure, Spotlight Secure attacker database, DDoS Secure, and Unified Access Control. These capabilities are available on dedicated hardware, hypervisors, and SDN-centric data centers. For an enterprise with physical, virtualized, or hybrid data centers and plans toward SDN, there is no comparable alternative for the breadth of data center protection, detection accuracy, and SDN architecture support.

SRX Series Services Gateways

SRX Series Services Gateways are high-performance network security solutions that deliver security, routing, and networking capability. Built specifically for security, the SRX Series offers next-generation firewall, application visibility and control, IPS, as well as other security services. The SRX Series packs high port density, advanced security, and flexible connectivity into easily managed platforms. The SRX Series is at the core of securing the network, and it is integrated with the other solutions to secure applications and secure access.
Firefly Host

Firefly Host is a comprehensive virtualization security solution that includes a high-performance, hypervisor-based stateful firewall, integrated intrusion detection system (IDS), virtualization-specific antivirus protection, and unrivaled scalability for managing multitenant cloud security. Firefly Host brings forward powerful features that offer layers of defenses and automated security as well as compliance enforcement within virtual networks.

Figure 9: Notional architecture of Juniper Networks end-to-end continuous monitoring capabilities (secure access: Junos Pulse, Junos Pulse Secure Access Service, Junos Pulse Access Control Service, Juniper Endpoint Profiler; management and intelligence: Spotlight Secure, Junos Space Security Director, Secure Analytics; secure applications: Web App Security; secure network: AppSecure, SRX Series Services Gateways, DDoS Secure, Firefly Host, Contrail)

For boundary protection: The Juniper Networks SRX Series Services Gateways with Firefly Host integration deliver the security necessary for today's data center with its mix of physical and virtualized workloads. The SRX Series delivers zone-based segregation at the data center perimeter. Firefly Host integrates the knowledge collected in SRX Series zones to ensure that zone integrity is enforced on the hypervisor. Specifically, Firefly Host then uses that information with the Firefly Host management system (i.e., Security Design for Firefly Host) to create VM Smart Groups so that users of Firefly Host can see VM-to-zone attachments, create additional inter-VM zone policies, and incorporate zone knowledge into compliance checks (for example, is a Client X VM connected to a Client Y zone?). Together, these solutions deliver stateful firewall and optional malware detection for inter-zone and inter-VM traffic; compliance monitoring and enforcement of SRX Series zones within the virtualized environment; and automated quarantine of VMs that violate access, regulatory, or zone policies.
Figure 10 illustrates this solution.

Figure 10: Integrated SRX Series and Firefly Host solution (VMs on VMware vSphere protected by Firefly Host; firewall event syslogs and NetFlow for inter-VM traffic exported; zone synchronization and traffic monitoring to IPS on the SRX Series via EX Series switches)
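The zone-compliance check just described (is a Client X VM attached to a Client Y zone?) and the policy-collision problem raised in the SDN section above, as one added example in Python that is not Juniper's code: it runs both checks over constructed zone, VM and inter-zone policy data and derives the quarantine action for violating VMs. The wildcard zone name "any", first-match rule evaluation, and every client, zone and VM name are assumptions of this example.

```python
"""Added example (not Juniper code). Two continuous monitoring checks over
constructed inventory data:
  1. zone compliance: a VM attached to a zone its owning client does not own,
     and the automated quarantine response for such VMs;
  2. policy collision: an inter-zone rule installed by an automated controller
     that is fully shadowed by an earlier rule taking the opposite action.
All client, zone, VM and rule data below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY = "any"                 # assumed wildcard zone name
QUARANTINE = "quarantine"   # assumed name of the quarantine zone


@dataclass(frozen=True)
class Zone:
    name: str
    owner: str                  # client/tenant that owns the zone


@dataclass(frozen=True)
class VM:
    name: str
    owner: str
    zones: Tuple[str, ...]      # zone attachments learned from the perimeter firewall


@dataclass(frozen=True)
class Policy:
    order: int                  # evaluation order as installed by the controller
    src_zone: str
    dst_zone: str
    action: str                 # "permit" or "deny"


def zone_violations(vms: List[VM], zones: List[Zone]) -> List[Tuple[str, str]]:
    """Return (vm, zone) pairs where a VM sits in a zone another client owns.
    A zone unknown to the perimeter inventory counts as a violation too;
    the quarantine zone is exempt so quarantined VMs are not re-flagged."""
    owner_of = {z.name: z.owner for z in zones}
    return [(vm.name, z) for vm in vms for z in vm.zones
            if z != QUARANTINE and owner_of.get(z) != vm.owner]


def quarantine_plan(vms: List[VM], zones: List[Zone]) -> Dict[str, Tuple[str, ...]]:
    """Automated response: every violating VM is re-homed to the quarantine zone only."""
    offenders = {vm_name for vm_name, _ in zone_violations(vms, zones)}
    return {name: (QUARANTINE,) for name in sorted(offenders)}


def _covers(rule: Policy, src: str, dst: str) -> bool:
    """True when rule matches every flow a (src, dst) zone pair can match."""
    return rule.src_zone in (src, ANY) and rule.dst_zone in (dst, ANY)


def policy_collisions(policies: List[Policy]) -> List[Tuple[str, int, int]]:
    """Return (kind, rule_order, shadowing_rule_order) findings.
    'collision': an earlier rule covers this rule and takes the opposite action,
    so this rule never fires and the controller's intent is silently lost.
    'redundant': covered by an earlier rule with the same action.
    Partial overlaps (specific rule followed by a wildcard) are not reported,
    because both rules still take effect under first-match evaluation."""
    ordered = sorted(policies, key=lambda p: p.order)
    findings: List[Tuple[str, int, int]] = []
    for i, rule in enumerate(ordered):
        for earlier in ordered[:i]:
            if _covers(earlier, rule.src_zone, rule.dst_zone):
                kind = "collision" if earlier.action != rule.action else "redundant"
                findings.append((kind, rule.order, earlier.order))
                break   # first matching earlier rule is the one that wins
    return findings


# Constructed inventory: two clients sharing one virtualized data center.
ZONES = [Zone("x-web", "ClientX"), Zone("x-db", "ClientX"),
         Zone("y-web", "ClientY"), Zone(QUARANTINE, "security")]
VMS = [VM("vm-x1", "ClientX", ("x-web",)),
       VM("vm-x2", "ClientX", ("x-db", "y-web")),   # Client X VM on a Client Y zone
       VM("vm-y1", "ClientY", ("y-web",)),
       VM("vm-y9", "ClientY", ("x-db",))]           # Client Y VM on a Client X zone
POLICIES = [Policy(1, "x-web", "x-db", "permit"),
            Policy(2, ANY, "x-db", "deny"),
            Policy(3, "x-web", "x-db", "deny"),      # shadowed by rule 1, opposite action
            Policy(4, "y-web", "x-db", "permit"),    # shadowed by rule 2, opposite action
            Policy(5, "x-web", "x-db", "permit")]    # duplicate of rule 1

if __name__ == "__main__":
    for finding in zone_violations(VMS, ZONES):
        print("zone violation:", finding)
    print("quarantine plan:", quarantine_plan(VMS, ZONES))
    for finding in policy_collisions(POLICIES):
        print("policy finding:", finding)
```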

From a data center infrastructure and application integrity perspective: Threats include disruption of availability and hacking/data breaches of Web applications. DDoS protection ensures that applications remain online and responsive to legitimate users. Intrusion deception accurately identifies hackers and enables flexible countermeasures both at the application layer and, through tight intelligence integration, at the network firewall. The Juniper security product line provides the most comprehensive data center protection regimen of its kind, complementing the protections of next-generation firewalls, reputation feeds, IPS, and Web application firewalls.

WebApp Secure

WebApp Secure takes Web application protection to the next level, using the latest intrusion deception technology to definitively identify and mislead attackers while simultaneously profiling and fingerprinting them. Deployed in front of application servers behind the firewall, WebApp Secure is enhanced with the integration of security intelligence from other sources provided by Spotlight Secure. With this integrated intelligence, Juniper delivers threat mitigation with significantly better accuracy compared to IP-address-only approaches, like current next-generation firewalls and reputation feeds. With Spotlight Secure, agencies can monitor and identify hackers as they move from target to target around the world. WebApp Secure also provides a level of additional information and advanced analysis that Big Data security technologies can't provide when addressing issues around user Web activity and how those activities impact risk within the IT environment. WebApp Secure is integrated with the SRX Series to extend the ability of the SRX Series to block attackers that are identified at the security perimeter, and it is particularly effective in blocking high volume automated hacking tools.
Spotlight Secure

Spotlight Secure is a new cloud-based threat intelligence solution that will identify individual attackers at the device level (versus the IP address) and track them in a global database. The product creates a persistent fingerprint of attacker devices based on more than 200 unique attributes, delivering precise IDs to block attackers without the false positives that could impact valid users. Once an attacker is identified and fingerprinted on a subscriber's network using WebApp Secure, the global Spotlight Secure threat intelligence solution immediately shares the attacker profile with other subscribers, providing an advanced real-time security solution across multiple networks.

DDoS Secure

DDoS Secure delivers fully automated DDoS protection for websites and Web applications. This solution uses a unique, behavior-based approach to DDoS mitigation that provides protection for high volume attacks, as well as advanced low-and-slow application attacks, with minimal false positives. DDoS Secure can be deployed as a hardware appliance or as a virtual machine (VM) in private, public, or hybrid cloud environments.

Unified Access Control

UAC combines user identity, device type and integrity reports, and user location information to create a unique, dynamic access control policy per user and per session. UAC incorporates different levels of session-specific policy to create extremely granular access control that is easy to deploy, maintain, and dynamically modify. As the centralized policy decision point, UAC is integrated with the SRX Series, with the latter acting as the enforcement point to block unauthorized network access. UAC may be deployed as a dedicated appliance on the MAG Series gateways, or as a virtual appliance.
Juniper Networks Unified Access Control, comprised of the Junos Pulse Access Control Service running on MAG Series Junos Pulse Gateways, ensures that users are authorized to access the network and data center resources before being granted access, and that their devices comply with a baseline of security policy at time of connect and throughout their network session. UAC is a uniquely extensible, open solution that delivers granular access control to the entire distributed enterprise, from remote users and branch offices to the data center, while reducing cost and complexity. UAC addresses myriad network challenges such as effective network segmentation or enclaves, insider threats, guest access, bring your own device (BYOD), and regulatory compliance to protect an organization's networks, mission-critical applications, and sensitive data.

Junos Pulse

For endpoint compliance and integrity, Juniper offers Junos Pulse, including Host Checker, and Junos Pulse Mobile Security Suite. Junos Pulse is an endpoint software platform that enables dynamic SSL VPN connectivity, NAC, mobile security, online meetings and collaboration, and application acceleration, through a simple yet elegant user interface. It delivers optimal connectivity to end users depending on their device type and security state, location, identity, and adherence to corporate access control policies. Junos Pulse uses industry and open standards such as the TNC specifications, and it serves as a platform for integration of select third-party, best-in-class security, access, and connectivity applications.


More information

REVOLUTIONIZING ADVANCED THREAT PROTECTION

REVOLUTIONIZING ADVANCED THREAT PROTECTION REVOLUTIONIZING ADVANCED THREAT PROTECTION A NEW, MODERN APPROACH Blue Coat Advanced Threat Protection Group GRANT ASPLUND Senior Technology Evangelist 1 WHY DO I STAND ON MY DESK? "...I stand upon my

More information

Ovation Security Center Data Sheet

Ovation Security Center Data Sheet Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations

More information

Achieving PCI Compliance Using F5 Products

Achieving PCI Compliance Using F5 Products Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity

More information

Compliance Overview: FISMA / NIST SP800 53

Compliance Overview: FISMA / NIST SP800 53 Compliance Overview: FISMA / NIST SP800 53 FISMA / NIST SP800 53: Compliance Overview With Huntsman SIEM The US Federal Information Security Management Act (FISMA) is now a key element of the US Government

More information

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc. Company Co. Inc. LLC Multiple Minds, Singular Results LAN Domain Network Security Best Practices An integrated approach to securing Company Co. Inc. LLC s network Written and Approved By: Geoff Lacy, Tim

More information

Vyatta Network OS for Network Virtualization

Vyatta Network OS for Network Virtualization Complete Security and Compliance for Virtual Environments Vyatta takes the concept of virtualization beyond just applications and operating systems and allows enterprise IT to also virtualize network components

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information

INCIDENT RESPONSE CHECKLIST

INCIDENT RESPONSE CHECKLIST INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged

More information

Unified Security, ATP and more

Unified Security, ATP and more SYMANTEC Unified Security, ATP and more TAKE THE NEXT STEP Martin Werner PreSales Consultant, Symantec Switzerland AG MEET SWISS INFOSEC! 27.01.2016 Unified Security 2 Symantec Enterprise Security Users

More information

The Cloud App Visibility Blindspot

The Cloud App Visibility Blindspot The Cloud App Visibility Blindspot Understanding the Risks of Sanctioned and Unsanctioned Cloud Apps and How to Take Back Control Introduction Today, enterprise assets are more at risk than ever before

More information

The SIEM Evaluator s Guide

The SIEM Evaluator s Guide Using SIEM for Compliance, Threat Management, & Incident Response Security information and event management (SIEM) tools are designed to collect, store, analyze, and report on log data for threat detection,

More information

IBM Security QRadar Vulnerability Manager

IBM Security QRadar Vulnerability Manager IBM Security QRadar Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution Highlights Help prevent security breaches by discovering and highlighting high-risk

More information

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP belka@att.net

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP belka@att.net Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP belka@att.net Security Security is recognized as essential to protect vital processes and the systems that provide those

More information

Technology Blueprint. Assess Your Vulnerabilities. Maintain a continuous understanding of assets and manage vulnerabilities in real time

Technology Blueprint. Assess Your Vulnerabilities. Maintain a continuous understanding of assets and manage vulnerabilities in real time Technology Blueprint Assess Your Vulnerabilities Maintain a continuous understanding of assets and manage vulnerabilities in real time LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL 1

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

Security Services. 30 years of experience in IT business

Security Services. 30 years of experience in IT business Security Services 30 years of experience in IT business Table of Contents 1 Security Audit services!...!3 1.1 Audit of processes!...!3 1.1.1 Information security audit...3 1.1.2 Internal audit support...3

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information

IBM Security. 2013 IBM Corporation. 2013 IBM Corporation

IBM Security. 2013 IBM Corporation. 2013 IBM Corporation IBM Security Security Intelligence What is Security Intelligence? Security Intelligence --noun 1.the real-time collection, normalization and analytics of the data generated by users, applications and infrastructure

More information

Content-ID. Content-ID enables customers to apply policies to inspect and control content traversing the network.

Content-ID. Content-ID enables customers to apply policies to inspect and control content traversing the network. Content-ID Content-ID enables customers to apply policies to inspect and control content traversing the network. Malware & Vulnerability Research 0-day Malware and Exploits from WildFire Industry Collaboration

More information

e2e Secure Cloud Connect Service - Service Definition Document

e2e Secure Cloud Connect Service - Service Definition Document e2e Secure Cloud Connect Service - Service Definition Document Overview A cloud connectivity service that connects users, devices, offices and clouds together over the Internet. Organisations can choose

More information

Automate PCI Compliance Monitoring, Investigation & Reporting

Automate PCI Compliance Monitoring, Investigation & Reporting Automate PCI Compliance Monitoring, Investigation & Reporting Reducing Business Risk Standards and compliance are all about implementing procedures and technologies that reduce business risk and efficiently

More information

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE PRODUCT BRIEF uugiven today s environment of sophisticated security threats, big data security intelligence solutions and regulatory compliance demands, the need for a log intelligence solution has become

More information

Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF

Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF Businesses around the world have adopted the information security standard ISO 27002 as part of their overall risk

More information

vsrx Services Gateway: Protecting the Hybrid Data Center

vsrx Services Gateway: Protecting the Hybrid Data Center Services Gateway: Protecting the Hybrid Data Center Extending Juniper Networks award-winning security products to virtualized, cloud-based, and hybrid IT environments Challenge Virtualization and cloud

More information

Introducing IBM s Advanced Threat Protection Platform

Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Extensible Approach to Threat Prevention Paul Kaspian Senior Product Marketing Manager IBM Security Systems 1 IBM NDA 2012 Only IBM

More information

IBM SECURITY QRADAR INCIDENT FORENSICS

IBM SECURITY QRADAR INCIDENT FORENSICS IBM SECURITY QRADAR INCIDENT FORENSICS DELIVERING CLARITY TO CYBER SECURITY INVESTIGATIONS Gyenese Péter Channel Sales Leader, CEE IBM Security Systems 12014 IBM Corporation Harsh realities for many enterprise

More information

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform WHITE PAPER Cloud-Based, Automated Breach Detection The Seculert Platform Table of Contents Introduction 3 Automatic Traffic Log Analysis 4 Elastic Sandbox 5 Botnet Interception 7 Speed and Precision 9

More information

Secure Cloud Computing

Secure Cloud Computing Secure Cloud Computing Agenda Current Security Threat Landscape Over View: Cloud Security Overall Objective of Cloud Security Cloud Security Challenges/Concerns Cloud Security Requirements Strategy for

More information

Chapter 1 The Principles of Auditing 1

Chapter 1 The Principles of Auditing 1 Chapter 1 The Principles of Auditing 1 Security Fundamentals: The Five Pillars Assessment Prevention Detection Reaction Recovery Building a Security Program Policy Procedures Standards Security Controls

More information

Content Security: Protect Your Network with Five Must-Haves

Content Security: Protect Your Network with Five Must-Haves White Paper Content Security: Protect Your Network with Five Must-Haves What You Will Learn The continually evolving threat landscape is what makes the discovery of threats more relevant than defense as

More information

A Look at the New Converged Data Center

A Look at the New Converged Data Center Organizations around the world are choosing to move from traditional physical data centers to virtual infrastructure, affecting every layer in the data center stack. This change will not only yield a scalable

More information

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Protect the data that drives our customers business. Data Security. Imperva s mission is simple: The Imperva Story Who We Are Imperva is the global leader in data security. Thousands of the world s leading businesses, government organizations, and service providers rely on Imperva solutions to prevent

More information

White Paper. Protecting Databases from Unauthorized Activities Using Imperva SecureSphere

White Paper. Protecting Databases from Unauthorized Activities Using Imperva SecureSphere Protecting Databases from Unauthorized Activities Using Imperva SecureSphere White Paper As the primary repository for the enterprise s most valuable information, the database is perhaps the most sensitive

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Driving Company Security is Challenging. Centralized Management Makes it Simple. Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary

More information

TRIPWIRE NERC SOLUTION SUITE

TRIPWIRE NERC SOLUTION SUITE CONFIDENCE: SECURED SOLUTION BRIEF TRIPWIRE NERC SOLUTION SUITE TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on our mission of delivering

More information

Data Center security trends

Data Center security trends Data Center security trends Tomislav Tucibat Major accounts Manager, Adriatic Copyright Fortinet Inc. All rights reserved. IT Security evolution How did threat market change over the recent years? Problem:

More information

Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services

Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services Udo Schneider Trend Micro Udo_Schneider@trendmicro.de 26.03.2013

More information