FIREWALL INTELLIGENCE. 1 Copyright 2014 Juniper Networks, Inc.

Transcription

1 FIREWALL INTELLIGENCE 1

2 AGENDA SLIDE Introduction to Firewall Intelligence Overview Use Cases Demo / Screenshots Questions? 2

3 THE NEXT LEAP FORWARD FOR THE FIREWALL LAYER Next Gen Firewall Intelligent Firewall STATIC DYNAMIC 1 Traditional Firewall 3 LAYER 3

4 THE NEED FOR FIREWALL INTELLIGENCE The ability to attack is outpacing the ability for many to defend themselves. As the threats and markets that drive them continue to evolve, so too do the ways companies defend themselves. There is no silver bullet for security. Solutions must evolve from a collection of static standalone devices to an ecosystem of collaborating devices. Static firewalls may work for policy enforcement (ex: Firewall, AppFirewall) but is not good enough for threat detection and mitigation. Customer need the ability to include real-time threat feeds from any source that make sense for their specific industry, and not be locked into a single vendors feeds. 4

5 FIREWALL INTELLIGENCE ECOSYSTEM Data Feeds Spotlight Cloud Attacker Fingerprints Spotlight Intelligence Spotlight Connector SRX Firewalls WebApp Secure Custom Intelligence Feeds 5

6 AGENDA SLIDE Introduction to Firewall Intelligence Overview Use Cases Demo / Screenshots Questions? 6

7 CHALLENGES WITH EXISTING FEED SOLUTIONS Many of existing feed solutions does not provide good enough coverage since the feed is either too small or is not updated often enough Many of existing feed solution generates too many false positives. This provides two big challenges for the customers: It prevents admin from taking action based on feed data, due to the risk of blocking valid traffic. Due to the amount of false positives it is very hard for administrators to find the infected devices among all the false positives. Junipers Security Intelligence team takes a large set of both internal and external feeds, analyzes them in different test beds to then generate relevant and accurate feeds of data to our customers. 7

8 SPOTLIGHT CLOUD THE SECURITY INTELLIGENCE ENGINE Hacker Fingerprints Third Party Feeds Open Source Feeds Spotlight Cloud Juniper Security Intelligence Feeds` Internal Feeds Feed Validation - False Positive vs True Positive testing - Correlation between feeds - Machine based learning - 8

9 OVERVIEW OF THE SECURITY INTELLIGENCE SOLUTION Information Sources Spotlight Connector Enforcement Points Security Director Spotlight Cloud Spotlight Connector Custom whitelist/blacklist 9

10 COMPONENTS IN THE SECURITY INTELLIGENCE SOLUTION Information Sources Junos Space Platform (13.3r1) Enforcement Points Spotlight Cloud (C&C + GeoIP feed) Security Director (13.3r2) SRX Branch (2G) 12.1x46-D25* (550/650) 100s/200s TBD SRX 1k/3k 12.1x46-D25* WebAppSecure (5.5) (Attacker IP and Fingerprint feed) Spotlight Connector Custom whitelist/blacklist (IP list feed) SRX 5k 12.1x46-D25* * The exact Junos release is not yet committed and may change 10

11 AGENDA SLIDE Introduction to Firewall Intelligence Overview Use Cases Demo / Screenshots Questions? 11

12 WHAT CAN YOU DO WITH A SECURITY INTELLIGENCE ECOSYSTEM? Stop bots & detect infections w/ Command & Control blocking Custom intelligencebased controls Block hackers w/ attacker fingerprints And there will be more High speed incident response flexibility Dynamically control GEOIP traffic 12

13 USE-CASE #1: DETECTION OF INFECTED HOSTS Spotlight Cloud IP/URL feed Spotlight Connector IP/URL feed Internet SRX Command & Control Blocking Infected devices tries to connect to a known Command & Control server on the Internet. SRX mitigates the traffic based on a real-time feed of known Command & Control IP:s and URL:s from the Spotlight cloud. The feed data is dynamically loaded and does not require any commit or configuration change. 13

14 USE-CASE #2: GEOIP BASED TRAFFIC INSPECTION Dynamic Address Groups Dynamic Address Groups can be used as either Source Address or Destination Address in a firewall rule. A Dynamic Address Group is updated dynamically and does not require any configuration commit. The following type of feeds are supported in the first version: Custom IP-list feeds (from file) GeoIP feed (from Spotlight Cloud) 14

15 USE-CASE #3: CUSTOM IP FEEDS Blocking or changing inspection depth based on a custom feed of addresses. IP feed IP feed Internet Customer gets a list of IP addresses, from a trusted third party, that they want to use for policy enforcement. The file is posted on a webserver. The Connector polls this file on a given interval and updates the SRX dynamically with the IP:s, without any commit or configuration change required. Spotlight Connector The feed can either be used as simple blacklist, or it can be assigned to a dynamic address group and used for source or destination match in the firewall policy. 15

16 AGENDA SLIDE Introduction to Firewall Intelligence Overview Use Cases Demo / Screenshots Questions? 16

17 POLICY DEMO #1 Security Intelligence Policy - Command&Control - Attacker Fingerprints - Custom Blocklists 17 Copyright Juniper Networks, Inc.

18 HOW DO YOU CONFIGURE YOUR SRX FIREWALL FOR INTELLIGENCE? Information Source Profiles Policies Rules Identify the source of the intelligence Define what SRX does w/ the intelligence Use automated settings or customize your own Combine different profiles into a Security Intelligence policy Add Security Intelligence policies into Firewall policies 18

19 INTRODUCTION TO SD This is Security Director, is our central management platform that can manage thousands of SRX firewalls. From this platform you can configure - Firewall policies - VPN - Intrusion Prevention - NAT - (also normal Device Setting)..and - SECURITY INTELLIGENCE that we are going to talk about now 19

20 This is the landing page for Security Intelligence. SECURITY INTELLIGENCE OVERVIEW Information Sources. These sources provides intelligent real-time feed data to the Spotlight Connector. Example of feed-data is: - GeoIP (country-to-ip) mapping - Known destinations for Command&Control traffic - Hacker fingerprints - Custom Feeds (internal or third party) Spotlight Connector Central connection point between feeds and devices. Provides control and intelligence to the solution. Security Devices This is our family of SRX firewalls that will turn the security intelligence into actions and visibility. 20

21 Information Sources INFORMATION SOURCES We support three different type of information sources in the first release. Spotlight Cloud Juniper feed of GeoIP and C&C WebAppSecure Feed of attacker fingerprints and IP:s from Juniper WebApp Secure appliances. Custom Custom file that you can either manually upload or use a scheduled poll from a webserver. This enables customers to dynamically feed addresses into the SRX firewalls to either block or just increase inspection and visibility for. 21

22 PROFILES #1(2) Security Intelligence Profiles On this page the administrator configures profiles for what actions to take for a specific feed and for a specific Threat Level. Juniper provides Recommended Actions (that is why the settings are grey). If you want to change the default settings just change the Action from Default to Custom In the first release we support the following actions: - Permit - Block - Redirect With message, block-page or URL redirect 22

23 PROFILES #2(2) Feed categories that support threat levels in the first release are: - Command&Control - JWAS Attacker Fingerprints By changing from default to Custom you can now modify the default actions and log-levels as you need. 23

24 Policies SECINTEL POLICIES To make it easier to combine profiles and apply them consistently across multiple firewall rules, we have Policies. In the Policy you will select the profiles that you want to include. If you want to test a different profile you can easily just change it here and it will apply across all your firewall rules where you have referenced this policy. 24

25 Firewall Rulebase FIREWALL RULEBASE It is here in the firewall rulebase where you activate what Security Intelligence Policy that you want to enable for what type of traffic. It work in combination with all other existing SRX L7 features such as: - IPS - AppFW / AppQoS - AntiVirus - WebFiltering 25

26 POLICY #2 Dynamic Addressbook - Custom IP Feeds - GeoIP 26 Copyright Juniper Networks, Inc.

27 SECURITY INTELLIGENCE OVERVIEW This is the landing page for Security Intelligence. Information Sources. These sources provides intelligent real-time feed data to the Spotlight Connector. Example of feed-data is: - GeoIP (country-to-ip) mapping - Known destinations for Command&Control traffic - Hacker fingerprints - Custom Feeds (internal or third party) Spotlight Connector Central connection point between feeds and devices. Provides control and intelligence to the solution. Security Devices This is our family of SRX firewalls that will turn the security intelligence into actions and visibility. 27

28 Information Sources INFORMATION SOURCES We support three different type of information sources in the first release. Spotlight Cloud Juniper feed of GeoIP and C&C WebAppSecure Feed of attacker fingerprints and IP:s from Juniper WebApp Secure appliances. Custom Custom file that you can either manually upload or use a scheduled poll from a webserver. This enables customers to dynamically feed addresses into the SRX firewalls to either block or just increase inspection and visibility for. 28

29 DYNAMIC ADDRESS GROUPS Dynamic Address Groups Address Groups has existed for a very long time on firewalls. They enable admins to statically group addresses together so that they can be used throughout the firewall rule base. Dynamic Address Groups takes this one step further by allowing both firewall admins and non-firewall admins to dynamically feed IP addresses into a group that does not require any configure change nor commit on the firewall. Dynamic Address Groups supports two different type of feeds: - Custom IP lists - GeoIP (Country to IP Mapping) 29

30 USING DYNAMIC ADDRESS GROUPS IN FIREWALL RULEBASE You can use dynamic address groups both as Source Address and Destination Address in the firewall rulebase. This means that you can either block, or change the inspection level based on information in the feed. Example (above) - We want to block all outgoing traffic that has unwanted countries as destination, but for Suspicious Countries we permit the traffic but add IPS inspection. 30

31 VISIBILITY (STRM/JSA) 31 Copyright Juniper Networks, Inc.

32 CLIENT THREAT DASHBOARD 32

33 CLIENT THREAT DASHBOARD SRX-IPS Attack against Client WebBrowser SRX- C&C (Firewall Intelligence) Top Blocked Destination Countries SRX- Dynamic Blacklist (Firewall Intelligence) Top Blocked Countries SRX-AppFW Blocked Tunneling Applications SRX- C&C (Firewall Intelligence) Top Blocked Users SRX- Dynamic Blacklist (Firewall Intelligence) Top Blocked Users 33

34 SERVER THREAT DASHBOARD 34

35 SERVER THREAT DASHBOARD JWAS Top Deception Events SRX- IPS Top Attack Categories SRX- Fingerprint (Firewall Intelligence) Top Protected Internal Assets JWAS Top Attacked URL:s SRX- IPS Top Attacks SRX- Fingerprint (Firewall Intelligence) Top Threat Levels 35

36 QUESTIONS? 36 Copyright Juniper Networks, Inc.