Securing Networks with Juniper Networks: Juniper Security Features
Jean-Marc Uzé, Liaison, Research, Education and Government Networks and Institutions, EMEA
juze@juniper.net
TF-CSIRT Meeting, 26/09/02

Agenda
- Introduction
- Juniper Networks Routers Architecture
- Router Protection
- Encryption of Traffic
- Source Address Verification
- Real-time Traffic Analysis
- I/O Filters and Rate Limiting
- Summary
Introduction

Cyber Attacks Increasing
- Frequency: over 4,000 distributed DoS attacks a week
- Sophistication: distributed DoS attacks are hard to detect and stop; network elements have recently been targeted
- Impact: Yahoo, eBay and Microsoft make headlines; Cloud 9 (UK), an ISP, was put out of business
[Timeline figure, 1994 to 2000: packet sniffers, IP spoofing, denial of service attacks, automated scanning tools, distributed denial of service attacks, email script attacks, self-propagating automated distributed attacks; attacks shift from host-based to network-based and increasingly target the network itself. Source: published CERT figures]
Juniper Networks, Inc. Copyright 2002

Today's Security Compromises
[Figure: attack timeline from "attack starts" through tracing and blocking to "attack ends", plotted against the performance SLA]
- Target / partial: security enabled at specific points on the network, as platforms, interfaces or software allow; does not provide reliable security
- Reactive: security enabled only after an attack is detected; high operational effort; performance SLAs affected
Ubiquitous Security Without Compromise
- Ubiquitous: single image, security on all interfaces
- Continuous: low impact, turn it on and leave it on
- Economical: included in the basic platform
- Proven: shipping since 2000 and in use in production networks around the world
Lets you, rather than your equipment, dictate your network security policy.

Protecting and Enabling Revenues
- Customer retention: increased customer satisfaction; match competitive security service offerings
- New services: lawful intercept; intrusion detection services; high-speed encrypted VPNs; attack-resistant web hosting; denial of service protection/control; spoofing protection
JUNOS Security Related Features
[Timeline figure: features introduced across JUNOS 3.x (1998), JUNOS 4.x (1999) and JUNOS 5.x (2001)]
- User administration: TACACS+/RADIUS
- Protocol authentication
- Hardware-based packet filtering
- Individual command authorization
- Traffic policing
- Firewall syslogs/MIB
- Hardware-based router protection
- Port mirroring
- IPSec encryption (control and transit traffic)
- Unicast RPF
- RADIUS support for PPP/CHAP
- SNMPv3

Juniper Security Features at a Glance: examples of available safeguards
Prevention
- Infrastructure protection: 1. hardware-based router protection; 2. IPSec encryption of control traffic
- Customer protection: 3. IPSec encryption of customer traffic; 4. source address verification
Detection
- 5. real-time traffic analysis (port mirroring) for lawful intercept and IDS
- 6. real-time DDoS attack identification
Suppression
- 7. I/O filters to block attack flows
- 8. rate limiting
- 9. hitless filter implementation
Juniper Networks Routers Architecture

System Architecture
[Figure: the Routing Engine, running JUNOS Internet Software, pushes forwarding-table updates to the Packet Forwarding Engine (Internet Processor II, switch fabric and I/O cards), which holds the forwarding table and connects to the Internet]
- Routing Engine: maintains the routing table and constructs the forwarding table using knowledge of the network
- Packet Forwarding Engine: receives the packet forwarding table from the Routing Engine; copies packets from an input interface to an output interface; conducts incremental table updates without forwarding interruption
IP II ASIC Overview
- Internet Processor II leverages the proven, predictable ASIC forwarding technology of the Internet Processor
- Provides breakthrough technology to support performance-based, enhanced services: security and bandwidth control (i.e. filtering) at speed; visibility into network operations at speed
- Delivers performance WITH services
- Supported on all interfaces

Filtering
IP-II enables significant functionality with applications to network management: security, monitoring and accounting.
Filter specification (schematic; multiple rules may be specified):

    filter my-filter ip {
        rule 10 {
            protocol tcp;
            source-address 128.100.1.0/24;
            port [ smtp ftp-data 666 1024-1536 ];
            action {
                reject tcp-reset;
            }
        }
    }

[Figure: IPv4 header (version, IHL, ToS, total length, ID, fragmentation, TTL, protocol, header checksum, source address, destination address) and TCP header (source port, destination port, sequence number, acknowledgement number, offset, flags, window, checksum, urgent pointer)]
All packets handled by the router pass through the filter. Filters can act on the highlighted header fields, as well as on the incoming interface identifier and the presence of IP options.
IP-II packet handling:
- Filter programs are compiled to microcode; filters and route lookup are part of the same program
- Actions: log, syslog, count, sample, forwarding-class, loss-priority, policer
- Outcomes: forward, silent discard, TCP reset or ICMP unreachable, routing instance
JUNOS Internet Software
- Common software across the entire product line leverages stability, interoperability and a wide range of features
- Purpose built for Internet scale
- Modular design for high reliability
- Best-in-class routing protocol implementations
- Foundation for new services with MPLS traffic engineering
[Figure: JUNOS components: protocols, interface management, chassis management, SNMP, operating system, security]

Traffic Framework
Management, control and data planes, classified by source, destination and type:
- Router management
- Routing control
- ICMP notification
- User data
Tools: Prevent, Detect, Control
- Traffic: forward, redirect, monitor, sample, count, log, mark, limit, discard
- Route control: import filters, export filters, mark, limit (applied to announcements and prefixes)
Router Protection

JUNOS Default to Secure
- Does not forward directed broadcasts
- Remote management access to the router is disabled and must be explicitly enabled (telnet, ftp, ssh)
- No SNMP set support for editing configuration data
- Default Martian addresses

Secure Shell: communicating with the router
- SSH v1 / v2
- Supports a connection limit and a rate limit against SYN flood DoS attacks on the ssh port
- OpenSSH 3.0.2 since JUNOS 5.4
- Secure Copy Protocol (SCP): uses the ssh encryption and authentication infrastructure to securely copy files between hosts
- Central authentication: TACACS+ / RADIUS
- User classes with specific privileges
- File records and command events
Hardware-Based Router Protection
- The router's control plane is complex and intelligent, so it needs to be CPU-based: protocols need processing power for fast updates and to minimize convergence time
- Attacks launched at routers include sending forged routing packets (BGP, OSPF, RIP, etc.) and bogus management traffic (ICMP, SNMP, SSH, etc.)
- An attacker can easily launch high-speed attacks, at rates in excess of 40M/second; CPU-based filtering is unable to keep up
- Attacks consume the CPU resources needed for control traffic, with the danger of protocol time-outs leading to network instabilities

Hardware-based filtering advantages
- Hardware drops attack ("untrusted") traffic, leaving the CPU free to process trusted control traffic
- One filter applied to the loopback protects the router and all interfaces
- Ease of management: no need to configure additional filters when adding new interfaces
Hardware-Based Router Protection: building the filter
- Define the trusted source addresses
- Define the protocols and ports that need to communicate with the router
- Accept the desired traffic and discard everything else
- One filter applied as an input filter on the loopback interface protects the router and all interfaces

    firewall {
        filter protect-re {
            term established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            term trusted-traffic {
                from {
                    source-address {
                        10.10.10.0/24;
                        10.10.11.0/24;
                        10.10.12.0/24;
                        10.10.17.0/24;
                        10.10.18.0/24;
                    }
                    protocol [ icmp tcp ospf udp ];
                    destination-port [ bgp domain ftp ftp-data snmp ssh ntp ];
                }
                then accept;
            }
            term default {
                then {
                    log;
                    discard;
                }
            }
        }
    }

Terms are evaluated in order and the first match wins; the final term logs and discards everything the earlier terms did not accept. Two points to check before deploying a filter of this shape: the established term accepts any TCP segment with ACK or RST set, from any source, so it should be narrowed to the peers and services the router actually needs; and ICMP and OSPF carry no destination port, so they cannot be matched by a term that also requires destination-port and need a term of their own.
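How this filter behaves packet by packet, as an added example: a Python model of first-match term evaluation written for this page, not Juniper's code and not anything that runs on the router. It encodes the three terms above and evaluates constructed packets against them in order. The port numbers for the service names, the protocol names, and the rule that a destination-port condition can only be satisfied by a packet that actually carries a port are this model's assumptions; confirm the behaviour of the real filter from the router's firewall log before relying on it.

```python
"""First-match evaluation of the protect-re loopback filter above.

Added example: a Python model of JUNOS filter term matching, not Juniper's
code. Port numbers, protocol names and the handling of port matches for
protocols without ports are this model's assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Service names used in the filter, resolved to port numbers (assumption: IANA values).
PORTS = {"bgp": 179, "domain": 53, "ftp": 21, "ftp-data": 20,
         "snmp": 161, "ssh": 22, "ntp": 123}


@dataclass(frozen=True)
class Packet:
    src: str                     # source IPv4 address
    proto: str                   # "tcp", "udp", "icmp", "ospf"
    dport: Optional[int] = None  # None for protocols that carry no L4 port
    ack_or_rst: bool = False     # the flag state that JUNOS "tcp-established" tests for


@dataclass
class Term:
    name: str
    action: str                      # "accept" or "discard"
    log: bool = False
    protocols: Optional[set] = None  # None = any protocol
    sources: list = field(default_factory=list)  # ip_network objects; empty = any source
    dports: Optional[set] = None     # None = any port
    tcp_established: bool = False

    def matches(self, p: Packet) -> bool:
        # Every configured condition in a 'from' clause must hold (AND).
        if self.protocols is not None and p.proto not in self.protocols:
            return False
        if self.sources and not any(ip_address(p.src) in n for n in self.sources):
            return False
        if self.tcp_established and not (p.proto == "tcp" and p.ack_or_rst):
            return False
        # Assumption of this model: a port match can only succeed for packets
        # that carry a port, so ICMP and OSPF never satisfy destination-port.
        if self.dports is not None and (p.dport is None or p.dport not in self.dports):
            return False
        return True


PROTECT_RE = [
    Term("established", "accept", protocols={"tcp"}, tcp_established=True),
    Term("trusted-traffic", "accept",
         protocols={"icmp", "tcp", "ospf", "udp"},
         sources=[ip_network(n) for n in ("10.10.10.0/24", "10.10.11.0/24",
                                          "10.10.12.0/24", "10.10.17.0/24",
                                          "10.10.18.0/24")],
         dports=set(PORTS.values())),
    Term("default", "discard", log=True),
]


def evaluate(terms, p: Packet):
    """Return (term name, action, logged) for the first term that matches p.

    A filter that matches no term discards the packet; the filter above makes
    that explicit with its 'default' term.
    """
    for t in terms:
        if t.matches(p):
            return t.name, t.action, t.log
    return "implicit", "discard", False


if __name__ == "__main__":
    samples = [  # constructed packets, not captured traffic
        ("BGP open from a trusted peer", Packet("10.10.10.5", "tcp", PORTS["bgp"])),
        ("BGP open from the Internet", Packet("192.0.2.7", "tcp", PORTS["bgp"])),
        ("ACK-flagged segment from the Internet", Packet("192.0.2.7", "tcp", 22, ack_or_rst=True)),
        ("ping from a trusted host", Packet("10.10.10.5", "icmp")),
    ]
    for label, pkt in samples:
        print(f"{label:40s} -> {evaluate(PROTECT_RE, pkt)}")
```

The second and third sample packets are the point: a BGP SYN from an untrusted address is logged and discarded, but an ACK-flagged segment from the same address is accepted by the established term before the trusted-sources term is even consulted, and the ping from a trusted host falls through to the default term because the trusted-traffic term also demands a destination port.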
Encryption of Traffic

IPSec Encryption of Control Traffic
- Encrypts control traffic between routers
- Encryption uses ESP in transport mode
- ESP provides secure communication for critical control/routing traffic and protects against attacks on the control plane

IPSec Encryption of Customer Traffic
- The Encryption Services PIC provides encryption and key exchange (IKE) capabilities to the other interfaces on the router
- Provides high-bandwidth encryption for transit traffic at 800 Mbps (half-duplex)
- Applied via the Packet Forwarding Engine, offloading the encryption and decryption tasks from the Routing Engine processor
- Delivers private and secure communication of mission-critical customer traffic
- Provides up to 1,000 tunnels per PIC; can scale using multiple PICs
IPSec Encryption of Customer Traffic: Crypto PIC highlights
- Tunnel/transport mode: tunnel mode for data traffic
- Authentication algorithms: MD5, SHA-1
- Encryption algorithms: DES, 3DES (DES has a 56-bit key and should not be chosen for new deployments where 3DES is available)
- IKE features: automated key management using Diffie-Hellman key establishment; main and aggressive mode supported for IKE SA setup (aggressive mode sends the identity payload unprotected, so prefer main mode where both peers support it); quick mode supported for IPSec SA setup
Source Address Verification

Source Address Verification
Why it is needed:
- IP address spoofing is a technique used in DoS attacks: the attacker pretends to be someone else, which makes it difficult to trace back the attack
- Common operating systems let users spoof the machine's IP address (UNIX, Linux, Windows XP)
How it is done:
- A route table look-up is performed on the IP source address
- The router determines whether the traffic is arriving on the expected path; if so, the traffic is accepted and the normal destination-based look-up is performed
- If the traffic is not arriving on the expected path, it is dropped

Juniper solution
- uRPF can be configured per interface/sub-interface
- Supports both IPv4 and IPv6
- Packet/byte counters for traffic failing the uRPF check
- Additional filtering available for traffic failing the check: police/reject
- Can syslog the rejected traffic for later analysis
- Two modes available: active-paths, where uRPF only considers the best path toward a particular destination; and feasible-paths, where uRPF considers all the feasible paths (used where routing is asymmetrical)
[Figure: a data center at 10.10.10.0/24 is reached via so-1/0/0.0 (routing table entry: 10.10.10.0/24 *[BGP/170] >via so-1/0/0.0). An attack with source address 10.10.10.1 arrives on so-0/0/0.0 from the 11.11.11.0/24 side; uRPF on so-0/0/0.0 drops it because the route to 10.10.10.0/24 does not point back out that interface]
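The look-up in both modes, as an added example: a Python model written for this page, not JUNOS code. The routing table is built from the figure's 10.10.10.0/24 entry plus an assumed second prefix, 11.11.11.0/24, that has two BGP paths, so that the difference between active-paths and feasible-paths actually shows. The interface so-2/0/0.0 and the unrouted source 203.0.113.9 are assumptions as well.

```python
"""Unicast RPF check in active-paths and feasible-paths mode.

Added example: a Python model of the source-address look-up described on
the slides, not JUNOS code. The routing table is constructed from the
figure (10.10.10.0/24 via so-1/0/0.0) plus an assumed asymmetric prefix
11.11.11.0/24 to show the difference between the two modes.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: ip_network
    active: frozenset    # outgoing interface(s) of the best path
    feasible: frozenset  # every usable path, best or not (e.g. alternate BGP paths)


class UrpfRouter:
    def __init__(self, routes):
        # Longest prefix first so the first hit in lookup() is the best match.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)
        self.fail_packets = Counter()   # per-interface count of packets failing uRPF

    def lookup(self, addr):
        a = ip_address(addr)
        return next((r for r in self.routes if a in r.prefix), None)

    def urpf_check(self, src, ingress, mode="active-paths"):
        """Return True if a packet with source src may enter on interface ingress."""
        route = self.lookup(src)
        if route is None:
            ok = False                        # no route back to the source: treat as spoofed
        elif mode == "active-paths":
            ok = ingress in route.active      # only the best path counts
        elif mode == "feasible-paths":
            ok = ingress in route.feasible    # any feasible path counts
        else:
            raise ValueError(f"unknown uRPF mode {mode!r}")
        if not ok:
            self.fail_packets[ingress] += 1   # the per-interface failure counter from the slide
        return ok


def build_demo_router():
    return UrpfRouter([
        # From the figure: the data centre prefix is reached through so-1/0/0.0.
        Route(ip_network("10.10.10.0/24"), frozenset({"so-1/0/0.0"}), frozenset({"so-1/0/0.0"})),
        # Assumed: a customer prefix with two BGP paths; the best is via so-0/0/0.0
        # but the customer also sends through so-2/0/0.0 (asymmetric routing).
        Route(ip_network("11.11.11.0/24"), frozenset({"so-0/0/0.0"}),
              frozenset({"so-0/0/0.0", "so-2/0/0.0"})),
    ])


def run_demo():
    r = build_demo_router()
    results = {
        # The attack from the figure: claims 10.10.10.1 but arrives on so-0/0/0.0.
        "spoofed_active": r.urpf_check("10.10.10.1", "so-0/0/0.0"),
        "spoofed_feasible": r.urpf_check("10.10.10.1", "so-0/0/0.0", "feasible-paths"),
        # Genuine data centre traffic arriving on its own interface.
        "genuine": r.urpf_check("10.10.10.1", "so-1/0/0.0"),
        # Asymmetric customer traffic: active-paths drops it, feasible-paths accepts it.
        "asymmetric_active": r.urpf_check("11.11.11.5", "so-2/0/0.0"),
        "asymmetric_feasible": r.urpf_check("11.11.11.5", "so-2/0/0.0", "feasible-paths"),
        # No route at all for the source: rejected in either mode.
        "unrouted": r.urpf_check("203.0.113.9", "so-0/0/0.0", "feasible-paths"),
    }
    return results, dict(r.fail_packets)


if __name__ == "__main__":
    res, fails = run_demo()
    for name, ok in res.items():
        print(f"{name:22s} {'pass' if ok else 'DROP'}")
    print("uRPF failures per interface:", fails)
```

The model has no default route; if one pointed at the ingress interface it would make every otherwise-unrouted source pass the check, which is why uRPF is most useful on customer-facing interfaces where the customer's prefixes are known, and why feasible-paths should be reserved for interfaces where asymmetric routing is actually expected.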
Real-time Traffic Analysis

Real-time Traffic Analysis
Sampling and cflowd format export (v5 and v8) since JUNOS 5.4.
Passive Monitoring PIC:
- The application is primarily security and traffic analysis
- Monitors IPv4 packets and flows over SONET on OC-3c, OC-12c and OC-48c, with PPP or HDLC (Cisco) layer 2 encapsulations
- Generates cflowd v5 records for export to collector nodes
- IPSec or GRE tunnels can be used for exporting

Juniper port mirroring capability
- A copy of each sampled packet can be sent to an arbitrary interface
- Any interface and speed, up to 100% of the selected packets
- N ingress ports to a single destination port
- Work in progress with an IDS vendor; discussions ongoing with developers of high-speed (OC-48) analytical security applications
[Figure: traffic from a data center is mirrored to an intrusion detection system]

Real-time DDoS Identification
Preparation:
- Pre-configure Destination Class Usage (DCU) on the customer-facing ingress interfaces
- DCU is an accounting feature typically used for billing, supported in JUNOS 4.3 (12/2000) and beyond
- Counts packets and bytes destined for each of up to 16 communities per interface; the counters are retrievable via SNMP
- Note: Source Class Usage is also supported (since JUNOS 5.4)
During an attack:
- Use BGP to announce the victim's /32 host address with a special community
- Trigger SNMP polling of the DCU counters on all ingress interfaces
- Apply a heuristic to identify the likely attack sources
[Figure: a service provider network with a NOC, a switch, a victim network, two attacker networks, two attack networks and two user networks attached through the provider's ingress interfaces]
[Figure: the same topology during the attack: the NOC announces the victim host 128.8.128.80/32 with community 100:100, so the DCU counters on every ingress interface now count traffic toward 128.8.128.80 separately]
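The preparation and during-attack steps, run end to end as an added example: a Python model of the DCU counters written for this page, not Juniper code. The victim host 128.8.128.80 and the community 100:100 come from the figure; the interface names, the counter values and the polling interval are constructed, and the decision rule, an absolute packets-per-second threshold per ingress interface, is one possible heuristic chosen for illustration because the slides do not specify theirs. The model also assumes one destination class per community.

```python
"""Real-time DDoS source identification from DCU counters.

Added example: a Python model of the procedure on the slides, not Juniper
code. The interface names, counter values, polling interval and threshold
are constructed for illustration; the victim address 128.8.128.80 and the
community 100:100 are taken from the figure.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VICTIM = "128.8.128.80"
VICTIM_COMMUNITY = "100:100"      # the special community announced by the NOC


@dataclass(frozen=True)
class Route:
    prefix: ip_network
    communities: frozenset        # BGP communities; here one destination class per community


class Dcu:
    """Per-ingress-interface packet counters, keyed by destination class.

    Assumption: a destination class is identified directly by a community
    (a real DCU policy maps communities to up to 16 classes per interface).
    """

    def __init__(self, interfaces, routes):
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)
        self.counters = {ifc: {} for ifc in interfaces}

    def classify(self, dst):
        a = ip_address(dst)
        route = next((r for r in self.routes if a in r.prefix), None)
        return route.communities if route else frozenset()

    def count(self, ingress, dst, packets=1):
        """Forwarding-path accounting: attribute packets to the class of their destination."""
        for cls in self.classify(dst):
            self.counters[ingress][cls] = self.counters[ingress].get(cls, 0) + packets

    def poll(self, cls):
        """What an SNMP poll of the DCU packet counters for one class returns."""
        return {ifc: c.get(cls, 0) for ifc, c in self.counters.items()}


def identify_attack_sources(before, after, interval_s, threshold_pps=5000):
    """Assumed heuristic: an ingress interface whose packet rate toward the
    victim class exceeded threshold_pps during the polling interval is a
    likely attack source. Returns (suspect interfaces, rate per interface)."""
    rates = {ifc: (after[ifc] - before[ifc]) / interval_s for ifc in after}
    return {ifc for ifc, pps in rates.items() if pps > threshold_pps}, rates


def run_demo():
    ifaces = ["so-0/0/0.0", "so-0/1/0.0", "so-1/0/0.0", "so-1/1/0.0"]   # constructed
    routes = [
        Route(ip_network("128.8.0.0/16"), frozenset({"100:1"})),          # victim's normal aggregate
        Route(ip_network(VICTIM + "/32"), frozenset({VICTIM_COMMUNITY})),  # the /32 announced during the attack
    ]
    dcu = Dcu(ifaces, routes)
    before = dcu.poll(VICTIM_COMMUNITY)          # first SNMP poll
    # Constructed 10 s of traffic: two interfaces flood the victim, two carry ordinary traffic.
    dcu.count("so-0/0/0.0", VICTIM, 420_000)
    dcu.count("so-0/1/0.0", VICTIM, 310_000)
    dcu.count("so-1/0/0.0", VICTIM, 1_200)
    dcu.count("so-1/1/0.0", VICTIM, 900)
    dcu.count("so-1/1/0.0", "128.8.10.1", 50_000)  # another host in the aggregate: different class
    after = dcu.poll(VICTIM_COMMUNITY)           # second SNMP poll
    return identify_attack_sources(before, after, interval_s=10)


if __name__ == "__main__":
    suspects, rates = run_demo()
    for ifc, pps in sorted(rates.items()):
        print(f"{ifc:12s} {pps:10.0f} pps{'  <- likely attack source' if ifc in suspects else ''}")
```

Because the counters are per ingress interface and per class, dividing the delta between two polls by the interval gives a rate, and comparing that rate across interfaces is what turns an accounting feature into an attack locator. The threshold has to be tuned to what a normal customer sends to a single host; traffic to other hosts in the victim's aggregate (the 128.8.10.1 packets above) does not disturb the measurement because the /32 announcement moved only the victim into the special class.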
I/O Filters and Rate Limiting

I/O Filters To Block Attack Flows
- DoS attacks need to be detected and stopped
- Interface filters can be applied to block only the attack flows
- Filters can be applied to any interface type, both inbound and outbound

    /* apply the filter to the ingress point of the network */
    interfaces {
        so-0/2/2 {
            unit 0 {
                family inet {
                    filter {
                        input block-attack;
                    }
                    address 151.1.1.1/30;
                }
            }
        }
    }
    /* This is the filter which blocks the attacks */
    firewall {
        filter block-attack {
            term bad-guy {
                from {
                    source-address {
                        10.10.10.1/32;
                    }
                    protocol icmp;
                }
                then {
                    discard;
                    log;
                }
            }
            /* a filter ends with an implicit discard, so everything that is not
               the attack flow has to be accepted explicitly */
            term allow-rest {
                then accept;
            }
        }
    }

Rate Limiting
- Suppression/rate-limiting advantage: protects the router or the customer by limiting traffic based on protocol, port, and source and destination addresses
- Juniper advantage: for architectural reasons the limiting is performed in the Internet Processor ASIC, not tied to an interface or release
- Behavior under attack: stable operation; routing and management traffic unaffected
Hitless Filter Implementation
- Can be applied immediately after identification of the offending traffic
- Application of filters does not create a short-term degraded condition as the filters take effect
- Size and complexity of the filter are independent of forwarding performance
[Figure: traffic interruption during filter compilation: while a NOC operator applies or changes filters, all traffic, not just the attack flow, is dropped during filter compilation]
[Figure: no interruption with atomic updates: while the NOC operator applies or changes filters, only the attack flow is dropped and the legitimate traffic keeps flowing]
Summary

Next Steps
- Ongoing dialog with the security team
- Ensuring existing security features are active
- Awareness of upcoming security issues
- Best practices white papers
- Security consulting and training
- Juniper Networks, the trusted source

Further References: Juniper Networks white papers
- Rate-limiting and Traffic-policing Features
- Fortifying the Core
- Visibility into Network Operations
- Minimizing the Effects of DoS Attacks
- Juniper Networks Router Security
Available from http://www.juniper.net/techcenter
Thank You
juze@juniper.net