Secure Cloud-Ready Data Centers
Juniper Networks
JUNIPER SECURITY LEADERSHIP: A $1B BUSINESS

Market Leadership
- Data center high-end firewall: #1 at 42%
- Secure mobility with SSL VPN: #1 at 25%
- Secure connectivity: #2 at 22%

Security Innovation
- Across device, network and application
- One Junos for routing, switching and security
- Security and mobile threat research teams

Proven Reach & Scale
- Protecting 80%+ of smartphones in North America
- 24 of the Fortune 25 for intelligent networking with secure routing
- GTM scale with IBM, Dell, Ericsson & NSN

Copyright 2011 Juniper Networks, Inc. www.juniper.net
SECURITY TRENDS

Chart: attacker threat sophistication (maturity) over time. Motivation shifts from notoriety to profitability and targets shift from .gov/.com to .me/.you; attack types range from virus, worms and Trojans through DoS, malware and botnets to APT; targets move from the Internet and information services to ERP, new devices and new applications.
THREE DRAMATIC SHIFTS IN THE DATA CENTER

- Mega consolidation: efficiency improvements and simplified administration
- Virtualization: cloud services and virtualization projects
- Service-oriented architectures: Web 2.0 and application mashups

Each trend is driving changes in networking and security.

Sources: AFCOM Data Center Research, Gartner, KRC Research
DATA CENTER SRX DELIVERS CONSOLIDATED SECURITY AND NETWORKING

Consolidation at Scale
- Scalable data center security
- More efficient infrastructure with modular SPCs and IOCs
- Carrier-grade networking powering the top 130 service providers and nearly all of the Fortune 500
- Protecting online assets with AppSecure, IPS, FW, NAT, and more
DATA CENTER SRX OFFERS NETWORKING AND SECURITY VIRTUALIZATION

Virtualization Security
- Integrated virtual and physical security
- Inter-VM traffic protection with visibility into all network flows
- Dynamic VM security with a VMsafe-certified stateful firewall and virtualization-specific AV
- More effective hybrid infrastructure
DATA CENTER SRX ENSURES APPLICATION VISIBILITY AND PROTECTION

Next Generation Security Services
- Rapid response to evolving threats through layered, next-generation security services
- Control and enforcement of application usage
- Visibility into Web 2.0 threats, with application security against the latest attacks
- Scalable policy enforcement and management via Junos
DATA CENTER SECURITY SOLUTION THAT SPANS PHYSICAL AND VIRTUAL NETWORKS

Diagram: management and security services (Security Design, STRM Security Threat Response Manager) sit above physical services delivered by the SRX Series (firewall, IPS, DoS prevention, AppSecure) and virtual services delivered by the vGW Virtual Gateway (vGW Series) on the hypervisor protecting the VMs.
SRX SERIES SERVICES GATEWAYS - NGFW

Diagram: the SRX range plotted by throughput (1G, 10G, 100G) against deployment segment (SOHO/SME, branch, large branch, campus, enterprise data center, large enterprise, service provider): SRX100, SRX210, SRX220, SRX240, SRX650, SRX1400, SRX3400, SRX3600, SRX5600, SRX5800.

- Best Security Product Award
- Integrated routing, switching and security
- Unprecedented scale
- Single Junos
APPSECURE: APPLICATION INTELLIGENCE, BRANCH TO DATA CENTER

- AppTrack: understand security risks; address new user behaviors
- AppFW: block access to risky apps; allows user-tailored policies
- AppQoS: prioritize important apps; rate-limit less important apps
- AppDoS: protect apps from bot attacks; allow legitimate user traffic
- IPS: remediate security threats; stay current with daily signatures

- Easy add-on security services for SRX gateways
- Delivers application visibility, enforcement and protection up to 100 Gbps
- Integrates nested application detection/protection, control, and remediation
- Subscription service includes all modules and updates
- Juniper Security Lab provides 800+ application signatures
APPTRACK: VISIBILITY FOR INFORMED RISK ANALYSIS

AppTrack: Monitor & Track Applications
- View applications by protocol, Web application, and utilization
- Analyze usage and trends
- Web 2.0 application visibility
- App usage monitoring
- Scalable, flexible logging and reporting
- Customize application monitoring
- Log and report across security solutions and systems
APPFW: BEYOND JUST FW OR APP CONTROL

AppFW: Control & Enforce Web 2.0 Apps
- Inspect ports and protocols (e.g. HTTP)
- Uncover tunneled apps
- Stop multiple threat types
- Dynamic application security
- Control nested apps, chat, file sharing and other Web 2.0 activities
- Web 2.0 policy enforcement
- Threat detection and prevention
BOTNET & DOS THREAT MITIGATION

AppDoS: Protect Valuable Online Business
- Detect and mitigate botnet activity
- Uncover misuse of routine Web functionality (the slide shows a select item, view item, check bill, purchase item transaction flow)
- Botnet detection and remediation
- Adapt security policy and QoS based on insights
- DoS monitoring and remediation
- Benchmark normal behavior to detect anomalies
- Ongoing anomaly detection
IPS FOR CUSTOMIZABLE PROTECTION

IPS: Monitor & Mitigate Custom Attacks
- Detect and monitor suspicious behavior
- Tune open signatures to detect and mitigate tailored attacks
- Ongoing threat protection
- Uncover attacks exploiting encrypted methods
- Mobile traffic monitoring
- Custom attack mitigation
- Address vulnerabilities instead of the ever-changing exploits of the vulnerability

Diagram: AppSecure IPS signatures target the vulnerability itself, whereas other IPSs target the individual exploits.
APPQOS FOR SCALE & PERFORMANCE

AppQoS: Prioritize & Control App Bandwidth
- Monitor Web 2.0 bandwidth consumption
- Throttle bit rates based on security and usage insights
- Dynamic application quality of service (QoS)
- Application prioritization
- Performance management
- Prioritize business-critical apps
VIRTUALIZATION/CLOUD-SPECIFIC REQUIREMENTS

Secure VMotion/Live Migration
- VMs may migrate to an unsecured or lower-trust-level zone
- Security should enable both migration and enforcement

Hypervisor Protection
- A new operating system means a new attack surface
- Hypervisor connection attempts should be monitored

Regulatory Compliance
- Isolating VMs, access control, audit, etc.
- Segregating administrative duties inside the virtual network
- Tracking VM security profiles
APPROACHES TO SECURING VIRTUAL/CLOUD NETWORKS

Diagram: three approaches, each shown as VM1, VM2 and VM3 on an ESX/ESXi host with a hypervisor and virtual switch (VS):
1. VLANs and physical segmentation
2. Traditional security agents: a regular thick agent for FW and AV inside each VM
3. Purpose-built virtual security: a virtual security layer in the hypervisor
THE VGW PURPOSE-BUILT APPROACH

Kernel-level Stateful Inspection
- Continuous security processing
- Fault-tolerant operation
- HA for security VM and management

Scalability at All Levels
- FW policy per VM
- Scale to 1000+ hosts
- Multi-center and split-center support

Granular, Tiered Defenses
- Integrated IDS and AV
- Auto-security for new VMs
- Compliance and image enforcement

Diagram: the vGW engine runs in the VMware kernel of the ESX or ESXi host, attached through the VMware APIs to any vSwitch (standard, DVS, third-party), so packet data from VM1, VM2 and VM3 passes through it; Security Design for vGW connects to Virtual Center and to partner servers (IDS, SIM, Syslog, NetFlow).
FIREWALL PERFORMANCE

Chart: TCP throughput test (standard 1500-byte packet size). See slide notes for details.
VGW MODULES

- Main: dashboard view of the virtual data center
- Firewall: firewall policy and logs
- AntiVirus: AV protection with quarantine
- Compliance: alerts on VM/host non-compliance
- Network: traffic flows
- IDS: view of IDS alerts
- Introspection: VM x-ray (OS, apps, etc.)
- Reports: granular reports and scheduler
VGW NETWORK VISIBILITY

Benefits:
- Visibility into all VM communications
- Ability to spot design issues with security policies
- Single click to more detail on VMs
- Export flows for analysis

Screenshot callouts: see traffic flows, troubleshoot, navigate.
VGW FIREWALL

Stateful firewall protection for all VM traffic

Benefits:
- Granular VM isolation
- Automated VM policy
- Dynamic VM quarantine
- Global rules for applications
- Quarantine policies enforced on non-compliance
- Access control rules for VM groups and VMs
VGW IDS

Integrated and tunable IDS engine inspects for malware.
- Choose applications to inspect
- Easily review alerts
- Click on an alert for details
- Set time periods to review data
VGW ANTIVIRUS (NEW!)

Optimal for virtualization, where VM RAM and disk are at a premium.
- On-demand and on-access scan configurations
- AV dashboard for quick status understanding
- File quarantine
VGW INTROSPECTION

X-ray VMs and automate compliance enforcement

Benefits:
- Know exactly what's installed in a VM
- Automatically attach the relevant security policy
- Define and enforce a gold image (template or VM)
VGW COMPLIANCE

Monitor and enforce cloud security best practices

Benefits:
- Define rules on any VM or VM group
- Automatically quarantine VMs into an isolated network if they violate a rule
- Rules relevant to both VM and host configuration
- Classifications of checks (VMware best practices, etc.)
- Easily see rule violations
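As an added illustration of the two ideas above (live migration into a lower-trust zone, and compliance rules scoped to VM groups that cover both VM and host configuration and put violators into a quarantine set), here is a small rule evaluator over a constructed inventory; it is not vGW code and does not use vGW's rule format. The host trust scale, the VM and host attributes, and all names are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Host:                 # host-level configuration (constructed attributes)
    name: str
    trust_level: int        # higher = more trusted zone (assumed scale)
    ssh_enabled: bool

@dataclass
class VM:                   # VM-level configuration (constructed attributes)
    name: str
    group: str              # VM group, e.g. "finance" or "hr"
    host: str               # name of the host the VM currently runs on
    min_trust: int          # lowest host trust level the VM may run on
    vmci_enabled: bool

@dataclass
class Rule:
    name: str
    classification: str     # e.g. "VMware best practice", "zone policy"
    groups: frozenset       # VM groups the rule targets; empty = all VMs
    check: object           # callable (vm, host) -> True when compliant

def failed_rules(vm, host, rules):
    """Names of the rules the (vm, host) pair violates; empty means compliant."""
    return [r.name for r in rules
            if (not r.groups or vm.group in r.groups) and not r.check(vm, host)]

def evaluate(vms, hosts, rules):
    """Map each non-compliant VM to its violations; these VMs form the
    quarantine set that would be moved to the isolated network."""
    found = {vm.name: failed_rules(vm, hosts[vm.host], rules) for vm in vms}
    return {name: failed for name, failed in found.items() if failed}

def migration_allowed(vm, target_host, rules):
    """Pre-migration check: would the VM still be compliant on the target host?"""
    return not failed_rules(vm, target_host, rules)

RULES = [  # constructed rule set for the demonstration
    Rule("host-trust-floor", "zone policy", frozenset(),
         lambda vm, host: host.trust_level >= vm.min_trust),
    Rule("no-vmci", "VMware best practice", frozenset(),
         lambda vm, host: not vm.vmci_enabled),
    Rule("finance-host-ssh-off", "zone policy", frozenset({"finance"}),
         lambda vm, host: not host.ssh_enabled),
]
HOSTS = {h.name: h for h in (Host("esx-prod-1", 3, False), Host("esx-lab-1", 1, True))}
VMS = [VM("fin-db", "finance", "esx-prod-1", 3, False),
       VM("fin-app", "finance", "esx-lab-1", 3, False),   # migrated to a lab host
       VM("hr-web", "hr", "esx-lab-1", 1, True)]
```

Running `evaluate(VMS, HOSTS, RULES)` flags fin-app (wrong trust level and SSH enabled on its finance host) and hr-web (VMCI enabled), while `migration_allowed` lets fin-app move back to esx-prod-1 but refuses to move fin-db onto the lab host.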
CLOUD-ENABLED SECURITY: SECURING THE FLOWS

Diagram: clients on the Internet reach the data center through SSL VPN (secure VDI support, with user and app identity), pass a DMZ of virtualized security services, and reach vGW-protected virtual machines (VM 1 to VM 4 on the hypervisor) in the HR zone and the Finance zone; Junos Space and STRM provide the management and compliance services (policies, reporting).

Security services applied to the flow:
1. AppSecure DoS protection
2. Firewall
3. Authentication
4. Encryption
5. NAT
6. Intrusion prevention
7. Real-time visibility
8. Traffic prioritization