SECURE THE DATACENTER
Dennis de Leest, Sr. Systems Engineer
PURE PLAY IN HIGH-PERFORMANCE NETWORKING
Breadth first: 10 years of the Juniper portfolio, 1996-2006, compared with today's portfolio, across Core, Edge, Access & Aggregation, Data Center, WAN Branch, Campus & Business, and Consumer & Device.
Product lines on the slide: T, M, PTX, E, MX, SRX, MobileNext, MediaFlow, ACX, QFX, EX, vGW, NetScreen, WLAN, Junos Pulse.
Taglines: Converged Supercore; Universal Edge; Universal Access; 3-2-1 Architecture & Physical + Virtual Security; Simplified Pay-as-you-Grow MPLS; Wired/Wireless convergence & Unified Policy; Best-of-breed Mobile Security.
Copyright 2013 Juniper Networks, Inc. www.juniper.net
JUNIPER IN THE DATACENTER: PROTECTING APPS
Spotlight Secure: global attacker fingerprint system; actionable beyond the IP address.
DDoS Secure: low-and-slow and volumetric; signature free, stops new attacks; no tuning or thresholds.
WebApp Secure: intrusion deception stops hacking; near-zero false positives; no tuning or web app changes.
SRX Firewall: leading high-end firewall; proven datacenter scale; integration with WebApp Secure.
IMPLICATIONS OF WEB APP VULNERABILITY
1. Direct theft of web app data
2. Compromise the web app and use it as a DMZ pivot point
3. Targeted drive-by campaign
DIRECT THEFT OF WEB APP DATA
SQL injection gives the hacker access to the database behind the web app: credit card info, customer data, account records, credentials.
COMPROMISE DMZ AND MOVE LATERALLY
1. Own the web server, install a backdoor
2. Attack into the PCI zone from the DMZ
3. Exfiltrate data through the backdoor
(Diagram: Internet, WebApp in the DMZ, PCI Data.)
TARGETED DRIVE-BY CAMPAIGNS
1. Attack the web app, embed a malicious link
2. Infect employees, partners and customers with a backdoor
3. Steal data
WEB APP FIREWALLS MISS THE MARK
1 in 6 report having a Web App Firewall that is deployed in block mode.
66% say next-gen security is ineffective on SQL injection attacks against web apps.
High false positives block real customers. Complex policies. Hackers bypass signature-based detection. Not in block mode = expensive log file.
Source: Efficacy of Emerging Network Security Technologies, Ponemon, 2013
MOZZART BET
Background: 2nd largest online gaming site in Europe. Online attacks put millions of euros at stake. Needed active protection vs. post-event log analysis.
Products bought: WebApp Secure & Spotlight Secure.
"After a 3 month bake-off with WAFs, we chose WebApp Secure for its lowest false positive, real-time attacker visibility and operational efficiency." -- Cedomir Novakovic, Sr. System Engineer
THE JUNOS WEBAPP SECURE ADVANTAGE: DECEPTION-BASED SECURITY
Detect: tar traps detect threats without false positives.
Track: track IPs, browsers, software and scripts.
Profile: understand the attacker's capabilities and intents.
Respond: adaptive responses, including block, warn and deceive.
THE ANATOMY OF A WEB ATTACK
Phase 1: Reconnaissance
Phase 2: Attack Vector Establishment
Phase 3: Implementation
Phase 4: Automation
Phase 5: Maintenance
(Web App Firewall marked on the diagram.)
INTRUSION DECEPTION: DETECTING WITH NEAR-ZERO FALSE POSITIVES, NO TUNING
Junos WebApp Secure sits between the client and the app server and injects tar traps into the web app response: query string parameters, HTML hidden input fields, server configuration (.htpasswd), 404 Not Found.
Any manipulation of a tar trap = malicious.
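As an added illustration in Python (not Juniper's code), a minimal tar trap of the hidden-input-field and decoy-file kind described above: the decoy value is MAC-signed so that any client-side change is detectable, and the application itself never reads the field, which is why only tampering with it is flagged. The field name, decoy path and key are constructed for the example.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional, Tuple

# Constructed values for this example; a deployment would keep the key outside the source.
SECRET_KEY = b"example-tar-trap-key"
TRAP_FIELD = "user_role"             # assumed decoy field name; the web app never reads it
DECOY_PATHS = {"/.htpasswd"}         # decoy server configuration file that is never really served

def _tag(value: str) -> str:
    """Short HMAC over the decoy value so tampering on the client side is detectable."""
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def inject_tar_trap(html: str, decoy_value: str = "user") -> str:
    """Add a signed hidden input to every <form> of the response; no change to the web app itself."""
    field = f'<input type="hidden" name="{TRAP_FIELD}" value="{decoy_value}.{_tag(decoy_value)}">'
    return re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + field, html, flags=re.IGNORECASE)

def classify_request(path: str, params: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason). Only touching a trap is flagged, hence near-zero false positives."""
    if path in DECOY_PATHS:
        return "malicious", f"request for decoy file {path}"   # answer 404, but record the attempt
    submitted: Optional[str] = params.get(TRAP_FIELD)
    if submitted is None:
        return "benign", "no trap field present"
    value, _, tag = submitted.rpartition(".")
    if tag and hmac.compare_digest(tag.encode(), _tag(value).encode()):
        return "benign", "trap field returned unmodified"
    return "malicious", f"trap field tampered: {submitted!r}"
```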
TRACKING BEYOND THE IP
Persistent token: persists in all browsers even with privacy controls enabled. Site specific.
Fingerprint: analyze environment and connection. Not site specific.
CHANGE THE ECONOMICS: DECEPTIVE RESPONSES
Feed fake data. Strip inputs. Force logout. CAPTCHA. Slow connection.
FINGERPRINT OF AN ATTACKER
Timezone, browser version, fonts, browser add-ons, IP address: 200+ attributes are used to create the fingerprint.
Near real-time availability of fingerprints. False positives nearly zero.
JUNOS SPOTLIGHT SECURE
Junos Spotlight Secure Global Attacker Intelligence Service. Map: an attacker from San Francisco; a new attacker fingerprint uploaded from a Junos WebApp Secure protected site in the UK; further protected sites in Russia, India, South Africa and Australia.
Detect Anywhere, Stop Everywhere.
JWAS + SPOTLIGHT TECHNOLOGY DETAILS
Diagram: client, network perimeter (firewall), app server, database. Mary13 requests her first page; a super cookie is inserted and the fingerprint code is delivered.
HOW DOES IT WORK?
Diagram: Spotlight Secure between JWAS Customer A and JWAS Customer B; Mary13 is the visitor at Customer A.
ATTACKER TRIPS A TAR TRAP
Mary13 manipulates a tar trap (query string parameters, hidden input fields, server configuration), so Mary13 = attacker. Diagram: client, network perimeter (firewall), app server, database.
UPDATING SPOTLIGHT
Diagram: JWAS Customer A reports Mary13 to Spotlight Secure; JWAS Customer B is the other subscriber.
SPOTLIGHT UPDATE
Global Name | Local Name | JWAS Device
Bob112      | Mary13     | 4X12J8
(Mary13 at JWAS Customer A is recorded under the global name Bob112; JWAS Customer B has no entry yet.)
SPOTLIGHT LOOKUP
Global Name | Local Name | JWAS Device
Bob112      | Mary13     | 4X12J8
?           | Joe196     |
(JWAS Customer B asks Spotlight whether its local visitor Joe196 is a known attacker.)
SPOTLIGHT MATCH
Global Name | Local Name | JWAS Device
Bob112      | Mary13     | 4X12J8
?           | Joe196     |
(Joe196's fingerprint matches the record for Bob112.)
DETECT ANYWHERE, ENFORCE EVERYWHERE
Global Name | Local Name | JWAS Device
Bob112      | Mary13     | 4X12J8
            | Joe196     | M391LT
(Joe196 at JWAS Customer B, device M391LT, is now enforced against as the known attacker Bob112.)
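As an added sketch in Python of the lookup flow shown on the preceding slides (not Juniper's code, and not Spotlight's actual matching rule, which the slides do not give): a fingerprint is a set of environment attributes with the IP address and the site-specific token deliberately left out, Spotlight keeps one global name per attacker together with each device's local name, and a second customer's lookup still matches after one attribute has drifted. The similarity measure, the 0.8 threshold and the sample attributes are assumptions constructed for the example.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

Attrs = Dict[str, str]   # fingerprint attributes: timezone, browser version, fonts, add-ons, ...

def canonical_id(attrs: Attrs) -> str:
    """Stable identifier for a fingerprint record: hash of the sorted attributes (no IP, no site token)."""
    return hashlib.sha256(json.dumps(attrs, sort_keys=True).encode()).hexdigest()[:12]

def similarity(a: Attrs, b: Attrs) -> float:
    """Fraction of attribute names whose values agree; tolerates drift such as a browser upgrade."""
    keys = set(a) | set(b)
    return sum(1 for k in keys if a.get(k) == b.get(k)) / len(keys)

class SpotlightRegistry:
    """Global attacker intelligence: one global name per attacker, many (device, local name) sightings."""
    MATCH_THRESHOLD = 0.8   # assumed for the example; the real matching rule is not on the slides

    def __init__(self) -> None:
        self.records: List[Tuple[str, Attrs]] = []                 # (global name, attributes)
        self.sightings: Dict[str, List[Tuple[str, str]]] = {}      # global name -> [(device, local name)]

    def lookup(self, attrs: Attrs) -> Optional[str]:
        """A JWAS device asks whether a visitor's fingerprint belongs to a known attacker."""
        best = max(self.records, key=lambda rec: similarity(rec[1], attrs), default=None)
        if best is not None and similarity(best[1], attrs) >= self.MATCH_THRESHOLD:
            return best[0]
        return None

    def upload(self, device: str, local_name: str, attrs: Attrs) -> str:
        """A JWAS device reports a confirmed attacker (one that tripped a tar trap); returns the global name."""
        global_name = self.lookup(attrs)
        if global_name is None:
            global_name = "G-" + canonical_id(attrs)
            self.records.append((global_name, attrs))
        self.sightings.setdefault(global_name, []).append((device, local_name))
        return global_name
```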
SRX INTEGRATION: BLOCK HIGH-VOLUME ATTACKS AT THE FIREWALL
1) Traffic from a vulnerability scanner reaches the web servers behind the SRX
2) WebApp Secure identifies the attack
3) WebApp Secure sends the IP address to the SRX for enforcement
SRX configuration: enable NETCONF on port 830; set up a specific JWAS filter; bind it on the interface; the filter is updated by JWAS.
WebApp Secure configuration: enter the SRX information; activate the SRX counter-response (manual or automatic); update the SRX filter; periodically check the SRX filter.
JUNOS DDOS SECURE HIGHLIGHTS
Mature product: Webscreen acquisition (Feb 2013); 13 years of development; $60B in revenue protected.
Highly differentiated: low-and-slow application attack protection; new attacks: protects before signatures exist; high tech, low touch: fire-and-forget.
KEY CONCEPT: CHARM
CHARM: real-time risk score for each source IP, updated per packet. Scale: 100 = human-like, 50 = initial, 0 = machine-like.
Simple example: real human traffic is typically bursty and irregular; machine/bot traffic is regular.
Algorithms are updated regularly with the characteristics of new attacks.
KEY CONCEPT: RESOURCE HEALTH
Resource health: real-time view of the status of every discrete thing on the protected interface, based on stateful analysis of source and resource responsiveness.
Diagram: Internet traffic passes through DDoS Secure to the resources.
Examples, L7: SIP/DNS/URL and SIP response time; SIP/DNS/URL rate, pending counts; HTTP server error codes.
Examples, L3-4: backlog queue (per resource, per port); TCP stats: SYN, SYN-ACK, CLS, RST, etc.
DDOS MITIGATION: CHARM AND RESOURCE HEALTH
Dynamically adjust the CHARM threshold based on health (chart: CHARM required to access the resource, for Resource 1, Resource 2, Resource 3 ... Resource N).
Resource 2's response time starts to degrade and the CHARM pass threshold is increased to start the process of rate limiting the bad traffic. At this point the good traffic will continue to pass unhindered.
In this attack example, traffic to Resource 2 reduces as the attackers switch the attack to Resource 3. Once again, Junos DDoS Secure responds dynamically by increasing the pass threshold for Resource 3 whilst limiting the bad traffic.
The attackers will start to believe their attack has been successful as their requests fail.
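As an added illustration in Python (not Juniper's CHARM or resource-health algorithms, which the slides only characterise), the interplay described on the two concept slides and this one: a per-source score from the burstiness of its packet arrivals, a per-resource health from response times and the 5xx rate, and a pass threshold that is raised as health falls so that regular bot traffic is rate limited first while human-like and new sources keep passing. The regularity measure, the scale factors and the sample arrival times are constructed for the example.

```python
import statistics
from typing import List

def charm_score(arrival_times: List[float]) -> float:
    """Per-source risk score: 0 = machine-like, 100 = human-like, 50 while there is too little evidence.
    Illustrative characteristic only (the real CHARM algorithms are not on the slides): the coefficient of
    variation of the inter-arrival gaps, near 0 for regular bot traffic and high for bursty human traffic."""
    if len(arrival_times) < 3:
        return 50.0
    gaps = [later - earlier for earlier, later in zip(arrival_times, arrival_times[1:])]
    mean_gap = statistics.mean(gaps)
    if mean_gap <= 0:
        return 0.0                                  # back-to-back packets: as regular as it gets
    cv = statistics.pstdev(gaps) / mean_gap
    return max(0.0, min(100.0, 100.0 * cv))

def resource_health(response_ms: List[float], errors_5xx: int, requests: int, baseline_ms: float,
                    unresponsive_factor: float = 5.0) -> float:
    """1.0 = healthy, 0.0 = unresponsive, from response-time degradation and the HTTP 5xx rate.
    A resource answering at unresponsive_factor x its baseline counts as fully degraded (assumed scale)."""
    slowdown = statistics.mean(response_ms) / baseline_ms if response_ms else unresponsive_factor
    degradation = max(0.0, min(1.0, (slowdown - 1.0) / (unresponsive_factor - 1.0)))
    error_rate = errors_5xx / requests if requests else 0.0
    return 1.0 - max(degradation, error_rate)

def required_charm(health: float, healthy_above: float = 0.9) -> float:
    """CHARM threshold a source must meet to reach the resource: none while healthy, rising as it degrades."""
    return 0.0 if health >= healthy_above else 100.0 * (1.0 - health)

def admit(arrival_times: List[float], health: float) -> bool:
    """Per-packet decision for one source against one resource; rejected sources are rate limited."""
    return charm_score(arrival_times) >= required_charm(health)
```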
JUNIPER COUNTER SECURITY PORTFOLIO
Junos WebApp Secure: Intrusion Deception
Junos Spotlight Secure: Attacker Intelligence Service
Junos DDoS Secure: Volumetric and Low-and-Slow Protection