SECURE THE DATACENTER. Dennis de Leest Sr. Systems Engineer


PURE PLAY IN HIGH-PERFORMANCE NETWORKING
First 10 Years of Juniper: 1996-2006. Breadth of Today's Portfolio.
Segments: Core; Edge; Access & Aggregation; Data Center; WAN; Campus & Branch; Consumer & Business Device.
Products shown: T, M, PTX, E, MX, SRX, MobileNext, MediaFlow, ACX, QFX, EX, vGW, NetScreen, WLAN, Junos Pulse.
Themes: Converged Supercore; Universal Edge; Universal Access; 3-2-1 Architecture & Physical + Virtual Security; Simplified Pay-as-you-Grow MPLS; Wired/Wireless convergence & Unified Policy; Best-of-breed Mobile Security.
Copyright 2013 Juniper Networks, Inc. www.juniper.net

JUNIPER IN THE DATACENTER: PROTECTING APPS
Spotlight Secure: Global attacker fingerprint system; Actionable beyond IP address.
DDoS Secure: Low-and-slow and volumetric; Signature free: stops new attacks; No tuning or thresholds.
WebApp Secure: Intrusion Deception stops hacking; Near-zero false positives; No tuning or Web App changes.
SRX Firewall: Leading high-end firewall; Proven datacenter scale; Integration with WebApp Secure.


IMPLICATIONS OF WEB APP VULNERABILITY
1. Direct Theft of Web App Data
2. Compromise Web app and use as DMZ pivot point
3. Targeted Drive-By Campaign

DIRECT THEFT OF WEB APP DATA
SQL Injection gives hacker access to database.
Diagram: WebApp; Database holding Credit card info, Customer data, Account records, Credentials.

COMPROMISE DMZ AND MOVE LATERALLY
1. Own Web Server, Install Backdoor
2. Attack into PCI Zone from DMZ
3. Exfiltrate data through backdoor
Diagram labels: Internet; WebApp; PCI Data.

TARGETED DRIVE-BY CAMPAIGNS
1. Attack Web app, Embed malicious link
2. Infect employees, partners, customers with backdoor
3. Steal data

WEB APP FIREWALLS MISS THE MARK
1 in 6 report having a Web App Firewall that is deployed in block mode.
66% say next gen security is ineffective on SQL injection attacks against Web apps.
High false positives block real customers. Complex policies. Hackers bypass signature based detection. Not in block mode = expensive log file.
Source: Efficacy of Emerging Network Security Technologies, Ponemon, 2013

MOZZART BET
Background: 2nd Largest Online Gaming Site in Europe. Online Attacks put Millions of Euros at Stake. Needed Active Protection vs. Post-Event Log Analysis.
Products Bought: WebApp Secure & Spotlight Secure.
"After a 3 month bake-off with WAFs, we chose WebApp Secure for its lowest false positive, real-time attacker visibility and operational efficiency." -- Cedomir Novakovic, Sr. System Engineer

THE JUNOS WEBAPP SECURE ADVANTAGE: DECEPTION-BASED SECURITY
Detect: Tar Traps detect threats without false positives.
Track: Track IPs, browsers, software and scripts.
Profile: Understand attacker's capabilities and intents.
Respond: Adaptive responses, including block, warn and deceive.

THE ANATOMY OF A WEB ATTACK
Phase 1: Reconnaissance
Phase 2: Attack Vector Establishment
Phase 3: Implementation
Phase 4: Automation
Phase 5: Maintenance
Diagram label: Web App Firewall.

INTRUSION DECEPTION: DETECTING WITH NEAR-ZERO FALSE POSITIVES, NO TUNING
Diagram: Client; Junos WebApp Secure; App Server; Web App Response; 404 Not Found.
Injected Tar Traps: Query String Parameters; HTML Hidden Input Fields; Server Configuration (.htpasswd).
Any Manipulation of a Tar Trap = Malicious
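An added illustration of the tar-trap idea on this slide, not Juniper's code: a proxy adds a decoy hidden field and a decoy link parameter to the app's HTML, strips them from incoming requests, and flags any request in which a decoy came back changed. The decoy names, bait values and sample page are constructed for the example.

```python
import re
from html import escape, unescape
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical decoys: names and bait values the application itself never uses.
FORM_TRAP = ("is_admin", "false")   # hidden input added to every form
LINK_TRAP = ("debug", "0")          # parameter appended to every site-relative link

# Constructed sample of what the app server returns.
PAGE = ('<a href="/account?id=7">Account</a>'
        '<form method="post" action="/login"><input name="user"></form>')

def inject_traps(page: str) -> str:
    """Response path: rewrite the app's HTML on its way to the client."""
    hidden = '<input type="hidden" name="%s" value="%s">' % FORM_TRAP
    page = re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + hidden, page, flags=re.I)

    def add_param(m):
        parts = urlsplit(unescape(m.group(2)))
        query = parse_qsl(parts.query, keep_blank_values=True) + [LINK_TRAP]
        url = urlunsplit(parts._replace(query=urlencode(query)))
        return m.group(1) + escape(url) + '"'
    return re.sub(r'(<a\b[^>]*\bhref=")(/(?!/)[^"]*)"', add_param, page, flags=re.I)

def inspect(params: str, trap):
    """Request path: return (params_for_app, tripped).

    The decoy is stripped so the app receives what it would have received
    without the proxy. A browser sends the bait value back untouched, so a
    different value or a repeated decoy means the request was edited. An
    absent decoy is not flagged here (a design choice of this sketch)."""
    name, bait = trap
    pairs = parse_qsl(params, keep_blank_values=True)
    seen = [v for k, v in pairs if k == name]
    clean = urlencode([(k, v) for k, v in pairs if k != name])
    tripped = len(seen) > 1 or any(v != bait for v in seen)
    return clean, tripped

if __name__ == "__main__":
    print(inject_traps(PAGE))
    print(inspect("user=mary&is_admin=false", FORM_TRAP))  # decoy untouched
    print(inspect("user=mary&is_admin=true", FORM_TRAP))   # decoy edited
```

Because the application never defines or reads the decoys, a changed value cannot come from normal use of the site, which is the basis of the slide's near-zero false positive claim.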

TRACKING BEYOND THE IP
Persistent Token: Persists in all browsers even with privacy controls enabled. Site specific.
Fingerprint: Analyze environment and connection. Not site specific.

CHANGE THE ECONOMICS: DECEPTIVE RESPONSES
Feed Fake Data; Strip Inputs; Force Logout; CAPTCHA; Slow Connection.


FINGERPRINT OF AN ATTACKER
Attributes shown: Timezone; Browser version; Fonts; Browser add-ons; IP Address.
200+ attributes used to create the fingerprint.
~ Real Time availability of fingerprints.
False Positives nearly zero.

JUNOS SPOTLIGHT SECURE
Junos Spotlight Secure Global Attacker Intelligence Service
Diagram: Attacker from San Francisco; Junos WebApp Secure protected site in UK; New Attacker fingerprint uploaded.
Map labels: Russia; India; South Africa; Australia.
Detect Anywhere, Stop Everywhere

JWAS + SPOTLIGHT TECHNOLOGY DETAILS
Diagram: Network Perimeter; Client; Firewall; App Server; Database; Mary13.
Steps shown: 1st Page Requested; Super Cookie Inserted; Finger Print Code Delivered.

HOW DOES IT WORK??
Diagram: Spotlight Secure; Mary13; JWAS Customer A; JWAS Customer B.


ATTACKER TRIPS A TAR TRAP
Mary13 = Attacker
Tar Traps: Query String Parameters; Hidden Input Fields; Server Configuration.
Diagram: Network Perimeter; Client; Firewall; App Server; Database.

UPDATING SPOTLIGHT
Diagram: Spotlight Secure; Mary13; JWAS Customer A; JWAS Customer B.

SPOTLIGHT UPDATE
Global Name: Bob112. Local Name: Mary13. JWAS Device: 4X12J8.
Diagram: Mary13; JWAS Customer A; JWAS Customer B.

SPOTLIGHT LOOKUP
Global Name: Bob112. Local Name: Mary13. JWAS Device: 4X12J8.
Diagram: ? Joe196; JWAS Customer A; JWAS Customer B.

SPOTLIGHT MATCH
Global Name: Bob112. Local Name: Mary13. JWAS Device: 4X12J8.
Diagram: ? Joe196; JWAS Customer A; JWAS Customer B.

DETECT ANYWHERE, ENFORCE EVERYWHERE
Global Name: Bob112. Entries (Local Name, JWAS Device): Mary13, 4X12J8; Joe196, M391LT.
Diagram: ? Joe196; JWAS Customer A; JWAS Customer B.


SRX INTEGRATION: BLOCK HIGH-VOLUME ATTACKS AT THE FIREWALL
1) Traffic from vulnerability scanner
2) WebApp Secure identifies attack
3) Send IP address to SRX for enforcement
Diagram: SRX; WebApp Secure; Web Servers.
SRX Configuration: Enable netconf port 830; Setup specific JWAS Filter; Bind on interface; Filter updated by JWAS.
Web App Secure Configuration: Enter SRX information; Activate SRX Counter Response (manual or automatic); Update SRX filter; Periodically checks SRX filter.


JUNOS DDOS SECURE HIGHLIGHTS
Headings: Mature Product; Highly Differentiated.
Webscreen acquisition (Feb 2013)
13 years of development
Low-and-slow application attack protection
New attacks: protects before signatures exist
$60B in revenue protected
High tech, low touch: fire-and-forget

KEY CONCEPT: CHARM
CHARM: Real-time risk score for each source IP. Per packet.
Scale labels as shown: 100; Initial; 50; Human-like; 0; Machine-like.
Simple example: real human traffic typically bursty and irregular; machine/bot traffic is regular.
Algorithms updated regularly with characteristics of new attacks.

KEY CONCEPT: RESOURCE HEALTH
Resource health: real-time view of status for every discrete thing on protected interface, based on stateful analysis of source and resource responsiveness.
Diagram: Internet Traffic; DDoS Secure; Resources.
Examples (L7, L3-4): SIP/DNS/URL and SIP Response Time; SIP/DNS/URL Rate, Pending counts; HTTP Server Error Codes; Backlog Queue (per resource, per port); TCP stats: SYN, SYN-ACK, CLS, RST, etc.

DDOS MITIGATION: CHARM AND RESOURCE HEALTH
Dynamically Adjust CHARM Threshold Based on Health. CHARM Required to Access.
In this attack example, Resource 2's response time starts to degrade and the CHARM pass threshold is increased to start the process of rate limiting the bad traffic. At this point the good traffic will continue to pass unhindered whilst the attackers will start to believe their attack has been successful as their request fails.
The traffic to Resource 2 reduces as the attackers switch the attack to Resource 3. Once again, Junos DDoS Secure responds dynamically by increasing the pass threshold for Resource 3, limiting the bad traffic.
Diagram: Resource 1; Resource 2; Resource 3; Resource N.
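An added sketch of the feedback loop on the two CHARM slides, not Junos DDoS Secure's algorithm: each source gets a 0 to 100 score from how irregular its request timing is, and each resource demands a higher score as its response time degrades. The irregularity measure, the starting score of 50, the response-time bounds and the sample traffic are assumptions made for the example.

```python
from statistics import mean, pstdev

INITIAL_SCORE = 50  # assumption: a source with too little history sits mid-scale

def charm_score(arrivals_ms):
    """0 = machine-like (regular), 100 = human-like (bursty, irregular).

    Assumption: irregularity is measured as the coefficient of variation
    of the gaps between a source's requests."""
    gaps = [b - a for a, b in zip(arrivals_ms, arrivals_ms[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return INITIAL_SCORE
    return round(min(pstdev(gaps) / mean(gaps), 1.0) * 100)

def pass_threshold(response_ms, healthy_ms=100, failing_ms=1000):
    """Score a source needs to reach a resource: 0 while the resource is
    healthy, rising linearly to 100 as its response time degrades."""
    frac = (response_ms - healthy_ms) / (failing_ms - healthy_ms)
    return round(max(0.0, min(frac, 1.0)) * 100)

def admitted(sources, resource_ms):
    """Per resource, the sources whose score meets that resource's threshold."""
    scores = {ip: charm_score(t) for ip, t in sources.items()}
    return {res: {ip for ip, s in scores.items() if s >= pass_threshold(ms)}
            for res, ms in resource_ms.items()}

# Constructed traffic: request timestamps in milliseconds per source IP.
SOURCES = {
    "192.0.2.10":   [0, 500, 1000, 1500, 2000],   # fixed 500 ms cadence
    "198.51.100.7": [0, 200, 3100, 3300, 9000],   # bursty, irregular
    "203.0.113.5":  [0],                          # first request seen
}
# Constructed health readings: Resource 2 is degrading, Resource 1 is not.
RESPONSE_MS = {"resource1": 100, "resource2": 820}

if __name__ == "__main__":
    for res, ips in admitted(SOURCES, RESPONSE_MS).items():
        print(res, sorted(ips))
```

The healthy resource admits every source, while the degraded one admits only the irregular sender, so the threshold rises only where a resource is under strain.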

JUNIPER COUNTER SECURITY PORTFOLIO
Junos WebApp Secure: Intrusion Deception
Junos Spotlight Secure: Attacker Intelligence Service
Junos DDoS Secure: Volumetric and Low and Slow Protection