SECURING THE DATACENTER
Caio Klein, SEGURINFO 2014
Copyright 2013 Juniper Networks, Inc.
SECURITY AT JUNIPER
- Customer segments: service providers, enterprise
- Business segments: routing, switching, security
- Security innovation & leadership:
  - Invest more than 20% of revenue in R&D
  - Leader in high-end firewalls and remote access SSL VPN
  - Pioneer in Intrusion Deception technology
  - Advanced DDoS technology
  - First to deliver a purpose-built virtual firewall
  - SC Magazine 2013 best cloud and SSL VPN solution
  - TechTarget's 2013 Readers' Choice gold awards for virtual security, IDP, and NAC
- Products span: Access, Apps, Networks, Mgmt, Mobility, Campus, Data center, Cloud
TRANSLATING BUSINESS DRIVERS TO SECURITY REQUIREMENTS
Business drivers (CIO) | IT initiatives (CTO) | Security requirements (CSO)
Employee productivity | BYOD | Broad device coverage
Business agility | New applications and cloud services | Flexible deployment options
Cost efficiency and optimization | Technology consolidation and modernization | Scalability and simplicity
TRENDS THAT AFFECT THE DATA CENTER
- Changing IT landscape: mobility; cloud & virtualization; massive traffic increase
- Evolution of threats: targeted attacks; sophisticated tools; economics favor bad actors
- Costs and risk increase: broader attack surface; brand impact; financial impact
DDoS SECURE
ADVANCED DDoS MITIGATION TECHNOLOGY FOR YOUR NETWORK AND APPLICATIONS
TARGETED ATTACKS ON THE RISE
Targeted, deliberate, and expensive: money, intellectual property, records.
Facts:
- 70% of all threats are at the Web application layer*
- 70+% of organizations have been hacked in the past two years through insecure Web apps***
- Yet 66% of breaches took months or more to discover**
Business impact:
- Average cost incurred from a successful breach: $8.9M**
- Average annual cost incurred from a DDoS attack: $3.5M***
Sources: * Gartner; ** 2012 Cost of Cyber Crime Study, Ponemon Institute, 2012; *** Ponemon Institute, 2013
EVOLVING DDoS ATTACK COMPLEXITY
Attack categories, from known to unknown (by newness): volumetric; low-and-slow; stealth; emerging threats.
- Signature-based scrubbers. Challenge: creating signatures for new attacks; maintaining known signatures of attacks.
- Thresholds & NetFlow analysis. Challenge: manual management of IP thresholds in dynamic networks.
DDoS ATTACK VECTORS
- Volumetric: easy to detect; attacks are getting bigger in size; frequency of attacks increasing at a moderate rate.
- Anything that makes the resources busy: flash mobs organized via social media; overwhelming legitimate requests for tickets for a big event available in a very short period of time.
- Low and slow: growing faster than volumetric; 25% of attacks in 2013 (source: Gartner); more sophisticated and difficult to detect; target back-end weaknesses; a small volume of requests can take out a large Web site.
INTRODUCING DDoS SECURE
Comprehensive anti-DDoS solution:
- Prevents volumetric and application-level (low and slow) DDoS attacks
- Detects and mitigates multi-vector DDoS attacks, including those that target specific applications
- Ensures availability for legitimate users while blocking malicious traffic, even under the most extreme attack conditions
Benefits:
- 80% effective 10 minutes after installation; 99.999% effective after 6-12 hours
- Signature-free dynamic heuristic technology
- No tuning or thresholds required (install and forget)
- Flexible deployment options (physical and virtual)
Diagram: normal traffic and DDoS attack traffic enter; heuristic analysis; only normal traffic exits.
KEY CONCEPT: CHARM ALGORITHM
- CHARM: real-time risk score for each source IP
- Simple example: real human traffic is typically bursty and irregular; machine/bot traffic is regular
- Algorithms updated regularly with characteristics of new attacks
Scale (updated per packet): 100 = human-like; 50 = initial; 0 = machine-like
DDoS SECURE: HOW DOES IT WORK
- Packet validated against pre-defined RFC filters; malformed and mis-sequenced packets dropped
- Individual IP addresses assigned a CHARM value, based on IP behaviours:
  - Mechanistic traffic: low CHARM value
  - First-time traffic: medium CHARM value
  - Humanistic, trusted traffic: high CHARM value
DDoS SECURE: HOW DOES IT WORK (CONT'D)
- Access dependent on the CHARM threshold of the target resource: below threshold, packets dropped; above threshold, uninterrupted access allowed
- Minimal (if any) false positives
- CHARM threshold changes dynamically with resource response state: a full stateful engine measures response times; dynamic and self-learning resource limitations
- No server agents
DDoS SECURE: PACKET FLOW SEQUENCE
Packet enters -> Syntax Screener (OK so far) -> CHARM Generator (with CHARM value) -> CHARM Screener -> Packet exits, or Drop packet
1. Validates data packet: against defined filters; against RFCs; packet sequencing (TCP connection state)
2. Calculates CHARM value for data packet: references the IP behavior table; function of time and historical behavior; better behaved = better CHARM
3. Behavior is recorded in the IP behavior table: supports up to 32M profiles; profiles aged on a least-used basis
4. Calculates CHARM threshold (dynamic resource control): based on responsiveness of the resource
5. Allow or drop: CHARM value compared with the resource's CHARM threshold
DDoS SECURE: RESOURCE MANAGEMENT
Dynamic resource control example (Resource 1, Resource 2, Resource 3 ... Resource N):
In this example, traffic to Resource 2 starts to degrade and the CHARM pass threshold is increased to start the process of rate limiting the bad DDoS traffic. At this point the good traffic will continue to pass unhindered whilst the attackers will start to believe their attack has been successful as their requests fail.
In the attack example, Resource 2's response time reduces as the attackers switch the attack to Resource 3. Once again, DDoS Secure responds dynamically by increasing the pass threshold for Resource 3, limiting bad traffic.
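The per-source scoring and per-resource threshold described on the CHARM slides above, as an added illustration written for this page rather than Juniper's own algorithm: the score starts at 50, drifts toward 100 when a source's packet timing is bursty and toward 0 when it is metronomic, and a resource's drop threshold rises as its response time degrades. The window size, step size, linear ramp and sample IPs are assumptions.

```python
from collections import defaultdict, deque
import statistics

INITIAL_SCORE = 50.0   # slide: a source not yet seen starts at 50
WINDOW = 8             # inter-arrival samples kept per source (assumption)

class CharmTable:
    """Per-source-IP behaviour table holding timing samples and the current score."""
    def __init__(self):
        self.last_seen = {}
        self.gaps = defaultdict(lambda: deque(maxlen=WINDOW))
        self.score = defaultdict(lambda: INITIAL_SCORE)

    def observe(self, ip, t):
        """Record one packet at time t and update the source's score (0..100)."""
        if ip in self.last_seen:
            self.gaps[ip].append(t - self.last_seen[ip])
        self.last_seen[ip] = t
        g = self.gaps[ip]
        if len(g) >= 3:
            mean = statistics.mean(g)
            # coefficient of variation: ~0 for a fixed-rate sender, large for bursty traffic
            cv = statistics.pstdev(g) / mean if mean > 0 else 0.0
            delta = 10.0 if cv > 0.5 else -10.0   # irregular -> human-like, regular -> bot-like
            self.score[ip] = max(0.0, min(100.0, self.score[ip] + delta))
        return self.score[ip]

def resource_threshold(baseline_ms, observed_ms, ceiling=95.0):
    """Threshold for one protected resource: 0 while it answers at baseline speed,
    rising linearly to `ceiling` as response time reaches 4x baseline (assumed ramp)."""
    if observed_ms <= baseline_ms:
        return 0.0
    return ceiling * min(1.0, (observed_ms - baseline_ms) / (3 * baseline_ms))

def decide(score, thr):
    """Packets whose source score is below the resource threshold are dropped."""
    return "allow" if score >= thr else "drop"

def simulate():
    """Constructed traffic: a fixed-rate sender and an irregular sender, 12 packets each."""
    table = CharmTable()
    for i in range(12):
        bot = table.observe("198.51.100.7", i * 0.100)          # every 100 ms exactly
    t = 0.0
    for gap in [0.0, 0.05, 1.2, 0.3, 2.5, 0.1, 0.9, 3.0, 0.2, 1.7, 0.4, 0.8]:
        t += gap
        human = table.observe("203.0.113.42", t)                # bursty, irregular gaps
    calm, stressed = resource_threshold(50, 50), resource_threshold(50, 200)
    return {"bot": bot, "human": human, "calm": calm, "stressed": stressed,
            "bot_under_attack": decide(bot, stressed), "human_under_attack": decide(human, stressed)}
```

With the resource healthy the threshold is 0 and everything passes; once its response time quadruples, the threshold climbs to 95 and only sources that have earned a high score keep getting through.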
HEURISTIC MITIGATION IN ACTION
Diagram: normal Internet traffic and DDoS attack traffic -> DDoS Secure (heuristic analysis, management PC) -> resources receive normal Internet traffic only.
Normal Internet traffic flows through the DDoS Secure appliance, while the software analyzes the type, origin, flow, data rate, sequencing, style and protocol being utilized by all inbound and outbound traffic. The analysis is heuristic in nature and adjusts over time but is applied in real time with minimal (<1ms) latency.
DNS REFLECTIVE / AMPLIFICATION
DNS RESOLVER PROTECTION
Diagram (SRX -> JDDS -> DNS resolvers): 1. inline inspection; 2. inbound traffic measurement; 3. measurement on application response.
Juniper DDoS Secure (JDDS):
- Sits passively inline
- Measures both inbound and outbound traffic flow
- Monitors DNS resource records by domain
- Monitors responses from the resolver
- Monitors the resolver's recursive activity
Native app protection: HTTP, HTTPS (SSL & TLS), DNS, VoIP/SIP
Eliminates DNS reflection attacks & backscatter
THE WORLD'S MOST ADVANCED HEURISTIC DDoS TECHNOLOGY
WEBAPP SECURE
THE SMARTEST WAY TO PROTECT WEBSITES AND WEBAPPS FROM ATTACKS
THE JUNOS WEBAPP SECURE ADVANTAGE: DECEPTION-BASED SECURITY
- Detect: tar traps detect threats without false positives
- Track: track IPs, browsers, software and scripts
- Profile: understand the attacker's capabilities and intents
- Respond: adaptive responses, including block, warn and deceive
DETECTION BY DECEPTION
Tar traps: query string parameters; hidden input fields; configuration
Diagram: network perimeter -> firewall -> app server -> database server
TRACK ATTACKERS BEYOND THE IP
- Track IP address
- Track browser attacks: persistent token, with the capacity to persist in all browsers including various privacy control features
- Track software and script attacks: fingerprinting of HTTP communications
JUNOS SPOTLIGHT SECURE
Junos Spotlight Secure: global attacker intelligence service.
Example: an attacker from San Francisco hits a Junos WebApp Secure protected site in the UK; the attacker fingerprint is uploaded and becomes available for all sites protected by Junos WebApp Secure.
Detect anywhere, stop everywhere.
FINGERPRINT OF AN ATTACKER
- 200+ attributes used to create the fingerprint: timezone, browser version, fonts, browser add-ons, ...
- IP address: nearly zero
- ~Real-time availability of fingerprints
SMART PROFILE OF ATTACKER
- Attacker local name (on machine)
- Attacker global name (in Spotlight)
- Attacker threat level
- Incident history
RESPOND AND DECEIVE
Junos WebApp Secure responses, by threat type (human hacker, botnet, targeted scan, IP scan, scripts & tools, exploits):
- Warn attacker
- Block user
- Force CAPTCHA
- Slow connection
- Simulate broken application
- Force log-out
All responses are available for any type of threat. Highlighted responses are most appropriate for each type of threat.
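The detect-track-respond loop of the WebApp Secure slides (tar traps in query strings and hidden fields, tracking by persistent token rather than IP, escalating responses), as an added illustration written for this page and not Juniper's code: a decoy parameter and a server-set hidden field that ordinary use never touches, an incident history keyed by client token, and a response chosen from the count of incidents. Trap names, field values, the escalation order and sample requests are all constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed tar traps (names are assumptions): a decoy query parameter no page ever
# links to, and a hidden form field whose server-set value a real browser submits unchanged.
TRAP_PARAMS = {"admin_debug"}
HIDDEN_FIELDS = {"acct_ref": "c7f3-9a12"}
# Escalation order for repeat offenders (assumed; all four appear on the responses slide)
RESPONSES = ["warn", "force_captcha", "slow_connection", "block"]

def inspect(request):
    """Return the tar-trap incidents a single request triggers ([] for normal use)."""
    incidents = []
    qs = parse_qs(urlsplit(request["url"]).query)
    for name in sorted(TRAP_PARAMS.intersection(qs)):
        incidents.append(f"decoy parameter probed: {name}={qs[name][0]}")
    form = request.get("form", {})
    for name, expected in HIDDEN_FIELDS.items():
        if name in form and form[name] != expected:
            incidents.append(f"hidden field altered: {name}={form[name]}")
    return incidents

class Tracker:
    """Incident history keyed by the persistent client token (falling back to IP),
    so a client that changes address keeps its record."""
    def __init__(self):
        self.history = {}

    def handle(self, request):
        key = request.get("token") or request["ip"]
        hits = self.history.setdefault(key, [])
        hits.extend(inspect(request))
        if not hits:
            return "allow"
        return RESPONSES[min(len(hits), len(RESPONSES)) - 1]

def demo():
    """Constructed requests: one normal form post, then one client touching traps
    from three different IPs while carrying the same persistent token."""
    requests = [
        {"ip": "203.0.113.42", "token": "tok-user", "url": "/account",
         "form": {"acct_ref": "c7f3-9a12", "email": "a@example.org"}},
        {"ip": "198.51.100.7", "token": "tok-x1", "url": "/account?admin_debug=1"},
        {"ip": "198.51.100.8", "token": "tok-x1", "url": "/account",
         "form": {"acct_ref": "c7f3-9a13"}},
        {"ip": "198.51.100.9", "token": "tok-x1", "url": "/account?admin_debug=true"},
        {"ip": "198.51.100.9", "token": "tok-x1", "url": "/account?admin_debug=0"},
    ]
    tracker = Tracker()
    return [tracker.handle(r) for r in requests]
```

Because the decisions hinge on elements legitimate clients never send or change, the normal user stays at "allow" while the token-tracked client escalates from warn to block regardless of the IP it arrives from.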
VIRTUAL SECURITY & FIREFLY SUITE
MARKET SITUATION, BY GARTNER
- By 2016, public cloud infrastructure will include and be managed as critical national infrastructure regulations by the U.S.
- 20%: over 20% of the VPN/firewall market will be deployed in a virtual element
- 10%: by 2015, 10% of overall IT security product capabilities will be delivered in/from the cloud
- 100%: by 2015, cloud as a delivery model will shape buying and prioritization of security
- 131B: worldwide public cloud services
CLOUD & MSSP MARKET TRENDS
From (legacy model of the business network) | To (today's flexible, proactive business network)
Physical network elements | Virtual network elements and overlays
Traditional security perimeters | Blurred boundaries, everyone is an insider
Corp.-managed, static apps | SaaS, user-chosen apps, rogue clouds
Overprovisioned hardware | Elastic compute, security and storage
Controlled & defined user/admin roles | Self-provisioned security, virtual admins
Simple, isolated security management | Specialized, intelligent & coordinated identity-based security management
INTRODUCING THE FIREFLY SUITE
Fully virtualized security solution protecting virtual applications and workloads in public or private clouds.
Providing protection FOR the cloud with Juniper Firefly Host, Firefly Perimeter and Junos Space Virtual Director, and protection FROM the cloud:
- Security for virtual assets
- Junos Space Security and Virtual Director
- Monitoring and control
- Intelligence and automation
Diagram: OSS/BSS and customer portal; Internet -> MX universal router -> SRX -> Firefly Perimeter (VMs); Enterprise WAN -> MX -> hybrid cloud; hypervisor with Firefly Host on a multi-tenant virtualized host.
FIREFLY PERIMETER
FIREFLY PERIMETER
Availability: Jan 15 2014 official public launch (VMware and Contrail).
Secure virtual version of the SRX; provides north/south firewall (5Gbps), NAT, routing, and VPN connectivity features in a flexible virtual machine format.
A CLOSER LOOK AT FIREFLY PERIMETER
Fully-tested Junos-based SRX code in a VM provides all Junos-related automation and connectivity options in addition to firewall.
- Junos routing protocols and SDK
- Junos rich & extensible security stack:
  - Perimeter security: firewall, VPN, NAT, network admission control
  - Content: anti-virus, IPS (full IDP feature set), web filtering, anti-spam
  - Application: application awareness, identity awareness
- Management: CLI, J-Web, SNMP, Junos Space Security Director, hypervisor management, HA/FT
JUNOSV FIREFLY PERIMETER HA
Diagram: two virtualized environments, each hypervisor hosting Firefly Perimeter for Customer 1 and Customer 2 (Customer 1 active on one hypervisor and passive on the other; Customer 2 the reverse).
Firefly Perimeter will support chassis clustering (both active-active as well as active-passive modes). This support provides full stateful failover for any connections being processed. In addition, it will be possible for the cluster members to span hypervisors.
FIREFLY HOST
FIREFLY HOST (FORMERLY vGW)
Availability: VMware now; Contrail scoping for 2014.
Security suite integrated into the hypervisor kernel. Provides east/west firewall (35+Gbps), AV, IDS, compliance, introspection, network monitoring.
- Firefly Host Engine: full FW implementation in the kernel; stateful FW; per-VM policy
- Firefly Host Security VM: policy from management to engine; logging from engine to management; IDS engine; deployed as HA pair; delivered as virtual appliance
Diagram (ESX host): VM1, VM2, VM3 -> Firefly Host Engine -> VMware dvfilter -> VMware vSwitch or Cisco 1000V -> ESX kernel (hypervisor)
SECURE
- Complete firewall protection for any network traffic to or from a VM
- Antivirus components controlled centrally (scanner configuration, alert viewing, infected file remediation)
- IDS: send selectable traffic flows to the internal IDS engine for deep-packet analysis against a dynamic signature set
MONITOR AND CONTROL
- Network visibility: all VM traffic flows stored in a database and available for analysis
- Pre-defined and customizable reports
- Compliance module includes pre-defined rules based on virtual security best practices as well as customers' rules
INTELLIGENCE AND AUTOMATION
- Introspection: agent-less ability to scan a VM's virtual disk contents to understand what's installed
- Smart Groups allow the use of attributes to create dynamic system associations
- Open and ready for innovation with rich sets of APIs
VIRTUAL SECURITY AND SDN
JUNIPER VIRTUALIZED SECURITY PORTFOLIO: THE FLEXIBILITY OF CHOICE
Virtual security & connectivity solution: complete line-up of virtual security services and connectivity options!
Diagram: Internet -> Firefly; Pulse SA Virtual; Pulse UAC Virtual; WebApp Secure Virtual; DDoS Secure Virtual; Secure Analytics Virtual; internal LAN; DMZ; Web apps; user.
- Protect critical assets against internal or external attack
- Utilize Intrusion Deception to uniquely defend web applications and increase the complexity and cost of attack for bad actors
- Break attack automation with fake attack paths and responses that intelligently match the attacker's skillset while leaving legitimate users' experience unaffected
- Provide connectivity (SSL VPN, NAC) via a virtualized form factor
- Filter Distributed Denial-of-Service attacks
SECURITY SERVICES ARE A KEY ELEMENT IN SDN
Software-based solution, enabling cross-sell & upsell opportunities with Contrail integration and support for SDN.
- Reduced OPEX; reduced CAPEX
- Flexible choices
- Elastic scaling of security services: Firefly Perimeter, DDoS Secure, WebApp Secure, Pulse SA, Secure Analytics, other services, 3rd-party services
New flexible and dynamic approach: Contrail controller + vRouter on x86 server / x86 blade virtual infrastructure (OpenStack, etc.)
VIRTUAL SECURITY WITH CONTRAIL
| Old school | Contrail (NFV + SDN)
Ordering | Weeks / months | Instantly
HW cost | High, custom HW | Commodity x86
Deployment | Cabling | Click
Scale | Limited | Elastic
Retirement | Depreciation | Re-provisioning
Investment protection | Low | High
Resource limitation | High | Service chaining
SUMMARY
- Intrusion prevention by deception is the smartest tool to keep attackers away from your Web application
- Smarter heuristics are required to identify DDoS and protect your resources from unavailability
- Security virtualization is mandatory in the cloud environment
- The complexity of virtual environments also requires orchestration (NFV + SDN)
Thank you