Juniper Software Defined Secure Networks

Christoph Plum, cplum@juniper.net, Systems Engineer

Page 1: Juniper Software Defined Secure Networks - Startseite · Juniper Software Defined Secure Networks Christoph Plum, cplum@juniper.net ... • SRX Firewalls • Juniper EX and QFX switches


Page 2

Legal Disclaimer

This product roadmap sets forth Juniper Networks’ current intention and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted on this roadmap.

Page 3

Security is in Transformation

INFRASTRUCTURE
• Device proliferation and BYOD
• IoT based attacks
• Hybrid cloud deployments growing

THREAT SOPHISTICATION
• Zero day attacks
• Advanced, persistent, targeted attacks
• Adaptive malware

CLOUD
• Virtualization and SDN
• Applications, data, management in the cloud
• Application proliferation

Page 4

Multiple vendors and interfaces

Intelligence not shared – Illicit behavior not detected

Isolated security functions

Advanced Threat Prevention

Intrusion Prevention

Application Security

Specialized Security Doesn’t Work

Data Loss Prevention


Endpoint Protection

Page 5

Strategy for Futureproof Cybersecurity

ANY VENDOR

Open ecosystem for threat intel sharing and integration

Consistent, automated defense across diverse environments

ANY CLOUD

ANY NETWORK ASSETS

Unified enforcement domain

Keep your organization safe from cyber criminals with a unified cybersecurity platform from Juniper Networks, powered by automation, machine learning and real-time intelligence

Page 6

Infection is Easy


Page 7

And Can Spread Without Resistance


Page 8

SDSN Stops the Threat

Command & Control Server

Quarantined

Security Director + Policy Enforcer


SRX/vSRX

Sky ATP

Juniper or 3rd Party Switch

Infected Laptop

MAC: 3A-34-52-C4-69-b4

IP: 172.16.254.3

Page 9

Demanding Software Defined Secure Networks

Global Policy Orchestration, Policy Engine

Open and Unified Threat Detection

Dynamic, Automated Enforcement

IDS, Deception, Sandbox, AV, NGFW, Analytics, IPS, NAT

Uncoordinated and firewall focused

Orchestrated, holistic system encompassing security + infrastructure

Page 10

Software Defined Secure Network

Threat intelligence from multiple sources: Threat-Hunting, analytics, correlation, forensics to identify, report and rate offences

Create and centrally manage security policy through user-intent based system

Enforce policy in near real time across the network; ability to adapt to network changes

Detection

Enforcement

Policy

Dynamic and Adaptive

Policy Engine

Your Enterprise Network

Security Intelligence

Threat Defense: Cloud and/or Enterprise-based Threat Detection

Campus & Branch

Data Center

Public Cloud

Private Cloud

Page 11

Software Defined Secure Networks (SDSN): Unified Security Platform

Network as a single enforcement domain - Every element is a policy enforcement point

Detection
• Fast, effective protection from advanced threats
• Integrated threat intelligence

Policy
• Adaptive enforcement to firewalls, switches, 3rd party devices and routers
• Robust visibility and management

Enforcement
• Consistent protection across physical/virtual
• Open and programmable environment

DETECTION
• Juniper Cloud
• Sky Advanced Threat Prevention (ATP)
• Spotlight Secure Threat Intelligence
• Third Party Threat Intel

POLICY
• Security Director + Policy Enforcer: Policy Enforcement, Visibility, Automation

ENFORCEMENT
• SRX Physical Firewall
• vSRX Virtual Firewall
• MX Routers*
• EX & QFX Switches
• Third Party Elements

*Roadmap, subject to change

Page 12

Sky Advanced Threat Prevention (ATP)

SRX/vSRX

Sandbox

Analysis

Machine Learning

Sky ATP

Custom and Third Party Intel

C&C Geo IP

Zero Days

Malware

• Protects against advanced malware like ransomware
• Stops advanced persistent threats
• Analyzes web and email files
• European Data Center for data sovereignty
• FedRAMP certified

Page 13

Cloud Infrastructure

Multiple Anti-Virus

Cache

Inline Blocking

Sandbox

Static Analysis

Sky Advanced Threat Prevention Cloud

Potentially malicious files

Behavioral Analysis

Deception

Machine Learning

• Verdicts determined at every level

• Additive verdict determination ensures accuracy

• Over 50 deception techniques employed to trick malware into exposing itself

Page 14

Sky ATP

Page 15

Suspected Incidents

Servers and mainframes

Data activity

Network and virtual activity

Application activity

Configuration information

Security devices

Users and identities

Vulnerabilities and threats

Global threat intelligence

Automated Offense Identification

• Unlimited data collection, storage and analysis

• Built in data classification

• Automatic asset, service and user discovery and profiling

• Real-time correlation and threat intelligence

• Activity baselining and anomaly detection

• Detects incidents out of the box

Embedded Intelligence

Prioritized Incidents

JSA in a nutshell - Automated offense identification


Page 17

Policy Enforcer

Extend Enforcement to Access Layer (Juniper & 3rd Party)

Block, Quarantine, Release, and Track

Automate Pervasive Enforcement

Micro-segmentation with vSRX & VMware NSX

Page 18

SDSN

Use Case: Threat Remediation of infected hosts

Key Features

Security Fabric including Firewalls and Switches

Infected Host Blocking
• Perimeter Firewall level for north – south traffic
• EX/QFX switches to protect from lateral movement of threats

Infected Host Tracking
• Track infected host movement in network, and
• Quarantine or block infected hosts even if IP address changes

DETECTION
Sky ATP – Known & Day-0 Malware analysis, Sandboxing, Infected Host identification, Command & Control, GeoIP

POLICY
Simplified Threat Remediation Policy (Block, Quarantine, Track) defined in Security Director Policy Enforcer

ENFORCEMENT
Juniper: SRX, vSRX, EX and QFX

Customer Benefits
• Automates threat remediation workflows
• Real-time remediation of infected hosts
• Reduced time to remediate = Reduced exposure to attacks
• Leverage Network (EX/QFX) and Firewall (SRX/vSRX) to take remediation actions to address lateral movement of attacks inside the network in addition to limiting attacks from outside world

Page 19

Understanding SDSN

SKY ATP Security Fabric
• SRX Firewalls
• Juniper EX and QFX switches

Sky Realm
• SRX and PE registered

Threat Intelligence from
• SKY ATP Cloud Feeds

Enforcement
• On SRX via Security Director
  • ATP policy pushed to SRX from SD
  • SRX pulls Infected host feed from PE
• On EX/QFX Switches
  • S/W micro service collects and maintains IP/MAC binding of hosts
  • Commits a MAC F/W filter on switch for enforcement

S/W Micro Service

Policy Enforcer

Security Director

SRX Detection

Layer

EX/QFX

Management

Feeds

Enforcement

Secure Fabric
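
The infected-host tracking described on this slide and in the threat remediation use case, modelled as an added example (not Juniper's code and not part of the original deck): bindings are keyed by MAC, so a quarantine follows the host when its IP address changes. `HostTracker`, the assumption that the infected-host feed names hosts by IP, the switch and port names, and the second IP address are all made up for illustration.

```python
from dataclasses import dataclass, field

def norm_mac(mac):
    """Normalize 3A-34-52-C4-69-b4 or 3a:34:... to lower-case colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass
class HostTracker:                                   # hypothetical name
    ip_to_mac: dict = field(default_factory=dict)    # current IP/MAC bindings
    mac_to_loc: dict = field(default_factory=dict)   # MAC -> (switch, port)
    infected: set = field(default_factory=set)       # quarantined MACs

    def observe(self, ip, mac, switch, port):
        """Record a binding learned from a switch."""
        mac = norm_mac(mac)
        # Forget IPs this MAC held before (avoids blaming a recycled address).
        for old in [i for i, m in self.ip_to_mac.items() if m == mac]:
            del self.ip_to_mac[old]
        self.ip_to_mac[ip] = mac
        self.mac_to_loc[mac] = (switch, port)

    def mark_infected(self, ip):
        """Resolve an IP from the infected-host feed to its MAC, if bound."""
        mac = self.ip_to_mac.get(ip)
        if mac is not None:
            self.infected.add(mac)
        return mac

    def infected_ips(self):
        """IP view of the feed, as an L3 firewall would consume it."""
        return sorted(i for i, m in self.ip_to_mac.items() if m in self.infected)

    def filter_plan(self):
        """MACs to filter, grouped by the switch where each was last seen."""
        plan = {}
        for mac in sorted(self.infected):
            plan.setdefault(self.mac_to_loc[mac][0], []).append(mac)
        return plan

def demo():
    """Constructed scenario: the laptop from the slide changes IP and switch."""
    t = HostTracker()
    t.observe("172.16.254.3", "3A-34-52-C4-69-b4", "ex-1", "ge-0/0/5")
    t.mark_infected("172.16.254.3")
    t.observe("172.16.254.77", "3a:34:52:c4:69:b4", "ex-2", "ge-0/0/9")
    return t.infected_ips(), t.filter_plan()
```
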

Page 20

Policy Enforcer Phase 2 – Overview

Private Cloud
• NSX – vSRX Micro-segmentation
• Meta-Data & SG Sync
• vSRX Policies

Threat Remediation
• EX in Fusion Mode
• 3rd Party Switches
• Wireless & Trunk Port

3rd Party Eco-System

3rd Party Threat Feeds
• Whitelist, Blacklist and Infected Host threat feeds

3rd Party Enforcement
• Southbound API for 3rd parties

Page 21

Threat Remediation Enhancements

Use Case: 3rd Party Switch and Wireless Support

Key Features

Security Fabric to support 3rd party switches and wireless

Infected Host Blocking
• Juniper & 3rd party switches to protect from lateral movement of threats

Infected Host Tracking
• Track infected host movement in network, and
• Quarantine or block infected hosts even if IP address changes

ENFORCEMENT
• Juniper: SRX, vSRX, QFX and EX (+Fusion Support)
• 3rd Party: Access Switches with Radius (AAA) configured
• Wireless: WLCs with Radius (AAA) configured

Customer Benefits
• Automates threat remediation workflows
• Real-time remediation of infected hosts
• Reduced time to remediate = Reduced exposure to attacks
• Network vendor agnostic mechanism for threat remediation

3rd Party Access Switch

Radius Server

Radius messages

Policy Enforcer

Connector Framework

3rd Party Connector

SKY ATP

Page 22

SDSN Phase-3

SDSN is a huge differentiator for Juniper

Key Features
• User Intent Policy
• Hybrid Cloud Support
  • AWS
  • Contrail
• Additional Threat Remediation
  • JSA, Cisco ISE, Forescout

Complete Threat Remediation Use Case
• Additional NAC vendor support, and JSA

Introduce User Intent Based Policy Model
• Simplicity of policy to support agile applications & users

Support Private & Public Cloud
• With vSRX on VMware NSX, Contrail, AWS

Customer Benefits
• Flexible and extensible policy - Security Policy is tied to a business intent and not to a network topology
• Enhanced user experience and optimized network operation - Unified Security Policy across all Juniper Product Lines
• Ubiquitous and multi-vendor enablement – work with 3rd party devices and works on-premise as well in the Cloud

Page 23

Thank you