Securing Networks With Juniper


Transcript of Securing Networks With Juniper

Page 1: Securing Networks With Juniper

8/2/2019 Securing Networks With Juniper

http://slidepdf.com/reader/full/securing-networks-with-juniper 1/24


Securing Networks with Juniper Networks
Juniper Security Features

Jean-Marc Uzé
Liaison Research, Education and Government Networks and Institutions, EMEA
TF-CSIRT Meeting, 26/09/02

Agenda

• Introduction
• Juniper Networks Routers Architecture
• Router Protection
• Encryption of Traffic
• Source Address Verification
• Real-time Traffic Analysis
• I/O Filters and Rate Limiting
• Summary


Juniper Networks, Inc. Copyright © 2002 3

Cyber Attacks Increasing

• Frequency
  ◦ Over 4,000 Distributed DoS attacks a week
• Sophistication
  ◦ Distributed DoS attacks hard to detect & stop
  ◦ Network elements recently targeted
• Impact
  ◦ Yahoo, eBay, Microsoft make headlines
  ◦ Cloud 9 (UK) ISP out of business

[Figure: timeline with ticks at 1994, 1996, 1998 and 2000. Attack types shown: packet sniffers, IP spoofing, denial of service attacks, automated scanning tools, distributed denial of service attacks, email script attacks, self-propagating automated distributed attacks. Phases shown: host based attacks, network based attacks, attacks target network. Source: Published CERT figures]


Today's Security Compromises

Partial
• Enable security at specific points on the network
• As platforms, interfaces or software allow
• Does not provide reliable security

Reactive
• Security enabled after attack is detected
• High operational effort
• Performance SLAs affected

[Figure: performance over time against the SLA target, with markers for attack starts, tracing, blocking and attack ends]


Security Without Compromise

• Ubiquitous
  ◦ Juniper Networks: Single Image, Security on All Interfaces
• Continuous
  ◦ Juniper Networks: Low impact – turn it on, leave it on
• Economical
  ◦ Juniper Networks: Included in the basic platform
• Proven
  ◦ Juniper Networks: Shipping since 2000 and in use in production networks around the world

Lets You, Rather Than Your Equipment, Dictate Your Network Security Policy.


Protecting and Enabling Revenues

• Customer Retention
  ◦ Increased customer satisfaction
  ◦ Match competitive security service offerings
• New Services
  ◦ Lawful Intercept
  ◦ Intrusion Detection Services
  ◦ High Speed Encrypted VPNs
  ◦ Attack Resistant Web Hosting
  ◦ Denial of Service Protection/Control
  ◦ Spoofing Protection


JUNOS Security Related Features

[Timeline figure: JUNOS 3.x (1998), JUNOS 4.x (1999), JUNOS 5.x (2001), with the feature groups below]

• User Administration TACACS+ / Radius
• Protocol Authentication

• H/W Based Packet Filtering
• Individual Command Authorization
• Traffic Policing
• Firewall Syslogs / MIB
• H/W Based Router Protection

• Port-Mirroring
• IPSEC Encryption (Control and Transit traffic)
• Unicast RPF
• Radius Support for PPP/CHAP
• SNMPv3


Juniper Security Features at a Glance

Examples of Available Safeguards (table columns: Infrastructure Protection, Customer Protection)

Prevention
  1. Hardware based router protection
  2. IPSEC encryption of Control Traffic
  3. IPSEC encryption of customer traffic
  4. Source address verification

Detection
  5. Real time traffic analysis (port mirroring) for Lawful Intercept, IDS
  6. Real-time DDOS attack identification

Suppression
  7. I/O filters to block attack flows
  8. Rate limiting
  9. Hitless filter implementation


System Architecture

• Routing Engine
  ◦ Maintains routing table and constructs forwarding table using knowledge of the network
• Packet Forwarding Engine
  ◦ Receives packet forwarding table from Routing Engine
  ◦ Copies packets from an input interface to an output interface
  ◦ Conducts incremental table updates without forwarding interruption

[Figure labels: Junos Internet Software; Forwarding Table; Update; Internet Processor II; Switch Fabric; I/O Card]


IP II ASIC Overview

• Leverages proven, predictable ASIC forwarding technology of Internet Processor
• Provides breakthrough technology to support performance-based, enhanced Services
  ◦ Security and bandwidth control (i.e. filtering) at speed
  ◦ Visibility into network operations at speed
• Delivers performance WITH services
  ◦ Supported on all interfaces

[Figure: Internet Processor II]


Filtering

• IP-II enables significant functionality with applications to network management
  ◦ Security
  ◦ Monitoring
  ◦ Accounting

Filter Specification (multiple rules may be specified):

    filter my-filter ip {
        rule 10 {
            protocol tcp;
            source-address 128.100.1/24;
            port [ smtp ftp-data 666 1024-1536 ];
            action {
                reject tcp-reset;
            }
        }
    }

Compile to Microcode (Packet Handling Programs): filters and route lookup are part of the same program.

All Packets Handled By Router: filters can act on highlighted fields, as well as incoming interface identifier and presence of IP options.

    IP:  Ver, IHL, ToS, Total Len; ID, Fragmentation; TTL, Proto, Hdr Checksum; Source Address; Destination Address
    TCP: Source Port, Dest Port; Sequence Number; Acknowledgement Number; Offset, Flags, Window; Checksum, Urgent Pointer

[Figure labels for packet handling: Log, syslog, Count, Sample, Forwarding-class, Loss-priority, Policer; Silent Discard; Forward; TCP Reset or ICMP Unreachable; Routing Instance]


JUNOS Internet Software

• Common software across entire product line leverages stability, interoperability, and a wide range of features
• Purpose built for Internet scale
• Modular design for high reliability
• Best-in-class routing protocol implementations
• Foundation for new services with MPLS traffic engineering

[Figure labels: Operating System; Protocols; Interface Mgmt; Chassis Mgmt; SNMP; Security]


Traffic Framework

• Management, Control and Data planes
• Source, Destination and Type

[Figure labels: Routing Control; ICMP Notification; User Data; Router Management]


Tools – Prevent, Detect, Control

Traffic
• Forward
• Redirect
• Monitor
• Sample
• Count
• Log
• Mark
• Limit
• Discard

Route Control
• Import filters
• Export filters
• Mark
• Limit
  ◦ Announcements
  ◦ Prefixes


JUNOS Default to Secure

• Does not forward directed broadcasts
• Remote management access to the router is disabled. It must be explicitly enabled
  ◦ telnet, ftp, ssh…
• No SNMP set support for editing configuration data
• Default Martian addresses


Communicating with the Router

• Secure Shell
  ◦ Ssh v1 / v2
  ◦ Support connection limit + rate limit
    - against SYN flood DoS attacks on the ssh port
  ◦ OpenSSH 3.0.2 since JUNOS 5.4
• Secure Copy Protocol (SCP)
  ◦ Uses the ssh encryption and authentication infrastructure to securely copy files between hosts
• Central Authentication
  ◦ TACACS+ / RADIUS
  ◦ User classes with specific privileges
• File Records and Command Events


Hardware-Based Router Protection

• Router's control plane is complex and intelligent
  ◦ Needs to be CPU based
  ◦ Protocols need processing power for fast updates and to minimize convergence time.
• Attacks launched at routers include sending:
  ◦ Forged routing packets (BGP, OSPF, RIP, etc.)
  ◦ Bogus management traffic (ICMP, SNMP, SSH, etc.)
• Attacker can easily launch high speed attacks
  ◦ Rates in excess of 40M/second
  ◦ CPU based filtering unable to keep up
  ◦ Attacks consume CPU resources needed for control traffic.
  ◦ Danger of protocol time-outs, leading to network instabilities.


Hardware Based Router Protection

• Hardware based filtering advantages
  ◦ Hardware drops attack ("untrusted") traffic
  ◦ CPU free to process "trusted" control traffic
• One filter applied to the "loopback"
  ◦ Protects the router and all interfaces
  ◦ Provides ease of management
  ◦ No need to configure additional filters when adding new interfaces


Hardware Based Router Protection

• Define "trusted" source addresses
• Define protocols and ports that need to communicate
• Accept desired traffic and discard everything else
• One filter applied to the loopback interface protects router and all interfaces

    firewall {
        filter protect-RE {
            /* TCP segments with ACK or RST set (tcp-established) */
            term established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* "trusted" sources, limited to the listed protocols and ports */
            term trusted-traffic {
                from {
                    source-address {
                        10.10.10.0/24;
                        10.10.11.0/24;
                        10.10.12.0/24;
                        10.10.17.0/24;
                        10.10.18.0/24;
                    }
                    protocol [ icmp tcp ospf udp ];
                    destination-port [ bgp domain ftp ftp-data snmp ssh ntp ];
                }
                then accept;
            }
            /* everything else is logged and discarded */
            term default {
                then {
                    log;
                    discard;
                }
            }
        }
    }


IPSec Encryption of Control Traffic

• Encrypt Control Traffic Between Routers
• Encryption uses ESP in Transport Mode
• ESP Provides Secure Communication for critical control / routing traffic
• Protects from attacks against control plane


IPSec Encryption of Customer Traffic

• Encryption Services PIC provides capabilities to other interfaces on the router for Encryption and Key Exchange (IKE)
• Provides high-bandwidth encryption for transit traffic at 800 Mbps (half-duplex)
• Applied via the Packet Forwarding Engine
  ◦ offload the encryption and decryption tasks from Routing Engine processor
• Delivers Private and Secure communication of mission-critical customer traffic
• Provides up to 1,000 tunnels per PIC
• Can Scale Using Multiple PICs


IPSec Encryption of Customer Traffic

• Crypto PIC highlights:
  ◦ Tunnel/Transport Mode
    - Tunnel mode for data traffic
  ◦ Authentication Algorithms
    - MD5
    - SHA-1
  ◦ Encryption Algorithms
    - DES
    - 3-DES
  ◦ IKE Features
    - Support for automated key management using Diffie-Hellman key establishment
    - Main/Aggressive mode supported for IKE SA setup
    - Quick Mode supported for IPSec SA setup


Source Address Verification

• Why it is needed:
  ◦ IP address spoofing is a technique used in DOS attacks
  ◦ Attacker pretends to be someone else
  ◦ Makes it difficult to trace back the attacks
  ◦ Common Operating Systems let users spoof machine's IP address access (UNIX, LINUX, Windows XP)
• How it is done:
  ◦ Route table look-up performed on IP source address
  ◦ Router determines if traffic is arriving on expected path
    - traffic is accepted
    - normal destination based look up is performed
  ◦ If traffic is not arriving on the expected path
    - then it is dropped


Source Address Verification

• Juniper Solution
  ◦ uRPF can be configured per-interface/sub-interface
  ◦ Supports both IPv4 and IPv6
  ◦ Packet/Byte counters for traffic failing the uRPF check
  ◦ Additional filtering available for traffic failing check:
    - police/reject
    - Can syslog the rejected traffic for later analysis
  ◦ Two modes available:
    - Active-paths: uRPF only considers the best path toward a particular destination
    - Feasible-paths: uRPF considers all the feasible paths. This is used where routing is asymmetrical.


Source Address Verification

[Figure labels: Data Center 10.10.10.0/24; interfaces so-0/0/0.0 and so-1/0/0.0; attack with source address=10.10.10.1; uRPF; route 10.10.10.0/24 * [BGP/170] > via so-1/0/0.0; 11.11.11.0/24]
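Added example, not from the original slides: a Python model of the source-address check in its two modes, using the route from the diagram (10.10.10.0/24 via so-1/0/0.0). The arrival interface of the spoofed packet, the other routes, the feasible-path sets and the packet list are constructed assumptions.

```python
"""Model of the uRPF decision in active-paths and feasible-paths mode.

Added example: a simulation, not router code. Routes other than
10.10.10.0/24, the feasible sets and the packets are constructed.
"""
import ipaddress

# prefix -> interface of the best (active) path and all feasible paths
ROUTES = {
    "10.10.10.0/24": {"active": "so-1/0/0.0", "feasible": {"so-1/0/0.0"}},
    "11.11.11.0/24": {"active": "so-0/0/0.0",
                      "feasible": {"so-0/0/0.0", "so-1/0/0.0"}},
    "2001:db8::/32": {"active": "so-0/0/0.0", "feasible": {"so-0/0/0.0"}},
}
TABLE = [(ipaddress.ip_network(p), r) for p, r in ROUTES.items()]

# (source address, arrival interface, length in bytes), all constructed
PACKETS = [
    ("10.10.10.1", "so-0/0/0.0", 64),    # data-center source, wrong side
    ("10.10.10.1", "so-1/0/0.0", 64),    # same source on its expected path
    ("11.11.11.5", "so-1/0/0.0", 1500),  # asymmetric but feasible path
    ("192.0.2.9", "so-0/0/0.0", 40),     # no route back to the source
    ("2001:db8::1", "so-0/0/0.0", 80),   # IPv6 takes the same check
]


def lookup(src):
    """Longest-prefix match on the SOURCE address; None if no route."""
    addr = ipaddress.ip_address(src)
    matches = [(net, route) for net, route in TABLE if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def urpf_accepts(src, in_ifc, mode):
    """True if a packet from src arriving on in_ifc passes the check."""
    route = lookup(src)
    if route is None:
        return False
    if mode == "active-paths":
        return in_ifc == route["active"]
    if mode == "feasible-paths":
        return in_ifc in route["feasible"]
    raise ValueError(f"unknown mode: {mode}")


def run(packets, mode):
    """Return (accepted packets, {interface: [packets, bytes]} of failures)."""
    accepted, failed = [], {}
    for src, in_ifc, length in packets:
        if urpf_accepts(src, in_ifc, mode):
            accepted.append((src, in_ifc, length))
        else:
            counters = failed.setdefault(in_ifc, [0, 0])
            counters[0] += 1
            counters[1] += length
    return accepted, failed


if __name__ == "__main__":
    for mode in ("active-paths", "feasible-paths"):
        accepted, failed = run(PACKETS, mode)
        print(mode, "accepted:", [p[0] for p in accepted], "failed:", failed)
```

In feasible-paths mode the asymmetric 11.11.11.5 packet is accepted, while the spoofed data-center source is still dropped and counted in both modes.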


Real-time Traffic Analysis

• Sampling and cflowd format export (v5 + v8)
• since JUNOS 5.4: Passive Monitoring PIC
  ◦ Application is primarily for security and traffic analysis
  ◦ Monitors IPv4 packets and flows over SONET on:
    - OC-3c, OC-12c and OC-48c
    - PPP or HDLC (Cisco) layer 2 encapsulations
  ◦ Generates cflowd v5 records for export to collector nodes
    - IPSec or GRE tunnels can be used for exporting


Real-time Traffic Analysis

• Juniper Port Mirroring capability
  ◦ Copy of sampled packet can be sent to arbitrary interface
  ◦ Any Interface and speed up to 100% of selected packets
  ◦ N number of ingress ports to single destination port
  ◦ Work in progress with IDS vendor
    - Discussions ongoing with high-speed analytical security application developers (OC48)


Real-time Traffic Analysis

[Figure labels: Mirrored Traffic; Intrusion Detection System; Data Center]


Real-time DDoS Identification

• Preparation
  ◦ Pre-configure Destination Class Usage (DCU) on customer-facing ingress interfaces
  ◦ Accounting feature typically for billing
  ◦ Supported in JUNOS 4.3 (12/2000) and beyond
  ◦ Counts packets, bytes destined for each of up to 16 communities per interface
  ◦ Counters retrievable via SNMP
  ◦ Note: Source Class Usage is also supported (since JUNOS 5.4)
• During Attack
  ◦ Use BGP to announce victim's /32 host address with special community
  ◦ Trigger SNMP polling of DCU counters on all ingress interfaces
  ◦ Apply heuristic to identify likely attack sources


Real-time DDoS Identification

[Figure labels: Service Provider; NOC; Switch; Victim Network; Attacker Network; Attack Network; User Network]


Real-time DDoS Identification

[Figure labels: Service Provider; NOC; Switch; Victim Network; Attacker Network; Attack Network; User Network; 128.8.128.80; 128.8.128.80/32; Community 100:100]
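Added example, not from the original slides: one possible form of the heuristic in the "During Attack" step, in Python, ranking ingress interfaces by the rate of traffic counted toward the victim's destination class between two polls. The 32-bit counter width, the thresholds, the interface names and the poll values are constructed assumptions.

```python
"""Rank ingress interfaces by traffic toward the victim's destination class.

Added example. Counter width, thresholds and poll values are assumptions;
the slides do not specify the heuristic.
"""

# Constructed byte counters for the victim's class, one value per ingress
# interface, from two SNMP polls taken INTERVAL_S seconds apart.
INTERVAL_S = 10
POLL_T0 = {"so-0/0/0.0": 4_294_000_000, "so-0/1/0.0": 1_000_000,
           "so-0/2/0.0": 500_000, "so-1/0/0.0": 2_000_000}
POLL_T1 = {"so-0/0/0.0": 124_032_704, "so-0/1/0.0": 63_500_000,
           "so-0/2/0.0": 1_750_000, "so-1/0/0.0": 2_125_000,
           "so-2/0/0.0": 9_000_000}   # new interface, absent at T0


def delta(prev, curr, bits=32):
    """Counter increase between two polls, allowing for a single wrap."""
    return curr - prev if curr >= prev else curr + (1 << bits) - prev


def victim_rates(poll_a, poll_b, interval_s, bits=32):
    """Bits per second toward the victim class for each interface.

    An interface missing from the first poll has no baseline, so it is
    left out instead of being treated as a burst from zero.
    """
    return {ifc: delta(poll_a[ifc], curr, bits) * 8 / interval_s
            for ifc, curr in poll_b.items() if ifc in poll_a}


def likely_sources(rates, min_share=0.25, min_bps=1_000_000):
    """Interfaces carrying a large share of the victim-bound traffic.

    Returns (interface, bps, share) tuples, highest rate first. A hit says
    where the traffic enters, not that every flow on that interface is
    hostile.
    """
    total = sum(rates.values())
    if total == 0:
        return []
    hits = [(ifc, bps, bps / total) for ifc, bps in rates.items()
            if bps >= min_bps and bps / total >= min_share]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    rates = victim_rates(POLL_T0, POLL_T1, INTERVAL_S)
    for ifc, bps, share in likely_sources(rates):
        print(f"{ifc}: {bps / 1e6:.1f} Mbit/s, {share:.0%} of victim traffic")
```

The first interface's counter wraps between the two polls; without the wrap handling in `delta` it would show a negative rate and drop out of the ranking.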


I/O Filters To Block Attack Flows

• DOS attacks need to be detected and stopped
• Interface filters can be applied to block only attack flows
• Filters can be applied to any interface type
• Filters can be applied both on inbound and outbound

    /* apply the filter to the ingress point of the network */
    interfaces {
        so-0/2/2 {
            unit 0 {
                family inet {
                    filter {
                        input block-attack;
                    }
                    address 151.1.1.1/30;
                }
            }
        }
    }

    /* This is the filter which blocks the attacks */
    firewall {
        filter block-attack {
            term bad-guy {
                from {
                    source-address {
                        10.10.10.1/32;
                    }
                    protocol icmp;
                }
                then {
                    discard;
                    log;
                }
            }
            /* final accept so that only the attack flow is blocked;
               a filter ends with an implicit discard otherwise */
            term allow-rest {
                then accept;
            }
        }
    }


Rate Limiting

• Suppression/Rate Limiting Advantages
  ◦ Protects router of customer by limiting traffic based on protocol/port/source and destination addresses
• Juniper Advantage
  ◦ Architectural reasons we perform
    - Internet Processor ASIC not tied to an interface or release
  ◦ Behavior under attack
    - Stable operation, routing and management traffic unaffected


Hitless Filter Implementation

• Can be applied immediately after identification of offending traffic
• Application of filters does not create short-term degraded condition as filters take effect
• Size and complexity of filter independent of forwarding performance


Traffic Interruption During Filter Compilation

[Figure, two panels. Labels: NOC; NOC operator applies or changes filters; Traffic flow; Attack flow; All traffic gets dropped during filter compilation]


No Interruption With Atomic Updates

[Figure, two panels. Labels: NOC; NOC operator applies or changes filters; Traffic flow; Attack flow; Attack traffic gets dropped]


Next Steps

• Ongoing Dialog with security team
  ◦ Ensuring existing security features are active
  ◦ Awareness of upcoming security issues
• Best Practices
  ◦ White Papers
• Security consulting and training

Juniper Networks – the Trusted Source


Further References

• Juniper Networks Whitepapers
  ◦ Rate-limiting and Traffic-policing Features
  ◦ Fortifying the Core
  ◦ Visibility into Network Operations
  ◦ Minimizing the Effects of DoS Attacks
  ◦ Juniper Networks Router Security
• Available from http://www.juniper.net/techcenter


Thank You