SECURING THE DATACENTER · Cost efficiency and optimization . BYOD . New applications and cloud...
Copyright © 2014 Juniper Networks, Inc.
SECURING THE DATACENTER
CAIO KLEIN SEGURINFO 2014
Diagram: Juniper portfolio spanning Access, Apps, Networks, Mgmt, Mobility, Campus, Data center, Cloud and Products
SECURITY AT JUNIPER
Security innovation & leadership
Customer segments Service providers, enterprise
Business segments Routing, switching, security
Invest more than 20% of revenue on R&D
Leader in high-end firewalls and remote access SSL VPN
Pioneer in Intrusion Deception technology
DDoS advanced technology
First to deliver purpose-built virtual firewall
SC Magazine 2013 best cloud and SSL VPN solution
Tech Target’s 2013 reader’s choice gold awards for virtual security, IDP, and NAC
TRANSLATING BUSINESS DRIVERS TO SECURITY REQUIREMENTS
Business drivers (CIO, CTO, CSO) translated into IT initiatives and security requirements:
Business agility
Cost efficiency and optimization
BYOD
New applications and cloud services
Technology consolidation and modernization
Broad device coverage
Flexible deployment options
Scalability and simplicity
Employee productivity
TRENDS THAT AFFECT THE DATA CENTER
CHANGING IT LANDSCAPE
• Mobility
• Cloud & virtualization
• Massive traffic increase
EVOLUTION OF THREATS
• Targeted attacks
• Sophisticated tools
• Economics favor bad actors
COSTS AND RISK INCREASE
• Broader attack surface
• Brand impact
• Financial impact
DDoS SECURE: ADVANCED DDoS MITIGATION TECHNOLOGY FOR YOUR NETWORK AND APPLICATIONS
TARGETED ATTACKS ON THE RISE
Targeted, deliberate, and expensive: money, intellectual property, records
Fact
• 70% of all threats are at the Web application layer*
• 70+% of organizations have been hacked in the past two years through insecure Web apps***
• Yet 66% of breaches took months or more to discover**
Business Impact
• Average cost incurred from a successful breach: $8.9M**
• Average annual cost incurred from a DDoS attack: $3.5M***
Source: * Gartner; ** 2012 Cost of Cyber Crime Study, Ponemon Institute, 2012; *** Ponemon Institute, 2013
EVOLVING DDoS ATTACK COMPLEXITY
Axes of the chart: Newness (Known to Unknown) and Stealth (Volumetric to Low-and-slow)
• Thresholds & Netflow Analysis. Challenge: manual management of IP thresholds in dynamic networks
• Signature-Based Scrubbers. Challenge: maintaining known signatures of attacks
• Emerging Threats. Challenge: creating signatures for new attacks
DDoS ATTACK VECTORS
VOLUMETRIC
• Easy to detect
• Attacks are getting bigger in size
• Frequency of attacks increasing at a moderate rate
ANYTHING THAT MAKES THE RESOURCES BUSY
• Flash mobs organized via social media
• Overwhelming legitimate requests for tickets for a big event available in a very short period of time
LOW AND SLOW
• Growing faster than volumetric: 25% of attacks in 2013 (source: Gartner)
• More sophisticated & difficult to detect
• Target back-end weaknesses
• Small volume of requests can take out a large Web site
INTRODUCING DDoS SECURE
Prevents volumetric and application-level “Low and Slow” DDoS attacks
Diagram: Heuristic Analysis sits between the Internet and the protected resources; normal traffic passes through while DDoS attack traffic is removed
Benefits
Comprehensive Anti-DDoS Solution
• Detects and mitigates multi-vector DDoS attacks, including those that target specific applications
• Ensures availability for legitimate users while blocking malicious traffic, even under the most extreme attack conditions
• 80% effective 10 minutes after installation
• 99.999% effective after 6-12 hours
• Signature-free dynamic heuristic technology
• No tuning or thresholds required (install and forget)
• Flexible deployment options (physical and virtual)
KEY CONCEPT: CHARM ALGORITHM
CHARM: real-time risk score for each source IP, computed per packet
• Scale from 0 (machine-like) to 100 (human-like); a new source starts at the initial value of 50
• Simple example: real human traffic typically bursty and irregular; machine/bot traffic is regular
• Algorithms updated regularly with characteristics of new attacks
DDoS SECURE – HOW DOES IT WORK
• Packet validated against pre-defined RFC filters
• Malformed and mis-sequenced packets dropped
• Individual IP addresses assigned CHARM value
• Value assigned based on IP behaviours
Low CHARM Value: mechanistic traffic
Medium CHARM Value: first time traffic
High CHARM Value: humanistic, trusted traffic
DDoS SECURE – HOW DOES IT WORK (CONT’D)
CHARM threshold changes dynamically with resource response state; access is dependent on the CHARM threshold of the target resource
• Below threshold packets dropped
• Above threshold allowed uninterrupted access
• Minimal (if any) false positives
• Full stateful engine measures response times
• Dynamic and self-learning resource limitations
• No server Agents
DDoS SECURE PACKET FLOW SEQUENCE
Packet Enters → Syntax Screener → (OK so far) → CHARM Generator → (with CHARM value) → CHARM Screener → Packet Exits. The IP Behavior Table feeds the CHARM Generator, Dynamic Resource Control feeds the Resource CHARM Threshold, and a failure at either screener drops the packet.
1. Syntax Screener validates data packet
• Validates against defined filters
• Validates packet against RFCs
• Validates packet sequencing
• TCP connection state
2. CHARM Generator calculates CHARM value for data packet
• References IP behavior table
• Function of time and historical behavior
• Better behaved = better CHARM
3. IP Behavior Table: behavior is recorded
• Supports up to 32M profiles
• Profiles aged on least used basis
4. Dynamic Resource Control calculates CHARM Threshold
• Responsiveness of resource
5. CHARM Screener: allow or drop
• CHARM threshold
• CHARM value
DDoS SECURE RESOURCE MANAGEMENT: DYNAMIC RESOURCE CONTROL EXAMPLE
Diagram: Resource 1, Resource 2, Resource 3 … Resource ‘N’, each with its own CHARM pass threshold
In this example, Resource 2’s response time starts to degrade and the CHARM pass threshold is increased to start the process of rate limiting the bad traffic. At this point the good traffic will continue to pass unhindered whilst the attackers will start to believe their attack has been successful as their requests fail.
The attack traffic to Resource 2 reduces as the attackers switch the attack to Resource 3. Once again, DDoS Secure responds dynamically by increasing the pass threshold for Resource 3, limiting bad traffic.
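A toy model of the score-and-threshold screening described in the packet flow sequence and the resource management example above, added here as an illustration; it is not Juniper's CHARM implementation, for which the deck gives no formula. Only the facts the deck states are kept: a new source starts at 50 on a 0 to 100 scale, regular machine-like traffic scores lower and bursty human-like traffic higher, profiles are aged on a least-used basis, and the pass threshold rises as a resource's response time degrades. The class and function names, the ±10 drift rule, the linear threshold ramp, the 4-profile cap and the sample IPs and timestamps are assumptions.

```python
from collections import OrderedDict
from statistics import mean, pstdev

# Assumed toy parameters; the product's real heuristics are not on the page.
MAX_PROFILES = 4      # the deck says up to 32M profiles, aged on a least-used basis
SCORE_STEP = 10.0     # per-packet drift toward machine-like (0) or human-like (100)

class BehaviorTable:
    """IP behavior table: one profile per source, least recently used evicted first."""
    def __init__(self, cap=MAX_PROFILES):
        self.cap, self.profiles = cap, OrderedDict()

    def score(self, ip, t):
        """Return the source's updated score after a packet seen at time t (seconds)."""
        prof = self.profiles.pop(ip, None) or {"score": 50.0, "times": []}  # new = 50
        prof["times"] = (prof["times"] + [t])[-6:]            # short arrival history
        gaps = [b - a for a, b in zip(prof["times"], prof["times"][1:])]
        if len(gaps) >= 3:
            # Coefficient of variation of inter-arrival gaps: evenly spaced packets
            # look machine-like, irregular bursts look human-like (assumed rule).
            cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0
            prof["score"] += SCORE_STEP if cv > 0.5 else -SCORE_STEP
            prof["score"] = max(0.0, min(100.0, prof["score"]))
        self.profiles[ip] = prof                              # now most recently used
        if len(self.profiles) > self.cap:
            self.profiles.popitem(last=False)                 # age out least used
        return prof["score"]

def charm_threshold(resp_ms, baseline_ms):
    """Pass threshold of a resource: 0 while healthy, rising as response time degrades."""
    slowdown = max(0.0, resp_ms / baseline_ms - 1.0)
    return min(100.0, 20.0 * slowdown)                        # assumed linear ramp

def screen(table, ip, t, resp_ms, baseline_ms=100.0):
    """Allow (True) or drop (False): the packet needs score >= the resource's threshold."""
    return table.score(ip, t) >= charm_threshold(resp_ms, baseline_ms)

def demo():
    """Constructed traffic: a bot every 1.0 s, a human in irregular bursts."""
    table = BehaviorTable()
    bot = [float(i) for i in range(8)]
    human = [0.0, 0.2, 0.3, 4.1, 4.2, 9.0, 9.1, 9.5]
    healthy_bot = [screen(table, "10.0.0.1", t, 100.0) for t in bot]       # all pass
    degraded_bot = [screen(table, "10.0.0.1", t + 8, 250.0) for t in bot]  # all dropped
    degraded_new = [screen(table, "10.0.0.3", t, 250.0) for t in bot]      # rate limited
    degraded_human = [screen(table, "10.0.0.2", t, 250.0) for t in human]  # all pass
    return healthy_bot, degraded_bot, degraded_new, degraded_human
```

While the resource is healthy the threshold is 0 and even the bot passes; once the response time degrades to 250 ms the threshold rises to 30, the known bot (score already driven to 0) is dropped, a fresh machine-like source is cut off after a few packets, and the bursty source keeps passing.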
HEURISTIC MITIGATION IN ACTION
Diagram: DDoS Attack Traffic and Normal Internet Traffic enter the DDoS Secure Heuristic Analysis appliance (with a Management PC attached); only Normal Internet Traffic continues on to the Resources
Normal Internet traffic flows through the DDoS Secure appliance, while the software analyzes the type, origin, flow, data rate, sequencing, style and protocol being utilized by all inbound and outbound traffic. The analysis is heuristic in nature and adjusts over time but is applied in real time with minimal (<1ms) latency.
DNS REFLECTIVE / AMPLIFICATION
DNS RESOLVER PROTECTION
Diagram: Juniper DDoS Secure (JDDS) inline between the SRX and the DNS Resolvers; (1) inbound traffic measurement, (2) inline inspection, (3) measurement on app response
Eliminates DNS Reflection Attacks & Backscatter
• Sits passively inline
• Measures both inbound and outbound traffic flow
• Monitors DNS Resource Records by Domain
• Monitors Responses from Resolver
• Monitors Resolver’s Recursive Activity
Native App Protection
• HTTP
• HTTPS (SSL & TLS)
• DNS
• VoIP / SIP
THE WORLD’S MOST ADVANCED HEURISTIC DDoS TECHNOLOGY
WEBAPP SECURE: THE SMARTEST WAY TO PROTECT WEBSITES AND WEBAPPS FROM ATTACKS
THE JUNOS WEBAPP SECURE ADVANTAGE: DECEPTION-BASED SECURITY
Detect: “Tar Traps” detect threats without false positives.
Track: Track IPs, browsers, software and scripts.
Profile: Understand attacker’s capabilities and intents.
Respond: Adaptive responses, including block, warn and deceive.
DETECTION BY DECEPTION
Diagram: Tar Traps placed at the Network Perimeter, Database Firewall, Server Configuration and App Server, using Query String Parameters and Hidden Input Fields
TRACK ATTACKERS BEYOND THE IP
Track IP Address
Track Browser Attacks: Persistent Token, with the capacity to persist in all browsers including various privacy control features.
Track Software and Script Attacks: Fingerprinting HTTP communications.
JUNOS SPOTLIGHT SECURE
Detect Anywhere, Stop Everywhere
1. Attacker from San Francisco hits a Junos WebApp Secure protected site in the UK
2. Attacker fingerprint uploaded to the Junos Spotlight Secure Global Attacker Intelligence Service
3. Attacker fingerprint available for all sites protected by Junos WebApp Secure
FINGERPRINT OF AN ATTACKER
200+ attributes used to create the fingerprint, including browser version, fonts, browser add-ons, timezone and IP address
Availability of fingerprints: ~ real time
Nearly zero
SMART PROFILE OF ATTACKER
• Attacker local name (on machine)
• Attacker global name (in Spotlight)
• Incident history
• Attacker threat level
RESPOND AND DECEIVE: JUNOS WEBAPP SECURE RESPONSES
Threat types: Human Hacker, Botnet, Targeted Scan, IP Scan, Scripts & Tools, Exploits
Responses: Warn attacker, Block user, Force CAPTCHA, Slow connection, Simulate broken application, Force log-out
All responses are available for any type of threat. Highlighted responses are most appropriate for each type of threat.
VIRTUAL SECURITY & FIREFLY SUITE
MARKET SITUATION, BY GARTNER
• By 2016, public cloud infrastructure will be included in and managed under critical national infrastructure regulations by the U.S.
• By 2015, 20% of the overall VPN/Firewall market will be deployed in a virtual element.
• 100%: Cloud as a delivery model will shape buying and prioritization of security.
• By 2015, 10% of overall IT security product capabilities will be delivered in/from the cloud.
• Worldwide public cloud services: 131B
CLOUD & MSSP MARKET TRENDS
From the Legacy Model of the Business Network to Today’s Flexible, Proactive Business Network:
• Physical Network Elements → Virtual Network Elements and Overlays
• Traditional Security Perimeters → Blurred Boundaries, Everyone Is an Insider
• Overprovisioned Hardware → Elastic Compute, Security and Storage
• Controlled & Defined User/Admin Roles → Self Provisioned Security, Virtual Admins
• Corp. Managed, Static Apps → SaaS, User-Chosen Apps, Rogue Clouds
• Simple Isolated Security Management → Specialized, Intelligent & Coordinated Identity-based Security Management
INTRODUCING THE FIREFLY SUITE
Security for virtual assets; monitoring and control; intelligence and automation
Diagram: Hybrid Cloud with SRX, MX Universal Router and MX WAN; Internet; OSS/BSS Customer Portal; Junos Space Security and Virtual Director; Enterprise Hypervisor and a multi-tenant Virtualized Host running VMs protected by Firefly Host and Firefly Perimeter
A fully virtualized security solution protecting virtual applications and workloads in public or private clouds.
Providing protection for the cloud with Juniper Firefly Host, and protection from the cloud with Firefly Perimeter & Junos Space Virtual Director.
FIREFLY PERIMETER
Virtual version of the SRX; provides north / south firewall (5Gbps), NAT, routing, VPN connectivity features in a flexible virtual machine format
Availability: JAN 15 2014 Official Public Launch! (VMware and Contrail)
Diagram: Firefly Perimeter securing groups of VMs
A CLOSER LOOK AT FIREFLY PERIMETER
Perimeter Security: Firewall, VPN, NAT, Network Admission Control
Content: Anti-Virus, IPS (Full IDP Feature Set), Web Filtering, Anti-Spam
Application: Application Awareness, Identity Awareness
Management: CLI, JWeb, SNMP, JSpace-SD, Hypervisor Management, HA/FT
Junos Routing Protocols and SDK
Junos Rich & Extensible Security Stack
Fully-tested Junos-based SRX code in a VM provides all Junos-related automation and connectivity options in addition to firewall
JUNOSV FIREFLY PERIMETER HA
Firefly Perimeter will support ‘Chassis Clustering’ (both Active-Active as well as Active-Passive modes). This support provides full stateful failover for any connections being processed. In addition, it will be possible for the cluster members to span hypervisors.
Diagram: two hypervisors in a virtualized environment, each hosting VMs; Firefly Perimeter instances for Customer 1 and Customer 2, each as an Active/Passive pair whose members span the two hypervisors
FIREFLY HOST (FORMERLY VGW)
Security Suite integrated into Hypervisor Kernel; provides East/West Firewall (35+Gbps), AV, IDS, Compliance, Introspection, Network Monitoring
AVAILABILITY: VMWARE NOW, CONTRAIL SCOPING FOR 2014
Diagram: ESX Host with VM1, VM2, VM3 on the hypervisor; the Firefly Host Engine sits in the ESX kernel, attached via VMware dvFilter to the VMware vSwitch or Cisco 1000V
Firefly Host SECURITY VM
• POLICY FROM MGMT TO ENGINE
• LOGGING FROM ENGINE TO MGMT
• IDS ENGINE
• DEPLOYED AS HA PAIR
• DELIVERED AS VIRTUAL APPLIANCE
The Firefly Host ENGINE
• FULL FW IMPLEMENTATION IN THE KERNEL
• STATEFUL FW
• PER-VM POLICY
SECURE
• Complete firewall protection for any network traffic to or from a VM
• Antivirus components controlled centrally (scanner config, alert viewing, infected file remediation)
• IDS: send selectable traffic flows to internal IDS engine for deep-packet analysis against dynamic signature set
MONITOR AND CONTROL
• Network visibility: all VM traffic flows stored in database and available for analysis
• Pre-defined and customizable Reports
• Compliance module includes pre-defined rules based on virtual security best practices as well as customer rules
INTELLIGENCE AND AUTOMATION
• Introspection: agent-less ability to scan a VM’s virtual disk contents to understand what’s installed
• Smart Groups allow for the use of attributes to create dynamic system associations
• Open and ready for innovation with rich sets of APIs
VIRTUAL SECURITY AND SDN
JUNIPER VIRTUALIZED SECURITY PORTFOLIO: THE FLEXIBILITY OF CHOICE
VIRTUAL SECURITY & CONNECTIVITY
Complete line-up of Virtual Security Services and Connectivity Options!
• Protect critical assets against internal or external attack
• Utilize Intrusion Deception to uniquely defend web applications and increase complexity and cost of attack for bad actors
• Break attack automation with “fake” attack paths and responses that intelligently match attacker skillset while leaving legitimate users’ experience unaffected
• Provide connectivity (SSLVPN, NAC) via virtualized form factor
• Filter Distributed-Denial-of-Service attacks
Diagram: Internet, DMZ with Web Apps, Internal LAN and User, with Pulse SA Virtual and Pulse UAC Virtual providing connectivity
SOLUTION
• DDoS Secure Virtual
• Firefly
• WebApp Secure Virtual
• Secure Analytics Virtual
SECURITY SERVICES ARE KEY ELEMENT IN SDN
Diagram: Firefly Perimeter, DDoS Secure, WebApp Secure, Pulse SA, Secure Analytics, other services and 3rd party services run as virtual services on x86 Server/x86 Blade, over Contrail Controller + vRouter and Virtual Infrastructure (OpenStack, etc.)
SOFTWARE-BASED SOLUTION, ENABLING CROSS-SELL & UPSELL OPPORTUNITIES WITH CONTRAIL INTEGRATION AND SUPPORT FOR SDN
NEW FLEXIBLE AND DYNAMIC APPROACH
• Reduced OPEX
• Flexible choices
• Elastic scaling of Security Services
• Reduced CAPEX
VIRTUAL SECURITY WITH CONTRAIL
Old School → Contrail (NFV + SDN)
• Ordering: weeks / months → instantly
• HW cost: high custom HW → commodity x86
• Deployment: cabling → “click”
• Scale: limited → elastic
• Retirement: depreciation → re-provisioning
• Investment protection: low → high
• Resource limitation: high → service chaining
SUMMARY
• Intrusion prevention by Deception is the smartest tool to keep attackers away from your Web Application
• Smarter Heuristic is required to identify DDoS and protect your resources from unavailability
• Security Virtualization is mandatory on the Cloud environment
• The complexity of virtual environments also requires orchestration (NFV + SDN)
Thank you