Juniper idp overview


Transcript of Juniper idp overview

Page 1: Juniper idp overview

Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 1

Juniper Networks Intrusion Detection & Prevention

June 2006

Page 2: Juniper idp overview


Agenda

Security Market Climate
• IPS & Security Market
• Market Drivers

Juniper Networks IDP Product Overview
• Complete Solution – Security Team
• Product Features
• Product Offering

Management with Juniper Networks NSM

Summary

Page 3: Juniper idp overview


IPS and Security Market

Page 4: Juniper idp overview


Security Market

IPS technology is a mainstream part of network security for companies of all sizes

Keeping up with new security threats and finding integrated management systems remain key concerns for security admins

Assuring business critical applications have predictable quality of service over nonessential apps like P2P and IM

Need Visibility, Control and Ease of Use

Page 5: Juniper idp overview


Worldwide IPS Market

Market focus on IPS technology exemplified by market forecast

Worldwide IDS/IPS revenue expected to top $800 Million by year 2009

Network-based products continue to account for more than 2/3 of total revenue

[Chart: World Wide IDS/IPS Product Revenue, Revenue ($ Million) by year CY01 to CY09, Network-based and Host-based series; bar labels as extracted, in year order: 277, 384, 427, 544, 603, 667, 752, 790, 819]

Source: Network Security Appliance and Software Quarterly Worldwide Market Share and Forecast for 1Q06

Page 6: Juniper idp overview


Customer Drivers

Page 7: Juniper idp overview


Fear of external network attack and internal noncompliance

External attacks remain the top reason for purchasing security appliances
• Failure to block viruses, attacks or malware directly impacts end-users

A growing concern meanwhile is ensuring users on the network are doing what they’re supposed to be doing

Direct impact to end-users
• Quantifiable loss of productivity
• Impact to revenue
• Headaches to administrators
• Unauthorized access to critical data

Page 8: Juniper idp overview


Firewall alone is not enough

Every organization is connected to the Internet and deploys some form of firewall

Most enterprises realize a firewall alone is not sufficient to block sophisticated attacks

[Figure: Lifecycle of Vulnerabilities and Threats: Vulnerability Discovered, Advisory Issued, Exploits Released, Worm Released; the interval between these stages is getting shorter]

Page 9: Juniper idp overview


Business compliance

Need to enforce business practices, including types and versions of applications

Need to ensure non-business applications do not hinder critical business applications

Page 10: Juniper idp overview


New Technology Adoption

Adoption of new technologies continues to increase

Enterprises are not satisfied to wait until security “catches up”

Convergence of networks opens up the infrastructure to new attacks

New Technologies = New Risks

Page 11: Juniper idp overview


Not Only for Enterprise

Service Providers face similar security concerns as enterprises

Keeping ahead of new security threats is considered the highest technical challenge by SPs

Source: Service Provider Plans for VPNs and Security North America, Europe, and Asia Pacific 2006

Page 12: Juniper idp overview


IDP Product Overview

Security Team

Page 13: Juniper idp overview


The Juniper Approach: Complete Solution

[Diagram elements, as extracted: Worldwide Juniper Security Team and its Daily Updates, surrounded by the following sources]
• Service Provider Security Teams
• Juniper Customers
• Juniper Products
• Technology Vendor Relationships
• Internal Research
• 3rd Party Security Teams
• Customer Security Team
• Cooperative Security Research
• Partner MSSP Intelligence

Page 14: Juniper idp overview


The Basic Security Threat Landscape

Unknown Threats & Vulnerabilities

Known Threats but no known ways to protect

Known Threats with available protection

Page 15: Juniper idp overview


The Juniper Advantage

Superior protocol decoding and anomaly detection – the majority of the unknown

Dedicated teams researching protocols and standards

Provide breadth & depth of coverage

Give Security Experts better tools to deal with the unknown

[Diagram labels: Unknown Threats & Vulnerabilities; Protocol Anomalies]

Page 16: Juniper idp overview


Dedicated Security Team

Dedicated team to research vulnerabilities and emerging threats
• Protocol decode expertise
• Multiple research and vendor partnerships
• Reverse engineering experts
• Global honey pot network

Industry-leading response time
• Daily and Emergency signature updates
• Customer Accuracy Program
• Team distributed globally
• Emergency update within an hour

www.juniper.net/security

Page 17: Juniper idp overview


Real-world Example: Security Team’s Response

Typical chain of events on recent Microsoft “Super Tuesday”

10:17 AM, 5/9/2006: Microsoft announces security bulletins MS06-018, MS06-019, MS06-20 and posts patches for the vulnerabilities

10:21 AM (+4 min): Juniper Networks announces coverage for vulnerabilities on all IDP platforms

11:50 AM (+1hr 33min): TippingPoint provides mixed messages on coverage

11:58 AM (+1hr 41min): ISS announces coverage only for MS06-019

End of Day: No announcements from Cisco or McAfee; Symantec announces coverage only for MS06-019

Page 18: Juniper idp overview


IDP Product Overview

Product Features

Page 19: Juniper idp overview


Thwart Attacks at Every Turn: Multiple Methods of Detection

Recon
• Traffic Anomaly Detection
• Network Honeypot

Malicious Activities/Attacks
• Protocol Anomaly Detection
• Stateful Signatures
• Synflood Protector
• Backdoor Detection
• IP Spoof Detection
• Layer-2 Attack Detection

Attack Proliferation
• Profiler
• Security Explorer

Page 20: Juniper idp overview


Traffic Anomaly Detection

Method of identifying abnormal traffic usage

No protocol anomalies or specific attack patterns, but unusual traffic usage/volume

Example: Ping Sweep
• Scan the network to identify resources for possible attack in the future - reconnaissance
• Ping sweep from external/suspicious source should alert administrator

Page 21: Juniper idp overview


Protocol Anomaly Detection

Protocols are well defined, allowing accurate description of “normal” usage

“Abuse” or abnormal use of the protocol is detected by the IDP appliances

Example: FTP Bounce Attack

[Diagram: FTP Client x.x.x.A to FTP Server: “Please open FTP connection”, then “Please connect to x.x.x.B (so unauthorized client can receive data)”; IDP verdict: “x.x.x.B is not the authorized client machine. Possible abuse of FTP protocol. Request denied!!!”]

Page 22: Juniper idp overview


Stateful Signatures

Look for attacks in context

Avoid blindly scanning all traffic for a particular pattern
• Improve efficiency
• Reduce false-positives

Example: Code Red Worm
• Utilizes HTTP GET request for attack
• IDP appliance only scans for the specific request and not any other HTTP traffic

Page 23: Juniper idp overview


Backdoor Detection/Trojan

Well-known “Trojan horse” concept

Challenge is to identify the attack when the first line of defense has been overcome

Heuristic method of analyzing interactive traffic

Example: Traffic originating from web server
• Web servers typically respond to requests for information, not initiate one
• A sign of infected server/node
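The three detection methods described on the preceding slides (protocol anomaly on the FTP PORT command, a stateful signature scoped to the HTTP GET request URI, and the server-initiates-a-connection backdoor heuristic), as an added Python illustration of the logic. This is not Juniper code and not how the IDP engine is implemented; the Flow record, the server inventory, the sample traffic and the worm URI pattern are all constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class Flow:
    """One observed connection (constructed record, not an IDP log format)."""
    src: str
    dst: str
    dport: int
    payload: str = ""  # application-layer request seen on the flow, if any

# Constructed inventory of hosts the administrator has declared as servers.
SERVER_ROLES = {"10.0.0.80": "web-server", "10.0.0.21": "ftp-server"}

# FTP PORT argument: h1,h2,h3,h4,p1,p2 (RFC 959 syntax).
FTP_PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.M)

def ftp_bounce_anomaly(flow):
    """Protocol anomaly: PORT names a host other than the client that sent it.
    The command is valid FTP, so only comparing it with the flow's own source exposes it."""
    if flow.dport != 21:
        return None
    m = FTP_PORT_CMD.search(flow.payload)
    if not m:
        return None
    target = ".".join(m.group(i) for i in range(1, 5))
    if target != flow.src:
        return f"FTP bounce: PORT names {target}, but client is {flow.src}"
    return None

HTTP_REQ = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]", re.M)
# Constructed stand-in for a worm signature, NOT a real attack object:
# a long run of filler after an ".ida?" query string.
WORM_URI = re.compile(r"\.ida\?X{50,}")

def stateful_signature_hit(flow):
    """Stateful signature: the pattern is evaluated only inside the request
    URI of an HTTP GET, never against arbitrary bytes seen on port 80."""
    if flow.dport != 80:
        return None
    m = HTTP_REQ.search(flow.payload)
    if not m or m.group(1) != "GET":
        return None
    if WORM_URI.search(m.group(2)):
        return f"Stateful signature: worm-style GET from {flow.src}"
    return None

def backdoor_heuristic(flow):
    """Backdoor heuristic: an inventoried server that opens its own
    connection to a non-server host instead of answering requests."""
    role = SERVER_ROLES.get(flow.src)
    if role and flow.dst not in SERVER_ROLES:
        return f"Backdoor heuristic: {role} {flow.src} initiated connection to {flow.dst}"
    return None

def inspect(flows):
    """Run every detection method over each flow and collect the alerts."""
    alerts = []
    for f in flows:
        for check in (ftp_bounce_anomaly, stateful_signature_hit, backdoor_heuristic):
            a = check(f)
            if a:
                alerts.append(a)
    return alerts

# Constructed sample traffic using documentation (TEST-NET) addresses.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "10.0.0.21", 21, "USER anon\r\nPORT 10,0,0,99,0,80\r\n"),  # bounce
    Flow("192.0.2.10", "10.0.0.21", 21, "PORT 192,0,2,10,4,1\r\nRETR f\r\n"),     # legitimate
    Flow("198.51.100.7", "10.0.0.80", 80, "GET /default.ida?" + "X" * 60 + " HTTP/1.0\r\n"),
    Flow("198.51.100.7", "10.0.0.80", 80, "POST /up HTTP/1.1\r\n\r\n.ida?" + "X" * 60),  # wrong method
    Flow("198.51.100.7", "10.0.0.80", 80, "GET /a HTTP/1.1\r\nReferer: .ida?" + "X" * 60),  # wrong context
    Flow("10.0.0.80", "203.0.113.5", 6667, ""),  # web server dialling out on its own
]
```

Calling inspect(SAMPLE_FLOWS) yields exactly three alerts: the bounce, the worm-style GET, and the outbound connection from the web server; the legitimate PORT, the POST body and the Referer header produce nothing because they fall outside the context each check inspects.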

Page 24: Juniper idp overview


Features Addressing Customer Challenges

How can I uncover new network activities?

How can I easily find out what’s really running on my network?

I don’t want to block non-business apps, but how else can I control them?

How can I make sure new technologies don’t translate to new threats?

Wireless is great but how can I secure it?

Page 25: Juniper idp overview


Security Explorer

Interactive and dynamic touchgraph providing comprehensive network and application layer views
• Integrated with Log Viewer and Profiler

Identifies what’s running on a network host
• Uncovers attacks, peer IP addresses, open ports, available applications and operating systems

NEW - IDP 4.0

Page 26: Juniper idp overview


Enhanced Profiler

Uncovers new activities and traffic information across network and application levels

Identifies new protocols, applications and operating systems
• Alerts on rogue hosts, servers or IP addresses
• Detects unwanted applications like P2P and IM

Records information on active hosts, devices, protocols and services in various contexts
• Instant Messaging alias, FTP username, e-mail address, subject heading, etc…

NEW - NSM 2006.1

Page 27: Juniper idp overview


Diffserv (DSCP) Marking

Controls bandwidth allocation based on specific types of application

Marks packets that match an IDP signature

Allows the upstream router to enforce on the markings (value 1-63) to assure quality of service for critical applications or an appropriate response to nonessential apps

Available as an action per IDP rule for full granular control

NEW - IDP 4.0

Page 28: Juniper idp overview


Securing VoIP Applications

New Protocol Decode – H.225

Assures that the VoIP signaling and control protocol cannot be used as a source of network attacks or abuse

Protocol decode capability protects the underlying vulnerability of the protocol

Allows creation of custom attack objects with contexts

VoIP protection on top of existing SIP protocol support

Proactively prevents future exploits

NEW - IDP 4.0

Page 29: Juniper idp overview


Securing Database Applications

New Protocol Decode – Oracle TNS

Protects database applications from an increasing number of exploits and buffer overflows in the internal network

Blocks unauthorized users from reaching Oracle servers

Protects the underlying vulnerability of the Oracle TNS protocol

Prevents future threats at day zero

NEW - IDP 4.0

Page 30: Juniper idp overview


Securing Mobile Data Networks

New Inspection Capability – GTP Encapsulated Traffic
• Protects inherently unsecured traffic
• Supports UDP tunnel packets per GTPv0 and GTPv1

Ensures users on the cellular network aren’t exposing the entire network to possible attacks

Carrier protection on top of existing inspection for GRE encapsulated traffic

NEW - IDP 4.0

Page 31: Juniper idp overview


Coordinated Threat Control

Identify specific attacks originating from a remote user via SSL VPN and quarantine the user (and only the offending user)

Only from Juniper Networks!

Available IDP 3.2r2

[Diagram labels: Infected, Attack, Identifying Data, Quarantine]

1. User logs in using SSL VPN & deliberate or inadvertent attacks are launched
2. IDP detects the attack and blocks requests to the internal resources
3. IDP sends identifying data to SA SSL VPN gateway
4. Based on data from IDP, SA quarantines and notifies the user

Page 32: Juniper idp overview


IDP Product Overview

Product Offering

Page 33: Juniper idp overview


IDP Product Overview - Timeline

Milestones, in order, across 2002, 2004, 2005 and 2006:
• IDP platform introduced
• Integrated Stateful Signature creation and updates
• Protocol decodes
• Secure response notices
• First and only IPS integrating Profiler for best-in-class network awareness
• Introduction of fully integrated multi-gigabit FW/VPN/IDP system (ISG 1000 and 2000)
• First to introduce daily signature updates
• Next generation of network visibility and control
• Consolidated security management solution
• First to introduce Integrated Threat Control for SSL and IDP appliances

Page 34: Juniper idp overview


Typical IPS Deployment

[Diagram: Regional Head Office, Satellite Office and Main Office sites, managed by NSM]

Page 35: Juniper idp overview


IDP Product Line

IDP 50 @ 50 Mbps: SMB, Branch Office

IDP 200 @ 200 Mbps: Med Bus, Large BO, Enterprise Perimeter

IDP 600 @ 500 Mbps: Enterprise Perimeter

IDP 1100 @ 1 Gbps: Enterprise Perimeter, Internal LAN

ISG 1000/2000: Service Provider, Large Enterprise Perimeter, Internal LAN

Page 36: Juniper idp overview


IDP Standalone – 1100 C/F

IDP 1100 C/F (1100C, 1100F): Optimal for large enterprise / Gig environments

Up to 1 Gbps throughput

500,000 max sessions

10 CG or 8 Fiber SX + 2 CG traffic, 1 CG mgmt & 1 CG HA ports

HA clustering option

Integrated bypass for CG traffic ports

Page 37: Juniper idp overview


High Availability Options

Standalone HA (state-sync)

Third-party HA (state-sync)

Bypass

Bypass Unit for Fiber Gig networks
- IDP 600F
- IDP 1100F
- ISG

Page 38: Juniper idp overview


Solutions for Every Need

Juniper IDP Standalone Appliances
• 50 Mbps – 1 Gbps
• HA Clustering
• Centralized policy management
• Complement existing FW/VPN
• Protect network segments: DMZ, LAN, Departmental servers

Juniper ISG Series
• Next-Gen Security ASIC (GigaScreen)
• Multi-Gigabit FW/VPN/IDP
• Centralized policy management
• High performance for demanding networks
• Virtualization features
• Granular rule-by-rule management

Page 39: Juniper idp overview


ISG – Under the hood

Integrated Best-of-breed Security & Networking gear

Multi-Gig 2-way Layer 7 IDP Security Modules

Module “blades” available for ISG-1000 and ISG-2000

Page 40: Juniper idp overview


ISG Series Architecture

[Diagram: I/O modules; GigaScreen3 ASIC with 1GB RAM and Programmable Processors; Security modules; Dual 1GHz PowerPC CPU with 1GB RAM]

Management Processing
• Dedicated processing helps ensure linear performance
• High performance interconnect & flow setup

Security Module Processing
• Dedicated processing for other security applications

Network Level Security Processing
• ASIC-accelerated security
• Stateful FW, NAT, VPN, DoS/DDoS
• Intelligent Intrusion Prevention session load balancing
• Embedded programmable processor facilitates new feature acceleration

Unmatched processing power!

Page 41: Juniper idp overview


ISG Series Summary: ISG 1000 and ISG 2000

                                            ISG 1000           ISG 2000
Max Throughput: Firewall                    1 Gbps             2 Gbps
Max Throughput: IPSec VPN (3DES/AES)        1 Gbps             1 Gbps
Packets per second: FW/VPN                  1.5/1.5 Million    3/1.5 Million
Max sessions                                500,000            1,000,000
VPN tunnels                                 2000               10000
Max Throughput: Deep Inspection             200 Mbps           300 Mbps
Max Throughput: IDP                         Up to 1 Gbps       Up to 2 Gbps
Number of supported security modules (IDP)  Up to 2            Up to 3
Number of fixed I/O interfaces              4 – 10/100/1000    0
Max interfaces                              Up to 20           Up to 28
Number of I/O modules                       2                  4

Page 42: Juniper idp overview


Product Details

Juniper Firewall/VPN, with ScreenOS Deep Inspection
• Hardware: NS-5XT, NS-5GT, NS-25, NS-50, NS-204, NS-208, NS-500, ISG 1000, ISG 2000, NS-5200, NS-5400
• Software: ScreenOS 5.0, 5.1, 5.2
• Management: NSM

Juniper Stand-alone IDP
• Hardware: IDP 50, IDP 200, IDP 600C, IDP 600F, IDP 1100C, IDP 1100F
• Software: IDP 4.0
• Management: NSM 2006.1

Juniper ISG Series with IDP
• Hardware: ISG 2000 with IDP, ISG 1000 with IDP
• Software: ScreenOS 5.0-IDP
• Management: NSM 2004 FP3-IDP1

Page 43: Juniper idp overview


Management

Page 44: Juniper idp overview


3-Tier Management – Secure and Scalable

[Diagram: Distributed IDP Sensors and Distributed ISG with IDP, a Centralized NSM Server, and a Common User Interface]

Standalone IDP appliances require IDP 4.0 for NSM support

Page 45: Juniper idp overview


Customers with a Hybrid Network

[Diagram: Regional Head Office, Satellite Office and Main Office, each with separate FW Mgmt and IPS Mgmt]

Business Challenges
• What is on my network?
• Who is on my network?

Product Challenges
• Complex network environments
• Multi-vendor FW and IPS systems
• Multiple Management Systems

Page 46: Juniper idp overview


Juniper Networks Customers

[Diagram: Regional Head Office, Satellite Office and Main Office, managed by NSM]

Juniper Offering
• Juniper Networks IDPs & Firewalls
• Single Management System
• Single User Interface

Business Benefits
• Enhanced Network Visibility
• Granular Control
• Ease of Use

Page 47: Juniper idp overview


NSM Management Features

Scheduled Security Updates: Automatically update devices with new attack objects.

Domains: Service providers and distributed enterprises may use this mechanism to logically separate devices, policies, reports, objects, etc…

Role-based Administration: Granular approach in which all 100+ activities in the system may be assigned as separate permissions.

Object Locking: Multiple administrators can safely and concurrently modify different objects in the system at the same time.

Audit Logs: Sortable and filterable record of who made which changes to which objects in the system.

Device Templates: Manage shared configuration such as sensor settings in one place.

Job Manager: View pending and completed directives (such as device updates) and their status.

High Availability: Active/passive high availability of the management server.

Scheduled Database Backups: Copies of the NSM database may be saved on a daily basis.

NEW - NSM 2006.1

Page 48: Juniper idp overview


Granular IDP Control w/NSM

Firewall and IDP management from same user interface

Configure attack detection

Configure desired response

Page 49: Juniper idp overview


Summary

Page 50: Juniper idp overview


Why Juniper Networks IDP products?

• Security Coverage
• Product Innovation
• Trusted Company
• Market Recognition

Page 51: Juniper idp overview


Security Coverage

Multiple prevention methods for protection against the entire ‘Vulnerability & Attack Lifecycle’

Complete packet capture and protocol decode @ Layer 7, including VoIP protocols

2-way Layer 7 inspection: blocks attacks from client-to-server and server-to-client

100% prevention and accuracy for Shellcode/buffer overflow attacks

100% prevention in protecting against Microsoft Vulnerabilities: Same day & Zero protection on “Patch Tuesday’s”

Comprehensive Spyware protection, including 700+ signatures and growing daily

Daily signature updates, including auto signature updates and auto policy push

Page 52: Juniper idp overview


Product Innovation

Next generation of network visibility w/ Security Explorer

Granular, Flexible Management solution for all Juniper Networks security appliances

Automatic custom reports

Multi Gigabit Performance

Multiple Deployment Options

“Profile” the network to understand applications and network traffic

Carrier Class IDP: Multi-Gbps combined with SDX / JNPR Router integration

Custom Signature Editor / Open Signatures Database

Page 53: Juniper idp overview


Trusted Company

Financial Strength / $2 Billion in Revenue / Profitable / Cash Reserves

Investment in R&D: 25% - 30% of revenue

Product Roadmap – IDP plays a key role in Juniper’s Infranet solution

Global Support & Relationships

Page 54: Juniper idp overview


Market Recognition

Most decorated IPS product in 2005
• Winner ‘Editors Choice’ – Network Computing: ‘The Great IPS Test’
• Winner ‘Best Multifunction Appliance’ – Network Computing (Well-Connected)
• Winner ‘Best IPS Appliance’ – Network Computing (Well-Connected)
• Winner ‘Product of the Year’ – SearchNetworking.com
• Winner ‘Product of the Year’ – IDG Research / TechWorld
• Winner ‘Best Deployment Scenario’ ISP Guide: City of Burbank, Juniper IDP Customer
• Awarded ‘NSS Certification’ for Industry Approved IPS: IDP 600F
• Winner ‘Product of the Year’ – ISG 1000 - ZDnet Australia
• Winner ‘Editors Choice’ – IDP 200 - ZDnet Australia

Page 55: Juniper idp overview


Thank You!