Transcript of Juniper IDP Overview
Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 1
Juniper Networks Intrusion Detection & Prevention
June 2006
Agenda
• Security Market Climate
  • IPS & Security Market
  • Market Drivers
• Juniper Networks IDP Product Overview
  • Complete Solution – Security Team
  • Product Features
  • Product Offering
• Management with Juniper Networks NSM
• Summary
IPS and Security Market
Security Market
IPS technology is a mainstream part of network security for companies of all sizes
Keeping up with new security threats and finding integrated management systems remain key concerns for security admins
Assuring business critical applications have predictable quality of service over nonessential apps like P2P and IM
Need Visibility, Control and Ease of Use
Worldwide IPS Market
Market focus on IPS technology exemplified by market forecast
Worldwide IDS/IPS revenue expected to top $800 Million by year 2009
Network-based products continue to account for more than 2/3 of total revenue
[Chart: World Wide IDS/IPS Product Revenue – Revenue ($ Million) by year, CY01 through CY09, with network-based and host-based series; bar labels in year order: 277, 384, 427, 544, 603, 667, 752, 790, 819]
Source: Network Security Appliance and Software Quarterly Worldwide Market Share and Forecast for 1Q06
Customer Drivers
Fear of external network attack and internal noncompliance
External attacks remain the top reason for purchasing security appliances
• Failure to block viruses, attacks or malware directly impacts end-users
A growing concern meanwhile is ensuring users on the network are doing what they’re supposed to be doing
Direct impact to end-users
• Quantifiable loss of productivity
• Impact to revenue
• Headaches to administrators
• Unauthorized access to critical data
Firewall alone is not enough
Every organization is connected to the Internet and deploys some form of firewall
Most enterprises realize a firewall alone is not sufficient to block sophisticated attacks
[Diagram: Lifecycle of Vulnerabilities and Threats – Vulnerability Discovered → Advisory Issued → Exploits Released → Worm Released; the interval between these stages is getting shorter]
Business compliance
Need to enforce business practices, including the types and versions of applications
Need to ensure non-business applications do not hinder critical business applications
New Technology Adoption
Adoption of new technologies continues to increase
Enterprises are not satisfied to wait until security “catches up”
Convergence of networks opens up the infrastructure to new attacks
New Technologies = New Risks
Not Only for Enterprise
Service Providers face similar security concerns as enterprises
Keeping ahead of new security threats is considered the highest technical challenge by SPs
Source: Service Provider Plans for VPNs and Security North America, Europe, and Asia Pacific 2006
IDP Product Overview
Security Team
The Juniper Approach – Complete Solution
[Diagram: the Worldwide Juniper Security Team draws on Service Provider Security Teams, Juniper Customers, Juniper Products, Technology Vendor Relationships, Internal Research, 3rd Party Security Teams, the Customer Security Team, Cooperative Security Research and Partner MSSP Intelligence, and delivers Daily Updates]
The Basic Security Threat Landscape
Unknown Threats & Vulnerabilities
Known Threats but no known ways to protect
Known Threats with available protection
The Juniper Advantage
Superior protocol decoding and anomaly detection – the majority of the unknown
Dedicated teams researching protocols and standards
Provide breadth & depth of coverage
Give Security Experts better tools to deal with the unknown
[Diagram labels: Unknown Threats & Vulnerabilities; Protocol Anomalies]
Dedicated Security Team
Dedicated team to research vulnerabilities and emerging threats
• Protocol decode expertise
• Multiple research and vendor partnerships
• Reverse engineering experts
• Global honey pot network
Industry-leading response time
• Daily and Emergency signature updates
• Customer Accuracy Program
• Team distributed globally
• Emergency update within an hour
www.juniper.net/security
Real-world Example: Security Team’s Response
Typical chain of events on a recent Microsoft “Super Tuesday” (5/9/2006)
• 10:17 AM – Microsoft announces security bulletins MS06-018, MS06-019, MS06-20 and posts patches for the vulnerabilities
• 10:21 AM (+4 min) – Juniper Networks announces coverage for the vulnerabilities on all IDP platforms
• 11:50 AM (+1 hr 33 min) – TippingPoint provides mixed messages on coverage
• 11:58 AM (+1 hr 41 min) – ISS announces coverage only for MS06-019
• End of day – No announcements from Cisco or McAfee; Symantec announces coverage only for MS06-019
IDP Product Overview
Product Features
Thwart Attacks at Every Turn – Multiple Methods of Detection
[Diagram: detection methods arranged along the attack sequence Recon → Attack → Proliferation]
Recon
• Traffic Anomaly Detection
• Network Honeypot
Attack (Malicious Activities/Attacks)
• Protocol Anomaly Detection
• Stateful Signatures
• Synflood Protector
• Backdoor Detection
• IP Spoof Detection
• Layer-2 Attack Detection
Proliferation
• Profiler
• Security Explorer
Traffic Anomaly Detection
Method of identifying abnormal traffic usage
No protocol anomalies or specific attack patterns, but unusual traffic usage/volume
Example: Ping Sweep
• Scan the network to identify resources for possible attack in the future – reconnaissance
• Ping sweep from an external/suspicious source should alert the administrator
Protocol Anomaly Detection
Protocols are well defined, allowing an accurate description of “normal” usage
“Abuse” or abnormal use of the protocol is detected by the IDP appliances
Example: FTP Bounce Attack
[Diagram: FTP Client x.x.x.A, FTP Server, and a third host x.x.x.B]
1. FTP Client (x.x.x.A): Please open FTP connection
2. FTP Client (x.x.x.A): Please connect to x.x.x.B (so an unauthorized client can receive data)
3. IDP: x.x.x.B is not the authorized client machine – possible abuse of FTP protocol – Request denied!!!
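The FTP bounce check above, written out as an added example (this is not code from the deck or from Juniper's IDP): a minimal protocol-anomaly decoder for the RFC 959 PORT command that parses the advertised data address and denies the request when it does not match the client that owns the control connection. The client address 192.0.2.10, the sample commands and the extra privileged-port rule are constructed assumptions for the illustration.

```python
# Added example (not from the Juniper deck): FTP PORT-command anomaly check.
# The control connection belongs to client_ip. RFC 959 PORT carries
# h1,h2,h3,h4,p1,p2. If the advertised data address is not the client's own
# address, an inline inspector treats it as a possible bounce and denies it.
import re
from ipaddress import ip_address

PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line):
    """Return (host, port) from an FTP PORT command, or raise ValueError."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]   # p1*256 + p2 per RFC 959
    return host, port


def check_port_command(client_ip, line):
    """Decide what the inspector does with a PORT command seen on a control
    connection from client_ip. Returns (verdict, reason)."""
    try:
        host, port = parse_port_command(line)
    except ValueError as e:
        return "deny", "malformed PORT: %s" % e
    if ip_address(host) != ip_address(client_ip):
        # The x.x.x.B case from the slide: data connection requested to a
        # machine other than the authorized client.
        return "deny", "PORT address %s does not match client %s (possible FTP bounce)" % (host, client_ip)
    if port < 1024:
        # Assumed extra rule: data ports below 1024 are not expected from clients.
        return "deny", "data port %d is privileged" % port
    return "allow", "PORT %s:%d matches client" % (host, port)


# Constructed sample session: the client (x.x.x.A) is 192.0.2.10; the second
# command asks the server to open a data connection to 192.0.2.20 (x.x.x.B).
SAMPLE_CLIENT = "192.0.2.10"
SAMPLE_COMMANDS = [
    "PORT 192,0,2,10,4,1",    # 192.0.2.10:1025, the client's own address -> allow
    "PORT 192,0,2,20,4,1",    # 192.0.2.20:1025, a third party -> deny (bounce)
    "PORT 192,0,2,10,0,80",   # client's own address but privileged port -> deny
    "PORT 999,0,2,10,4,1",    # malformed octet -> deny
]


def run_sample():
    """Verdicts for the constructed session, in order."""
    return [check_port_command(SAMPLE_CLIENT, c)[0] for c in SAMPLE_COMMANDS]


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(cmd, "->", check_port_command(SAMPLE_CLIENT, cmd))
```

The decoder only ever looks at the PORT argument in relation to the connection's own endpoint state, which is the point of protocol anomaly detection: no attack pattern is needed, only a definition of what a conforming client would send.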
Stateful Signatures
Look for attacks in context
Avoid blindly scanning all traffic for a particular pattern
• Improve efficiency
• Reduce false-positives
Example: Code Red Worm
• Utilizes an HTTP GET request for the attack
• The IDP appliance only scans for the specific request and not any other HTTP traffic
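To show what "in context" buys, here is an added example (not code from the deck or a Juniper signature) that runs a blind pattern scan and a context-bound signature over the same constructed flows. The signature pattern is a constructed Code Red-style indicator (requests for /default.ida), the flows are made up, and the context model (direction plus HTTP method plus request-URI) is an assumption standing in for the appliance's own decoder.

```python
# Added example (not from the Juniper deck): blind pattern scan versus a
# context-aware ("stateful") signature evaluated only on the request-URI of
# an HTTP GET travelling client-to-server.
import re

# Constructed signature: the pattern and the only context it applies to.
SIGNATURE = {
    "name": "CodeRed-style default.ida request",
    "pattern": re.compile(r"/default\.ida\?", re.IGNORECASE),
    "context": ("http", "GET", "request-uri"),
}

REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]\r?$")


def naive_scan(_direction, payload):
    """Blind scan: apply the pattern to every byte of every payload,
    regardless of direction or protocol state."""
    return bool(SIGNATURE["pattern"].search(payload))


def parse_http_request(payload):
    """Return (method, uri) if the payload starts with an HTTP request line,
    else None."""
    first = payload.split("\n", 1)[0]
    m = REQUEST_LINE_RE.match(first)
    return (m.group(1), m.group(2)) if m else None


def stateful_match(direction, payload):
    """Evaluate the signature only in its declared context: client-to-server
    traffic that parses as an HTTP GET, pattern applied to the URI alone."""
    if direction != "c2s":
        return False
    req = parse_http_request(payload)
    if req is None or req[0] != SIGNATURE["context"][1]:
        return False
    return bool(SIGNATURE["pattern"].search(req[1]))


# Constructed sample flows: (label, direction, payload)
SAMPLES = [
    ("worm request", "c2s",
     "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    ("advisory page served to a browser", "s2c",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>Block requests for /default.ida? on IIS</p>"),
    ("POST with the string in the body", "c2s",
     "POST /search HTTP/1.1\r\nHost: www.example.com\r\n\r\nq=/default.ida?"),
    ("ordinary page fetch", "c2s",
     "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]


def compare():
    """Return {label: (naive_hit, stateful_hit)} for the sample flows."""
    return {label: (naive_scan(d, p), stateful_match(d, p)) for label, d, p in SAMPLES}


if __name__ == "__main__":
    for label, hits in compare().items():
        print("%-36s naive=%-5s stateful=%s" % (label, hits[0], hits[1]))
```

The blind scan fires on the advisory page and on the POST body, both of which merely mention the string; the context-bound signature fires only on the actual GET. Fewer bytes are examined per flow as well, which is the efficiency gain the slide refers to.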
Backdoor Detection/Trojan
Well-known “Trojan horse” concept
Challenge is to identify the attack when the first line of defense has been overcome
Heuristic method of analyzing interactive traffic
Example: Traffic originating from web server
• Web servers typically respond to requests for information, not initiate them
• A sign of an infected server/node
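Both the ping-sweep case under Traffic Anomaly Detection and the web-server case above are heuristics over traffic behaviour rather than packet content. As an added example (not code from the deck or from Juniper's IDP), here are the two heuristics run over constructed flow records in Python: a sliding-window count of distinct ICMP echo targets per source, and a check for flows initiated by a host whose role is to answer rather than connect out. The thresholds, window length, role table and addresses are all constructed assumptions.

```python
# Added example (not from the Juniper deck): two flow-level heuristics.
# Flow records are (timestamp_seconds, src_ip, dst_ip, proto, dst_port),
# where src_ip is the side that opened the flow. All values are constructed.
from collections import defaultdict

SWEEP_WINDOW_S = 60       # assumed: distinct targets are counted within this window
SWEEP_MIN_TARGETS = 8     # assumed: this many distinct destinations make a sweep
WEB_SERVERS = {"192.0.2.80"}   # assumed role table: hosts that should only answer


def build_sample_flows():
    """Constructed flow records covering a sweep, normal traffic, a server
    calling out, and a small number of admin pings below threshold."""
    flows = []
    # 1. An external host sends ICMP echo to ten internal addresses in 5 s.
    for i in range(1, 11):
        flows.append((100.0 + i * 0.5, "203.0.113.5", "192.0.2.%d" % i, "icmp", 0))
    # 2. Ordinary client traffic to the web server.
    flows.append((110.0, "198.51.100.7", "192.0.2.80", "tcp", 80))
    flows.append((111.0, "198.51.100.8", "192.0.2.80", "tcp", 443))
    # 3. The web server itself opens a flow outbound: the backdoor heuristic.
    flows.append((120.0, "192.0.2.80", "203.0.113.99", "tcp", 8443))
    # 4. Three echo requests from an internal admin host (below threshold).
    for i in range(1, 4):
        flows.append((130.0 + i, "192.0.2.200", "192.0.2.%d" % (i + 20), "icmp", 0))
    return flows


def detect_ping_sweeps(flows, window=SWEEP_WINDOW_S, min_targets=SWEEP_MIN_TARGETS):
    """Traffic anomaly: a source that ICMP-echoes at least min_targets distinct
    destinations inside any window of `window` seconds.
    Returns {src: largest distinct-target count seen in a window}."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, _port in flows:
        if proto == "icmp":
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window` s.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _ts, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


def detect_server_initiated(flows, servers=WEB_SERVERS):
    """Backdoor heuristic: a host whose role is to answer requests should not
    initiate TCP flows. Returns [(src, dst, dst_port)] for flows it opened."""
    return [(src, dst, port) for _ts, src, dst, proto, port in flows
            if proto == "tcp" and src in servers]


if __name__ == "__main__":
    sample = build_sample_flows()
    print("ping sweeps:", detect_ping_sweeps(sample))
    print("server-initiated flows:", detect_server_initiated(sample))
```

Neither heuristic inspects payload, which is what lets them operate on traffic that carries no known attack pattern; the trade-off is that both depend on tuning (the window and threshold, and an accurate role table), so the test below also shows the admin host becoming a hit once the threshold is lowered.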
Features Addressing Customer Challenges
How can I uncover new network activities?
How can I easily find out what’s really running on my network?
I don’t want to block non-business apps, but how else can I control them?
How can I make sure new technologies don’t translate to new threats?
Wireless is great, but how can I secure it?
Security Explorer (NEW – IDP 4.0)
Interactive and dynamic touchgraph providing comprehensive network and application layer views
• Integrated with Log Viewer and Profiler
Identifies what’s running on a network host
• Uncovers attacks, peer IP addresses, open ports, available applications and operating systems
Enhanced Profiler (NEW – NSM 2006.1)
Uncovers new activities and traffic information across network and application levels
Identifies new protocols, applications and operating systems
• Alerts on rogue hosts, servers or IP addresses
• Detects unwanted applications like P2P and IM
Records information on active hosts, devices, protocols and services in various contexts
• Instant Messaging alias, FTP username, e-mail address, subject heading, etc.
Diffserv (DSCP) Marking (NEW – IDP 4.0)
Controls bandwidth allocation based on specific types of application
Marks packets that match an IDP signature
Allows an upstream router to enforce on the markings (value 1-63) to assure quality of service for critical applications or an appropriate response to nonessential apps
Available as an action per IDP rule for full granular control
Securing VoIP Applications (NEW – IDP 4.0)
New Protocol Decode – H.225
Assures that the VoIP signaling and control protocol cannot be used as a source of network attacks or abuse
Protocol decode capability protects the underlying vulnerability of the protocol
Allows creation of custom attack objects with contexts
VoIP protection on top of existing SIP protocol support
Proactively prevents future exploits
Securing Database Applications (NEW – IDP 4.0)
New Protocol Decode – Oracle TNS
Protects database applications from an increasing number of exploits and buffer overflows in the internal network
Blocks unauthorized users from Oracle servers
Protects the underlying vulnerability of the Oracle TNS protocol
Prevents future threats at day zero
Securing Mobile Data Networks (NEW – IDP 4.0)
New Inspection Capability – GTP Encapsulated Traffic
• Protects inherently unsecured traffic
• Supports UDP tunnel packets per GTPv0 and GTPv1
Ensures users on the cellular network aren’t exposing the entire network to possible attacks
Carrier protection on top of existing inspection for GRE encapsulated traffic
Coordinated Threat Control (Only from Juniper Networks! Available in IDP 3.2r2)
Identify specific attacks originating from a remote user via SSL VPN and quarantine the user (and only the offending user)
[Diagram: an infected remote user connects through the SA SSL VPN gateway; IDP sits in front of the internal resources; labels: Attack, Identifying Data, Quarantine]
1. User logs in using SSL VPN and deliberate or inadvertent attacks are launched
2. IDP detects the attack and blocks requests to the internal resources
3. IDP sends identifying data to the SA SSL VPN gateway
4. Based on the data from IDP, the SA quarantines and notifies the user
IDP Product Overview
Product Offering
IDP Product Overview – Timeline
2002
• IDP platform introduced
• Integrated Stateful Signature creation and updates
• Protocol decodes
• Secure response notices
2004
• First and only IPS integrating Profiler for best-in-class network awareness
2005
• Introduction of fully integrated multi-gigabit FW/VPN/IDP system (ISG 1000 and 2000)
• First to introduce daily signature updates
2006
• Next generation of network visibility and control
• Consolidated security management solution
• First to introduce Integrated Threat Control for SSL and IDP appliances
Typical IPS Deployment
[Diagram: Regional Head Office, Satellite Office and Main Office, managed centrally by NSM]
IDP Product Line
[Diagram: appliances positioned by throughput and target deployment]
• IDP 50 @ 50 Mbps – SMB, Branch Office
• IDP 200 @ 200 Mbps – Medium Business, Large Branch Office, Enterprise Perimeter
• IDP 600 @ 500 Mbps – Enterprise Perimeter
• IDP 1100 @ 1 Gbps – Enterprise Perimeter, Internal LAN
• ISG 1000/2000 – Service Provider, Large Enterprise Perimeter, Internal LAN
IDP Standalone – 1100 C/F
IDP 1100 C/F (1100C, 1100F): Optimal for large enterprise / Gig environments
• Up to 1 Gbps throughput
• 500,000 max sessions
• 10 CG or 8 Fiber SX + 2 CG traffic ports, 1 CG mgmt & 1 CG HA ports
• HA clustering option
• Integrated bypass for CG traffic ports
High Availability Options
• Standalone HA (state-sync)
• Third-party HA (state-sync)
• Bypass: Bypass Unit for Fiber Gig networks – IDP 600F, IDP 1100F, ISG
Solutions for Every Need
Juniper IDP Standalone Appliances
• 50 Mbps – 1 Gbps
• HA Clustering
• Centralized policy management
• Complement existing FW/VPN
• Protect network segments: DMZ, LAN, Departmental servers
Juniper ISG Series
• Next-Gen Security ASIC (GigaScreen)
• Multi-Gigabit FW/VPN/IDP
• Centralized policy management
• High performance for demanding networks
• Virtualization features
• Granular rule-by-rule management
ISG – Under the hood
Integrated best-of-breed security & networking gear
Multi-Gig 2-way Layer 7 IDP Security Modules
Module “blades” available for ISG-1000 and ISG-2000
ISG Series Architecture
[Diagram: I/O modules feed a GigaScreen3 ASIC with 1 GB RAM and programmable processors; security modules; a dual 1 GHz PowerPC CPU with 1 GB RAM handles management]
Management Processing
• Dedicated processing helps ensure linear performance
• High performance interconnect & flow setup
Security Module Processing
• Dedicated processing for other security applications
Network Level Security Processing
• ASIC-accelerated security
• Stateful FW, NAT, VPN, DoS/DDoS
• Intelligent Intrusion Prevention session load balancing
• Embedded programmable processor facilitates new feature acceleration
Unmatched processing power!
ISG Series Summary: ISG 1000 and ISG 2000
                                             ISG 1000           ISG 2000
Max Throughput: Firewall                     1 Gbps             2 Gbps
Max Throughput: IPSec VPN (3DES/AES)         1 Gbps             1 Gbps
Packets per second: FW/VPN                   1.5/1.5 Million    3/1.5 Million
Max sessions                                 500,000            1,000,000
VPN tunnels                                  2000               10000
Max Throughput: Deep Inspection              200 Mbps           300 Mbps
Max Throughput: IDP                          Up to 1 Gbps       Up to 2 Gbps
Number of supported security modules (IDP)   Up to 2            Up to 3
Number of fixed I/O interfaces               4 – 10/100/1000    0
Max interfaces                               Up to 20           Up to 28
Number of I/O modules                        2                  4
Product Details
Juniper Firewall/VPN, with ScreenOS Deep Inspection
• Hardware: NS-5XT, NS-5GT, NS-25, NS-50, NS-204, NS-208, NS-500, ISG 1000, ISG 2000, NS-5200, NS-5400
• Software: ScreenOS 5.0, 5.1, 5.2
• Management: NSM
Juniper Stand-alone IDP
• Hardware: IDP 50, IDP 200, IDP 600C, IDP 600F, IDP 1100C, IDP 1100F
• Software: IDP 4.0
• Management: NSM 2006.1
Juniper ISG Series with IDP
• Hardware: ISG 2000 with IDP, ISG 1000 with IDP
• Software: ScreenOS 5.0-IDP
• Management: NSM 2004 FP3-IDP1
Management
3-Tier Management – Secure and Scalable
[Diagram: distributed IDP sensors and distributed ISG with IDP report to a centralized NSM server, administered through a common user interface]
Standalone IDP appliances require IDP 4.0 for NSM support
Customers with a Hybrid Network
[Diagram: Regional Head Office, Satellite Office and Main Office, each with separate FW Mgmt and IPS Mgmt systems]
Business Challenges
• What is on my network?
• Who is on my network?
Product Challenges
• Complex network environments
• Multi-vendor FW and IPS systems
• Multiple Management Systems
Juniper Networks Customers
[Diagram: Regional Head Office, Satellite Office and Main Office managed by a single NSM]
Juniper Offering
• Juniper Networks IDPs & Firewalls
• Single Management System
• Single User Interface
Business Benefits
• Enhanced Network Visibility
• Granular Control
• Ease of Use
NSM Management Features (NEW – NSM 2006.1)
• Scheduled Security Updates – Automatically update devices with new attack objects.
• Domains – Service providers and distributed enterprises may use this mechanism to logically separate devices, policies, reports, objects, etc.
• Role-based Administration – Granular approach in which all 100+ activities in the system may be assigned as separate permissions.
• Object Locking – Multiple administrators can safely and concurrently modify different objects in the system at the same time.
• Audit Logs – Sortable and filterable record of who made which changes to which objects in the system.
• Device Templates – Manage shared configuration such as sensor settings in one place.
• Job Manager – View pending and completed directives (such as device updates) and their status.
• High Availability – Active/passive high availability of the management server.
• Scheduled Database Backups – Copies of the NSM database may be saved on a daily basis.
Granular IDP Control w/NSM
Firewall and IDP management from same user interface
Configure attack detection
Configure desired response
Summary
Why Juniper Networks IDP products?
• Security Coverage
• Product Innovation
• Trusted Company
• Market Recognition
Security Coverage
• Multiple prevention methods for protection against the entire ‘Vulnerability & Attack Lifecycle’
• Complete packet capture and protocol decode @ Layer 7, including VoIP protocols
• 2-way Layer 7 inspection: blocks attacks from client-to-server and server-to-client
• 100% prevention and accuracy for Shellcode/buffer overflow attacks
• 100% prevention in protecting against Microsoft Vulnerabilities: Same day & Zero protection on “Patch Tuesday’s”
• Comprehensive Spyware protection, including 700+ signatures and growing daily
• Daily signature updates, including auto signature updates and auto policy push
Product Innovation
• Next generation of network visibility w/ Security Explorer
• Granular, Flexible Management solution for all Juniper Networks security appliances
• Automatic custom reports
• Multi Gigabit Performance
• Multiple Deployment Options
• “Profile” the network to understand applications and network traffic
• Carrier Class IDP: Multi-Gbps combined with SDX / JNPR Router integration
• Custom Signature Editor / Open Signatures Database
Trusted Company
• Financial Strength / $2 Billion in Revenue / Profitable / Cash Reserves
• Investment in R&D: 25% - 30% of revenue
• Product Roadmap – IDP plays a key role in Juniper’s Infranet solution
• Global Support & Relationships
Market Recognition
Most decorated IPS product in 2005
• Winner ‘Editors Choice’ – Network Computing: ‘The Great IPS Test’
• Winner ‘Best Multifunction Appliance’ – Network Computing (Well-Connected)
• Winner ‘Best IPS Appliance’ – Network Computing (Well-Connected)
• Winner ‘Product of the Year’ – SearchNetworking.com
• Winner ‘Product of the Year’ – IDG Research / TechWorld
• Winner ‘Best Deployment Scenario’ – ISP Guide: City of Burbank, Juniper IDP Customer
• Awarded ‘NSS Certification’ for Industry Approved IPS: IDP 600F
• Winner ‘Product of the Year’ – ISG 1000 – ZDnet Australia
• Winner ‘Editors Choice’ – IDP 200 – ZDnet Australia
Thank You!