Juniper Networks Education and Certification...

Copyright © 2013 Juniper Networks, Inc.

Juniper Networks Education and Certification ProgramQuarterly UpdateMay 2014

Copyright © 2013 Juniper Networks, Inc. 2

WELCOMEThank you for joining us!Introducing today’s speakers

• Lawrence Rust , Education Services Marketing Manager• Liz Burns, Director, Education Services Programs• Kieran Milne, JNCP Technical Lead• GUEST SPEAKER – Swastik Bihani, Director, Counter

Security

3 Copyright © 2013 Juniper Networks, Inc.

AGENDAJuniper Authorized Training

• What is happening around the globe

Updates• JNCP• New exams and courses• Learning resources

DDoS Secure• How does it work in the real world?

Keeping In TouchQuestions

Certification Program


WORLDWIDE JUNIPER EDUCATION SERVICES

Note that editable maps increase overall file size. These can be ungrouped and modified.

Value of Juniper Authorized Training Around the Globe• Expanding our footprint through global partnerships

• Partnerships include certification and standards

Juniper Networks Authorized Education Partner (JNAEP)Juniper Networks Academic Alliance (JNAA)


JUNIPER EDUCATION AROUND THE GLOBEAMERICAS UPDATENEW - Hybrid Delivery• Combine classroom and online delivery to maximize impact/benefit• JNCI delivered live in customer location with simultaneous online

classroom• Perfect for geographically distributed teams with limited travel budget

Prescriptive Training• Customized learning programs• Designed to model customer staff structure and unique requirements• Includes Juniper certification to tie learning to industry benchmarks

To learn more http://www.juniper.net/us/en/training/prescriptive/

[email protected]


JUNIPER EDUCATION AROUND THE GLOBEEUROPE, MIDDLE EAST, AFRICA

Expanding Juniper Networks foot print via JNAA• Training and certification event at Queen Mary University

of London• Find out more about JNAA

http://www.juniper.net/us/en/training/academicalliance/

Popular Courses• Configuring and Monitoring Contrail (CMC)

• Courses in UK and AMS in June

• Junos Mobile Backhaul (JMBH)https://learningportal.juniper.net/juniper/user_courses.aspx

[email protected]


JUNIPER EDUCATION AROUND THE GLOBEASIA PACIFIC, CHINA

Expanding through JNAEPs• Thailand: Vnohow

• Indonesia: P.T. Informatika Solusi Bisnis (Netlearn)

• Philippine: Dataciphers

• Singapore: Greensys SG

JNAEP’s accept Juniper Training Credits (JTC’s)

Find all JNAEP information and schedules on Education Services websitehttp://www.juniper.net/us/en/training/technical_education/authorized_education.html

[email protected]


JNCP INITIATIVES1ST ANNUAL JNCP BLOGGING CONTEST

Show your thought leadership and get published!• Must be active JNCIS or above to participate

• Write about a technical topic and/or your journey to certification

• Each submission evaluated against defined criteria

• Accepted articles posted to My Certification Journey blog http://forums.juniper.net/t5/My-Certification-Journey/bg-p/CertJourney

• Drawings for fun prizes

Look for more details the second week of June


Ass

ocia

teP

rofe

ssio

nal

Spe

cial

ist

Exp

ert

JNCIA -Junos

JNCIS-SP JNCIS-SEC

JNCIS-ENT

JNCIP-SP JNCIP-ENT

JNCIP-SEC

JNCIE-SP JNCIE-ENT

JNCIE-SEC

JNCSP-SP

JNCSP-ENT

JNCSP-SEC

JNCIP-SP JNCIP-ENT JNCIP-SECP P P

Network Engineer Support Specialist

JNCIA-E

JNCIS-E

JNCIP-E

JNCIS-FWV

JNCIS-WLAN

JNCIS-SA

JNCIS-AC

JNCIS-QF

JNCIA-IDP

P Out-of-trackPrerequisite

=

Product/Technology Track

JNCIS-ENTP

Information current as of March 2014

Service Provider Routing andSwitching

Enterprise Routing

andSwitching

JunosSecurity

Service Provider Routing and

Switching

Enterprise Routingand

Switching

JunosSecurity

E Series Firewall/VPN

WirelessLAN

JunosPulse

Secure Access

JunosPulse

Access Control

QFabric IDPSeries


EXAM UPDATES – JNCIE (NEW FORMS)

• JNCIE-SP• New forms in development• Begin use in Q2 2014

• JNCIE-ENT• New forms in development• Begin use in Q2 2014

• JNCIE-SEC• New forms start development in Q3 2014• Begin use in 2015

NO changes to exam objectivesAll preparation/study resources remain valid


ONGOING UPDATES FOR JNCP EXAMS

JNCP exams are updated on an ongoing basis• JNCIA up to JNCIE level

• Exams are updated/refreshed on a development cycle• Sometimes ‘visible’ (ex. JNCIA-Junos .. JN0-101 -> JN0-102)

• Sometimes not

• Ensures ‘freshness’ of item pool

• Ensures security of exams


FREE EXAM VOUCHERS IN STUDENT KITS

See the full list @

www.juniper.net/training/news


Q2 2014

New• JNCIE-SEC Bootcamp – LIVE

• Configuring and Monitoring Contrail (CMC) – LIVE

Updates• Junos Unified Threat Management

(JUTM)

• Junos Space Essentials (JSE)

• Junos Space for the Enterprise (JS-ENT)

• -> Split into courses for Security Director & Network Director

NEW AND UPDATED COURSEWARE

Q3 2014

New• Junos Enterprise Switching -

Enhanced Layer 2 software (JEX-ELS)

Updates• Junos Pulse Secure Access (JPSA)• Configuring and Monitoring QFabric

Systems (CMQS)• Troubleshooting QFabric Systems

(TQS)


OTHER LEARNING RESOURCES

JNCP Website Resources pagehttp://www.juniper.net/us/en/training/certification/resources.html

J-Net•Training, Certification Career Forum

• http://forums.juniper.net > Training, Certification, and Career Topics

•My Certification Journey blog

• http://forums.juniper.net/t5/My-Certification-Journey/bg-p/CertJourney

•Day One Books

• http://www.juniper.net/dayone


JUNOS GENIUS—CERTIFICATION PREPARATION APP

Unlock your Genius … www.juniper.net/junosgenius

• Version 1.2 adds JNCIS-SEC and JNCIS-ENT

• Improved randomization of questions

• More instructors to challenge• And more device achievements

• Pinch/spread functionality in ‘My Network’

• Improved sharing of ‘My Network’ diagrams viasocial media

• JNCIS-SP deck available in Q3


JUNIPER LEARNING BYTES…EXPAND YOUR KNOWLEDGE BIT BY BIT

• What are Learning Bytes??• Short and concise tips and instructions on specific features and functions of

Juniper technologies

• Taught by training experts

• Relevant for all skill levels

• Video-based…learn when you want, in the office or on the go

• Free of charge!


OUR NEWEST LEARNING BYTES─EXPAND YOUR KNOWLEDGE BIT BY BIT

TitleConfigure a CA Profile to Verify CertificatesConfiguring route-based site-to-site IPSec VPN on the SRXIntroduction to Enhanced Layer 2 Software (ELS)Introduction to Routing Instances: Routing Instance BasicsJunos Space Network Director Image ManagementOSPFv2 Adjacency FormationOSPFv2 Neighbor/Adjacency TimersSwitching Basics on the EX Series SwitchesVirtual Chassis TroubleshootingVRF-table-label

www.juniper.net/learningbytes or www.youtube.com/junipernetworks


DDOS SECURE

SWASTIK BIHANI


1999SANS discovers first botnet.

2000DDoS attacks take out eBay, CNN and Yahoo!

First DDoSMitigation Appliance launched.

2003First DDoSProxy Service launched.

2006Anonymous DDoS Habbowebsite.

2008Russia accused of DDoSagainst Georgian Govt website.

2009Iranian voters “flash crowd” government sites to protest vote rigging.

2010WikileaksOperation Payback attack Visa and Paypal.

2011LOIC popularized by Anonymous and LulzSec

2012DDoSbecomes mainstream with attacks on US banks.

2013Mobile applications being used to launch DDoS attacks

2014Largest attack of ~400Gbps seen against French targets using reflective attacks

DDOS EVOLUTION


DDOS SOLUTIONS

Clean Pipe On-Premises

DDoS Secure


KEY CONCEPT: CHARM

• Simple example: real human traffic typically bursty and irregular; machine/bot traffic is regular

• Algorithms updated regularly with characteristics of new attacks

CHARM: Real-time risk score for each source IP

0

100

Initial 50

Human-like

Machine-like

Per packet


• SIP/DNS/URL and SIP Response Time• SIP/DNS/URL Rate, Pending counts• HTTP Server Error Codes

KEY CONCEPT: RESOURCE HEALTHResource health: real-time view of status for every discrete “thing” on protected interface using stateful analysis resource responsiveness

Internet Traffic

Internet Traffic

Resources

Internet Traffic

DDoS Secure

L7

L3-4Exa

mpl

es

• Backlog queue (per resource, per port)• TCP stats: SYN, SYN-ACK, CLS, RST, etc


RESOURCE MANAGEMENT

In this example, Resource 2’s response time starts to degrade and the CHARM pass threshold is increased to start the process of rate limiting the bad traffic.

At this point the good traffic will continue to pass unhindered whilst the attackers will start to believe their attack has been successful as their request fails.

Resource 1 Resource 2 Resource 3 Resource ‘N’

The attack traffic to Resource 2 reduces as the attackers switch the attack to Resource 3.

Once again, Junos DDoS Secure responds dynamically by increasing the pass threshold for Resource 3 Limiting bad traffic.

Resource Control


KEY CURRENT PROBLEMS WE’RE SOLVING

• Compromised Mobile Handsets

• Network Usage in Amplification Attacks

Mobile SPMobile SP



Mobile SP

• Zero day attacks mainly targeted at Financials

• Enterprises being the recipients of Amplification Attacks

EnterprisesEnterprises



Enterprises


MOBILE NETWORK – DDOS USE CASES



Mobile SPMobile SP



Mobile SP1.

2.

Identifying Offending Handsets – RAN Protection

Preventing DNS Server Participation

In Reflection Attacks


MOBILE NETWORK – RAN PROTECTION

Internet

MME

S6a

SGW PGW

S11

S1-UUE

S5

SGi

HSS

SecGWSRX

SCTP-FW

S1-MME

PCRF

JDDS

eNodeBCluster

STRMServer

AggrRtr

Core Rtr

S1-U

S1-MME

Gx

PERtr

JDDS

SRX FW

Access Network Core Network Network Interconnect

Data Center

LTE RAN

• Malware• AV• Web Filtering• CGN• FW

•DNS•WEB•SIP

JDDS

• Expensive RAN Network resource consumption

• Blacklisting of Network IP addresses

MobileMobileMobile

1


MOBILE NETWORK – DNS ATTACKS

Internet

MME

S6a

SGW PGW

S11

S1-UUE

S5

SGi

HSS

SecGWSRX

SCTP-FW

S1-MME

PCRF

JDDS

eNodeBCluster

STRMServer

AggrRtr

Core Rtr

S1-U

S1-MME

Gx

PERtr

JDDS

SRX FW

Access Network Core Network Network Interconnect

Data Center

LTE RAN

• Malware• AV• Web Filtering• CGN• FW

•DNS•WEB•SIP

JDDS

Participation in a DNS/NTP Amplification Attack

MobileMobileMobile

2


HOW IT WORKS – DNS AMPLIFICATION (1/2)

client01

server0153

123

server0253

JDDS

IP1 � REQ A cnn.comIP1 � REQ MX cnn.comIP1 � REQ A juniper.net……………….IP1 � REQ PTR cnn.com


HOW IT WORKS – DNS AMPLIFICATION (2/2)client01

client02

client03

Attacker X

server0153

123

server0253

server03123

Attacker Y

JDDS

IPAttack � REQ A cnn.comIPAttack � REQ A cnn.comIPAttack � REQ A cnn.com……………….IPAttack � REQ A cnn.com

IPAttack

IPAttack

Decrease in CHARM Score for IPAttack

CHARM Threshold Increase for DNS


DDOS BUSINESS DRIVERS: ENTERPRISE

1.

2.

3.

Worldwide Attack SizesReaching 400Gbps

Increase in SophisticatedLayer 7 Attacks

Business Loss & Downtime From Zero-Day Attacks



EnterprisesEnterprises



Enterprises


DNS ATTACK PREVENTION

JDDS aggressively rate limits (10 pps) inbound DNS responses that do not correspond to an outbound DNS query


Innovation in Intelligence Exchange

VERISIGN PARTNERSHIP – HYBRID DDOS

1Cloud Layer- Aggregate Capacity- Globally Distributed- BGP or DNS enabled

2

On-Prem Systems- Application Intelligence- Signature-free, heuristics based full L7 Detection- “Always On” Mitigation

3

Hybrid Signaling- Phase 1: BL/WL, Attack Info (Src, Size, Dest, Type)- Phase 2: Bidirectional API level integration- Phase 3: Open Standards for Threat Signaling

Juniper DDoS Secure

Verisign Cloud DDoS


USE CASE EXAMPLE – MULTI VECTOR THREATS

VOLUMETRICATTACKS

LEGITIMATE USERS

STEALTHYATTACKS

Volumetric Attacks

CUSTOMER PREMISES

Critical Applications

Good traffic

Threat Information, Black/White List

VERISIGN CLOUD LAYER


USE CASE EXAMPLE – MULTI VECTOR THREATS

VOLUMETRICATTACKS

LEGITIMATE USERS

STEALTHYATTACKS

VERISIGN CLOUD LAYER

Critical Applications

Good traffic

CUSTOMER PREMISES


JUNIPER PORTFOLIO – BETTER TOGETHER

1 Data Center EdgeJuniper DDoS Secure

MX Routing Infrastructure

BGP Flowspec2 Upstream Signaling

3 MX Infrastructure (Policy)


JUNIPER DDOS SECURE

Don’t Chase Attacks : ‘Protect the Resource’ Philosophy

Relevant Solution : Immediate protection for the latest set of attacks

Innovation – Hybrid solution with a commitment to Open Standards


THANK YOU


Program Director - Liz Burns – [email protected]

Certification Program website: www.juniper.net/certification

Customer Service alias: [email protected]

KEEPING IN TOUCH

@JuniperCertify

Training, Certification and Career forum

LinkedIn – multiple LinkedIn groups

Juniper Networks Education and Certification...

Documents

Transcript of Juniper Networks Education and Certification...