Firefly Perimeter ( vsrx ) Technical information 12.1 X47 D10.2. Tuncay Seyran

Transcription

1 Firefly Perimeter ( vsrx ) Technical information 12.1 X47 D10.2 Tuncay Seyran

2 Security in a virtualized environment: same security risks + more TRADITIONAL SECURITY RISKS IMPACTING VIRTUAL ENVIRONMENTS NEW SECURITY RISKS EXCLUSIVE TO VIRTUAL ENVIRONMENTS Targeted Malware Thumb Drive theft Data Loss Audit Scope Creep Missing Security Updates and Patches Reliance on Traditional Barriers Accelerated Provisioning (clones, s/w scripts, etc.) Mixed-trust Workloads Security Left to Non-Traditional Security Staff VM Migrations Hypervisor Integrity Concerns Poor Visibility and Control Leveraging traditional security solutions transposed from physical server environments can become a major obstacle in your progress most pre-date x86 virtualization and were never designed to operate in this environment 2

3 Legacy security on Virtual Machines JUST DON T MAKE SENSE Performance degradation Multiple instances of anti-malware software + multiple instances of anti-malware signature database Wasteful duplication of the security software Potential gaps in security: - Scanning storms VM VM VM VM VM VM VM VM VM VM VM VM - Panic Attacks - Update Storms Hypervisor x86 Box 3

4 Virtual Security Solutions DO MAKE SENSE Higher guest virtual machine densities Higher performance for critical applications and business processes One virtual instance of anti-malware software + one virtual instance of anti-malware signature database Firefly Perimeter Easy deployment and automatic protection of the newly created virtual machine VM VM VM VM VM VM VM VM VM VM VM VM Higher return on investment Security gaps are eliminated (e.g. instant-on-gaps, scanning storms etc.) Hypervisor x86 Box 4

5 Next Generation Firewalls (defined by Gartner) Deep-packet inspection firewalls that move beyond port/protocol inspections and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall. An NGFW should not be confused with a stand-alone network intrusion prevention system ( IPS ) which includes a commodity or nonenterprise firewall, or a firewall and IPS and in the same appliance that are not closely integrated. NOTE : we are not calling Firefly Perimeter NGFW until the AppSecure 2.0 release as part of Firefly Perimeter 5

6 What s New in FFP x47-d10.2 6

7 What s New in FFP x47-d10.2 Note that Dynamic VPN has been removed in this release 7

8 Unified Threat Management ( UTM ) Features Web Filtering ( redirect ) ( WF ) Enhanced Web Filtering ( EWF ) (Sophos) Antivirus ( SAV / AV Sophos) (Sophos) Antispam Filtering ( AS ) Content Filtering ( CF ) 8

9 UTM Information License is needed for UTM and IPS. In all cases to achieve HA, must purchase twice single amount. License for 1,3, or 5 year term Currently no hard key enforcements Initial / eval License is valid for six months SBL server matching stops when antispam license key is expired Local whitelist / blacklist matching continues after antispam license key is expired UTM will be turned on by default. This means some of the capacity numbers will cut by half even though UTM is not used. 9

10 UTM and Security Components ( current + future ) 10

11 SRX UTM Features and Partners 11

12 UTM ( current + future ) 12

13 How to Position UTM Services ( current + future) 13

14 Protecting your clients Different techniques address different problems when it comes to protecting clients from becoming infected while accessing the Internet Enhanced Web Filtering Proactively blocks categories of sites that may be used for spreading malware, or may be in violation of corporate policy Anti-virus and Anti-malware from Sophos Verifies that the site is not known for spreading malware (reputation-based filtering available with Sophos AV), and scans incoming files for viruses Intrusion Prevention System Inspects traffic at application layer against known and unknown attacks and blocks or logs those Anti-spam Prevents unwanted mail from disreputable senders Application Tracking ( future ) Provides visibility about what applications and nested applications are used Application Firewalling ( future ) Proactively blocks specific applications that may be used for spreading malware or may be in violation of corporate policy 14

15 Web Filtering Prevents access to inappropriate web content. Two types: Redirect web filtering solution ( license not needed ) Intercepts HTTP requests and forwards the server URL to external URL filtering server to determine block or permit ( provided by Websense ). Juniper local web filtering ( license not needed ) Decision making for blocking or permitting web access done on device after it identifies the category for URL from user defined categories stored on the device. 15

16 Enhanced Web filtering Enhanced web filtering ( license required ) Requests sent to the Websense ThreatSeeker Cloud ( TSC ) URL of the site is sent and Websense returns classification and reputation score Integrated URL filtering solution. Intercepts the HTTP and HTTPS requests and sends HTTP / HTTPS URL / source IP to Websense ThreatSeeker Cloud ( TSC ). HTTP request : URL is extracted HTTPS request : IP is extracted TSC categorizes URL into categories that are predefined. Provides site reputation information as well. 16

17 Enhanced Web Filtering cont d URL filtering profile can contain: One blacklist One whitelist Multiple user-defined & predefined categories, each with permit or block action Multiple site reputation handling categories, each with a permit or block action One default action with permit or block action 17

18 Antivirus Provided by Sophos. Less CPU intensive than full file based antivirus (full file not available for FFP). Smaller memory footprint. In the cloud antivirus solution. Virus pattern and malware database is located on external servers maintained by Sophos servers. No downloading and maintenance needed. Local internal cache to maintain query responses from external list server. 18

19 Antispam Filtering Provided by Sophos. Examines transmitted messages to identify spam. When is detected as spam, it will drop the message or tag the message header or subject field with a preprogrammed string. IP based Spam block list ( SBL ) is updated and maintained by Sophos ( Server based antispam filtering ) Optionally can create your own local whitelists and blacklists for filtering against ( Local list antispam filtering ) 19

20 Local List Antispam Filtering Can create lists against domain names, address, and / or IP addresses. Partial matching is capable for domain names but not IP addresses. Matching done in following manner Sender IP (whitelist / blacklist / SBL ) Sender domain ( whitelist / blacklist ) Sender ( whitelist / blacklist ) 20

21 Content Filtering Blocks or permits traffic based on MIME type, file extension, protocol command, and embedded object type. Content filtering evaluates traffic before all other UTM modules EXCEPT web filtering. Content filters available : MIME Pattern Filter : used to identify type of traffic in HTTP and MAIL protocols Block MIME list : to be blocked by the content filter Exception MIME list : not to be blocked ( higher priority than block list ) Block Extension List Protocol Command Block and Permit Lists Block and permit command lists are intended to be used in combination with permit list acting as an exception list to block list 21

22 Content Filtering cont d http, ftp, ( SMTP, IMAP, POP3 ) filtering protocol support. Types of content blocking supported only for HTTP : Block ActiveX Block Java applets Block cookies Block EXE files Block ZIP files 22

23 IPS Juniper provided predefined application signatures that detect TCP and UDP applications running on nonstandard ports. IPS sensor monitors network and detects suspicious and anomalous network traffic based on specific rules defined in IPS rulebases. Download predefined app signatures. Cannot create application signatures Note that attack signatures can be created Scheduled signature-packs usually ship at 2pm PST 23

24 IPS Policy & FW Integration 24

25 Firefly Perimeter Virtual Hardware Configuration CPU 2 vcpu, one for RE, one for flowd (PFE) Memory 2GB 3GB if UTM/IDP is enabled Disk 2 GB Currently these configurations are fixed Future versions will allow more tailoring of the configuration (memory, cpu, etc.) 25

26 Firefly Scale and Performance metrics Scale vram Required/Instance vcpus Required/Instance Max vnics/instance Max Zones Max Address Books Max Policies Max Policies with Count Max Applications/Policy Max Addresses/Address-set Max Firewall Sessions Max Pat Sessions (Source NAT with PAT) MAC/ARP Table Size Max VLANS Max OSPF Routes VMware & KVM 2GB K 256K 8K 4K 160K Performance 1 VMware KVM Firewall (UDP 1514B puts) 4.4 Gbps 1.1 Gbps Firewall (IMIX) 1.1 Gbps 221 Mbps Firewall Ramp Rate (TCP) 22K CPS 9K CPS Firewall Latency (512B UDP) 107 Micro Sec 114 Micro Sec Firewall IPv6 (UDP 512B pkts) 1.46 Gbps 374 Mbps NAT (UDP 1514B pkts) 4.4 Gbps 981 Mbps NAT (IMIX) 1.1 Gbps 218 Mbps NAT Ramp Rate (TCP) 19K CPS 8K CPS IPSec (3DES+SHA1, 1514B) 294 Mbps 195 Mbps IPSec (3DES+SHA1, IMIX) 132 Mbps 99 Mbps IPSec (3DES+SHA1, 64B) 50 Mbps 25 Mbps IKE Rate (3DES+SHA1,V1 or 2) 71 Tunnels/Sec 48 Tunnels/Sec EWF (44KB File) 251 Mbps (650 CPS Load) 62 Mbps (160 CPS Load) SAV (Allscan 44KB File) 280 Mbps (720 CPS Load) 116 Mbps (300 CPS Load) Max VRs Supported 5 HTTP Throughput 2 (Response Content 44KB File) 740 Mbps 385 Mbps IDP Session Scaling 2 32K HTTP CPS 2 (Response Content 64 bytes) 3000 CPS 2000 CPS 1 Reference platform for performance: Dell PowerEdge R820, ESXI 5.1, 24 Cores, Ghz CPUs 2 IDP Performance is based on default recommended IDP policy 26

27 FireFly Advanced Security capabilities matrix 27

28 Licensing Options with UTM / Security Add-Ons FFP with AppSecure and IDP FFP with Sophos AV, Sophos Anti-spam, Enhanced WF, AppSecure, IDP FFP with Sophos AV FFP with Enhanced Web Filtering Perpetual and subscription pricing is available BUT only subscription is available for Security Add-Ons Content filtering is available for free in all license options 28

29 Pricing No hard license keys required to activate the product or related features. License purchases are required for what is used but Juniper removed activation keys in the product to enable true Cloud/NFV (Network Function Virtualization) dynamic environments (cloning, auto-instantiation of vm's etc. all remain un-impacted). In the 'base' offering Firefly provides, full stateful firewalling, NAT, VPN and advanced routing (OSPF, BGP, MPLS, etc). Number of advanced security services (anti-virus, anti-spam, web url filtering, IPS) which can be purchased and activated ( all on a single virtual machine ). 29

30 New Pricing Models for Firefly 30

31 Pricing cont d Documentation Firefly FAQ Firefly Sales Presentation Firefly Pricing Guidelines 31

32 Thank You!!!