Juniper Security Update. Karel Hendrych Juniper Networks

Transcription

1 Juniper Security Update Karel Hendrych Juniper Networks

2 Agenda High End SRX security gateways Overview, SRX1400 JunOS update AppSecure Competitive 2 Copyright 2009 Juniper Networks, Inc. This product roadmap sets forth Juniper Networks current intention and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted on this roadmap.

3 High End SRX security gateways

4 SRX / DATA CENTER SERVICES PLATFORMS Next-Gen Security Systems Scalable Performance Rich Standard Services Firewall VPN IPS Routing QoS AppSecure More to come Extensible Security Services Integrated Networking Services 8U, 6 slot, 2RE*, 1+1 SCB, 2+2 PS, 60/15/15G, 9M sess, 350kcps SRX U, 12 slot, 2RE*, 2+1 SCB, 2+2 AC, 3+1 DC, 120/30/30G, SRX M sess, 350kcps SRX5600 SRX5800 5U, 6+6 CFM, 8+4 GE, 2RE*, 2+2 PS, 30/10/10G, 2M sess, 175kcps ISG2000 NS-5400 SRX1400 3U, 4+3 CFM, 8+4 GE, 2RE*, 1+1 PS, 20/8/8G, 2M sess, 175kcps 3U, 3 CFM, 12GE or 3XGE+9GE, 1+1 PS, 10/2/2G,.5M sess [45kcps ISG1000 NS Copyright 2009 Juniper Networks, Inc. Note *: Redundant REs not currently supported

5 SRX1400 DETAILS Double-wide slot for processing resources SRX1400 NSPC or SRX3000 NPC & SPC Choice of Base Systems -GE or -XGE 12 GbE ports GbE & 10GbE ports 6x 10/100/1000 RJ45 6x 1000BASE-X SFP 2 HA or data Console port or 6x 10/100/1000 RJ45 3x 1000BASE-X SFP 2 HA or data 3x 10GbE SFP+ Console port Fan tray (rear) Management Module Expansion Slot Power Supply (FRU) Discrete Routing Engine Separate Control & Data Planes Two USB Aux port One SRX3000 IOC 2x 10GbE XFP 16x10/100/ x 1000BASE-X Future Items & next gen hardware AC or DC Optional 2nd (redundant) & hot swap power supply AC or DC 5 Copyright 2009 Juniper Networks, Inc.

6 SRX HE JunOS highlights (shipping) ALG - IPSEC, MS-RPC, SUN-RPC, DNS, SIP, SQL AppID decoupled from IDP 802.3AD LACP chassis cluster IPv6 flow, QoS, filters, mgmt, screen, A/P HA Dual HA data/control links IDP nested applications AppTrack AppDoS cps limit IDP packet capture TCP/UDP sweep screen Cone NAT with wild-card Multicast HA 6 Copyright 2009 Juniper Networks, Inc.

7 SRX HE JunOS 10.4 highlights (BETA) datapath-debug pcap support port mirroring IPv6 NAT, multicast, A/A HA NAT-PT, DNS ALG DS-lite, IPv4 tunnels over IPv6 networks VoIP ALG DSCP rewrite IPv6 syn-flood protections DHCPv6 SRX1400 platform session increase (SRX3600 up to 6M sessions) 7 Copyright 2009 Juniper Networks, Inc.

8 AppSecure

9 APPSECURE: APPID AS PART OF JUNOS SERVICES Forwarding Lookup AppID IPS Per Packet Policer Per Packet Filter Session Match? Per Packet Policer Per Packet Filter Per Packet Policer Per Packet Filter Per Packet Filter Per Packet Shaper Provide application visibility and context to additional services for enhanced, application-aware security 9 Copyright 2009 Juniper Networks, Inc.

10 APPSECURE SERVICE MODULES Flow Processing AI NAI Application Identification Engine AppTrack AppTrack ID Results AppDos IPS AppFW AppFW AppQoS AppQoS AppDos AppDoS Future Item 10 Copyright 2009 Juniper Networks, Inc.

11 APPSECURE: APPLICATION DENIAL OF SERVICE AppDoS Identifies attacking botnet traffic vs. legitimate clients based on application layer metrics and remediates against botnet traffic Employs multi-stage approach from server connection monitoring, deep protocol analysis to bot-client classification. Server connection monitoring Protocol analysis Bot-client classification 11 Copyright 2009 Juniper Networks, Inc.

12 APPSECURE : APPLICATION VISIBILITY SRX 12 Copyright 2009 Juniper Networks, Inc.

13 CONFIGURATION NESTED-APPLICATION DEFINITION Both predefined and custom nested-application definition are at [services application-identification nested-application] [edit services application-identification] nested-application junos:facebook { type FACEBOOK; index 311; protocol HTTP; signature NestedApplication:FACEBOOK { member m01 { context http-header-host; pattern ".*(facebook\.com fbcdn\.net)"; direction client-to-server; } } } 13 Copyright 2009 Juniper Networks, Inc.

14 High End SRX Competitive

15 Competetive Agenda Architecture High End ScreenOS platform packet flow High End SRX packet flow SRX Performance Integration of SRX with other security products 15 Copyright 2009 Juniper Networks, Inc.

16 High End ScreenOS platform packet flow

17 First Packet Flow IF1 IF2 1 Data Bus 2 ASIC 3 4 SDRAM Management Module Control Bus 1. Incoming Packet from I/O module into ASIC through Switch Fabric 2. ASIC parses the packet header and checks for the session match 3. If session match not found, ASIC passes first 64 bytes to management module through control bus. If Mgt module needs more info, it can access the packet in ASIC module s memory. Data Bus 4. Mgt module creates new session and forwards the packet info to ASIC module for transmission. 17 Copyright 2009 Juniper Networks, Inc.

18 Packet Flow Existing Session IF1 IF2 1 Session match found, ASIC handles packet directly 4 FIFO Bus 2 ASIC FIFO Bus 18 Copyright 2009 Juniper Networks, Inc. 3 Management Module SDRAM Control Bus 1. Incoming Packet from I/O module 2. Packet transfer to ASIC through 3. Session matched, and packet is placed in transmit queue of (NAT, IPSec encap/decap, screening for ASIC based attacks all happens at ASIC) 4. transfers the packet out through I/O module

19 High End SRX packet flow

20 Fabric IOC domain Fabric SPC domain PACKET FLOW SRX 3K: FIRST PACKET OF NEW FLOW 1. Packet Received by NP NP flow lookup, no match 2. NP sends packet to CP 3. CP chooses SPU, forwards packet SPU does session setup 4. Packet forwarded out egress port via NPC for queuing SWI NP CP SPU IOC #X NPC #R SPC #1 SWI NP SPU IOC #Y NPC #S SPC #N 20 Copyright 2009 Juniper Networks, Inc.

21 Fabric IOC domain Fabric SPC domain PACKET FLOW SRX 3K: SESSION SETUP MESSAGES 1. SPU sends insert session to CP 2. SPU sends insert session to ingress NP 3. SPU sends insert session to egress NP CP SWI NP SPU IOC #X NPC #R SPC #1 SWI NP SPU IOC #Y NPC #S SPC #N 21 Copyright 2009 Juniper Networks, Inc.

22 Fabric IOC domain Fabric SPC domain PACKET FLOW SRX 3K: FAST PATH 1. Packet Received by NP NP flow lookup, match 2. NP send packet to SPU - SPU does fast path processing 3. Packet forwarded to egress NP 4. Packet egresses card CP SWI NP SPU IOC #X NPC #R SPC #1 SWI NP SPU IOC #Y NPC #S SPC #N 22 Copyright 2009 Juniper Networks, Inc.

23 Integration of SRX with other security products

24 ENTERPRISE-WIDE ACCESS CONTROL Imagine a person on the road: Sales user s device is quarantined for automatic patch remediation User logs in from unpatched device Remediation successful; full network access granted Data NAC IC Finance Mobile User Internet SSL VPN SRX Firewall Video 4 Patch Remediation SSL session data pushed to NAC via IF-MAP IC pushes role-based FW policies to SRX User attempts to access Finance data, but is blocked 24 Copyright 2009 Juniper Networks, Inc Apps Corporate Data Center SRX senses attack, informs IC SSL VPN terminates user session IC removes SRX access

25 Q&A, Thank you! Karel Hendrych Juniper Networks