Software-Defined Secure Networks: The Future of Network Security for Digital Learning
SIGS, 5 July 2015
Klaus Ernst, Systems Engineer, Juniper Networks
Threat Landscape Feels like Treading Water
2017 IT Priorities: Mobile Learning; Broadband & Network Capacity; Cyber Security (High Risk)
Top Security Concerns: Phishing; Denial of Service; Ransomware
Source: CoSN IT Leadership Survey; CoSN Infrastructure Survey
Network Security Today
Layered on top of the network, built on the perimeter model: Outside (Untrusted) / Internal (Trusted)
Controls at the perimeter: Inline Intrusion Prevention, Unified Threat Management, Data Loss Prevention, Application Security, Advanced Threat Prevention
- Designed to trust inside activity: easy lateral threat propagation
- Limited threat visibility: relies mostly on traditional firewalls for data and insight
Today's network security is inadequate to effectively detect and stop evolving threats.
Traditional infrastructure and network security today
Network security today follows an UNTRUST / TRUST model (example: Sally School District Network)
Traditional infrastructure and network security today
Network security today follows an UNTRUST / TRUST model: network-compromised workflow (example: Sally School District Network)
Software Defined Secure Network Delivers Zero Trust Security Model
Perimeter Secure Network: Outside (Untrusted) / Internal (Also Untrusted)
- Simplified Security Policy
- Block Lateral Threat Propagation
- Comprehensive Visibility
SDSN Phase-1 Recap
Campus Network: Infected Host Workflow
Components: Campus, Internet, SRX Series Cluster, Core / Distribution, Access Switch, Sky ATP, 3rd Party Feeds, SDSN Policy Engine
POLICY: policy defined in the Policy Engine, e.g. infected hosts with Threat Level >8 should be quarantined
DETECTION: Sky ATP threat feeds; custom feeds (e.g. Attivo, Vectra)
ENFORCEMENT: access and aggregation switches quarantine the infected host (access switch ACLs, block port or quarantine VLAN); SRX policy enforcement from SRX policy and feeds
SDSN Threat Remediation Use Case
Manual Threat Workflows: malware found -> ticket -> multiple teams (Incident Response, Net-Sec Operations, Endpoint Security) -> threat detection; enforcement delays; vendor-specific threat feeds
Automated Threat Remediation: cohesive threat management system; automation across network & security; open API and 3rd party threat feed collation
SDSN Phase-1 (FRS 2016)
Use Case: Threat Remediation of infected hosts
DETECTION: Sky ATP (known & day-0 malware analysis, sandboxing, infected host identification, command & control, GeoIP)
POLICY: simplified threat remediation policy (Block, Quarantine, Track) defined in Security Director Policy Enforcer
ENFORCEMENT: Juniper SRX, vSRX, EX and QFX
Key Features
- Security Fabric including firewalls and switches
- Infected Host Blocking: perimeter firewall level for north-south traffic; EX/QFX switches to protect from lateral movement of threats
- Infected Host Tracking: track infected host movement in the network, and quarantine or block infected hosts even if the IP address changes
Customer Benefits
- Automates threat remediation workflows
- Real-time remediation of infected hosts
- Reduced time to remediate = reduced exposure to attacks
- Leverage network (EX/QFX) and firewall (SRX/vSRX) to take remediation actions against lateral movement of attacks inside the network, in addition to limiting attacks from the outside world
SDSN Phase-2 Overview
Threat Remediation Enhancements
Use Case: 3rd Party Switch and Wireless Support
ENFORCEMENT: Juniper SRX, vSRX, QFX and EX (+Fusion support); 3rd party access switches with Radius (AAA) configured; wireless WLCs with Radius (AAA) configured
Components: Sky ATP, Policy Enforcer (Connector Framework, 3rd Party Connector), Radius server, 3rd party access switch (Radius messages)
Key Features
- Security Fabric to support 3rd party switches and wireless
- Infected Host Blocking: Juniper & 3rd party switches to protect from lateral movement of threats
- Infected Host Tracking: track infected host movement in the network, and quarantine or block infected hosts even if the IP address changes
Customer Benefits
- Automates threat remediation workflows
- Real-time remediation of infected hosts
- Reduced time to remediate = reduced exposure to attacks
- Network-vendor-agnostic mechanism for threat remediation
SDSN Phase 2 Multi Vendor support
Components: Sky ATP; Policy Enforcer (Policy Controller, Feed Collector, Connector Framework, Connector API, Junos Space SW Micro Service, 3rd Party SW Connector, ForeScout Connector); Cloud Feed Server; 3rd Party Feed Server; EX/QFX, SRX, Cisco switches, EX/Cisco access, Radius Access Server, Juniper and 3rd Party Wireless
Multi-vendor wired and wireless support
- Security Fabric including SRX firewalls, Juniper or third party switches, wireless components
- Threat intelligence from Sky ATP, cloud feeds and third party feeds
- Infected Host Tracking and Enforcement in one of these modes:
  - On Juniper switches natively via the Junos Space S/W Micro Service
  - On 3rd party / Juniper switches and wireless access controllers via AAA server (802.1X)
  - On third party wired and wireless access infrastructure via ForeScout integration
SDSN in a non-Juniper Switched Network
Components (the numbers refer to the diagram callouts): SRX, EX/QFX, Cisco switch, Sky ATP, EX/Cisco access, Radius Access Server, Juniper / 3rd Party Wireless, Policy Enforcer (Policy Controller, Connector Framework, Connector API, 3rd Party SW Connector, Feed Collector), Cloud Feed Server, Remote Feed Server
1. End user authenticates to the network via 802.1X or MAC authentication.
2. Sky ATP detects the endpoint becoming infected.
3. Policy Enforcer downloads the Infected Host feed.
4. PE enforces the Infected Host policy with the 3rd Party SW Connector calling the generic API.
5. The 3rd Party Connector queries the AAA server for endpoint details for the infected host IP and initiates CoA for the infected host MAC.
6. The CoA action can be block or quarantine VLAN.
7. Enforcement happens on the NAC device the endpoint authenticated on.
8. Policy Enforcer communicates the end host details back to Sky ATP.
SDSN Phase-2 Open Eco-System
Custom Feed API Support
Use Case: Threat Remediation of infected hosts leveraging 3rd party threat feeds
DETECTION (Phase-1): Sky ATP (Command and Control, Infected Host)
ENHANCED DETECTION (Phase-2): now supports 3rd party feeds (Blacklist, Whitelist, Dynamic Address, Infected Host); Policy Enforcer's Feed Collector polls a Remote Feed Server for updates, or 3rd party feeds are pushed via the Feed API
Key Features
- Blacklist: entities in the blacklist always get blocked by SRX
- Whitelist: entities in the whitelist always get accepted by SRX
- Dynamic Address: entities in a Dynamic Address Group can be used in SRX firewall policy
- Infected Host: Threat Prevention Policy enforced for entities identified as infected hosts
Customer Benefits
- Enables customers to leverage existing, trusted threat feed sources to take threat remediation actions with Policy Enforcer
- Flexible mechanisms to synchronize threat information: push to PE with the Threat Feed API, or configure PE to poll from a remote feed server
Infected Host Feed
1. Adds support for 3rd Party Infected Host Feed.
2. IH feed can be: 1. Local file 2. Remote feed server
3. APIs to push IH feeds to PE:
   POST <context>/api/v1/controller/customfeeds/<feedtype>/param/<inputtype>/<name>
   Body:
   "customfeed": {
     "domain": "SD domain name",
     "description": "infected IPs",
     "content": {"add": ["1.2.3.4", "2.3.4.5"], "delete": ["1.3.4.5"]}
   }
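An added example, not Juniper's code, that models the two slides above offline: it builds the custom-feed body in the shape shown on the API slide, then applies the deck's policy (quarantine when threat level >8) to a feed, resolving each IP to a MAC through an 802.1X/AAA session table so the CoA decision follows the endpoint even after its IP changes. The function names, the threshold constant and the session table are constructed assumptions.

```python
import ipaddress

QUARANTINE_THRESHOLD = 8  # policy from the deck: threat level > 8 gets quarantined


def build_custom_feed_body(domain, description, add, delete=()):
    """Return the custom-feed request body in the shape shown on the API slide,
    after checking that every entry parses as an IP address."""
    for entry in list(add) + list(delete):
        ipaddress.ip_address(entry)  # raises ValueError on a malformed entry
    return {"customfeed": {"domain": domain, "description": description,
                           "content": {"add": list(add), "delete": list(delete)}}}


def plan_enforcement(infected_feed, aaa_sessions, quarantined_macs):
    """Decide a CoA-style action per feed entry (constructed model, not PE's logic).

    infected_feed:    {ip: threat_level} as pulled from Sky ATP or a 3rd party feed
    aaa_sessions:     {ip: mac} as learned from 802.1X / MAC authentication
    quarantined_macs: set of MACs already quarantined; updated in place so the
                      decision is keyed on the endpoint (MAC), not its current IP
    Returns (mac, ip, action) tuples. Feed IPs with no AAA session are reported as
    'unresolved': there is no authenticated endpoint to send a CoA for.
    """
    actions = []
    for ip, level in sorted(infected_feed.items()):
        mac = aaa_sessions.get(ip)
        if mac is None:
            actions.append((None, ip, "unresolved"))
        elif level > QUARANTINE_THRESHOLD or mac in quarantined_macs:
            quarantined_macs.add(mac)
            actions.append((mac, ip, "quarantine-vlan"))
        else:
            actions.append((mac, ip, "track"))
    return actions


def on_reauth(mac, new_ip, quarantined_macs):
    """An endpoint re-authenticating with a different IP keeps its quarantine,
    which is the deck's 'quarantine even if IP address changes'."""
    action = "quarantine-vlan" if mac in quarantined_macs else "allow"
    return (mac, new_ip, action)
```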
SDSN Phase-2 VMware NSX Integration
NSX Integration: Initial vSRX Provisioning
Actors and components: Cloud Admin, Security Admin, NSX Manager, SD Policy Enforcer, ESXi Host-1 and Host-2 (NSX Virtual Switch, DFW, VMs, vSRX), ToR Switch
0. NSX deployed and SD/PE installed
1. SD registers the vSRX service with NSX
2. NSX provisions vSRX on all NSX hosts
3. NSX provisions vSRX redirection rules (DFW)
4. SD provisions licenses & default policy for vSRX
Initial provisioning complete; vSRX sees no traffic at this stage.
Workflow: Integrating vCenter and NSX Manager
Workflow: Auto-import NSX Security Groups as Dynamic Address Groups
SDSN Phase-2: Summary
Pervasive Security, Without Complexity (SDSN Vision)
Phase-2: Juniper SRX & Sky ATP; Juniper and 3rd party switching & wireless; VMware NSX for private cloud; threat remediation & micro-segmentation
Change in Mindset
- Hardware defined -> Software/cloud defined
- Perimeter -> Pervasive
- Manual enforcement -> Automated
- Configuration driven -> Business driven
- Closed ecosystem -> Open framework