Kunal Jha, Juniper Networks
- Security
- Cloud
- Virtualization
- BYOD / Mobility
- SDN
Simplified Networking
RakeshSingh@Juniper.net, Senior Systems Engineer
Juniper Networks Proprietary and Confidential -- printed copies of this document are for reference only
EX Series portfolio timeline, 2008 to 2013+ (figure: core, aggregation and access tiers)
- Modular: EX8216, EX8208, EX8200 Virtual Chassis, EX6200, EX6200 48F, EX9200; modules 1G-Copper, 1G-Fiber, 8x10G, 40x10G Extra-Scale
- Fixed, core/aggregation: EX4200 Virtual Chassis, EX4200, EX4500 Virtual Chassis, EX3300 Virtual Chassis, EX4550 SFP+, EX4550 10GT, External RPS
- Fixed, access: EX3200, EX4500, EX2200, EX4200-PX, EX3300, EX2200-C
Deployed Extensively
- Over 19,000 customers, 15M+ ports
- Data center, campus, branch, SP
- Financials, healthcare, education
- #3 LAN switching vendor
Why We Win
- Technology
- Flexibility
- Performance
- Operational simplicity
THE REST OF THE DATA CENTER HAS ADVANCED DRAMATICALLY IN RECENT YEARS
From rigid, legacy model of I.T. to flexible, virtualized model:
- Applications: on-premise apps -> software services
- Servers / compute: dedicated servers -> virtualized workloads
- Storage: dedicated storage -> shared storage
THE DATA CENTER NETWORK HAS NOT EVOLVED, AND IS NOW AN INHIBITOR
From rigid, legacy model of I.T. to flexible, virtualized model:
- Applications: on-premise apps -> software services
- Servers / compute: dedicated servers -> virtualized workloads
- Storage: dedicated storage -> shared storage
- Network: layers of complexity -> Experience? Economics?
Ethernet network evolution: 3-2-1
3. Legacy three-tier data center
2. Juniper two-tier data center
1. Juniper's data center fabric
Up to 75% of traffic is east-west (W <-> E in the figure)
Virtual Chassis: advantage (figure)
Core switches (128 Gig) connected to distribution switches over 10 Gig links, with access switches below
Multi-building campus deployment example
- Utilize the same MM fiber
- One-switch LAN: 1 to manage, 1 to upgrade, 1 software version
- No L2 loop / no STP required
- High availability: redundant power/cooling, redundant switch fabric, sub-second convergence in case of device/link failure
- Integrated access security
- Integrated QoS for voice/video/data
- Local L3/L2 processing: peer-to-peer traffic can be processed by the VC ring itself, no need to load the core
- Optimized for voice and video over IP, as inter-building traffic bypasses the core switch
Figure: EX4200 Virtual Chassis in Admin Bldg 1, Lab Bldg 2, Classroom Bldg 3, Classroom Bldg 4 and Recreation Bldg 5, joined by GbE/10GbE VCP links, with 1GbE uplinks and a WAN connection; one Virtual Chassis to manage for the entire campus backbone
Distributed core with 8-member VC (figure: EX4200 and EX4500 members at Locations A, B, C and D)
- One core switch to manage across multiple sites
- Sites could be campus or DC or both; common hardware and operating system
- Seamless virtual workload mobility across sites
TRANSFORM THE NETWORK: One Network
- Flat, any-to-any connectivity
- Single device (N=1)
Switch fabric: the data plane is flat and any-to-any; the control plane is a single device with shared state
A fabric has the performance and simplicity of a single switch and the scalability and resilience of a network
Chassis switch, end of row (figure)
- Single point of management
- Cabling complexity
QFabric: evolving the single switch model (figure: chassis switch with Route Engine, Fabric and I/O Modules beside QFabric with Director, Interconnect and Node)
- Separate the I/O modules from the fabric and replace copper traces with fiber links
- For redundancy, add multiple Interconnect devices
- Federated control and intelligent Nodes: one logical switch
QFabric family summary
- Scalability: QFX3000-M, 10s to 768 ports; QFX3000-G, 10s to 6,144 ports
- Performance: low jitter, <3us on average (QFX3000-M) and <5us on average (QFX3000-G); lossless, DCB compliant
- Storage: end-to-end FCoE; FCoE/FC gateway and FCoE/iSCSI transit switch
- Simplicity: N=1; runs Junos; rich functionality
- Designed for the modern DC: virtualization and convergence, seamless Layer 2 and Layer 3, flexible VLAN capability
Approaches to securing virtual servers
1. VLAN segmentation
   - Each VM in a separate VLAN; inter-VM communications must route through the firewall
   - Drawback: possibly complex VLAN networking
2. Agent-based
   - Each VM has a software firewall
   - Drawback: significant performance implications; huge management overhead of maintaining software and signatures on 1000s of VMs
3. Kernel-based firewall
   - VMs can securely share VLANs
   - Inter-VM traffic always protected
   - High performance from implementing the firewall in the kernel
   - Micro-segmenting capabilities
Figure: three ESX hosts, each running VM1, VM2 and VM3 on a hypervisor; in the agent-based host FW agents run inside each VM, in the kernel-based host the FW runs as a kernel module
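The difference between approach 1 and approach 3 comes down to where the policy decision is taken. The following added example (not Juniper's code and not vGW's policy model) models both: a VLAN-only check, under which two VMs in the same VLAN never see a firewall at all, and a hypervisor-kernel policy keyed on VM identity (a "security group" attribute, assumed here) that is evaluated on every inter-VM flow regardless of VLAN. VM names, groups, ports and rules are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    vlan: int
    group: str  # security group the hypervisor firewall keys its policy on (assumed)


@dataclass(frozen=True)
class Flow:
    src: VM
    dst: VM
    dport: int


@dataclass(frozen=True)
class Rule:
    src_group: str  # "*" matches any group
    dst_group: str
    dport: Optional[int]  # None matches any port
    action: str  # "allow" or "deny"


def vlan_only_policy(flow: Flow) -> str:
    """Approach 1 with no hypervisor firewall: traffic between two VMs in the
    same VLAN is switched directly and never reaches the perimeter firewall,
    so the VLAN boundary is the only enforcement point."""
    if flow.src.vlan == flow.dst.vlan:
        return "allow"
    return "route-to-firewall"


def kernel_fw_policy(flow: Flow, rules: List[Rule]) -> str:
    """Approach 3: per-VM policy evaluated in the hypervisor kernel on every
    inter-VM flow. First matching rule wins; no match means deny. VLAN
    membership plays no part, so VMs can share a VLAN and still be isolated."""
    for rule in rules:
        if rule.src_group not in ("*", flow.src.group):
            continue
        if rule.dst_group not in ("*", flow.dst.group):
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        return rule.action
    return "deny"


def evaluate(flows: List[Flow], rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (VLAN-only decision, kernel firewall decision) for each flow."""
    return [(vlan_only_policy(f), kernel_fw_policy(f, rules)) for f in flows]


# Constructed sample: three VMs on one ESX host, all sharing VLAN 10.
WEB1 = VM("web1", 10, "web")
WEB2 = VM("web2", 10, "web")
DB1 = VM("db1", 10, "db")

# Constructed micro-segmentation policy: the web tier may reach the database
# on 3306 and web servers may talk to each other on 80; everything else is denied.
RULES = [
    Rule("web", "db", 3306, "allow"),
    Rule("web", "web", 80, "allow"),
]

SAMPLE_FLOWS = [
    Flow(WEB1, DB1, 3306),  # legitimate application traffic
    Flow(WEB1, DB1, 22),    # SSH from a web VM to the database VM
    Flow(WEB2, WEB1, 80),   # web-to-web on 80
    Flow(DB1, WEB1, 22),    # database VM reaching back into the web tier
]

if __name__ == "__main__":
    for flow, (vlan_only, kernel) in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS, RULES)):
        print(f"{flow.src.name}->{flow.dst.name}:{flow.dport}  "
              f"vlan-only={vlan_only}  kernel-fw={kernel}")
```

With all three VMs in one VLAN, the VLAN-only model allows every flow in the sample, including SSH from the web tier into the database VM; the kernel policy allows only the two flows the rules name. Splitting each VM into its own VLAN would force the same flows through the perimeter firewall, which is the "complex VLAN networking" drawback the slide lists.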
vGW firewall performance: TCP throughput test (standard 1500-byte packet size). See slide notes for details.
Juniper is a recognized industry leader in security
- Leaders Quadrant in four categories: Network Access Control, SIEM/STRM, SSL VPN, FW/IPSec VPN
- Visionaries Quadrant in: Intrusion Prevention
Inconvenient statistics
- 70% of ALL threats are at the Web application layer (Gartner)
- 73% of organizations have been hacked in the past two years through insecure Web apps (Ponemon Institute)
WAF is not enough
- Threats: bot nets, targeted scanners, IP scanners, manual hacking
- WAF limitations: reliance on signatures, static attack surface, no understanding of attackers, reactive
WAF is not enough
WAFW00F can fingerprint WAF products protecting a website. It can already profile 20 WAF products.
Source: http://code.google.com/p/waffit/source/browse/trunk/wafw00f.py
5 attack phases: APT behaviour
- Phase 1, Silent Reconnaissance: attackers profile physical and virtual devices and applications
- Phase 2, Attack Vector Establishment: weaknesses in the attack surface identified for attack
- Phase 3, Attack Implementation: attacks launched to take control of device, application or VM; can be used to begin further reconnaissance
- Phase 4, Attack Automation: repeat attack to increase effectiveness, increase profit or extract more data
- Phase 5, Maintenance: evade patching and remediation measures to stop the attack
(Slide annotations: "WAF Plays Here"; "Plays Here")
The Junos WebApp Secure (MYKONOS) advantage: deception-based security
- Detect: tar traps detect threats without false positives
- Track: track IPs, browsers, software and scripts
- Profile: understand attackers' capabilities and intents
- Respond: adaptive responses, including block, warn and deceive
Detection by deception: tar traps (figure)
Tar traps are placed in query string parameters, hidden input fields and server configuration, along the path client -> network perimeter firewall -> app server -> database
Fingerprint of an attacker
- 200+ attributes used to create the fingerprint, including timezone, browser version, fonts, browser add-ons and IP address
- Near real-time availability of fingerprints
- False positives nearly zero
Smart profile of attacker
- Attacker local name (on machine)
- Attacker global name (in Spotlight)
- Attacker threat level
- Incident history
Respond and deceive: Junos WebApp Secure responses
- Threat types: human hacker, botnet, targeted scan, IP scan, scripts & tools, exploits
- Responses: warn attacker, block user, force CAPTCHA, slow connection, simulate broken application, force log-out
All responses are available for any type of threat. Highlighted responses are most appropriate for each type of threat.
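The four slides above (tar traps, fingerprinting, attacker profile, responses) describe one pipeline: a request touches a value no legitimate client would ever touch, the hit is recorded against a client fingerprint rather than just an IP, and the accumulated threat level selects a response. The added example below is an illustration of that pipeline, not Junos WebApp Secure code. The trap names (`debug_mode`, `__account_tier`), the attribute set, the incident weights and the response thresholds are all assumptions constructed for the example; the product uses 200+ attributes, this uses five.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Tar traps: values the application emits but that no legitimate client ever
# sends back changed. Names and values are constructed for this example.
TRAP_QUERY_PARAM = "debug_mode"        # never appears in any real link or form
TRAP_HIDDEN_FIELD = "__account_tier"   # hidden input, always emitted as "standard"
TRAP_HIDDEN_VALUE = "standard"

# Weight of each incident type in the threat level (assumed values).
INCIDENT_WEIGHT = {"query-trap-used": 1, "hidden-field-tampered": 2}


def fingerprint(client: Dict[str, str]) -> str:
    """Stable identifier derived from client attributes (timezone, browser
    version, fonts, add-ons, IP). Canonical JSON makes attribute order
    irrelevant, so the same client yields the same fingerprint every time."""
    canonical = json.dumps(client, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


@dataclass
class Profile:
    fingerprint: str
    incidents: List[str] = field(default_factory=list)  # incident history

    @property
    def threat_level(self) -> int:
        return sum(INCIDENT_WEIGHT.get(i, 1) for i in self.incidents)


def detect_tar_trap(request: dict) -> Optional[str]:
    """Return an incident name if the request touched a tar trap, else None.
    Legitimate clients never send the trap query parameter and always return
    the hidden field unchanged (or not at all), so a hit is not a guess."""
    if TRAP_QUERY_PARAM in request.get("query", {}):
        return "query-trap-used"
    form = request.get("form", {})
    if TRAP_HIDDEN_FIELD in form and form[TRAP_HIDDEN_FIELD] != TRAP_HIDDEN_VALUE:
        return "hidden-field-tampered"
    return None


def choose_response(profile: Profile) -> str:
    """Escalating ladder built from the slide's response list; thresholds assumed."""
    level = profile.threat_level
    if level == 0:
        return "allow"
    if level == 1:
        return "warn"
    if level == 2:
        return "captcha"
    if level <= 4:
        return "slow-connection"
    return "block"


def process(requests: List[dict]) -> Tuple[Dict[str, Profile], List[str]]:
    """Run detection over a request stream, accumulating incidents per
    fingerprint, and return the profiles plus the per-request decisions."""
    profiles: Dict[str, Profile] = {}
    decisions: List[str] = []
    for req in requests:
        fp = fingerprint(req["client"])
        profile = profiles.setdefault(fp, Profile(fp))
        incident = detect_tar_trap(req)
        if incident is not None:
            profile.incidents.append(incident)
        decisions.append(choose_response(profile))
    return profiles, decisions


# Constructed clients (attribute order deliberately differs from a real capture).
CLIENT_A = {"ip": "203.0.113.7", "tz": "UTC+5", "browser": "X/1.0",
            "fonts": "Arial,Courier", "addons": "none"}
CLIENT_B = {"ip": "198.51.100.9", "tz": "UTC-8", "browser": "Y/2.0",
            "fonts": "Helvetica", "addons": "pdf"}

# Constructed request stream: A probes the query trap and then alters the
# hidden field; B submits the hidden field unchanged, as a browser would.
SAMPLE_REQUESTS = [
    {"client": CLIENT_A, "query": {"page": "1"}, "form": {}},
    {"client": CLIENT_A, "query": {"page": "1", TRAP_QUERY_PARAM: "1"}, "form": {}},
    {"client": CLIENT_B, "query": {}, "form": {TRAP_HIDDEN_FIELD: TRAP_HIDDEN_VALUE}},
    {"client": CLIENT_A, "query": {}, "form": {TRAP_HIDDEN_FIELD: "admin"}},
]

if __name__ == "__main__":
    profiles, decisions = process(SAMPLE_REQUESTS)
    for req, decision in zip(SAMPLE_REQUESTS, decisions):
        print(fingerprint(req["client"]), decision)
    for p in profiles.values():
        print(p.fingerprint, "threat level", p.threat_level, p.incidents)
```

Two points carry over from the slides. The near-zero false-positive claim rests on the trap never being part of a legitimate flow: request 3 returns the hidden field untouched and produces no incident, only a changed value or a use of the trap parameter does. And because incidents accumulate against the fingerprint rather than the IP, client A's second hit escalates the response even though each request on its own would only have earned a warning.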
Solution slides: Mobility & BYOD
THE HISTORY OF BUSINESS CONNECTIVITY
- Devices: terminals -> PCs -> laptops -> mobile devices
- Networks: serial networks -> Ethernet networks -> casual wireless -> primarily wireless
Juniper wireless today
- Over 6,000 customers; 1M+ AP installed base since 2005
- Healthcare, education (higher ed & K-12), hospitality
- Presence in Fortune 500: Shell, Chevron, Alcoa, Audi, VW
- Many mission-critical environments: University of Minnesota (18,000 AP, 300 buildings, 1,200 acres); Belfast Health & Social Care Trust (2,220 AP, 7 hospitals, 22,000 staff)
- Largest WLAN patent portfolio today: 17 issued patents, 49 pending
- Proven technology track record: simple, secure, mobile, real-time location aware
- Differentiating WLAN innovations: seamless roaming, life cycle management, intelligent switching, controller virtualization, identity-based networking, unified mobility services
Juniper Networks wireless LAN evolution
- Fat AP architecture (local switching): optimized for performance, not for security, management or reliability
- Thin AP architecture (central switching): optimized for security and management, not for reliability or performance
- Juniper WLAN architecture (local AND central switching): optimized for security, management, reliability and performance
Copyright 2011 Juniper Networks, Inc. www.juniper.net
DISTRIBUTED SWITCHING MAXIMIZES SCALABILITY
Centralized-only switching (Cisco & Aruba) breaks down under the increased load from 802.11n:
- 802.11n increases load by up to 10x, exceeding controller capacity
- All traffic gets forwarded by the controller; twice the traffic through the network core
- Can't scale without expensive upgrades
Distributed switching (Juniper) handles 802.11n without breaking down:
- Traffic can be forwarded by the AP; optimized traffic flows, ideal for voice
- 802.11n has no impact on the controller
- Scales in place without upgrades
RESILIENCY ADVANTAGE OF WLAN VIRTUALIZATION
Hot standby approach (Aruba):
- Catastrophic failure: dropped user sessions (imagine a voice call)
- APs restart using the hot standby controller
- No AP load balancing across controllers
- Fully loaded hot standby required
Controller virtualization (Juniper):
- Hitless failover even for active sessions (including voice calls)
- APs instantly remapped to an in-service controller
- Dynamic AP load balancing across controllers
- No additional equipment required
Core differentiator: CONTROLLER CLUSTERING
Competitors' complex approach (Vendor A, Vendor B: hot stand-by or back-up controller):
- Discrete controllers operate independently for AP redundancy configuration
- Harder to scale, since adding capacity is cumbersome
- Limited resiliency: APs mapped directly to a controller and reset upon network/device failure
- Limited reliability: N+1 (limited to the number of designated back-up switches)
- Difficult to manage, highest cost of ownership
Juniper's simplified approach (Controllers A, B and C clustered):
- Clustered controllers act collectively as a single virtual controller for wireless configuration
- Easy to scale: capacity can be added in chunks, anywhere in the network
- Highest resiliency: APs dynamically map to controllers; optimized, automatic AP load balancing
- Always-on reliability: many-to-many redundancy, all switches can serve as back-up
- Easiest to manage, lowest cost of ownership