Zero Trust Security with Software-Defined Secure Networks
Srinivas Nimmagadda and Pradeep Nair, Juniper Networks
This statement of direction sets forth Juniper Networks current intention and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted in this presentation. This presentation contains proprietary roadmap information and should not be discussed or shared without a signed non-disclosure agreement (NDA).
Objectives
- Security architectural challenges
- Introduce SDSN
- SDSN for campus & branch
- SDSN for multicloud
- Demo(s)
Security Challenge
Threat sophistication:
- Advanced, persistent, targeted attacks
- Automated workflows
- Insider attacks
Cloud & IoT:
- Application agility and scale (cloud)
- Diversity and scale (IoT)
Current security:
- Perimeter-only security
- Complex rule sets
- Manual workflows
Software Defined Secure Network
Detection:
- Machine learning & AI malware detection
- Intrusion prevention, SIEM (JSA)
- Threat feeds: command & control, GeoIP etc.
Policy:
- User intent based policy model
- Robust visibility and management
Enforcement:
- Perimeter firewalls, switches & routers
- SDN platforms (VMware NSX, Contrail)
- Public cloud (AWS etc.)
Network as a security enforcement system
Network Role in Security
- Firewall: stateful but perimeter oriented; content inspection (user & app, IPS, AV, URL etc.)
- Switch: closest to the end-point, stateless; remove/quarantine from network
- Router: network edge, stateless; BGP Flowspec, blackhole, honeypot, DDoS
- SDN: closest to applications; dynamic network service chain
Zero Trust Security Model
Perimeter security:
- Outside (untrusted), internal (trusted)
- Hyper-connected network with security at the perimeter
- Lateral threat propagation
- Complex security policies
- Limited visibility
Secure network:
- Outside (untrusted), internal (also untrusted)
- Block lateral threat propagation
- User intent based policies
- Comprehensive visibility
SDSN Campus Threat Remediation
SDSN Threat Management
Manual threat workflows:
- Feeds: endpoint security, CnC & GeoIP feeds, vendor-specific threat feeds
- Incident response: malware found -> ticket -> net-sec operations -> ticket
- Multiple teams
- Enforcement delays
Threat management automation:
- Sky Advanced Threat Prevention, custom/3rd party feeds and JSA/SIEM feed the SDSN Policy Enforcer
- Cohesive threat management system
- Open API and 3rd party threat feed collation
- Threat detection
- Automation across network & security
Physical Network Level Threat Remediation
Workflow: Sky ATP -> SDSN Policy Enforcer -> connector framework (network connector) -> RADIUS messages -> RADIUS server -> 3rd party access switch
- Real-time remediation of infected hosts
- Mobility of infected end points across different networks
- Reduced time to remediate = reduced exposure to attacks
- Threat remediation for IP-based IoT devices
Threat detection:
- Malware: zero-day & known malware with Sky ATP
- Command & control: botnet traffic
- GeoIP: geo-specific security controls
- Custom threat feeds: custom blacklist, whitelist, IP filter, DDoS and other threat feeds
Enforcement:
- Juniper: SRX, vSRX, QFX and EX
- 3rd party: access switches with Forescout, Aruba ClearPass or Cisco ISE configured
- Wireless: WLCs with RADIUS (AAA) configured
SDSN for Multicloud
SDSN - Journey to Multicloud
Threat remediation:
- Campus malware protection (new)
- DDoS threat feeds
- MX BGP Flowspec (1H 2018)
- JSA integration
User intent policy:
- Sites & policy groups (new)
- Dynamic policy actions (new)
- Meta data policies
Multicloud (new):
- VMware NSX (1H 2018)
- Contrail (1H 2018)
- AWS
Dynamic Policy Actions
Evaluate this condition, take the corresponding actions:
SRC        DEST            CONDITION              ACTIONS
Employees  Internet video  Threat level = GREEN   PERMIT (normal access policy)
Employees  Internet video  Threat level = ORANGE  PERMIT, LOG, IPS (enable additional logging & IPS)
Employees  Internet video  Threat level = RED     DENY (disable service access)
Benefits:
1. Security policy that dynamically adapts to an ever-changing security environment
2. No need to hire developers, but still achieve agility with a DevOps model
3. OpEx savings
Application Evolution
Physical DC:
- Separate application, server, network, security and storage teams
- 2-6 weeks to provision
- Ticket oriented workflows
Virtual DC:
- Virtualization
- Few minutes to provision compute, but weeks to provision network & security
- Shorter lifespan of apps
Private cloud:
- Containerization & microservices
- Scale and average life span
- Automation
Multicloud:
- Consistent policy across domains
- Compliance and monitoring
- DevOps
IT Operational Models Changing
Traditional IT (waterfall) model, 2-6 weeks, repeated for each application:
- Development team: builds the application(s)
- Server team: procure servers
- Network team: provision network
- Security team: secure application
- Storage team: provision storage
- Operations team: launch and operate apps & infra
Cloud operational model:
- Cloud (security) team: blueprints and templates for all applications based on meta-data
- Development team: builds the application(s)
- Dev/Ops team: launch and operate apps & infra
Meta Data Based Policies
1. Define meta data (security team):
   Attribute  Possible values
   STAGE      DEVTEST, STAGING, PROD
   PCI        TRUE, FALSE
2. Create rules (security team), rules with DAG:
   SRC            DEST                         ACTIONS
   STAGE=DEVTEST  STAGE=PROD <AND> PCI = TRUE  DENY
3. Assign meta-data (DevOps team):
   Name  IP address  Meta-data
   Foo   70.20.1.6   STAGE=DEVTEST, PCI=FALSE, <custom>
   Bar   80.10.2.4   STAGE=PROD, <custom>
   Enforced on SRX; DAG updates do not require a commit.
Benefits:
1. Better fit for cloud based policy workflows
2. Contextual picture about each end point in the network
3. Portable policy across different domains
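The metadata-based rules and the threat-level conditions from the two slides above (Dynamic Policy Actions and Meta Data Based Policies), as an added worked example in Python. It is not part of the original deck or Juniper's software: the rule names, the threat-level ordering, the third endpoint (Baz) and the PCI value given to Bar are constructed for the example. Dynamic address groups (DAGs) are recomputed from endpoint metadata at lookup time, so a metadata change on an endpoint changes the verdict without any rule edit or commit, which is the point the slide makes.

```python
"""Metadata-based policy evaluated through dynamic address groups (DAGs),
with rule actions that change with the threat level.

Added illustration; not Juniper code.  Inventory entries, rule names and the
threat-level ordering are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address

THREAT_LEVELS = ("GREEN", "ORANGE", "RED")  # low to high, as on the slide


@dataclass
class Endpoint:
    name: str
    ip: str
    metadata: dict  # e.g. {"STAGE": "PROD", "PCI": "TRUE"}


@dataclass
class Rule:
    name: str
    src: dict      # metadata selector for the source DAG ({} = any endpoint)
    dst: dict      # metadata selector for the destination DAG
    actions: dict  # threat level -> actions; a level without its own entry
                   # inherits the actions of the highest level below it

    def __post_init__(self):
        if "GREEN" not in self.actions:
            raise ValueError(f"{self.name}: a GREEN (normal) action is required")

    def actions_for(self, level):
        idx = THREAT_LEVELS.index(level)
        defined = [lvl for lvl in THREAT_LEVELS[: idx + 1] if lvl in self.actions]
        return list(self.actions[defined[-1]])


def selector_matches(metadata, selector):
    """All selector attributes must equal the endpoint's metadata (AND semantics)."""
    return all(metadata.get(key) == value for key, value in selector.items())


class PolicyEnforcer:
    def __init__(self, rules):
        self.rules = list(rules)
        self.inventory = {}  # ip -> Endpoint

    def upsert_endpoint(self, endpoint):
        """Add or update an endpoint.  DAGs are derived on lookup, so this is
        the 'DAG update without commit' step: rules stay untouched."""
        self.inventory[str(ip_address(endpoint.ip))] = endpoint

    def dag(self, selector):
        """A dynamic address group: the IPs whose metadata matches the selector."""
        return {ip for ip, ep in self.inventory.items()
                if selector_matches(ep.metadata, selector)}

    def evaluate(self, src_ip, dst_ip, threat_level="GREEN"):
        """First matching rule wins; no match falls through to deny."""
        for rule in self.rules:
            if src_ip in self.dag(rule.src) and dst_ip in self.dag(rule.dst):
                return rule.name, rule.actions_for(threat_level)
        return "default", ["DENY"]


# Rule 1 is the slide's rule (DEVTEST -> PROD AND PCI=TRUE: DENY).  Rule 2 is a
# constructed rule showing threat-level dependent actions for the rest of PROD.
RULES = [
    Rule("devtest-to-pci-prod", src={"STAGE": "DEVTEST"},
         dst={"STAGE": "PROD", "PCI": "TRUE"}, actions={"GREEN": ["DENY"]}),
    Rule("devtest-to-prod", src={"STAGE": "DEVTEST"}, dst={"STAGE": "PROD"},
         actions={"GREEN": ["PERMIT"], "ORANGE": ["PERMIT", "LOG", "IPS"],
                  "RED": ["DENY"]}),
]


def build_demo_enforcer():
    """Foo and Bar are from the slide; Baz and Bar's PCI value are constructed."""
    enforcer = PolicyEnforcer(RULES)
    enforcer.upsert_endpoint(Endpoint("Foo", "70.20.1.6", {"STAGE": "DEVTEST", "PCI": "FALSE"}))
    enforcer.upsert_endpoint(Endpoint("Bar", "80.10.2.4", {"STAGE": "PROD", "PCI": "TRUE"}))
    enforcer.upsert_endpoint(Endpoint("Baz", "80.10.2.9", {"STAGE": "PROD", "PCI": "FALSE"}))
    return enforcer


if __name__ == "__main__":
    enforcer = build_demo_enforcer()
    for level in THREAT_LEVELS:
        print(level, enforcer.evaluate("70.20.1.6", "80.10.2.9", level))
    # Re-tagging Baz as PCI moves it into the PCI DAG; no rule edit needed.
    enforcer.upsert_endpoint(Endpoint("Baz", "80.10.2.9", {"STAGE": "PROD", "PCI": "TRUE"}))
    print("after DAG update", enforcer.evaluate("70.20.1.6", "80.10.2.9"))
```

Rules are ordered most specific first; because a DAG is a set of addresses computed from current metadata, the same rule set gives the right verdict in every domain that supplies the STAGE and PCI attributes, which is the portability benefit the slide lists.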
VMware NSX Integration
VMware NSX Micro-Segmentation
Topology: SRX perimeter firewall -> DMZ VLAN -> SRX inside firewall -> App VLAN (Finance, HR, IT), DB VLAN (Finance, HR, IT), Services VLAN (Finance, HR, IT: AD, NTP, DHCP, DNS, CERT); vSRX for east-west traffic
- Traffic between apps on the same VLAN can now be firewalled
- vSRX protects against lateral movement of attacks inside the network
- Dynamic VM posture based security orchestration
- Visibility for east-west traffic
NSX Integration: Initial vSRX Provisioning
Actors: cloud admin (NSX Manager) and security admin (SD Policy Enforcer); ESXi Host-1 and Host-2 each run an NSX virtual switch, DFW, VMs and a vSRX, connected through a ToR switch
0. NSX deployed and SD/PE installed
1. SD registers the vSRX service with NSX
2. NSX provisions vSRX on all NSX hosts
3. NSX provisions vSRX redirection rules
4. SD provisions licenses & default policy for vSRX
Initial provisioning complete; vSRX sees no traffic at this stage.
NSX Integration: Policy Management
0. NSX security groups = VM groups
1. NSX admin creates traffic redirection to vSRX: SRC=Any, DEST=PCI_SG, ACTION=REDIRECT-vSRX
2. NSX provisions the traffic redirection policy for vSRX for all VMs
3. NSX sends SGs & SG members to PE; PE creates dynamic address groups for SD; the security admin can use NSX SGs in policy; policy can be for N-S (physical SRX) and E-W (NSX vSRX)
4. SD pushes out policy to vSRX
Ongoing synchronization of NSX SGs with PE & SD.
Packet Flow: Host-to-Host Traffic
Each ESXi host runs the NSX virtual switch, DFW and redirect rules in kernel space and the VMs and vSRX in user space, joined by a VMCI channel; hosts connect through a ToR switch.
1. Source VM on Host-1 sends traffic through its vNIC
2. NSX DFW processes the traffic
3. Redirect rules decide whether to forward traffic to vSRX
4. vSRX processes traffic
5. Physical network transports traffic to the destination host
6. Redirect rules decide whether to forward traffic to vSRX
7. vSRX processes traffic
8. DFW processes traffic
9. Destination VM receives traffic
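A model of the nine-step path above, together with the redirection rule from the Policy Management slide (SRC=Any, DEST=PCI_SG, ACTION=REDIRECT-vSRX), as an added example in Python; it is not NSX or Juniper code. Host names, VM names, security-group membership, the DFW drop list and the vSRX verdicts are constructed; the point it shows is which stages a packet actually visits, that traffic outside a redirected group never reaches the vSRX, and that a security-group membership change alone changes the path.

```python
"""Model of the NSX host-to-host packet path with vSRX service insertion.

Added illustration; not NSX or Juniper code.  Security-group membership, the
redirection rule, DFW drops and vSRX verdicts are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    vms: set                                       # VMs resident on this ESXi host
    dfw_blocked: set = field(default_factory=set)  # (src, dst) pairs the host DFW drops


@dataclass
class Fabric:
    hosts: list
    security_groups: dict  # NSX SG name -> set of VM names (what NSX syncs to PE/SD)
    redirect_rules: list   # (src_sg, dst_sg); None = Any; matching traffic goes to vSRX
    vsrx_deny: set         # (src, dst) pairs the vSRX security policy denies (constructed)

    def host_of(self, vm):
        return next(h for h in self.hosts if vm in h.vms)

    def in_sg(self, vm, sg):
        return sg is None or vm in self.security_groups.get(sg, set())

    def redirected(self, src, dst):
        return any(self.in_sg(src, s) and self.in_sg(dst, d) for s, d in self.redirect_rules)

    def deliver(self, src, dst):
        """Walk the packet through both hosts.  Returns (delivered, stages visited)."""
        src_host, dst_host = self.host_of(src), self.host_of(dst)
        path = [f"{src}:vnic"]
        for host, stage in ((src_host, "egress"), (dst_host, "ingress")):
            path.append(f"{host.name}:{stage}-dfw")          # steps 2 and 8
            if (src, dst) in host.dfw_blocked:
                return False, path
            path.append(f"{host.name}:redirect")             # steps 3 and 6
            if self.redirected(src, dst):
                path.append(f"{host.name}:vsrx")             # steps 4 and 7
                if (src, dst) in self.vsrx_deny:
                    return False, path
            if stage == "egress" and src_host is not dst_host:
                path.append("tor-switch")                    # step 5
        path.append(f"{dst}:vnic")                           # step 9
        return True, path


def build_demo_fabric():
    """Two hosts; only db-1 is in PCI_SG, so only traffic to db-1 is redirected."""
    return Fabric(
        hosts=[Host("esxi-host-1", {"web-1", "app-1"}),
               Host("esxi-host-2", {"app-2", "db-1"}, dfw_blocked={("web-1", "app-2")})],
        security_groups={"PCI_SG": {"db-1"}},
        redirect_rules=[(None, "PCI_SG")],  # SRC=Any, DEST=PCI_SG, ACTION=REDIRECT-vSRX
        vsrx_deny={("web-1", "db-1")},      # constructed vSRX policy: web tier may not reach DB
    )


if __name__ == "__main__":
    fabric = build_demo_fabric()
    for flow in (("app-1", "db-1"), ("web-1", "db-1"), ("app-1", "app-2")):
        print(flow, fabric.deliver(*flow))
    fabric.security_groups["PCI_SG"].add("app-2")  # SG change synced from NSX
    print(("app-1", "app-2"), fabric.deliver("app-1", "app-2"))
```

The path for a redirected cross-host flow has exactly the nine stages of the slide; the DFW still runs on both hosts for every flow, while the vSRX only sees flows the redirect rule selects, which is why a mistake in security-group membership silently bypasses L7 inspection and why the ongoing SG synchronization on the previous slide matters.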
Dynamic Threat Remediation
Components: Sky ATP (infected host feed), Policy Enforcer, Security Director, SRX or vSRX, DMZ VLAN
1. Perimeter SRX forwards relevant traffic to Sky ATP
2. Sky ATP identifies malware and infected hosts and passes this information (infected host feed) to Policy Enforcer
3. Policy Enforcer:
   1. Pushes policy to SRX through SD related to infected host access
   2. Tags infected VMs using NSX Manager (assigns a security tag to infected hosts)
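The feed-to-enforcement workflow on this slide and on the Physical Network Level Threat Remediation slide (access-switch quarantine through RADIUS, quarantine following an endpoint that moves between networks), as an added worked example in Python. It is not Juniper's Policy Enforcer code: the feed format, inventory, quarantine threshold and the action records (a RADIUS change-of-authorization request for an access switch, a security tag for an NSX VM, a dynamic address group update on the SRX) are constructed abstractions, not the real Sky ATP, RADIUS or NSX APIs. What it shows is the state the enforcer must keep for automation to be safe: a durable identity (MAC or VM id) rather than an IP, so that quarantine follows the host and is lifted cleanly when the feed reports it resolved.

```python
"""Infected-host feed to network enforcement, with endpoint mobility.

Added illustration; not Juniper code.  The feed format, inventory, threshold
and all action records are constructed abstractions.
"""
import json

QUARANTINE_THRESHOLD = 5  # constructed: feed entries at or above this level are remediated
INFECTED_TAG = "INFECTED"

# Constructed infected-host feed: one JSON record per line.
FEED = (
    '{"host_ip": "10.1.20.15", "threat_level": 8, "status": "infected"}\n'
    '{"host_ip": "10.2.30.40", "threat_level": 3, "status": "infected"}\n'
    '{"host_ip": "172.16.9.21", "threat_level": 9, "status": "infected"}\n'
)

# Constructed inventory: IP -> durable identity (MAC or VM id) and attachment point.
INVENTORY = {
    "10.1.20.15": {"id": "00:11:22:33:44:55", "kind": "switch", "device": "access-sw-1", "port": "ge-0/0/7"},
    "10.2.30.40": {"id": "00:11:22:33:44:66", "kind": "switch", "device": "access-sw-2", "port": "ge-0/0/3"},
    "172.16.9.21": {"id": "vm-2041", "kind": "nsx", "device": "nsx-manager", "port": None},
}


class PolicyEnforcer:
    def __init__(self, inventory):
        self.inventory = {ip: dict(entry) for ip, entry in inventory.items()}
        self.quarantined = {}  # identity -> threat level that triggered quarantine
        self.srx_dag = set()   # members of the SRX "infected hosts" dynamic address group

    def _connector_action(self, entry, quarantine):
        """Enforcement record for whichever connector owns the endpoint's attachment point."""
        if entry["kind"] == "switch":
            return {"target": entry["device"], "op": "radius-coa", "mac": entry["id"],
                    "port": entry["port"], "action": "quarantine" if quarantine else "restore"}
        return {"target": entry["device"], "op": "tag-vm" if quarantine else "untag-vm",
                "vm": entry["id"], "tag": INFECTED_TAG}

    def _enforce(self, ip, entry):
        self.srx_dag.add(ip)
        return [{"target": "srx", "op": "dag-add", "ip": ip},
                self._connector_action(entry, quarantine=True)]

    def _release(self, ip, entry):
        self.srx_dag.discard(ip)
        self.quarantined.pop(entry["id"], None)
        return [{"target": "srx", "op": "dag-remove", "ip": ip},
                self._connector_action(entry, quarantine=False)]

    def ingest(self, feed_text):
        """Process feed records and return the enforcement actions they produced."""
        actions = []
        for line in feed_text.splitlines():
            if not line.strip():
                continue
            record = json.loads(line)
            ip = record["host_ip"]
            entry = self.inventory.get(ip)
            if entry is None:
                # Nothing to enforce on; hand the unknown host to operations instead.
                actions.append({"target": "ops", "op": "unknown-host", "ip": ip})
            elif record.get("status") == "resolved":
                actions.extend(self._release(ip, entry))
            elif record.get("threat_level", 0) >= QUARANTINE_THRESHOLD:
                self.quarantined[entry["id"]] = record["threat_level"]
                actions.extend(self._enforce(ip, entry))
            else:
                # Below threshold: keep the evidence in the SIEM, no enforcement.
                actions.append({"target": "siem", "op": "log", "ip": ip,
                                "threat_level": record.get("threat_level", 0)})
        return actions

    def endpoint_moved(self, identity, new_ip, device, port):
        """Endpoint re-attached elsewhere: quarantine follows the identity, not the old IP."""
        old_ip = next((ip for ip, e in self.inventory.items() if e["id"] == identity), None)
        if old_ip is None:
            raise KeyError(identity)
        entry = self.inventory.pop(old_ip)
        self.srx_dag.discard(old_ip)
        entry.update({"device": device, "port": port})
        self.inventory[new_ip] = entry
        if identity not in self.quarantined:
            return []
        return [{"target": "srx", "op": "dag-remove", "ip": old_ip}] + self._enforce(new_ip, entry)


if __name__ == "__main__":
    enforcer = PolicyEnforcer(INVENTORY)
    for action in enforcer.ingest(FEED):
        print(action)
    for action in enforcer.endpoint_moved("00:11:22:33:44:55", "10.3.7.8", "access-sw-9", "ge-0/0/1"):
        print("after move:", action)
```

The SRX block and the switch or NSX quarantine are issued together so that a host is isolated both at the perimeter and at its access point, and the release path reverses both; keying state on the MAC or VM id is what lets the quarantine survive the re-addressing that happens when an infected laptop joins a different network.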
Why Juniper for NSX?
- Single management footprint for north-south traffic (SRX/vSRX) and east-west traffic (vSRX on NSX); visibility and reporting for N-S and E-W traffic
- vCenter integration helps identify VMs for troubleshooting purposes
- vSRX requires the least amount of resources (2 vCPU) and delivers a high-performance NGFW solution
- License model: a single license for vSRX, AppFW & IPS subscriptions, Security Director, Policy Enforcer and support
SDSN Contrail Integration
Components: Sky ATP, SRX Series cluster, Contrail controller, vRouter; Green virtual network (VM G1, G2, G3), Red virtual network (VM R1, R2, R3), Quarantine virtual network
Threat mitigation:
- Connect to quarantine virtual network
- Block access to PCI network
- Security group changes
Micro-segmentation:
- Security policy in SD/PE for vSRX (L7, IPS etc.)
- Contrail inventory and security tag synchronization with vSRX
SDSN AWS Integration
Challenges:
- Security policy needs to support agile workloads
- Compliance for Amazon Virtual Private Cloud workloads
- Lateral threat propagation inside Amazon VPC
Components: SD Policy Enforcer with SD policy based on meta data; SD inventory & meta data synced with AWS inventory & meta data; vSRX in the Amazon VPC; workloads tagged Dept=HR, App=HRMS, PCI=FALSE; Dept=FIN, App=PAYROLL, PCI=TRUE; Dept=IT, App=CMDB, PCI=FALSE
SDSN solution (how SDSN addresses the above challenges):
- Instantiates and manages VPC-specific virtual SRX instances
- Policy Enforcer supports meta-data based policies to support agile workloads
- Access control (L3, L7 FW), IPS and threat policies based on meta-data
- AWS workload inventory and meta-data synced with Security Director
DEMO
Change in Mindset
- Hardware defined -> software/cloud defined
- Perimeter -> pervasive
- Manual enforcement -> automated
- Configuration driven -> business driven
- Closed ecosystem -> open framework
Resources
Security sessions:
- Security NOW: Stop Threats Faster (business solutions)
- Securing the Multicloud (technology focus)
- Extending Enterprise Security to Multicloud and Public Cloud (technology focus)
SDSN reference material: Google "Juniper SDSN", https://www.juniper.net/us/en/productsservices/what-is/sdsn/
THANK YOU