Zero Trust Security with Software-Defined Secure Networks


Zero Trust Security with Software-Defined Secure Networks Srinivas Nimmagadda and Pradeep Nair Juniper Networks

This statement of direction sets forth Juniper Networks current intention and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted in this presentation. This presentation contains proprietary roadmap information and should not be discussed or shared without a signed non-disclosure agreement (NDA).

Objectives
Security architectural challenges
Introduce SDSN
SDSN for campus and branch
SDSN for multicloud
Demo(s)

Security Challenge
Threat sophistication: advanced, persistent, targeted attacks; automated workflows; insider attacks.
Cloud and IoT: application agility and scale (cloud); diversity and scale (IoT).
Current security: perimeter-only security; complex rule sets; manual workflows.

Software Defined Secure Network: the network as a security enforcement system
Detection: machine learning and AI malware detection; intrusion prevention; SIEM (JSA); threat feeds (command and control, GeoIP, etc.).
Policy: user-intent-based policy model; robust visibility and management.
Enforcement: perimeter firewalls, switches and routers; SDN platforms (VMware NSX, Contrail); public cloud (AWS, etc.).

Network role in security

Element   Position in the network              Enforcement capability
Firewall  Stateful, but perimeter oriented     Content inspection: user and app, IPS, AV, URL, etc.
Switch    Closest to the endpoint; stateless   Remove or quarantine the host from the network
Router    Network edge; stateless              BGP Flowspec, blackhole, honeypot, DDoS
SDN       Closest to the applications          Dynamic network service chain

Zero Trust Security Model
Perimeter security: outside is untrusted, internal is trusted. A hyper-connected network with security only at the perimeter allows lateral threat propagation, carries complex security policies and offers limited visibility.
Secure network (zero trust): outside is untrusted and internal is also untrusted. Lateral threat propagation is blocked, policies are user-intent based, and visibility is comprehensive.

SDSN Campus Threat Remediation

SDSN Threat Management
Manual threat workflows: malware is found; tickets go to network-security operations and to endpoint security; multiple teams, vendor-specific threat feeds, and delays between detection and enforcement.
Threat management automation: feeds (C&C and GeoIP feeds, Sky Advanced Threat Prevention, custom and third-party feeds, JSA/SIEM) flow into the SDSN Policy Enforcer, which drives incident response and enforcement. Result: a cohesive threat management system, an open API with third-party threat feed collation, and automation across network and security.
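The feed collation step above is where a mistake quietly blocks the wrong hosts. The following is an added example, not Juniper code, that simulates collating C&C, GeoIP and custom feeds into one enforcement list. The feed contents are constructed (documentation address ranges), and the policy it assumes is that a whitelist (allow-list) entry always wins over any block entry that overlaps it, that a malformed feed line is skipped rather than failing the whole feed, and that the output is a minimal, de-duplicated prefix set ready to push to an enforcement point.

```python
"""Collate threat feeds into one enforcement list (added example, not Juniper code)."""
import ipaddress
from typing import Dict, Iterable, List, Set

IPv4Net = ipaddress.IPv4Network

# Constructed sample feeds (documentation ranges, not real indicators).
FEEDS: Dict[str, List[str]] = {
    "cnc":        ["203.0.113.10", "203.0.113.11", "198.51.100.0/24"],
    "geoip":      ["192.0.2.0/25", "192.0.2.128/25"],   # adjacent halves of one /24
    "custom_blk": ["203.0.113.10/32", "not-an-ip", "10.0.0.0/8"],
}
WHITELIST: List[str] = ["198.51.100.7", "10.10.0.0/16"]


def parse_prefixes(entries: Iterable[str]) -> Set[IPv4Net]:
    """Parse feed lines; a malformed line is skipped, not fatal for the feed."""
    nets: Set[IPv4Net] = set()
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            continue
        if isinstance(net, IPv4Net):
            nets.add(net)
    return nets


def subtract(block: IPv4Net, allow: IPv4Net) -> List[IPv4Net]:
    """Return the parts of `block` that are not covered by `allow`."""
    if block.subnet_of(allow):        # whole block prefix is whitelisted (incl. equal)
        return []
    if allow.subnet_of(block):        # carve the allowed hole out of the block
        return list(block.address_exclude(allow))
    return [block]                    # no overlap


def collate(feeds: Dict[str, List[str]], whitelist: List[str]) -> List[str]:
    """Union all block feeds, apply whitelist precedence, collapse to a minimal set."""
    blocked: Set[IPv4Net] = set()
    for entries in feeds.values():
        blocked |= parse_prefixes(entries)     # the set dedupes 203.0.113.10 vs /32
    allowed = parse_prefixes(whitelist)
    pieces: List[IPv4Net] = []
    for block in blocked:
        remaining = [block]
        for allow in allowed:
            remaining = [p for r in remaining for p in subtract(r, allow)]
        pieces.extend(remaining)
    # collapse_addresses merges adjacent and overlapping prefixes
    return [str(n) for n in ipaddress.collapse_addresses(pieces)]


def is_blocked(ip: str, prefixes: List[str]) -> bool:
    """Would an enforcement point holding `prefixes` block this address?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


if __name__ == "__main__":
    for prefix in collate(FEEDS, WHITELIST):
        print(prefix)
```

With the constructed feeds the two /25 GeoIP entries merge into 192.0.2.0/24, the duplicate C&C address appears once, and the whitelisted host 198.51.100.7 and the 10.10.0.0/16 range are carved out of the larger block prefixes rather than silently blocked.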

Physical Network Level Threat Remediation
Real-time remediation of infected hosts; follows infected endpoints as they move across different networks; reduced time to remediate means reduced exposure to attacks; threat remediation for IP-based IoT devices.
Flow: Sky ATP detects the threat; the SDSN Policy Enforcer acts through its connector framework (network connector) on a third-party access switch, using RADIUS messages via the RADIUS server.
Threat detection: malware, zero-day and known, with Sky ATP; command and control (botnet traffic); GeoIP (geo-specific security controls); custom threat feeds (custom blacklist, whitelist, IPFilter, DDoS and other threat feeds).
Enforcement: Juniper SRX, vSRX, QFX and EX; third-party access switches with Forescout, Aruba ClearPass or Cisco ISE configured; wireless: WLCs with RADIUS (AAA) configured.
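The "RADIUS messages" that remove an infected host from a third-party access switch are RFC 5176 Dynamic Authorization messages (Disconnect-Request or CoA-Request) sent by the policy server to the switch. The following is an added example, not Juniper or any vendor's code, that builds such a packet and verifies the switch's reply. The NAS address, shared secret, MAC and session id are constructed; the one property worth checking in practice, that a reply is only trusted when its authenticator was computed with the shared secret over this request's authenticator, is what verify_response enforces.

```python
"""RADIUS Disconnect-Request / CoA packets (RFC 5176), added example."""
import hashlib
import hmac
import ipaddress
import struct
from typing import List, Tuple

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types used here (RFC 2865/2866; Error-Cause is from RFC 5176)
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID = 31, 44
ATTR_ERROR_CAUSE = 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503

Attrs = List[Tuple[int, bytes]]


def encode_attrs(attrs: Attrs) -> bytes:
    """Each AVP is Type(1) Length(1) Value; Length counts the two header octets."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long for one AVP")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(blob: bytes) -> Attrs:
    """Parse AVPs, refusing lengths that would run past the packet."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", blob[i:i + 2])
        if l < 2 or i + l > len(blob):
            raise ValueError("malformed attribute length")
        attrs.append((t, blob[i + 2:i + l]))
        i += l
    return attrs


def build_request(code: int, ident: int, attrs: Attrs, secret: bytes) -> bytes:
    """RFC 5176 2.3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def build_response(code: int, request: bytes, attrs: Attrs, secret: bytes) -> bytes:
    """Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Accept only a reply to *this* request (same Identifier) whose authenticator
    was computed with the shared secret. An unverified NAK or ACK is worthless."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, auth, body = response[:4], response[4:20], response[20:]
    if struct.unpack("!H", header[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, auth)


def disconnect_request(mac: str, session_id: str, nas_ip: str,
                       secret: bytes, ident: int) -> bytes:
    """Disconnect-Request identifying the session by MAC, Acct-Session-Id and NAS."""
    attrs = [
        (ATTR_CALLING_STATION_ID, mac.encode()),
        (ATTR_ACCT_SESSION_ID, session_id.encode()),
        (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
    ]
    return build_request(DISCONNECT_REQUEST, ident, attrs, secret)


if __name__ == "__main__":
    secret = b"s3cret"                                   # constructed shared secret
    req = disconnect_request("00-11-22-33-44-55", "0000A1B2", "192.0.2.10", secret, 7)
    print("Disconnect-Request:", req.hex())
    # What a switch that has no such session would answer (Error-Cause 503):
    nak = build_response(DISCONNECT_NAK, req,
                         [(ATTR_ERROR_CAUSE, ERR_SESSION_CONTEXT_NOT_FOUND.to_bytes(4, "big"))],
                         secret)
    print("NAK verifies:", verify_response(nak, req, secret))
```

In a real deployment the packet goes over UDP to the switch's dynamic-authorization port (3799 by default), the Identifier is tracked per outstanding request so a reply cannot be replayed against a later one, and a NAK with Error-Cause 503 usually means the session attributes did not match what the switch knows, so the connector has to retry with the identifiers it learned from accounting.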

SDSN for Multicloud

SDSN: Journey to Multicloud
Threat remediation: campus malware protection; DDoS threat feeds (new); MX BGP Flowspec (1H 2018); JSA integration.
User intent policy: sites and policy groups (new); dynamic policy actions (new); metadata policies.
Multicloud (new): VMware NSX (1H 2018); Contrail (1H 2018); AWS.

Dynamic Policy Actions: evaluate a condition, take the corresponding actions

Source     Destination     Condition              Actions
Employees  Internet video  Threat level = GREEN   PERMIT (normal access policy)
Employees  Internet video  Threat level = ORANGE  PERMIT, LOG, IPS (enable additional logging and IPS)
Employees  Internet video  Threat level = RED     DENY (disable service access)

Benefits: 1. a security policy that adapts dynamically to an ever-changing security environment; 2. agility with a DevOps model without having to hire developers; 3. OpEx savings.

Application Evolution
Physical DC: separate application, server, network, security and storage teams; 2-6 weeks to provision; ticket-oriented workflows.
Virtual DC: virtualization; a few minutes to provision compute, but weeks to provision network and security; shorter lifespan of apps.
Private cloud: containerization and microservices; scale and average lifespan; automation.
Multicloud: consistent policy across domains; compliance and monitoring; DevOps.

IT Operational Models Are Changing
Traditional IT (waterfall) model: the development team builds the application; the server team procures servers; the network team provisions the network; the security team secures the application; the storage team provisions storage; the operations team launches and operates apps and infrastructure. 2-6 weeks, repeated for each application.
Cloud operational model: the cloud (security) team builds blueprints and templates for all applications based on metadata; the development team builds the applications; the DevOps team launches and operates apps and infrastructure.

Metadata-Based Policies
Security team, 1. define metadata:
Attribute  Possible values
STAGE      DEVTEST, STAGING, PROD
PCI        TRUE, FALSE
Security team, 2. create rules (rules on the SRX reference dynamic address groups, DAGs):
SRC            DEST                       ACTION
STAGE=DEVTEST  STAGE=PROD <AND> PCI=TRUE  DENY
DevOps team, 3. assign metadata:
Name  IP address  Metadata
Foo   70.20.1.6   STAGE=DEVTEST, PCI=FALSE, <custom>
Bar   80.10.2.4   STAGE=PROD, <custom>
DAG updates do not require a commit.
Benefits: 1. better fit for cloud-based policy workflows; 2. a contextual picture of each endpoint in the network; 3. portable policy across different domains.
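The two policy ideas above, dynamic actions keyed on threat level and metadata rules whose address groups follow the inventory, are easiest to see together. The following is an added example, not Security Director or Policy Enforcer code, that simulates both in memory: the security team defines the tag vocabulary and ordered rules; DevOps tags workloads; dynamic address group (DAG) membership is recomputed from the inventory without any rule change, which is what "no commit" means in practice; and a rule can carry per-threat-level actions. Foo and Bar come from the slide, Bar's PCI=TRUE value and the third workload Baz are assumptions for the demo.

```python
"""Metadata-based policy with DAGs and threat-level actions (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# 1. Security team defines the metadata attributes and their allowed values.
ATTRIBUTES: Dict[str, Set[str]] = {
    "STAGE": {"DEVTEST", "STAGING", "PROD"},
    "PCI": {"TRUE", "FALSE"},
}

Selector = Dict[str, str]   # every key must match (AND); {} matches anything


@dataclass
class Workload:
    name: str
    ip: str
    tags: Dict[str, str]


@dataclass
class Rule:
    name: str
    src: Selector
    dst: Selector
    action: str                                                   # default action
    by_threat_level: Dict[str, str] = field(default_factory=dict)  # overrides


def tags_are_valid(tags: Dict[str, str]) -> bool:
    """Reject values outside the defined vocabulary; unknown keys are custom tags."""
    return all(v in ATTRIBUTES[k] for k, v in tags.items() if k in ATTRIBUTES)


def matches(tags: Dict[str, str], selector: Selector) -> bool:
    return all(tags.get(k) == v for k, v in selector.items())


class Inventory:
    def __init__(self) -> None:
        self.by_ip: Dict[str, Workload] = {}

    def assign(self, w: Workload) -> None:
        """3. DevOps assigns (or re-assigns) metadata; no policy commit is needed."""
        if not tags_are_valid(w.tags):
            raise ValueError(f"invalid tags for {w.name}: {w.tags}")
        self.by_ip[w.ip] = w

    def dynamic_address_group(self, selector: Selector) -> List[str]:
        """DAG membership is derived from the live inventory on every call."""
        return sorted(ip for ip, w in self.by_ip.items() if matches(w.tags, selector))

    def tags_of(self, ip: str) -> Dict[str, str]:
        w = self.by_ip.get(ip)
        return w.tags if w else {}     # an unknown host matches only 'any' selectors


class PolicyEngine:
    def __init__(self, inventory: Inventory, rules: List[Rule], default: str = "DENY") -> None:
        self.inv, self.rules, self.default = inventory, rules, default

    def evaluate(self, src_ip: str, dst_ip: str, threat_level: str = "GREEN") -> Tuple[str, str]:
        """Ordered lookup, first match wins, as in a firewall policy; returns (rule, action)."""
        src, dst = self.inv.tags_of(src_ip), self.inv.tags_of(dst_ip)
        for rule in self.rules:
            if matches(src, rule.src) and matches(dst, rule.dst):
                return rule.name, rule.by_threat_level.get(threat_level, rule.action)
        return "default", self.default


def build_demo() -> Tuple[PolicyEngine, Inventory]:
    inv = Inventory()
    inv.assign(Workload("Foo", "70.20.1.6", {"STAGE": "DEVTEST", "PCI": "FALSE"}))
    inv.assign(Workload("Bar", "80.10.2.4", {"STAGE": "PROD", "PCI": "TRUE"}))   # PCI value assumed
    inv.assign(Workload("Baz", "80.10.2.9", {"STAGE": "PROD", "PCI": "FALSE"}))  # constructed
    rules = [
        # 2. the slide's rule: dev/test may never reach PCI production
        Rule("deny-devtest-to-pci-prod", {"STAGE": "DEVTEST"}, {"STAGE": "PROD", "PCI": "TRUE"}, "DENY"),
        # dynamic actions: tighten as the threat level rises
        Rule("devtest-to-prod", {"STAGE": "DEVTEST"}, {"STAGE": "PROD"}, "PERMIT",
             {"ORANGE": "PERMIT+LOG+IPS", "RED": "DENY"}),
        Rule("intra-prod", {"STAGE": "PROD"}, {"STAGE": "PROD"}, "PERMIT"),
    ]
    return PolicyEngine(inv, rules), inv


if __name__ == "__main__":
    engine, inv = build_demo()
    print("PCI prod DAG:", inv.dynamic_address_group({"STAGE": "PROD", "PCI": "TRUE"}))
    for level in ("GREEN", "ORANGE", "RED"):
        print(level, engine.evaluate("70.20.1.6", "80.10.2.9", level))
    # Retagging Baz as PCI changes what the deny rule covers, with no rule edit.
    inv.assign(Workload("Baz", "80.10.2.9", {"STAGE": "PROD", "PCI": "TRUE"}))
    print("after retag:", engine.evaluate("70.20.1.6", "80.10.2.9"))
```

The design point to notice is that the deny rule never names an address: retagging Baz moves it into the PCI DAG and the same rule starts blocking Foo's traffic to it. That is also the risk of the model, since whoever can write the PCI tag can widen or shrink what a security rule covers, so tag assignment needs the same change control and audit as the rules themselves.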

VMware NSX Integration

VMware NSX Micro-Segmentation
Topology: SRX perimeter firewall in front of the DMZ VLAN; SRX inside firewall; App VLAN, DB VLAN and Services VLAN (AD, NTP, DHCP, DNS, CERT), each shared by Finance, HR and IT; vSRX for east-west traffic.
Traffic between apps on the same VLAN can now be firewalled. The vSRX protects against lateral movement of attacks inside the network. Security orchestration is dynamic and based on VM posture. Visibility for east-west traffic.

NSX Integration: Initial vSRX Provisioning
Actors: the cloud admin with NSX Manager; the security admin with Security Director (SD) and Policy Enforcer (PE). ESXi hosts run the NSX virtual switch and DFW behind a ToR switch.
0. NSX is deployed and SD/PE installed.
1. SD registers the vSRX service with NSX.
2. NSX provisions a vSRX on every NSX host.
3. NSX provisions the vSRX redirection rules in the DFW.
4. SD provisions licenses and the default policy for the vSRX instances.
Initial provisioning is complete; the vSRX sees no traffic at this stage.

NSX Integration: Policy Management
0. NSX security groups (SGs) are VM groups.
1. The NSX admin creates traffic redirection to the vSRX: SRC=Any, DEST=PCI_SG, ACTION=REDIRECT-vSRX.
2. NSX provisions the traffic redirection policy for the vSRX for all VMs.
3. NSX sends the SGs and their members to PE; PE creates dynamic address groups for SD. The security admin can use NSX SGs in policy, which can cover north-south (physical SRX) and east-west (NSX vSRX) traffic.
4. SD pushes the policy out to the vSRX.
NSX SGs are continuously synchronized with PE and SD.

Packet Flow: Host-to-Host Traffic
On each ESXi host the NSX virtual switch, DFW and redirect rules run in kernel space; the vSRX runs in user space and is reached over a VMCI channel.
1. The source VM on Host-1 sends traffic through its vNIC.
2. The NSX DFW processes the traffic.
3. Redirect rules decide whether to forward the traffic to the vSRX.
4. The vSRX processes the traffic.
5. The physical network (ToR switch) transports the traffic to the destination host.
6. On Host-2, redirect rules decide whether to forward the traffic to the vSRX.
7. The vSRX processes the traffic.
8. The DFW processes the traffic.
9. The destination VM receives the traffic.

Dynamic Threat Remediation
1. The perimeter SRX forwards relevant traffic to Sky ATP.
2. Sky ATP identifies malware and infected hosts and passes this information to Policy Enforcer as the infected host feed.
3. Policy Enforcer: 1. pushes policy for infected host access to the SRX or vSRX (DMZ VLAN) through Security Director; 2. tags infected VMs using NSX Manager (assigns a security tag to infected hosts).

Why Juniper for NSX?
Single management footprint for north-south traffic (SRX/vSRX) and east-west traffic (vSRX on NSX), with visibility and reporting for both.
The vSRX requires the least resources (2 vCPU) and delivers a high-performance NGFW solution.
vCenter integration helps identify VMs for troubleshooting.
License model: a single license for vSRX, AppFW and IPS subscriptions, Security Director, Policy Enforcer and support.

SDSN Contrail Integration
Topology: SRX Series cluster; Contrail controller; vRouter; green virtual network (VM G1, G2, G3); red virtual network (VM R1, R2, R3); quarantine virtual network.
Sky ATP threat mitigation: connect the infected VM to the quarantine virtual network; block access to the PCI network; security group changes.
Micro-segmentation: security policy in SD/PE for the vSRX (L7, IPS, etc.); Contrail inventory and security tag synchronization with the vSRX.

SDSN AWS Integration
Challenges: security policy needs to support agile workloads; compliance for Amazon Virtual Private Cloud (VPC) workloads; lateral threat propagation inside the Amazon VPC.
SDSN solution: instantiates and manages VPC-specific vSRX instances; Policy Enforcer supports metadata-based policies for agile workloads; access control (L3 and L7 firewall), IPS and threat policies based on metadata; AWS workload inventory and metadata synchronized with Security Director.
Example workload metadata: Dept=HR, App=HRMS, PCI=FALSE; Dept=FIN, App=PAYROLL, PCI=TRUE; Dept=IT, App=CMDB, PCI=FALSE.

DEMO

Change in Mindset
Hardware defined -> software/cloud defined
Perimeter -> pervasive
Manual enforcement -> automated
Configuration driven -> business driven
Closed ecosystem -> open framework

Resources
Security sessions: Security NOW: Stop Threats Faster (business solutions); Securing the Multicloud (technology focus); Extending Enterprise Security to Multicloud and Public Cloud (technology focus).
SDSN reference material: search for "Juniper SDSN" or see https://www.juniper.net/us/en/productsservices/what-is/sdsn/

THANK YOU