Protecting key applications in the Datacenter

Transcription:

SECURITY OUTLOOK

Threats get more sophisticated:
- Flame, Shamoon, Gauss...
- Dirt Jumper (DDoS) toolkits blend attacks
- Mobile malware is exploding
- APTs

Corporate cloud applications grow:
- Security boundary blurring into the cloud
- Data residing in multiple locations, public and private
- Need to secure all data at rest and in transit
- Identity management and trust between SPs and cloud providers is key

Industry megatrends: CoIT/BYOD, virtualisation/cloud, big data, mobility, social media, compliance

Views on the toolsets (new security approaches emerge):
- Defence by deception
- Secure the hypervisor
- Virtualise the appliance
- Enhance existing security solutions

Source: Canalys, March 2012
Copyright 2012 Juniper Networks, Inc. www.juniper.net

SECURITY TRENDS: IMPACT ON DATACENTER APPLICATIONS

- Blended/compound attacks against the DC fabric and its web services: L3/4 DoS, L7 DoS, L7 application exploits
- ~73% of all attacks are web based
- WAF/signatures alone are insufficient; new approaches are required
- Compromised VMs serve as staging points for reconnaissance in APTs
- Physical security cannot detect cross-hypervisor traffic (diagram: several hypervisors with compromised VMs)

DATACENTER SECURITY OVERVIEW

- Branch SRX: remote branch connectivity and security
- High-End SRX: site-level security and zoning to separate customer traffic, ALGs, IPS for threat protection, etc.
- JunosV Firefly: VM-level security at an aggregated level (multi-tenant segmentation)
- Mykonos: web threat mitigation without false positives
- vGW: inter-VM security and inbound threat protection for all VMs combined

Diagram: remote office (Branch SRX series); Datacenter A virtual infrastructure (VM-A rack servers, Firefly); Datacenter B virtual infrastructure (VM-B, vGW); physical data center (High-end SRX, vGW); mobile worker (Junos Pulse). Note: illustrated here are just a few use cases.

MITIGATING BLENDED ATTACKS WITH DC SRX

- Screens: L3/4 attack mitigation (SYN flood, UDP flood, protocol anomalies)
- IPS: L7 exploit prevention; signature based; zero-day availability; scalable IPS processing
- AppDoS: L7 DoS mitigation; context-based DoS monitoring/protection; differentiates attack from genuine traffic
- AppFW/AppTrack: application filtering/monitoring; protects applications whichever port they are deployed on; monitors app usage for IPS/AppDoS profiles

A CLOSER LOOK AT VSRX

- Security and routing functionality delivered as a virtual machine
- Junos delivered as a virtual appliance on a choice of hypervisors; runs on standard x86 hardware
- Full, proven Junos security and routing protocol suite; leverages proven SRX and VJX technology
- Performance optimized: SMP kernel and multi-threaded flowd over multiple vCPUs
- Supports hypervisor VM functionality, e.g. vMotion, snapshots, HA/FT, cloning, management

Feature stack:
- Perimeter: firewall, VPN, NAT, network admission control
- Junos routing protocols and SDK
- Junos rich and extensible security stack
- Content: anti-virus, IPS (full IDP feature set), web filtering, anti-spam
- Application: application awareness, identity awareness
- Management: CLI, J-Web, SNMP, Junos Space Security Design, hypervisor management, HA/FT

EDGE DC SECURITY: VIRTUAL INSTANCE SCALE

Using x86 virtualization for unlimited, dynamic, private firewall scaling.

- Option 1 (SRX and LSYS): separate a single physical SRX into unique virtual instances on the device; each customer instance (Customer A to E) has its own admin, firewall, routing, NAT, VPN, ALGs, etc. Difficult beyond hundreds of instances.
- Option 2 (hypervisors and VJ-SR): leverage x86 hypervisors (KVM, VMware) to build unlimited pools of VJ-SRs.

VIRTUALISATION WITH LOGICAL SYSTEMS

Diagram: LSYS 1 to LSYS 4 and the SRX root LSYS, interconnected through LSYS 0 (VPLS domain).

Key takeaways:
- Maximum of 32 LSYS
- Uses an internal switch (VPLS domain) for communication between LSYS
- Important to minimise inter-LSYS flows: an inter-LSYS flow is processed three times (by the ingress LSYS, the VPLS domain, and the egress LSYS), with performance implications
- License-based: no LSYS supported with standard SKUs

Primary use cases:
- Multi-tenant cloud/DC environments
- Departmental/business unit resource preservation (e.g. university deployment)
- Firewall physical consolidation

LSYS RESOURCE PROFILES

Junos LSYS profile parameters: firewall policy rules, zones, sessions, IDP (enable/disable), NAT rules, addresses, applications (services), CPU utilization, log rate.

- Resource profiles are defined and applied by the global administrator
- Resource profiles broadly cover two parameter categories: configuration options (e.g. firewall policies, zones, NAT rules) and compute resources (e.g. CPU cycles, concurrent sessions, log rates)

VIRTUALISATION WITH VRS/ZONES

Diagram: one SRX with VR A, VR B and VR C, each with its own Untrust zone (Untrust A/B/C) and Trust zone (Trust A/B/C).

Key takeaways:
- Much greater scaling than LSYS: 2,000 zones/VRs on SRX5800
- No license required
- Generally simpler configuration
- Requires inter-VR routing, which is not generally possible with static routes

Primary use cases:
- Firewall consolidation
- Service separation

LOGICAL SYSTEMS v VRs/ZONES

LSYS
- Pros: resource separation; management isolation, including Space/Security Design
- Cons: license required; extra configuration complexity; performance hits for sending traffic between LSYS

Zones/VRs
- Pros: simple configuration; high scale; no license
- Cons: no resource protection (usually a requirement in multi-tenant environments); no true management isolation

VSRX: SAMPLE HIGH LEVEL DESIGN

Cloud service provider segmenting tenants with VJ-SR and allowing inter-VM protection with vGW.

Diagram: cloud service provider hosting Customer A and Customer B virtual networks on hypervisors, with EX Series and MX Series devices and Cloud-Connect to the Internet; Customer A primary site (virtual and non-virtual) and branch with CPE; Customer B primary site (non-virtual) with SRX.

VSRX USE CASE: VIRTUALIZED DATACENTER ENVIRONMENTS

- Customer: cloud service providers and large enterprises who are virtualizing their datacenters
- Goal: maximize efficiency and resource utilization; extend the gains of virtualization to network infrastructure
- Requirements: routing and/or security functionality without a standalone appliance; under 2 Gbps of traffic
- Solution: deploy a combined virtual security and routing appliance to maximize efficiency

Diagram: datacenter BEFORE (VM1 to VM4 in the virtualized environment, behind a physical firewall to the WAN) and AFTER (VM1 to VM4 with the virtual appliance inside the virtualized environment, connected to the WAN).

VSRX PLANNING

Initial release:
- Routing: family inet, family inet6 (packet mode), static routing, BGP, OSPF, RIP, PIM, MPLS/VPLS
- NAT: source NAT, destination NAT, static NAT, persistent NAT
- Firewall: firewall policy, screens, SYN cookie
- ALGs: DNS, FTP, H323, MGCP, MS-RPC, PPTP, RSH, RTSP, SCCP, SIP, SQL, SUN-RPC, TALK, TFTP, IKE-ESP
- VPN: policy-based, route-based, dynamic VPN, manual key, auto key, IKE phase 1, IKE phase 2, anti-replay, XAUTH, DPD, VPN monitor, tunnel mode, AH and ESP, DES/3DES/AES, SHA-1/MD5
- DHCP: DHCP client, DHCP server, DHCP relay
- Hypervisors: VMware, KVM
- Management: Device Manager, limited Virtual Systems Manager

Roadmap:
- Features: UTM, IDP, clustering, AppSecure
- Hypervisors: Hyper-V, Xen
- Junos SDK
- Juniper portfolio integration (vGW, QFabric, HW SRX, MX, etc.)
- Scale and performance optimization
- Management: policy management, APIs, enhancements to Virtual Systems Manager (Junos Space app)

VSRX MANAGEABILITY

vSRX device management: Virtual Systems Manager; Junos Space Security Design; CLI plus Junos scripts; J-Web; SNMP; STRM (logging and reporting), syslog, traceroute; Security Insight; Junos LMS; Policy Manager; APIs.

Virtual Systems Manager (app for the Junos Space platform):
- Long-term single provisioning point and systems manager for vGW and vSRX deployments
- Support for popular cloud management tools: vCenter, RHEV-M, SCVMM, ServerCenter, vCloud Director, CloudStack, OpenStack
- Features (life cycle management): provisioning, bootstrapping, troubleshooting/debug, log management, reporting, etc.

5 ATTACK PHASES: APT BEHAVIOUR

1. Silent reconnaissance: attackers profile physical and virtual devices and applications
2. Attack vector establishment: weaknesses in the attack surface are identified for attack
3. Attack implementation: attacks launched to take control of a device, application or VM; can be used to begin further reconnaissance
4. Attack automation: repeat the attack to increase effectiveness, increase profit or extract more data
5. Maintenance: evade patching and remediation measures intended to stop the attack

THE MYKONOS ADVANTAGE: DECEPTION-BASED SECURITY

- Detect: tar traps detect threats without false positives
- Track: IPs, browsers, software and scripts
- Profile: understand the attacker's capabilities and intents
- Respond: adaptive responses, including block, warn and deceive

DETECT THREATS BY DECEPTION

Tar traps are planted in query string parameters, hidden input fields and server configuration.

Diagram: client, network perimeter firewall, app server, database server.

TRACK ATTACKERS BEYOND THE IP

- Track IP address
- Track browser attacks: a persistent token with the capacity to persist in all browsers, including various privacy control features
- Track software and script attacks: fingerprinting of HTTP communications

SMART PROFILE OF ATTACKER

- Every attacker is assigned a name
- Incident history
- Attacker threat level

RESPOND AND DECEIVE

Mykonos responses: warn attacker, block user, force CAPTCHA, slow connection, simulate broken application, force log-out.

Threat types (matrix columns): human hacker, botnet, targeted scan, IP scan, scripts and tools, exploits.

All responses are available for any type of threat. The responses highlighted in the original matrix are the most appropriate for each type of threat.

APPROACHES TO SECURING VIRTUAL NETWORKS

1. VLANs and physical segmentation: VM1 to VM3 on an ESX/ESXi host hypervisor with a virtual switch (VS)
2. Traditional security agents: a regular thick agent for FW and AV inside each VM
3. Purpose-built virtual security: a virtual security layer between the VMs and the virtual switch on the ESX/ESXi host hypervisor

THE VGW PURPOSE-BUILT APPROACH: VMWARE

Service provider and enterprise grade:
- VMware certified (signed binaries!)
- Protects each VM and the hypervisor
- Fault-tolerant architecture (i.e., HA)

Three-tiered model:
1. Security Design for vGW (Virtual Center)
2. vGW VM on each host (VM1 to VM3): virtualization-aware; Secure VMotion scales to 1,000+ hosts; Auto Secure detects/protects new VMs; granular, tiered defense (stateful firewall, integrated IDS, and AV); flexible policy enforcement (zone, VM group, VM, individual vNIC); packet data to a partner server (IDS, SIM, syslog, NetFlow)
3. The vGW engine: VMware APIs, any vSwitch (standard, DVS, 3rd party), in the VMware kernel of the ESX or ESXi host

SECURITY TRENDS: IMPACT ON DATACENTER APPLICATIONS

OPEN HYPERVISOR FRAMEWORK FOR KVM

Diagram: a VM management system (RHEV-M, UVMM, qemu, etc.) and an optional VM provisioning system (service providers, large enterprises) use environment-specific tools and APIs and the enhanced vGW Cloud SDK to drive the vGW KVM Manager, which communicates via libvirt or the Juniper protocol with vGW-protected KVM hosts 1 to N.

vGW Cloud SDK enhancements:
1. new_vm_info_api and new_hypervisor_api
2. vGW Policy APIs (improvements to existing APIs)
3. vGW Management APIs (updates, versions, etc.)
4. vGW Install APIs (deploy SVMs, kernel modules, etc.)

VGW AND MICROSOFT HYPER-V (coming soon!)

Hyper-V integration:
- Three-tiered model
- SCVMM integration
- Filter extension in the extensible switch
- Supports live migration
- Granular, tiered defense for VMs

Three tiers:
1. Security Design for vGW (System Center VMM)
2. vGW VM (VM1 to VM3 on the host; packet data to a partner server: IDS, SIM, syslog, NetFlow)
3. The vGW engine as a filter extension in the Hyper-V extensible switch (alongside the capture, WFP and forwarding extensions) on the Hyper-V host physical server

VGW INTEGRATION WITH VCLOUD DIRECTOR

vCloud Director 1.5 and vGW Series products can be used together!
1. vCloud relies on traditional vSphere technologies (vCenter and ESX/ESXi hosts). vGW can be inserted into this environment (VMsafe and VI APIs are still working and available).
2. vCloud introduces new abstraction constructs which are inserted into vCenter. vCloud APIs and vGW APIs can be used to discover the constructs and auto-populate SmartGroups for dynamic, human-readable security policies.

Workflow (diagram):
1. vCloud Director creates a VM with a semi-random structure.
2. Juniper's vcdsync script uses vCD APIs to determine which organizational unit a VM belongs to (VMs with the same name could be in two different organizational units).
3. vGW Management knows that AML-SYS1 is part of Org2; this is made available as a vf.tag SmartGroup parameter.
4. vGW Management inserts AML-SYS1 into the SmartGroup and enforces policy on the ESX/ESXi host with vGW automatically!

SUMMARY: PROTECT KEY APPLICATIONS WITH A LAYERED SECURITY APPROACH

SRX/vSRX (physical, or as a VM on the hypervisor):
- Firewall
- L3/L4 DoS protection
- Application-layer DoS protection
- Application profiling and monitoring
- Application port control/enforcement
- IPS
- IPsec termination to the DC

Mykonos (protect web apps):
- Deception technology complements the signature approach and makes APTs uneconomical
- Tar traps identify malicious users without false positives
- Profiling identifies users without recourse to the IP address
- Future: global hacker database

vGW (inter-VM security):
- Firewall, IDS, AV
- Policies based on VMware or security attributes
- VM application profiling
- Hypervisor traffic monitoring
- PCI compliance