Protecting key applications in the Datacenter
SECURITY OUTLOOK
Threats get more sophisticated
- Flame, Shamoon, Gauss...
- Dirt Jumper (DDoS) toolkits blend attacks
- Mobile malware is exploding
- APTs
Corporate cloud applications grow
- The security boundary is blurring into the cloud
- Data resides in multiple locations, public and private: all data must be secured at rest and in transit
- Identity management and trust between SPs and cloud providers is key
Industry megatrends: CoIT/BYOD, virtualisation/cloud, big data, mobility, social media, compliance
Views on the toolsets: new security approaches emerge
- Defence by deception
- Secure the hypervisor
- Virtualise the appliance
- Enhance existing security solutions
Source: Canalys, March 2012
Copyright 2012 Juniper Networks, Inc. www.juniper.net
SECURITY TRENDS: IMPACT ON DATACENTER APPLICATIONS
Blended/compound attacks against the DC fabric: L3/4 DoS, L7 DoS and L7 application exploits arriving together
Web services
- ~73% of all attacks are web based
- WAF/signatures alone are insufficient; new approaches are required
Hypervisors
- Compromised VMs are used as staging points for reconnaissance in APTs
- Physical security devices cannot see inter-VM traffic that stays inside the hypervisor
DATACENTER SECURITY OVERVIEW
Illustrated here are just a few use cases.
- Branch SRX: remote branch connectivity and security
- High-End SRX: site-level security and zoning to separate customer traffic, ALGs, IPS for threat protection, etc.
- JunosV Firefly: VM-level security at an aggregated level, multi-tenant segmentation
- Mykonos: web threat mitigation without false positives
- vGW: inter-VM security and inbound threat protection for all VMs combined
Diagram: a remote office (Branch SRX) and a mobile worker (Junos Pulse) connect through High-End SRX to Datacenter A (virtual infrastructure, VM-A rack servers protected by Firefly), Datacenter B (virtual infrastructure, VM-B hosts protected by vGW) and a physical data center with vGW on its hosts.
MITIGATING BLENDED ATTACKS WITH DC SRX
- Screens: L3/4 attack mitigation (SYN flood, UDP flood, protocol anomalies)
- IPS: L7 exploit prevention; signature based, with zero-day coverage where available; scalable IPS processing
- AppDoS: L7 DoS mitigation; context-based DoS monitoring and protection that differentiates attack traffic from genuine traffic
- AppFW/AppTrack: application filtering and monitoring; protects applications whichever port they are deployed on; monitors application usage to build IPS/AppDoS profiles
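The screen layer above is the easiest to reason about when you can watch the thresholds fire. The following is an added example, not Juniper code: a small Python model of the SYN-flood and UDP-flood screens with three knobs modelled on the SRX ones (attack threshold per destination address:port, source threshold per source, UDP threshold per destination), evaluated over constructed traffic. The threshold numbers, addresses and packet streams are assumptions chosen for the illustration; the equivalent Junos statements are quoted in a comment for orientation only.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Corresponding SRX configuration (for orientation; the values are illustrative):
#   set security screen ids-option dc-screen tcp syn-flood attack-threshold 200
#   set security screen ids-option dc-screen tcp syn-flood source-threshold 100
#   set security screen ids-option dc-screen udp flood threshold 1000
#   set security zones security-zone untrust screen dc-screen


@dataclass(frozen=True)
class Packet:
    ts_ms: int          # arrival time in milliseconds (constructed)
    src: str
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    syn: bool = False   # TCP SYN without ACK


@dataclass(frozen=True)
class ScreenProfile:
    # Modelled on the SRX screen knobs; the numbers are assumptions, not Juniper defaults.
    syn_attack_threshold: int = 200   # SYN/s to one dst ip:port before SYN proxying starts
    syn_source_threshold: int = 100   # SYN/s from one src before its further SYNs are dropped
    udp_flood_threshold: int = 1000   # UDP pkts/s to one dst ip before further packets are dropped


def apply_screens(packets, profile):
    """Return (packet, action) for every packet, counted in one-second buckets."""
    syn_to_dst = defaultdict(int)    # (second, dst, dport) -> SYN count
    syn_from_src = defaultdict(int)  # (second, src) -> SYN count
    udp_to_dst = defaultdict(int)    # (second, dst) -> UDP count
    verdicts = []
    for p in sorted(packets, key=lambda p: p.ts_ms):
        sec = p.ts_ms // 1000
        action = "forward"
        if p.proto == "tcp" and p.syn:
            syn_from_src[(sec, p.src)] += 1
            syn_to_dst[(sec, p.dst, p.dport)] += 1
            if syn_from_src[(sec, p.src)] > profile.syn_source_threshold:
                # A single noisy source is cut off before it can exhaust the destination.
                action = "drop:syn-source-threshold"
            elif syn_to_dst[(sec, p.dst, p.dport)] > profile.syn_attack_threshold:
                # Destination under pressure: the firewall answers the SYN itself and only
                # opens the server-side connection once the client completes the handshake.
                action = "syn-proxy"
        elif p.proto == "udp":
            udp_to_dst[(sec, p.dst)] += 1
            if udp_to_dst[(sec, p.dst)] > profile.udp_flood_threshold:
                action = "drop:udp-flood"
        verdicts.append((p, action))
    return verdicts


def summarize(verdicts):
    """Count actions, e.g. Counter({'forward': 103, 'drop:syn-source-threshold': 200, ...})."""
    return Counter(action for _, action in verdicts)


def single_source_flood():
    """Constructed: one attacker sends 300 SYN/s at a web server while a real client connects."""
    web = ("203.0.113.5", 80)
    pkts = [Packet(3 * i, "198.51.100.7", *web, "tcp", syn=True) for i in range(300)]
    pkts += [Packet(t, "192.0.2.10", *web, "tcp", syn=True) for t in (100, 250, 500, 700, 900)]
    return pkts


def distributed_flood():
    """Constructed: 50 sources send 6 SYN/s each, so no source trips the source threshold."""
    web = ("203.0.113.5", 80)
    return [Packet(6 * k + j, f"10.9.{k}.1", *web, "tcp", syn=True)
            for k in range(1, 51) for j in range(6)]


if __name__ == "__main__":
    for name, traffic in (("single source", single_source_flood()),
                          ("distributed", distributed_flood())):
        print(name, dict(summarize(apply_screens(traffic, ScreenProfile()))))
```

The two constructed streams show why both thresholds exist: against a single-source flood the source threshold fires first and the real client is only proxied once the destination is genuinely saturated, while a distributed flood never trips any source threshold and is handled entirely by SYN proxying on the destination.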
A CLOSER LOOK AT VSRX
- Security and routing functionality delivered as a virtual machine: Junos delivered as a virtual appliance on a choice of hypervisors, running on standard x86 hardware
- Full, proven Junos security and routing protocol suite; leverages proven SRX and VJX technology
- Performance optimized: SMP kernel and multi-threaded flowd over multiple vCPUs
- Supports hypervisor VM functionality, e.g. vMotion, snapshots, HA/FT, cloning, management
Feature stack
- Perimeter: firewall, VPN, NAT, network admission control
- Routing: Junos routing protocols and SDK
- Content: anti-virus, IPS (full IDP feature set), web filtering, anti-spam
- Application: application awareness, identity awareness
- Management: CLI, J-Web, SNMP, Junos Space Security Design, hypervisor management, HA/FT
EDGE DC SECURITY: VIRTUAL INSTANCE SCALE
Using x86 virtualization for unlimited, dynamic, private firewall scaling
- Option 1 (SRX and LSYS): separate a single physical SRX into unique virtual instances (Customer A to Customer E) on the device; difficult beyond hundreds
- Option 2 (hypervisors and VJ-SR): leverage x86 hypervisors (KVM, VMware) to build unlimited pools of VJ-SRs, each a per-customer instance with its own admin, firewall, routing, NAT, VPN, ALGs, etc.
VIRTUALISATION WITH LOGICAL SYSTEMS
Diagram: the SRX root LSYS with LSYS 1 to LSYS 4 interconnected through LSYS 0 (the VPLS domain).
Key takeaways
- Maximum of 32 LSYS
- An internal switch (VPLS domain) is used for communication between LSYS
- Important to minimise inter-LSYS flows: an inter-LSYS flow is processed three times, by the ingress LSYS, the VPLS domain and the egress LSYS, with corresponding performance implications
- License-based: no LSYS are supported with standard SKUs
Primary use cases
- Multi-tenant cloud/DC environments
- Departmental/business-unit resource preservation (e.g. university deployment)
- Physical firewall consolidation
LSYS RESOURCE PROFILES
Junos LSYS profile parameters: firewall policy rules, zones, sessions, IDP (enable/disable), NAT rules, addresses, applications (services), CPU utilization, log rate
- Resource profiles are defined and applied by the global (root) administrator
- Resource profiles broadly cover two parameter categories: configuration objects (e.g. firewall policies, zones, NAT rules) and compute resources (e.g. CPU cycles, concurrent sessions, log rates)
VIRTUALISATION WITH VRS/ZONES
Diagram: on one SRX, zone pairs Untrust A/Trust A, Untrust B/Trust B and Untrust C/Trust C are each bound to their own virtual router (VR A, VR B, VR C).
Key takeaways
- Much greater scaling than LSYS: 2,000 zones/VRs on an SRX5800
- No license required
- Generally simpler configuration
- Traffic between VRs requires inter-VR routing, which is not generally possible with static routes alone
Primary use cases
- Firewall consolidation
- Service separation
LOGICAL SYSTEMS vs VRs/ZONES
LSYS
- Pros: resource separation; management isolation, including in Junos Space Security Design
- Cons: license required; extra configuration complexity; performance hit for sending traffic between LSYS
Zones/VRs
- Pros: simple configuration; high scale; no license
- Cons: no resource protection, which is usually a requirement in multi-tenant environments; no true management isolation
VSRX: SAMPLE HIGH-LEVEL DESIGN
A cloud service provider segmenting tenants with VJ-SR and providing inter-VM protection with vGW.
Diagram: Customer A (primary site, virtual and non-virtual network) and Customer B (primary site, non-virtual, behind an SRX) plus a branch reach the provider over the Internet via Cloud-Connect CPE; inside the cloud service provider, MX Series routers and EX Series switches front the hypervisors hosting each customer's virtual network.
VSRX USE CASE: VIRTUALIZED DATACENTER ENVIRONMENTS
- Customer: cloud service providers and large enterprises who are virtualizing their datacenters
- Goal: maximize efficiency and resource utilization; extend the gains of virtualization to the network infrastructure
- Requirements: routing and/or security functionality without a standalone appliance; under 2 Gbps of traffic
- Solution: deploy a combined virtual security and routing appliance to maximize efficiency
Diagram: before, VM1 to VM4 in the virtualized environment sit behind a physical firewall facing the WAN; after, the firewall runs as a VM alongside VM1 to VM4 and faces the WAN directly.
VSRX PLANNING
Initial release
- Routing: family inet, family inet6 (packet mode), static routing, BGP, OSPF, RIP, PIM, MPLS/VPLS
- NAT: source NAT, destination NAT, static NAT, persistent NAT
- Firewall: firewall policy, screens, SYN cookie
- ALGs: DNS, FTP, H.323, MGCP, MS-RPC, PPTP, RSH, RTSP, SCCP, SIP, SQL, SUN-RPC, TALK, TFTP, IKE-ESP
- VPN: policy-based, route-based, dynamic VPN, manual key, auto key, IKE phase 1, IKE phase 2, anti-replay, XAUTH, DPD, VPN monitor, tunnel mode, AH and ESP, DES/3DES/AES, SHA-1/MD5 (DES and MD5 are listed for interoperability; prefer AES and SHA-1 for new tunnels)
- DHCP: client, server, relay
- Hypervisors: VMware, KVM
- Management: Device Manager, limited Virtual Systems Manager
Roadmap
- Features: UTM, IDP, clustering, AppSecure
- Hypervisors: Hyper-V, Xen
- Junos SDK
- Juniper portfolio integration (vGW, QFabric, hardware SRX, MX, etc.)
- Scale and performance optimization
- Management: policy management APIs; enhancements to Virtual Systems Manager (Junos Space app)
VSRX MANAGEABILITY
Device management: CLI and Junos scripts, J-Web, SNMP, STRM (logging and reporting), syslog, traceroute, Security Insight, Junos LMS
Virtual Systems Manager
- Junos Space Security Design, Policy Manager and APIs; delivered as an app for the Junos Space platform
- Long term: the single provisioning point and systems manager for vGW and vSRX deployments
- Support for popular cloud management tools: vCenter, RHEV-M, SCVMM, ServerCenter, vCloud Director, CloudStack, OpenStack
- Life-cycle management features: provisioning, bootstrapping, troubleshooting/debug, log management, reporting, etc.
5 ATTACK PHASES: APT BEHAVIOUR
- Phase 1, silent reconnaissance: attackers profile physical and virtual devices and applications
- Phase 2, attack vector establishment: weaknesses in the attack surface are identified for attack
- Phase 3, attack implementation: attacks are launched to take control of a device, application or VM; the foothold can be used to begin further reconnaissance
- Phase 4, attack automation: the attack is repeated to increase effectiveness, increase profit or extract more data
- Phase 5, maintenance: the attacker evades patching and remediation measures intended to stop the attack
THE MYKONOS ADVANTAGE: DECEPTION-BASED SECURITY
- Detect: tar traps detect threats without false positives
- Track: IPs, browsers, software and scripts
- Profile: understand the attacker's capabilities and intents
- Respond: adaptive responses, including block, warn and deceive
DETECT THREATS BY DECEPTION
Tar traps are planted along the request path (client, network perimeter, firewall, app server, database server) in places a legitimate user never touches: query string parameters, hidden input fields and server configuration. Only someone probing the application manipulates them, which is why a triggered trap carries no false positives.
TRACK ATTACKERS BEYOND THE IP
- Track IP address
- Track browser attacks: a persistent token with the capacity to persist in all browsers, including across various privacy control features
- Track software and script attacks: fingerprinting of the HTTP communications
SMART PROFILE OF ATTACKER
- Every attacker is assigned a name
- Incident history
- Attacker threat level
RESPOND AND DECEIVE
Mykonos responses: warn attacker, block user, force CAPTCHA, slow connection, simulate broken application, force log-out
Threat types: human hacker, botnet, targeted scan, IP scan, scripts and tools, exploits
All responses are available for any type of threat; the slide highlights which responses are most appropriate for each type.
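The detect, track, profile and respond steps on the preceding slides fit together in a few dozen lines. The following is an added example written for this page, not Mykonos code, and makes no claim about how that product is implemented: a tiny Python web-app model plants three tar traps (a hidden form field, a decoy query parameter and a trap path referenced only from an HTML comment), ties requests to a persistent cookie token when the client returns it and to an HTTP header fingerprint when it does not, keeps a named profile with incident history and a threat level, and picks a response from that level. The trap names, incident weights, response thresholds, nonce and the constructed legitimate and scanner sessions are all assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Decoys planted in every served page (names are assumptions). A real user never
# alters the hidden field, never edits the decoy parameter and never requests the
# trap path, so each of these is an incident with no false-positive path.
TRAP_PATH = "/_bk/admin-old/"       # only ever mentioned inside an HTML comment
HIDDEN_FIELD = "_tt_ref"            # hidden <input>; browsers echo it back unchanged
DECOY_PARAM = "tt_pg"               # decoy query parameter; the app only ever emits "1"
INCIDENT_WEIGHT = {"query-param-tamper": 2, "trap-path": 3, "hidden-field-tamper": 3}
NAMES = ["amber-fox", "cobalt-heron", "slate-otter", "umber-wasp"]


@dataclass
class Request:
    ip: str
    path: str
    headers: dict                       # insertion order models wire order
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Profile:
    name: str
    kind: str                           # "browser" once it returns our cookie, else "script"
    ips: set = field(default_factory=set)
    incidents: list = field(default_factory=list)

    @property
    def threat_level(self):
        return sum(INCIDENT_WEIGHT[i] for i in self.incidents)


class TarTrapApp:
    def __init__(self, token_factory=lambda: secrets.token_hex(8)):
        self.expected_ref = "7f3a9c2e"  # constructed nonce rendered into the hidden field
        self.profiles = {}              # token -> Profile
        self.by_fingerprint = {}        # HTTP fingerprint -> token, for cookie-less clients
        self.new_token = token_factory

    def render_page(self):
        """The three traps as they would appear in a served page."""
        return {
            "hidden_input": f'<input type="hidden" name="{HIDDEN_FIELD}" value="{self.expected_ref}">',
            "decoy_link": f"/search?{DECOY_PARAM}=1",
            "comment": f"<!-- TODO remove {TRAP_PATH} -->",
        }

    @staticmethod
    def fingerprint(req):
        # Header order plus User-Agent is stable for a given tool and survives IP rotation.
        material = ",".join(req.headers) + "|" + req.headers.get("User-Agent", "")
        return hashlib.sha256(material.encode()).hexdigest()[:12]

    def detect(self, req):
        found = []
        if req.path == TRAP_PATH:
            found.append("trap-path")
        if DECOY_PARAM in req.query and req.query[DECOY_PARAM] != "1":
            found.append("query-param-tamper")
        if req.form and req.form.get(HIDDEN_FIELD) != self.expected_ref:
            found.append("hidden-field-tamper")
        return found

    @staticmethod
    def choose_response(profile):
        level = profile.threat_level
        if level == 0:
            return "allow"
        if level >= 6:
            return "block"
        if level >= 3:  # a CAPTCHA only makes sense for something that renders pages
            return "force-captcha" if profile.kind == "browser" else "slow-connection"
        return "warn"

    def handle(self, req):
        token = req.cookies.get("tt")
        if token in self.profiles:
            profile = self.profiles[token]
            profile.kind = "browser"    # the client round-tripped our token
        else:
            fp = self.fingerprint(req)
            token = self.by_fingerprint.get(fp)
            if token is None:
                token = self.new_token()
                self.by_fingerprint[fp] = token
                h = int(hashlib.sha256(token.encode()).hexdigest(), 16)
                self.profiles[token] = Profile(name=f"{NAMES[h % len(NAMES)]}-{token[:4]}", kind="script")
            profile = self.profiles[token]
        profile.ips.add(req.ip)
        profile.incidents.extend(self.detect(req))
        return {"action": self.choose_response(profile), "set_cookie": token, "profile": profile}
```

Keying cookie-less clients by header fingerprint is deliberately coarse (two scanners with the same tool would merge), which is why incidents, not the fingerprint itself, drive the response; the fingerprint only keeps an attacker's history together while it rotates source addresses.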
APPROACHES TO SECURING VIRTUAL NETWORKS
1. VLANs and physical segmentation: VM1 to VM3 on the ESX/ESXi host's hypervisor vSwitch are separated by VLANs, with enforcement on physical security devices
2. Traditional security agents: a regular thick agent for firewall and AV installed inside each VM
3. Purpose-built virtual security: a virtual security layer in the hypervisor of the ESX/ESXi host protects VM1 to VM3
THE VGW PURPOSE-BUILT APPROACH (VMWARE)
Service provider and enterprise grade
- Three-tiered model: (1) Security Design for vGW in Virtual Center; (2) a vGW VM on each host; (3) the vGW engine, using the VMware APIs, on any vSwitch (standard, DVS, third party) in the VMware kernel of the ESX or ESXi host
- VMware certified (signed binaries)
- Protects each VM and the hypervisor
- Fault-tolerant architecture (HA)
Virtualization-aware
- Secure VMotion; scales to 1,000+ hosts
- Auto Secure detects and protects new VMs
Granular, tiered defense
- Stateful firewall, integrated IDS and AV
- Flexible policy enforcement: zone, VM group, VM, individual vNIC
- Packet data exported to partner servers (IDS, SIM, syslog, NetFlow)
OPEN HYPERVISOR FRAMEWORK FOR KVM
- Environment-specific tools and APIs: the VM management system (RHEV-M, UVMM, qemu, etc.) and an optional VM provisioning system (service providers, large enterprises) communicate with the vGW KVM Manager via libvirt or the Juniper protocol
- The vGW KVM Manager controls vGW-protected KVM hosts 1 to N
Enhanced vGW Cloud SDK
1. new_vm_info_api and new_hypervisor_api
2. vGW policy APIs (improvements to existing APIs)
3. vGW management APIs (updates, versions, etc.)
4. vGW install APIs (deploy SVMs, kernel modules, etc.)
VGW AND MICROSOFT HYPER-V (coming soon)
Hyper-V integration
- Three-tiered model: (1) Security Design for vGW in System Center VMM; (2) a vGW VM on each host; (3) the vGW engine as a filter extension in the Hyper-V Extensible Switch, alongside the capture, WFP and forwarding extensions, on the Hyper-V host
- SCVMM integration
- Supports live migration
- Granular, tiered defense for VMs
- Packet data exported to partner servers (IDS, SIM, syslog, NetFlow)
VGW INTEGRATION WITH VCLOUD DIRECTOR
vCloud Director 1.5 and vGW Series products can be used together.
1. vCloud relies on traditional vSphere technologies (vCenter and ESX/ESXi hosts). vGW can be inserted into this environment; the VMsafe and VI APIs are still working and available.
2. vCloud introduces new abstraction constructs which are inserted into vCenter. The vCloud APIs and vGW APIs can be used to discover these constructs and auto-populate SmartGroups for dynamic, human-readable security policies.
Workflow (vCloud creates VMs with a semi-random structure; the example VM is AML-SYS1):
- Juniper's vcdsync script uses the vCD APIs to determine which organizational unit a VM belongs to; this matters because VMs with the same name can exist in two different organizational units, so the name alone is ambiguous.
- vGW management, fed from vCenter and the script, knows that AML-SYS1 is part of Org2 and exposes this as a vf.tag SmartGroup parameter.
- vGW management inserts AML-SYS1 into the SmartGroup and enforces policy on the ESX/ESXi host automatically.
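The disambiguation step above is the whole point of the script: two VMs called AML-SYS1 must land in different SmartGroups because they belong to different organizations. The following is an added example in Python, not the vcdsync script or the vGW API, showing the resolution logic end to end: an org-aware inventory (standing in for what the vCD APIs return) is turned into vf.tag-style attributes keyed by the vCenter managed-object reference rather than by name, SmartGroup rules match on those tags plus a name prefix, and every VM on every host receives a policy. The inventories, group rules, policy names and the restrictive default for VMs outside any organization are constructed assumptions.

```python
from collections import defaultdict

# Constructed stand-in for the vCloud Director view: org -> vApp -> VM, each VM carrying
# the vCenter managed-object reference (moref) that links the two inventories.
VCD_INVENTORY = [
    {"org": "Org1", "vapp": "payroll", "vm": "AML-SYS1", "moref": "vm-101"},
    {"org": "Org2", "vapp": "analytics", "vm": "AML-SYS1", "moref": "vm-102"},
    {"org": "Org2", "vapp": "analytics", "vm": "AML-DB1", "moref": "vm-103"},
]

# Constructed stand-in for the vCenter view: which VM runs on which ESX/ESXi host.
VCENTER_VMS = [
    {"moref": "vm-101", "name": "AML-SYS1", "host": "esx-a"},
    {"moref": "vm-102", "name": "AML-SYS1", "host": "esx-b"},
    {"moref": "vm-103", "name": "AML-DB1", "host": "esx-b"},
    {"moref": "vm-900", "name": "vcenter-helper", "host": "esx-a"},  # not managed by vCD
]

# SmartGroup rules (assumed format): match on synced tags and a VM-name prefix.
SMARTGROUPS = [
    {"name": "Org1-AML", "tags": {"org": "Org1"}, "name_prefix": "AML-", "policy": "org1-aml-policy"},
    {"name": "Org2-AML", "tags": {"org": "Org2"}, "name_prefix": "AML-", "policy": "org2-aml-policy"},
]
DEFAULT_POLICY = "isolate-untagged"   # assumption: a VM in no organization gets a restrictive policy


def vcd_sync(inventory):
    """Mimic the sync step: produce vf.tag-style attributes keyed by moref, never by name."""
    return {e["moref"]: {"org": e["org"], "vapp": e["vapp"]} for e in inventory}


def ambiguous_names(vms):
    """Names that map to more than one VM; anything keyed on these would mis-assign policy."""
    by_name = defaultdict(list)
    for vm in vms:
        by_name[vm["name"]].append(vm["moref"])
    return {n: m for n, m in by_name.items() if len(m) > 1}


def resolve_smartgroups(vms, tags, groups):
    """Return SmartGroup name -> set of morefs, using the synced tags to split same-named VMs."""
    membership = defaultdict(set)
    for vm in vms:
        vm_tags = tags.get(vm["moref"], {})
        for g in groups:
            tags_match = all(vm_tags.get(k) == v for k, v in g["tags"].items())
            if tags_match and vm["name"].startswith(g["name_prefix"]):
                membership[g["name"]].add(vm["moref"])
    return dict(membership)


def policy_for(vm, membership, groups):
    for g in groups:
        if vm["moref"] in membership.get(g["name"], ()):
            return g["policy"]
    return DEFAULT_POLICY


def enforcement_plan(vms=VCENTER_VMS, inventory=VCD_INVENTORY, groups=SMARTGROUPS):
    """Per-VM host and policy, i.e. what would be pushed to each ESX/ESXi host."""
    tags = vcd_sync(inventory)
    membership = resolve_smartgroups(vms, tags, groups)
    return {vm["moref"]: {"host": vm["host"], "policy": policy_for(vm, membership, groups)}
            for vm in vms}


if __name__ == "__main__":
    print("ambiguous names:", ambiguous_names(VCENTER_VMS))
    for moref, plan in enforcement_plan().items():
        print(moref, plan)
```

Keying everything on the moref is the check worth copying into any tag-driven policy system: a name collision across tenants must never be able to move a VM into another tenant's group, and a VM that no tag claims should fall into a restrictive default rather than an open one.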
SUMMARY: PROTECT KEY APPLICATIONS WITH A LAYERED SECURITY APPROACH
SRX or vSRX (physical, or virtual on the hypervisor)
- Firewall
- L3/L4 DoS protection
- Application-layer DoS protection
- Application profiling and monitoring
- Application port control/enforcement
- IPS
- IPsec termination into the DC
Mykonos (protect web apps)
- Deception technology complements the signature approach and makes APTs uneconomical
- Tar traps identify malicious users without false positives
- Profiling identifies users without recourse to the IP address
- Future: global hacker database
vGW (inter-VM security)
- Firewall, IDS, AV
- Policies based on VMware or security attributes
- VM application profiling
- Hypervisor traffic monitoring
- PCI compliance