Junos DDoS Secure. Karel Hendrych, Sr. Systems Engineer, khendrych@juniper.net


Page 1: Junos DDoS Secure - PROIDEA (2013-11-05), khendrych@juniper.net

Junos DDoS Secure

Karel Hendrych, Sr. Systems Engineer, khendrych@juniper.net

Page 2

Agenda

• Intro & SRX High End Firewall
• Junos DDoS Secure
• Management

2 Copyright © 2009 Juniper Networks, Inc. www.juniper.net

Page 3

SRX HE Firewall

Page 4

HW FIREWALLS: CONSOLIDATED SECURITY IN DC CORE

(Diagram: Edge, Core and Applications tiers, with the SRX hardware firewalls consolidating security at the data centre core.)

Page 5

SRX / DATA CENTER SERVICES PLATFORMS

Next-Gen Security Systems
• Rich Standard Services: Firewall/NAT, DoS/DDoS/AppDDoS, VPN, IPS, QoS, AppSecure, LSYS
• Scalable Performance
• NEW - FW PPS up to 220M!

Platform   Chassis   Interfaces / slots     FW/VPN/IDP throughput   Sessions, connections per second
SRX5800    16U       12 slot                200/150/110G            60M sess, 400kcps
SRX5600    8U        6 slot                 95/55/35G               44M sess, 400kcps
SRX3600    5U        8+4 GE                 30/10/10G               6M sess, 300kcps
SRX3400    3U        8+4 GE                 20/6/6G                 3M sess, 150kcps
SRX1400    3U        12GE or 3XGE+9GE       10/2/2G                 1.5M sess, 70kcps

*FW/IDP/IPSEC. (The slide also shows a 60/15/15G figure next to the 8U, 6 slot chassis.)

Page 6

SRX3K PFE HIGH LEVEL ARCHITECTURE

(Diagram: packet forwarding engine block layout. Fabric – IOC domain: IOC #X / NPC #R and IOC #Y / NPC #S, each built from FPGA, NP and SWI blocks. Fabric – SPC domain: SPC #1 to SPC #N, each with CP, SPU and FPGA blocks. Functions shown on the blocks: Phy, Policers; Flow lookup, Stateless Screens, CoS; Filters, Flow, Services.)

Page 7

(Performance chart: SRX1400, HTTP 20kB, IDP recommended + 2M PPS UDP.)

Page 8

Junos DDoS Secure

Page 9

JUNOS DDOS SECURE

(Diagram: Edge, Core and Applications tiers, with Junos DDoS Secure placed in the traffic path alongside the SRX pair.)

Page 10

WHAT DOES DDOS SECURE PROTECT

Resources, which can be:

Servers
• Weak IP stacks, bugs
• IP stack table resources
• Session overload
• What are servers

Firewalls, Load Balancers, Concentrators
• IP stack table resources
• Session overload

Gateways
• Bandwidth overload
• Packet overloads
• What are gateways

URLs
• Request overload
• Slow or partial requests

Page 11

HEURISTIC MITIGATION IN ACTION

(Diagram: Normal Internet traffic and DDoS attack traffic enter Junos DDoS Secure; the heuristic analysis passes only the normal Internet traffic through to the resources, and the appliance is monitored from a management PC.)

Normal Internet traffic flows through the Junos DDoS Secure appliance, while the software analyses the type, origin, flow, data rate, sequencing, style and protocol used by all inbound and outbound traffic. The analysis is heuristic in nature and adjusts over time, but is applied in real time with minimal (store and forward) latency.

Page 12

JUNOS DDoS SECURE HOW DOES IT WORK (1/3)

• Packet validated against pre-defined RFC filters
• Malformed and mis-sequenced packets dropped
• Individual IP addresses assigned CHARM value
• Value assigned based on IP behaviours

Mechanistic traffic          -> Low CHARM value
First-time traffic           -> Medium CHARM value
Humanistic, trusted traffic  -> High CHARM value

Page 13

JUNOS DDoS SECURE HOW DOES IT WORK (2/3)

CHARM Algorithm

Access dependent on CHARM threshold of target resource
• Below threshold, packets dropped
• Above threshold, allowed uninterrupted access
• Minimal (if any) false positives

CHARM threshold changes dynamically with resource 'busyness'
• Full stateful engine measures response times
• No server agents

Page 14

JUNOS DDoS SECURE PACKET FLOW SEQUENCE (3/3)

(Diagram: Packet Enters -> Syntax Screener -> "OK So Far" -> CHARM Generator -> "With CHARM Value" -> CHARM Screener -> Packet Exits. The Syntax Screener and the CHARM Screener each have a Drop Packet exit. Supporting blocks: IP Behavior Table, Resource Control with CHARM Threshold; labelled "CHARM Technology".)

1. Validates data packet
   • Validates against defined filters
   • Validates packet against RFCs
   • Validates packet sequencing
   • TCP connection state

2. Calculates CHARM value for data packet
   • References IP behavior table
   • Function of time and historical behavior
   • Better behaved = better CHARM

3. Behaviour is recorded
   • Supports up to 32-64M profiles
   • Profiles aged on least used basis

4. Calculates CHARM threshold
   • Responsiveness of resource

5. Allow or Drop
   • CHARM threshold
   • CHARM value
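The five-stage sequence above as a small Python model, added here as an illustration and not Juniper's own CHARM implementation: the slides give the shape (syntax screener, per-source score, least-used profile aging, a threshold driven by resource responsiveness, allow/drop), while the score weights, the threshold curve and the sample packets are assumptions chosen to make the mechanism visible.

```python
# Added toy model of the CHARM-style pipeline on slides 12-14; not Juniper's
# code. Score weights, decay and threshold curve are assumptions.
from collections import OrderedDict

MEDIUM_CHARM = 50.0  # assumed starting score for first-time traffic


def syntax_ok(pkt):
    """Stage 1, syntax screener: drop malformed packets before scoring
    (assumed checks: TCP/UDP only and a sane total length)."""
    return pkt["proto"] in ("tcp", "udp") and 0 < pkt.get("len", 0) <= 1500


class CharmScreener:
    """Stages 2-5: CHARM generator, IP behaviour table, threshold, screener."""
    def __init__(self, max_profiles=1000):
        self.table = OrderedDict()  # src -> CHARM, least recently used first
        self.max_profiles = max_profiles
        self.threshold = 0.0

    def charm_value(self, src, pkt):
        """Stage 2: better behaved = better CHARM (assumed: a completed TCP
        handshake raises the score, an unanswered packet lowers it)."""
        charm = self.table.get(src, MEDIUM_CHARM)
        if pkt.get("completed_handshake"):
            return min(100.0, charm + 10)
        if pkt.get("unanswered"):
            return max(0.0, charm - 15)
        return charm

    def record(self, src, charm):
        """Stage 3: store behaviour; age profiles on a least-used basis."""
        if src in self.table:
            self.table.move_to_end(src)
        elif len(self.table) >= self.max_profiles:
            self.table.popitem(last=False)
        self.table[src] = charm

    def update_threshold(self, response_ms):
        """Stage 4: threshold follows resource responsiveness (assumed curve:
        0 below 50 ms, +1 per 10 ms above it, capped at 80)."""
        self.threshold = max(0.0, min(80.0, (response_ms - 50) / 10))

    def screen(self, pkt, response_ms):
        """Stage 5: allow only when the source's CHARM meets the threshold."""
        if not syntax_ok(pkt):
            return "drop:syntax"
        charm = self.charm_value(pkt["src"], pkt)
        self.record(pkt["src"], charm)
        self.update_threshold(response_ms)
        return "allow" if charm >= self.threshold else "drop:charm"
```

With the resource idle (low response time) the threshold sits at zero and first-time sources pass; once the resource slows down the threshold climbs and only sources with an established good history keep their access, which is the "only drops if the protected resource is struggling" behaviour the next slide claims.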

Page 15

DDOS SECURE vs. SIGNATURE BASED BLOCKING

DDoS Secure – Behavioural learning
• Minimal configuration required
• No requirement for constant updates
• Recognises and dynamically adapts to new or zero-day attack vectors

DDoS Secure – Only drops if the protected resource is struggling
• Minimal, if any, false positives

Plug and Play
• Low maintenance / human intervention

Page 16

JUNOS DDoS SECURE VARIANTS

• VMware instance good for 1Gb throughput
  - ~700K-800K pps
• 1U appliance capable of 1Gb & 10Gb
  - ~750K cps / 2M pps
• 1U appliances have a choice of fail-safe card
  - Fiber (10G SR/LR)
  - Copper (1G / 10G)
• All can be used stand-alone or as an Active – Standby pair
  - or Active – Active (asymmetric routing)

Page 17

HOW THE JUNOS DDOS SECURE UNIT IS DEPLOYED

Acts like a bridge
• Single in-band bi-directional data path, via two NICs
• No IP address on the NICs

Inserts into the path of an existing Ethernet segment
• No need to reconfigure other network units
• Circuit interruption limited to a few seconds when installing

Management is out of band, via a 3rd IP-addressed interface

State can be shared between multiple DDoS Secure appliances over a 4th interface

Support for network redundancy

Page 18

WHEN THAT'S NOT GOOD ENOUGH ... BGP FLOW SPEC, RFC 5575 ON JUNIPER UPSTREAM ROUTERS

• Flow Specification defines a method for distributing traffic flow specifications using BGP NLRI
• A flow specification has n-tuple match criteria on the IP packet
• Algorithm to define the ordering of firewall match criteria
• Validation criteria defined to accept flow specifications from peers
• Policing/QoS/drop actions
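As an added illustration of the n-tuple match criteria and the peer validation rule on this slide (not Juniper's own code), a small Python encoder for an RFC 5575 Flow Specification NLRI, the wire form in which a flow route is carried over BGP, plus the simplified originator check. Assumed: IPv4 only, single equality-match components of the three common types, and constructed sample prefixes and peer names.

```python
# Added example of RFC 5575 Flow Specification NLRI encoding and the
# originator validation check; not Juniper code. IPv4 only, with the three
# component types that cover the usual "drop this flood" rule, each as a
# single '==' match. Sample prefixes and AS numbers are constructed.
import ipaddress

DEST_PREFIX, IP_PROTOCOL, DEST_PORT = 1, 3, 5  # RFC 5575 component types

def prefix_component(ctype, cidr):
    """<type><prefix length in bits><prefix octets>, RFC 5575 section 4."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def numeric_eq_component(ctype, value):
    """One numeric operator with eq set. Operator octet: e(end-of-list)=bit 7,
    a(and)=bit 6, value length=bits 5-4 (00: 1 octet, 01: 2 octets), eq=bit 0."""
    if value < 256:
        return bytes([ctype, 0x80 | 0x01, value])
    return bytes([ctype, 0x80 | 0x10 | 0x01]) + value.to_bytes(2, "big")

def encode_flowspec(dst_prefix, protocol=None, dst_port=None):
    """Return the NLRI: 1-octet length if < 240 (else 2 octets, 0xFnnn),
    then the components in ascending type order as the RFC requires."""
    body = prefix_component(DEST_PREFIX, dst_prefix)
    if protocol is not None:
        body += numeric_eq_component(IP_PROTOCOL, protocol)
    if dst_port is not None:
        body += numeric_eq_component(DEST_PORT, dst_port)
    n = len(body)
    return (bytes([n]) if n < 240 else (0xF000 | n).to_bytes(2, "big")) + body

def validate_flowspec(dst_prefix, peer, unicast_best):
    """RFC 5575 section 6 check, simplified: accept a flow route only if the
    advertising peer also originated the best-matching unicast route for the
    destination prefix, so a peer cannot black-hole addresses it does not
    own. unicast_best maps prefix -> originating peer (assumed shape)."""
    net = ipaddress.IPv4Network(dst_prefix)
    covering = [p for p in unicast_best
                if net.subnet_of(ipaddress.IPv4Network(p))]
    if not covering:
        return False
    best = max(covering, key=lambda p: ipaddress.IPv4Network(p).prefixlen)
    return unicast_best[best] == peer
```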

Page 19

Management

Page 20

Management

- JunOS CLI
- JunOS Space
- JDDOS UI
- STRM

Open Management Interfaces:

- DMI/Netconf IETF standard
- JunOS scripting
- SNMP
- Syslog logging

Page 21

SECURITY THREAT RESPONSE MANAGER (STRM)
Log management, Correlation, Flow, SIEM

STRM supports SRX Series
• Intrusion Prevention System (IPS) and AppSecure
• 220+ out-of-the-box report templates
• Fully customizable reporting engine: creating, branding and scheduling delivery of reports
• Compliance reporting packages for PCI, SOX, FISMA, GLBA, and HIPAA
• Reports based on control frameworks: NIST, ISO and CoBIT

Page 22

JUNOS DDOS SECURE + SRX + STRM

(Diagram: Edge, Core and Applications tiers with the SRX pair and an upstream collector; the STRM console, STRM log collector and STRM flow collector receive the logs and flows.)

Page 23

Karel Hendrych, khendrych@juniper.net

Q&A