Junos DDoS Secure
Karel Hendrych, Sr. Systems [email protected]
Agenda
- Intro & SRX High End Firewall
- Junos DDoS Secure
- Management

Copyright © 2009 Juniper Networks, Inc. www.juniper.net
SRX HE Firewall

HW FIREWALLS: CONSOLIDATED SECURITY IN DC CORE
[Diagram: Edge / Core / Applications tiers with the SRX at the data center core]

SRX / DATA CENTER SERVICES PLATFORMS
- SRX5600 (8U, 6 slot): 60/15/15G; FW/VPN/IDP 95/55/35G, 44M sess, 400k cps
- SRX5800 (16U, 12 slot): FW/VPN/IDP 200/150/110G, 60M sess, 400k cps
(The diagram also labels the SRX3600.)
Next-Gen Security Systems
- Rich Standard Services: Firewall/NAT, DoS/DDoS/AppDDoS, VPN, IPS, QoS, AppSecure, LSYS
- Scalable Performance
- SRX3400 (3U, 8+4 GE): FW/VPN/IDP 20/6/6G, 3M sess, 150k cps
- SRX3600 (5U, 8+4 GE): FW/VPN/IDP 30/10/10G, 6M sess, 300k cps
- SRX1400 (3U, 12 GE or 3 XGE + 9 GE): FW/VPN/IDP 10/2/2G, 1.5M sess, 70k cps
- Scalable Performance: NEW - FW PPS up to 220M!
(*FW/IDP/IPSEC)
SRX3K PFE HIGH LEVEL ARCHITECTURE
[Diagram: packet forwarding engine of the SRX3K. Blocks: CP, SPU, FPGA, NP, SWI; Fabric – IOC domain; Fabric – SPC domain; IOC #X / IOC #Y, NPC #R / NPC #S, SPC #1 ... SPC #N. Functions shown: Flow lookup, Stateless Screens, CoS; Phy, Policers; Filters, Flow, Services.]
[Figure: SRX1400, HTTP 20kB, IDP recommended + 2M PPS UDP]
Junos DDoS Secure

JUNOS DDOS SECURE
[Diagram: Edge / Core / Applications; SRX pair at the core; Junos DDoS Secure in the traffic path]
WHAT DOES DDOS SECURE PROTECT
Resources, which can be:
- Servers
  - Weak IP stacks, bugs
  - IP stack table resources
  - Session overload
  - What are servers?
- Firewalls, Load Balancers, Concentrators
  - IP stack table resources
  - Session overload
- Gateways
  - Bandwidth overload
  - Packet overloads
  - What are gateways?
- URLs
  - Request overload
  - Slow or partial requests
HEURISTIC MITIGATION IN ACTION
[Diagram: Normal Internet Traffic and DDoS Attack Traffic enter the Junos DDoS Secure appliance (Heuristic Analysis); only Normal Internet Traffic reaches the protected Resources; a Management PC is attached to the appliance]

Normal Internet traffic flows through the Junos DDoS Secure appliance, while the software analyses the type, origin, flow, data rate, sequencing, style and protocol used by all inbound and outbound traffic. The analysis is heuristic in nature and adjusts over time, but it is applied in real time, with minimal (store-and-forward) latency.
JUNOS DDoS SECURE: HOW DOES IT WORK (1/3)
- Packet validated against pre-defined RFC filters
- Malformed and mis-sequenced packets dropped
- Individual IP addresses assigned a CHARM value
- Value assigned based on IP behaviours

[Diagram: CHARM value scale]
- Mechanistic Traffic: Low CHARM Value
- First Time Traffic: Medium CHARM Value
- Humanistic, Trusted Traffic: High CHARM Value
JUNOS DDoS SECURE: HOW DOES IT WORK (2/3)
CHARM Algorithm
Access dependent on CHARM threshold of target resource
- Below threshold: packets dropped
- Above threshold: allowed uninterrupted access
- Minimal (if any) false positives
CHARM threshold changes dynamically with resource 'busyness'
- Full stateful engine measures response times
- No server agents
JUNOS DDoS SECURE: PACKET FLOW SEQUENCE (3/3)
CHARM Technology Resource Control

[Diagram: Packet Enters -> Syntax Screener -> (Drop Packet | OK So Far) -> CHARM Generator -> With CHARM Value -> CHARM Screener -> (Drop Packet | Packet Exits); side tables: IP Behavior Table, Resource CHARM Threshold]

1. Validates data packet
   - Validates against defined filters
   - Validates packet against RFCs
   - Validates packet sequencing
   - TCP connection state
2. Calculates CHARM value for data packet
   - References IP behavior table
   - Function of time and historical behavior
   - Better behaved = better CHARM
3. Behaviour is recorded
   - Supports up to 32-64M profiles
   - Profiles aged on least used basis
4. Calculates CHARM threshold
   - Responsiveness of resource
5. Allow or drop
   - CHARM threshold
   - CHARM value
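The heuristic screening described on the preceding slides (syntax screen, per-IP CHARM value from an IP behaviour table, a per-resource threshold that rises as the resource's responsiveness degrades, then allow or drop), as an added illustrative model. This is example code written for this page, not Juniper's implementation: the half-life, pseudo-count, threshold formula, profile-table size, IP addresses and sample packets are all constructed assumptions, and a real engine weighs many more signals (type, origin, flow, data rate, sequencing, style, protocol) than the two counters used here.

```python
"""Toy CHARM-style behavioural screener (added example, not Juniper code)."""
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float                 # arrival time in seconds
    src: str                  # source IP address
    resource: str             # protected resource the packet is aimed at
    valid_syntax: bool = True  # passed RFC / filter checks (assumed pre-classified)
    in_sequence: bool = True   # consistent with TCP connection state


@dataclass
class IpBehaviour:
    last_seen: float
    good: float = 0.0  # decayed count of well-behaved packets
    bad: float = 0.0   # decayed count of malformed / mis-sequenced packets


class CharmScreener:
    HALF_LIFE = 60.0     # seconds; history fades over time (assumption)
    MAX_PROFILES = 1000  # stand-in for the 32-64M profile table
    PRIOR = 5.0          # pseudo-count that keeps first-time IPs at "medium"

    def __init__(self):
        self.table = {}          # IP behaviour table: src -> IpBehaviour
        self.response_time = {}  # resource -> last measured response time (s)

    def _profile(self, ip, now):
        """Fetch (or create) the IP's profile and decay its history to 'now'."""
        b = self.table.get(ip)
        if b is None:
            if len(self.table) >= self.MAX_PROFILES:
                lru = min(self.table, key=lambda k: self.table[k].last_seen)
                del self.table[lru]  # age out the least recently used profile
            b = self.table[ip] = IpBehaviour(last_seen=now)
        f = 0.5 ** ((now - b.last_seen) / self.HALF_LIFE)
        b.good *= f
        b.bad *= f
        b.last_seen = now
        return b

    def charm_value(self, ip, now):
        """0..100: unknown IP = 50; good history pushes up, bad history down."""
        b = self._profile(ip, now)
        return 50.0 + 50.0 * (b.good - b.bad) / (b.good + b.bad + self.PRIOR)

    def observe_response(self, resource, seconds):
        """Stateful engine feeds in the resource's measured response time."""
        self.response_time[resource] = seconds

    def threshold(self, resource):
        """Healthy resource (<= 0.1 s): threshold 0, nothing is dropped.
        Struggling resource: threshold climbs, capped at 90 so that
        well-behaved, long-known IPs keep uninterrupted access."""
        rtt = self.response_time.get(resource, 0.0)
        return min(90.0, 90.0 * max(0.0, rtt - 0.1))

    def process(self, pkt):
        b = self._profile(pkt.src, pkt.ts)
        if not (pkt.valid_syntax and pkt.in_sequence):
            b.bad += 1                    # syntax screener: drop and remember
            return "DROP_SYNTAX"
        charm = self.charm_value(pkt.src, pkt.ts)
        if charm < self.threshold(pkt.resource):
            return "DROP_CHARM"           # CHARM screener: below threshold
        b.good += 1                       # behaviour recorded
        return "ALLOW"


def demo():
    """Constructed scenario: trusted client, newcomer, and a junk sender."""
    s = CharmScreener()
    trusted, newcomer, attacker = "203.0.113.5", "198.51.100.7", "192.0.2.99"
    for t in range(20):                   # trusted client builds history
        s.process(Packet(t, trusted, "web"))
    for t in range(3):                    # attacker sends malformed packets
        s.process(Packet(t, attacker, "web", valid_syntax=False))
    idle = s.process(Packet(19.5, attacker, "web"))  # resource idle: still allowed
    s.observe_response("web", 0.8)        # resource starts struggling
    return {
        "idle_attacker": idle,
        "threshold": s.threshold("web"),
        "trusted": s.process(Packet(20, trusted, "web")),
        "newcomer": s.process(Packet(20, newcomer, "web")),
        "attacker": s.process(Packet(20, attacker, "web")),
        "newcomer_charm": s.charm_value(newcomer, 20),
    }


if __name__ == "__main__":
    print(demo())
```

The scenario shows the point the slides make about false positives: while the resource is responsive the threshold is zero and even the badly behaved sender's well-formed packets pass; once the measured response time climbs, only IPs with an established good history clear the threshold, first-time traffic sits at the medium value and is held back, and the sender with a record of malformed packets is dropped first.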
DDOS SECURE vs. SIGNATURE BASED BLOCKING
DDoS Secure – Behavioural learning
- Minimal configuration required
- No requirements for constant updates
- Recognises and dynamically adapts to new or zero-day attack vectors
DDoS Secure – Only drops if protected resource is struggling
- Minimal, if any, false positives
Plug and Play
- Low maintenance / human intervention
JUNOS DDoS SECURE VARIANTS
- VMware instance good for 1Gb throughput
  - ~700K-800K pps
- 1U appliance capable of 1Gb & 10Gb
  - ~750K cps / 2M pps
- 1U appliances have a choice of fail-safe card
  - Fiber (10G SR/LR)
  - Copper (1G / 10G)
- All can be used stand alone or as an Active – Standby pair
  - Or Active – Active (asymmetric routing)
HOW JUNOS DDOS SECURE UNIT IS DEPLOYED
Acts like a bridge
- Single in-band bi-directional data path, via two NICs
- No IP address on NICs
- Inserts into the path of an existing Ethernet segment
  - No need to reconfigure other network units
  - Circuit interruption limited to a few seconds when installing
- Management is out of band, via a 3rd IP-addressed interface
- State can be shared between multiple DDoS Secure appliances over a 4th interface
- Support for network redundancy
WHEN THAT'S NOT GOOD ENOUGH ... BGP FLOW SPEC, RFC 5575 ON JUNIPER UPSTREAM ROUTERS
- Flow Specification defines a method for distributing traffic flow specifications using BGP NLRI
- A flow specification has n-tuple match criteria on the IP packet
- Algorithm to define ordering of firewall match criteria
- Validation criteria defined to accept flow specifications from peers
- Policing/QoS/drop actions
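To make the slide's bullets concrete, the following added example (written for this page, not Juniper code) encodes one n-tuple flow specification as a BGP NLRI using the wire layout of RFC 5575 section 4, evaluates its match criteria against packets, and applies the RFC 5575 section 6 validation rule before a specification from a peer would be accepted. The rule, the packets, the tiny unicast RIB and the originator labels are constructed; "originator" stands in for the neighbouring AS in the RFC text.

```python
"""BGP Flow Specification (RFC 5575) NLRI encoder, matcher and validator.
Added example, not Juniper code; all sample data is constructed."""
import ipaddress
import struct

# Component types (RFC 5575 section 4); only a subset is implemented here
DEST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT, SRC_PORT = 1, 2, 3, 5, 6
# numeric_op bits (RFC 5575 section 4): end-of-list, AND, lt, gt, eq
OP_END, OP_AND, OP_LT, OP_GT, OP_EQ = 0x80, 0x40, 0x04, 0x02, 0x01

# (rule key, component type) in ascending type order, as the NLRI requires
RULE_KEYS = (("dst", DEST_PREFIX), ("src", SRC_PREFIX), ("proto", IP_PROTO),
             ("dst_port", DST_PORT), ("src_port", SRC_PORT))


def _prefix_component(ctype, prefix):
    """<type><prefix length in bits><prefix, only the octets needed>."""
    net = ipaddress.ip_network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_component(ctype, ops):
    """<type>{<numeric_op><value>}+ ; ops is a list of (flags, value)."""
    out = bytearray([ctype])
    for i, (flags, value) in enumerate(ops):
        if value < 0x100:
            length_bits, packed = 0x00, struct.pack("!B", value)  # len=00: 1 octet
        elif value < 0x10000:
            length_bits, packed = 0x10, struct.pack("!H", value)  # len=01: 2 octets
        else:
            length_bits, packed = 0x20, struct.pack("!I", value)  # len=10: 4 octets
        end = OP_END if i == len(ops) - 1 else 0
        out.append(flags | length_bits | end)
        out += packed
    return bytes(out)


def encode_nlri(rule):
    """Flow spec NLRI: <length><components in ascending type order>."""
    body = b""
    for key, ctype in RULE_KEYS:
        if key not in rule:
            continue
        if ctype in (DEST_PREFIX, SRC_PREFIX):
            body += _prefix_component(ctype, rule[key])
        else:
            body += _numeric_component(ctype, rule[key])
    if len(body) < 0xF0:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body  # extended length form


def numeric_match(ops, actual):
    """Terms are ORed; a term with the AND bit set is ANDed with the previous one."""
    result, current = False, None
    for flags, value in ops:
        term = bool((flags & OP_LT and actual < value) or
                    (flags & OP_GT and actual > value) or
                    (flags & OP_EQ and actual == value))
        if current is None:
            current = term
        elif flags & OP_AND:
            current = current and term
        else:
            result, current = result or current, term
    return result or bool(current)


def matches(rule, pkt):
    """Apply the n-tuple match to a packet given as a dict of header fields."""
    for key, ctype in RULE_KEYS:
        if key not in rule:
            continue
        if ctype in (DEST_PREFIX, SRC_PREFIX):
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key]):
                return False
        elif not numeric_match(rule[key], pkt[key]):
            return False
    return True


def validate(rule, originator, unicast_rib):
    """RFC 5575 section 6: accept only if the originator also originated the
    best-match unicast route for the destination prefix and no more-specific
    unicast route for it came from a different originator."""
    dst = ipaddress.ip_network(rule["dst"])
    covering = [(ipaddress.ip_network(p), o) for p, o in unicast_rib
                if dst.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return False
    best_orig = max(covering, key=lambda e: e[0].prefixlen)[1]
    more_specific_other = any(
        ipaddress.ip_network(p).subnet_of(dst) and ipaddress.ip_network(p) != dst
        and o != best_orig for p, o in unicast_rib)
    return originator == best_orig and not more_specific_other


# Constructed rule: drop UDP/53 sent to a resource under attack
RULE = {"dst": "192.0.2.10/32", "proto": [(OP_EQ, 17)], "dst_port": [(OP_EQ, 53)]}
RIB = [("0.0.0.0/0", "AS64510"), ("192.0.2.0/24", "AS64500")]  # constructed unicast RIB
PACKETS = [  # constructed packets
    {"src": "198.51.100.20", "dst": "192.0.2.10", "proto": 17, "dst_port": 53, "src_port": 40000},
    {"src": "198.51.100.20", "dst": "192.0.2.10", "proto": 17, "dst_port": 443, "src_port": 40001},
    {"src": "198.51.100.21", "dst": "192.0.2.11", "proto": 17, "dst_port": 53, "src_port": 40002},
]


def demo():
    return {
        "nlri_hex": encode_nlri(RULE).hex(),
        "discard": [matches(RULE, p) for p in PACKETS],
        "valid_from_owner": validate(RULE, "AS64500", RIB),
        "valid_from_other": validate(RULE, "AS64510", RIB),
    }


if __name__ == "__main__":
    print(demo())
```

The validation step is what keeps a flow specification from a peer from discarding traffic for address space that peer does not route: the rule above is accepted when it arrives from the originator of 192.0.2.0/24 and rejected when it arrives from the default-route originator. On Junos the same match is configured as a static flow route under routing-options flow with a discard or rate-limit action and advertised with family inet flow on the BGP session.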
Management
Management
- JunOS CLI
- JunOS Space
- JDDOS UI
- STRM
Open Management Interfaces:
- DMI/Netconf IETF standard
- JunOS scripting
- SNMP
- Syslog logging
SECURITY THREAT RESPONSE MANAGER (STRM): Log management, Correlation, Flow, SIEM
- STRM supports SRX Series Intrusion Prevention System (IPS) and AppSecure
- 220+ out-of-the-box report templates
- Fully customizable reporting engine: creating, branding and scheduling delivery of reports
- Compliance reporting packages for PCI, SOX, FISMA, GLBA, and HIPAA
- Reports based on control frameworks: NIST, ISO and CoBIT
JUNOS DDOS SECURE + SRX + STRM
[Diagram: Edge / Core / Applications; Upstream; SRX pair; STRM Console, STRM Log Collector, STRM Flow Collector; Collector]