kunal jha, juniper networks · 2017-01-18 · implementing firewall in the kernel micro-segmenting...

Copyright © 2011 Juniper Networks, Inc. www.juniper.net

Kunal Jha, Juniper Networks

Post on 10-Jul-2020


Page 1

Kunal Jha, Juniper Networks

Page 2

Cloud

Virtualization

BYOD / Mobility

SDN

Security

Page 3

Simplified Networking

[email protected] Senior Systems Engineer

Juniper Networks Proprietary and Confidential -- printed copies of this document are for reference only

Page 4

[Figure: EX Series switch portfolio timeline, 2008 2009 2010 2011 2012 2013+, with FIXED and MODULAR platforms at the Core, Aggregation and Access layers.]

Platforms shown: EX2200, EX2200-C, EX3200, EX3300, EX4200, EX4200-PX, EX4500, EX4550 SFP+, EX4550 10GT, EX6200, EX6200 48F, EX8208, EX8216, EX9200

Virtual Chassis: EX3300 Virtual Chassis, EX42000 Virtual Chassis, EX4500 Virtual Chassis, EX8200 Virtual Chassis

Other labels: 8x10G, 40x10G, 1G-Copper, 1G-Fiber, Extra-Scale, External RPS

Page 5

OPERATIONAL SIMPLICITY

Deployed Extensively

Why We Win

Technology Flexibility

Performance

Over 19,000 customers, 15M+ ports

Data center, campus, branch, SP

Financials, healthcare, education

#3 LAN switching vendor

Page 6

On-Premise Apps

Dedicated Servers

Dedicated Storage

THE REST OF THE DATA CENTER HAS ADVANCED DRAMATICALLY IN RECENT YEARS

Rigid, legacy model of I.T.

Software Services

Virtualized Workloads

Shared Storage

Applications

Servers/ Compute

Storage

From To

Flexible, virtualized model

Page 7

On-Premise Apps

Dedicated Servers

Dedicated Storage

Layers of Complexity

Rigid, legacy model of I.T.

Software Services

Virtualized Workloads

Shared Storage

Applications

Servers/ Compute

Storage

Network

THE DATA CENTER NETWORK HAS NOT EVOLVED, AND IS NOW AN INHIBITOR

Network

From To

Flexible, virtualized model

Experience?

Economics?

Page 8

Ethernet Network evolution 3-2-1

3. Legacy three-tier data center

2. Juniper two-tier data center

1. Juniper’s data center fabric

Up to 75% of traffic E-W (east-west)

Page 9

Virtual Chassis: advantage

Core Switches

Distribution Switches

Access Switches

128 Gig

10 Gig 10 Gig 10 Gig 10 Gig

Page 10

Multi Building campus

WAN

One Virtual Chassis to manage for the entire campus backbone

1GbE uplink

GbE/10GbE VCP

1GbE uplink

GbE/10GbE VCP

EX4200 Virtual Chassis

EX4200 Virtual Chassis

EX4200 Virtual Chassis

EX4200 Virtual Chassis

Classroom Bldg 4

Recreation Bldg 5

Admin Bldg 1

Lab Bldg 2

EX4200 Virtual Chassis

Classroom Bldg 3

Deployment example Utilize the same MM fiber

One-switch LAN

1 to manage

1 to upgrade

1 software version

No L2 Loop/No STP required

High Availability

Redundant Pwr/Cooling

Redundant Switch Fabric

Sub-second Convergence in case of device/link failure

Integrated Access Security

Integrated QoS for Voice/Video/Data

Local L3/L2 processing: peer-to-peer traffic can be processed by the VC ring itself, with no need to load the core. Optimized for Voice and Video over IP, as inter-building traffic bypasses the core switch.

Page 11

Distributed CORE with 8-member VC

EX4200 EX4200

EX4200 EX4500

EX4200 EX4200

EX4200 EX4500

Single core switch to manage across all sites

A Location

C Location

B Location D Location

One core switch to manage across multiple sites

Sites could be campus or DC or both – common hardware and operating system

Seamless virtual workload mobility across sites

Page 12

Switch Fabric

Data Plane

Flat

Any-to-any

Control Plane

Single device

Shared state

TRANSFORM THE NETWORK

Scalability and resilience of a network

Performance and simplicity of a single switch

Single device N=1

A Fabric has the….

And the…

One Network

Flat, any-to-any connectivity

Page 13

Single point of management…

Cabling complexity

Chassis Switch End of Row…

Page 14

QFabric evolving the single switch model

Chassis Switch

• Separate the I/O modules from the fabric and replace copper traces with fiber links.

• For redundancy add multiple Interconnect devices.

• Federated Control and Intelligent Nodes

• One logical switch

Interconnect

Node

QFabric

Director

I/O Modules

Fabric

Route Engine

Page 15

Storage

Simplicity

End-to-end FCoE

FCoE/FC Gateway and FCoE/iSCSI Transit Switch

N=1

Lossless

Performance

DCB compliant

Runs Junos

Rich functionality

Scalability

Designed for Modern DC

Flexible VLAN capability

Virtualization and convergence

Seamless Layer 2 and Layer 3

QFABRIC Family Summary

QFX3000-M: 10s to 768 ports; low jitter, <3us on avg.

QFX3000-G: 10s to 6,144 ports; low jitter, <5us on avg.

Page 16

Approaches To Securing Virtual Servers:

1. VLAN Segmentation

• Each VM in separate VLAN
• Inter-VM communications must route through the firewall
• Drawback: Possibly complex VLAN networking

[Diagram labels: ESX Host; VM1 VM2 VM3; HYPERVISOR]

2. Agent-based

• Each VM has a software firewall
• Drawback: Significant performance implications; huge management overhead of maintaining software and signatures on 1000s of VMs

[Diagram labels: ESX Host; VM1 VM2 VM3; FW Agents; HYPERVISOR]

3. Kernel-based Firewall

• VMs can securely share VLANs
• Inter-VM traffic always protected
• High performance from implementing firewall in the kernel
• Micro-segmenting capabilities

[Diagram labels: ESX Host; VM1 VM2 VM3; FW as Kernel Module; HYPERVISOR]

Page 17

vGW Firewall Performance

TCP Throughput Test (Standard 1500 Byte packet size). See slide notes for details

Page 18

Network Access Control SIEM/STRM

SSL VPN SSL VPN

Firewall/IPSec VPN Intrusion Prevention

Juniper is a recognized industry leader in Security

Leaders Quadrant in Four Categories:

Network Access Control

SIEM/STRM

SSL VPN

FW/IPSec VPN

Visionaries Quadrant in:

Intrusion Prevention Category

Page 19

Inconvenient Statistics

70% of ALL threats are at the Web application layer.

73% of organizations have been hacked in the past two years through insecure Web apps.

Sources: Ponemon Institute, Gartner

Page 20

Bot Nets

Targeted Scanners

IP Scanners

Manual Hacking

• Reliance on signatures

• Static attack surface

• No understanding of attackers

• Reactive

WAF is not enough

Page 21

– WAFW00F can fingerprint WAF products protecting a website…. Can already profile 20 WAF products.

WAF is not enough

Source: http://code.google.com/p/waffit/source/browse/trunk/wafw00f.py

Page 22

5 attack phases: APT behaviour

Phase 1, Silent Reconnaissance: Attackers profile physical and virtual devices and applications.

Phase 2, Attack Vector Establishment: Weaknesses in attack surface identified for attack.

Phase 3, Attack Implementation: Attacks launched to take control of device, application or VM. Can be used to begin further reconnaissance.

Phase 4, Attack Automation: Repeat attack to increase effectiveness, increase profit or extract more data.

Phase 5, Maintenance: Evade patching and remediation measures to stop the attack.

[Diagram labels: Plays Here; WAF Plays Here]

Page 23

The Junos WebApp Secure (MYKONOS) advantage: Deception-based Security

Detect: “Tar Traps” detect threats without false positives.

Track: Track IPs, browsers, software and scripts.

Profile: Understand attacker’s capabilities and intents.

Respond: Adaptive responses, including block, warn and deceive.

Page 24

App Server Client

Server Configuration

Network

Perimeter

Database Firewall

Query String Parameters

Tar Traps

Hidden Input Fields

Detection by Deception

Page 25

Fingerprint of An Attacker

Browser version

Fonts

Browser add-ons

Timezone

IP Address

200+ attributes used to create the fingerprint.

~ Real Time availability of fingerprints

nearly zero False Positives

Page 26

Smart Profile of Attacker

Attacker local name (on machine)

Incident history

Attacker threat level

Attacker global name (in Spotlight)

Page 27

Junos WebApp Secure

Responses

Human Hacker

Botnet

Targeted Scan

IP Scan

Scripts & Tools

Exploits

Warn attacker

Block user

Force CAPTCHA

Slow connection

Simulate broken application

Force log-out

All responses are available for any type of threat. Highlighted responses are most appropriate for each type of threat.

Respond and Deceive

Page 28

Solution Slides

Mobility & BYOD

Page 29

THE HISTORY OF BUSINESS CONNECTIVITY

Terminals: Serial Networks

PCs: Ethernet Networks

Laptops: Casual Wireless

Mobile Devices: Primarily Wireless

Page 30

Over 6,000 Customers

Juniper wireless today

1 M+ AP installed base since 2005

Healthcare

Education (Higher Ed & K-12)

Hospitality

Presence in Fortune 500:

Shell, Chevron, Alcoa, Audi, VW

Many Mission Critical Environments:

University Minnesota

18,000 AP, 300 Buildings, 1200 Acres

Belfast Health & Social Care Trust

2,220 AP, 7 hospitals, 22,000 Staff

Largest WLAN patent portfolio today

Proven Technology Track Record:

Simple, Secure, Mobile

Real Time Location Aware

17 issued patents, 49 pending

Differentiating WLAN Innovations:

Seamless roaming

Life Cycle Management

Intelligent Switching

Controller Virtualization

Identity Based Networking

Unified Mobility Services

Page 31

Fat AP Architecture Local Switching

Thin AP Architecture Central Switching

Juniper WLAN

Architecture Local AND Central Switching

Juniper Networks Wireless LAN Evolution

x Performance

x Reliability

Security Management Performance

Reliability

Security Management

Performance

x Security x Management

x Reliability

Optimized for: Optimized for: Optimized for:

Page 32

DISTRIBUTED SWITCHING MAXIMIZES SCALABILITY

Centralized-Only Switching Breaks Down Under Increased Load from 802.11n (Cisco & Aruba)

• All traffic gets forwarded by controller
• Twice the traffic through network core
• 802.11n increases load up to 10x
• Can't scale without expensive upgrades

Distributed Switching Handles 802.11n without Breaking Down (Juniper)

• Traffic can be forwarded by the AP
• Optimized traffic flows – ideal for voice
• 802.11n has no impact on controller
• Scales in place without upgrades

[Diagram labels: Internet; 11n increases load by up to 10x; 10x increase exceeds controller capacity]

Page 33

RESILIENCY ADVANTAGE OF WLAN VIRTUALIZATION

Hot Standby Approach - Aruba

• Catastrophic failure – dropped user sessions (imagine voice call)
• APs restart using hot standby controller
• No AP load balancing across controllers
• Fully loaded hot standby required

Controller Virtualization - Juniper

• Hitless failover – even for active session (including voice calls)
• APs instantly remapped to in-service controller
• Dynamic AP load balancing across controllers
• No additional equipment required

Page 34

Core differentiator: CONTROLLER CLUSTERING

Competitors' Complex Approach

• Discrete controllers operate independently for AP redundancy configuration
• Harder to scale since adding capacity is cumbersome
• Limited resiliency – APs mapped directly to controller & resets upon network/device failure
• Limited reliability – N+1 (limited to number of designated back-up switches)
• Difficult to manage, highest cost of ownership

Juniper’s Simplified Approach

• Clustered controllers – act collectively as single virtual controller for wireless configuration
• Easy to scale – capacity can be added in chunks, anywhere in the network
• Highest resiliency – APs dynamically map to controllers – optimized, auto AP load balancing
• Always-on reliability – many-to-many redundancy – all switches can serve as back-up
• Easiest to manage, lowest cost of ownership

[Diagram labels: Hot Stand-by or Back-up controller; Controller A, Controller B, Controller C; Vendor A; Vendor B]
