Scalable and open NG security by Juniper Networks
Karel Hendrych
Sr. Systems Engineer
April 2015
COMMITTED TO INNOVATION AND INVESTMENT
Security is core to our business at Juniper
• Dedicated Innovator: first to ship 100GbE interface; innovating in SDN/NFV, network automation
• New in 2014: A differentiated approach to security with our open, integrated threat intelligence platform
• New in 2015: Leveraged custom silicon and software to deliver breakthrough performance and scale in the High End SRX (2 Tbps throughput)
• Global Powerhouse: Serving customers in over 47 countries, with a worldwide community of over 1000 Reseller Partners
• Significant Market Share: #2 in High-End Firewalls [1], #2 in Carrier-Class Network Firewalls [2]
1. Infonetics Research Q2'2014
2. Gartner Carrier Class Network Firewalls Report, Q4'14
Solving the Problem: Tailored Security for Critical Assets
• Get maximum PERFORMANCE & easily SCALE to adapt to the future
• Stop all types of attacks with BEST-IN-CLASS SECURITY
• Ensure your network is always AVAILABLE with easy, secure ACCESS to optimize productivity
EVOLUTION OF FIREWALL
• Open platform delivers more value
• Scalable to ensure full enterprise or service provider deployment
• Built for expansive data capacity
• Improved efficacy, with fine-tuning
• Adaptive in its ability to incorporate many types of data into policy
[Figure: evolution from the traditional firewall (Layer 3, closed) through the next-gen firewall (Layer 7) to the Dynamic Adaptive Platform (open, fed by Security Intelligence)]
SRX Differentiators
• HIGH PERFORMANCE and SCALE with maximum throughput, session scale, ISSU, and ISHU
• OPEN THREAT INTELLIGENCE leveraging threat feeds from multiple sources to deliver automated enforcement
• SECURE AND RESILIENT under attack with separate control and data planes and multiple processing cores
• INTEGRATION of physical and virtual solutions (vSRX) to deliver visibility, security, and compliance
• APPLICATION AWARENESS with AppSecure to stop application-borne security threats and manage application usage
JUNOS Architecture: Separate Data and Control Plane
[Figure: two designs compared under DoS & DDoS attacks. Left: a SHARED PLANE in which management, routing, the kernel and data processing compete for the same resources. Right: the Junos design with a separate Control Plane (management, routing, kernel) and Data Plane (packet forwarding, physical interfaces, interface modules).]
Shared plane under attack:
• Attacks overwhelm the box
• Administrator loses management access – your network is down
Separate control and data planes under attack:
• Attacks can be thwarted
• Under attack, the administrator maintains management access to modify policy, disallow bad traffic, and process good traffic – your network stays up
SRX Series Services Gateways
Single Junos. Unprecedented Scale. Integrated Routing, Switching and Security.
[Figure: SRX portfolio arranged by throughput (1G, 10G, 100G, 1 Tbps) and deployment (BRANCH, CAMPUS, DATA CENTER).]
• Branch SRX: SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
• High-End SRX: SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, SRX5800, scaling up to 1.2 Tbps FW throughput and 100 million concurrent sessions
• vSRX (virtual)
Juniper Security Architecture Overview
[Figure: deployment diagram. Security Director / Virtual Director / Log Director, together with OSS/BSS systems and a Customer Portal, manage an Enterprise Branch SRX over the WAN, MX routers toward the Internet and a Hybrid Cloud, a High End SRX Cluster, and vSRX instances with virtual routers (VR) on multi-tenant virtualized servers (VMs under a shared hypervisor) and single-tenant virtualized hosts.]
Junos Space Security Director: Management AUTOMATES
• Delivers scalable and responsive security management
• Improves the reach, ease, and accuracy of security policy administration
• Enables quick and intuitive web-based management of the security policy lifecycle
• Integrated with Spotlight Secure, open threat intelligence platform

• Firewall Management
• IPsec VPN Management
• Network Address Translation (NAT) management
• Intrusion prevention (IPS) management
• Application-level policy management
• UTM (unified threat management)
• Threat Intelligence Enforcement
• Publish Workflow: manage policy changes with a review/approve cycle
Security Intelligence Solution Architecture (1/2)
[Figure: Spotlight Secure cloud feeding Security Director, which distributes intelligence to SRX Firewalls. Inputs: Command & Control, GeoIP, Attacker Fingerprints, customer-provided or 3rd party threat data, and Local Attacker Details (API calls). Numbered steps correspond to the list below.]
1. Aggregated & optimized cloud-based threat intelligence
2. Juniper-provided threat intelligence to customer premise
3. Local/Customer data incorporated into solution
4. Centrally managed by Junos Space Security Director
5. Intelligence distributed to SRX enforcement points
SecIntel Solution Architecture (2/2)
[Figure: Spotlight Secure cloud service (Command & Control, GeoIP) feeding the Spotlight Secure Connector, which is deployed alongside Security Director and Log Director on Space H/W or ESX (Space "Fabric" on ESX); customer-provided or 3rd party threat data and Local Attacker Details are fed in locally. Numbered steps correspond to the list below.]
1. Aggregated & Optimized cloud-based threat intelligence
2. Juniper-provided threat intelligence to customer premise
3. Local/Customer data aggregated into solution
4. Centralized management by Security Director
5. Scalable (aggregated) intelligence distribution
Spotlight Secure – intelligence from the Cloud
[Figure: the Spotlight Secure Connector drawing on Internal Sources, Confidential Sources, Mysterious Sources, and External Sources.]
Spotlight Secure compiles its data from multiple sources, using heuristic analysis and machine learning to provide the most up-to-date, actionable intelligence.
USE CASE I. Bot command & control mitigation
PREVENTING INSIDE TO OUTSIDE COMMUNICATION WITH KNOWN BOT COMMAND AND CONTROL CHANNELS – IP/URLs
USE CASE II. Custom whitelists/blacklists and rulebase automation
Example feed files (one entry per line: single addresses, prefixes, and address ranges):
https://provisioning/blacklist1.txt
  192.168.2.11
  192.168.1.0/24
  192.168.1.30-192.168.1.99
https://provisioning/custom1.txt
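The custom feed files above are plain text, one entry per line. As an added example (not Juniper's code and not part of the original deck), the following Python parser reads a feed in that format, expands single addresses, CIDR prefixes and dash-separated ranges into network objects, reports malformed lines instead of silently dropping them, and lets an operator check which addresses a list would match before it is published to the SRX. The feed content, including the deliberately bad last line, is constructed sample data.

```python
import ipaddress

# Constructed sample feed in the format shown on the slide: single addresses,
# CIDR prefixes and dash-separated ranges, one per line. The last line is a
# deliberately malformed entry to show how it is reported.
SAMPLE_FEED = """\
# blacklist1.txt (constructed sample, not a real feed)
192.168.2.11
192.168.1.0/24
192.168.1.30-192.168.1.99
10.0.0.300
"""


def parse_feed(text):
    """Return (networks, rejected). Each valid line becomes one or more
    ipaddress network objects; malformed lines are collected as
    (line number, raw text, reason) instead of being silently dropped."""
    networks, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # allow trailing comments
        if not line:
            continue
        try:
            if "-" in line:
                lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
                if lo.version != hi.version:
                    raise ValueError("mixed address families in range")
                if hi < lo:
                    raise ValueError("range end precedes range start")
                networks.extend(ipaddress.summarize_address_range(lo, hi))
            else:
                networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            rejected.append((lineno, raw, str(exc)))
    return networks, rejected


def is_listed(networks, addr):
    """True if addr falls inside any entry of the parsed feed."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks if net.version == ip.version)


if __name__ == "__main__":
    nets, bad = parse_feed(SAMPLE_FEED)
    print(f"{len(nets)} networks loaded, {len(bad)} line(s) rejected")
    for lineno, raw, why in bad:
        print(f"  line {lineno}: {raw!r}: {why}")
    print("192.168.1.75 listed:", is_listed(nets, "192.168.1.75"))
```

A non-empty rejected list is the signal to fix the feed before provisioning; the networks list is what actually reaches the enforcement points.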
SRX5400
• Ideal for medium to large enterprises and Service Provider networks
• Software Security Services
  • AppSecure and IPS
  • AV and web filtering
  • Threat intelligence
• Next-generation, high-performance line cards (IOCII)
[Figure: SRX5400 chassis with slot cover, power supply, SPCII card, IOCII card, and SCB and RE card labelled]

SRX5400 specifications
On-board Ethernet: 10X10GE-SFPP
Optional Ethernet: 1GE - SFP, 10GE - SFPP, 40GE - QSFP, 100GE - CFP
JUNOS Software Version Support: JUNOS 12.3X48
Firewall Performance (w/Express Path): 65 Gbps (240 Gbps)
Firewall Performance (IMIX): 30 Gbps
Firewall Performance (Firewall + Routing PPS, 64 byte): 8 Mpps (50M PPS)
VPN Performance – AES256+SHA-1 or 3DES+SHA-1: 20 Gbps
AppSecure: 50 Gbps
Intrusion Prevention System: 22 Gbps
Connections Per Second (CPS): 420 K
Maximum Concurrent Sessions: 28 M
High Availability: A/A or A/P
IPS COMPETITIVE
• Source: http://forums.juniper.net/t5/Security-Now/7-617-Tests-Later-and-Juniper-s-Firewall-Stops-Threats-Better/ba-p/270404
• Critical/Major/Minor server side protection
• Testing Methodology Details (HW / SW version / signature pack):
  SRX 3400 / 12.1X46D30 / Juniper IDP Signature Database 2454
  PAN 500 / 6.0.3 / Signature pack 454-2355
  Fortinet VM / 5.2.2 / Extended IPS DB: 5.00590
Automation: Unique to SRX and Junos
"off-box" (Across the Network): OSS integration; Workflow automation; NetOps & SecOps tools
"on-box" (On the Device): Audits & compliance; Change control; Troubleshooting & event response
XML API
PyEZ EXAMPLE
from jnpr.junos import Device
from jnpr.junos.utils.config import Config

set_cfg = "set system syslog file messages any notice"  # configuration in 'set' syntax (placeholder; the slide does not define set_cfg)

dev = Device(user='netconf', host='172.16.0.1', password='test123')
dev.open()                          # open the NETCONF-over-SSH session
dev.bind(cu=Config)                 # expose the Config utility as dev.cu
dev.cu.lock()                       # take the exclusive configuration lock
dev.cu.load(set_cfg, format='set')  # load the candidate configuration
dev.cu.commit()                     # commit it
dev.cu.unlock()                     # release the lock
dev.close()
https://techwiki.juniper.net/Projects/Junos_PyEZ
NEXT STEPS
- Q&A session?
- Local demo, Partner/Disti/JNPR
- Loan of Juniper Equipment
- Proof of Concept Labs, nearest in Amsterdam
- Mandatory item is a testplan
- Professional testing tools
- Possibility to bring 3rd party equipment