JUNIPER SECURE ANALYTICS (JSA) OVERVIEW
Stefan Lager, Product Line Manager, slager@juniper.net
2 Copyright © 2009 Juniper Networks, Inc. www.juniper.net
AGENDA
1. Challenges with Event Management
2. Data Collection
3. Event Management and Analytics
4. Flow Management and Analytics
5. Secure Analytics - Use Cases
6. Deployment Options
7. Platforms and Licensing
CHALLENGES WITH EVENT COLLECTION
IT “information” overload
- The amount of events
- The amount of different types of events
- The amount of different types of event sources
Data mining and analytics
- Event categorization
- Event search and drill-down
- Anomaly detection
THE SOLUTION: JUNIPER SECURE ANALYTICS
Log Server:
“Here are all your events. Please take a look at them and let me know if you find anything strange.”
Secure Analytics (JSA):
“Of all the million incoming events I think you need to take a look at this one.”
LOG SERVER VS. JUNIPER SECURE ANALYTICS
Log Server: the “Security Device” reports “APACHE-STRUTS-URI-CMDEXE” against the Webserver.
Secure Analytics (JSA): the same “APACHE-STRUTS-URI-CMDEXE” event from the “Security Device”, plus:
• Webserver is vulnerable!
• Webserver sent a crash event!
• Strange traffic seen FROM Webserver!
• Attack came from an IP with bad reputation!
• Attack came from a suspicious country!
• Events have been received from other “Security Devices”!
• …
MULTI-VENDOR EVENT AND FLOW COLLECTION
- Networking events: switches & routers, including flow data
- Security logs: firewalls, IDS, IPS, VPNs, vulnerability scanners, gateway AV, desktop AV & UTM devices
- Operating systems/host logs: Microsoft, Unix and Linux
- Applications: database, mail & web
- User and asset: authentication data
- Security map utilities: GeoIP, reputation feeds
Outputs: compliance templates, forensics search, policy reporting
WHAT DOES JSA COLLECT?
Events
- Syslog: UDP/TCP, multiline UDP, binary (SRX) + PCAP (SRX), Syslog-TLS
- SNMP: version 1, 2 & 3
- Application/Protocols (*): JDBC, OPSEC/LEA, SDEE, SourceFire Estreamer, log file, Microsoft, EMC VMware, Oracle, SMB tail, Cisco NSEL, …
- Agents: ALE, Snare, WinCollect
Flows
- NetFlow: version 1, 5, 7, 9
- IPFIX: supported
- JFlow: supported
- SFlow: version 2, 4, 5
- QFlow: on QFC and monitor interfaces
- Packeteer: FDR
(*) For more info refer to datasheet
SECURE ANALYTICS (JSA) - KEY BENEFITS
Reduced OPEX
- Collects all event and flow data in one place
- Supports a large set of vendors out-of-the-box
Compliance
- Ships with predefined reports for COBIT, FISMA, GLBA, GSX-Memo22, HIPAA, NERC, PCI and SOX.
Increased Visibility
- Supports graph/dashboard/reporting on any event data
- Flow collection enables proactive actions
Increased Detection
- Analytics engine detects violations and anomalies
- Built-in support for GeoIP and reputation feeds
Scalable
- Supports up to 7M EPS per console
- Supports distributed collection of events and flows
EXAMPLE: WHAT CAN SECURE ANALYTICS DO WITH A FIREWALL EVENT?
<182>Sep 26 20:14:49 127.0.0.1 <14>1 2012-03-24T05:21:13.677 utm-n0 RT_FLOW - RT_FLOW_SESSION_CREATE [[email protected] source-address="192.168.34.10" source-port="58541" destination-address="204.245.34.169" destination-port="80" service-name="junos-http" nat-source-address="192.168.32.2" nat-source-port="3195" nat-destination-address="204.245.34.169" nat-destination-port="80" src-nat-rule-name="r1" dst-nat-rule-name="None" protocol-id="6" policy-name="utm-out" source-zone-name="trust" destination-zone-name="untrust" session-id-32="143804" username="VIRTUALPOC\slager" roles="VPoC-UTM-Demo" packet-incoming-interface="ge-0/0/2.3602"]
Event Analytics
• Taxonomy: RT_FLOW_SESSION_CREATE => Category “FIREWALL PERMIT”
• GeoIP: 204.245.34.169 => Country “BRAZIL”
• IP Reputation: 204.245.34.169 => Remote-Network “BOTNET”
• Analytics: Alert if more than <x> events from the same src, IF the src is coming from one of our client networks
Event Management
• RBAC: Allow access to a subset of event data
• Indexing: Allow indexing on any field. 10-100x search time improvement
• Retention: Flexible setting for how long this event should be stored
• Forwarding: Should this specific event be forwarded?
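The slide lists the steps a SIEM performs on that one firewall line: parse it, map the vendor event name onto a normalized category, enrich the destination with GeoIP and reputation, and feed it to a threshold rule. The Python below is an added illustration of those steps, not JSA code. The sample lines are constructed from the slide's RT_FLOW_SESSION_CREATE event (with the relay header kept and the structured-data id replaced by a placeholder), and the taxonomy, GeoIP, reputation and client-network tables are tiny stand-ins for the feeds a real deployment would use.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Constructed sample input ---------------------------------------------------
# Modelled on the slide's RT_FLOW_SESSION_CREATE line, relay header included.
# "junos@SDID-PLACEHOLDER" stands in for the real Junos structured-data id.
BASE_TS = datetime(2012, 3, 24, 5, 21, 13, 677000)

def make_line(ts, src, dst):
    """Build one Junos structured-syslog firewall event (constructed, not captured)."""
    return (f'<182>Sep 26 20:14:49 127.0.0.1 <14>1 {ts.isoformat(timespec="milliseconds")} '
            f'utm-n0 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@SDID-PLACEHOLDER '
            f'source-address="{src}" source-port="58541" destination-address="{dst}" '
            f'destination-port="80" service-name="junos-http" protocol-id="6" '
            f'policy-name="utm-out" source-zone-name="trust" destination-zone-name="untrust" '
            f'username="VIRTUALPOC\\slager"]')

SAMPLE_LINES = (
    # four sessions within 30 s from one client host to the slide's destination
    [make_line(BASE_TS + timedelta(seconds=10 * i), "192.168.34.10", "204.245.34.169") for i in range(4)]
    # five sessions from a source outside the client networks: must not alert
    + [make_line(BASE_TS + timedelta(seconds=5 * i), "10.9.9.9", "204.245.34.169") for i in range(5)]
)

# --- Enrichment tables (constructed; a real deployment uses GeoIP/reputation feeds) ---
TAXONOMY = {"RT_FLOW_SESSION_CREATE": "FIREWALL PERMIT",   # mapping shown on the slide
            "RT_FLOW_SESSION_DENY": "FIREWALL DENY"}       # assumed additional entry
GEOIP = {ipaddress.ip_network("204.245.34.0/24"): "BRAZIL"}
REPUTATION = {"204.245.34.169": "BOTNET"}
CLIENT_NETWORKS = [ipaddress.ip_network("192.168.32.0/22")]

# --- Parsing --------------------------------------------------------------------
HEADER_RE = re.compile(
    r'<\d+>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) - (?P<event>\S+) '
    r'\[(?P<sdid>\S+) (?P<params>.*)\]')
PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')

def parse_junos_event(line):
    """Parse the RFC 5424-style Junos line into a dict of header fields plus SD params."""
    m = HEADER_RE.search(line)            # search: skips the relay's own "<182>Sep 26 ..." prefix
    if not m:
        raise ValueError("not a Junos structured-syslog event")
    ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "event": m["event"]}
    ev.update(PARAM_RE.findall(m["params"]))
    return ev

def enrich(ev):
    """Taxonomy, GeoIP and reputation lookups: the three enrichment steps on the slide."""
    src = ipaddress.ip_address(ev["source-address"])
    dst = ipaddress.ip_address(ev["destination-address"])
    ev["category"] = TAXONOMY.get(ev["event"], "UNKNOWN")
    ev["dst_country"] = next((c for net, c in GEOIP.items() if dst in net), "UNKNOWN")
    ev["dst_reputation"] = REPUTATION.get(str(dst), "NONE")
    ev["src_is_client"] = any(src in net for net in CLIENT_NETWORKS)
    return ev

class BurstFromClientRule:
    """The slide's rule: alert if more than `threshold` events from the same src
    within `window`, if the src is in one of our client networks."""
    def __init__(self, threshold=3, window=timedelta(minutes=1)):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)   # src -> timestamps still inside the window

    def feed(self, ev):
        if not ev["src_is_client"]:
            return None
        q = self.recent[ev["source-address"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold:
            return {"rule": "burst-from-client", "src": ev["source-address"], "count": len(q),
                    "dst": ev["destination-address"], "dst_country": ev["dst_country"],
                    "dst_reputation": ev["dst_reputation"], "category": ev["category"]}
        return None

def run(lines, threshold=3, window=timedelta(minutes=1)):
    """Parse, enrich and correlate a batch of lines; return the alerts raised."""
    rule = BurstFromClientRule(threshold, window)
    alerts = []
    for line in lines:
        alert = rule.feed(enrich(parse_junos_event(line)))
        if alert:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for alert in run(SAMPLE_LINES):
        print(alert)
```

The alert carries the enrichment (country, reputation, category) along with the count, which is what turns a raw RT_FLOW line into something an analyst can act on; the non-client source never alerts, however many sessions it opens, because the rule's precondition is evaluated before counting.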
EVENT ANALYTICS: GEOIP-MAPPING
Provide mapping of IP to Countries both for visibility and for correlation.
EVENT ANALYTICS: IP REPUTATION
EVENT ANALYTICS: RULES ENGINE MATCHING
Creating a correlation rule is as simple as sorting mail in Outlook!
• Secure Analytics is delivered with a large set of built-in rules
• Many of them are disabled by default but will give you tips on what to correlate on
• All rules are easy to tune to fit your specific deployment
EVENT ANALYTICS: RULES ENGINE ACTION
THE KEY TO DATA MANAGEMENT: REDUCTION AND PRIORITIZATION
Previous 24hr period of network and security activity (2.7M logs)
Correlation of data sources creates offenses (129)
Offenses are a complete history of a threat or violation with full context about accompanying network, asset and user identity information
Offenses are further prioritized by business impact
USE CASE: COMPLEX THREAT DETECTION
Sounds nasty… but how do we know this? The evidence is a single click away.
- Buffer Overflow: exploit attempt seen by Snort
- Network Scan: detected by QFlow
- Targeted Host Vulnerable: detected by Nessus
Total Security Intelligence: convergence of network, event and vulnerability data
USE CASE: USER ACTIVITY MONITORING
- Authentication Failures: perhaps a user who forgot his/her password?
- Brute Force Password Attack: numerous failed login attempts against different user accounts
- Host Compromised: all this followed by a successful login. Automatically detected, no custom tuning required.
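The three stages of this use case are a stateful correlation over authentication events, keyed by source address. As an added example (not JSA's rule logic), the Python below escalates each source through the slide's stages: ordinary failures, brute force once failures hit a configurable number of distinct accounts inside a time window, and a "Host Compromised" offense when a success follows a brute-force stage. A success that follows only ordinary failures resets the source, which is the "forgot the password" case. The log lines are constructed in OpenSSH's auth-log format; the window and account threshold are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: OpenSSH-style auth log lines, not a capture from the slide.
SAMPLE_AUTH_LOG = """\
Mar 24 05:21:13 srv1 sshd[1001]: Failed password for alice from 10.1.1.5 port 51000 ssh2
Mar 24 05:21:20 srv1 sshd[1001]: Failed password for alice from 10.1.1.5 port 51001 ssh2
Mar 24 05:21:31 srv1 sshd[1002]: Failed password for bob from 10.1.1.5 port 51002 ssh2
Mar 24 05:21:40 srv1 sshd[1003]: Failed password for invalid user root from 10.1.1.5 port 51003 ssh2
Mar 24 05:21:52 srv1 sshd[1004]: Failed password for carol from 10.1.1.5 port 51004 ssh2
Mar 24 05:22:05 srv1 sshd[1005]: Accepted password for carol from 10.1.1.5 port 51005 ssh2
Mar 24 05:30:00 srv1 sshd[1010]: Failed password for dave from 10.2.2.9 port 52000 ssh2
Mar 24 05:30:09 srv1 sshd[1011]: Accepted password for dave from 10.2.2.9 port 52001 ssh2
""".splitlines()

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: '
    r'(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<src>\S+) port \d+')

def parse_auth_line(line, year=2012):
    """Return a dict for a matching line, or None for anything else (syslog has no year)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
            "outcome": m["outcome"].lower()}

AUTH_FAILURES, BRUTE_FORCE, HOST_COMPROMISED = 1, 2, 3
STAGE_NAMES = {1: "Authentication Failures", 2: "Brute Force Password Attack", 3: "Host Compromised"}

class UserActivityCorrelator:
    """Per source: failures -> brute force (failures against >= N distinct accounts
    inside the window) -> host compromised (a success after the brute-force stage)."""
    def __init__(self, window=timedelta(minutes=5), distinct_accounts=3):   # assumed tuning
        self.window = window
        self.distinct_accounts = distinct_accounts
        self.failures = defaultdict(deque)   # src -> deque of (ts, user) inside the window
        self.stage = defaultdict(int)        # src -> highest stage reached so far

    def feed(self, ev):
        src, q = ev["src"], self.failures[ev["src"]]
        while q and ev["ts"] - q[0][0] > self.window:
            q.popleft()                      # forget failures older than the window
        if ev["outcome"] == "failed":
            q.append((ev["ts"], ev["user"]))
            accounts = {u for _, u in q}
            new_stage = BRUTE_FORCE if len(accounts) >= self.distinct_accounts else AUTH_FAILURES
        elif self.stage[src] >= BRUTE_FORCE:
            new_stage = HOST_COMPROMISED     # success right after spraying many accounts
        else:
            q.clear()                        # success after a few failures: user remembered it
            self.stage[src] = 0
            return None
        if new_stage > self.stage[src]:      # emit an offense only when the source escalates
            self.stage[src] = new_stage
            return {"offense": STAGE_NAMES[new_stage], "src": src, "user": ev["user"],
                    "accounts": sorted({u for _, u in q}), "at": ev["ts"]}
        return None

def run(lines):
    """Parse and correlate a batch of auth lines; return the offenses in order."""
    corr = UserActivityCorrelator()
    offenses = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev:
            offense = corr.feed(ev)
            if offense:
                offenses.append(offense)
    return offenses

if __name__ == "__main__":
    for offense in run(SAMPLE_AUTH_LOG):
        print(offense)
```

Emitting an offense only on escalation is what keeps the output at the slide's "129 offenses from 2.7M logs" scale rather than one alert per failed login: the sample produces four offenses, and the second source closes quietly because its single failure was followed by a success.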
SECURE ANALYTICS FLOW
(diagram labels: STRM-Console; STRM-FP and STRM V-FP flow processors at the DMZ, the branch office and the virtualized servers WEB-1, WEB-2, WEB-3; vGW)
FLOWS FOR NETWORK INTELLIGENCE
• QoS monitoring
• Detection of day-zero attacks that have no signature
• Policy monitoring and rogue server detection
• Visibility into all attacker communications
• Passive flow monitoring builds asset profiles & auto-classifies hosts
• Network visibility and problem solving (not just security related)
ANOMALY DETECTION
Secure Analytics learns and anticipates the established “normal” condition for:
- The Network
- The Host
- The Protocol
- The Application
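Learning a "normal" condition per host and application means keeping a statistical profile from past flow data and scoring new flows against it. The Python below is an added, deliberately simple illustration of that idea (mean and standard deviation of bytes per interval per host/application pair, with a z-score threshold), not the algorithm JSA uses. The flow summaries, the minimum sample count and the z-limit are all constructed or assumed values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: bytes per 5-minute interval for (host, application).
TRAINING_FLOWS = (
    [{"host": "10.0.0.5", "app": "http", "bytes": b} for b in (1000, 1200, 900, 1100, 1000)]
    + [{"host": "10.0.0.5", "app": "dns", "bytes": b} for b in (120, 130, 110, 125, 115)]
    + [{"host": "10.0.0.7", "app": "smtp", "bytes": b} for b in (5000, 5200, 4800, 5100, 4900)]
)
MIN_SAMPLES = 5          # assumed: fewer intervals than this is not a baseline yet

def learn_baseline(flows):
    """'Normal' per (host, app): mean and standard deviation of bytes per interval."""
    samples = defaultdict(list)
    for f in flows:
        samples[(f["host"], f["app"])].append(f["bytes"])
    return {key: {"mean": mean(v), "std": pstdev(v), "n": len(v)}
            for key, v in samples.items() if len(v) >= MIN_SAMPLES}

def score(baseline, flow, z_limit=3.0):
    """Return an anomaly record for one flow summary, or None if it fits the baseline."""
    key = (flow["host"], flow["app"])
    prof = baseline.get(key)
    if prof is None:
        # never-seen host, or a known host talking a protocol it never used before
        host_known = any(h == flow["host"] for h, _ in baseline)
        return {"anomaly": "new-application" if host_known else "new-host",
                "host": flow["host"], "app": flow["app"]}
    # floor the deviation so a near-constant baseline does not alert on tiny noise
    std = max(prof["std"], 0.05 * prof["mean"], 1.0)
    z = (flow["bytes"] - prof["mean"]) / std
    if abs(z) > z_limit:
        return {"anomaly": "volume", "host": flow["host"], "app": flow["app"],
                "bytes": flow["bytes"], "expected": round(prof["mean"]), "z": round(z, 1)}
    return None

def detect(baseline, flows, z_limit=3.0):
    """Score a batch of new flow summaries; return only the anomalies."""
    return [a for a in (score(baseline, f, z_limit) for f in flows) if a]

# Constructed "new" interval to score against the learned baseline.
NEW_FLOWS = [
    {"host": "10.0.0.5", "app": "http", "bytes": 1050},    # normal web volume
    {"host": "10.0.0.5", "app": "http", "bytes": 50000},   # ~50x the usual volume
    {"host": "10.0.0.5", "app": "ssh", "bytes": 300},      # host never used ssh before
    {"host": "10.0.0.9", "app": "dns", "bytes": 100},      # host not in the baseline at all
]

if __name__ == "__main__":
    for a in detect(learn_baseline(TRAINING_FLOWS), NEW_FLOWS):
        print(a)
```

The two non-volume cases matter as much as the z-score: a host suddenly speaking a protocol it never used, or a host that was never profiled, is exactly the kind of signal a signature-based sensor cannot produce, which is the point the preceding flow slide makes about day-zero detection and rogue servers.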
USE-CASE: CAMPUS & BRANCH VPN MONITORING USING JUNOS RPM
(diagram labels: RPM-Probes at HQ, BRANCH-1 and BRANCH-2; RPM-Logs)
USE-CASE: DATACENTER VISIBILITY, REPORTING AND CORRELATION OF EVENTS AND TRAFFIC
(diagram labels: Clients; Exposed Services; Virtualized Servers VM-1 to VM-6 and WEB-1 to WEB-3; WebApp Secure; SRX AppSecure; Firefly; EX; JSA in the NOC/SOC; arrows carrying flow, events, and flow and events)
USE-CASE: BYOD AUTOMATIC REMEDIATION USING OPEN STANDARDS PROTOCOL (IF-MAP)
(diagram labels: Juniper EX (Switch); IDP Series; Firewall: SSG Series, ISG Series, SRX Series; Application Servers; Juniper IC (IF-MAP Server); Secure Analytics; UAC Agent; UAC Agent-less Mode; NSM; Juniper SA (SSL-VPN); Juniper AX (WLAN AP); IF-MAP)
SMALL SITE DEPLOYMENT – APPLIANCE OR VM
- JSA1500 can collect up to 1000 events per second, 50kF/min
- Allows real-time streaming of events
- Visibility of incoming/outgoing traffic (SRX FW/AppTrack)
- Visibility of internal traffic (EX flow-data)
- Threat and anomaly detection
- Correlation and compliance reporting
- Provides common dashboard
(diagram labels: STRM 5000 EP or FP; EX Virtual Chassis; SRX Branch; JSA1500; flow data and syslog)
LARGE SITE DEPLOYMENT – APPLIANCE
- You can connect up to 250 Event Processors to one Console
- The JSA Console provides one dashboard with aggregated data from all EPs
- Searches and reports are done on aggregated data from all EPs
- Configurable retention policies allow storing important/compliance logs for a longer time than other logs
(diagram labels: STRM 5000 EP or FP; SRX-5800; JSA 1/3/5/7500 Event Processors; syslog; SLB; JSA5500-Console)
DISTRIBUTED LOG/FLOW COLLECTION
- Distributed log and flow collection offloads WAN links
- Will continue to receive and store events/flows even if the WAN link goes down
- Available both as physical appliance and as virtual appliance
- CombiCollector (both EP/FP) only supported on physical appliance
- JSA VM is available as: Remote TM EP, Remote LM EP, Remote FP
- Visibility of incoming/outgoing traffic
- Threat and anomaly detection
- Correlation and compliance
- Provides common dashboard
(diagram labels: JSA-Console in EMEA; Canada, Australia and Beijing sites with JSA1500 local EP/FP, JSA VM local EP, JSA VM local FP)
SECURE ANALYTICS: ALL-IN-ONE DEPLOYMENT
JSA1500: 1,000 EPS, 15K F/M – Small Enterprise
JSA3500: 5,000 EPS, 50K F/M – Small/Medium Enterprise
JSA5500: 10,000 EPS, 200K F/M – Medium Enterprise
SECURE ANALYTICS: DISTRIBUTED DEPLOYMENT
- Supports a very high amount of EPS
- Solves branch-office collection
- Can be fully redundant
(diagram labels: WebUI; Console; Event Processor; Flow Processor; QFlow Collector; EP/FP combo; JSA1500 QFlow Collectors deployed in tap/mirror or SPAN mode; security devices exporting event data; network devices exporting flow data)
JSA PLATFORM SUPPORT MATRIX
Roles (columns): QFlow Collector, Event Processor, Flow Processor, EP/FP Combo, Console Support, All-in-one Support
Platforms (rows): JSA VM, JSA1500, JSA3500, JSA5500, JSA7500
(cell markings not reproduced)
SECURE ANALYTICS – LICENSING: LOG ANALYTICS VS THREAT ANALYTICS
Log Analytics License
- Log collection and categorization
- Customizable dashboards
- Predefined and customizable reports
Threat Analytics License
- Security Information and Event Management (SIEM): event and flow correlation, asset profiling, vulnerability scanner integration
- Network Behavior Anomaly Detection (NBAD): network traffic visibility, QoS visibility, traffic anomaly detection
Thanks!