
  • Junos DDoS Secure

    Karel Hendrych, Sr. Systems [email protected]

  • Agenda

    - Intro & SRX High End Firewall
    - Junos DDoS Secure
    - Management

    Copyright 2009 Juniper Networks, Inc. www.juniper.net

  • SRX HE Firewall

  • HW FIREWALLS: CONSOLIDATED SECURITY IN DC CORE

    (diagram: Edge / Core / Applications tiers, with the hardware firewalls consolidated in the data center core)

  • SRX / DATA CENTER SERVICES PLATFORMS

    Next-Gen Security Systems with rich standard services: Firewall/NAT, DoS/DDoS/AppDDoS, VPN, IPS, QoS, AppSecure, LSYS (logical systems); scalable performance.

    SRX5600: 8U, 6 slot; FW/VPN/IDP 60/15/15G (the slide also shows 95/55/35G); 44M sessions, 400k cps
    SRX5800: 16U, 12 slot; FW/VPN/IDP 200/150/110G; 60M sessions, 400k cps
    SRX3600: also positioned as a data center services platform (figures on the next slide)

  • SCALABLE PERFORMANCE - NEW: FW PPS UP TO 220M!

    SRX1400: 3U, 12 GE or 3 XGE + 9 GE; FW/VPN/IDP* 10/2/2G; 1.5M sessions, 70k cps
    SRX3400: 3U, 8+4 GE; FW/VPN/IDP* 20/6/6G; 3M sessions, 150k cps
    SRX3600: 5U, 8+4 GE; FW/VPN/IDP* 30/10/10G; 6M sessions, 300k cps

    *FW/IDP/IPSEC

  • SRX3K PFE HIGH LEVEL ARCHITECTURE

    (diagram) IOC domain: IOC #X with NPC #R and IOC #Y with NPC #S, each built from FPGA, NP and SWI blocks, handling Phy, policers, filters, stateless screens and CoS. The switch fabric connects the IOC domain to the SPC domain: SPC #1 ... SPC #N, each with a CP and SPUs that perform flow lookup, flow processing and services.

  • SRX1400 performance chart: HTTP 20 kB transactions with the IDP "recommended" policy, plus 2M pps UDP

  • Junos DDoS Secure

  • JUNOS DDOS SECURE

    (diagram: Edge / Core / Applications tiers, Junos DDoS Secure and the two SRX firewalls)

  • WHAT DOES DDOS SECURE PROTECT

    Resources, which can be:

    - Servers: weak IP stacks and bugs; IP stack table resources; session overload
    - Firewalls, load balancers, concentrators: IP stack table resources; session overload
    - Gateways: bandwidth overload; packet overloads
    - URLs: request overload; slow or partial requests

  • HEURISTIC MITIGATION IN ACTION

    (diagram: normal Internet traffic and DDoS attack traffic both arrive at the Junos DDoS Secure appliance; its heuristic analysis passes the normal traffic on to the resources and separates out the attack traffic; a management PC is attached to the appliance)

    Normal Internet traffic flows through the Junos DDoS Secure appliance while the software analyses the type, origin, flow, data rate, sequencing, style and protocol used by all inbound and outbound traffic. The analysis is heuristic in nature and adjusts over time, but it is applied in real time with minimal (store-and-forward) latency.

  • JUNOS DDoS SECURE: HOW DOES IT WORK (1/3)

    - Every packet is validated against pre-defined RFC filters; malformed and mis-sequenced packets are dropped
    - Each individual IP address is assigned a CHARM value, based on the behaviour observed from that IP:
      - Mechanistic traffic: low CHARM value
      - First-time traffic: medium CHARM value
      - Humanistic, trusted traffic: high CHARM value

  • JUNOS DDoS SECURE: HOW DOES IT WORK (2/3)

    CHARM algorithm:

    - Access depends on the CHARM threshold of the target resource: packets below the threshold are dropped, packets above it are allowed uninterrupted access
    - The CHARM threshold changes dynamically with resource busyness
    - A full stateful engine measures resource response times
    - No server agents
    - Minimal (if any) false positives

  • JUNOS DDoS SECURE: PACKET FLOW SEQUENCE (3/3)

    Packet enters -> Syntax Screener -> (OK so far) -> CHARM Generator -> (with CHARM value) -> CHARM Screener -> packet exits. A packet can be dropped at the Syntax Screener or at the CHARM Screener.

    - Syntax Screener: validates the data packet against the defined filters, against the RFCs, for packet sequencing and against TCP connection state
    - CHARM Generator: calculates a CHARM value for the data packet by referencing the IP Behavior Table; the value is a function of time and historical behaviour (better behaved = better CHARM)
    - IP Behavior Table: behaviour is recorded per IP; supports up to 32-64M profiles, aged on a least-used basis
    - Resource Control: calculates the resource's CHARM threshold from the responsiveness of the resource
    - CHARM Screener: allows or drops the packet by comparing its CHARM value with the resource's CHARM threshold
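The heuristic description above and the three "how does it work" slides only name the stages (syntax screening, a per-source CHARM value, a threshold tied to resource responsiveness, least-used aging of profiles). The following toy pipeline is an added example written for this page, not Juniper's implementation or anything the deck discloses: the scoring weights, the threshold curve, the packet fields, the 10 ms "mechanistic" burst gap and the sample traffic are all assumptions chosen to make the behaviour visible.

```python
"""Toy model of the CHARM-style admission pipeline from the slides.
Added illustration, not Juniper code; all weights and thresholds are assumed."""
from collections import OrderedDict
from dataclasses import dataclass

MAX_PROFILES = 4       # real appliance: 32-64M; tiny here so LRU aging is visible
BURST_GAP_S = 0.01     # assumed: SYNs from one source closer than 10 ms look mechanistic
FIRST_TIME_CHARM = 50  # assumed "medium" value for a source never seen before


@dataclass
class Packet:
    src: str             # source IP
    flags: set           # TCP flags present, e.g. {"SYN"}
    seq: int             # TCP sequence number
    payload_len: int = 0
    ttl: int = 64
    ihl: int = 20        # IP header length in bytes; RFC 791 requires >= 20


class SyntaxScreener:
    """Stage 1: RFC/filter checks plus TCP sequencing, before any scoring."""

    def __init__(self):
        self.next_seq = {}  # src -> next expected sequence number

    def ok(self, p: Packet) -> bool:
        if p.ihl < 20 or p.ttl == 0:
            return False                        # malformed IP header
        if not p.flags or {"SYN", "FIN"} <= p.flags:
            return False                        # null scan / illegal flag combination
        if "SYN" in p.flags:
            self.next_seq[p.src] = p.seq + 1    # new connection: SYN consumes one seq
            return True
        expected = self.next_seq.get(p.src)
        if expected is None or p.seq != expected:
            return False                        # no connection state, or mis-sequenced
        self.next_seq[p.src] = p.seq + p.payload_len
        return True


class CharmGenerator:
    """Stage 2: per-source behaviour table; better behaved => higher CHARM."""

    def __init__(self, max_profiles: int = MAX_PROFILES):
        self.table = OrderedDict()  # src -> profile, ordered by last use
        self.max_profiles = max_profiles

    def score(self, p: Packet, now: float) -> int:
        prof = self.table.pop(p.src, None)      # pop + reinsert keeps LRU order
        if prof is None:
            if len(self.table) >= self.max_profiles:
                self.table.popitem(last=False)  # age out the least recently used profile
            prof = {"charm": FIRST_TIME_CHARM, "last": now, "count": 0}
        if prof["count"] and "SYN" in p.flags and now - prof["last"] < BURST_GAP_S:
            prof["charm"] -= 10                 # mechanistic: rapid-fire new connections
        elif "SYN" not in p.flags:
            prof["charm"] += 2                  # humanistic: carries on a conversation
        prof["charm"] = max(0, min(100, prof["charm"]))
        prof["last"], prof["count"] = now, prof["count"] + 1
        self.table[p.src] = prof
        return prof["charm"]


class ResourceControl:
    """Stage 3: the threshold tracks resource busyness via measured response time."""

    def __init__(self, base_rtt_ms: float = 20.0):
        self.base_rtt_ms = base_rtt_ms

    def threshold(self, observed_rtt_ms: float) -> int:
        # Assumed curve: a resource answering at baseline admits every source; each
        # additional multiple of the baseline response time raises the bar by 25.
        slowdown = max(0.0, observed_rtt_ms / self.base_rtt_ms - 1.0)
        return min(100, int(25 * slowdown))


class DdosSecure:
    """Stage 4 (CHARM screener) glues the stages together into allow/drop."""

    def __init__(self):
        self.syntax, self.charm, self.control = SyntaxScreener(), CharmGenerator(), ResourceControl()
        self.resource_rtt_ms = 20.0  # would be fed back by the stateful engine

    def process(self, p: Packet, now: float) -> str:
        if not self.syntax.ok(p):
            return "drop:syntax"
        if self.charm.score(p, now) < self.control.threshold(self.resource_rtt_ms):
            return "drop:charm"                 # below the resource's current threshold
        return "forward"


def simulate() -> dict:
    """Constructed traffic: a well-behaved client, then a SYN burst while the server is slow."""
    box, out, t = DdosSecure(), {}, 0.0
    client, flooder = "198.51.100.7", "203.0.113.9"
    box.process(Packet(client, {"SYN"}, 1000), t)
    out["client_idle"] = []
    for i in range(5):                          # in-order data, one packet per second
        t += 1.0
        out["client_idle"].append(box.process(Packet(client, {"ACK"}, 1001 + 10 * i, 10), t))
    box.resource_rtt_ms = 60.0                  # server three times slower: threshold becomes 50
    out["flood"] = [box.process(Packet(flooder, {"SYN"}, 7000 + i), t + 1.0 + i / 1000)
                    for i in range(5)]          # five SYNs 1 ms apart from one source
    t += 2.0
    out["client_under_attack"] = box.process(Packet(client, {"ACK"}, 1051, 10), t)
    out["syn_fin"] = box.process(Packet(flooder, {"SYN", "FIN"}, 9), t)
    out["no_state"] = box.process(Packet("203.0.113.77", {"ACK"}, 9), t)
    return out
```

Running `simulate()` shows the property the slides claim: while the resource answers at baseline the threshold is 0 and everything syntactically valid is forwarded; once the resource slows, the client that has been completing conversations (CHARM 60+) keeps flowing while the source firing SYNs 1 ms apart is admitted once at the medium first-time value and then dropped. The caveat a practitioner should note is visible in the same run: a first-time source is only blocked when the threshold climbs above the medium value, so a flood spread across many never-seen sources is handled by the threshold rising, not by per-source history.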

  • DDOS SECURE vs. SIGNATURE-BASED BLOCKING

    DDoS Secure:

    - Behavioural learning; minimal configuration required
    - No requirement for constant updates
    - Only drops if the protected resource is struggling; minimal, if any, false positives
    - Recognises and dynamically adapts to new or zero-day attack vectors
    - Plug and play; low maintenance / human intervention

  • JUNOS DDoS SECURE VARIANTS

    - VMware instance: good for 1 Gb throughput, ~700-800K pps
    - 1U appliance: capable of 1 Gb and 10 Gb, ~750K cps / 2M pps
    - 1U appliances have a choice of fail-safe card: fiber (10G SR/LR) or copper (1G / 10G)
    - All can be used stand-alone, as an active/standby pair, or active/active (asymmetric routing)

  • HOW A JUNOS DDOS SECURE UNIT IS DEPLOYED

    - Acts like a bridge: a single in-band, bi-directional data path via two NICs, with no IP address on those NICs
    - Inserts into the path of an existing Ethernet segment; no need to reconfigure other network units
    - Circuit interruption is limited to a few seconds when installing
    - Management is out of band, via a third, IP-addressed interface
    - State can be shared between multiple DDoS Secure appliances over a fourth interface
    - Support for network redundancy

  • WHEN THAT'S NOT GOOD ENOUGH: BGP FLOW SPEC (RFC 5575) ON JUNIPER UPSTREAM ROUTERS

    - Flow Specification defines a method for distributing traffic flow specifications using BGP NLRI
    - A flow specification carries n-tuple match criteria on the IP packet
    - An algorithm defines the ordering of the firewall match criteria
    - Validation criteria define when a flow specification received from a peer is accepted
    - Actions: policing, QoS marking, drop
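To make the NLRI, the action and the validation step concrete, here is an added example (written for this page, not Juniper code) that encodes an RFC 5575 flow-spec rule as an upstream router would receive it, decodes it back, and applies the RFC's section 6 originator check against a small unicast RIB. The victim address 192.0.2.10, the AS numbers and the RIB entries are constructed sample data; the ordering algorithm of section 5.1 is not covered.

```python
"""RFC 5575 flow-spec: NLRI and traffic-rate encoding plus the originator check.
Added illustration, not Juniper code. Addresses, ASNs and the RIB are constructed."""
import ipaddress
import struct

# Component types (RFC 5575 section 4)
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
# Numeric operator byte: end-of-list, and, lt, gt, eq; bits 4-5 hold the operand length
OP_END, OP_AND, OP_LT, OP_GT, OP_EQ = 0x80, 0x40, 0x04, 0x02, 0x01
OP_MASK = OP_AND | OP_LT | OP_GT | OP_EQ


def prefix_component(ctype, prefix):
    """<type><length in bits><only the significant prefix octets>"""
    net = ipaddress.ip_network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def numeric_component(ctype, terms):
    """terms: list of (operator flags, value); operands of 1 or 2 octets."""
    out = bytearray([ctype])
    for i, (op, val) in enumerate(terms):
        size_bits, operand = (0x00, struct.pack(">B", val)) if val < 256 else (0x10, struct.pack(">H", val))
        if i == len(terms) - 1:
            op |= OP_END                      # last {op, value} pair in the list
        out += bytes([op | size_bits]) + operand
    return bytes(out)


def encode_nlri(components):
    body = b"".join(components)
    if len(body) < 0xF0:
        return bytes([len(body)]) + body      # one-octet length
    return struct.pack(">H", 0xF000 | len(body)) + body  # extended length, high nibble 1111


def traffic_rate(asn, bytes_per_second):
    """Extended community 0x8006: police to the given rate; a rate of 0 discards."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, float(bytes_per_second))


def decode_nlri(data):
    """Parse one flow-spec NLRI back into {component type: value}."""
    if data[0] >= 0xF0:
        length, pos = struct.unpack(">H", data[:2])[0] & 0x0FFF, 2
    else:
        length, pos = data[0], 1
    end, comps = pos + length, {}
    while pos < end:
        ctype, pos = data[pos], pos + 1
        if ctype in (DEST_PREFIX, SRC_PREFIX):
            plen, pos = data[pos], pos + 1
            nbytes = (plen + 7) // 8
            octets = bytes(data[pos:pos + nbytes]) + bytes(4 - nbytes)  # re-pad to 4 octets
            pos += nbytes
            comps[ctype] = f"{ipaddress.IPv4Address(octets)}/{plen}"
        else:
            terms = []
            while True:
                op, pos = data[pos], pos + 1
                size = 1 << ((op >> 4) & 0x03)  # 1, 2, 4 or 8 octets
                terms.append((op & OP_MASK, int.from_bytes(data[pos:pos + size], "big")))
                pos += size
                if op & OP_END:
                    break
            comps[ctype] = terms
    return comps


def is_feasible(flow_dest_prefix, flowspec_originator, unicast_rib):
    """RFC 5575 section 6, rule (a): accept the rule only if its originator is also the
    originator of the best-match unicast route for the embedded destination prefix.
    Rule (b), the check against more-specific routes from other ASes, is omitted here."""
    target = ipaddress.ip_network(flow_dest_prefix)
    best = None
    for prefix, originator in unicast_rib.items():
        net = ipaddress.ip_network(prefix)
        if target.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, originator)
    return best is not None and best[1] == flowspec_originator


def dns_flood_rule():
    """Discard UDP/53 toward 192.0.2.10 (constructed victim address and ASN)."""
    nlri = encode_nlri([
        prefix_component(DEST_PREFIX, "192.0.2.10/32"),
        numeric_component(IP_PROTO, [(OP_EQ, 17)]),   # protocol == UDP
        numeric_component(DST_PORT, [(OP_EQ, 53)]),   # destination port == 53
    ])
    return nlri, traffic_rate(64500, 0)               # rate 0 = discard
```

The validation function is the part worth internalising: a router that installs flow-spec rules from a peer without the best-match-route check lets that peer black-hole prefixes it does not originate, so the check is what makes it safe to accept rules from an upstream at all. On Junos the same match and action are expressed under the `routing-options flow route` hierarchy (destination, protocol and destination-port match terms with a `discard` or `rate-limit` action); the example here encodes what goes on the wire, not that configuration.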

  • Management

    - Junos CLI
    - Junos Space
    - JDDOS UI
    - STRM

    Open management interfaces:

    - DMI/NETCONF (IETF standard)
    - Junos scripting
    - SNMP
    - Syslog logging

  • SECURITY THREAT RESPONSE MANAGER (STRM): Log management, correlation, flow, SIEM

    - STRM supports the SRX Series Intrusion Prevention System (IPS) and AppSecure
    - 220+ out-of-the-box report templates
    - Fully customizable reporting engine: creating, branding and scheduling delivery of reports
    - Compliance reporting packages for PCI, SOX, FISMA, GLBA and HIPAA
    - Reports based on control frameworks: NIST, ISO and COBIT

  • JUNOS DDOS SECURE + SRX + STRM

    (diagram: Edge / Core / Applications tiers with the two SRX firewalls and Junos DDoS Secure in the data path; an STRM console with an STRM log collector and an STRM flow collector, plus an upstream collector)

  • Q&A

    Karel [email protected]