Junos DDoS Secure
Karel Hendrych, Sr. Systems [email protected]
Agenda
- Intro & SRX High End Firewall
- Junos DDoS Secure
- Management
2 Copyright 2009 Juniper Networks, Inc. www.juniper.net
SRX HE Firewall
HW FIREWALLS: CONSOLIDATED SECURITY IN DC CORE
[Diagram: Edge, Core and Applications tiers, with the firewalls consolidated in the data center core.]
SRX / DATA CENTER SERVICES PLATFORMS (SRX3600, SRX5600, SRX5800)
- 8U, 6 slot: 60/15/15G; FW/VPN/IDP 95/55/35; 44M sess, 400kcps
- 16U, 12 slot: FW/VPN/IDP 200/150/110G; 60M sess, 400kcps
- Next-Gen Security Systems with rich standard services: Firewall/NAT, DoS/DDoS/AppDDoS, VPN, IPS, QoS, AppSecure, LSYS
- Scalable Performance
SCALABLE PERFORMANCE (NEW: FW PPS up to 220M!)
- SRX3400: 3U, 8+4 GE; FW/VPN/IDP* 20/6/6G; 3M sess, 150kcps
- SRX3600: 5U, 8+4 GE; FW/VPN/IDP* 30/10/10G; 6M sess, 300kcps
- SRX1400: 3U, 12GE or 3XGE+9GE; FW/VPN/IDP* 10/2/2G; 1.5M sess, 70kcps
*FW/IDP/IPSEC
SRX3K PFE HIGH LEVEL ARCHITECTURE
[Diagram: SRX3K packet forwarding engine. Blocks labelled CP, SPU, FPGA, NP, SWI and Phy; functions labelled Flow lookup, Stateless Screens, CoS, Policers, Filters, Flow and Services; an IOC domain (IOC #X with NPC #R, IOC #Y with NPC #S) and an SPC domain (SPC #1 ... SPC #N) joined by the fabric.]
[Chart: SRX1400, HTTP 20kB, IDP recommended + 2M PPS UDP]
Junos DDoS Secure
JUNOS DDOS SECURE
[Diagram: Edge, Core (SRX, SRX) and Applications tiers with Junos DDoS Secure in the path.]
WHAT DOES DDOS SECURE PROTECT
Resources, which can be:
- Servers: weak IP stacks, bugs; IP stack table resources; session overload
- Gateways (firewalls, load balancers, concentrators): IP stack table resources; session overload; bandwidth overload; packet overloads
- URLs: request overload; slow or partial requests
HEURISTIC MITIGATION IN ACTION
[Diagram: Normal Internet traffic and DDoS attack traffic enter the Junos DDoS Secure appliance (heuristic analysis); only normal Internet traffic reaches the protected resources; a management PC attaches to the appliance.]
Normal Internet traffic flows through the Junos DDoS Secure Appliance, while the software analyses the type, origin, flow, data rate, sequencing, style and protocol being utilized by all inbound and outbound traffic. The analysis is heuristic in nature and adjusts over time but is applied in real time, with minimal (store and forward) latency.
JUNOS DDoS SECURE: HOW DOES IT WORK (1/3)
- Packet validated against pre-defined RFC filters
- Malformed and mis-sequenced packets dropped
- Individual IP addresses assigned a CHARM value
- Value assigned based on IP behaviours:
  - Mechanistic traffic: low CHARM value
  - First-time traffic: medium CHARM value
  - Humanistic, trusted traffic: high CHARM value
JUNOS DDoS SECURE: HOW DOES IT WORK (2/3)
CHARM Algorithm
- Access dependent on the CHARM threshold of the target resource
- Below threshold: packets dropped
- Above threshold: allowed uninterrupted access
- Minimal (if any) false positives
- CHARM threshold changes dynamically with resource busyness
- Full stateful engine measures response times
- No server agents
JUNOS DDoS SECURE PACKET FLOW SEQUENCE (3/3)
IP Behavior TableResource
CHARM Threshold
Validates data packet Validates against defined filters
Validates packet against RFCs
Validates packet sequencing
TCP Connection state
1 Behaviour is recorded Supports up to
32-64M profiles
Profiles aged on least used basis
3 Calculates CHARM Threshold Responsiveness
of Resource
4
CHARM Technology Resource Control
14 Copyright 2009 Juniper Networks, Inc. www.juniper.net
Drop Packet Drop Packet
Packet Enters
Syntax Screener
OK So Far
CHARM Generator
With CHARM Value
CHARM Screener
Packet Exits
Calculates CHARM value for data packet References IP behavior table
Function of time and historical behavior
Better behaved = better CHARM
2 Allow or Drop CHARM Threshold
CHARM value
5
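The three "how does it work" slides above describe a syntax screener, a per-source behaviour score and a resource threshold that tracks busyness. The following Python model is an added illustration of that pipeline, not Juniper's CHARM implementation (which the slides do not detail); the 0-100 score scale, the eight-packet window, the jitter rule for "mechanistic" traffic and the RTT-based threshold are all assumptions made for the example.

```python
from collections import defaultdict, deque
from statistics import pstdev

MEDIUM = 50.0  # assumed 0-100 scale; first-time traffic starts in the middle


class BehaviourGate:
    """Toy model of the slide's pipeline; not Juniper's CHARM implementation."""

    def __init__(self, target_rtt_ms=100.0, max_threshold=90.0, window=8):
        self.scores = defaultdict(lambda: MEDIUM)        # per-source CHARM-like value
        self.arrivals = defaultdict(lambda: deque(maxlen=window))
        self.target_rtt = target_rtt_ms
        self.max_threshold = max_threshold
        self.threshold = 0.0                              # idle resource: nothing dropped

    @staticmethod
    def syntax_ok(pkt):
        """Stage 1, syntax screener: drop packets that break basic TCP header rules."""
        flags = pkt.get("flags", set())
        if {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags:
            return False                                  # contradictory flag combinations
        if "SYN" in flags and "ACK" not in flags and pkt.get("payload", 0) > 0:
            return False                                  # data on a bare SYN
        return 0 < pkt.get("ttl", 0) <= 255

    def observe_resource(self, rtt_ms):
        """Stage 3: the threshold rises from 0 as response time exceeds the target."""
        busy = min(max(rtt_ms / self.target_rtt - 1.0, 0.0), 1.0)
        self.threshold = busy * self.max_threshold

    def record(self, ip, t):
        """Stage 2: update the per-source score; evenly spaced arrivals look mechanistic."""
        hist = self.arrivals[ip]
        hist.append(t)
        if len(hist) == hist.maxlen:
            gaps = [b - a for a, b in zip(hist, list(hist)[1:])]
            mechanistic = pstdev(gaps) <= 0.01 * (sum(gaps) / len(gaps))
            self.scores[ip] += -10.0 if mechanistic else 2.0
            self.scores[ip] = max(0.0, min(100.0, self.scores[ip]))
        return self.scores[ip]

    def admit(self, ip, pkt, t):
        """Stage 4, CHARM screener: admit only sources scoring at or above the threshold."""
        if not self.syntax_ok(pkt):
            return False
        return self.record(ip, t) >= self.threshold
```

While the resource is idle the threshold is 0 and every syntactically valid packet passes; the periodic source is only dropped once the measured response time pushes the threshold above its (already lowered) score, which is the "only drops if the protected resource is struggling" behaviour the next slide claims.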
DDOS SECURE vs. SIGNATURE BASED BLOCKING
DDoS Secure:
- Behavioural learning; minimal configuration required
- No requirement for constant updates
- Only drops if the protected resource is struggling; minimal, if any, false positives
- Recognises and dynamically adapts to new or zero-day attack vectors
- Plug and play; low maintenance / human intervention
JUNOS DDoS SECURE VARIANTS
- VMware instance: good for 1Gb throughput, ~700K-800K pps
- 1U appliance: capable of 1Gb & 10Gb, ~750K cps / 2M pps
- 1U appliances have a choice of fail-safe card: fiber (10G SR/LR) or copper (1G / 10G)
- All can be used stand-alone, as an active/standby pair, or active/active (asymmetric routing)
HOW A JUNOS DDOS SECURE UNIT IS DEPLOYED
- Acts like a bridge: a single in-band, bi-directional data path via two NICs
- No IP address on the data NICs
- Inserts into the path of an existing Ethernet segment; no need to reconfigure other network units
- Circuit interruption limited to a few seconds when installing
- Management is out of band, via a third, IP-addressed interface
- State can be shared between multiple DDoS Secure appliances over a fourth interface
- Support for network redundancy
WHEN THAT'S NOT GOOD ENOUGH: BGP FLOW SPEC (RFC 5575) ON JUNIPER UPSTREAM ROUTERS
- Flow Specification defines a method for distributing traffic flow specifications using BGP NLRI
- A flow specification has n-tuple match criteria on the IP packet
- Algorithm to define the ordering of firewall match criteria
- Validation criteria defined to accept flow specifications from peers
- Policing/QoS/drop actions
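To make the "n-tuple match criteria distributed as BGP NLRI" concrete, here is an added Python encoder for the RFC 5575 flow specification NLRI (destination/source prefix, IP protocol, destination/source port components) and for the traffic-rate extended community that carries the policing or discard action. It is not Juniper code and not part of the slides; the prefix, AS number and ports are constructed sample values.

```python
import ipaddress
import struct

# RFC 5575 component types used here (components must appear in ascending type order).
FS_DST_PREFIX, FS_SRC_PREFIX, FS_IP_PROTO, FS_DST_PORT, FS_SRC_PORT = 1, 2, 3, 5, 6


def _prefix_component(type_code, cidr):
    """<type, prefix-length, prefix>; only the significant octets of the prefix are sent."""
    net = ipaddress.ip_network(cidr, strict=True)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([type_code, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_component(type_code, values):
    """<type> followed by {numeric-operator, value} pairs meaning 'equal to any of values'."""
    out = bytearray([type_code])
    for i, v in enumerate(values):
        width = 1 if v < 0x100 else 2              # len bits (0x30): 00 = 1 byte, 01 = 2 bytes
        op = 0x01 | (0x10 if width == 2 else 0)    # eq bit (0x01) plus length bits
        if i == len(values) - 1:
            op |= 0x80                             # e bit: end of list
        out.append(op)
        out += v.to_bytes(width, "big")
    return bytes(out)


def flowspec_nlri(dst=None, src=None, proto=None, dport=(), sport=()):
    """Length octet (two octets with a 0xF prefix when >= 240), then the components."""
    body = b""
    if dst is not None:
        body += _prefix_component(FS_DST_PREFIX, dst)
    if src is not None:
        body += _prefix_component(FS_SRC_PREFIX, src)
    if proto is not None:
        body += _numeric_component(FS_IP_PROTO, [proto])
    if dport:
        body += _numeric_component(FS_DST_PORT, list(dport))
    if sport:
        body += _numeric_component(FS_SRC_PORT, list(sport))
    n = len(body)
    return (bytes([n]) if n < 240 else struct.pack("!H", 0xF000 | n)) + body


def traffic_rate_extcomm(asn, rate_bytes_per_sec):
    """Traffic-rate extended community (type 0x80, subtype 0x06); a rate of 0 means discard."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, rate_bytes_per_sec)


# Constructed sample: drop UDP/53 towards one protected host (rate 0 = discard).
SAMPLE_NLRI = flowspec_nlri(dst="192.0.2.10/32", proto=17, dport=(53,))
SAMPLE_ACTION = traffic_rate_extcomm(64496, 0.0)
```

Decoding the sample NLRI by hand (0c 01 20 c0 00 02 0a 03 81 11 05 81 35) shows the n-tuple: 12 octets, destination /32 192.0.2.10, protocol == 17, destination port == 53; the validation rule on the slide (accept from peers only if the originator also owns the best path to the destination prefix) applies to component 1.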
Management
- JunOS CLI
- JunOS Space
- JDDOS UI
- STRM
Open Management Interfaces:
- DMI/Netconf (IETF standard)
- JunOS scripting
- SNMP
- Syslog logging
SECURITY THREAT RESPONSE MANAGER (STRM): Log management, Correlation, Flow, SIEM
- STRM supports SRX Series Intrusion Prevention System (IPS) and AppSecure
- 220+ out-of-the-box report templates
- Fully customizable reporting engine: creating, branding and scheduling delivery of reports
- Compliance reporting packages for PCI, SOX, FISMA, GLBA, and HIPAA
- Reports based on control frameworks: NIST, ISO and COBIT
JUNOS DDOS SECURE + SRX + STRM
[Diagram: Edge, Core (SRX, SRX) and Applications tiers; STRM Console, STRM Log Collector and STRM Flow Collector, with an upstream collector.]
Q&A
Karel [email protected]