
  • Slide 1

    Copyright © 2011 Juniper Networks, Inc. www.juniper.net

    Kunal Jha, Juniper Networks

  • Slide 2

    Cloud, Virtualization, BYOD / Mobility, SDN, Security

  • Slide 3: Simplified Networking

    [email protected], Senior Systems Engineer

    Juniper Networks Proprietary and Confidential -- printed copies of this document are for reference only

  • Slide 4: EX Series portfolio timeline, 2008 to 2013+

    Fixed-configuration and modular platforms, positioned across core, aggregation and access.

    2008: EX4200, EX3200 (fixed; 8x10G, 1G copper, 1G fiber)
    2009: EX8216, EX8208 (modular)
    2010 to 2012: EX4500, EX2200, EX8200 Virtual Chassis (40x10G), EX4200 Virtual Chassis, EX4200-PX, EX3300, EX4500 Virtual Chassis, EX2200-C, EX3300 Virtual Chassis, EX6200 (Extra-Scale, External RPS, EX6200 48F), EX4550 SFP+, EX4550 10GT
    2013+: EX9200

  • Slide 5: Why We Win

    • Operational simplicity
    • Deployed extensively: over 19,000 customers, 15M+ ports; data center, campus, branch, SP; financials, healthcare, education; #3 LAN switching vendor
    • Technology flexibility
    • Performance

  • Slide 6: THE REST OF THE DATA CENTER HAS ADVANCED DRAMATICALLY IN RECENT YEARS

    From a rigid, legacy model of I.T. to a flexible, virtualized model:

    Applications:      On-Premise Apps     ->  Software Services
    Servers/Compute:   Dedicated Servers   ->  Virtualized Workloads
    Storage:           Dedicated Storage   ->  Shared Storage

  • Slide 7: THE DATA CENTER NETWORK HAS NOT EVOLVED, AND IS NOW AN INHIBITOR

    From a rigid, legacy model of I.T. to a flexible, virtualized model:

    Applications:      On-Premise Apps       ->  Software Services
    Servers/Compute:   Dedicated Servers     ->  Virtualized Workloads
    Storage:           Dedicated Storage     ->  Shared Storage
    Network:           Layers of Complexity  ->  Experience? Economics?

  • Slide 8: Ethernet Network evolution 3-2-1

    3 tiers: legacy three-tier data center
    2 tiers: Juniper two-tier data center
    1 tier: Juniper's data center fabric

    Up to 75% of traffic is E-W (east-west).

  • Slide 9: Virtual chassis: advantage

    Diagram labels: Core Switches, Distribution Switches, Access Switches; 128 Gig; 10 Gig, 10 Gig, 10 Gig, 10 Gig.

  • Slide 10: Multi-building campus deployment example

    One Virtual Chassis to manage for the entire campus backbone, utilizing the same MM fiber. Buildings: Admin Bldg 1, Lab Bldg 2, Classroom Bldg 3, Classroom Bldg 4, Recreation Bldg 5, each with an EX4200 Virtual Chassis. Diagram labels: WAN, 1GbE uplink, GbE/10GbE VCP.

    One-switch LAN
    • 1 to manage
    • 1 to upgrade
    • 1 software version
    • No L2 loop / no STP required

    High availability
    • Redundant power/cooling
    • Redundant switch fabric
    • Sub-second convergence in case of device/link failure

    Integrated access security
    Integrated QoS for voice/video/data

    Local L3/L2 processing: peer-to-peer traffic can be processed by the VC ring itself, with no need to load the core. Optimized for voice and video over IP, as inter-building traffic bypasses the core switch.

  • Slide 11: Distributed core with 8-member VC

    Locations A, B, C and D, each with EX4200 and EX4500 members (diagram labels: EX4200, EX4200, EX4200, EX4500, EX4200, EX4200, EX4200, EX4500).

    • Single core switch to manage across all sites
    • Sites could be campus or DC or both: common hardware and operating system
    • Seamless virtual workload mobility across sites

  • Slide 12: TRANSFORM THE NETWORK

    A fabric has the scalability and resilience of a network, and the performance and simplicity of a single switch.

    Switch fabric
    • Data plane: flat, any-to-any
    • Control plane: single device, shared state

    Single device, N=1. One network: flat, any-to-any connectivity.

  • Slide 13: Chassis Switch End of Row…

    Single point of management… Cabling complexity.

  • Slide 14: QFabric evolving the single switch model

    Chassis switch:
    • Separate the I/O modules from the fabric and replace copper traces with fiber links.
    • For redundancy add multiple Interconnect devices.
    • Federated control and intelligent Nodes
    • One logical switch

    Chassis component -> QFabric component: I/O Modules -> Node; Fabric -> Interconnect; Route Engine -> Director

  • Slide 15: QFABRIC Family Summary

    QFX3000-M: 10s to 768 ports
    QFX3000-G: 10s to 6,144 ports

    Storage: end-to-end FCoE, FCoE/FC gateway and FCoE/iSCSI transit switch, lossless, DCB compliant
    Simplicity: N=1, runs Junos, rich functionality
    Performance: low jitter
    Scalability: designed for the modern DC, flexible VLAN capability, virtualization and convergence, seamless Layer 2 and Layer 3

  • Slide 16: Approaches To Securing Virtual Servers

    Each diagram shows an ESX host running a hypervisor with VM1, VM2 and VM3.

    1. VLAN Segmentation
       Each VM in a separate VLAN; inter-VM communications must route through the firewall.
       Drawback: possibly complex VLAN networking.

    2. Agent-based
       Each VM has a software firewall (FW agents).
       Drawback: significant performance implications; huge management overhead of maintaining software and signatures on 1000s of VMs.

    3. Kernel-based Firewall
       FW as a kernel module in the hypervisor. VMs can securely share VLANs; inter-VM traffic is always protected; high performance from implementing the firewall in the kernel; micro-segmenting capabilities.

  • Slide 17: vGW Firewall Performance

    TCP throughput test (standard 1500 byte packet size). See slide notes for details.

  • Slide 18: Juniper is a recognized industry leader in Security

    Leaders Quadrant in four categories: Network Access Control; SIEM/STRM; SSL VPN; Firewall/IPSec VPN
    Visionaries Quadrant in: Intrusion Prevention category

  • Slide 19: Inconvenient Statistics

    70% of ALL threats are at the Web application layer.
    73% of organizations have been hacked in the past two years through insecure Web apps.
    Sources: Ponemon Institute, Gartner

  • Slide 20: WAF is not enough

    Threat sources: Bot Nets, Targeted Scanners, IP Scanners, Manual Hacking

    WAF limitations:
    • Reliance on signatures
    • Static attack surface
    • No understanding of attackers
    • Reactive

  • Slide 21: WAF is not enough

    – WAFW00F can fingerprint WAF products protecting a website… It can already profile 20 WAF products.
    Source: http://code.google.com/p/waffit/source/browse/trunk/wafw00f.py

  • Slide 22: 5 attack phases: APT behaviour

    Phase 1, Silent Reconnaissance: attackers profile physical and virtual devices and applications.
    Phase 2, Attack Vector Establishment: weaknesses in the attack surface are identified for attack.
    Phase 3, Attack Implementation: attacks launched to take control of a device, application or VM; can be used to begin further reconnaissance.
    Phase 4, Attack Automation: repeat the attack to increase effectiveness, increase profit or extract more data.
    Phase 5, Maintenance: evade patching and remediation measures intended to stop the attack.

    Diagram callouts: "Plays Here" and "WAF Plays Here".

  • Slide 23: The Junos WebApp Secure (MYKONOS) advantage: Deception-based Security

    Detect: "Tar Traps" detect threats without false positives.
    Track: track IPs, browsers, software and scripts.
    Profile: understand the attacker's capabilities and intents.
    Respond: adaptive responses, including block, warn and deceive.

  • Slide 24: Detection by Deception

    Diagram: Client <-> App Server, with tar traps placed at the Network Perimeter, Server Configuration, Query String Parameters, Hidden Input Fields and the Database Firewall.

  • Slide 25: Fingerprint of An Attacker

    200+ attributes used to create the fingerprint, for example browser version, fonts, browser add-ons, timezone, IP address.
    Availability of fingerprints: ~ real time.
    False positives: nearly zero.

  • Slide 26: Smart Profile of Attacker

    • Attacker local name (on machine)
    • Attacker global name (in Spotlight)
    • Incident history
    • Attacker threat level

  • Slide 27: Junos WebApp Secure Responses: Respond and Deceive

    Threat types (columns): Human Hacker, Botnet, Targeted Scan, IP Scan, Scripts & Tools, Exploits.
    Responses (rows): Warn attacker, Block user, Force CAPTCHA, Slow connection, Simulate broken application, Force log-out.

    All responses are available for any type of threat. Highlighted responses are most appropriate for each type of threat.
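    The detect / track / profile / respond pipeline described on the preceding slides (tar traps in hidden input fields and query string parameters, a client fingerprint, a per-attacker profile with incident history and threat level, and an escalating response chosen from the deck's response list), as an added Python example. This is not code from the deck and not Junos WebApp Secure's implementation; the secret, the decoy names "_role" and "debug", the header names X-Client-IP and X-Timezone, the incident weights and the response ladder are all constructed assumptions for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Assumption: a per-deployment secret; this value is constructed for the demo.
SERVER_SECRET = b"constructed-demo-secret"

# Tar traps: decoys that no legitimate browser or user ever changes or requests.
HIDDEN_FIELD = "_role"   # hidden input planted in every form; only a tamperer edits it
DECOY_PARAM = "debug"    # query parameter that no real link on the site uses


def decoy_token(session_id: str) -> str:
    """Value planted in the hidden field, bound to the session so any change is detectable."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()[:16]


def render_form(session_id: str) -> str:
    """The real form plus the planted hidden input (the tar trap)."""
    return ('<form method="post" action="/account">'
            f'<input type="hidden" name="{HIDDEN_FIELD}" value="{decoy_token(session_id)}">'
            '<input name="email"><button>Save</button></form>')


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as seen by the web application."""
    session_id: str
    url: str
    form: Dict[str, str]
    headers: Dict[str, str]


@dataclass
class Profile:
    """Per-attacker record: fingerprint plus incident history (the deck's 'smart profile')."""
    fingerprint: str
    incidents: List[str] = field(default_factory=list)

    @property
    def threat_level(self) -> int:
        # Editing a planted field is a stronger signal than requesting a decoy parameter.
        weights = {"hidden_field_tampered": 2, "decoy_param_used": 1}
        return sum(weights.get(kind, 1) for kind in self.incidents)


def fingerprint(req: Request) -> str:
    """Client fingerprint: a stand-in for the deck's 200+ attributes using a few headers
    plus the source address. X-Client-IP and X-Timezone are assumed front-end header names."""
    parts = [req.headers.get(h, "") for h in ("X-Client-IP", "User-Agent", "Accept-Language", "X-Timezone")]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:12]


def detect(req: Request) -> List[str]:
    """Return the tar traps this request tripped; empty for a normal client."""
    tripped = []
    planted = req.form.get(HIDDEN_FIELD)
    if planted is not None and not hmac.compare_digest(planted.encode(), decoy_token(req.session_id).encode()):
        tripped.append("hidden_field_tampered")
    if DECOY_PARAM in parse_qs(urlsplit(req.url).query):
        tripped.append("decoy_param_used")
    return tripped


# Response ladder drawn from the deck's response list; index = threat level, capped at the top.
RESPONSES = ["allow", "warn_attacker", "force_captcha", "slow_connection", "block_user"]


def choose_response(profile: Profile) -> str:
    """Escalate per attacker rather than per request, so repeat offenders climb the ladder."""
    return RESPONSES[min(profile.threat_level, len(RESPONSES) - 1)]


def handle(req: Request, profiles: Dict[str, Profile]) -> str:
    """Full pipeline: fingerprint -> detect -> update profile -> choose response."""
    fp = fingerprint(req)
    profile = profiles.setdefault(fp, Profile(fp))
    profile.incidents.extend(detect(req))
    return choose_response(profile)


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate submit, one decoy-parameter probe, two tampered submits.
    profiles: Dict[str, Profile] = {}
    hdrs = {"X-Client-IP": "198.51.100.7", "User-Agent": "demo-browser", "Accept-Language": "en", "X-Timezone": "UTC"}
    sid = "session-1"
    print(render_form(sid))
    legit = Request(sid, "/account", {"email": "a@example.com", HIDDEN_FIELD: decoy_token(sid)}, hdrs)
    probe = Request(sid, "/account?debug=1", {}, hdrs)
    tamper = Request(sid, "/account", {"email": "x", HIDDEN_FIELD: "admin"}, hdrs)
    for r in (legit, probe, tamper, tamper):
        print(r.url, detect(r), "->", handle(r, profiles))
```

    The design point is the one the slides make: a decoy field or parameter is never touched by a normal client, so a hit carries almost no false-positive risk, and the response is keyed to the attacker's accumulated profile rather than to a single request.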

  • Slide 28: Solution Slides: Mobility & BYOD

  • Slide 29: THE HISTORY OF BUSINESS CONNECTIVITY

    Terminals (serial networks) -> PCs (Ethernet networks) -> Laptops (casual wireless) -> Mobile devices (primarily wireless)

  • Slide 30: Juniper wireless today

    Over 6,000 customers; 1M+ AP installed base since 2005: healthcare, education (higher ed & K-12), hospitality.
    Presence in Fortune 500: Shell, Chevron, Alcoa, Audi, VW.
    Many mission-critical environments: University of Minnesota (18,000 AP, 300 buildings, 1200 acres); Belfast Health & Social Care Trust (2,220 AP, 7 hospitals, 22,000 staff).
    Proven technology track record: largest WLAN patent portfolio today (17 issued patents, 49 pending); simple, secure, mobile; real-time location aware.
    Differentiating WLAN innovations: seamless roaming, life cycle management, intelligent switching, controller virtualization, identity based networking, unified mobility services.

  • Slide 31: Juniper Networks Wireless LAN Evolution

    Fat AP architecture: local switching
    Thin AP architecture: central switching
    Juniper WLAN architecture: local AND central switching

    Each architecture is marked "Optimized for:" against Performance, Reliability, Security and Management (the per-architecture marks are not legible on the slide).

  • Slide 32: DISTRIBUTED SWITCHING MAXIMIZES SCALABILITY

    Centralized-only switching breaks down under increased load from 802.11n (Cisco & Aruba):
    • All traffic gets forwarded by the controller
    • Twice the traffic through the network core
    • 802.11n increases load by up to 10x; the 10x increase exceeds controller capacity
    • Can't scale without expensive upgrades

    Distributed switching handles 802.11n without breaking down (Juniper):
    • Traffic can be forwarded by the AP
    • Optimized traffic flows, ideal for voice
    • 802.11n has no impact on the controller
    • Scales in place without upgrades

  • Slide 33: RESILIENCY ADVANTAGE OF WLAN VIRTUALIZATION

    Hot standby approach (Aruba):
    • Catastrophic failure: dropped user sessions (imagine a voice call)
    • APs restart using the hot standby controller
    • No AP load balancing across controllers
    • Fully loaded hot standby required

    Controller virtualization (Juniper):
    • Hitless failover, even for active sessions (including voice calls)
    • APs instantly remapped to an in-service controller
    • Dynamic AP load balancing across controllers
    • No additional equipment required

  • Slide 34: Core differentiator: CONTROLLER CLUSTERING

    Competitors' complex approach (Vendor A, Vendor B; Controller A, Controller B, Controller C with a hot stand-by or back-up controller):
    • Discrete controllers operate independently for AP redundancy configuration
    • Harder to scale, since adding capacity is cumbersome
    • Limited resiliency: APs mapped directly to a controller and reset upon network/device failure
    • Limited reliability: N+1 (limited to the number of designated back-up switches)
    • Difficult to manage, highest cost of ownership

    Juniper's simplified approach:
    • Clustered controllers act collectively as a single virtual controller for wireless configuration
    • Easy to scale: capacity can be added in chunks, anywhere in the network
    • Highest resiliency: APs dynamically map to controllers; optimized, automatic AP load balancing
    • Always-on reliability: many-to-many redundancy; all switches can serve as back-up
    • Easiest to manage, lowest cost of ownership

  • Slide 35