
Securing Networks with Juniper Networks - TERENA


Securing Networks with Juniper Networks

Juniper Security Features

Jean-Marc Uzé

Liaison Research, Education and Government Networks and Institutions, EMEA

[email protected]

TF-CSIRT Meeting, 26/09/02

Agenda

- Introduction
- Juniper Networks Routers Architecture
- Router Protection
- Encryption of Traffic
- Source Address Verification
- Real-time Traffic Analysis
- I/O Filters and Rate Limiting
- Summary


Juniper Networks, Inc. Copyright © 2002 3

Cyber Attacks Increasing

Timeline diagram of attack types, 1994 to 2000: packet sniffers, IP spoofing, denial of service attacks, automated scanning tools, distributed denial of service attacks, email script attacks, self-propagating automated distributed attacks. The trend runs from host based attacks to network based attacks to attacks that target the network itself.

- Frequency
  - Over 4,000 Distributed DoS attacks a week
- Sophistication
  - Distributed DoS attacks hard to detect & stop
  - Network elements recently targeted
- Impact
  - Yahoo, eBay, Microsoft make headlines
  - Cloud 9 (UK) ISP out of business

Source: Published CERT figures


Today’s Security Compromises

- Enable security at specific points on the network
- As platforms, interfaces or software allow
- Does not provide reliable security
- Security enabled after attack is detected
- High operational effort
- Performance SLAs affected

Diagram: performance plotted against time over an attack (attack starts, tracing, blocking, attack ends) relative to the SLA target; the protection is partial and reactive.


Security Without Compromise

- Ubiquitous
  - Juniper Networks: single image, security on all interfaces
- Continuous
  - Juniper Networks: low impact; turn it on, leave it on
- Economical
  - Juniper Networks: included in the basic platform
- Proven
  - Juniper Networks: shipping since 2000 and in use in production networks around the world

Lets you, rather than your equipment, dictate your network security policy.


Protecting and Enabling Revenues

- Customer Retention
  - Increased customer satisfaction
  - Match competitive security service offerings
- New Services
  - Lawful Intercept
  - Intrusion Detection Services
  - High Speed Encrypted VPNs
  - Attack Resistant Web Hosting
  - Denial of Service Protection/Control
  - Spoofing Protection


JUNOS Security Related Features

Timeline diagram of security features by release: JUNOS 3.x (1998), JUNOS 4.x (1999), JUNOS 5.x (2001). Feature groups shown, in the order they appear on the slide:

- User Administration, TACACS+/RADIUS, Protocol Authentication
- H/W Based Packet Filtering, Individual Command Authorization, Traffic Policing, Firewall Syslogs/MIB, H/W Based Router Protection
- Port-Mirroring, IPSEC Encryption (Control and Transit traffic), Unicast RPF, RADIUS Support for PPP/CHAP, SNMPv3


Juniper Security Features at a Glance

Examples of available safeguards, arranged on the slide by Infrastructure Protection and Customer Protection:

- Prevention
  1. Hardware based router protection
  2. IPSEC encryption of Control Traffic
  3. IPSEC encryption of customer traffic
  4. Source address verification
- Detection
  5. Real time traffic analysis (port mirroring) for Lawful Intercept, IDS
  6. Real-time DDOS attack identification
- Suppression
  7. I/O filters to block attack flows
  8. Rate limiting
  9. Hitless filter implementation


System Architecture

- Routing Engine
  - Maintains routing table and constructs forwarding table using knowledge of the network
- Packet Forwarding Engine
  - Receives packet forwarding table from Routing Engine
  - Copies packets from an input interface to an output interface
  - Conducts incremental table updates without forwarding interruption

Diagram: JUNOS Internet Software on the Routing Engine holds the forwarding table and sends updates to the copy held by the Internet Processor II; the Packet Forwarding Engine comprises the Internet Processor II, the switch fabric and the I/O cards.


IP II ASIC Overview

- Leverages proven, predictable ASIC forwarding technology of Internet Processor
- Provides breakthrough technology to support performance-based, enhanced services
  - Security and bandwidth control (i.e. filtering) at speed
  - Visibility into network operations at speed
- Delivers performance WITH services
  - Supported on all interfaces

Diagram: Internet Processor II.


Filtering

- IP-II enables significant functionality with applications to network management
  - Security
  - Monitoring
  - Accounting

Filter specification (multiple rules may be specified):

    filter my-filter ip {
        rule 10 {
            protocol tcp;
            source-address 128.100.1/24;
            port [ smtp ftp-data 666 1024-1536 ];
            action {
                reject tcp-reset;
            }
        }
    }

Diagram notes:

- All packets handled by the router pass through the packet handling programs. The filter specification is compiled into microcode; filters and route lookup are part of the same program, per routing instance.
- Filters can act on highlighted fields of the IP and TCP headers (the diagram shows the full headers: IP Ver, IHL, ToS, Total Len, ID, Fragmentation, TTL, Proto, Hdr Checksum, Source Address, Destination Address; TCP Source Port, Dest Port, Sequence Number, Acknowledgement Number, Offset, Flags, Window, Checksum, Urgent Pointer), as well as the incoming interface identifier and the presence of IP options.
- Actions: forward; silent discard; TCP reset or ICMP unreachable; log, syslog, count, sample, forwarding-class, loss-priority, policer.


JUNOS Internet Software

- Common software across entire product line leverages stability, interoperability, and a wide range of features
- Purpose built for Internet scale
- Modular design for high reliability
- Best-in-class routing protocol implementations
- Foundation for new services with MPLS traffic engineering

Diagram: operating system modules (Protocols, Interface Mgmt, Chassis Mgmt, SNMP, Security).


Traffic Framework

- Management, Control and Data planes
- Source, Destination and Type

Diagram: traffic classes passing through the router: routing control, ICMP notification, user data and router management.


Tools – Prevent, Detect, Control

- Traffic
  - Forward
  - Redirect
  - Monitor
  - Sample
  - Count
  - Log
  - Mark
  - Limit
  - Discard
- Route Control
  - Import filters
  - Export filters
  - Mark
  - Limit
    - Announcements
    - Prefixes


JUNOS Default to Secure

- Does not forward directed broadcasts
- Remote management access to the router is disabled. It must be explicitly enabled
  - telnet, ftp, ssh…
- No SNMP set support for editing configuration data
- Default Martian addresses


Communicating with the Router

- Secure Shell
  - SSH v1 / v2
  - Supports connection limit + rate limit against SYN flood DoS attacks on the ssh port
  - OpenSSH 3.0.2 since JUNOS 5.4
- Secure Copy Protocol (SCP)
  - Uses the ssh encryption and authentication infrastructure to securely copy files between hosts
- Central Authentication
  - TACACS+ / RADIUS
  - User classes with specific privileges
- File Records and Command Events


Hardware-Based Router Protection

- Router’s control plane is complex and intelligent
  - Needs to be CPU based
  - Protocols need processing power for fast updates and to minimize convergence time.
- Attacks launched at routers include sending:
  - Forged routing packets (BGP, OSPF, RIP, etc.)
  - Bogus management traffic (ICMP, SNMP, SSH, etc.)
- Attacker can easily launch high speed attacks
  - Rates in excess of 40M/second
  - CPU based filtering unable to keep up
  - Attacks consume CPU resources needed for control traffic.
  - Danger of protocol time-outs, leading to network instabilities.


Hardware Based Router Protection

- Hardware based filtering advantages
  - Hardware drops attack (“untrusted”) traffic
  - CPU free to process “trusted” control traffic
- One filter applied to the “loopback”
  - Protects the router and all interfaces
  - Provides ease of management
  - No need to configure additional filters when adding new interfaces


    firewall {
        filter protect-RE {
            /* traffic of TCP sessions already established: ACK or RST set */
            term established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* trusted sources, and only the protocols and ports they need */
            term trusted-traffic {
                from {
                    source-address {
                        10.10.10.0/24;
                        10.10.11.0/24;
                        10.10.12.0/24;
                        10.10.17.0/24;
                        10.10.18.0/24;
                    }
                    protocol [ icmp tcp ospf udp ];
                    destination-port [ bgp domain ftp ftp-data snmp ssh ntp ];
                }
                then accept;
            }
            /* everything else is logged and discarded */
            term default {
                then {
                    log;
                    discard;
                }
            }
        }
    }

Hardware Based Router Protection

- Define “trusted” source addresses
- Define protocols and ports that need to communicate
- Accept desired traffic and discard everything else
- One filter applied to the loopback interface protects router and all interfaces
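A software model of the protect-RE filter above, added here as an example and not Juniper code, that evaluates constructed packets against the three terms in configuration order; the packet dictionary layout, the PORTS table and the function names are assumptions of this example.

```python
"""Model of the slide's protect-RE loopback filter, evaluated over constructed
packets. Added example, not Juniper code: the packet dict layout, the PORTS
table and the helper names are assumptions made for this illustration."""
from ipaddress import ip_address, ip_network

# Numeric values of the JUNOS port keywords in the slide's destination-port list
PORTS = {"bgp": 179, "domain": 53, "ftp": 21, "ftp-data": 20,
         "snmp": 161, "ssh": 22, "ntp": 123}
# The "trusted" source prefixes from the slide's term trusted-traffic
TRUSTED = [ip_network(p) for p in ("10.10.10.0/24", "10.10.11.0/24",
                                   "10.10.12.0/24", "10.10.17.0/24",
                                   "10.10.18.0/24")]
TRUSTED_PROTOS = {"icmp", "tcp", "ospf", "udp"}


def term_established(pkt):
    """term established: tcp-established matches TCP packets with ACK or RST set.
    It matches regardless of source address, which is how the slide wrote it:
    only new TCP sessions are subject to the source checks in the next term."""
    return pkt["proto"] == "tcp" and bool(pkt.get("flags", set()) & {"ACK", "RST"})


def term_trusted_traffic(pkt):
    """term trusted-traffic: trusted source, listed protocol, listed port.
    Assumption of this model: the port list is checked for TCP/UDP only,
    since ICMP and OSPF carry no port numbers."""
    if not any(ip_address(pkt["src"]) in net for net in TRUSTED):
        return False
    if pkt["proto"] not in TRUSTED_PROTOS:
        return False
    if pkt["proto"] in ("tcp", "udp"):
        return pkt.get("dport") in PORTS.values()
    return True


# Terms in configuration order; the first matching term wins, as in a JUNOS filter
TERMS = [("established", term_established, "accept"),
         ("trusted-traffic", term_trusted_traffic, "accept")]


def evaluate(pkt):
    """Return (term name, action) for one packet addressed to the Routing Engine.
    Anything no earlier term accepts hits the slide's term default: log + discard."""
    for name, matches, action in TERMS:
        if matches(pkt):
            return name, action
    return "default", "log+discard"


def run_samples():
    """Constructed packets covering the interesting cases; returns their verdicts."""
    samples = {
        "bgp-syn-trusted":   {"src": "10.10.10.5", "proto": "tcp", "dport": 179, "flags": {"SYN"}},
        "ssh-syn-untrusted": {"src": "192.0.2.7", "proto": "tcp", "dport": 22, "flags": {"SYN"}},
        "ack-untrusted":     {"src": "192.0.2.7", "proto": "tcp", "dport": 22, "flags": {"ACK"}},
        "dns-trusted":       {"src": "10.10.11.9", "proto": "udp", "dport": 53},
        "udp-5000-trusted":  {"src": "10.10.11.9", "proto": "udp", "dport": 5000},
        "ospf-trusted":      {"src": "10.10.12.3", "proto": "ospf"},
        "icmp-untrusted":    {"src": "198.51.100.4", "proto": "icmp"},
    }
    return {name: evaluate(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (term, action) in run_samples().items():
        print(f"{name:18s} -> term {term:16s} {action}")
```

The "ack-untrusted" case shows why the order of terms matters: the established term accepts ACK-flagged TCP from any source, so a deployment that wants to restrict that too has to add source-address conditions to it.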


IPSec Encryption of Control Traffic

- Encrypt control traffic between routers
- Encryption uses ESP in Transport Mode
- ESP provides secure communication for critical control/routing traffic
- Protects from attacks against control plane


IPSec Encryption of Customer Traffic

- Encryption Services PIC provides capabilities to other interfaces on the router for Encryption and Key Exchange (IKE)
- Provides high-bandwidth encryption for transit traffic at 800 Mbps (half-duplex)
- Applied via the Packet Forwarding Engine
  - Offloads the encryption and decryption tasks from the Routing Engine processor
- Delivers private and secure communication of mission-critical customer traffic
- Provides up to 1,000 tunnels per PIC
- Can scale using multiple PICs


IPSec Encryption of Customer Traffic

- Crypto PIC highlights:
  - Tunnel/Transport Mode
    - Tunnel mode for data traffic
  - Authentication Algorithms
    - MD5
    - SHA-1
  - Encryption Algorithms
    - DES
    - 3-DES
  - IKE Features
    - Support for automated key management using Diffie-Hellman key establishment
    - Main/Aggressive mode supported for IKE SA setup
    - Quick Mode supported for IPSec SA setup


Source Address Verification

- Why it is needed:
  - IP address spoofing is a technique used in DOS attacks
  - Attacker pretends to be someone else
  - Makes it difficult to trace back the attacks
  - Common operating systems let users spoof the machine’s IP address (UNIX, LINUX, Windows XP)
- How it is done:
  - Route table look-up performed on IP source address
  - Router determines if traffic is arriving on the expected path
    - Traffic is accepted
    - Normal destination based look up is performed
  - If traffic is not arriving on the expected path
    - Then it is dropped


Source Address Verification

- Juniper Solution
  - uRPF can be configured per-interface/sub-interface
  - Supports both IPv4 and IPv6
  - Packet/byte counters for traffic failing the uRPF check
  - Additional filtering available for traffic failing check:
    - police/reject
    - Can syslog the rejected traffic for later analysis
  - Two modes available:
    - Active-paths: uRPF only considers the best path toward a particular destination
    - Feasible-paths: uRPF considers all the feasible paths. This is used where routing is asymmetrical.


Source Address Verification

Diagram: a router with uRPF enabled sits between a data center (10.10.10.0/24) reached through so-1/0/0.0 and a network 11.11.11.0/24 on so-0/0/0.0. The routing table entry for the data center prefix is:

    10.10.10.0/24 *[BGP/170]
                  >via so-1/0/0.0

An attack with source address 10.10.10.1 arriving on so-0/0/0.0 fails the source-address look-up, because the route to 10.10.10.0/24 points at so-1/0/0.0, and is dropped.
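The uRPF check from the two slides above, carried through the diagram's scenario in both active-paths and feasible-paths mode; this is an added example, not Juniper code, and the route table layout, the Urpf class and the second feasible path for 10.10.10.0/24 (constructed to show the asymmetric-routing case) are assumptions of the example.

```python
"""Unicast RPF check modelled on the slide's scenario, in both active-paths and
feasible-paths mode. Added example, not Juniper code: the route table layout,
the Urpf class and the extra feasible path on so-0/0/0.0 are constructed here."""
from ipaddress import ip_address, ip_network

# Constructed routing table. The first entry mirrors the slide:
#   10.10.10.0/24 *[BGP/170] >via so-1/0/0.0
# and, to show the asymmetric-routing case, is given a second feasible path.
ROUTES = [
    # (prefix, active (best) paths, all feasible paths)
    ("10.10.10.0/24", ["so-1/0/0.0"], ["so-1/0/0.0", "so-0/0/0.0"]),
    ("11.11.11.0/24", ["so-0/0/0.0"], ["so-0/0/0.0"]),
]


class Urpf:
    """Per-interface uRPF with the packet/byte fail counters the slide mentions."""

    def __init__(self, routes, mode="active-paths"):
        if mode not in ("active-paths", "feasible-paths"):
            raise ValueError(mode)
        self.mode = mode
        self.routes = [(ip_network(p), set(a), set(f)) for p, a, f in routes]
        self.fail_packets = {}
        self.fail_bytes = {}

    def lookup(self, src):
        """Longest-prefix match on the *source* address; None if no route."""
        addr = ip_address(src)
        hits = [r for r in self.routes if addr in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def expected_interfaces(self, src):
        route = self.lookup(src)
        if route is None:
            return set()            # unroutable source: no path can be expected
        return route[1] if self.mode == "active-paths" else route[2]

    def check(self, src, ingress, length=64):
        """True if the packet arrived on an expected path; otherwise count and drop."""
        if ingress in self.expected_interfaces(src):
            return True
        self.fail_packets[ingress] = self.fail_packets.get(ingress, 0) + 1
        self.fail_bytes[ingress] = self.fail_bytes.get(ingress, 0) + length
        return False


def slide_scenario(mode):
    """The slide's attack packet (source 10.10.10.1 entering on so-0/0/0.0), a
    genuine data-center packet on so-1/0/0.0, and a packet from an unroutable source."""
    urpf = Urpf(ROUTES, mode)
    return {
        "spoofed-on-so-0/0/0.0": urpf.check("10.10.10.1", "so-0/0/0.0", 1500),
        "genuine-on-so-1/0/0.0": urpf.check("10.10.10.1", "so-1/0/0.0", 1500),
        "no-route-source":       urpf.check("203.0.113.9", "so-0/0/0.0", 60),
        "failed-bytes":          urpf.fail_bytes.get("so-0/0/0.0", 0),
    }


if __name__ == "__main__":
    for mode in ("active-paths", "feasible-paths"):
        print(mode, slide_scenario(mode))
```

Feasible-paths mode accepts the very packet that active-paths mode drops, because the constructed second path makes so-0/0/0.0 a feasible way toward 10.10.10.0/24; that is the trade-off the slide describes for asymmetric routing.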


Real-time Traffic Analysis

- Sampling and cflowd format export (v5 + v8)
- Since JUNOS 5.4: Passive Monitoring PIC
  - Application is primarily for security and traffic analysis
  - Monitors IPv4 packets and flows over SONET on:
    - OC-3c, OC-12c and OC-48c
    - PPP or HDLC (Cisco) layer 2 encapsulations
  - Generates cflowd v5 records for export to collector nodes
    - IPSec or GRE tunnels can be used for exporting


Real-time Traffic Analysis

- Juniper Port Mirroring capability
  - Copy of sampled packet can be sent to arbitrary interface
  - Any interface and speed, up to 100% of selected packets
  - N number of ingress ports to single destination port
  - Work in progress with IDS vendor
- Discussions ongoing with high-speed analytical security application developers (OC48)


Real-time Traffic Analysis

Diagram: traffic entering the data center is mirrored from the router to an Intrusion Detection System.


Real-time DDoS Identification

- Preparation
  - Pre-configure Destination Class Usage (DCU) on customer-facing ingress interfaces
  - Accounting feature typically for billing
  - Supported in JUNOS 4.3 (12/2000) and beyond
  - Counts packets, bytes destined for each of up to 16 communities per interface
  - Counters retrievable via SNMP
  - Note: Source Class Usage is also supported (since JUNOS 5.4)
- During Attack
  - Use BGP to announce victim’s /32 host address with special community
  - Trigger SNMP polling of DCU counters on all ingress interfaces
  - Apply heuristic to identify likely attack sources
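The "During Attack" steps carried through on constructed DCU counter polls, as an added example that is not Juniper code: the poll format, interface names, 32-bit counter width, rate thresholds and function names are all assumptions of this example, and the victim's /32 is assumed to have been mapped to one DCU class by the special community.

```python
"""Heuristic from the slide's "During Attack" steps, run over constructed DCU
counter polls. Added example, not Juniper code: the poll format, the interface
names, the counter width, the thresholds and the helper names are assumptions."""

COUNTER_BITS = 32          # assumption: 32-bit SNMP counters that may wrap

# Constructed SNMP polls of the DCU class holding the victim's /32 (the class
# the special BGP community maps to), per customer-facing ingress interface.
# Each value is (packets, bytes) read at poll time t0 and again at t1.
INTERVAL_SECONDS = 60
POLL_T0 = {
    "so-0/0/0.0": (1000, 100000),
    "so-0/0/1.0": (20000, 2000000),
    "so-0/1/0.0": (500, 50000),
    "ge-1/0/0.0": (40, 4000),
    "so-1/0/0.0": (4294967000, 100000),
}
POLL_T1 = {
    "so-0/0/0.0": (1600, 160000),
    "so-0/0/1.0": (620000, 62000000),
    "so-0/1/0.0": (500500, 50050000),
    "ge-1/0/0.0": (40, 4000),
    "so-1/0/0.0": (200, 149600),    # packet counter wrapped between polls
}


def counter_delta(before, after, bits=COUNTER_BITS):
    """Difference between two counter readings, allowing for one wrap-around."""
    return after - before if after >= before else after + (1 << bits) - before


def rates(t0, t1, interval):
    """Per-interface packets/s and bits/s toward the victim class over the interval."""
    out = {}
    for ifname, (p0, b0) in t0.items():
        p1, b1 = t1[ifname]
        out[ifname] = {"pps": counter_delta(p0, p1) / interval,
                       "bps": counter_delta(b0, b1) * 8 / interval}
    return out


def likely_attack_ingress(t0, t1, interval, min_pps=1000.0, min_share=0.2):
    """The heuristic: an ingress interface is a likely attack source when its
    packet rate toward the victim is both above an absolute floor and a
    meaningful share of the total rate seen across all ingress interfaces.
    Returns interface names, highest rate first."""
    r = rates(t0, t1, interval)
    total = sum(v["pps"] for v in r.values()) or 1.0
    flagged = [i for i, v in r.items()
               if v["pps"] >= min_pps and v["pps"] / total >= min_share]
    return sorted(flagged, key=lambda i: r[i]["pps"], reverse=True)


if __name__ == "__main__":
    for ifname, v in rates(POLL_T0, POLL_T1, INTERVAL_SECONDS).items():
        print(f"{ifname:12s} {v['pps']:10.1f} pps {v['bps']:14.0f} bps")
    print("likely attack ingress:",
          likely_attack_ingress(POLL_T0, POLL_T1, INTERVAL_SECONDS))
```

The thresholds are illustrative; on a real network they would be set per link capacity, and the counter-wrap handling is what keeps a poll that straddles a wrap from producing a nonsensical negative rate.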


Real-time DDoS Identification

Diagram: a service provider network with a NOC, customer-facing ingress interfaces toward attacker networks, attack networks and user networks, and a victim network behind a switch.


Real-time DDoS Identification

Diagram: the same topology during an attack on host 128.8.128.80; the NOC announces 128.8.128.80/32 via BGP with community 100:100 so that the DCU counters on every ingress interface count the traffic destined for the victim.


Real-time DDoS Identification

Diagram slide (no text recovered).


I/O Filters To Block Attack Flows

- DOS attacks need to be detected and stopped
- Interface filters can be applied to block only attack flows
- Filters can be applied to any interface type
- Filters can be applied both on inbound and outbound

    /* apply the filter to the ingress point of the network */
    interfaces {
        so-0/2/2 {
            unit 0 {
                family inet {
                    filter {
                        input block-attack;
                    }
                    address 151.1.1.1/30;
                }
            }
        }
    }
    /* This is the filter which blocks the attacks */
    firewall {
        filter block-attack {
            term bad-guy {
                from {
                    source-address {
                        10.10.10.1/32;
                    }
                    protocol icmp;
                }
                then {
                    discard;
                    log;
                }
            }
            /* a filter ends in an implicit discard, so accept everything
               else explicitly; without this term all other traffic on the
               interface would be dropped, not only the attack flow */
            term allow-rest {
                then accept;
            }
        }
    }


Rate Limiting

- Suppression/Rate Limiting Advantages
  - Protects router or customer by limiting traffic based on protocol/port/source and destination addresses
- Juniper Advantage
  - Architectural reasons we perform
    - Internet Processor ASIC not tied to an interface or release
  - Behavior under attack
    - Stable operation, routing and management traffic unaffected


Hitless Filter Implementation

- Can be applied immediately after identification of offending traffic
- Application of filters does not create a short-term degraded condition as filters take effect
- Size and complexity of filter independent of forwarding performance


Traffic Interruption During Filter Compilation

Diagram (two steps): the NOC operator applies or changes filters while a normal traffic flow and an attack flow cross the router; during filter compilation all traffic, legitimate flows included, gets dropped.


No Interruption With Atomic Updates

Diagram (two steps): the NOC operator applies or changes filters while a normal traffic flow and an attack flow cross the router; with atomic updates only the attack traffic gets dropped and the legitimate traffic flow continues.


Next Steps

- Ongoing dialog with security team
  - Ensuring existing security features are active
  - Awareness of upcoming security issues
- Best Practices
  - White Papers
- Security consulting and training

Juniper Networks – the Trusted Source


Further References

- Juniper Networks Whitepapers
  - Rate-limiting and Traffic-policing Features
  - Fortifying the Core
  - Visibility into Network Operations
  - Minimizing the Effects of DoS Attacks
  - Juniper Networks Router Security
- Available from http://www.juniper.net/techcenter


Thank you

[email protected]