
Securing Networks With Juniper


  • 8/2/2019 Securing Networks With Juniper

    1/24


    Securing Networks with Juniper Networks

    Juniper Security Features

    Jean-Marc Uz
    Liaison Research, Education and Government Networks and Institutions, EMEA
    [email protected]

    TF-CSIRT Meeting, 26/09/02

    Agenda

    - Introduction
    - Juniper Networks Routers Architecture
    - Router Protection
    - Encryption of Traffic
    - Source Address Verification
    - Real-time Traffic Analysis
    - I/O Filters and Rate Limiting
    - Summary


    Juniper Networks, Inc. Copyright 2002 3

    Cyber Attacks Increasing

    - Frequency
      - Over 4,000 Distributed DoS attacks a week
    - Sophistication
      - Distributed DoS attacks hard to detect & stop
      - Network elements recently targeted
    - Impact
      - Yahoo, eBay, Microsoft make headlines
      - Cloud 9 (UK) ISP out of business

    [Figure: timeline 1994, 1996, 1998, 2000, moving from Host Based Attacks to Network Based Attacks to Attacks Target Network. Labels: Packet Sniffers; IP Spoofing; Denial of Service Attacks; Automated Scanning Tools; Distributed Denial of Service Attacks; Email Script Attacks; Self-Propagating Automated Distributed Attacks.]

    Source: Published CERT figures


    Today's Security Compromises

    - Enable security at specific points on the network
    - As platforms, interfaces or software allow
    - Does not provide reliable security
    - Security enabled after attack is detected
    - High operational effort
    - Performance SLAs affected

    [Figure: Performance against Time during an attack (Attack Starts, Tracing, Blocking, Attack Ends), with SLA and Target levels. Panel labels: Partial; Reactive.]


    Security Without Compromise

    - Ubiquitous
      - Juniper Networks: Single Image, Security on All Interfaces
    - Continuous
      - Juniper Networks: Low impact, turn it on, leave it on
    - Economical
      - Juniper Networks: Included in the basic platform
    - Proven
      - Juniper Networks: Shipping since 2000 and in use in production networks around the world

    Lets You, Rather Than Your Equipment, Dictate Your Network Security Policy.


    Protecting and Enabling Revenues

    - Customer Retention
      - Increased customer satisfaction
      - Match competitive security service offerings
    - New Services
      - Lawful Intercept
      - Intrusion Detection Services
      - High Speed Encrypted VPNs
      - Attack Resistant Web Hosting
      - Denial of Service Protection/Control
      - Spoofing Protection


    JUNOS Security Related Features

    [Figure: feature timeline across JUNOS 3.x (1998), JUNOS 4.x (1999) and JUNOS 5.x (2001). Feature groups shown:]

    - User Administration
    - TACACS+ / Radius
    - Protocol Authentication

    - H/W Based Packet Filtering
    - Individual Command Authorization
    - Traffic Policing
    - Firewall Syslogs / MIB
    - H/W Based Router Protection

    - Port-Mirroring
    - IPSEC Encryption (Control and Transit traffic)
    - Unicast RPF
    - Radius Support for PPP/CHAP
    - SNMPv3


    Juniper Security Features at a Glance

    Examples of Available Safeguards (table columns: Infrastructure Protection, Customer Protection)

    Prevention
      1. Hardware based router protection
      2. IPSEC encryption of Control Traffic
      3. IPSEC encryption of customer traffic
      4. Source address verification

    Detection
      5. Real time traffic analysis (port mirroring) for Lawful Intercept, IDS
      6. Real-time DDOS attack identification

    Suppression
      7. I/O filters to block attack flows
      8. Rate limiting
      9. Hitless filter implementation


    System Architecture

    - Routing Engine
      - Maintains routing table and constructs forwarding table using knowledge of the network
    - Packet Forwarding Engine
      - Receives packet forwarding table from Routing Engine
      - Copies packets from an input interface to an output interface
      - Conducts incremental table updates without forwarding interruption

    [Figure: the Routing Engine (JUNOS Internet Software, Forwarding Table) sends updates to the Forwarding Table of the Packet Forwarding Engine (Internet Processor II, Switch Fabric, I/O Cards).]


    IP II ASIC Overview

    - Leverages proven, predictable ASIC forwarding technology of Internet Processor
    - Provides breakthrough technology to support performance-based, enhanced Services
      - Security and bandwidth control (i.e. filtering) at speed
      - Visibility into network operations at speed
    - Delivers performance WITH services
      - Supported on all interfaces

    [Figure: Internet Processor II]


    Filtering

    - IP-II enables significant functionality with applications to network management
      - Security
      - Monitoring
      - Accounting

    Filter Specification (multiple rules may be specified):

        filter my-filter ip {
            rule 10 {
                protocol tcp ;
                source-address 128.100.1/24 ;
                port [ smtp ftp-data 666 1024-1536 ];
                action {
                    reject tcp-reset ;
                }
            }
        }

    - All packets handled by router: filters can act on highlighted fields, as well as incoming interface identifier and presence of IP options
    - Filters and route lookup are part of same program

    [Figure: Filter Specification -> Compile -> Microcode -> IP-II Packet Handling Programs. Header fields shown. IP: Ver, IHL, ToS, Total Len, ID, Fragmentation, TTL, Proto, Hdr Checksum, Source Address, Destination Address. TCP: Source Port, Dest Port, Sequence Number, Acknowledgement Number, Offset, Flags, Window, Checksum, Urgent Pointer. Outcomes: Forward; Silent Discard; TCP Reset or ICMP Unreachable; Routing Instance. Action modifiers: Log, syslog, Count, Sample, Forwarding-class, Loss-priority, Policer.]


    JUNOS Internet Software

    - Common software across entire product line leverages stability, interoperability, and a wide range of features
    - Purpose built for Internet scale
    - Modular design for high reliability
    - Best-in-class routing protocol implementations
    - Foundation for new services with MPLS traffic engineering

    [Figure: Operating System with modules Protocols, Interface Mgmt, Chassis Mgmt, SNMP, Security]


    Traffic Framework

    - Management, Control and Data planes
    - Source, Destination and Type

    [Figure: traffic types shown in both directions: Routing Control, ICMP Notification, User Data, Router Management]


    Tools: Prevent, Detect, Control

    Traffic
    - Forward
    - Redirect
    - Monitor
    - Sample
    - Count
    - Log
    - Mark
    - Limit
    - Discard

    Route Control
    - Import filters
    - Export filters
    - Mark
    - Limit
      - Announcements
      - Prefixes


    JUNOS Default to Secure

    - Does not forward directed broadcasts
    - Remote management access to the router is disabled. It must be explicitly enabled
      - telnet, ftp, ssh
    - No SNMP set support for editing configuration data
    - Default Martian addresses


    Communicating with the Router

    - Secure Shell
      - Ssh v1 / v2
      - Support connection limit + rate limit
        - against SYN flood DoS attacks on the ssh port
      - OpenSSH 3.0.2 since JUNOS 5.4
    - Secure Copy Protocol (SCP)
      - Uses the ssh encryption and authentication infrastructure to securely copy files between hosts
    - Central Authentication
      - TACACS+ / RADIUS
      - User classes with specific privileges
    - File Records and Command Events


    Hardware-Based Router Protection

    - Router control plane is complex and intelligent
      - Needs to be CPU based
      - Protocols need processing power for fast updates and to minimize convergence time.
    - Attacks launched at routers include sending:
      - Forged routing packets (BGP, OSPF, RIP, etc.)
      - Bogus management traffic (ICMP, SNMP, SSH, etc.)
    - Attacker can easily launch high speed attacks
      - Rates in excess of 40M/second
      - CPU based filtering unable to keep up
      - Attacks consume CPU resources needed for control traffic.
      - Danger of protocol time-outs, leading to network instabilities.


    Hardware Based Router Protection

    - Hardware based filtering advantages
      - Hardware drops attack (untrusted) traffic
      - CPU free to process trusted control traffic
    - One filter applied to the loopback
      - Protects the router and all interfaces
      - Provides ease of management
      - No need to configure additional filters when adding new interfaces


    Hardware Based Router Protection

    - Define trusted source addresses
    - Define protocols and ports that need to communicate
    - Accept desired traffic and discard everything else
    - One filter applied to the loopback interface protects router and all interfaces

        firewall {
            filter protect-RE {
                /* replies on TCP sessions that are already established */
                term established {
                    from {
                        protocol tcp;
                        tcp-established;
                    }
                    then accept;
                }
                /* trusted sources, limited to the protocols and ports needed */
                term trusted-traffic {
                    from {
                        source-address {
                            10.10.10.0/24;
                            10.10.11.0/24;
                            10.10.12.0/24;
                            10.10.17.0/24;
                            10.10.18.0/24;
                        }
                        protocol [icmp tcp ospf udp];
                        destination-port [bgp domain ftp ftp-data snmp ssh ntp];
                    }
                    then accept;
                }
                /* everything else is logged and dropped */
                term default {
                    then {
                        log;
                        discard;
                    }
                }
            }
        }


    IPSec Encryption of Control Traffic

    - Encrypt Control Traffic Between Routers
    - Encryption uses ESP in Transport Mode
    - ESP Provides Secure Communication for critical control/routing traffic
    - Protects from attacks against control plane


    IPSec Encryption of Customer Traffic

    - Encryption Services PIC provides capabilities to other interfaces on the router for Encryption and Key Exchange (IKE)
    - Provides high-bandwidth encryption for transit traffic at 800 Mbps (half-duplex)
    - Applied via the Packet Forwarding Engine
      - offload the encryption and decryption tasks from Routing Engine processor
    - Delivers Private and Secure communication of mission-critical customer traffic
    - Provides up to 1,000 tunnels per PIC
    - Can Scale Using Multiple PICs


    IPSec Encryption of Customer Traffic

    - Crypto PIC highlights:
      - Tunnel/Transport Mode
        - Tunnel mode for data traffic
      - Authentication Algorithms
        - MD5
        - SHA-1
      - Encryption Algorithms
        - DES
        - 3-DES
      - IKE Features
        - Support for automated key management using Diffie-Hellman key establishment
        - Main/Aggressive mode supported for IKE SA setup
        - Quick Mode supported for IPSec SA setup


    Source Address Verification

    - Why it is needed:
      - IP address spoofing is a technique used in DoS attacks
      - Attacker pretends to be someone else
      - Makes it difficult to trace back the attacks
      - Common operating systems let users spoof the machine's IP address (UNIX, Linux, Windows XP)
    - How it is done:
      - Route table look-up performed on IP source address
      - Router determines if traffic is arriving on expected path
        - traffic is accepted
        - normal destination based look-up is performed
      - If traffic is not arriving on the expected path
        - then it is dropped


    Source Address Verification

    - Juniper Solution
      - uRPF can be configured per-interface/sub-interface
      - Supports both IPv4 and IPv6
      - Packet/Byte counters for traffic failing the uRPF check
      - Additional filtering available for traffic failing check:
        - police/reject
        - Can syslog the rejected traffic for later analysis
      - Two modes available:
        - Active-paths:
          - uRPF only considers the best path toward a particular destination
        - Feasible-paths:
          - uRPF considers all the feasible paths. This is used where routing is asymmetrical.


    Source Address Verification

    [Figure: uRPF example. Labels: Data Center 10.10.10.0/24; interfaces so-0/0/0.0 and so-1/0/0.0; attack with source address = 10.10.10.1; network 11.11.11.0/24; routing table entry: 10.10.10.0/24 *[BGP/170] > via so-1/0/0/0.0]
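The uRPF decision described on the slides above, as an added Python example (not Juniper code and not part of the original deck). It models the active-paths and feasible-paths modes and the per-interface counters for failing traffic. Assumptions: the spoofed packet arrives on so-0/0/0.0, and the 192.0.2.0/24 and IPv6 routes, the packet list and all class and function names are constructed for illustration.

```python
import ipaddress
from collections import Counter


class RouteTable:
    """Minimal routing table: prefix -> list of (interface, is_best_path)."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, interface, best=True):
        net = ipaddress.ip_network(prefix)
        self.routes.setdefault(net, []).append((interface, best))

    def lookup(self, address):
        """Longest-prefix match on an address; returns its paths or []."""
        addr = ipaddress.ip_address(address)
        hits = [n for n in self.routes
                if n.version == addr.version and addr in n]
        if not hits:
            return []
        return self.routes[max(hits, key=lambda n: n.prefixlen)]


def urpf_pass(table, src, in_if, mode="active-paths"):
    """True if a packet with source `src` may enter on interface `in_if`."""
    paths = table.lookup(src)          # look-up on the SOURCE address
    if mode == "active-paths":         # only the best path counts
        allowed = {i for i, best in paths if best}
    elif mode == "feasible-paths":     # any known path counts
        allowed = {i for i, _ in paths}
    else:
        raise ValueError(f"unknown uRPF mode: {mode}")
    return in_if in allowed            # no route at all -> fails the check


def filter_packets(table, packets, mode):
    """Apply uRPF to (src, in_if, size) tuples; count what fails per interface."""
    accepted, failed = [], Counter()
    for src, in_if, size in packets:
        if urpf_pass(table, src, in_if, mode):
            accepted.append((src, in_if, size))
        else:
            failed[(in_if, "packets")] += 1
            failed[(in_if, "bytes")] += size
    return accepted, failed


TABLE = RouteTable()
TABLE.add("10.10.10.0/24", "so-1/0/0.0")               # data center route from the slide
TABLE.add("11.11.11.0/24", "so-0/0/0.0")               # assumed placement
TABLE.add("2001:db8:10::/48", "so-1/0/0.0")            # constructed IPv6 route
TABLE.add("192.0.2.0/24", "so-1/0/0.0", best=True)     # constructed multihomed prefix
TABLE.add("192.0.2.0/24", "so-0/0/0.0", best=False)    # its non-best, feasible path

PACKETS = [                                            # constructed sample traffic
    ("10.10.10.1", "so-0/0/0.0", 64),       # spoofed data-center source
    ("10.10.10.1", "so-1/0/0.0", 64),       # genuine data-center traffic
    ("192.0.2.7", "so-0/0/0.0", 1500),      # legitimate, asymmetric return path
    ("2001:db8:10::5", "so-0/0/0.0", 80),   # spoofed IPv6 source
]
```

In active-paths mode the asymmetric 192.0.2.7 packet is dropped along with the spoofed ones; feasible-paths mode accepts it while still dropping the spoofed sources.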


    Real-time Traffic Analysis

    - Sampling and cflowd format export (v5 + v8)
    - since JUNOS 5.4: Passive Monitoring PIC
      - Application is primarily for security and traffic analysis
      - Monitors IPv4 packets and flows over SONET on:
        - OC-3c, OC-12c and OC-48c
        - PPP or HDLC (Cisco) layer 2 encapsulations
      - Generates cflowd v5 records for export to collector nodes
        - IPSec or GRE tunnels can be used for exporting


    Real-time Traffic Analysis

    - Juniper Port Mirroring capability
      - Copy of sampled packet can be sent to arbitrary interface
      - Any interface and speed, up to 100% of selected packets
      - N number of ingress ports to single destination port
      - Work in progress with IDS vendor
        - Discussions ongoing with high-speed analytical security application developers (OC48)


    Real-time Traffic Analysis

    [Figure: Mirrored Traffic from the Data Center path is sent to an Intrusion Detection System]


    Real-time DDoS Identification

    - Preparation
      - Pre-configure Destination Class Usage (DCU) on customer-facing ingress interfaces
      - Accounting feature typically for billing
      - Supported in JUNOS 4.3 (12/2000) and beyond
      - Counts packets, bytes destined for each of up to 16 communities per interface
      - Counters retrievable via SNMP
      - Note: Source Class Usage is also supported (since JUNOS 5.4)
    - During Attack
      - Use BGP to announce victim's /32 host address with special community
      - Trigger SNMP polling of DCU counters on all ingress interfaces
      - Apply heuristic to identify likely attack sources


    Real-time DDoS Identification

    [Figure, three slides: a Service Provider network connecting Attacker Networks, Attack Networks, User Networks, the Victim Network (behind a Switch) and the NOC. On the second slide the victim host 128.8.128.80 is announced as 128.8.128.80/32 with Community 100:100.]
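The "During Attack" steps above, as an added Python example (not Juniper code and not part of the original deck). It takes two polls of the DCU byte counter for the victim's destination class on every ingress interface and ranks the interfaces by rate. The deck does not say which heuristic is used, so the share-of-total threshold here is an assumption, as are the router names, most interface names and the counter values; the SNMP polling itself is out of scope.

```python
def rank_ingress(before, after, interval_s, min_share=0.25):
    """Rank ingress interfaces by traffic sent to the victim's destination class.

    before / after: {(router, interface): cumulative DCU byte counter} from two
    polls taken interval_s seconds apart, after the victim /32 was announced
    with the special community.
    Returns (suspects, skipped):
      suspects: [((router, interface), bits_per_second, share)], highest rate first,
                limited to interfaces carrying at least min_share of the total
      skipped:  interfaces with no baseline or a counter that went backwards
                (reset or reboot), which need a fresh pair of polls
    """
    deltas, skipped = {}, []
    for key, now in after.items():
        prev = before.get(key)
        if prev is None or now < prev:
            skipped.append(key)
            continue
        deltas[key] = now - prev

    total = sum(deltas.values())
    suspects = []
    for key, delta in deltas.items():
        share = delta / total if total else 0.0
        if share >= min_share:
            suspects.append((key, delta * 8 / interval_s, share))
    suspects.sort(key=lambda s: s[1], reverse=True)
    return suspects, sorted(skipped)


# Victim prefix and community as shown in the figure.
VICTIM = "128.8.128.80/32"
COMMUNITY = "100:100"

# Constructed counter samples for the victim's class, 10 seconds apart.
POLL_T0 = {
    ("pe1", "so-0/2/2.0"): 1_000_000,
    ("pe1", "so-0/2/3.0"): 4_000_000,
    ("pe2", "so-1/0/0.0"): 2_000_000,
    ("pe3", "so-0/0/1.0"): 9_000_000,
}
POLL_T1 = {
    ("pe1", "so-0/2/2.0"): 601_000_000,   # +600 MB in 10 s
    ("pe1", "so-0/2/3.0"): 54_000_000,    # +50 MB
    ("pe2", "so-1/0/0.0"): 352_000_000,   # +350 MB
    ("pe3", "so-0/0/1.0"): 1_200,         # counter went backwards: skip
}

if __name__ == "__main__":
    suspects, skipped = rank_ingress(POLL_T0, POLL_T1, interval_s=10)
    print(f"victim {VICTIM} (community {COMMUNITY})")
    for (router, ifname), bps, share in suspects:
        print(f"{router} {ifname}: {bps / 1e6:.0f} Mbit/s, {share:.0%} of victim traffic")
    for router, ifname in skipped:
        print(f"{router} {ifname}: no usable delta, poll again")
```

The interfaces it returns are candidates for an ingress filter or rate limit such as the ones on the following slides.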


    I/O Filters To Block Attack Flows

    - DoS attacks need to be detected and stopped
    - Interface filters can be applied to block only attack flows
    - Filters can be applied to any interface type
    - Filters can be applied both on inbound and outbound

        /* apply the filter to the ingress point of the network */
        so-0/2/2 {
            unit 0 {
                family inet {
                    filter {
                        input block-attack;
                    }
                    address 151.1.1.1/30;
                }
            }
        }

        /* This is the filter which blocks the attacks */
        firewall {
            filter block-attack {
                term bad-guy {
                    from {
                        source-address {
                            10.10.10.1/32;
                        }
                        protocol icmp;
                    }
                    then {
                        discard;
                        log;
                    }
                }
            }
        }


    Rate Limiting

    - Suppression/Rate Limiting Advantages
      - Protects router of customer by limiting traffic based on protocol/port/source and destination addresses
    - Juniper Advantage
      - Architectural reasons we perform
        - Internet Processor ASIC not tied to an interface or release
      - Behavior under attack
        - Stable operation, routing and management traffic unaffected


    Hitless Filter Implementation

    - Can be applied immediately after identification of offending traffic
    - Application of filters does not create short-term degraded condition as filters take effect
    - Size and complexity of filter independent of forwarding performance


    Traffic Interruption During Filter Compilation

    [Figure: two panels. The NOC operator applies or changes filters while a traffic flow and an attack flow cross the router; during filter compilation all traffic gets dropped.]


    No Interruption With Atomic Updates

    [Figure: two panels. The NOC operator applies or changes filters while a traffic flow and an attack flow cross the router; only the attack traffic gets dropped.]


    Next Steps

    - Ongoing Dialog with security team
      - Ensuring existing security features are active
      - Awareness of upcoming security issues
    - Best Practices
      - White Papers
    - Security consulting and training

    Juniper Networks, the Trusted Source


    Further References

    - Juniper Networks Whitepapers
      - Rate-limiting and Traffic-policing Features
      - Fortifying the Core
      - Visibility into Network Operations
      - Minimizing the Effects of DoS Attacks
      - Juniper Networks Router Security
    - Available from http://www.juniper.net/techcenter


    Thank [email protected]