Transcript of Kunal Jha, Juniper Networks · 2017-01-18 · implementing firewall in the kernel Micro-segmenting...
1 Copyright © 2011 Juniper Networks, Inc. www.juniper.net
Kunal Jha, Juniper Networks
• Cloud
• Virtualization
• BYOD / Mobility
• SDN
• Security
• Simplified Networking
[email protected] Senior Systems Engineer
Juniper Networks Proprietary and Confidential -- printed copies of this document are for reference only
Figure: EX Series switching portfolio timeline (2008 2009 2010 2011 2012 2013+), split into Fixed and Modular platforms across the Core, Aggregation and Access tiers.
Platforms shown: EX4200, EX3200, EX8216, EX8208, 8x10G, 1G-Copper, 1G-Fiber, EX4500, EX2200, EX8200 Virtual Chassis, 40x10G, EX4200 Virtual Chassis, EX4200-PX, EX3300, EX4500 Virtual Chassis, EX2200-C, EX3300 Virtual Chassis, EX6200, Extra-Scale, External RPS, EX6200 48F, EX4550 SFP+, EX4550 10GT, EX9200.
Why We Win
• Operational simplicity
• Technology flexibility
• Performance
• Deployed extensively: over 19,000 customers, 15M+ ports; data center, campus, branch, SP; financials, healthcare, education; #3 LAN switching vendor
THE REST OF THE DATA CENTER HAS ADVANCED DRAMATICALLY IN RECENT YEARS
From: rigid, legacy model of I.T. To: flexible, virtualized model
• Applications: On-Premise Apps → Software Services
• Servers/Compute: Dedicated Servers → Virtualized Workloads
• Storage: Dedicated Storage → Shared Storage
THE DATA CENTER NETWORK HAS NOT EVOLVED, AND IS NOW AN INHIBITOR
From: rigid, legacy model of I.T. To: flexible, virtualized model
• Applications: On-Premise Apps → Software Services
• Servers/Compute: Dedicated Servers → Virtualized Workloads
• Storage: Dedicated Storage → Shared Storage
• Network: layers of complexity → Experience? Economics?
Ethernet Network evolution 3-2-1
3. Legacy three-tier data center
2. Juniper two-tier data center
1. Juniper's data center fabric
Up to 75% of traffic is E-W (east-west).
Virtual chassis: advantage
Figure: Core Switches, Distribution Switches and Access Switches; link labels 128 Gig and 10 Gig (x4).
Multi Building campus
Deployment example: utilize the same MM fiber. One Virtual Chassis to manage for the entire campus backbone.
Figure: WAN; EX4200 Virtual Chassis in Admin Bldg 1, Lab Bldg 2, Classroom Bldg 3, Classroom Bldg 4 and Recreation Bldg 5, joined by GbE/10GbE VCP links with 1GbE uplinks.
One-switch LAN
• 1 to manage
• 1 to upgrade
• 1 software version
• No L2 loop / no STP required
High Availability
• Redundant power/cooling
• Redundant switch fabric
• Sub-second convergence in case of device/link failure
• Integrated access security
• Integrated QoS for voice/video/data
Local L3/L2 processing: peer-to-peer traffic can be processed by the VC ring itself, with no need to load the core. Optimized for voice and video over IP, since inter-building traffic bypasses the core switch.
Distributed CORE with 8-member VC
Figure: EX4200 and EX4500 members at A Location, B Location, C Location and D Location forming a single core switch to manage across all sites.
• One core switch to manage across multiple sites
• Sites could be campus or DC or both – common hardware and operating system
• Seamless virtual workload mobility across sites
TRANSFORM THE NETWORK
A Fabric has the scalability and resilience of a network, and the performance and simplicity of a single switch.
Switch Fabric
• Data Plane: flat, any-to-any
• Control Plane: single device, shared state
One Network: flat, any-to-any connectivity. Single device: N=1.
Chassis Switch End of Row…
• Single point of management…
• Cabling complexity
QFabric evolving the single switch model
Chassis Switch: I/O Modules, Fabric, Route Engine. QFabric: Node, Interconnect, Director.
• Separate the I/O modules from the fabric and replace copper traces with fiber links.
• For redundancy add multiple Interconnect devices.
• Federated Control and Intelligent Nodes
• One logical switch
QFABRIC Family Summary
• QFX3000-M: 10s to 768 ports; low jitter, <3us on avg.
• QFX3000-G: 10s to 6,144 ports; low jitter, <5us on avg.
• Simplicity: N=1
• Performance: lossless, DCB compliant
• Rich functionality: runs Junos
• Scalability: designed for modern DC
• Virtualization and convergence: flexible VLAN capability; seamless Layer 2 and Layer 3
• Storage: end-to-end FCoE; FCoE/FC Gateway and FCoE/iSCSI Transit Switch
Approaches To Securing Virtual servers:
1. VLAN Segmentation (figure: ESX Host running the HYPERVISOR with VM1, VM2, VM3)
• Each VM in separate VLAN
• Inter-VM communications must route through the firewall
• Drawback: possibly complex VLAN networking
2. Agent-based (figure: ESX Host running the HYPERVISOR with VM1, VM2, VM3, each carrying an FW Agent)
• Each VM has a software firewall
• Drawback: significant performance implications; huge management overhead of maintaining software and signatures on 1000s of VMs
3. Kernel-based Firewall (figure: ESX Host running the HYPERVISOR with FW as Kernel Module beneath VM1, VM2, VM3)
• VMs can securely share VLANs
• Inter-VM traffic always protected
• High performance from implementing the firewall in the kernel
• Micro-segmenting capabilities
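As an added illustration of the difference between approach 1 and approach 3 above (not vGW code; the VM names, groups, rule format and sample flows are constructed), the following shows why a hypervisor-level firewall can keep VMs that share a VLAN isolated from each other, whereas VLAN-only segmentation cannot:

```python
"""Micro-segmentation policy check: VLAN-only isolation versus a hypervisor-level
(kernel-module style) firewall. Constructed example, not vendor code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    vlan: int
    group: str   # workload tier the policy is keyed on, e.g. "web" or "db"


@dataclass(frozen=True)
class Flow:
    src: VM
    dst: VM
    dport: int


# Constructed inventory: all three VMs share VLAN 10, as approach 3 permits.
VM1 = VM("VM1", 10, "web")
VM2 = VM("VM2", 10, "web")
VM3 = VM("VM3", 10, "db")

# Rules keyed on VM group, not VLAN or IP: (src_group, dst_group, dport) -> allow.
# Anything not listed is denied (default deny); that default is what makes
# "inter-VM traffic always protected" hold.
RULES = {
    ("web", "db", 3306): True,
}


def vlan_only_allows(flow: Flow) -> bool:
    """Approach 1: only VLAN membership separates VMs; same VLAN means no inspection."""
    return flow.src.vlan == flow.dst.vlan


def kernel_fw_allows(flow: Flow) -> bool:
    """Approach 3: every inter-VM packet passes the hypervisor firewall, so the
    verdict comes from policy regardless of whether the VMs share a VLAN."""
    if flow.src == flow.dst:
        return True
    return RULES.get((flow.src.group, flow.dst.group, flow.dport), False)


def compare(flows):
    """Map each flow label to (vlan_only_verdict, kernel_fw_verdict)."""
    return {f"{f.src.name}->{f.dst.name}:{f.dport}": (vlan_only_allows(f), kernel_fw_allows(f))
            for f in flows}


SAMPLE_FLOWS = [Flow(VM1, VM3, 3306), Flow(VM1, VM2, 22), Flow(VM3, VM1, 80)]

if __name__ == "__main__":
    for label, (v, k) in compare(SAMPLE_FLOWS).items():
        print(f"{label}: vlan-only={v} kernel-fw={k}")
```

The second and third flows are the ones approach 1 lets through unconditionally because the VMs sit in the same VLAN; the policy-based check denies both.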
vGW Firewall Performance
TCP Throughput Test (Standard 1500 Byte packet size). See slide notes for details
Juniper is recognized industry leader in Security
Leaders Quadrant in four categories: Network Access Control; SIEM/STRM; SSL VPN; Firewall/IPSec VPN
Visionaries Quadrant in: Intrusion Prevention category
Inconvenient Statistics
• 70% of ALL threats are at the Web application layer.
• 73% of organizations have been hacked in the past two years through insecure Web apps.
Sources: Ponemon Institute, Gartner
WAF is not enough
Threat sources: Bot Nets, Targeted Scanners, IP Scanners, Manual Hacking
• Reliance on signatures
• Static attack surface
• No understanding of attackers
• Reactive
WAF is not enough
– WAFW00F can fingerprint WAF products protecting a website… Can already profile 20 WAF products.
Source: http://code.google.com/p/waffit/source/browse/trunk/wafw00f.py
5 attack Phases: APT behaviour
• Phase 1, Silent Reconnaissance: attackers profile physical and virtual devices and applications.
• Phase 2, Attack Vector Establishment: weaknesses in the attack surface are identified for attack.
• Phase 3, Attack Implementation: attacks launched to take control of a device, application or VM; can be used to begin further reconnaissance.
• Phase 4, Attack Automation: repeat the attack to increase effectiveness, increase profit or extract more data.
• Phase 5, Maintenance: evade patching and remediation measures meant to stop the attack.
Figure annotations: "Plays Here" and "WAF Plays Here".
The Junos WebApp Secure (MYKONOS) advantage: Deception-based Security
• Detect: "Tar Traps" detect threats without false positives.
• Track: track IPs, browsers, software and scripts.
• Profile: understand attacker's capabilities and intents.
• Respond: adaptive responses, including block, warn and deceive.
Detection by Deception
Figure: request path Client, Network Perimeter, App Server, Database; Tar Traps labelled at Query String Parameters, Hidden Input Fields, Server Configuration and Database Firewall.
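An added example of the tar-trap idea from the two slides above, in the form of detection logic run over constructed sample requests (this is not Junos WebApp Secure code; the decoy parameter and field names, the request structure and the per-client counting are assumptions). The point it shows is why such traps give near-zero false positives: they inspect only inputs a legitimate client never modifies.

```python
"""Tar-trap detection: a decoy query-string parameter and a decoy hidden form
field that ordinary clients never change. Constructed example, not vendor code."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Assumed decoy names. Links emit debug=0; the hidden field is rendered empty.
TRAP_QUERY_PARAM = "debug"
TRAP_HIDDEN_FIELD = "csrf_backup"


@dataclass
class Request:
    client_ip: str
    method: str
    url: str
    form: dict = field(default_factory=dict)


@dataclass
class Incident:
    client_ip: str
    trap: str
    value: str


def inspect(req: Request):
    """Return an Incident if the request tampered with a tar trap, else None.
    Real user input is never examined, so it cannot trigger a detection."""
    qs = parse_qs(urlsplit(req.url).query, keep_blank_values=True)
    for value in qs.get(TRAP_QUERY_PARAM, []):
        if value != "0":
            return Incident(req.client_ip, "query-param", value)
    hidden = req.form.get(TRAP_HIDDEN_FIELD, "")
    if hidden != "":
        return Incident(req.client_ip, "hidden-field", hidden)
    return None


def profile(requests):
    """Count incidents per client so repeated probing can raise a threat level."""
    counts = {}
    for req in requests:
        inc = inspect(req)
        if inc:
            counts[inc.client_ip] = counts.get(inc.client_ip, 0) + 1
    return counts


# Constructed sample traffic: one normal user and one client poking at the decoys.
SAMPLE = [
    Request("10.0.0.5", "GET", "/account?id=42&debug=0"),
    Request("10.0.0.5", "POST", "/account", {"name": "alice", "csrf_backup": ""}),
    Request("203.0.113.9", "GET", "/account?id=42&debug=1"),
    Request("203.0.113.9", "POST", "/account", {"name": "x", "csrf_backup": "tampered"}),
]

if __name__ == "__main__":
    print(profile(SAMPLE))
```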
Fingerprint of An Attacker
• 200+ attributes used to create the fingerprint: browser version, fonts, browser add-ons, timezone, IP address
• False positives: nearly zero
• Availability of fingerprints: ~ real time
Smart Profile of Attacker
• Attacker local name (on machine)
• Attacker global name (in Spotlight)
• Incident history
• Attacker threat level
Junos WebApp Secure Responses: Respond and Deceive
Threat types: Human Hacker, Botnet, Targeted Scan, IP Scan, Scripts & Tools, Exploits
Responses: Warn attacker; Block user; Force CAPTCHA; Slow connection; Simulate broken application; Force log-out
All responses are available for any type of threat. Highlighted responses are most appropriate for each type of threat.
Solution Slides
Mobility & BYOD
THE HISTORY OF BUSINESS CONNECTIVITY
Terminals / Serial Networks → PCs / Ethernet Networks → Laptops / Casual Wireless → Mobile Devices / Primarily Wireless
Juniper wireless today
• Over 6,000 customers; 1M+ AP installed base since 2005
• Healthcare; Education (Higher Ed & K-12); Hospitality
• Presence in Fortune 500: Shell, Chevron, Alcoa, Audi, VW
• Many mission critical environments: University of Minnesota (18,000 AP, 300 buildings, 1200 acres); Belfast Health & Social Care Trust (2,220 AP, 7 hospitals, 22,000 staff)
• Proven technology track record: simple, secure, mobile; real time location aware
• Largest WLAN patent portfolio today: 17 issued patents, 49 pending
• Differentiating WLAN innovations: seamless roaming, life cycle management, intelligent switching, controller virtualization, identity based networking, unified mobility services
Juniper Networks Wireless LAN Evolution
Figure: Fat AP Architecture (Local Switching) → Thin AP Architecture (Central Switching) → Juniper WLAN Architecture (Local AND Central Switching). Each column lists what it is optimized for among Performance, Reliability, Security and Management, with an x against the attributes it does not address; the Juniper WLAN column lists all four.
DISTRIBUTED SWITCHING MAXIMIZES SCALABILITY
Centralized-Only Switching Breaks Down Under Increased Load from 802.11n (Cisco & Aruba)
• All traffic gets forwarded by controller
• Twice the traffic through network core
• 802.11n increases load up to 10x
• Can't scale without expensive upgrades
Figure: Internet at the top; 11n increases load by up to 10x; 10x increase exceeds controller capacity.
Distributed Switching Handles 802.11n without Breaking Down (Juniper)
• Traffic can be forwarded by the AP
• Optimized traffic flows – ideal for voice
• 802.11n has no impact on controller
• Scales in place without upgrades
RESILIENCY ADVANTAGE OF WLAN VIRTUALIZATION
Hot Standby Approach - Aruba
• Catastrophic failure – dropped user sessions (imagine voice call)
• APs restart using hot standby controller
• No AP load balancing across controllers
• Fully loaded hot standby required
Controller Virtualization - Juniper
• Hitless failover – even for active session (including voice calls)
• APs instantly remapped to in-service controller
• Dynamic AP load balancing across controllers
• No additional equipment required
Core differentiator: CONTROLLER CLUSTERING
Competitors' Complex Approach (figure: Controller A, Controller B, Controller C with a hot stand-by or back-up controller; Vendor A, Vendor B)
• Discrete controllers operate independently for AP redundancy configuration
• Harder to scale since adding capacity is cumbersome
• Limited resiliency – APs mapped directly to controller & reset upon network/device failure
• Limited reliability – N+1 (limited to number of designated back-up switches)
• Difficult to manage, highest cost of ownership
Juniper's Simplified Approach
• Clustered controllers act collectively as a single virtual controller for wireless configuration
• Easy to scale – capacity can be added in chunks, anywhere in the network
• Highest resiliency – APs dynamically map to controllers; optimized, auto AP load balancing
• Always-on reliability – many-to-many redundancy; all switches can serve as back-up
• Easiest to manage, lowest cost of ownership