
Page 1: Protecting key applications in the Datacenter · Protecting key applications in the Datacenter . 2 Copyright © 2012 Juniper Networks, Inc. SECURITY OUTLOOK Source : Canalys, March

Protecting key applications in the Datacenter


2 Copyright © 2012 Juniper Networks, Inc. www.juniper.net

SECURITY OUTLOOK

Source: Canalys, March 2012

Threats get more sophisticated
• Flame, Shamoon, Gauss...
• Dirt Jumper (DDoS) toolkits blend attacks
• Mobile malware is exploding
• APTs

Industry megatrends
• CoIT/BYOD
• Virtualisation/Cloud
• Big Data
• Mobility
• Social Media
• Compliance – views on the toolsets

Corporate cloud applications grow
• Security boundary blurring into the cloud
• Data residing in multiple locations, public and private
• Need to secure all data at rest and in transit
• Identity management and trust between SPs and cloud providers is key

New security approaches emerge
• Defence by deception
• Secure the hypervisor
• Virtualise the appliance
• Enhance existing security solutions

Page 3

SECURITY TRENDS:- IMPACT ON DATACENTER APPLICATIONS

[Diagram: three hypervisors attached to the DC fabric.]

Blended/compound attacks
• L3/4 DoS
• L7 DoS
• L7 app exploits

Web services
• ~73% of all attacks are web based
• WAF/signatures alone are insufficient
• New approaches required

Compromised VMs
• Staging points for reconnaissance in APTs
• Physical security cannot detect cross-hypervisor traffic

Page 4

DATACENTER SECURITY OVERVIEW

[Diagram: a remote office (Branch SRX series) and a mobile worker (Junos Pulse) connect to Datacenter A and Datacenter B. Each datacenter has a physical data center (rack servers, high-end SRX, Mykonos) and a virtual infrastructure in which VM-A and VM-B instances run behind vGW and Firefly. Product callouts as laid out on the slide:]

• Mykonos – web threat mitigation without false positives
• High-End SRX – site-level security and zoning to separate customer traffic, ALGs, IPS for threat protection, etc.
• JunosV Firefly – VM-level security at an aggregated level (multi-tenant segmentation)
• vGW – inter-VM security and inbound threat protection for all VMs combined
• Branch SRX series – remote branch connectivity and security
• Junos Pulse – mobile worker access

Note – illustrated here are just a few use cases

Page 5

MITIGATING BLENDED ATTACKS WITH DC SRX

Four DC SRX feature sets are shown: Screens, IPS, AppFW/AppTrack and AppDoS.

Screens – L3/4 attack mitigation
• SYN flood
• UDP flood
• Protocol anomalies

IPS – L7 exploit prevention
• Signature based
• Zero day availability
• Scalable IPS processing

AppFW/AppTrack – app filtering/monitoring
• Protect applications whichever port they are deployed on
• Monitor app usage for IPS/AppDoS profiles

AppDoS – L7 DoS mitigation
• Context based DoS monitoring/protection
• Differentiate attack from genuine traffic

Page 6

A CLOSER LOOK AT VSRX

Security and routing functionality delivered as a virtual machine
• Junos delivered as a virtual appliance on a choice of hypervisors
• Runs on standard x86 hardware

Full, proven Junos security and routing protocol suite
• Leverages proven SRX and VJX technology

Performance optimized
• SMP kernel and multi-threaded flowd over multiple vCPUs

Supports hypervisor VM functionality
• Example: vMotion, snapshots, HA/FT, cloning, management etc.

[Diagram: the vSRX software stack]
• Perimeter: Firewall, VPN, NAT, Network Admission Control
• Content: Anti-Virus, IPS (full IDP feature set), Web Filtering, Anti-Spam
• Application: Application Awareness, Identity Awareness
• Junos rich and extensible security stack
• Junos routing protocols and SDK
• Management: CLI, JWeb, SNMP, JSpace-SD, hypervisor mgmt, HA/FT

Page 7

EDGE DC SECURITY:- VIRTUAL INSTANCE SCALE

Using x86 virtualization for unlimited, dynamic, private firewall scaling

Option 1 (SRX & LSYS)

[Diagram: one physical SRX carved into per-customer instances (Customer A to Customer E), each with its own firewall, routing, NAT, VPN, ALGs, etc., and a per-customer administrator (e.g. Customer A admin).]

• Separate a single physical SRX into unique virtual instances on the device
• Difficult beyond hundreds

Option 2 (Hypervisors & VJ-SR)

[Diagram: pools of VJ-SR instances, one per customer (VJ-SR Customer A, VJ-SR Customer <X>, ...), running on hypervisors.]

• Leverage x86 hypervisors (KVM, VMware) to build unlimited pools of VJ-SRs!

Page 8

VIRTUALISATION WITH LOGICAL SYSTEMS

[Diagram: an SRX hosting a root LSYS and LSYS 1 to LSYS 4, interconnected through LSYS 0 (VPLS domain).]

Key takeaways
• Maximum of 32 LSYS
• Uses an internal switch (VPLS domain) for communication between LSYS
• Important to minimise inter-LSYS flows
• Inter-LSYS flows processed three times – by ingress LSYS, VPLS domain, and egress LSYS
• Performance implications
• License-based – no LSYS supported with standard SKUs

Primary use cases
• Multi-tenant cloud/DC environments
• Departmental/business unit resource preservation (e.g. university deployment)
• Firewall physical consolidation

Page 9

LSYS RESOURCE PROFILES

Junos LSYS profile parameters
• Firewall policy rules
• Zones
• Sessions
• IDP (enable/disable)
• NAT rules
• Addresses
• Applications (services)
• CPU utilization
• Log rate

• Resource profiles defined and applied by the global administrator
• Resource profiles broadly cover two parameter categories:
  Configuration options, e.g. firewall policies, zones, NAT rules
  Compute resources, e.g. CPU cycles, concurrent sessions, log rates

Page 10

VIRTUALISATION WITH VRS/ZONES

SRX key takeaways
• Much greater scaling than LSYS – 2,000 zones/VRs on SRX5800
• No license required
• Generally simpler configuration
• Requires inter-VR routing – not generally possible with static routes

Primary use cases
• Firewall consolidation
• Service separation

[Diagram: VR A, VR B and VR C on one SRX, each with its own pair of zones: 'Trust A'/'Untrust A', 'Trust B'/'Untrust B', 'Trust C'/'Untrust C'.]

Page 11

LOGICAL SYSTEMS v VRs/ZONEs

LSYS
Pros
• Resource separation
• Management isolation, including Space/Security Design
Cons
• License required
• Extra configuration complexity
• Performance hits for sending traffic between LSYS

Zones/VRs
Pros
• Simple configuration
• High scale
• No license
Cons
• No resource protection – usually a requirement in multi-tenant environments
• No true management isolation

Page 12

VSRX:- SAMPLE HIGH LEVEL DESIGN

Cloud service provider segmenting tenants with VJ-SR and allowing inter-VM protection with vGW

[Diagram: Customer A and Customer B connect from branch cloud-connect CPE over the Internet to the cloud service provider. The provider's non-virtual network (MX Series, SRX, EX Series) fronts a primary site (non-virtual) and a primary site (virtual and non-virtual) whose hypervisors host the Customer A and Customer B virtual networks behind EX Series switches.]

Page 13

VSRX USE CASE: VIRTUALIZED DATACENTER ENVIRONMENTS

Customer: cloud service providers, large enterprises who are virtualizing their datacenters

Goal: maximize efficiency and resource utilization; extend gains of virtualization to network infrastructure.

Requirements: routing and/or security functionality without a standalone appliance. Under 2 Gbps of traffic.

Solution: deploy a combined virtual security and routing appliance to maximize efficiency.

[Diagram: Datacenter BEFORE – a virtualized environment (VM1 to VM4) reaches the WAN through a physical firewall. Datacenter AFTER – the same VMs reach the WAN with the security and routing appliance running as a VM inside the virtualized environment, with no physical firewall.]

Page 14

VSRX – PLANNING

Routing
• Family inet
• Family inet6 (packet mode)
• Static routing
• BGP
• OSPF
• RIP
• PIM
• MPLS/VPLS

Firewall
• Firewall policy
• Screens
• SYN cookie

VPN
• Policy-based
• Route-based
• Dynamic VPN
• Manual key
• Auto key
• IKE phase 1
• IKE phase 2
• Anti-replay
• XAUTH
• DPD
• VPN monitor
• Tunnel mode
• AH & ESP
• DES/3DES/AES
• SHA-1/MD5

NAT
• Source NAT
• Destination NAT
• Static NAT
• Persistent NAT

ALGs
• DNS
• FTP
• H323
• MGCP
• MS-RPC
• PPTP
• RSH
• RTSP
• SCCP
• SIP
• SQL
• SUN-RPC
• TALK
• TFTP
• IKE-ESP

DHCP
• DHCP client
• DHCP server
• DHCP relay

Initial release
• Hypervisors: VMware, KVM
• Management: Device Manager, limited Virtual Systems Manager

Roadmap
• Features: UTM, IDP, clustering, AppSecure
• Hypervisors: Hyper-V, Xen
• Junos SDK
• Juniper portfolio integration (vGW, QFabric, HW SRX, MX, etc.)
• Scale and performance optimization
• Management: policy management APIs; enhancements to Virtual Systems Manager: Junos Space app

Page 15

VSRX MANAGEABILITY

vSRX Device Management – app for Junos Space Platform
• Long term single provisioning point and systems manager for vGW and vSRX deployments
• Support for popular cloud management tools: vCenter, RHEV-M, SCVMM, ServerCenter, vCloud Director, CloudStack, OpenStack
• Features (life cycle management): provisioning, bootstrapping, troubleshooting/debug, log management, reporting etc.

• Virtual Systems Manager
• Junos Space – Security Design
• CLI + Junos scripts
• JWeb
• SNMP
• STRM (logging and reporting), syslog, traceroute
• Security Insight
• Junos LMS
• Policy Manager APIs

Page 16

5 ATTACK PHASES:- APT BEHAVIOUR

Phase 1: Silent reconnaissance. Attackers profile physical and virtual devices and applications.

Phase 2: Attack vector establishment. Weaknesses in the attack surface are identified for attack.

Phase 3: Attack implementation. Attacks launched to take control of a device, application or VM. Can be used to begin further reconnaissance.

Phase 4: Attack automation. Repeat the attack to increase effectiveness, increase profit or extract more data.

Phase 5: Maintenance. Evade patching and remediation measures intended to stop the attack.

Page 17

THE MYKONOS ADVANTAGE: DECEPTION-BASED SECURITY

Detect: "Tar traps" detect threats without false positives.

Track: Track IPs, browsers, software and scripts.

Profile: Understand the attacker's capabilities and intents.

Respond: Adaptive responses, including block, warn and deceive.

Page 18

DETECT THREATS BY DECEPTION

[Diagram: client, network perimeter, app server and database firewall. Tar traps are planted in query string parameters, hidden input fields and server configuration.]

Page 19

TRACK ATTACKERS BEYOND THE IP

• Track software and script attacks – fingerprinting of HTTP communications.
• Track browser attacks – persistent token with the capacity to persist in all browsers, including through various privacy control features.
• Track IP address

Page 20

SMART PROFILE OF ATTACKER

• Every attacker assigned a name
• Incident history
• Attacker threat level

Page 21

RESPOND AND DECEIVE

Mykonos responses

[Matrix: threat types (human hacker, botnet, targeted scan, IP scan, scripts & tools, exploits) against the available responses.]

• Warn attacker
• Block user
• Force CAPTCHA
• Slow connection
• Simulate broken application
• Force log-out

All responses are available for any type of threat. Highlighted responses are most appropriate for each type of threat.
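Pages 18 to 21 describe the detect, track, profile and respond loop built around tar traps. The following Python is an added example, not Mykonos code or material from the deck: it serves a hidden-field tar trap and a decoy query parameter, flags any client that changes them, ties incidents to a persistent cookie token rather than the IP, names the attacker and escalates the response with the threat level. The field names, name pool, request-dict shape and escalation order are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SECRET = b"constructed-server-secret"   # constructed; keep out of source in practice
TRAP_FIELD = "__ui_pref"                # hidden input field tar trap (assumed name)
TRAP_PARAM = "debug"                    # decoy query parameter tar trap, served as debug=0
NAMES = ["Aldo", "Bea", "Cyr", "Dov"]   # constructed pool of attacker names


def hidden_value(session_id: str) -> str:
    """Hidden-field value is an HMAC over the session id, so a value guessed
    or replayed from another session is detected as tampering too."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()[:16]


def render_form(session_id: str) -> dict:
    """What the server emits: the real form plus two traps that no genuine
    user or browser ever edits or follows."""
    return {"hidden": {TRAP_FIELD: hidden_value(session_id)},
            "decoy_link": f"/account?{TRAP_PARAM}=0"}


@dataclass
class Attacker:
    name: str
    incidents: list = field(default_factory=list)   # "ip:trap" history

    @property
    def threat_level(self) -> int:
        return len(self.incidents)


class DeceptionEngine:
    def __init__(self) -> None:
        self.profiles = {}   # persistent token -> Attacker

    def traps_hit(self, req: dict) -> list:
        """Detect: any deviation from the values we served is an incident."""
        hits = []
        form = req.get("form")
        if form is not None and form.get(TRAP_FIELD) != hidden_value(req["session"]):
            hits.append("hidden_field_tampered")
        if req.get("query", {}).get(TRAP_PARAM, "0") != "0":
            hits.append("query_param_tampered")
        return hits

    def handle(self, req: dict) -> dict:
        hits = self.traps_hit(req)
        if not hits:
            return {"action": "serve"}
        # Track: a persistent cookie token identifies the client beyond its IP.
        token = req.get("cookies", {}).get("trk") or secrets.token_hex(8)
        # Profile: each attacker gets a name, an incident history and a threat level.
        if token not in self.profiles:
            n = len(self.profiles)
            self.profiles[token] = Attacker(f"{NAMES[n % len(NAMES)]}-{n}")
        prof = self.profiles[token]
        prof.incidents.extend(f"{req['ip']}:{h}" for h in hits)
        # Respond: escalate with the threat level (constructed policy).
        lvl = prof.threat_level
        action = ("warn" if lvl == 1 else "force_captcha" if lvl == 2
                  else "slow_and_simulate_broken_app" if lvl <= 4 else "block")
        return {"action": action, "attacker": prof.name,
                "threat_level": lvl, "set_cookie": token}
```

A client whose IP changes between requests is still matched through the cookie token, which is the "beyond the IP" point of page 19.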

Page 22

APPROACHES TO SECURING VIRTUAL NETWORKS

[Diagram: three vSphere ESX/ESXi hosts, each running VM1 to VM3 on a hypervisor, one per approach.]

1. VLANs and physical segmentation
2. Traditional security agents – a regular thick agent for FW and AV inside each VM
3. Purpose built virtual security – a virtual security layer on the host

Page 23

THE VGW PURPOSE-BUILT APPROACH - VMWARE

Service provider and enterprise grade
• Three tiered model
• VMware certified (signed binaries!)
• Protects each VM and the hypervisor
• Fault-tolerant architecture (i.e., HA)
• Virtualization-aware "Secure VMotion" scales to 1,000+ hosts
• "Auto Secure" detects/protects new VMs
• Granular, tiered defense: stateful firewall, integrated IDS, and AV
• Flexible policy enforcement – zone, VM group, VM, individual vNIC

[Diagram: the vGW engine on an ESX or ESXi host. The vGW engine sits in the VMware kernel on any vSwitch (standard, DVS, 3rd party) under the hypervisor, inspecting packet data for VM1 to VM3; it is managed by Security Design for vGW through the Virtual Center VM and the VMware APIs, and exports to a partner server (IDS, SIM, syslog, NetFlow). Tiers 1, 2 and 3 are marked.]

Page 24

SECURITY TRENDS:- IMPACT ON DATACENTER APPLICATIONS

Page 25

OPEN HYPERVISOR FRAMEWORK FOR KVM

[Diagram: the vGW KVM Manager communicates with vGW-protected KVM hosts 1, 2 ... N via libvirt or the Juniper protocol. An optional VM provisioning system (service providers, large enterprises) and the VM management system (RHEV-M, UVMM, qemu, etc.) connect through environment-specific tools and APIs.]

Enhanced vGW Cloud SDK – vGW Cloud SDK enhancements
1. new_vm_info_api & new_hypervisor_api
2. vGW Policy APIs (improvements to existing APIs)
3. vGW Management APIs (updates, versions, etc.)
4. vGW Install APIs (deploy SVMs, kernel modules, etc.)

Page 26

VGW AND MICROSOFT HYPER-V

Hyper-V integration
• Three tiered model
• SCVMM integration
• Filter extension in Extensible Switch
• Supports live migration
• Granular, tiered defense for VMs

[Diagram: the vGW engine on a Hyper-V host. On the physical server, the Hyper-V Extensible Switch carries capture, WFP, filter and forwarding extensions; vGW runs as a filter extension inspecting packet data for VM1 to VM3, is managed by Security Design for vGW through the System Center VMM VM, and exports to a partner server (IDS, SIM, syslog, NetFlow). Tiers 1, 2 and 3 are marked.]

Coming soon!

Page 27

VGW INTEGRATION WITH VCLOUD DIRECTOR

vCloud Director 1.5 and vGW Series products can be used together!

1. vCloud relies on traditional vSphere technologies (vCenter & ESX/ESXi hosts). vGW can be inserted into this environment (VMsafe and VI APIs are still working and available).
2. vCloud introduces new abstraction constructs which are inserted into vCenter. vCloud APIs and vGW APIs can be used to discover the constructs and auto-populate SmartGroups for dynamic, human-readable security policies.

[Diagram: vCloud Director, VMware vCenter, vGW Management and an ESX/ESXi host with vGW, with the flow:]
1. VM created with semi-random structure.
2. For example, Juniper's 'vcdSync' script uses vCD APIs to determine which organizational unit a VM belongs to (VMs with the same name could be in two different organizational units).
3. vGW management knows that AML-SYS1 is part of 'Org2'. This is made available as a vf.tag SmartGroup parameter.
4. vGW Management inserts AML-SYS1 into the SmartGroup and enforces policy on the ESX/ESXi host automatically!
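The name-collision point in step 2 above, as an added Python example rather than Juniper's vcdSync script: a naive sync keyed on VM name merges the two AML-SYS1 VMs into one tenant's SmartGroup, while keying on the vCenter object reference keeps each VM under its own vf.tag and so under its own organisation's policy. The inventory, the moref ids and the per-organisation policy names are constructed; only the vf.tag attribute comes from the slide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VcdVm:
    org: str     # vCloud Director organisation the VM belongs to
    name: str    # VM name, NOT unique across organisations
    moref: str   # vCenter managed-object reference, unique per vCenter (constructed ids)


# Constructed vCD inventory: the name AML-SYS1 exists in two organisations.
INVENTORY = [
    VcdVm("Org1", "AML-SYS1", "vm-101"),
    VcdVm("Org1", "WEB-1", "vm-102"),
    VcdVm("Org2", "AML-SYS1", "vm-202"),
]

# Constructed per-organisation policy. Each organisation's SmartGroup is
# "vf.tag == <org>", so membership follows the tag, not a hand-kept list.
ORG_POLICY = {"Org1": "allow-payroll-db", "Org2": "allow-research-only"}


def naive_sync(inventory):
    """Keys on VM name: the second AML-SYS1 silently overwrites the first,
    so one tenant's VM would land in the other tenant's SmartGroup."""
    return {vm.name: {"vf.tag": vm.org} for vm in inventory}


def keyed_sync(inventory):
    """Keys on the vCenter moref, the identity the ESX/ESXi host enforces on,
    so same-named VMs in different organisations keep separate tags."""
    tags = {}
    for vm in inventory:
        if vm.moref in tags:
            raise ValueError(f"duplicate moref {vm.moref}")
        tags[vm.moref] = {"vf.tag": vm.org, "name": vm.name}
    return tags


def smartgroup_members(tags, org):
    """Resolve the dynamic SmartGroup 'vf.tag == org' to its member morefs."""
    return sorted(moref for moref, t in tags.items() if t["vf.tag"] == org)


def policy_for(tags, moref):
    """Policy the host would enforce for a VM, derived from its vf.tag."""
    return ORG_POLICY[tags[moref]["vf.tag"]]


def name_collisions(inventory):
    """Report VM names that appear in more than one organisation."""
    orgs_by_name = {}
    for vm in inventory:
        orgs_by_name.setdefault(vm.name, set()).add(vm.org)
    return {n: sorted(o) for n, o in orgs_by_name.items() if len(o) > 1}
```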

Page 28

SUMMARY:- PROTECT KEY APPLICATIONS WITH A LAYERED SECURITY APPROACH

SRX/vSRX firewall (hardware or on a hypervisor)
• L3/L4 DoS protection
• Application-layer DoS protection
• Application profiling and monitoring
• Application port control/enforcement
• IPS
• IPsec termination to the DC

Mykonos
• Protect web apps
• Deception technology complements the signature approach; makes APTs uneconomical
• Tar traps identify malicious users without false positives
• Profiling identifies users without recourse to IP address
• Future: global hacker database

vGW
• Inter-VM security
• Firewall, IDS, AV
• Policies based on VMware or security attributes
• VM application profiling
• Hypervisor traffic monitoring
• PCI compliance
