Protecting key applications in the Datacenter
2 Copyright © 2012 Juniper Networks, Inc. www.juniper.net
SECURITY OUTLOOK
Source : Canalys, March 2012
Threats get more sophisticated
• Flame, Shamoon, Gauss...
• Dirt Jumper (DDoS) toolkits blend attacks
• Mobile malware is exploding
• APTs
Industry megatrends
• CoIT/BYOD
• Virtualisation/Cloud
• Big Data
• Mobility
• Social Media
• Compliance – views on the toolsets
Corporate cloud applications grow
• Security boundary blurring into the cloud
• Data residing in multiple locations, public and private
• Need to secure all data at rest and in transit
• Identity management and trust between SPs and cloud providers is key
New security approaches emerge
• Defence by deception
• Secure the hypervisor
• Virtualise the appliance
• Enhance existing security solutions
SECURITY TRENDS:- IMPACT ON DATACENTER APPLICATIONS
[Figure: three hypervisor hosts attached to the DC fabric]
Blended/compound attacks
• L3/4 DoS
• L7 DoS
• L7 app exploits
Web services
• ~73% of all attacks are web based
• WAF/signatures alone are insufficient
• New approaches required
Compromised VMs
• Staging points for reconnaissance in APTs
• Physical security appliances cannot see inter-VM traffic that never leaves the hypervisor
DATACENTER SECURITY OVERVIEW
Note – Illustrated here are just a few use cases
• Remote branch connectivity and security (remote office, Branch SRX series)
• Site-level security and zoning to separate customer traffic, ALGs, IPS for threat protection, etc. (physical data center with rack servers, High-End SRX)
• Web threat mitigation without false positives (Mykonos)
• VM-level security at an aggregated level – multi-tenant segmentation (Datacenter A and B virtual infrastructure, JunosV Firefly)
• Inter-VM security and inbound threat protection for all VMs combined (vGW on each hypervisor host, protecting VM-A and VM-B)
• Mobile worker (Junos Pulse)
[Figure: Branch SRX, High-End SRX, JunosV Firefly, vGW and Mykonos placed across the remote office, the physical data center and the Datacenter A and B virtual infrastructures]
MITIGATING BLENDED ATTACKS WITH DC SRX
Screens – L3/4 attack mitigation
• SYN flood
• UDP flood
• Protocol anomalies
IPS – L7 exploit prevention
• Signature based
• Zero day availability
• Scalable IPS processing
AppFW/AppTrack – app filtering/monitoring
• Protect applications whichever port they are deployed on
• Monitor app usage for IPS/AppDoS profiles
AppDoS – L7 DoS mitigation
• Context based DoS monitoring/protection
• Differentiate attack from genuine traffic
A CLOSER LOOK AT VSRX
Security & routing functionality delivered as a virtual machine
• Junos delivered as a virtual appliance on a choice of hypervisors; runs on standard x86 hardware
• Full, proven Junos security and routing protocol suite; leverages proven SRX & VJX technology
• Performance optimized: SMP kernel & multi-threaded flowd over multiple vCPUs
• Supports hypervisor VM functionality, e.g. vMotion, snapshots, HA/FT, cloning, management
Junos rich & extensible security stack
• Perimeter: Firewall, VPN, NAT, Network Admission Control
• Content: Anti-Virus, IPS (full IDP feature set), Web Filtering, Anti-Spam
• Application: Application Awareness, Identity Awareness
Junos routing protocols and SDK
Management: CLI, JWeb, SNMP, JSpace-SD, hypervisor management, HA/FT
EDGE DC SECURITY:- VIRTUAL INSTANCE SCALE
Using x86 virtualization for dynamic, private firewall scaling
Option 1 (SRX & LSYS)
• Separate a single physical SRX into unique virtual instances on the device, each with its own customer admin (Customer A to Customer E) and its own firewall, routing, NAT, VPN, ALGs, etc.
• Difficult beyond hundreds of instances
Option 2 (Hypervisors & VJ-SR)
• One VJ-SR per customer (VJ-SR Customer A ... VJ-SR Customer <X>) running on x86 hypervisors (KVM, VMware)
• Build pools of VJ-SRs limited only by hypervisor capacity
VIRTUALISATION WITH LOGICAL SYSTEMS
[Figure: one SRX hosting a root LSYS and LSYS 1–4, interconnected through LSYS 0 (VPLS domain)]
Key takeaways
• Maximum of 32 LSYS
• Uses an internal switch (VPLS domain) for communication between LSYS
• Important to minimise inter-LSYS flows: each is processed three times – by the ingress LSYS, the VPLS domain and the egress LSYS – with corresponding performance implications
• License-based – no LSYS supported with standard SKUs
Primary use cases
• Multi-tenant cloud/DC environments
• Departmental/business unit resource preservation (e.g. university deployment)
• Firewall physical consolidation
LSYS RESOURCE PROFILES
Junos LSYS profile parameters
• Firewall policy rules
• Zones
• Sessions
• IDP (enable/disable)
• NAT rules
• Addresses
• Applications (services)
• CPU utilization
• Log rate
Resource profiles are defined and applied by the global administrator and broadly cover two parameter categories:
• Configuration options, e.g. firewall policies, zones, NAT rules
• Compute resources, e.g. CPU cycles, concurrent sessions, log rates
VIRTUALISATION WITH VRS/ZONES
Key takeaways
• Much greater scaling than LSYS: 2,000 zones/VRs on SRX5800
• No license required
• Generally simpler configuration
• Requires inter-VR routing – not generally achievable with plain static routes alone
Primary use cases
• Firewall consolidation
• Service separation
[Figure: VR A, VR B and VR C on one SRX, each with its own 'Trust' and 'Untrust' zone]
LOGICAL SYSTEMS v VRs/ZONEs
LSYS
Pros
• Resource separation
• Management isolation, including Space/Security Design
Cons
• License required
• Extra configuration complexity
• Performance hits for sending traffic between LSYS
ZONES/VRS
Pros
• Simple configuration
• High scale
• No license
Cons
• No resource protection – usually a requirement in multi-tenant environments
• No true management isolation
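The "resource protection" difference above, and the quotas an LSYS resource profile carries (slide 9), can be made concrete with a small model. Junos security profiles express each quota as a reserved amount guaranteed to the logical system plus a maximum it may reach from the shared pool; the zone/VR design has only one device-wide limit. The following is an added example written for this page, not Juniper code: it models one device-wide resource (say, flow sessions) both ways and runs a noisy-neighbour scenario through each. Capacities, tenants and quota figures are constructed.

```python
"""Model of reserved/maximum quotas (LSYS security-profile style) next to a
flat shared pool (zone/VR style).  Added illustration, not Juniper code."""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Profile:
    reserved: int   # guaranteed to this tenant, never lent to others
    maximum: int    # hard cap for this tenant (reserved <= maximum)


@dataclass
class QuotaPool:
    """A single device-wide resource split by per-tenant profiles."""
    capacity: int
    profiles: Dict[str, Profile] = field(default_factory=dict)
    usage: Dict[str, int] = field(default_factory=dict)

    def add_tenant(self, name: str, reserved: int, maximum: int) -> None:
        if reserved > maximum:
            raise ValueError("reserved quota cannot exceed maximum")
        committed = sum(p.reserved for p in self.profiles.values()) + reserved
        if committed > self.capacity:
            # Over-committed reservations would make the guarantee meaningless.
            raise ValueError("sum of reservations exceeds device capacity")
        self.profiles[name] = Profile(reserved, maximum)
        self.usage[name] = 0

    def allocate(self, name: str, n: int) -> bool:
        """Admit n more units for `name` only if (1) its own maximum allows and
        (2) every other tenant's reservation remains available to it."""
        prof = self.profiles[name]
        wanted = self.usage[name] + n
        if wanted > prof.maximum:
            return False
        others = sum(max(self.usage[t], self.profiles[t].reserved)
                     for t in self.profiles if t != name)
        if others + wanted > self.capacity:
            return False
        self.usage[name] = wanted
        return True

    def release(self, name: str, n: int) -> None:
        self.usage[name] = max(0, self.usage[name] - n)


class SharedPool:
    """Zone/VR style: one global limit, first come first served."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.usage: Dict[str, int] = {}

    def allocate(self, name: str, n: int) -> bool:
        if sum(self.usage.values()) + n > self.capacity:
            return False
        self.usage[name] = self.usage.get(name, 0) + n
        return True


def noisy_neighbour_demo() -> dict:
    """Tenant A grabs everything it can; show what tenant B can still get."""
    lsys = QuotaPool(capacity=400)
    lsys.add_tenant("A", reserved=100, maximum=300)
    lsys.add_tenant("B", reserved=100, maximum=300)
    a_got = lsys.allocate("A", 300)     # True: 300 + B's reserved 100 == 400
    a_over = lsys.allocate("A", 1)      # False: A is at its own maximum
    b_got = lsys.allocate("B", 100)     # True: B's reservation was kept free
    b_extra = lsys.allocate("B", 1)     # False: no unreserved capacity left

    flat = SharedPool(capacity=400)
    a_flat = flat.allocate("A", 400)    # True: nothing stops A
    b_flat = flat.allocate("B", 1)      # False: B is starved
    return {"lsys": (a_got, a_over, b_got, b_extra), "shared": (a_flat, b_flat)}
```

The `others` term in `allocate` is what buys the protection: every other tenant is charged at the larger of its actual usage and its reservation, so unused reserved capacity is never handed to a neighbour. The flat pool has no such term, which is the "no resource protection" con listed for zones/VRs.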
VSRX:- SAMPLE HIGH LEVEL DESIGN
Cloud Service Provider segmenting tenants with VJ-SR and allowing inter-VM protection with vGW
[Figure: Customer A and Customer B reach the cloud service provider over the Internet through MX Series edge routers; the provider's non-virtual network (SRX, EX Series) fronts hypervisors hosting the Customer A and Customer B virtual networks; each customer's primary site (virtual and non-virtual) and branch connect via Cloud-Connect CPE]
VSRX USE CASE VIRTUALIZED DATACENTER ENVIRONMENTS
Customer: Cloud service providers, large enterprises who are virtualizing their datacenters
Requirements: Routing and/or security functionality without a standalone appliance. Under 2 Gbps of traffic.
Goal: Maximize efficiency and resource utilization; extend gains of virtualization to network infrastructure.
Solution: Deploy combined virtual security and routing appliance to maximize efficiency.
[Figure: Datacenter BEFORE – VM1–VM4 in the virtualized environment behind a physical firewall to the WAN; Datacenter AFTER – the firewall runs as a VM alongside VM1–VM4, connected to the WAN]
VSRX – PLANNING
Initial release features
Routing
• Family inet
• Family inet6 (packet mode)
• Static routing, BGP, OSPF, RIP, PIM
• MPLS/VPLS
Firewall
• Firewall policy
• Screens
• SYN cookie
VPN
• Policy-based and route-based
• Dynamic VPN
• Manual key and auto key; IKE phase 1 and phase 2; XAUTH; DPD; VPN monitor
• Tunnel mode; AH & ESP; anti-replay
• Ciphers des/3des/aes; integrity sha-1/md5 (DES and MD5 are obsolete; use AES and, where available, SHA-2)
NAT
• Source NAT, destination NAT, static NAT, persistent NAT
ALGs
• DNS, FTP, H323, MGCP, MS-RPC, PPTP, RSH, RTSP, SCCP, SIP, SQL, SUN-RPC, TALK, TFTP, IKE-ESP
DHCP
• DHCP client, DHCP server, DHCP relay
Hypervisors: VMware, KVM
Management: Device Manager, limited Virtual Systems Manager
Roadmap
• Features: UTM, IDP, clustering, AppSecure
• Hypervisors: Hyper-V, Xen
• Junos SDK
• Juniper portfolio integration (vGW, QFabric, HW SRX, MX, etc.)
• Scale & performance optimization
• Management: policy management APIs; enhancements to Virtual Systems Manager: Junos Space app
VSRX MANAGEABILITY
vSRX Device Management App for Junos Space Platform
• Long term single provisioning point and systems manager for vGW and vSRX deployments
• Support for popular cloud management tools: vCenter, RHEV-M, SCVMM, ServerCenter, vCloud Director, CloudStack, OpenStack
• Features (life cycle management): provisioning, bootstrapping, troubleshooting/debug, log management, reporting, etc.
Management interfaces
• Virtual Systems Manager
• Junos Space – Security Design
• CLI + Junos scripts
• JWeb
• SNMP
• STRM (logging and reporting), Syslog, Traceroute
• Security Insight
• Junos LMS
• Policy Manager APIs
5 ATTACK PHASES:- APT BEHAVIOUR
• Phase 1 – Silent reconnaissance: attackers profile physical and virtual devices and applications
• Phase 2 – Attack vector establishment: weaknesses in the attack surface identified for attack
• Phase 3 – Attack implementation: attacks launched to take control of a device, application or VM; can be used to begin further reconnaissance
• Phase 4 – Attack automation: repeat the attack to increase effectiveness, increase profit or extract more data
• Phase 5 – Maintenance: evade patching and remediation measures intended to stop the attack
THE MYKONOS ADVANTAGE DECEPTION-BASED SECURITY
• Detect: "tar traps" detect threats without false positives
• Track: track IPs, browsers, software and scripts
• Profile: understand the attacker's capabilities and intents
• Respond: adaptive responses, including block, warn and deceive
DETECT THREATS BY DECEPTION
[Figure: request path from the client through the network perimeter to the app server and database firewall; tar traps are inserted in query string parameters, hidden input fields and server configuration]
TRACK ATTACKERS BEYOND THE IP
• Track IP address
• Track browser attacks – persistent token with the capacity to persist in all browsers, including through various privacy control features
• Track software and script attacks – fingerprinting of HTTP communications
SMART PROFILE OF ATTACKER
• Every attacker assigned a name
• Incident history
• Attacker threat level
RESPOND AND DECEIVE
Mykonos responses: warn attacker, block user, force CAPTCHA, slow connection, simulate broken application, force log-out
Threat types: human hacker, botnet, targeted scan, IP scan, scripts & tools, exploits
All responses are available for any type of threat; the slide highlights the responses most appropriate for each type.
APPROACHES TO SECURING VIRTUAL NETWORKS
1. Purpose-built virtual security – a virtual security layer on the ESX/ESXi host protecting VM1–VM3
2. Traditional security agents – a regular thick agent for FW & AV inside each VM
3. VLANs & physical segmentation – VMs separated by VLANs and physical devices
[Figure: three ESX/ESXi hosts, one per approach, each running VM1–VM3 on the hypervisor]
THE VGW PURPOSE-BUILT APPROACH - VMWARE
Service provider & enterprise grade three tiered model
• VMware certified (signed binaries!)
• Protects each VM and the hypervisor
• Fault-tolerant architecture (i.e. HA)
• Virtualization-aware "Secure VMotion" scales to 1,000+ hosts
• "Auto Secure" detects/protects new VMs
• Granular, tiered defense: stateful firewall, integrated IDS and AV
• Flexible policy enforcement – zone, VM group, VM, individual vNIC
The vGW engine (security design for vGW)
[Figure: on an ESX or ESXi host, the vGW engine sits in the VMware kernel beneath VM1–VM3 and any vSwitch (standard, DVS, 3rd party), using the VMware APIs; it is managed from a Virtual Center VM and forwards packet data to a partner server (IDS, SIM, Syslog, Netflow)]
OPEN HYPERVISOR FRAMEWORK FOR KVM
• vGW KVM Manager communicates with vGW-protected KVM hosts 1 to N via libvirt or the Juniper protocol
• An optional VM provisioning system (service providers, large enterprises) and a VM management system (RHEV-M, UVMM, qemu, etc.) integrate through environment-specific tools and APIs
Enhanced vGW Cloud SDK
1. new_vm_info_api & new_hypervisor_api
2. vGW Policy APIs (improvements to existing APIs)
3. vGW Management APIs (updates, versions, etc.)
4. vGW Install APIs (deploy SVMs, kernel modules, etc.)
VGW AND MICROSOFT HYPER-V (coming soon)
Hyper-V integration
• Three tiered model
• SCVMM integration
• Filter extension in the Hyper-V Extensible Switch
• Supports live migration
• Granular, tiered defense for VMs
The vGW engine (security design for vGW)
[Figure: on a Hyper-V host (physical server), the Hyper-V Extensible Switch stacks capture, WFP, filter and forwarding extensions; vGW runs as the filter extension beneath VM1–VM3, is managed from a System Center VMM VM and forwards packet data to a partner server (IDS, SIM, Syslog, Netflow)]
VGW INTEGRATION WITH VCLOUD DIRECTOR
vCloud Director 1.5 and vGW Series products can be used together!
1. vCloud relies on traditional vSphere technologies (vCenter & ESX/ESXi hosts). vGW can be inserted into this environment (the VMsafe and VI APIs are still working and available).
2. vCloud introduces new abstraction constructs which are inserted into vCenter. vCloud APIs and vGW APIs can be used to discover the constructs and auto-populate SmartGroups for dynamic, human-readable security policies.
Example flow (VMware vCenter, vCloud Director, ESX/ESXi host with vGW, vGW Management):
1. vCloud Director creates the VM in vCenter with a semi-random structure.
2. Juniper's 'vcdSync' script uses the vCD APIs to determine which organizational unit a VM belongs to (VMs with the same name could be in two different organizational units).
3. vGW Management knows that AML-SYS1 is part of 'Org2'; this is made available as a vf.tag Smart Group parameter.
4. vGW Management inserts AML-SYS1 into the SmartGroup and enforces policy on the ESX/ESXi host automatically!
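The vcdSync flow hinges on one detail: VM names are not unique across organisations, so the sync must key on the vCenter object reference and carry the organisation as a tag that SmartGroup rules can match. The following added example models that with a constructed vCloud and vCenter inventory. It is not Juniper's vcdSync script or the vGW API; the rule representation (a Python predicate over tags), the `vf.vapp` tag and the quarantine policy for VMs no group claims are assumptions of this example.

```python
"""Added illustration of the vcdSync idea: map each vCenter VM to its
vCloud organisation by object reference, expose that as vf.tag, and let
tag-based SmartGroup rules select the policy.  Not Juniper code; the
inventories below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class VM:
    moref: str   # vCenter managed-object reference: unique within a vCenter
    name: str    # display name: NOT unique across organisations


# Constructed vCloud Director view: organisation -> vApp -> VM morefs
VCD_INVENTORY: Dict[str, Dict[str, List[str]]] = {
    "Org1": {"vapp-web": ["vm-101", "vm-102"]},
    "Org2": {"vapp-aml": ["vm-201"]},
}

# Constructed vCenter view; AML-SYS1 exists in both organisations
VCENTER_VMS: List[VM] = [
    VM("vm-101", "WEB-01"),
    VM("vm-102", "AML-SYS1"),
    VM("vm-201", "AML-SYS1"),
    VM("vm-999", "ORPHAN"),      # created outside vCloud: no organisation
]


def sync_tags(vms: List[VM], inventory=VCD_INVENTORY) -> Dict[str, Dict[str, str]]:
    """Return moref -> tags.  Only VMs found in vCloud get vf.tag/vf.vapp;
    the lookup is by moref, never by name, so duplicate names are harmless."""
    where: Dict[str, tuple] = {}
    for org, vapps in inventory.items():
        for vapp, morefs in vapps.items():
            for moref in morefs:
                where[moref] = (org, vapp)
    tags: Dict[str, Dict[str, str]] = {}
    for vm in vms:
        tags[vm.moref] = {"vf.name": vm.name}
        if vm.moref in where:
            org, vapp = where[vm.moref]
            tags[vm.moref].update({"vf.tag": org, "vf.vapp": vapp})
    return tags


def orgs_for_name(name: str, vms=VCENTER_VMS, inventory=VCD_INVENTORY) -> Set[str]:
    """What a name-keyed sync would face: more than one org for a name means
    the policy choice is ambiguous, which is why the sync keys on morefs."""
    tags = sync_tags(vms, inventory)
    return {tags[v.moref]["vf.tag"] for v in vms
            if v.name == name and "vf.tag" in tags[v.moref]}


# SmartGroups: (group name, membership predicate over tags, policy to apply);
# order matters: later, more specific groups override earlier ones.
Rule = Callable[[Dict[str, str]], bool]
SMARTGROUPS: List[tuple] = [
    ("Org1-all", lambda t: t.get("vf.tag") == "Org1", "policy-org1"),
    ("Org2-all", lambda t: t.get("vf.tag") == "Org2", "policy-org2"),
    ("Org2-AML", lambda t: t.get("vf.tag") == "Org2" and t.get("vf.vapp") == "vapp-aml",
     "policy-org2-aml"),
]


def smartgroup_members(tags: Dict[str, Dict[str, str]], rules=SMARTGROUPS) -> Dict[str, Set[str]]:
    """Evaluate every rule against every VM's tags (auto-population)."""
    return {name: {m for m, t in tags.items() if rule(t)} for name, rule, _ in rules}


def policy_for(moref: str, tags: Dict[str, Dict[str, str]], rules=SMARTGROUPS) -> str:
    """Last matching group wins; a VM no group claims gets quarantined
    (assumed default, in the spirit of 'Auto Secure' for new VMs)."""
    chosen = "policy-quarantine"
    for _, rule, policy in rules:
        if rule(tags.get(moref, {})):
            chosen = policy
    return chosen
```

Two VMs both called AML-SYS1 land in different groups because the tag came from the organisation that owns each moref, not from the name; a VM vCloud knows nothing about stays in quarantine until someone tags it, which is the safer default for a multi-tenant host.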
SUMMARY:- PROTECT KEY APPLICATIONS WITH A LAYERED SECURITY APPROACH
SRX/vSRX firewall (physical SRX or vSRX on the hypervisor)
• L3/L4 DoS protection
• Application-layer DoS protection
• Application profiling and monitoring
• Application port control/enforcement
• IPS
• IPsec termination to the DC
Mykonos
• Protect web apps
• Deception technology complements the signature approach; makes APTs uneconomical
• Tar traps identify malicious users without false positives
• Profiling identifies users without recourse to IP address
• Future: global hacker database
vGW
• Inter-VM security
• Firewall, IDS, AV
• Policies based on VMware or security attributes
• VM application profiling
• Hypervisor traffic monitoring
• PCI compliance