Post on 24-Apr-2018
transcript
Securing Networks with Juniper Networks
Juniper Security Features
Jean-Marc Uzé, Liaison Research, Education and Government Networks and Institutions, EMEA
juze@juniper.net
TF-CSIRT Meeting, 26/09/02
Agenda
- Introduction
- Juniper Networks Routers Architecture
- Router Protection
- Encryption of Traffic
- Source Address Verification
- Real-time Traffic Analysis
- I/O Filters and Rate Limiting
- Summary
Juniper Networks, Inc. Copyright © 2002

Cyber Attacks Increasing
[Timeline figure, 1994 to 2000: packet sniffers, IP spoofing, denial of service attacks, automated scanning tools, distributed denial of service attacks, email script attacks, self-propagating automated distributed attacks; the trend runs from host-based attacks, to network-based attacks, to attacks that target the network itself]
- Frequency
  - Over 4,000 Distributed DoS attacks a week
- Sophistication
  - Distributed DoS attacks hard to detect & stop
  - Network elements recently targeted
- Impact
  - Yahoo, eBay, Microsoft make headlines
  - Cloud 9 (UK) ISP out of business
Source: Published CERT figures
Today’s Security Compromises
- Enable security at specific points on the network
- As platforms, interfaces or software allow
- Does not provide reliable security
- Security enabled after attack is detected
- High operational effort
- Performance SLAs affected
[Figure: performance against time under a partial, reactive approach; marked points: attack starts, tracing, blocking, attack ends; the SLA target is marked on the performance axis]
Security Without Compromise
- Ubiquitous
  - Juniper Networks: Single Image, Security on All Interfaces
- Continuous
  - Juniper Networks: Low impact – turn it on, leave it on
- Economical
  - Juniper Networks: Included in the basic platform
- Proven
  - Juniper Networks: Shipping since 2000 and in use in production networks around the world
Lets You, Rather Than Your Equipment, Dictate Your Network Security Policy.
Protecting and Enabling Revenues
- Customer Retention
  - Increased customer satisfaction
  - Match competitive security service offerings
- New Services
  - Lawful Intercept
  - Intrusion Detection Services
  - High Speed Encrypted VPNs
  - Attack Resistant Web Hosting
  - Denial of Service Protection/Control
  - Spoofing Protection
JUNOS Security Related Features
[Figure: release timeline JUNOS 3.x (1998), JUNOS 4.x (1999), JUNOS 5.x (2001), with the security features listed below placed along it]
- User Administration
- Tacacs+/Radius
- Protocol Authentication
- H/W Based Packet Filtering
- Individual Command Authorization
- Traffic Policing
- Firewall Syslogs/MIB
- H/W Based Router Protection
- Port-Mirroring
- IPSEC Encryption (Control and Transit traffic)
- Unicast RPF
- Radius Support for PPP/CHAP
- SNMPv3
Juniper Security Features at a Glance
Examples of Available Safeguards (covering infrastructure protection and customer protection)
Prevention:
  1. Hardware based router protection
  2. IPSEC encryption of Control Traffic
  3. IPSEC encryption of customer traffic
  4. Source address verification
Detection:
  5. Real time traffic analysis (port mirroring) for Lawful Intercept, IDS
  6. Real-time DDOS attack identification
Suppression:
  7. I/O filters to block attack flows
  8. Rate limiting
  9. Hitless filter implementation
System Architecture
- Routing Engine
  - Maintains routing table and constructs forwarding table using knowledge of the network
- Packet Forwarding Engine
  - Receives packet forwarding table from Routing Engine
  - Copies packets from an input interface to an output interface
  - Conducts incremental table updates without forwarding interruption
[Figure: the Routing Engine, running JUNOS Internet Software, holds the forwarding table and pushes updates to the copy of the forwarding table in the Packet Forwarding Engine (Internet Processor II, switch fabric, I/O cards)]
IP II ASIC Overview
- Leverages proven, predictable ASIC forwarding technology of Internet Processor
- Provides breakthrough technology to support performance-based, enhanced services
  - Security and bandwidth control (i.e. filtering) at speed
  - Visibility into network operations at speed
- Delivers performance WITH services
  - Supported on all interfaces
Filtering
- IP-II enables significant functionality with applications to network management
  - Security
  - Monitoring
  - Accounting
Filter specification (multiple rules may be specified):

    filter my-filter ip {
        rule 10 {
            protocol tcp;
            source-address 128.100.1/24;
            port [ smtp ftp-data 666 1024-1536 ];
            action {
                reject tcp-reset;
            }
        }
    }

The filter specification is compiled into microcode for the packet handling programs of the routing instance; filters and route lookup are part of the same program, and all packets handled by the router pass through it.
Filters can act on the highlighted fields of the IP and TCP headers shown in the diagram (IP: version, IHL, ToS, total length, ID, fragmentation, TTL, protocol, header checksum, source address, destination address; TCP: source port, destination port, sequence number, acknowledgement number, offset, flags, window, checksum, urgent pointer), as well as the incoming interface identifier and the presence of IP options.
Possible outcomes: forward; silent discard; TCP reset or ICMP unreachable; plus the modifiers log, syslog, count, sample, forwarding-class, loss-priority and policer.
JUNOS Internet Software
- Common software across entire product line leverages stability, interoperability, and a wide range of features
- Purpose built for Internet scale
- Modular design for high reliability
- Best-in-class routing protocol implementations
- Foundation for new services with MPLS traffic engineering
[Figure: operating system modules: Protocols, Interface Mgmt, Chassis Mgmt, SNMP, Security]
Traffic Framework
- Management, Control and Data planes
- Source, Destination and Type
[Figure: traffic types exchanged between the planes: routing control, ICMP notification, user data, router management]
Tools – Prevent, Detect, Control
Traffic:
- Forward
- Redirect
- Monitor
- Sample
- Count
- Log
- Mark
- Limit
- Discard
Route Control:
- Import filters
- Export filters
- Mark
- Limit
  - Announcements
  - Prefixes
JUNOS Default to Secure
- Does not forward directed broadcasts
- Remote management access to the router is disabled. It must be explicitly enabled
  - telnet, ftp, ssh…
- No SNMP set support for editing configuration data
- Default Martian addresses
Communicating with the Router
- Secure Shell
  - Ssh v1 / v2
  - Supports connection limit + rate limit against SYN flood DoS attacks on the ssh port
  - OpenSSH 3.0.2 since JUNOS 5.4
- Secure Copy Protocol (SCP)
  - Uses the ssh encryption and authentication infrastructure to securely copy files between hosts
- Central Authentication
  - TACACS+ / RADIUS
  - User classes with specific privileges
- File Records and Command Events
Hardware-Based Router Protection
- Router’s control plane is complex and intelligent
  - Needs to be CPU based
  - Protocols need processing power for fast updates and to minimize convergence time.
- Attacks launched at routers include sending:
  - Forged routing packets (BGP, OSPF, RIP, etc.)
  - Bogus management traffic (ICMP, SNMP, SSH, etc.)
- Attacker can easily launch high speed attacks
  - Rates in excess of 40M/second
  - CPU based filtering unable to keep up
  - Attacks consume CPU resources needed for control traffic.
  - Danger of protocol time-outs, leading to network instabilities.
Hardware Based Router Protection
- Hardware based filtering advantages
  - Hardware drops attack (“untrusted”) traffic
  - CPU free to process “trusted” control traffic
- One filter applied to the “loopback”
  - Protects the router and all interfaces
  - Provides ease of management
  - No need to configure additional filters when adding new interfaces
Hardware Based Router Protection

    /* applied as an input filter on the loopback interface (lo0) */
    firewall {
        filter protect-RE {
            term established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            term trusted-traffic {
                from {
                    source-address {
                        10.10.10.0/24;
                        10.10.11.0/24;
                        10.10.12.0/24;
                        10.10.17.0/24;
                        10.10.18.0/24;
                    }
                    protocol [ icmp tcp ospf udp ];
                    destination-port [ bgp domain ftp ftp-data snmp ssh ntp ];
                }
                then accept;
            }
            term default {
                then {
                    log;
                    discard;
                }
            }
        }
    }

- Define “trusted” source addresses
- Define protocols and ports that need to communicate
- Accept desired traffic and discard everything else
- One filter applied to the loopback interface protects router and all interfaces
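As an added example (not code from the deck or from Juniper), the following Python model walks constructed packets through the protect-RE filter above, and through the same term-ordering rules that the earlier "Filtering" slide describes; the port-number mapping and the treatment of ports for ICMP/OSPF are this example's assumptions.

```python
# Added example (not from the Juniper deck): the protect-RE filter from the
# slide, evaluated term by term over constructed packets addressed to the
# Routing Engine. JUNOS semantics modelled: terms are tried in order, every
# "from" condition in a term must match, the first matching term decides,
# and anything matching no earlier term reaches "default" (log, discard).
import ipaddress

TRUSTED = [ipaddress.ip_network(p) for p in (
    "10.10.10.0/24", "10.10.11.0/24", "10.10.12.0/24",
    "10.10.17.0/24", "10.10.18.0/24")]
# The well-known port names used on the slide, mapped to port numbers.
PORTS = {"bgp": 179, "domain": 53, "ftp": 21, "ftp-data": 20,
         "snmp": 161, "ssh": 22, "ntp": 123}
TRUSTED_PROTOS = {"icmp", "tcp", "ospf", "udp"}
TRUSTED_PORTS = set(PORTS.values())


def tcp_established(pkt):
    # "tcp-established" matches TCP segments with ACK or RST set, i.e. not
    # a fresh SYN; it is stateless, so any ACK-flagged segment qualifies.
    return pkt["proto"] == "tcp" and bool(pkt.get("flags", set()) & {"ACK", "RST"})


def trusted_traffic(pkt):
    src_ok = any(ipaddress.ip_address(pkt["src"]) in n for n in TRUSTED)
    proto_ok = pkt["proto"] in TRUSTED_PROTOS
    # Modelling assumption: destination-port applies to TCP/UDP only; ICMP
    # and OSPF carry no port, so the port condition is skipped for them.
    port_ok = pkt.get("dport") in TRUSTED_PORTS if pkt["proto"] in ("tcp", "udp") else True
    return src_ok and proto_ok and port_ok


def protect_re(pkt):
    """Return (matching term, action) for one packet headed to the RE."""
    if tcp_established(pkt):
        return ("established", "accept")
    if trusted_traffic(pkt):
        return ("trusted-traffic", "accept")
    return ("default", "log+discard")  # catch-all: logged, then dropped in hardware


# Constructed sample packets, not captured traffic.
SAMPLES = [
    {"src": "10.10.10.5", "proto": "tcp", "dport": 179, "flags": {"SYN"}},   # trusted peer opens BGP
    {"src": "203.0.113.9", "proto": "tcp", "dport": 179, "flags": {"SYN"}},  # untrusted host opens BGP
    {"src": "203.0.113.9", "proto": "tcp", "dport": 1024, "flags": {"ACK"}}, # ACK from anywhere passes
    {"src": "10.10.17.2", "proto": "ospf"},                                   # trusted OSPF neighbour
    {"src": "10.10.17.2", "proto": "tcp", "dport": 23, "flags": {"SYN"}},    # telnet port not listed
    {"src": "198.51.100.1", "proto": "icmp"},                                 # ping from outside
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p["src"], p["proto"], p.get("dport", "-"), "->", protect_re(p))
```

The third sample shows the price of the stateless "established" term: an ACK-flagged segment from any source reaches the Routing Engine, which is why the slide pairs this filter with rate limiting and hardware dropping rather than relying on it alone.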
IPSec Encryption of Control Traffic
- Encrypt Control Traffic Between Routers
- Encryption uses ESP in Transport Mode
- ESP Provides Secure Communication for critical control/routing traffic
- Protects from attacks against control plane
IPSec Encryption of Customer Traffic
- Encryption Services PIC provides capabilities to other interfaces on the router for Encryption and Key Exchange (IKE)
- Provides high-bandwidth encryption for transit traffic at 800 Mbps (half-duplex)
- Applied via the Packet Forwarding Engine
  - Offloads the encryption and decryption tasks from the Routing Engine processor
- Delivers Private and Secure communication of mission-critical customer traffic
- Provides up to 1,000 tunnels per PIC
- Can Scale Using Multiple PICs
IPSec Encryption of Customer Traffic
- Crypto PIC highlights:
  - Tunnel/Transport Mode
    - Tunnel mode for data traffic
  - Authentication Algorithms
    - MD5
    - SHA-1
  - Encryption Algorithms
    - DES
    - 3-DES
  - IKE Features
    - Support for automated key management using Diffie-Hellman key establishment
    - Main/Aggressive mode supported for IKE SA setup
    - Quick Mode supported for IPSec SA setup
Source Address Verification
- Why it is needed:
  - IP address spoofing is a technique used in DOS attacks
  - Attacker pretends to be someone else
  - Makes it difficult to trace back the attacks
  - Common Operating Systems let users spoof the machine’s IP address (UNIX, LINUX, Windows XP)
- How it is done:
  - Route table look-up performed on IP source address
  - Router determines if traffic is arriving on the expected path
    - Traffic is accepted
    - Normal destination based look-up is performed
  - If traffic is not arriving on the expected path
    - Then it is dropped
Source Address Verification
- Juniper Solution
  - uRPF can be configured per-interface/sub-interface
  - Supports both IPv4 and IPv6
  - Packet/Byte counters for traffic failing the uRPF check
  - Additional filtering available for traffic failing check:
    - police/reject
    - Can syslog the rejected traffic for later analysis
  - Two modes available:
    - Active-paths: uRPF only considers the best path toward a particular destination
    - Feasible-paths: uRPF considers all the feasible paths. This is used where routing is asymmetrical.
Source Address Verification
[Figure: the Data Center prefix 10.10.10.0/24 sits behind so-1/0/0.0 and the routing table entry reads "10.10.10.0/24 *[BGP/170] >via so-1/0/0.0"; an attack with source address 10.10.10.1 arrives on so-0/0/0.0 from the 11.11.11.0/24 side, where uRPF is enabled, and is dropped because the expected path to 10.10.10.0/24 is via so-1/0/0.0]
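To make the check on the two preceding slides concrete, here is an added Python model (not Juniper code) of strict uRPF in both active-paths and feasible-paths mode; the routing table, the second feasible route and the interface names other than those on the figure are constructed for the example.

```python
# Added example (not from the Juniper deck): a model of the unicast RPF check
# the slides describe. The source address of each arriving packet is looked up
# in a constructed routing table (longest prefix match) and the packet passes
# only if it arrived on an interface that lookup points to. In "active-paths"
# mode only the best (active) route counts; in "feasible-paths" mode any
# feasible alternative route counts too, which is what asymmetric routing needs.
import ipaddress

# Constructed routing table: (prefix, next-hop interface, active best path?).
# The first entry mirrors the slide: 10.10.10.0/24 *[BGP/170] >via so-1/0/0.0.
ROUTES = [
    ("10.10.10.0/24", "so-1/0/0.0", True),
    ("10.10.10.0/24", "so-2/0/0.0", False),  # feasible, but not the active path
    ("11.11.11.0/24", "so-0/0/0.0", True),
]
# Per-interface count of packets failing the check, as the slide's counters do.
FAIL_COUNTERS = {}


def reverse_path_interfaces(src, mode):
    """Interfaces through which `src` is reachable, under the given uRPF mode."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), ifl, active)
               for p, ifl, active in ROUTES if addr in ipaddress.ip_network(p)]
    if not matches:           # no route back to the source at all
        return set()
    longest = max(net.prefixlen for net, _, _ in matches)
    return {ifl for net, ifl, active in matches
            if net.prefixlen == longest and (active or mode == "feasible-paths")}


def urpf_check(ingress, src, mode="active-paths"):
    """Return "accept" or "drop" for a packet with source `src` seen on `ingress`."""
    if ingress in reverse_path_interfaces(src, mode):
        return "accept"   # the normal destination-based lookup would follow
    FAIL_COUNTERS[ingress] = FAIL_COUNTERS.get(ingress, 0) + 1
    return "drop"


if __name__ == "__main__":
    # The slide's scenario: a packet claiming to be 10.10.10.1 arrives on
    # so-0/0/0.0, but the data-centre prefix is only reachable via so-1/0/0.0.
    print("spoofed on so-0/0/0.0:", urpf_check("so-0/0/0.0", "10.10.10.1"))
    print("genuine on so-1/0/0.0:", urpf_check("so-1/0/0.0", "10.10.10.1"))
    print("alternate path, active-paths:", urpf_check("so-2/0/0.0", "10.10.10.1"))
    print("alternate path, feasible-paths:",
          urpf_check("so-2/0/0.0", "10.10.10.1", "feasible-paths"))
    print("unroutable source:", urpf_check("so-0/0/0.0", "192.0.2.1"))
    print("failures per interface:", FAIL_COUNTERS)
```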
Real-time Traffic Analysis
- Sampling and cflowd format export (v5 + v8)
- Since JUNOS 5.4: Passive Monitoring PIC
  - Application is primarily for security and traffic analysis
  - Monitors IPv4 packets and flows over SONET on:
    - OC-3c, OC-12c and OC-48c
    - PPP or HDLC (Cisco) layer 2 encapsulations
  - Generates cflowd v5 records for export to collector nodes
    - IPSec or GRE tunnels can be used for exporting
Real-time Traffic Analysis
- Juniper Port Mirroring capability
  - Copy of sampled packet can be sent to arbitrary interface
  - Any interface and speed, up to 100% of selected packets
  - N number of ingress ports to single destination port
  - Work in progress with IDS vendor
- Discussions ongoing with high-speed analytical security application developers (OC48)
Real-time Traffic Analysis
[Figure: mirrored traffic from the Data Center is sent to an Intrusion Detection System]
Real-time DDoS Identification
- Preparation
  - Pre-configure Destination Class Usage (DCU) on customer-facing ingress interfaces
  - Accounting feature typically for billing
  - Supported in JUNOS 4.3 (12/2000) and beyond
  - Counts packets, bytes destined for each of up to 16 communities per interface
  - Counters retrievable via SNMP
  - Note: Source Class Usage is also supported (since JUNOS 5.4)
- During Attack
  - Use BGP to announce victim’s /32 host address with special community
  - Trigger SNMP polling of DCU counters on all ingress interfaces
  - Apply heuristic to identify likely attack sources
Real-time DDoS Identification
[Figure: a Service Provider network with a NOC, customer-facing User Networks, Attacker Networks and a Victim Network attached via a switch; attack flows from the attacker networks cross the provider toward the victim]
Real-time DDoS Identification
[Figure: the same topology; the NOC announces the victim host 128.8.128.80 as 128.8.128.80/32 with community 100:100 via BGP, so that the DCU counters on every ingress interface count the traffic heading toward the victim]
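The "during attack" steps above, as an added Python example (not Juniper's own tooling): two SNMP polls of the per-interface DCU packet counters for the victim's destination class are turned into rates, and the interfaces far above the typical rate are reported; the counter values, interface names, polling interval and the median-based threshold are this example's constructions.

```python
# Added example (not from the Juniper deck): the "during attack" steps from
# the slide, run over constructed DCU counter snapshots. The victim host
# 128.8.128.80/32 has been announced with community 100:100, which is mapped to
# a destination class so that every customer-facing ingress interface keeps a
# packet counter for traffic toward the victim. Two SNMP polls give a rate per
# interface; interfaces far above the typical rate are the likely attack
# sources. The threshold rule is this example's own assumption, not Juniper's.
from statistics import median

VICTIM = "128.8.128.80/32"
COMMUNITY = "100:100"     # the "special community" carried by the /32 announcement
INTERVAL_S = 60           # seconds between the two SNMP polls
COUNTER_MOD = 2 ** 32     # DCU counters are polled as 32-bit SNMP counters here

# Constructed DCU packet counters (destination class = victim) at two polls.
# ge-1/0/0.0 wraps around the 32-bit limit between polls on purpose.
POLL_T0 = {"ge-0/0/0.0": 1_000, "ge-0/0/1.0": 2_500, "ge-0/1/0.0": 900,
           "ge-0/1/1.0": 3_000, "ge-1/0/0.0": 4_294_000_000}
POLL_T1 = {"ge-0/0/0.0": 1_600, "ge-0/0/1.0": 2_545_000, "ge-0/1/0.0": 1_400,
           "ge-0/1/1.0": 3_960, "ge-1/0/0.0": 841_704}


def rates(t0, t1, interval=INTERVAL_S):
    """Packets per second toward the victim, per ingress interface."""
    pps = {}
    for ifl in t0:
        delta = t1[ifl] - t0[ifl]
        if delta < 0:                 # counter wrapped between the two polls
            delta += COUNTER_MOD
        pps[ifl] = delta / interval
    return pps


def likely_attack_sources(t0, t1, interval=INTERVAL_S, factor=20, floor_pps=1000):
    """Heuristic: flag interfaces sending more than `factor` x the median
    rate and more than `floor_pps` toward the victim; highest rate first."""
    pps = rates(t0, t1, interval)
    baseline = median(pps.values())
    flagged = [(ifl, r) for ifl, r in pps.items()
               if r > factor * baseline and r > floor_pps]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print(f"victim {VICTIM} announced with community {COMMUNITY}")
    for ifl, r in likely_attack_sources(POLL_T0, POLL_T1):
        print(f"{ifl}: {r:.0f} pps toward victim -> candidate for an ingress filter")
```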
I/O Filters To Block Attack Flows
- DOS attacks need to be detected and stopped
- Interface filters can be applied to block only attack flows
- Filters can be applied to any interface type
- Filters can be applied both on inbound and outbound

    /* apply the filter to the ingress point of the network */
    interfaces {
        so-0/2/2 {
            unit 0 {
                family inet {
                    filter {
                        input block-attack;
                    }
                    address 151.1.1.1/30;
                }
            }
        }
    }
    /* This is the filter which blocks the attacks */
    firewall {
        filter block-attack {
            term bad-guy {
                from {
                    source-address {
                        10.10.10.1/32;
                    }
                    protocol icmp;
                }
                then {
                    discard;
                    log;
                }
            }
            /* a JUNOS filter ends with an implicit discard, so a final
               accept term is needed to let all other traffic through */
            term allow-rest {
                then accept;
            }
        }
    }
Rate Limiting
- Suppression/Rate Limiting Advantages
  - Protects router or customer by limiting traffic based on protocol/port/source and destination addresses
- Juniper Advantage
  - Architectural reasons we perform
    - Internet Processor ASIC not tied to an interface or release
  - Behavior under attack
    - Stable operation, routing and management traffic unaffected
Hitless Filter Implementation
- Can be applied immediately after identification of offending traffic
- Application of filters does not create a short-term degraded condition as filters take effect
- Size and complexity of filter independent of forwarding performance
Traffic Interruption During Filter Compilation
[Figure, two panels: a NOC operator applies or changes filters while a traffic flow and an attack flow pass through the router; during filter compilation all traffic gets dropped]
No Interruption With Atomic Updates
[Figure, two panels: a NOC operator applies or changes filters while a traffic flow and an attack flow pass through the router; with atomic filter updates only the attack traffic gets dropped and the legitimate traffic flow continues]
Next Steps
- Ongoing Dialog with security team
  - Ensuring existing security features are active
  - Awareness of upcoming security issues
- Best Practices
  - White Papers
- Security consulting and training
Juniper Networks – the Trusted Source
Further References
- Juniper Networks Whitepapers
  - Rate-limiting and Traffic-policing Features
  - Fortifying the Core
  - Visibility into Network Operations
  - Minimizing the Effects of DoS Attacks
  - Juniper Networks Router Security
- Available from http://www.juniper.net/techcenter
Thank You
juze@juniper.net