Firefly Perimeter (vSRX) Technical Information, Junos 12.1X47-D10.2
Tuncay Seyran
Security in a virtualized environment: the same security risks, plus new ones

TRADITIONAL SECURITY RISKS IMPACTING VIRTUAL ENVIRONMENTS
• Targeted malware
• Thumb drive theft
• Data loss
• Missing security updates and patches
• Reliance on traditional barriers
• Poor visibility and control

NEW SECURITY RISKS EXCLUSIVE TO VIRTUAL ENVIRONMENTS
• Accelerated provisioning (clones, software scripts, etc.)
• Mixed-trust workloads
• Audit scope creep
• Security left to non-traditional security staff
• VM migrations
• Hypervisor integrity concerns

Leveraging traditional security solutions transposed from physical server environments can become a major obstacle to your progress: most pre-date x86 virtualization and were never designed to operate in this environment.
Legacy security on virtual machines JUST DOESN'T MAKE SENSE...
(Diagram: one x86 box running a hypervisor with twelve VMs, each VM carrying its own anti-malware agent.)
Multiple instances of anti-malware software + multiple instances of the anti-malware signature database
• Performance degradation
• Wasteful duplication of the security software
• Potential gaps in security:
- Scanning storms
- Panic attacks
- Update storms
Virtual security solutions DO MAKE SENSE...
(Diagram: one x86 box running a hypervisor with twelve VMs, protected by a single security virtual appliance.)
One virtual instance of anti-malware software + one virtual instance of the anti-malware signature database
• Higher guest virtual machine densities
• Higher performance for critical applications and business processes
• Easy deployment and automatic protection of newly created virtual machines
• Higher return on investment
• Security gaps are eliminated (e.g. instant-on gaps, scanning storms, etc.)
Firefly Perimeter
Next-Generation Firewalls (as defined by Gartner)
• Deep-packet-inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and intelligence brought in from outside the firewall.
• An NGFW should not be confused with a stand-alone network intrusion prevention system (IPS) that includes a commodity or non-enterprise firewall, or with a firewall and IPS in the same appliance that are not closely integrated.
NOTE: we are not calling Firefly Perimeter an NGFW until the AppSecure 2.0 release ships as part of Firefly Perimeter.
What's New in FFP 12.1X47-D10.2
Note that Dynamic VPN has been removed in this release.
Unified Threat Management (UTM) Features
• Web Filtering (redirect) (WF)
• Enhanced Web Filtering (EWF)
• Sophos Antivirus (SAV / AV Sophos)
• Sophos Antispam Filtering (AS)
• Content Filtering (CF)
UTM Information
• A license is needed for UTM and for IPS. To achieve HA, two licenses must be purchased (one per node).
• License terms of 1, 3 or 5 years
• Currently no hard key enforcement
• The initial / evaluation license is valid for six months
• SBL server matching stops when the antispam license key expires
• Local whitelist / blacklist matching continues after the antispam license key expires
• UTM is turned on by default. This means some of the capacity numbers are cut by half even when UTM is not used.
UTM and Security Components (current + future)
SRX UTM Features and Partners
UTM (current + future)
How to Position UTM Services (current + future)
Protecting your clients
Different techniques address different problems when it comes to protecting clients from becoming infected while accessing the Internet:
• Enhanced Web Filtering: proactively blocks categories of sites that may be used for spreading malware, or may be in violation of corporate policy
• Anti-virus and anti-malware from Sophos: verifies that the site is not known for spreading malware (reputation-based filtering available with Sophos AV), and scans incoming files for viruses
• Intrusion Prevention System: inspects traffic at the application layer against known and unknown attacks and blocks or logs them
• Anti-spam: prevents unwanted mail from disreputable senders
• Application Tracking (future): provides visibility about which applications and nested applications are used
• Application Firewalling (future): proactively blocks specific applications that may be used for spreading malware or may be in violation of corporate policy
Web Filtering
• Prevents access to inappropriate web content.
• Two types, neither of which needs a license:
- Redirect web filtering: intercepts HTTP requests and forwards the requested URL to an external URL filtering server (provided by Websense), which decides whether to block or permit.
- Juniper local web filtering: the block/permit decision is made on the device after it identifies the category of the URL from user-defined categories stored on the device.
Enhanced Web Filtering
• Enhanced web filtering (license required): requests are sent to the Websense ThreatSeeker Cloud (TSC)
- The URL of the site is sent and Websense returns a classification and a reputation score
• Integrated URL filtering solution.
• Intercepts HTTP and HTTPS requests and sends the HTTP / HTTPS URL and the source IP to the Websense ThreatSeeker Cloud (TSC).
- HTTP request: the URL is extracted
- HTTPS request: only the server IP is extracted (the hostname and path are inside the TLS session, so HTTPS categorization is per server IP and correspondingly coarser)
• TSC categorizes the URL into predefined categories and provides site reputation information as well.
Enhanced Web Filtering cont'd
A URL filtering profile can contain:
• One blacklist
• One whitelist
• Multiple user-defined and predefined categories, each with a permit or block action
• Multiple site-reputation handling categories, each with a permit or block action
• One default action (permit or block)
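As an added example (not Juniper or Websense code), the following Python models how such a profile reaches a decision for one request. The evaluation order used here (blacklist, whitelist, user-defined categories, predefined categories, site reputation, default action) follows the order of the list above and is an assumption, as is the parent-domain suffix matching for list entries; the Websense ThreatSeeker Cloud is replaced by a constructed in-memory table, and for an HTTPS request the lookup key is the server IP, as described on the previous slide, so a whitelist entry written as a hostname does not apply to an HTTPS connection to that host.

```python
"""Model of an Enhanced Web Filtering profile decision (added illustration,
not Juniper/Websense code).  Assumptions: evaluation order is blacklist,
whitelist, user-defined categories, predefined categories, reputation,
default; list entries match the exact host or a parent domain; the TSC
lookup is a constructed table keyed by host (HTTP) or server IP (HTTPS)."""

from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class UrlFilterProfile:
    blacklist: set[str] = field(default_factory=set)
    whitelist: set[str] = field(default_factory=set)
    user_category_actions: dict[str, str] = field(default_factory=dict)       # category -> permit/block
    predefined_category_actions: dict[str, str] = field(default_factory=dict)
    reputation_actions: dict[str, str] = field(default_factory=dict)          # reputation band -> action
    default_action: str = "permit"


# Constructed stand-in for the ThreatSeeker Cloud: (category, reputation band),
# keyed by hostname for HTTP lookups and by server IP for HTTPS lookups.
FAKE_TSC = {
    "www.example.org": ("Enhanced_Search_Engines_and_Portals", "trustworthy"),
    "dl.malware.test": ("Enhanced_Malicious_Web_Sites", "harmful"),
    "203.0.113.10": ("Enhanced_Business_and_Economy", "moderately_safe"),  # an HTTPS server
    "intranet.corp.test": ("corp-internal", "trustworthy"),              # user-defined category
}
USER_DEFINED_CATEGORIES = {"corp-internal"}


def lookup_key(url: str, server_ip: str) -> str:
    """HTTP: the host is visible in the request.  HTTPS: only the server IP is
    available, because the request line and Host header are inside TLS."""
    parts = urlsplit(url)
    return parts.hostname if parts.scheme == "http" and parts.hostname else server_ip


def in_list(key: str, names: set[str]) -> bool:
    """Exact match or parent-domain suffix match (assumed list semantics)."""
    return any(key == n or key.endswith("." + n) for n in names)


def evaluate(profile: UrlFilterProfile, url: str, server_ip: str) -> tuple[str, str]:
    """Return (action, reason) following the assumed evaluation order."""
    key = lookup_key(url, server_ip)
    if in_list(key, profile.blacklist):
        return "block", "blacklist"
    if in_list(key, profile.whitelist):
        return "permit", "whitelist"
    category, reputation = FAKE_TSC.get(key, ("Uncategorized", "unknown"))
    if category in USER_DEFINED_CATEGORIES and category in profile.user_category_actions:
        return profile.user_category_actions[category], "user-category:" + category
    if category in profile.predefined_category_actions:
        return profile.predefined_category_actions[category], "category:" + category
    if reputation in profile.reputation_actions:
        return profile.reputation_actions[reputation], "reputation:" + reputation
    return profile.default_action, "default"


PROFILE = UrlFilterProfile(
    blacklist={"blocked.test"},
    whitelist={"example.org"},
    user_category_actions={"corp-internal": "permit"},
    predefined_category_actions={"Enhanced_Malicious_Web_Sites": "block"},
    reputation_actions={"harmful": "block", "suspicious": "block"},
    default_action="permit",
)

if __name__ == "__main__":
    for url, ip in [("http://www.example.org/", "198.51.100.1"),
                    ("http://dl.malware.test/a.exe", "198.51.100.2"),
                    ("https://www.example.org/", "203.0.113.10"),   # HTTPS: keyed by server IP
                    ("http://cdn.blocked.test/x", "198.51.100.3")]:
        print(url, evaluate(PROFILE, url, ip))
```

Running it shows two points worth checking in a real profile: a name present in both lists is blocked because the blacklist is consulted first, and the HTTPS request to www.example.org falls through to the default action because only the server IP is available for matching, so the hostname whitelist entry never fires.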
Antivirus
• Provided by Sophos.
• Less CPU-intensive than full file-based antivirus (full-file scanning is not available on FFP).
• Smaller memory footprint.
• "In the cloud" antivirus solution.
• The virus pattern and malware database is located on external servers maintained by Sophos.
• No downloading and maintenance of signatures needed on the device.
• A local internal cache keeps query responses from the external list server.
Antispam Filtering
• Provided by Sophos.
• Examines transmitted e-mail messages to identify spam. When an e-mail is detected as spam, the device either drops the message or tags the message header or subject field with a preconfigured string.
• The IP-based spam block list (SBL) is updated and maintained by Sophos (server-based antispam filtering).
• Optionally, you can create your own local whitelists and blacklists to filter e-mail against (local-list antispam filtering).
Local List Antispam Filtering
• Lists can be created against domain names, e-mail addresses and/or IP addresses.
• Partial matching is supported for domain names but not for IP addresses.
• Matching is done in the following order:
- Sender IP (whitelist / blacklist / SBL)
- Sender domain (whitelist / blacklist)
- Sender e-mail address (whitelist / blacklist)
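As an added example (not Juniper or Sophos code), this Python models the matching order on this slide and the spam actions on the previous one, and also the license behaviour noted under UTM Information (SBL matching stops when the antispam license expires while local lists keep working). Assumptions not stated on the slides: within each level the whitelist is consulted before the blacklist, partial domain matching means a parent-domain suffix match, and the Sophos SBL is replaced by a constructed set of IPs.

```python
"""Model of SRX antispam local-list + SBL matching (added illustration, not
Juniper/Sophos code).  Order: sender IP (whitelist, blacklist, SBL), then
sender domain (whitelist, blacklist), then sender address (whitelist,
blacklist).  Assumptions: whitelist before blacklist at each level, domain
partial match = parent-domain suffix, SBL is a constructed local set, and
sbl_licensed=False models the expired-license state."""

from __future__ import annotations
from dataclasses import dataclass, field
import ipaddress


@dataclass
class AntispamConfig:
    ip_whitelist: set[str] = field(default_factory=set)
    ip_blacklist: set[str] = field(default_factory=set)
    domain_whitelist: set[str] = field(default_factory=set)
    domain_blacklist: set[str] = field(default_factory=set)
    mail_whitelist: set[str] = field(default_factory=set)
    mail_blacklist: set[str] = field(default_factory=set)
    spam_action: str = "tag-subject"      # "drop" | "tag-subject" | "tag-header"
    tag_string: str = "***SPAM***"
    sbl_licensed: bool = True             # False once the antispam license key has expired


# Constructed stand-in for the Sophos IP-based spam block list (SBL).
FAKE_SBL = {"192.0.2.66", "192.0.2.67"}


def domain_matches(domain: str, entries: set[str]) -> bool:
    """Partial match: a list entry may be the sender domain itself or a parent of it."""
    d = domain.lower()
    return any(d == e or d.endswith("." + e) for e in (x.lower() for x in entries))


def classify(cfg: AntispamConfig, sender_ip: str, sender_addr: str) -> tuple[str, str]:
    """Return ("permit" | "spam", reason) following the slide's matching order."""
    ip = str(ipaddress.ip_address(sender_ip))          # IPs match exactly, never partially
    if ip in cfg.ip_whitelist:
        return "permit", "ip-whitelist"
    if ip in cfg.ip_blacklist:
        return "spam", "ip-blacklist"
    if cfg.sbl_licensed and ip in FAKE_SBL:           # SBL lookups stop when the license expires
        return "spam", "sbl"
    domain = sender_addr.rpartition("@")[2]
    if domain_matches(domain, cfg.domain_whitelist):
        return "permit", "domain-whitelist"
    if domain_matches(domain, cfg.domain_blacklist):
        return "spam", "domain-blacklist"
    addr = sender_addr.lower()
    if addr in {a.lower() for a in cfg.mail_whitelist}:
        return "permit", "mail-whitelist"
    if addr in {a.lower() for a in cfg.mail_blacklist}:
        return "spam", "mail-blacklist"
    return "permit", "no-match"


def apply_action(cfg: AntispamConfig, verdict: str, headers: dict[str, str]) -> dict[str, str] | None:
    """Apply the configured spam action to the message headers; None means dropped."""
    if verdict != "spam":
        return headers
    if cfg.spam_action == "drop":
        return None
    tagged = dict(headers)
    if cfg.spam_action == "tag-subject":
        tagged["Subject"] = (cfg.tag_string + " " + headers.get("Subject", "")).strip()
    else:
        tagged["X-Spam-Flag"] = cfg.tag_string
    return tagged


CFG = AntispamConfig(
    ip_whitelist={"198.51.100.5"},
    domain_whitelist={"partner.test"},
    domain_blacklist={"spammy.test"},
    mail_blacklist={"bad.actor@otherwise-fine.test"},
)

if __name__ == "__main__":
    msg = {"From": "news@mail.spammy.test", "Subject": "Offer"}   # constructed message
    verdict, why = classify(CFG, "203.0.113.9", msg["From"])
    print(verdict, why, apply_action(CFG, verdict, msg))
```

Two consequences of the ordering show up immediately: an SBL-listed sender IP is classed as spam even when its domain is on the local whitelist, because the IP level is evaluated first, and after the license lapses the same IP sails through unless it is also on the local IP blacklist.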
Content Filtering
• Blocks or permits traffic based on MIME type, file extension, protocol command and embedded object type.
• Content filtering evaluates traffic before all other UTM modules EXCEPT web filtering.
• Content filters available:
- MIME pattern filter: used to identify the type of traffic in the HTTP and mail protocols
- Block MIME list: MIME types to be blocked by the content filter
- Exception MIME list: MIME types not to be blocked (higher priority than the block list)
- Block extension list
- Protocol command block and permit lists: intended to be used in combination, with the permit list acting as an exception list to the block list
Content Filtering cont'd
• Protocol support: HTTP, FTP and e-mail (SMTP, IMAP, POP3).
• Types of content blocking supported only for HTTP:
- Block ActiveX
- Block Java applets
- Block cookies
- Block EXE files
- Block ZIP files
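As an added example (not Juniper code), this Python models the content-filter decisions on the two slides above: a MIME block list whose exception list takes priority, an extension block list, protocol-command block/permit lists where the permit list is the exception list, and the HTTP-only object blocks. Assumptions not on the slides: the relative order of the four checks, prefix matching for MIME entries (so "application/" covers every application type), identification of EXE and ZIP payloads by file magic rather than by declared name or type, and a simple tag search for ActiveX and Java applet objects; all sample traffic is constructed.

```python
"""Model of SRX content-filter decisions (added illustration, not Juniper
code).  Assumptions: check order is command, MIME, extension, HTTP-only
objects; MIME entries match by prefix; EXE/ZIP detection uses file magic;
ActiveX/applet detection is a tag search over the response body."""

from __future__ import annotations
from dataclasses import dataclass, field
import re


@dataclass
class ContentFilter:
    block_mime: set[str] = field(default_factory=set)
    exception_mime: set[str] = field(default_factory=set)      # beats block_mime
    block_extensions: set[str] = field(default_factory=set)
    block_commands: set[str] = field(default_factory=set)
    permit_commands: set[str] = field(default_factory=set)     # exceptions to block_commands
    block_content: set[str] = field(default_factory=set)       # HTTP only: activex, java-applet, cookie, exe, zip


def mime_blocked(cf: ContentFilter, mime: str) -> bool:
    m = mime.lower().split(";")[0].strip()
    if any(m.startswith(e.lower()) for e in cf.exception_mime):
        return False                                           # exception list has priority
    return any(m.startswith(e.lower()) for e in cf.block_mime)


def extension_blocked(cf: ContentFilter, filename: str) -> bool:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in {e.lower().lstrip(".") for e in cf.block_extensions}


def command_blocked(cf: ContentFilter, command: str) -> bool:
    c = command.upper()
    blocked = {x.upper() for x in cf.block_commands}
    permitted = {x.upper() for x in cf.permit_commands}        # permit list = exception list
    return c in blocked and c not in permitted


_OBJECT_PATTERNS = {
    "activex": re.compile(rb"<object[^>]*classid=", re.I),
    "java-applet": re.compile(rb"<applet\b|application/x-java-applet", re.I),
}


def http_content_blocked(cf: ContentFilter, headers: dict[str, str], body: bytes) -> str | None:
    """Return the first matching HTTP-only block type, or None."""
    if "cookie" in cf.block_content and any(h.lower() in ("set-cookie", "cookie") for h in headers):
        return "cookie"
    if "exe" in cf.block_content and body.startswith(b"MZ"):          # PE/DOS magic
        return "exe"
    if "zip" in cf.block_content and body.startswith(b"PK\x03\x04"):  # ZIP local file header
        return "zip"
    for name, pattern in _OBJECT_PATTERNS.items():
        if name in cf.block_content and pattern.search(body):
            return name
    return None


def filter_decision(cf: ContentFilter, protocol: str, headers: dict[str, str], body: bytes,
                    filename: str = "", command: str = "") -> tuple[str, str]:
    """Evaluate one request/response; object blocks apply only when protocol is HTTP."""
    if command and command_blocked(cf, command):
        return "block", "command:" + command.upper()
    mime = headers.get("Content-Type", "")
    if mime and mime_blocked(cf, mime):
        return "block", "mime:" + mime
    if filename and extension_blocked(cf, filename):
        return "block", "extension:" + filename
    if protocol.lower() == "http":
        hit = http_content_blocked(cf, headers, body)
        if hit:
            return "block", "content:" + hit
    return "permit", "no-match"


CF = ContentFilter(
    block_mime={"application/"},
    exception_mime={"application/pdf"},
    block_extensions={"scr", "vbs"},
    block_commands={"PUT", "DELETE"},
    permit_commands={"PUT"},
    block_content={"exe", "zip", "activex", "java-applet"},
)

if __name__ == "__main__":
    print(filter_decision(CF, "http", {"Content-Type": "application/pdf"}, b"%PDF-1.7", filename="a.pdf"))
    print(filter_decision(CF, "http", {"Content-Type": "text/plain"}, b"MZ\x90\x00", filename="setup.txt"))
```

The second sample call is the case that matters for clients: an executable served as text/plain with a harmless extension passes both the MIME and extension lists and is caught only by the HTTP object block on the file magic; the same payload over FTP is not caught by that block, since the slide lists it as HTTP-only.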
IPS
• Juniper provides predefined application signatures that detect TCP and UDP applications running on nonstandard ports.
• The IPS sensor monitors the network and detects suspicious and anomalous traffic based on the rules defined in the IPS rulebases.
• Predefined application signatures are downloaded from Juniper.
• Application signatures cannot be created by the user (note that custom attack signatures can be created).
• Scheduled signature packs usually ship at 2pm PST
IPS Policy & FW Integration
Firefly Perimeter Virtual Hardware Configuration
• CPU: 2 vCPUs, one for the RE and one for flowd (the PFE)
• Memory: 2 GB, or 3 GB if UTM/IDP is enabled
• Disk: 2 GB
• Currently these configurations are fixed; future versions will allow more tailoring of the configuration (memory, CPU, etc.)
Firefly Scale and Performance Metrics

Performance (1)                                  VMware                     KVM
Firewall (UDP 1514B pkts)                        4.4 Gbps                   1.1 Gbps
Firewall (IMIX)                                  1.1 Gbps                   221 Mbps
Firewall ramp rate (TCP)                         22K CPS                    9K CPS
Firewall latency (512B UDP)                      107 microseconds           114 microseconds
Firewall IPv6 (UDP 512B pkts)                    1.46 Gbps                  374 Mbps
NAT (UDP 1514B pkts)                             4.4 Gbps                   981 Mbps
NAT (IMIX)                                       1.1 Gbps                   218 Mbps
NAT ramp rate (TCP)                              19K CPS                    8K CPS
IPsec (3DES+SHA1, 1514B)                         294 Mbps                   195 Mbps
IPsec (3DES+SHA1, IMIX)                          132 Mbps                   99 Mbps
IPsec (3DES+SHA1, 64B)                           50 Mbps                    25 Mbps
IKE rate (3DES+SHA1, IKEv1 or IKEv2)             71 tunnels/sec             48 tunnels/sec
EWF (44KB file)                                  251 Mbps (650 CPS load)    62 Mbps (160 CPS load)
SAV (all-scan, 44KB file)                        280 Mbps (720 CPS load)    116 Mbps (300 CPS load)
HTTP throughput with IDP (2) (44KB response)     740 Mbps                   385 Mbps
HTTP CPS with IDP (2) (64-byte response)         3000 CPS                   2000 CPS

(1) Reference platform for performance: Dell PowerEdge R820, ESXi 5.1, 24 cores, 2.899 GHz CPUs
(2) IDP performance is based on the default recommended IDP policy

Scale (VMware and KVM)
Max addresses per address-set                    1024
Max firewall sessions                            256K
Max PAT sessions (source NAT with PAT)           256K
MAC/ARP table size                               8K
vRAM required per instance                       2 GB
Max vNICs per instance                           10
Max zones                                        128
Max address books                                128
Max policies                                     10240
Max policies with count                          128
Max applications per policy                      1024
Max VLANs                                        4K
Max OSPF routes                                  160K
vCPUs required per instance                      2
Max VRs supported                                5
IDP session scaling (2)                          32K
Firefly Advanced Security Capabilities Matrix
Licensing Options with UTM / Security Add-Ons
• FFP with AppSecure and IDP
• FFP with Sophos AV, Sophos Anti-spam, Enhanced WF, AppSecure and IDP
• FFP with Sophos AV
• FFP with Enhanced Web Filtering
• Perpetual and subscription pricing are available, BUT only subscription pricing is available for the Security Add-Ons
• Content filtering is available for "free" in all license options
Pricing
• No hard license keys are required to activate the product or related features. License purchases are required for what is used, but Juniper removed activation keys from the product to enable true cloud/NFV (Network Functions Virtualization) dynamic environments: cloning, auto-instantiation of VMs, etc. all remain unimpacted.
• The 'base' offering of Firefly provides full stateful firewalling, NAT, VPN and advanced routing (OSPF, BGP, MPLS, etc.).
• A number of advanced security services (anti-virus, anti-spam, web URL filtering, IPS) can be purchased and activated, all on a single virtual machine.
New Pricing Models for Firefly
Pricing cont'd
• Documentation:
- Firefly FAQ
- Firefly Sales Presentation
- Firefly Pricing Guidelines
Thank you!