Date posted: 13-Sep-2018
Page 1: Firefly Perimeter ( vSRX ) Technical information 12.1 …media.gswi.westcon.com/media//5._TS-5daagse2015-vSRX.pdf · Note that Dynamic VPN has been removed in this release . 8 ...

Firefly Perimeter ( vSRX ) Technical information 12.1 X47 D10.2

Tuncay Seyran

Page 2

Security in a virtualized environment: same security risks + more

Targeted Malware

Thumb Drive theft

Accelerated Provisioning (clones, s/w scripts, etc.)

Mixed-trust Workloads

Data Loss

Audit Scope Creep

Security Left to Non-Traditional Security Staff

VM Migrations

Missing Security Updates and Patches

Reliance on Traditional Barriers

Hypervisor Integrity Concerns

Poor Visibility and Control

NEW SECURITY RISKS EXCLUSIVE TO VIRTUAL ENVIRONMENTS

TRADITIONAL SECURITY RISKS IMPACTING VIRTUAL ENVIRONMENTS

Leveraging traditional security solutions transposed from physical server environments can become a major obstacle in your progress—most pre-date x86 virtualization and were never designed to operate in this environment

Page 3

Legacy security on Virtual Machines JUST DOESN’T MAKE SENSE…

[Diagram: an x86 box running a hypervisor that hosts twelve VMs]

Multiple instances of anti-malware software + multiple instances of anti-malware signature database

• Performance degradation

• Wasteful duplication of the security software

• Potential gaps in security:

- Scanning storms

- Panic Attacks

- Update Storms

Page 4

Virtual Security Solutions DO MAKE SENSE…

[Diagram: an x86 box running a hypervisor that hosts twelve VMs]

One virtual instance of anti-malware software + one virtual instance of anti-malware signature database

• Higher guest virtual machine densities

• Higher performance for critical applications and business processes

• Easy deployment and automatic protection of the newly created virtual machine

• Higher return on investment

• Security gaps are eliminated (e.g. instant-on gaps, scanning storms, etc.)

Firefly Perimeter

Page 5

Next Generation Firewalls (defined by Gartner)

• Deep-packet inspection firewalls that move beyond port/protocol inspections and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.

• An NGFW should not be confused with a stand-alone network intrusion prevention system ( IPS ) that includes a commodity or non-enterprise firewall, or with a firewall and IPS in the same appliance that are not closely integrated.

NOTE : Firefly Perimeter is not being called an NGFW until the AppSecure 2.0 release ships as part of Firefly Perimeter

Page 6

What’s New in FFP x47-D10.2

Page 7

What’s New in FFP x47-D10.2

Note that Dynamic VPN has been removed in this release

Page 8

Unified Threat Management ( UTM ) Features

• Web Filtering ( redirect ) ( WF )

• Enhanced Web Filtering ( EWF )

• (Sophos) Antivirus ( SAV / AV Sophos)

• (Sophos) Antispam Filtering ( AS )

• Content Filtering ( CF )

Page 9

UTM Information

• A license is needed for UTM and IPS. In all cases, to achieve HA you must purchase twice the single-instance amount.

• Licenses are sold for a 1, 3, or 5 year term

• Currently there is no hard key enforcement

• The initial / eval license is valid for six months

• SBL server matching stops when the antispam license key has expired

• Local whitelist / blacklist matching continues after the antispam license key has expired

• UTM will be turned on by default. This means some of the capacity numbers will be cut by half even when UTM is not used.

Page 10

UTM and Security Components ( current + future )

Page 11

SRX UTM Features and Partners

Page 12

UTM ( current + future )

Page 13

How to Position UTM Services ( current + future)

Page 14

Protecting your clients

• Enhanced Web Filtering
- Proactively blocks categories of sites that may be used for spreading malware or may be in violation of corporate policy

• Anti-virus and Anti-malware from Sophos
- Verifies that the site is not known for spreading malware (reputation-based filtering available with Sophos AV), and scans incoming files for viruses

• Intrusion Prevention System
- Inspects traffic at the application layer against known and unknown attacks and blocks or logs them

• Anti-spam
- Prevents unwanted mail from disreputable senders

• Application Tracking ( future )
- Provides visibility into which applications and nested applications are used

• Application Firewalling ( future )
- Proactively blocks specific applications that may be used for spreading malware or may be in violation of corporate policy

Different techniques address different problems when it comes to protecting clients from becoming infected while accessing the Internet

Page 15

Web Filtering

• Prevents access to inappropriate web content.

• Two types:
- Redirect web filtering solution ( license not needed ): intercepts HTTP requests and forwards the requested URL to an external URL filtering server ( provided by Websense ), which decides block or permit.
- Juniper local web filtering ( license not needed ): the block-or-permit decision is made on the device after it identifies the category of the URL from user-defined categories stored on the device.

Page 16

Enhanced Web filtering

• Enhanced web filtering ( license required )
- Requests are sent to the Websense ThreatSeeker Cloud ( TSC )
- The URL of the site is sent and Websense returns a classification and a reputation score

• Integrated URL filtering solution.

• Intercepts HTTP and HTTPS requests and sends the HTTP / HTTPS URL / source IP to the Websense ThreatSeeker Cloud ( TSC ).
- HTTP request : the URL is extracted
- HTTPS request : the IP is extracted

• TSC categorizes the URL into predefined categories and provides site reputation information as well.

Page 17

Enhanced Web Filtering cont’d

A URL filtering profile can contain:

• One blacklist

• One whitelist

• Multiple user-defined and predefined categories, each with a permit or block action

• Multiple site reputation handling categories, each with a permit or block action

• One default action ( permit or block )
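The slides on pages 16 and 17 describe what the Enhanced Web Filtering profile holds and what is sent to the cloud, but not how a single request flows through it. The following is an added example (not code from the slides, Juniper or Websense) that models a profile with one blacklist, one whitelist, per-category actions, per-reputation-band actions and a default action, and applies the HTTP/HTTPS difference from page 16: for HTTP the URL (its host, here) is the lookup key, for HTTPS only the destination IP is. The ThreatSeeker Cloud is replaced by a constructed in-memory table, the reputation bands are constructed, and the evaluation order (blacklist, whitelist, category, reputation, default) is this example's assumption, not something the slides state.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for ThreatSeeker Cloud answers: lookup key -> (category, reputation 0-100).
# The real TSC is queried over the network; nothing below is Websense data.
FAKE_TSC = {
    "www.example.com": ("Business", 95),
    "dl.example.net": ("Enhanced_Malware", 10),
    "203.0.113.9": ("Gambling", 40),   # what TSC sees for an HTTPS flow: only the IP
}

# Constructed reputation bands (score floor -> band name); not taken from the slides.
REPUTATION_BANDS = [(90, "very-safe"), (80, "moderately-safe"), (70, "fairly-safe"),
                    (60, "suspicious"), (0, "harmful")]


def reputation_band(score):
    """Map a 0-100 reputation score onto the constructed band names."""
    for floor, name in REPUTATION_BANDS:
        if score >= floor:
            return name
    return "harmful"


@dataclass
class EwfProfile:
    blacklist: set = field(default_factory=set)            # one blacklist
    whitelist: set = field(default_factory=set)            # one whitelist
    category_actions: dict = field(default_factory=dict)   # category -> "permit" | "block"
    reputation_actions: dict = field(default_factory=dict) # band -> "permit" | "block"
    default_action: str = "permit"                         # one default action


def lookup_key(scheme, url, dst_ip):
    """HTTP: the URL (host part here) is extracted; HTTPS: only the destination IP."""
    return urlsplit(url).hostname if scheme.lower() == "http" else dst_ip


def decide(profile, scheme, url, dst_ip, tsc=FAKE_TSC):
    """Return (action, reason). Order assumed by this example:
    blacklist, whitelist, category action, reputation action, default."""
    key = lookup_key(scheme, url, dst_ip)
    if key in profile.blacklist:
        return "block", "blacklist"
    if key in profile.whitelist:
        return "permit", "whitelist"
    category, score = tsc.get(key, ("Uncategorized", None))
    if category in profile.category_actions:
        return profile.category_actions[category], f"category:{category}"
    if score is not None:
        band = reputation_band(score)
        if band in profile.reputation_actions:
            return profile.reputation_actions[band], f"reputation:{band}"
    return profile.default_action, "default"


def demo_profile():
    """A constructed profile used by the checks below."""
    return EwfProfile(
        blacklist={"bad.example.org"},
        whitelist={"www.example.com"},
        category_actions={"Enhanced_Malware": "block", "Business": "permit"},
        reputation_actions={"harmful": "block", "suspicious": "block"},
        default_action="permit",
    )


if __name__ == "__main__":
    p = demo_profile()
    print(decide(p, "http", "http://www.example.com/index.html", "198.51.100.1"))
    # The same whitelisted host over HTTPS is keyed by IP, so the whitelist does not apply
    print(decide(p, "https", "https://www.example.com/", "203.0.113.9"))
```

The HTTPS case is the one worth noticing: because only the IP reaches the lookup, a whitelist entry written as a hostname does not match, and the decision falls through to whatever category and reputation the cloud associates with that address.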

Page 18

Antivirus

• Provided by Sophos.

• Less CPU intensive than full file-based antivirus (full-file scanning is not available for FFP).

• Smaller memory footprint.

• “In the cloud” antivirus solution.

• The virus pattern and malware database is located on external servers maintained by Sophos.

• No downloading and maintenance needed.

• Local internal cache to maintain query responses from external list server.

Page 19

Antispam Filtering

• Provided by Sophos.

• Examines transmitted e-mail messages to identify e-mail spam. When e-mail is detected as spam, it will drop the message or tag the message header or subject field with a preprogrammed string.

• IP based Spam block list ( SBL ) is updated and maintained by Sophos ( Server based antispam filtering )

• Optionally can create your own local whitelists and blacklists for filtering against email ( Local list antispam filtering )

Page 20

Local List Antispam Filtering

• Lists can be created against domain names, email addresses, and / or IP addresses.

• Partial matching is supported for domain names but not for IP addresses.

• Matching is done in the following order:
- Sender IP ( whitelist / blacklist / SBL )
- Sender domain ( whitelist / blacklist )
- Sender email ( whitelist / blacklist )
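The matching order above, together with the licence note on page 9 (SBL lookups stop when the antispam key expires, local lists keep working) and the actions on page 19 (drop, or tag the header or subject), as an added example that is not Juniper's code. The list contents, the stand-in SBL and the sample senders are constructed; "partial matching" for domains is modelled as a suffix match and whitelist-before-blacklist within each tier is assumed, since the slides do not spell either out.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed stand-in for the Sophos IP-based spam block list. The real SBL is
# maintained and served by Sophos; these are documentation-range addresses.
SAMPLE_SBL = {"198.51.100.7", "203.0.113.250"}


@dataclass
class AntispamProfile:
    ip_whitelist: set = field(default_factory=set)
    ip_blacklist: set = field(default_factory=set)
    domain_whitelist: set = field(default_factory=set)
    domain_blacklist: set = field(default_factory=set)
    email_whitelist: set = field(default_factory=set)
    email_blacklist: set = field(default_factory=set)
    spam_action: str = "tag-subject"   # "drop" | "tag-header" | "tag-subject"
    tag_string: str = "***SPAM***"     # the preprogrammed string the slide mentions
    license_valid: bool = True         # antispam license key still within its term


def domain_matches(sender_domain, pattern):
    """Partial matching for domains (assumed: case-insensitive suffix match)."""
    s = sender_domain.lower()
    p = pattern.lower().lstrip("*").lstrip(".")
    return s == p or s.endswith("." + p)


def classify(profile, sender_ip, sender_email, sbl=SAMPLE_SBL):
    """Return ("permit" | "spam", rule) following the slide's tier order."""
    ip = str(ip_address(sender_ip))        # exact match only; raises ValueError on junk
    email = sender_email.lower()
    domain = email.rsplit("@", 1)[-1]
    # Tier 1: sender IP against whitelist, blacklist, then the SBL
    if ip in profile.ip_whitelist:
        return "permit", "ip-whitelist"
    if ip in profile.ip_blacklist:
        return "spam", "ip-blacklist"
    # SBL server matching stops once the antispam license key has expired
    if profile.license_valid and ip in sbl:
        return "spam", "sbl"
    # Tier 2: sender domain; local lists keep working after expiry
    if any(domain_matches(domain, p) for p in profile.domain_whitelist):
        return "permit", "domain-whitelist"
    if any(domain_matches(domain, p) for p in profile.domain_blacklist):
        return "spam", "domain-blacklist"
    # Tier 3: full sender address, exact match
    if email in profile.email_whitelist:
        return "permit", "email-whitelist"
    if email in profile.email_blacklist:
        return "spam", "email-blacklist"
    return "permit", "no-match"


def apply_action(profile, verdict, subject):
    """Map the verdict to what happens to the message: deliver, drop, or tag."""
    if verdict != "spam":
        return "deliver", subject
    if profile.spam_action == "drop":
        return "drop", subject
    if profile.spam_action == "tag-subject":
        return "deliver", f"{profile.tag_string} {subject}"
    return "deliver", subject   # tag-header: subject unchanged, a header is added instead


def demo_profile(license_valid=True):
    """A constructed profile used by the checks below."""
    return AntispamProfile(
        ip_whitelist={"192.0.2.10"},
        domain_blacklist={"spammy.example"},
        email_whitelist={"newsletter@spammy.example"},
        license_valid=license_valid,
    )


if __name__ == "__main__":
    for lic in (True, False):
        verdict, rule = classify(demo_profile(lic), "198.51.100.7", "user@good.example")
        print(f"license_valid={lic}: {verdict} ({rule})")
```

Two effects of the ordering are visible in the checks: an SBL-listed sender sails through once the licence lapses, and an address on the email whitelist is still classified as spam if its domain is on the domain blacklist, because the domain tier is evaluated before the email tier.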

Page 21

Content Filtering

• Blocks or permits traffic based on MIME type, file extension, protocol command, and embedded object type.

• Content filtering evaluates traffic before all other UTM modules EXCEPT web filtering.

• Content filters available :
- MIME Pattern Filter : used to identify the type of traffic in HTTP and mail protocols
  - Block MIME list : types to be blocked by the content filter
  - Exception MIME list : types not to be blocked ( higher priority than the block list )
- Block Extension List
- Protocol Command Block and Permit Lists
  - The block and permit command lists are intended to be used in combination, with the permit list acting as an exception list to the block list

Page 22

Content Filtering cont’d

• http, ftp, email ( SMTP, IMAP, POP3 ) filtering protocol support.

• Types of content blocking supported only for HTTP :
- Block ActiveX
- Block Java applets
- Block cookies
- Block EXE files
- Block ZIP files
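The content-filter lists on pages 21 and 22 compose in a specific way: the MIME exception list beats the MIME block list, the protocol command permit list is an exception to the command block list, and the object blocks (ActiveX, Java applets, cookies, EXE, ZIP) apply only to HTTP. The following is an added example, not Juniper's implementation, that evaluates one request or message against such a filter. The list contents and sample requests are constructed, MIME patterns are matched by prefix, and the order in which the four list types are consulted is this example's assumption.

```python
from dataclasses import dataclass, field

SUPPORTED_PROTOCOLS = {"http", "ftp", "smtp", "imap", "pop3"}
HTTP_OBJECT_BLOCKS = {"activex", "java-applet", "cookie", "exe", "zip"}


@dataclass
class ContentFilter:
    block_mime: set = field(default_factory=set)        # MIME prefixes to block
    exception_mime: set = field(default_factory=set)    # MIME prefixes exempt from the block list
    block_extensions: set = field(default_factory=set)  # file extensions to block
    block_commands: set = field(default_factory=set)    # protocol commands to block
    permit_commands: set = field(default_factory=set)   # exceptions to block_commands
    http_blocks: set = field(default_factory=set)       # subset of HTTP_OBJECT_BLOCKS

    def __post_init__(self):
        unknown = self.http_blocks - HTTP_OBJECT_BLOCKS
        if unknown:
            raise ValueError(f"unknown HTTP object blocks: {sorted(unknown)}")


def mime_in(mime, patterns):
    """Prefix match, so "application/" covers every application subtype (assumed)."""
    m = mime.lower()
    return any(m.startswith(p.lower()) for p in patterns)


def evaluate(cf, protocol, command=None, mime=None, filename=None, objects=()):
    """Return ("block", reason) or ("permit", reason-or-None) for one request."""
    proto = protocol.lower()
    if proto not in SUPPORTED_PROTOCOLS:
        return "permit", "unsupported-protocol"   # content filter does not inspect it
    # Protocol command: the permit list is an exception to the block list
    if command:
        c = command.upper()
        blocked = {x.upper() for x in cf.block_commands}
        permitted = {x.upper() for x in cf.permit_commands}
        if c in blocked and c not in permitted:
            return "block", f"command:{c}"
    # MIME type: the exception list has higher priority than the block list
    if mime and mime_in(mime, cf.block_mime) and not mime_in(mime, cf.exception_mime):
        return "block", f"mime:{mime.lower()}"
    # File extension block list (case-insensitive, leading dot optional)
    if filename and "." in filename:
        ext = filename.rsplit(".", 1)[-1].lower()
        if ext in {e.lower().lstrip(".") for e in cf.block_extensions}:
            return "block", f"extension:{ext}"
    # Embedded object blocks apply to HTTP only
    if proto == "http":
        hit = cf.http_blocks & {o.lower() for o in objects}
        if hit:
            return "block", "object:" + ",".join(sorted(hit))
    return "permit", None


def demo_filter():
    """A constructed filter used by the checks below."""
    return ContentFilter(
        block_mime={"application/"},
        exception_mime={"application/pdf"},
        block_extensions={"exe", ".zip"},
        block_commands={"PUT", "DELETE", "STOR"},
        permit_commands={"PUT"},
        http_blocks={"activex", "java-applet"},
    )


if __name__ == "__main__":
    cf = demo_filter()
    print(evaluate(cf, "http", mime="application/pdf"))          # exception list wins
    print(evaluate(cf, "http", mime="application/x-msdownload")) # blocked by prefix
    print(evaluate(cf, "smtp", objects=["activex"]))             # object blocks are HTTP-only
```

The two "exception beats block" rules are deliberately expressed as `in blocked and not in permitted`, which is the shape a reviewer should look for when auditing any such list pair: a permit list that is consulted first and short-circuits would silently override later, unrelated block rules.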

Page 23

IPS

• Juniper provides predefined application signatures that detect TCP and UDP applications running on nonstandard ports.

• The IPS sensor monitors the network and detects suspicious and anomalous network traffic based on the rules defined in the IPS rulebases.

• Predefined application signatures are downloaded.

• Application signatures cannot be created
- Note that attack signatures can be created

• Scheduled signature packs usually ship at 2pm PST

Page 24

IPS Policy & FW Integration

Page 25

Firefly Perimeter Virtual Hardware Configuration

• CPU
- 2 vCPU, one for the RE, one for flowd (PFE)

• Memory
- 2 GB
- 3 GB if UTM/IDP is enabled

• Disk
- 2 GB

• Currently these configurations are fixed – future versions will allow more tailoring of the configuration (memory, CPU, etc.)

Page 26

Firefly Scale and Performance metrics

| Performance [1] | VMware | KVM |
|---|---|---|
| Firewall (UDP 1514B pkts) | 4.4 Gbps | 1.1 Gbps |
| Firewall (IMIX) | 1.1 Gbps | 221 Mbps |
| Firewall Ramp Rate (TCP) | 22K CPS | 9K CPS |
| Firewall Latency (512B UDP) | 107 µs | 114 µs |
| Firewall IPv6 (UDP 512B pkts) | 1.46 Gbps | 374 Mbps |
| NAT (UDP 1514B pkts) | 4.4 Gbps | 981 Mbps |
| NAT (IMIX) | 1.1 Gbps | 218 Mbps |
| NAT Ramp Rate (TCP) | 19K CPS | 8K CPS |
| IPSec (3DES+SHA1, 1514B) | 294 Mbps | 195 Mbps |
| IPSec (3DES+SHA1, IMIX) | 132 Mbps | 99 Mbps |
| IPSec (3DES+SHA1, 64B) | 50 Mbps | 25 Mbps |
| IKE Rate (3DES+SHA1, v1 or v2) | 71 tunnels/sec | 48 tunnels/sec |
| EWF (44KB file) | 251 Mbps (650 CPS load) | 62 Mbps (160 CPS load) |
| SAV (all-scan, 44KB file) | 280 Mbps (720 CPS load) | 116 Mbps (300 CPS load) |
| HTTP Throughput [2] (response content, 44KB file) | 740 Mbps | 385 Mbps |
| HTTP CPS [2] (response content, 64 bytes) | 3000 CPS | 2000 CPS |

[1] Reference platform for performance: Dell PowerEdge R820, ESXi 5.1, 24 cores, 2.899 GHz CPUs
[2] IDP performance is based on the default recommended IDP policy

| Scale (VMware & KVM) | Value |
|---|---|
| Max addresses per address-set | 1024 |
| Max firewall sessions | 256K |
| Max PAT sessions (source NAT with PAT) | 256K |
| MAC/ARP table size | 8K |
| vRAM required per instance | 2 GB |
| Max vNICs per instance | 10 |
| Max zones | 128 |
| Max address books | 128 |
| Max policies | 10240 |
| Max policies with count | 128 |
| Max applications per policy | 1024 |
| Max VLANs | 4K |
| Max OSPF routes | 160K |
| vCPUs required per instance | 2 |
| Max VRs supported | 5 |
| IDP session scaling [2] | 32K |

Page 27

FireFly Advanced Security capabilities matrix

Page 28

Licensing Options with UTM / Security Add-Ons

• FFP with AppSecure and IDP

• FFP with Sophos AV, Sophos Anti-spam, Enhanced WF, AppSecure, IDP

• FFP with Sophos AV

• FFP with Enhanced Web Filtering

• Perpetual and subscription pricing is available BUT only subscription is available for Security Add-Ons

• Content filtering is available for “free” in all license options

Page 29

Pricing

• No hard license keys are required to activate the product or related features. License purchases are required for what is used, but Juniper removed activation keys from the product to enable true Cloud/NFV (Network Function Virtualization) dynamic environments (cloning, auto-instantiation of VMs, etc. all remain unaffected).

• In the 'base' offering, Firefly provides full stateful firewalling, NAT, VPN and advanced routing (OSPF, BGP, MPLS, etc.).

• A number of advanced security services (anti-virus, anti-spam, web URL filtering, IPS) can be purchased and activated ( all on a single virtual machine ).

Page 30

New Pricing Models for Firefly

Page 32

Thank You !!!

