Juniper Security Update (slide deck transcript, hosted by Relnet Technológia Kft, dated 2010-12-19)

Juniper Security Update

Karel Hendrych

Juniper Networks

[email protected]

2 Copyright © 2009 Juniper Networks, Inc. www.juniper.net

Agenda

• High End SRX security gateways
  – Overview, SRX1400
• JunOS update
• AppSecure
• Competitive

This product roadmap sets forth Juniper Networks’ current intention and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted on this roadmap.

High End SRX security gateways


SRX / DATA CENTER SERVICES PLATFORMS

[Figure: next-gen security systems positioned by scalable performance; the ScreenOS platforms NS-5200, NS-5400, ISG1000 and ISG2000 are shown alongside the SRX line.]

• SRX1400: 3U, 3 CFM, 12GE or 3XGE+9GE, 1+1 PS, 10/2/2G, 0.5M sess, 45kcps
• SRX3400: 3U, 4+3 CFM, 8+4 GE, 2RE*, 1+1 PS, 20/8/8G, 2M sess, 175kcps
• SRX3600: 5U, 6+6 CFM, 8+4 GE, 2RE*, 2+2 PS, 30/10/10G, 2M sess, 175kcps
• SRX5600: 8U, 6 slot, 2RE*, 1+1 SCB, 2+2 PS, 60/15/15G, 9M sess, 350kcps
• SRX5800: 16U, 12 slot, 2RE*, 2+1 SCB, 2+2 AC, 3+1 DC, 120/30/30G, 10M sess, 350kcps

Note *: Redundant REs not currently supported

Next-Gen Security Systems: Scalable Performance, Rich Standard Services, Integrated Networking Services

Rich Standard Services:
• Firewall
• VPN
• IPS
• Routing
• QoS
• AppSecure
• More to come…
• Extensible Security Services


SRX1400 DETAILS

[Figure: front and rear views of the SRX1400 chassis with the items below called out.]

• Discrete Routing Engine; separate control and data planes
• Management module: two USB, aux port, console port
• Expansion slot: one SRX3000 IOC (2x 10GbE XFP, 16x 10/100/1000, or 16x 1000BASE-X), or future items and next-gen hardware
• Power supply (FRU), AC or DC; optional 2nd (redundant) hot-swap power supply
• Fan tray (rear)
• Choice of base systems:
  – SRX1400 -GE: 12 GbE ports (6x 10/100/1000 RJ45, 6x 1000BASE-X SFP), 2 HA or data, console port
  – SRX1400 -XGE: GbE and 10GbE ports (6x 10/100/1000 RJ45, 3x 1000BASE-X SFP, 3x 10GbE SFP+), 2 HA or data, console port
• Double-wide slot for processing resources: SRX1400 NSPC, or SRX3000 NPC and SPC


SRX HE JunOS 10.2-10.3 highlights (shipping)

• ALG: IPSEC, MS-RPC, SUN-RPC, DNS, SIP, SQL
• AppID decoupled from IDP
• 802.3AD LACP chassis cluster
• IPv6 flow, QoS, filters, mgmt, screen, A/P HA
• Dual HA data/control links
• IDP nested applications
• AppTrack
• AppDoS cps limit
• IDP packet capture
• TCP/UDP sweep screen
• Cone NAT with wild-card
• Multicast HA


SRX HE JunOS 10.4 highlights (BETA)

• datapath-debug pcap support
• port mirroring
• IPv6 NAT, multicast, A/A HA
• NAT-PT, DNS ALG
• DS-lite, IPv4 tunnels over IPv6 networks
• VoIP ALG DSCP rewrite
• IPv6 syn-flood protections
• DHCPv6
• SRX1400 platform
• session increase (SRX3600: up to 6M sessions)

AppSecure


APPSECURE: APPID AS PART OF JUNOS SERVICES

Provide application visibility and context to additional services for enhanced, application-aware security.

[Figure: Junos services packet path, per-packet policer and filter, session match, forwarding lookup, per-packet filter, policer and shaper, with AppID results feeding IPS and the other application-aware services.]


APPSECURE SERVICE MODULES

[Figure: the Application Identification Engine (AI, NAI) produces ID results from flow processing, which feed the service modules AppTrack, AppFW, AppDoS, AppQoS and IPS; some modules are marked as future items.]


APPSECURE: APPLICATION DENIAL OF SERVICE (AppDoS)

Identifies attacking botnet traffic vs. legitimate clients based on application-layer metrics and remediates against botnet traffic.

Employs a multi-stage approach, from server connection monitoring and deep protocol analysis to bot-client classification:

• Server connection monitoring
• Protocol analysis
• Bot-client classification


APPSECURE: APPLICATION VISIBILITY – SRX


CONFIGURATION – NESTED-APPLICATION DEFINITION

Both predefined and custom nested-application definitions are at [services application-identification nested-application]:

    [edit services application-identification]
    nested-application junos:FACEBOOK {
        type FACEBOOK;
        index 311;
        protocol HTTP;
        signature NestedApplication:FACEBOOK {
            member m01 {
                context http-header-host;
                pattern ".*(facebook\.com|fbcdn\.net)";
                direction client-to-server;
            }
        }
    }
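Added example, not Juniper's code: a minimal matcher that applies the slide's junos:FACEBOOK signature (context http-header-host, direction client-to-server) to constructed HTTP requests, so the effect of that pattern can be checked offline. It assumes Python's re.match semantics for the pattern, and the TIGHTENED variant is my own suggestion, not something on the slide.

```python
import re
from typing import Dict, Optional

# Signature transcribed from the slide's nested-application junos:FACEBOOK.
# Regex semantics below are Python's re.match; that Junos AppID evaluates the
# pattern identically is an assumption of this example.
SIGNATURES = {"junos:FACEBOOK": {"context": "http-header-host",
                                 "pattern": r".*(facebook\.com|fbcdn\.net)",
                                 "direction": "client-to-server"}}
# My tightened variant (not from the slide): the host must be one of the two
# domains or a subdomain of them, so unrelated hosts are no longer reported.
TIGHTENED = {"junos:FACEBOOK": {"context": "http-header-host",
                                "pattern": r".*(^|\.)(facebook\.com|fbcdn\.net)$",
                                "direction": "client-to-server"}}

def host_header(raw_request: bytes) -> Optional[str]:
    """Return the Host header value of a raw HTTP/1.x request, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None

def classify(raw_request: bytes, signatures: Dict = SIGNATURES,
             direction: str = "client-to-server") -> Optional[str]:
    """Apply each http-header-host signature to the request's Host header."""
    host = host_header(raw_request)
    if host is None:
        return None
    for app, sig in signatures.items():
        if sig["direction"] != direction or sig["context"] != "http-header-host":
            continue
        if re.match(sig["pattern"], host):
            return app
    return None

# Constructed sample requests (not captures from the slides).
REQ_FB = b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
REQ_CDN = b"GET /a.jpg HTTP/1.1\r\nHost: static.ak.fbcdn.net\r\n\r\n"
REQ_OTHER = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# The slide's pattern starts with ".*" and has no trailing anchor, so a host
# that merely contains "facebook.com" is also reported as FACEBOOK.
REQ_OVERMATCH = b"GET / HTTP/1.1\r\nHost: www.notfacebook.com\r\n\r\n"
```

The over-match matters for AppTrack visibility and any AppFW policy keyed on the application, so check custom patterns against hosts that contain the string but are not the domain.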

High End SRX: Competitive


Competitive Agenda

• Architecture
  – High End ScreenOS platform packet flow
  – High End SRX packet flow
• SRX Performance
• Integration of SRX with other security products

High End ScreenOS platform packet flow


First Packet Flow

1. Incoming packet from the I/O module into the ASIC through the FPGA (switch fabric).
2. The ASIC parses the packet header and checks for a session match.
3. If no session match is found, the ASIC passes the first 64 bytes to the management module through the control bus. If the management module needs more information, it can access the packet in the ASIC module’s memory.
4. The management module creates a new session and forwards the packet info to the ASIC module for transmission.

[Figure: IF1/IF2 -> FPGA -> ASIC (with SDRAM) -> FPGA over the data bus, with the control bus to the management module; steps 1-4 marked.]


Packet Flow, Existing Session

Session match found: the ASIC handles the packet directly.

1. Incoming packet from the I/O module.
2. Packet transferred to the ASIC through the FPGA.
3. Session matched, and the packet is placed in the transmit queue of the FPGA (NAT, IPSec encap/decap and screening for ASIC-based attacks all happen at the ASIC).
4. The FPGA transfers the packet out through the I/O module.

[Figure: IF1/IF2 -> FPGA -> ASIC (with SDRAM) over the FIFO bus, with the control bus to the management module; steps 1-4 marked.]

High End SRX packet flow


PACKET FLOW SRX 3K: FIRST PACKET OF NEW FLOW

1. Packet received by NP; NP flow lookup, no match.
2. NP sends packet to CP.
3. CP chooses SPU and forwards the packet; SPU does session setup.
4. Packet forwarded out egress port via NPC for queuing.

[Figure: IOC #X / NPC #R and IOC #Y / NPC #S (NP and FPGA) in the fabric IOC domain; SPC #1 (CP and SPU) through SPC #N in the fabric SPC domain; switch fabric between them, steps 1-4 marked.]


PACKET FLOW SRX 3K: SESSION SETUP MESSAGES

1. SPU sends insert session to CP.
2. SPU sends insert session to ingress NP.
3. SPU sends insert session to egress NP.

[Figure: same chassis diagram (IOC/NPC pairs in the fabric IOC domain, SPC #1 with CP and SPU through SPC #N in the fabric SPC domain), with the three messages drawn.]


PACKET FLOW SRX 3K: FAST PATH

1. Packet received by NP; NP flow lookup, match.
2. NP sends packet to SPU; SPU does fast path processing.
3. Packet forwarded to egress NP.
4. Packet egresses card.

[Figure: same chassis diagram (IOC/NPC pairs in the fabric IOC domain, SPC #1 with CP and SPU through SPC #N in the fabric SPC domain), steps 1-4 marked.]
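Added example, not Juniper's code: a constructed model of the SRX 3K path across the three slides above (first packet of a new flow, the three session-insert messages, and the fast path), showing why only the first packet of a flow touches the CP. Component names are placeholders and round-robin SPU selection is an assumption; the slides only say that the CP chooses an SPU.

```python
# Constructed model (not Juniper code) of the SRX 3K packet path: first packet
# of a new flow, the session-insert messages, and the fast path.

class NP:
    """Network processor on an NPC; holds the flow table used for the fast-path lookup."""
    def __init__(self, name):
        self.name, self.flows = name, {}

class SPU:
    """Services processing unit on an SPC; owns the sessions it set up."""
    def __init__(self, name):
        self.name, self.sessions = name, {}

class CP:
    """Central point: global session table plus the choice of SPU for each new flow.
    Round-robin selection is an assumption; the slide only says 'CP chooses SPU'."""
    def __init__(self, spus):
        self.spus, self.sessions, self._turn = spus, {}, 0

    def choose_spu(self):
        spu = self.spus[self._turn % len(self.spus)]
        self._turn += 1
        return spu

def session_setup(spu, key, cp, ingress, egress, trace):
    """Session setup messages: SPU sends 'insert session' to CP, ingress NP and egress NP."""
    spu.sessions[key] = True
    for target, table in ((cp, cp.sessions), (ingress, ingress.flows), (egress, egress.flows)):
        table[key] = spu.name
        trace.append(f"{spu.name}: insert session -> {getattr(target, 'name', 'CP')}")

def forward(key, ingress, egress, cp):
    """Walk one packet (key = any hashable flow tuple) through the box; return its hops."""
    trace = []
    owner = ingress.flows.get(key)
    if owner is None:                      # first packet: NP flow lookup, no match
        trace.append(f"{ingress.name}: no match, send to CP")
        spu = cp.choose_spu()
        trace.append(f"CP: chose {spu.name}, forward packet")
        session_setup(spu, key, cp, ingress, egress, trace)
    else:                                  # fast path: NP flow lookup, match
        trace.append(f"{ingress.name}: match, send to {owner}")
        trace.append(f"{owner}: fast path processing")
    trace.append(f"{egress.name}: packet egresses card")
    return trace
```

Once the ingress NP holds the flow, every later packet is steered straight to the owning SPU, which is why the session-insert messages to both NPs matter for throughput and for consistent inspection of a flow.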

Integration of SRX with other security products


ENTERPRISE-WIDE ACCESS CONTROL

Imagine a person on the road:

1. User logs in from an unpatched device.
2. “Sales” user’s device is quarantined for automatic patch remediation.
3. Remediation successful; full network access granted.
4. User attempts to access “Finance” data, but is blocked.
5. SRX senses attack, informs IC.
6. IC removes SRX access; SSL VPN terminates user session.

• SSL session data pushed to NAC via IF-MAP
• IC pushes role-based FW policies to SRX

[Figure: mobile user -> Internet -> SSL VPN -> SRX Firewall -> corporate data center (apps, data, finance, video), with the NAC IC and patch remediation alongside; steps 1-6 marked.]

Q&A, Thank you!

Karel Hendrych

Juniper Networks

[email protected]

