8/2/2019 Securing Networks With Juniper
http://slidepdf.com/reader/full/securing-networks-with-juniper 1/24
Securing Networks with Juniper Networks
Juniper Security Features

Jean-Marc Uzé
Liaison Research, Education and Government Networks and Institutions, EMEA
TF-CSIRT Meeting, 26/09/02
Agenda
- Introduction
- Juniper Networks Routers Architecture
- Router Protection
- Encryption of Traffic
- Source Address Verification
- Real-time Traffic Analysis
- I/O Filters and Rate Limiting
- Summary
Juniper Networks, Inc. Copyright © 2002 3
Cyber Attacks Increasing
Chart: attack types over time, 1994 to 2000 (packet sniffers, IP spoofing, denial of service attacks, automated scanning tools, distributed denial of service attacks, script attacks, self-propagating automated distributed attacks); the trend runs from host-based attacks to network-based attacks to attacks that target the network itself.
- Frequency
  - Over 4,000 Distributed DoS attacks a week
- Sophistication
  - Distributed DoS attacks hard to detect & stop
  - Network elements recently targeted
- Impact
  - Yahoo, eBay, Microsoft make headlines
  - Cloud 9 (UK) ISP out of business
Source: Published CERT figures
Today's Security Compromises
- Enable security at specific points on the network
- As platforms, interfaces or software allow
- Does not provide reliable security
- Security enabled after attack is detected
- High operational effort
- Performance SLAs affected
Chart: performance over time with a reactive approach (attack starts, tracing, blocking, attack ends); performance stays below the SLA target for the whole of the attack and only partially recovers while it is traced and blocked.
Security Without Compromise
- Ubiquitous
  - Juniper Networks: Single Image, Security on All Interfaces
- Continuous
  - Juniper Networks: Low impact, turn it on, leave it on
- Economical
  - Juniper Networks: Included in the basic platform
- Proven
  - Juniper Networks: Shipping since 2000 and in use in production networks around the world
Lets You, Rather Than Your Equipment, Dictate Your Network Security Policy.
Protecting and Enabling Revenues
- Customer Retention
  - Increased customer satisfaction
  - Match competitive security service offerings
- New Services
  - Lawful Intercept
  - Intrusion Detection Services
  - High Speed Encrypted VPNs
  - Attack Resistant Web Hosting
  - Denial of Service Protection/Control
  - Spoofing Protection
JUNOS Security Related Features
Timeline of security features by release:
- JUNOS 3.x (1998): User Administration (TACACS+ / RADIUS), Protocol Authentication
- JUNOS 4.x (1999): H/W Based Packet Filtering, Individual Command Authorization, Traffic Policing, Firewall Syslogs / MIB, H/W Based Router Protection
- JUNOS 5.x (2001): Port-Mirroring, IPSEC Encryption (Control and Transit traffic), Unicast RPF, Radius Support for PPP/CHAP, SNMPv3
Juniper Security Features at a Glance
Examples of Available Safeguards, grouped by stage; the table's two columns are Infrastructure Protection and Customer Protection:
- Prevention
  1. Hardware based router protection
  2. IPSEC encryption of Control Traffic
  3. IPSEC encryption of customer traffic
  4. Source address verification
- Detection
  5. Real time traffic analysis (port mirroring) for Lawful Intercept, IDS
  6. Real-time DDOS attack identification
- Suppression
  7. I/O filters to block attack flows
  8. Rate limiting
  9. Hitless filter implementation
System Architecture
- Routing Engine
  - Maintains routing table and constructs forwarding table using knowledge of the network
- Packet Forwarding Engine
  - Receives packet forwarding table from Routing Engine
  - Copies packets from an input interface to an output interface
  - Conducts incremental table updates without forwarding interruption
Diagram: JUNOS Internet Software on the Routing Engine holds the forwarding table and pushes updates to the Packet Forwarding Engine (Internet Processor II, Switch Fabric and I/O Cards), which keeps its own copy of the forwarding table.
IP II ASIC Overview
- Leverages proven, predictable ASIC forwarding technology of Internet Processor
- Provides breakthrough technology to support performance-based, enhanced Services
  - Security and bandwidth control (i.e. filtering) at speed
  - Visibility into network operations at speed
- Delivers performance WITH services
  - Supported on all interfaces
Diagram: Internet Processor II.
Filtering
- IP-II enables significant functionality with applications to network management
  - Security
  - Monitoring
  - Accounting

Filter Specification (multiple rules may be specified):

    filter my-filter ip {
        rule 10 {
            protocol tcp;
            source-address 128.100.1/24;
            port [ smtp ftp-data 666 1024-1536 ];
            action {
                reject tcp-reset;
            }
        }
    }

Diagram: the filter specification is compiled into microcode for the IP-II packet handling programs; filters and route lookup are part of the same program, and all packets handled by the router pass through it. Filters can act on the highlighted header fields (IP: Ver, IHL, ToS, Total Len, ID, Fragmentation, TTL, Proto, Hdr Checksum, Source Address, Destination Address; TCP: Source Port, Dest Port, Sequence Number, Acknowledgement Number, Offset, Flags, Window, Checksum, Urgent Pointer), as well as the incoming interface identifier and the presence of IP options. Possible outcomes: forward (into the routing instance), silent discard, TCP reset or ICMP unreachable; side actions: log, syslog, count, sample, forwarding-class, loss-priority, policer.
JUNOS Internet Software (Operating System)
- Common software across entire product line leverages stability, interoperability, and a wide range of features
- Purpose built for Internet scale
- Modular design for high reliability
- Best-in-class routing protocol implementations
- Foundation for new services with MPLS traffic engineering
Diagram: modular processes: Protocols, Interface Mgmt, Chassis Mgmt, SNMP, Security.
Traffic Framework
- Management, Control and Data planes
- Source, Destination and Type
Diagram: traffic classes exchanged between routers: Routing Control, ICMP Notification, User Data, Router Management.
Tools - Prevent, Detect, Control
- Traffic
  - Forward
  - Redirect
  - Monitor
  - Sample
  - Count
  - Log
  - Mark
  - Limit
  - Discard
- Route Control
  - Import filters
  - Export filters
  - Mark
  - Limit
    - Announcements
    - Prefixes
JUNOS Default to Secure
- Does not forward directed broadcasts
- Remote management access to the router is disabled. It must be explicitly enabled
  - telnet, ftp, ssh...
- No SNMP set support for editing configuration data
- Default Martian addresses
Communicating with the Router
- Secure Shell
  - Ssh v1 / v2
  - Supports connection limit + rate limit
    - against SYN flood DoS attacks on the ssh port
  - OpenSSH 3.0.2 since JUNOS 5.4
- Secure Copy Protocol (SCP)
  - Uses the ssh encryption and authentication infrastructure to securely copy files between hosts
- Central Authentication
  - TACACS+ / RADIUS
  - User classes with specific privileges
- File Records and Command Events
Hardware-Based Router Protection
- Router's control plane is complex and intelligent
  - Needs to be CPU based
  - Protocols need processing power for fast updates and to minimize convergence time.
- Attacks launched at routers include sending:
  - Forged routing packets (BGP, OSPF, RIP, etc.)
  - Bogus management traffic (ICMP, SNMP, SSH, etc.)
- Attacker can easily launch high speed attacks
  - Rates in excess of 40M/second
  - CPU based filtering unable to keep up
  - Attacks consume CPU resources needed for control traffic.
  - Danger of protocol time-outs, leading to network instabilities.
Hardware Based Router Protection
- Hardware based filtering advantages
  - Hardware drops attack ("untrusted") traffic
  - CPU free to process "trusted" control traffic
- One filter applied to the "loopback"
  - Protects the router and all interfaces
  - Provides ease of management
  - No need to configure additional filters when adding new interfaces
Hardware Based Router Protection
- Define "trusted" source addresses
- Define protocols and ports that need to communicate
- Accept desired traffic and discard everything else
- One filter applied to the loopback interface protects router and all interfaces

    firewall {
        filter protect-RE {
            /* Return traffic of TCP sessions the router itself opened */
            term established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* Control and management traffic, from trusted sources only */
            term trusted-traffic {
                from {
                    source-address {
                        10.10.10.0/24;
                        10.10.11.0/24;
                        10.10.12.0/24;
                        10.10.17.0/24;
                        10.10.18.0/24;
                    }
                    protocol [ icmp tcp ospf udp ];
                    destination-port [ bgp domain ftp ftp-data snmp ssh ntp ];
                }
                then accept;
            }
            /* Everything else is logged and dropped */
            term default {
                then {
                    log;
                    discard;
                }
            }
        }
    }
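To make the first-match semantics of a loopback filter like protect-RE concrete, here is an added Python model (example code written for this page, not Juniper's). It evaluates constructed packets against terms shaped like the slide's filter and reports which term fired and whether the packet was logged. Assumptions of the model: the service-name-to-port table (IANA well-known ports), the reading of `tcp-established` as "ACK or RST flag set", the implicit discard that ends every JUNOS filter when no term matches, and the sample packets themselves.

```python
"""First-match evaluation of a JUNOS-style stateless firewall filter applied
to the loopback (Routing Engine) interface, as a constructed model.

Example code written for this page, not Juniper's. The terms mirror the
protect-RE filter on the slide; packets, ports and flag semantics are
assumptions of the model.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Well-known ports for the service names in the slide's destination-port list.
SERVICE_PORTS = {"bgp": 179, "domain": 53, "ftp": 21, "ftp-data": 20,
                 "snmp": 161, "ssh": 22, "ntp": 123}
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


@dataclass
class Packet:
    src: str
    protocol: str                  # "tcp", "udp", "icmp", "ospf"
    dst_port: Optional[int] = None
    tcp_flags: int = 0


@dataclass
class Term:
    name: str
    action: str                                   # "accept" or "discard"
    protocols: Set[str] = field(default_factory=set)
    sources: List = field(default_factory=list)   # ip_network objects
    dst_ports: Set[int] = field(default_factory=set)
    tcp_established: bool = False
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        """Every configured `from` condition must hold; an unset one matches anything."""
        if self.protocols and pkt.protocol not in self.protocols:
            return False
        if self.sources and not any(ip_address(pkt.src) in net for net in self.sources):
            return False
        if self.dst_ports and pkt.dst_port not in self.dst_ports:
            return False
        if self.tcp_established and not (
                pkt.protocol == "tcp" and pkt.tcp_flags & (TCP_ACK | TCP_RST)):
            return False   # a bare SYN opens a new session; it is not "established"
        return True


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[str, str, bool]:
    """(term name, action, logged) for the first matching term, else the implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action, term.log
    return "implicit-discard", "discard", False


TRUSTED = [ip_network(p) for p in ("10.10.10.0/24", "10.10.11.0/24", "10.10.12.0/24",
                                   "10.10.17.0/24", "10.10.18.0/24")]
PROTECT_RE = [
    Term("established", "accept", protocols={"tcp"}, tcp_established=True),
    Term("trusted-traffic", "accept", protocols={"icmp", "tcp", "ospf", "udp"},
         sources=TRUSTED,
         dst_ports={SERVICE_PORTS[s] for s in
                    ("bgp", "domain", "ftp", "ftp-data", "snmp", "ssh", "ntp")}),
    Term("default", "discard", log=True),
]

# Constructed packets addressed to the router itself.
SAMPLE = {
    "bgp_open_from_peer": Packet("10.10.10.2", "tcp", SERVICE_PORTS["bgp"], TCP_SYN),
    "ssh_from_internet":  Packet("192.0.2.77", "tcp", SERVICE_PORTS["ssh"], TCP_SYN),
    "reply_to_router":    Packet("198.51.100.9", "tcp", 50000, TCP_ACK),
    "ntp_from_trusted":   Packet("10.10.11.3", "udp", SERVICE_PORTS["ntp"]),
}


def decide(name: str) -> Tuple[str, str, bool]:
    """Run one constructed packet through the protect-RE model."""
    return evaluate(PROTECT_RE, SAMPLE[name])
```

The `reply_to_router` case shows a property of the slide's filter worth knowing before deploying it: the `established` term accepts any TCP segment with ACK or RST set, from any source, so the only thing the trusted-source list restricts is the opening of new sessions. Tightening that term is a policy decision for the operator.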
IPSec Encryption of Control Traffic
- Encrypt Control Traffic Between Routers
- Encryption uses ESP in Transport Mode
- ESP Provides Secure Communication for critical control / routing traffic
- Protects from attacks against control plane
IPSec Encryption of Customer Traffic
- Encryption Services PIC provides capabilities to other interfaces on the router for Encryption and Key Exchange (IKE)
- Provides high-bandwidth encryption for transit traffic at 800 Mbps (half-duplex)
- Applied via the Packet Forwarding Engine
  - offloads the encryption and decryption tasks from the Routing Engine processor
- Delivers Private and Secure communication of mission-critical customer traffic
- Provides up to 1,000 tunnels per PIC
- Can Scale Using Multiple PICs
IPSec Encryption of Customer Traffic
- Crypto PIC highlights:
  - Tunnel/Transport Mode
    - Tunnel mode for data traffic
  - Authentication Algorithms
    - MD5
    - SHA-1
  - Encryption Algorithms
    - DES
    - 3-DES
  - IKE Features
    - Support for automated key management using Diffie-Hellman key establishment
    - Main/Aggressive mode supported for IKE SA setup
    - Quick Mode supported for IPSec SA setup
Source Address Verification
- Why it is needed:
  - IP address spoofing is a technique used in DOS attacks
  - Attacker pretends to be someone else
  - Makes it difficult to trace back the attacks
  - Common Operating Systems let users spoof the machine's IP address (UNIX, LINUX, Windows XP)
- How it is done:
  - Route table look-up performed on IP source address
  - Router determines if traffic is arriving on expected path
    - traffic is accepted
    - normal destination based look up is performed
  - If traffic is not arriving on the expected path
    - then it is dropped
Source Address Verification
- Juniper Solution
  - uRPF can be configured per-interface/sub-interface
  - Supports both IPv4 and IPv6
  - Packet/Byte counters for traffic failing the uRPF check
  - Additional filtering available for traffic failing check:
    - police/reject
    - Can syslog the rejected traffic for later analysis
  - Two modes available:
    - Active-paths: uRPF only considers the best path toward a particular destination
    - Feasible-paths: uRPF considers all the feasible paths. This is used where routing is asymmetrical.
Source Address Verification
Diagram: a router with uRPF enabled, interfaces so-0/0/0.0 and so-1/0/0.0, a Data Center on 10.10.10.0/24 and a second network 11.11.11.0/24. Routing table entry: 10.10.10.0/24 *[BGP/170] > via so-1/0/0.0. An attack with source address 10.10.10.1 arrives on an interface other than so-1/0/0.0; since the route back to 10.10.10.0/24 points out of so-1/0/0.0, the packet fails the uRPF check and is dropped.
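The check the diagram illustrates, as an added Python model (example code written for this page, not Juniper's) covering both modes from the previous slide. The routing table does a longest-prefix match on the source address; active-paths mode requires the ingress interface to be the best path back to the source, feasible-paths mode accepts any feasible path. The routes mirror the diagram (10.10.10.0/24 via so-1/0/0.0); the extra feasible path so-2/0/0.0 for that prefix, and the interface names other than the two on the slide, are constructed assumptions added to show the difference between the modes.

```python
"""Unicast RPF (source address verification) in active-paths and
feasible-paths mode, as a constructed model.

Example code written for this page, not Juniper's. Routes follow the
slide's diagram; the second feasible path is an added assumption.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class Route:
    prefix: str
    active: str                                      # best path's interface
    feasible: Set[str] = field(default_factory=set)  # other usable paths

    def all_paths(self) -> Set[str]:
        return {self.active} | self.feasible


class RoutingTable:
    def __init__(self, routes: List[Route]):
        self.routes = [(ip_network(r.prefix), r) for r in routes]

    def lookup(self, addr: str) -> Optional[Route]:
        """Longest-prefix match, here run on the *source* address."""
        a = ip_address(addr)
        best = None
        for net, route in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, route)
        return best[1] if best else None


def urpf_check(table: RoutingTable, src: str, ingress: str, mode: str) -> bool:
    """True if the packet passes uRPF.

    active-paths:   ingress must be the best path back toward src.
    feasible-paths: any feasible path back toward src is accepted
                    (the mode for asymmetric routing).
    A source with no route at all always fails.
    """
    route = table.lookup(src)
    if route is None:
        return False
    if mode == "active-paths":
        return ingress == route.active
    if mode == "feasible-paths":
        return ingress in route.all_paths()
    raise ValueError(f"unknown uRPF mode {mode!r}")


# Constructed table after the slide: 10.10.10.0/24 is best reached via
# so-1/0/0.0; so-2/0/0.0 as a second feasible path is an assumption.
TABLE = RoutingTable([
    Route("10.10.10.0/24", active="so-1/0/0.0", feasible={"so-2/0/0.0"}),
    Route("11.11.11.0/24", active="so-0/0/0.0"),
])


def classify(src: str, ingress: str, mode: str = "active-paths") -> str:
    """Forwarding decision for one packet; failures are what the per-interface
    uRPF counters on the previous slide would count."""
    return "forward" if urpf_check(TABLE, src, ingress, mode) else "drop: uRPF fail"
```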
Real-time Traffic Analysis
- Sampling and cflowd format export (v5 + v8)
- Since JUNOS 5.4: Passive Monitoring PIC
  - Application is primarily for security and traffic analysis
  - Monitors IPv4 packets and flows over SONET on:
    - OC-3c, OC-12c and OC-48c
    - PPP or HDLC (Cisco) layer 2 encapsulations
  - Generates cflowd v5 records for export to collector nodes
    - IPSec or GRE tunnels can be used for exporting
Real-time Traffic Analysis
- Juniper Port Mirroring capability
  - Copy of sampled packet can be sent to arbitrary interface
  - Any Interface and speed, up to 100% of selected packets
  - N number of ingress ports to single destination port
  - Work in progress with IDS vendor
    - Discussions ongoing with high-speed analytical security application developers (OC48)
Real-time Traffic Analysis
Diagram: traffic on the Data Center-facing interface is mirrored to an Intrusion Detection System.
Real-time DDoS Identification
- Preparation
  - Pre-configure Destination Class Usage (DCU) on customer-facing ingress interfaces
  - Accounting feature typically for billing
  - Supported in JUNOS 4.3 (12/2000) and beyond
  - Counts packets, bytes destined for each of up to 16 communities per interface
  - Counters retrievable via SNMP
  - Note: Source Class Usage is also supported (since JUNOS 5.4)
- During Attack
  - Use BGP to announce victim's /32 host address with special community
  - Trigger SNMP polling of DCU counters on all ingress interfaces
  - Apply heuristic to identify likely attack sources
Real-time DDoS Identification
Diagram: a Service Provider network with its NOC; Attacker Networks and User Networks attach at the edge, and the attack flows from the Attacker Networks converge on the Victim Network.
Real-time DDoS Identification
Diagram: the NOC announces the victim host 128.8.128.80 as 128.8.128.80/32 with Community 100:100 across the Service Provider network; the attack flows from the Attacker Networks and the traffic from the User Networks toward the Victim Network can then be told apart per ingress interface.
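The "During Attack" procedure of the preceding slides, as an added Python model (example code written for this page, not Juniper's). The victim route 128.8.128.80/32 and community 100:100 come from the slides; the community-to-class mapping, router and interface names, counter values, poll interval and both thresholds of the heuristic are constructed assumptions. The model also handles a 32-bit counter that wraps between two polls, a detail a practitioner reading DCU counters over SNMP has to deal with.

```python
"""Picking likely DDoS ingress points out of Destination Class Usage (DCU)
counters, as a constructed model.

Example code written for this page, not Juniper's. Victim route and
community are from the slides; everything else is a constructed assumption.
"""
from typing import Dict, List, Tuple

VICTIM_ROUTE = "128.8.128.80/32"       # announced by the NOC (from the slide)
VICTIM_COMMUNITY = "100:100"           # attached to that announcement (from the slide)

# Import policy modelled as a dict: community -> destination class (assumption).
COMMUNITY_TO_CLASS = {VICTIM_COMMUNITY: "ddos-victim"}

Key = Tuple[str, str]                  # (router, customer-facing ingress interface)


def class_for_route(communities: List[str]) -> str:
    """Destination class a route is accounted under; others fall into 'default'."""
    for community in communities:
        if community in COMMUNITY_TO_CLASS:
            return COMMUNITY_TO_CLASS[community]
    return "default"


# Two SNMP polls of the cumulative DCU packet counter for class "ddos-victim",
# 60 s apart. Constructed values; pe3's 32-bit counter wraps between polls.
POLL_INTERVAL_S = 60
POLL_T0: Dict[Key, int] = {
    ("pe1", "so-0/0/0.0"): 5_000_000,
    ("pe1", "so-0/1/0.0"): 7_200_000,
    ("pe2", "ge-1/0/0.0"): 120_000,
    ("pe2", "ge-1/1/0.0"): 900_000,
    ("pe3", "so-2/0/0.0"): 4_294_960_000,
}
POLL_T1: Dict[Key, int] = {
    ("pe1", "so-0/0/0.0"): 9_800_000,  # +4,800,000 -> 80,000 pps
    ("pe1", "so-0/1/0.0"): 7_230_000,  # +30,000    ->    500 pps
    ("pe2", "ge-1/0/0.0"): 3_120_000,  # +3,000,000 -> 50,000 pps
    ("pe2", "ge-1/1/0.0"): 912_000,    # +12,000    ->    200 pps
    ("pe3", "so-2/0/0.0"): 3_296,      # wrapped: +10,592 -> ~176 pps
}


def victim_rates(t0: Dict[Key, int], t1: Dict[Key, int], interval_s: int) -> Dict[Key, float]:
    """Packets per second toward the victim class per ingress interface.
    Counters are cumulative, so use the delta between polls; a 32-bit
    counter that wrapped in between shows up as after < before."""
    pps = {}
    for key, after in t1.items():
        before = t0.get(key, 0)
        delta = after - before if after >= before else (after + (1 << 32)) - before
        pps[key] = delta / interval_s
    return pps


def likely_attack_sources(pps: Dict[Key, float], min_pps: float = 1000.0,
                          min_share: float = 0.10) -> List[Key]:
    """Heuristic: flag interfaces carrying at least `min_pps` toward the victim
    AND at least `min_share` of all victim-bound traffic, busiest first.
    Both thresholds are assumptions to be tuned per network."""
    total = sum(pps.values()) or 1.0
    flagged = [k for k, r in pps.items() if r >= min_pps and r / total >= min_share]
    return sorted(flagged, key=lambda k: pps[k], reverse=True)


def analyse() -> List[Key]:
    """Full pass over the two constructed polls."""
    return likely_attack_sources(victim_rates(POLL_T0, POLL_T1, POLL_INTERVAL_S))
```

The output is a ranked list of (router, interface) pairs, which is exactly the input the next section needs: the interface filters and policers that suppress the attack are applied at those ingress points.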
Real-time DDoS Identification (diagram slide)
I/O Filters To Block Attack Flows
- DOS attacks need to be detected and stopped
- Interface filters can be applied to block only attack flows
- Filters can be applied to any interface type
- Filters can be applied both on inbound and outbound

    /* apply the filter to the ingress point of the network */
    interfaces {
        so-0/2/2 {
            unit 0 {
                family inet {
                    filter {
                        input block-attack;
                    }
                    address 151.1.1.1/30;
                }
            }
        }
    }

    /* This is the filter which blocks the attacks */
    firewall {
        filter block-attack {
            term bad-guy {
                from {
                    source-address {
                        10.10.10.1/32;
                    }
                    protocol icmp;
                }
                then {
                    discard;
                    log;
                }
            }
            /* A filter ends with an implicit discard, so without this term
               every other packet on the interface would be dropped too */
            term allow-rest {
                then accept;
            }
        }
    }
Rate Limiting
- Suppression/Rate Limiting Advantages
  - Protects router or customer by limiting traffic based on protocol/port/source and destination addresses
- Juniper Advantage
  - Architectural reasons we perform
    - Internet Processor ASIC not tied to an interface or release
  - Behavior under attack
    - Stable operation, routing and management traffic unaffected
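Rate limiting in a filter is a policer action rather than an outright discard, so instead of dropping everything from a matched source the filter admits traffic up to a configured rate and discards only the excess. The following added Python model (example code written for this page, not Juniper's) shows how a token-bucket policer with the two parameters JUNOS policers are configured with, a bandwidth limit in bits per second and a burst size in bytes, treats a constructed ICMP burst from the previous slide's attacker address while leaving other traffic untouched. The packet sizes, timestamps and counts are constructed.

```python
"""Token-bucket policer of the kind a filter term's policer action applies,
as a constructed model.

Example code written for this page, not Juniper's. Bandwidth-limit (bit/s)
and burst-size-limit (bytes) are the two policer parameters; trace contents
are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Policer:
    bandwidth_limit_bps: int
    burst_size_limit_bytes: int

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_size_limit_bytes)   # bucket starts full
        self.last_time = 0.0
        self.out_of_spec_packets = 0

    def conforms(self, now: float, size_bytes: int) -> bool:
        """Refill for the elapsed time (capped at the burst size), then try
        to charge the packet; one that does not fit is out of spec."""
        refill = (now - self.last_time) * self.bandwidth_limit_bps / 8.0
        self.tokens = min(float(self.burst_size_limit_bytes), self.tokens + refill)
        self.last_time = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        self.out_of_spec_packets += 1
        return False


def icmp_pkt(t: float, size: int = 1000) -> Dict:
    # Constructed ICMP packet from the slide's attacker address.
    return {"t": t, "protocol": "icmp", "src": "10.10.10.1", "size": size}


# Constructed trace: a 10-packet ICMP burst at t=0, one BGP segment from a
# peer at the same instant, and one more ICMP packet two seconds later.
TRACE: List[Dict] = (
    [icmp_pkt(0.0) for _ in range(10)]
    + [{"t": 0.0, "protocol": "tcp", "src": "10.10.10.2", "size": 60}]
    + [icmp_pkt(2.0)]
)


def police_trace(trace: List[Dict], policer: Policer) -> Dict[str, int]:
    """Apply the policer only to what the term matches (ICMP from the suspect
    host); everything else, routing and management traffic included, is
    forwarded without touching the bucket."""
    counts = {"forwarded": 0, "policed_discard": 0, "unpoliced": 0}
    for pkt in trace:
        if pkt["protocol"] == "icmp" and pkt["src"] == "10.10.10.1":
            if policer.conforms(pkt["t"], pkt["size"]):
                counts["forwarded"] += 1
            else:
                counts["policed_discard"] += 1
        else:
            counts["unpoliced"] += 1
            counts["forwarded"] += 1
    return counts


def policed_counts() -> Dict[str, int]:
    # 8,000 bit/s = 1,000 bytes/s sustained with a 3,000-byte burst: only 3
    # of the 10 burst packets fit, and 2 s of refill admit the later one.
    return police_trace(TRACE, Policer(bandwidth_limit_bps=8000, burst_size_limit_bytes=3000))
```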
Hitless Filter Implementation
- Can be applied immediately after identification of offending traffic
- Application of filters does not create short-term degraded condition as filters take effect
- Size and complexity of filter independent of forwarding performance
Traffic Interruption During Filter Compilation
Diagram: before the change, the legitimate traffic flow and the attack flow both pass; when the NOC operator applies or changes filters, all traffic gets dropped during filter compilation.
No Interruption With Atomic Updates
Diagram: when the NOC operator applies or changes filters with atomic updates, the legitimate traffic flow continues without interruption while the attack traffic gets dropped.
Next Steps
- Ongoing Dialog with security team
  - Ensuring existing security features are active
  - Awareness of upcoming security issues
- Best Practices
  - White Papers
- Security consulting and training
Juniper Networks – the Trusted Source
Further References
- Juniper Networks Whitepapers
  - Rate-limiting and Traffic-policing Features
  - Fortifying the Core
  - Visibility into Network Operations
  - Minimizing the Effects of DoS Attacks
  - Juniper Networks Router Security
- Available from http://www.juniper.net/techcenter
Thank You