Implementing Layered Security across the Enterprise
Ross Callon, Distinguished Engineer
Andy Leung, Regional Security Product Manager
Copyright © 2005 Juniper Networks, Inc. www.juniper.net
Agenda
• Trends and Challenges
• Implementation Technologies
  – Overview of Router Security
  – Firewall
  – IDP
  – VPN
  – Remote Access
• Other considerations
• Managed services
• Summary
Layered Security Solutions
“Security professionals agree that network security requires a multi-layered defense. To meet the challenges posed by sophisticated and run-of-the-mill attacks, enterprises have been forced to deploy layers of security products.”
(International Data Corp.)
Implementation questions
• Are my routers stable and secure during an attack?
• When should you propose a new firewall?
• When should you propose an IDP?
• What VPN technology should you use?
• How do you secure remote access?
• What security features should you look for?
• Single-box or multiple-box solution?
• How do you implement a managed service?
Cyber Attacks Increasing
• Frequency: 4,000 DDoS attacks/week*
• Sophistication: hybrid attacks, network elements targeted, …
• Impact: businesses in the headlines; one ISP out of business
[Figure: timeline of attack evolution, 1994 to 2000, moving from host-based attacks to network-based attacks to attacks that target the network itself: packet sniffers, IP spoofing, automated scanning tools, email script attacks, denial-of-service attacks, distributed denial-of-service attacks, self-propagating automated distributed attacks. Source: published CERT figures.]
* http://www.caida.org/outreach/papers/2001/BackScatter/
Consequences of Slammer
• Global loss of 20% of all Internet traffic
• Loss of emergency services in Washington
• No mobile network for 27m South Koreans
• Shutdown of 13,000 cash machines
• Flights delayed
• Cleanup costs of more than $1bn
• Spread in just 10 minutes
• One major service provider was unaffected!
Top Technical Challenge for Service Providers
[Bar chart: percent of respondents rating each technical challenge 6 or 7; reported values range from 9% to 65%. Challenges: building NOCs for security; finding VPN and security products with adequate performance; monitoring security device log files; finding security/VPN expertise; understanding customers’ existing networks; integrating multiple VPN/security technologies into a single service; scaling services to over 100,000 users; finding integrated security management systems; keeping up with new security threats. Source: Infonetics, Service Provider Plans for VPNs and Security, NA, EUR, APAC 2004.]
Why - Networking is Evolving
[Figure: four trends, each drawn as an axis.]
• Connectivity, from centralized to widely distributed: corporate data centers, business partner, mobile access, tele-worker, remote office, wireless access
• Applications, from non-demanding to very demanding: email, web browsing, streaming media, video telephony, transaction processing, VoIP
• Attacks, from simple to sophisticated: access violation, D/DoS, Trojan horses, network worms, e-mail worms, viruses, eavesdropping
• Endpoint access, from trusted to untrusted: servers, workstations, PDAs, kiosks, wireless access, laptops
Trends Affecting Solution Requirements
• Provide linear performance for a mixed large- and small-packet traffic mix
• Make traffic decisions with low latency so applications are not affected
• Increasing traffic load and number of connection points
• Prevent/mitigate network- and application-level attacks
[Figure: trends over time. Latency/jitter tolerance falls as latency-sensitive applications spread; required depth of inspection rises with increasing vulnerabilities; average packet size falls with small-packet applications (multimedia, VoIP, etc.); connectivity points grow with wireless connectivity and increasing ubiquity.]
Security Services Growth & Investment
[Two bar charts. Services expected to grow (average percent; reported values range from 19% to 78%): traditional intrusion detection, PKI, authentication, application security, security audits, firewall, integration and professional services, content filtering, vulnerability assessment, VPN, integrated services, intrusion prevention. Security technologies for investment (percent of respondents; reported values range from 26% to 74%): other, application security, firewall, intrusion prevention, VPN. Source: Infonetics, Service Provider Plans for VPNs and Security, NA, EUR, APAC 2004.]
Security Across the Network
[Diagram: a corporate network (headquarters with DMZ-1 servers and DMZ-2 segments for Finance, HR and Sales; branch/remote offices; partners; remote users) reaches the Internet through two service providers, SP1 and SP2. The SP shared network carries the IP core network, broadband and cellular/VoIP access networks, a voice net, a service net, a hosting net and a management network/DCN. Three protection domains: protect the service network, protect the SP core, protect corporate infrastructure.]
Security Across the SP Network
[Diagram: the same topology as the previous slide, annotated with where each control sits.]
• Protect the SP core: protect the control plane; protect the DCN; multiple virtual firewalls on a single platform
• Protect the service network: protect the broadband network, the VoIP network, the GPRS network and the service portal; secure BB, VoIP, etc.; VPN services; managed security service (FW, IPS, VPN, etc.)
• Protect corporate infrastructure: protect the perimeter; integrated security protects the remote edge; FW and IPsec VPN WAN over the Internet; detect, suppress and prevent attacks; secure access for mobile users and business partners; remote secure access and secure online meetings; managed secure service
Securing the Router Infrastructure
• Links, routers, routing protocols, and the management thereof are critical network components and must work securely
• These can be strongly secured: very few systems have a valid reason to send traffic to the router’s control plane (rather than through the router’s data plane)
Basic Router Security
• Security with performance: line-rate packet filtering and rate limiting; stability under stress (e.g., routers need to prioritize control traffic)
• Limit who can send traffic to routers
• Secure network management: one-time passwords, authenticated access, …
• Secure routing protocols
• More details on Thursday
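The two router-security slides above say what a control-plane filter must do: let only the few expected sources reach the router itself, and rate-limit so that control traffic keeps flowing under stress. The following is an added illustration in Python, not Juniper configuration; the router addresses, BGP peers and management subnet are made up, and the per-class rates are arbitrary. It models the filter as a classifier plus one token bucket per traffic class, so an ICMP flood can exhaust only its own bucket and never starves BGP.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Constructed router configuration (not from the slides): the router's own
# addresses, its configured BGP peers, and the management subnet.
ROUTER_ADDRS = {ipaddress.ip_address(a) for a in ("192.0.2.1", "198.51.100.1", "10.0.0.1")}
BGP_PEERS = {ipaddress.ip_address(a) for a in ("192.0.2.2", "198.51.100.2")}
MGMT_NET = ipaddress.ip_network("10.0.0.0/24")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0
    ttl: int = 64


@dataclass
class TokenBucket:
    """Rate limiter: `rate` packets per second, bursts of up to `burst`."""
    rate: float
    burst: float
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = self.burst

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ControlPlaneFilter:
    """Decides what may reach the router's control plane.  Transit traffic is
    untouched; control-plane traffic is classified, and each class has its own
    bucket so a ping flood cannot starve BGP keepalives."""

    def __init__(self) -> None:
        self.buckets = {
            "bgp": TokenBucket(rate=1000, burst=2000),
            "ssh": TokenBucket(rate=50, burst=100),
            "icmp": TokenBucket(rate=10, burst=20),
        }
        self.log: List[str] = []

    def classify(self, p: Packet) -> str:
        if ipaddress.ip_address(p.dst) not in ROUTER_ADDRS:
            return "transit"                     # data plane, forwarded as usual
        src = ipaddress.ip_address(p.src)
        # Directly connected eBGP peers send with TTL 255; anything lower was
        # forwarded by another hop and is therefore spoofed (GTSM, RFC 5082).
        if p.proto == "tcp" and p.dport == 179 and src in BGP_PEERS and p.ttl == 255:
            return "bgp"
        if p.proto == "tcp" and p.dport == 22 and src in MGMT_NET:
            return "ssh"
        if p.proto == "icmp":
            return "icmp"
        return "deny"                            # nothing else has a valid reason

    def process(self, p: Packet, now: float) -> str:
        cls = self.classify(p)
        if cls == "transit":
            return "forward"
        if cls == "deny":
            self.log.append(f"{now:.3f} drop {p.proto} {p.src}->{p.dst}:{p.dport} not permitted to control plane")
            return "drop"
        if self.buckets[cls].allow(now):
            return f"accept:{cls}"
        self.log.append(f"{now:.3f} rate-limit {cls} from {p.src}")
        return "drop"
```

The default is deny: a packet addressed to the router that matches no class is dropped and logged, which is the "limit who can send traffic to routers" bullet in code. Time is passed in explicitly so the behaviour is deterministic; on a real device the bucket would read the clock.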
Firewalls: Access Control
• What it does: controls what and who gets in and out of the network; protects against common attacks
• How it works: scans for standard services, with the ability to create custom services; performs user authentication
• Where it’s deployed: an initial layer of defense for most locations (remote, site-to-site, perimeter, and core); commonly used for LAN segment protection
[Diagram: the firewall sits between the outside network and the protected network, providing network protection.]
Firewalls: User Authentication
• Control who gets in and out of the network
• Verifies that the sender is who they claim to be
• Support for tokens, digital certificates, ID/password
• Interoperates with RADIUS, LDAP, PKI, internal DB, and SecurID
[Diagram: a user presents ID/password, token or biometric to the firewall; the firewall checks the credentials against a RADIUS server before granting access to protected resources on the internal network.]
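The slide lists RADIUS as one back end a firewall can consult. The exchange it hides is worth seeing once, because the firewall (the NAS) does not send the password in the clear but also does not really encrypt it. The block below is an added example, not vendor code: it builds a RADIUS Access-Request with a PAP User-Password attribute exactly as RFC 2865 specifies, parses it back, and recovers the password the way the server does. The shared secret, user name, password and NAS address are invented.

```python
import hashlib
import os
import struct
from typing import Dict, List, Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator.
    This is keyed obfuscation, not encryption: a guessable shared secret lets
    anyone who sniffs the request recover the password offline."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def decode_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password (what the RADIUS server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")      # strip padding; RADIUS passwords cannot end in NUL


def attribute(kind: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident: int, user: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    """What the firewall (the NAS) sends.  The Request Authenticator must be
    unpredictable and unique per request: if it repeats under the same secret,
    XORing two captured password attributes cancels the mask."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes) -> Dict[str, object]:
    """Length-checked parse of the header and the TLV attribute list."""
    if len(data) < 20:
        raise ValueError("RADIUS packet too short")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match packet")
    attrs: Dict[int, List[bytes]] = {}
    i = 20
    while i < length:
        if i + 2 > length or data[i + 1] < 2 or i + data[i + 1] > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(data[i], []).append(data[i + 2:i + data[i + 1]])
        i += data[i + 1]
    return {"code": code, "id": ident, "authenticator": data[4:20], "attrs": attrs}
```

The practical consequences for a firewall deployment follow directly from the code: the firewall-to-RADIUS path should be on the management network (or inside IPsec), the shared secret should be long and random, and the authenticator must come from a real random source.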
Firewalls: Denial-of-Service Protection
• Malformed packet protection: SYN and FIN bits set; no flags in TCP; FIN with no ACK; ICMP fragment; large ICMP; IP source route; IP record route; IP security options; IP timestamp; IP stream; IP bad options; unknown protocols
• DoS and DDoS protection: SYN flood; ICMP flood; UDP flood; IP spoofing; per-session limiting; SYN fragments; default packet deny; SYN-ACK-ACK attack
• Malicious packet protection: ping of death; land attack; teardrop attack; WinNuke attack; IP source route; loose source route
• Reconnaissance protection: port scan; IP address sweep
• Firewall protection: stateful inspection firewall (i.e., TCP and UDP); TCP sequence checking; MAC address checking; CRC packet checking
• Content protection: Java/ActiveX/Zip/Exe blocking; user-defined malicious URLs; URL blocking (Websense, SurfControl)
[Diagram: the firewall applies these protections in front of the protected network.]
• Protection against common DoS attacks
• Another layer to prevent network attacks
• Deployed at the remote site, perimeter, core, or LAN
Security Zones: Internal Firewalls
• What it does: uses security zones to divide the network into logically managed zones (HR, finance, wireless, etc.)
• How it works: zones are no longer bound to physical interfaces; policies are applied between security zones and to interfaces within zones
• Where it’s deployed: core/LAN scenarios; segments the network into secure domains; protects against internal attacks; distributed security at low cost
[Diagram: one centrally managed firewall with zones for business partner, regional office, telecommuter, DMZ, HR, wireless network and finance; policies provide security and control traffic between zones.]
Virtual Systems: Another Security Layer
• What it does: provides virtual FW/VPN instances, each with its own address book, policies, and management; separate management facilitates division of labor
• How it works: traffic is routed to a VSYS by IP address, physical interface, or VLAN tag
• Where it’s deployed: core/LAN scenarios; augments security zones as a means of segmenting the network; used where administration must be separate
[Diagram: Vsys #1, #2 and #3 on one platform, selected by physical interface, VLAN tag or IP address.]
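The two slides above (security zones, and virtual systems layered on top of them) describe one lookup path: classify the packet into a vsys by VLAN tag, ingress interface or source address; map the ingress and egress interfaces of that vsys to zones; then walk that vsys's own policy table with default deny. The following added example (not ScreenOS code) implements that path in Python. All interface names, zone names, addresses and policies are constructed for the example, and the egress interface is passed in directly instead of coming from a route lookup.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    src: str          # source CIDR, or "any"
    dst: str          # destination CIDR, or "any"
    service: str      # "tcp/80", "udp/53", ... or "any"
    action: str       # "permit" or "deny"


def in_net(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


@dataclass
class Vsys:
    """One virtual firewall: its own interface-to-zone binding and policy table."""
    name: str
    iface_zone: Dict[str, str]                   # interface -> zone (zones are not tied to physical ports)
    policies: List[Policy] = field(default_factory=list)

    def lookup(self, in_iface: str, out_iface: str, src: str, dst: str, service: str) -> Tuple[str, str]:
        fz, tz = self.iface_zone.get(in_iface), self.iface_zone.get(out_iface)
        if fz is None or tz is None:
            return "deny", f"{self.name}: interface not bound to a zone"
        for p in self.policies:                  # first match wins, as on most firewalls
            if ((p.from_zone, p.to_zone) == (fz, tz) and in_net(p.src, src)
                    and in_net(p.dst, dst) and p.service in ("any", service)):
                return p.action, f"{self.name}: {fz}->{tz} matched {p.src} -> {p.dst} {p.service}"
        # Explicit default deny, including traffic between interfaces of the same zone.
        return "deny", f"{self.name}: {fz}->{tz} no policy (default deny)"


@dataclass
class Device:
    vsys: Dict[str, Vsys]
    vlan_map: Dict[int, str] = field(default_factory=dict)     # 802.1Q tag -> vsys
    iface_map: Dict[str, str] = field(default_factory=dict)    # physical interface -> vsys
    subnet_map: Dict[str, str] = field(default_factory=dict)   # source CIDR -> vsys

    def select_vsys(self, iface: str, vlan: Optional[int], src: str) -> Optional[Vsys]:
        """Classification order on the slide: VLAN tag, then interface, then IP."""
        name = None
        if vlan is not None and vlan in self.vlan_map:
            name = self.vlan_map[vlan]
        elif iface in self.iface_map:
            name = self.iface_map[iface]
        else:
            for cidr, vname in self.subnet_map.items():
                if in_net(cidr, src):
                    name = vname
                    break
        return self.vsys.get(name) if name else None

    def lookup(self, in_iface: str, out_iface: str, src: str, dst: str,
               service: str, vlan: Optional[int] = None) -> Tuple[str, str]:
        v = self.select_vsys(in_iface, vlan, src)
        if v is None:
            return "deny", "no vsys matched"
        return v.lookup(in_iface, out_iface, src, dst, service)


def build_sample_device() -> Device:
    """Constructed configuration: a corporate vsys with trust/HR/finance/untrust
    zones, and a partner vsys on VLAN 200 with its own policy table."""
    corp = Vsys("corp", {"eth1": "trust", "eth2": "hr", "eth3": "finance", "eth4": "untrust"}, [
        Policy("trust", "untrust", "10.1.0.0/24", "any", "tcp/80", "permit"),
        Policy("trust", "finance", "10.1.0.0/24", "10.3.0.0/24", "tcp/443", "permit"),
        Policy("hr", "finance", "any", "any", "any", "deny"),
    ])
    partner = Vsys("partner", {"eth0.200": "partner", "eth5": "dns"}, [
        Policy("partner", "dns", "172.16.0.0/16", "172.16.9.1/32", "udp/53", "permit"),
    ])
    return Device({"corp": corp, "partner": partner}, vlan_map={200: "partner"},
                  iface_map={"eth1": "corp", "eth2": "corp", "eth3": "corp", "eth4": "corp"},
                  subnet_map={"10.0.0.0/8": "corp"})
```

The point the vsys slide makes about division of labor shows up as data: the partner administrator can edit `partner.policies` without being able to reach `corp`'s zones or policies at all, and a packet that lands in no vsys is denied rather than falling through to a shared table.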
What does a VPN do?
• Confidentiality
• Integrity
• Authentication
[Diagram: Alice and Bob communicating over a protected tunnel.]
IPsec VPN: Protecting Communications
• What it does: encrypts and authenticates traffic
• How it works: establishes a secure tunnel to a remote site or user
• Where it’s deployed: encryption and data-origin authentication are another layer of protection (IPsec integrity protection is keyed with symmetric keys shared by the two peers, so it authenticates the peer but does not give non-repudiation); used for secure communications across the enterprise: remote user, site-to-site, internal LAN communications
[Diagram: a flexible VPN provides secure connections to and from both internal and external locations: wireless network; remote access and telecommuters; remote site and business partner.]
SSL VPN: Secure Remote Access
Without an SSL VPN gateway, exposing internal applications (web servers, MRP/ERP) to remote users has extensive deployment requirements:
• Duplication and migration of servers into the DMZ
• Hardening of OS/server farms and ongoing patch maintenance
• Distributed software agents (n times the server permutations)
• Maintenance of public-facing infrastructure
• AAA limited to only those integrated resources
• Custom API development for non-web content
With a single SSL VPN gateway in the DMZ in front of the internal corporate LAN, one policy point provides unified access enforcement:
• Dynamic authentication policies
• Expressive role definition and mapping rules
• Dynamic resource-based authorization
• Granular auditing and logging
• Web single sign-on (SSO)
• Password management integration
• Multiple hostnames and customizable UI
• Endpoint policy enforcement
Firewalls are only the 1st layer of defense
[Diagram: the firewall provides access control for the corporate network: it denies some traffic, allows the rest, and denies some attacks.]
What about:
– P2P traffic, e.g. BT, WinMX, Kazaa, etc.
– IM traffic, e.g. Yahoo! Messenger, MSN, ICQ
– Real-time applications: VoIP, H.323, SIP, streaming video
In-Line Attack Prevention
An active, in-line system detects an attack and drops the malicious traffic during the detection process, so it is dropped from the network.
Benefits:
• Attacks never reach their victim, eliminating impact to the network
• No need to waste time investigating the attack
• Works for all traffic (IP, TCP, UDP, etc.)
• Drops only the offending traffic
Intrusion Prevention vs. Deep Inspection
[Diagram: a deep inspection firewall denies traffic and denies some attacks in-line; the application traffic it allows then passes through an IDP that detects and drops attacks.]

                               Deep Inspection Firewall   IDP
Purpose                        Access control             Intrusion detection and prevention
Protect network layer          Yes                        Yes
Protocol conformance           Yes                        Yes
Application layer protection   Specific protocols         Broad range of protocols
Suspicious activity monitor    No                         Yes
Compliance monitor             No                         Yes
Traffic decision               100%                       0% - 20%
Forensic analysis              As needed                  80% - 100%
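The table separates two kinds of application-layer check that both a deep-inspection firewall and an IDP perform: protocol conformance (does the traffic look like the protocol it claims to be) and attack detection (does it match something known). The following added example, not vendor code, shows both on an HTTP request: a conformance pass that needs no signatures, followed by a small hand-written signature list, and a verdict an in-line device could act on. The size limits and the signatures are assumptions made for the example; the sample requests are constructed.

```python
import re
from typing import List, Tuple

# Assumed limits; a real device exposes these as tunables.
MAX_URI = 2048
MAX_HEADER = 4096
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Hand-written signatures for the example: (name, pattern over the raw request, action)
SIGNATURES = [
    ("dir-traversal", re.compile(rb"(\.\./|%2e%2e%2f)", re.I), "drop"),
    ("cmd-exe-probe", re.compile(rb"/cmd\.exe", re.I), "drop"),
    ("sqli-union", re.compile(rb"union(\s|\+|%20)+select", re.I), "alert"),
]


def conformance(request: bytes) -> List[str]:
    """Protocol-anomaly checks: things no RFC 2616 client does.  These need no
    signature, which is why they also catch attacks nobody has named yet."""
    issues: List[str] = []
    head, _, _body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return ["malformed-request-line"]
    method, uri, version = parts
    if method.decode("ascii", "replace").upper() not in METHODS:
        issues.append("unknown-method")
    if not re.fullmatch(rb"HTTP/1\.[01]", version):
        issues.append("bad-version")
    if len(uri) > MAX_URI:
        issues.append("uri-too-long")
    if any(b < 0x21 or b > 0x7E for b in uri):
        issues.append("non-printable-in-uri")
    if version == b"HTTP/1.1" and not any(h.lower().startswith(b"host:") for h in lines[1:]):
        issues.append("missing-host")
    for h in lines[1:]:
        if b":" not in h:
            issues.append("malformed-header")
            break
        if len(h) > MAX_HEADER:
            issues.append("header-too-long")
            break
    return issues


def inspect_request(request: bytes) -> Tuple[str, List[str]]:
    """Any protocol anomaly is dropped; signatures drop or alert per their action."""
    hits = conformance(request)
    verdict = "drop" if hits else "pass"
    for name, pattern, action in SIGNATURES:
        if pattern.search(request):
            hits.append("sig:" + name)
            if action == "drop":
                verdict = "drop"
            elif verdict == "pass":
                verdict = "alert"
    return verdict, hits
```

The split in the table's last two rows is visible here: the conformance pass makes a decision on every request, while the signature pass is where the bulk of analysis effort and false-positive tuning goes, which is why an IDP keeps the offending request for forensics rather than only dropping it.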
Gateway Anti-Virus: Preventing Virus Proliferation
• What it does: protects the corporate network from telecommuter-generated virus proliferation
• How it works: embeds a leading AV engine in the FW/VPN appliance; scans mail traffic and web downloads
• Where it’s deployed: at the gateway; embedded AV stops viruses before they infect the user
[Diagram: an email to John with the subject “Open this file” carries an infected attachment. The AV engine on the firewall detects the virus and the infected email is dropped; the receiver is warned “An infected file was dropped due to virus infection.” and the sender is warned “Your virus infected Email message was dropped.”]
Layered Security Summary

Layered Security Component   Remote Access   Site-to-site   Perimeter   Network Core   LAN
Firewall                     No              Yes            Yes         Yes            Yes
Denial of Service            No              Yes            Yes         No             Yes
IPSec VPN                    Yes             Yes            Yes         No             Yes
IDP                          No              Yes            Yes         Yes            No
SSL VPN                      Yes             No             Yes         No             Yes
Antivirus / Web filtering    Yes             Yes            Yes         Yes            No
Additional Considerations: High Availability
• Active/Active Full Mesh: a failure anywhere funnels all traffic through the “up” device; stateful failover for both firewall AND VPN; active sessions, NAT, VPN tunnels and security associations are maintained
• Active/Active: traffic is split between the devices, so the backup is always under test; stateful failover for both firewall AND VPN; active sessions, NAT, VPN tunnels and security associations are maintained
• Active/Passive: the secondary device’s configuration mirrors the primary; stateful failover for both firewall AND VPN; active sessions, NAT, VPN tunnels and security associations are maintained
Network consideration: Route-based VPNs
• What it does: leverages built-in dynamic routing for VPN resiliency
• How it works: dynamic routing “learns” the network and available routes automatically; networks and routes need not be defined per VPN; routes around failures and topology changes; helps ensure a highly available network
• Where it’s deployed: encryption and data-origin authentication are another layer of protection; used for secure communications: remote user, site-to-site, internal LAN communications
[Diagram: sites A, B and C with VPN tunnels between each pair; when the link between A and B fails, traffic is automatically re-routed via C to complete the connection.]
Performance Considerations: Platform Architecture
• Purpose-built for rock-solid security: security-specific processing for optimized performance; the entire platform is controlled by a security-specific, real-time operating system; includes security applications and integrated networking
Advantages
• Eliminates OS hardening (the management plane still needs restricted access and timely software updates)
• Facilitates network integration
• Ensures application interoperability
• Simplifies management
• Matches or exceeds the performance requirements of today’s networks
[Diagram: a purpose-built hardware platform (RISC CPU, memory, ASIC, interfaces) running a security-specific, real-time OS with dynamic routing, virtualization, high availability and centralized management, and integrated security applications: VPN, denial of service, firewall, traffic management.]
Purpose-built Architecture
• Purpose-built appliance: tightly integrated platform, OS, networking and applications (VPN, firewall, DoS); optimized for security performance
• Benefits: high throughput under load; quick VPN session establishment; accelerated IKE negotiation; low latency; improved security
• Security-specific processing: streamlined, linear packet processing; each processing component is optimized; applications and hardware optimized for security processing and performance
[Diagram: ASIC-based advanced architecture: security-specific processing and the CPU attached to a high-speed backplane with RAM and I/O (in/out), under a security-specific, real-time OS and integrated security applications.]
Alternative Architectures
• Alternative architecture characteristics: security applications added to a networking architecture; software applications on a general-purpose OS/platform
• Compare on the same characteristics as the purpose-built platform: throughput under load; speed of VPN establishment with IKE negotiation; latency; security
[Diagram: PC appliances/pseudo appliances: applications on a general-purpose OS, with CPU, RAM and bus, I/O (in/out), and an optional VPN co-processor.]
Life Cycle Management
• Manages device, network, and security
• Supports the entire device life cycle
• Enables delegation of roles, responsibility, and access
• Enables the network and security teams to work together
• Interact using CLI, web, or GUI

Management level by role, across the device life cycle (design/deploy, configure, monitor/maintain, upgrade/adjust):

Device (Ops Technician)
– Design, deploy: remote installation; initial configuration
– Configure: interface characteristics; management access; licenses; OS version
– Monitor, maintain: HW monitoring (interfaces up/down, fan failure, power failure)
– Upgrade, adjust: OS upgrade; device config changes

Network (Network Admin)
– Design, deploy: VPN modeling; L2/L3 specification; (routing)
– Configure: VPN config; route tables; routing; VLAN
– Monitor, maintain: VPN monitoring; network failure recognition and response; HA failover monitoring
– Upgrade, adjust: VPN model; adjust routing

Security (Security Admin)
– Design, deploy: define security of the entire network (all devices); permission definitions
– Configure: push device-specific policy out; RAS user management; admin management
– Monitor, maintain: attack log monitoring; consolidation; top attacks report; log investigation; reports
– Upgrade, adjust: signature updates; policy adjustment
Response Management Considerations
• New mind set: What is happening? What has happened? What may happen?
• Analyze: dictate exactly what traffic to analyze, what to look for in that traffic, and how to respond
• Network aware: network awareness is visualizing the entire environment
Understanding what happens in the network is critical!
Managed CPE-based IPSEC VPN
• A leased line costs $2,000-$3,000/month/branch vs. $200/month/branch for an IPsec VPN
• NTT-Com has an end-to-end VPN solution using MPLS and IPsec VPN
[Diagram: branches of customers A, B and C on ADSL with 5XP CPE build IPsec tunnels over the Internet to NTT-Com, which terminates them on NS-204/208 devices backed by RADIUS and carries them over its MPLS IP-VPN to the customer HQs (Cust. A HQ, Cust. B HQ, Cust. C).]
Managed Secure Broadband Service (PCCW)
• SME business problem: lack of IT resources/knowledge; need for business continuity; one-stop shop for service
• Secure broadband solution: increases service value; protects the customer network; provides security advice; CPE provides tangible value; account control; protects the PCCW network; keeps viruses/worms from spreading
• 4000+ secure broadband customers
[Diagram: PCCW centralized web-based manager controlling customer CPE connected to the Internet.]
Summary: Implementing Layered Security
• Defense in depth
• Attack protection: secure routers maintain network availability and manageability; a combination of FW, IDP and anti-virus detects a broad range of network and application attacks, with the ability to drop malicious packets to eliminate impact
• Appliance: performance and management considerations; high speed, high capacity, high availability
• Network integration: integrate BOTH networking and security applications and simplify deployment
• Management: capable of centrally managing the growing number of network and security devices, events, and responses