
Next Generation Security Solution


Juniper Day 2016
Praha, 25.5.2016
Karel Hendrych, Juniper Networks

Published in: Technology

  1. Juniper SRX update. Karel Hendrych (khe@juniper.net), Consulting Engineer
  2. Platform Updates: Virtual
  3. vSRX: Industry’s Fastest Virtual Firewall
     • 18G FW large packet (1514B), 4G FW IMIX
     • 2 vCPU (cores), lowest TCO, highest perf/core
     • ~80G FW (8 instances) large packet per server
     • VMware 5.5 + SR-IOV: 8 vSRX instances on a 2.4GHz Dell server
     • VMware 5.5 + SR-IOV: 1 vSRX instance on a 3.4GHz Dell server
     • 100G vSRX just got announced!
  4. vSRX 2.0 (15.1X49)
     Architecture diagram labels: vSRX VM; hypervisors (VMware, KVM); physical x86 CPU, memory & storage; adv services + flow processing + packet FWD (JEXEC); Junos kernel; QEMU/KVM; Juniper Linux (guest OS); SR-IOV; Junos control plane (JCP/vRE): MGD, RPD
     Feature parity to FFP (including firewall, AppSecure, UTM/IDP, VPN, NAT, routing, HA cluster, etc.)
     PLATFORMS
     • VMware 5.1, 5.5, 6.0
     • Ubuntu 14.04 (KVM)
     • CentOS 7.0 (KVM)
     • Contrail 2.2
     CHANGES
     • Name change to vSRX
     • Junos version change to 15.1
     • DPDK
     • SR-IOV
     • VMXNET3 and VirtIO (driver updates)
     • Linux base OS
     • 64-bit flowd
     • Dedicated management I/F
     • SCSI support
     • SNMP enhancements
     • VMTools
     • Min 4G vRAM and 8G HD
  5. Platform Updates: Physical
  6. SRX Series Services Gateways for Branch
     • All-in-one routing, switching and security in a single platform
     • Security at every layer with MACsec, IPsec and application security
     • Best end-user application experience and operational efficiency
  7. SRX3xx Portfolio Summary
     Models: SRX300 (retail office, up to 50 users); SRX320 (small branch, up to 50 users); SRX340 (mid branch, up to 100 users); SRX345 (mid-large branch, up to 200 users); SRX550 (large branch, up to 500 users)
     Performance* (values in slide order; the chart columns are SRX300, SRX320, SRX340, SRX345):
     • App Firewall*: 500 Mbps / 1 Gbps / 2 Gbps / 3 Gbps
     • Routing*: 500 Mbps / 1 Gbps / 1.7 Gbps / 2.5 Gbps
     • IPsec VPN*: 100 Mbps / 100 Mbps / 200 Mbps / 200 Mbps
     • NGFW**: 300 Mbps / 300 Mbps / 350 Mbps / 350 Mbps
     *Performance numbers for the IMIX packet size
     **NGFW = IPS + AppFW + External Logging
  8. SRX1500 Services Gateway
     • SRX1500 is a high-performance, cost-effective and highly available next-generation firewall
     • Provides outstanding protection with Sky ATP
     • Integrates networking & security in a single platform
     • High port density and small form factor
     • Targeted for: Enterprise Campus Edge, Data Center Edge, Branch Router
     Specification (SRX1500):
     • RAM / storage: 16GB / 16GB
     • On-board 1G ports: 16xGE (w/ 4x SFP)
     • On-board 10G ports: 4x SFP+
     • OOB management port: 1x GE
     • Acoustics: 66 dBA
     • SSD storage: 120G
     • Power supply: 1+1 400W PSU
     • Forwarding capacity: 1.8 Mpps
     • Routing / firewall: 5 Gbps
     • IPsec VPN (IMIX): 1.2 Gbps
     • IPS: 3.5 Gbps
     • NGFW: 1 Gbps
     • Concurrent sessions: 2,000,000
  9. SRX5400
     • Ideal for medium to large enterprises and Service Provider networks
     • Software security services: AppSecure and IPS; AV and web filtering
     • Next-generation, high-performance line cards
     Specification (SRX5400):
     • On-board ports: 100GE-CFP/CFP2, 40GE-QSFPP, 10GE-SFPP/XFP, 1GE-SFP
     • JUNOS software version support: JUNOS 15.1X49-D10
     • Firewall performance (w/ Express Path): 65 Gbps (480 Gbps)
     • Firewall performance IMIX (w/ Express Path): 32 Gbps (450 Gbps)
     • Firewall performance, firewall + routing PPS 64 byte (w/ Express Path): 8 Mpps (98 Mpps)
     • VPN performance, AES256 + SHA-1: 35 Gbps
     • AppSecure: 42 Gbps
     • Intrusion Prevention System: 22 Gbps
     • Connections per second (CPS): 450 K
     • Maximum concurrent sessions: 42 M
     • High availability: A/A or A/P
  10. SRX5k CPS with CP-lite, scaling up to 250M sessions!
     Chart: TCP CPS in KCPS at x-axis values 1, 4, 7, 10, 11
     • X49-D10: 213, 420, 420, 420, 420
     • CP-Lite: 230, 1060, 1815, 2240, 2500
  11. Software update
  12. Next-Gen Firewall Features on SRX
     • Application Reporting
     • Application Firewalling
     • Geo-IP
     • C&C & Reputation Filtering
     • User Firewalling
     • Intrusion Prevention
     • Web Filtering
     • Anti-Virus
     • Anti-Spam
     • Content Filtering
     • SSL Inspection
     • Cloud-based Anti-malware
  13. What is Sky Advanced Threat Prevention
     Diagram: Customer SRX; Juniper Cloud (Sky Advanced Threat Prevention Cloud: sandbox w/ deception, static analysis, ATP); Customer
     1. SRX extracts potentially malicious objects and files and sends them to the cloud for analysis
     2. Known malicious files are quickly identified and dropped before they can infect a host
     3. Multiple techniques identify new malware, adding it to the Known Bad list and reporting it to SecOps
     4. Correlation between newly identified malware and known C&C sites aids analysis
     5. SRX blocks known malicious file downloads and outbound C&C traffic
  14. The ATP verdict chain: staged analysis combining rapid response and deep analysis
     Suspect files enter the analysis chain in the cloud:
     1. Cache lookup (~1 second): files we’ve seen before are identified and a verdict immediately goes back to the SRX
     2. Anti-virus scanning (~5 seconds): multiple AV engines return a verdict, which is then cached for future reference
     3. Static analysis (~30 seconds): the static analysis engine does a deeper inspection, with the verdict again cached for future reference
     4. Dynamic analysis (~7 minutes): dynamic analysis in a custom sandbox leverages deception and provocation techniques to identify evasive malware
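The verdict chain on slides 13 and 14 is a cheap-to-expensive pipeline where every stage either decides or escalates, and every decision is cached by file hash so the next sighting of the same file is answered in the cache step. The following is an added example written for this page, not Juniper's or Sky ATP's code: the stage latencies are the nominal figures from the slide, and the sample files, AV signature, static rule and sandbox observations are all constructed stand-ins.

```python
"""Staged verdict chain: cheap stages first, first verdict cached by hash.

A stage returns a verdict ("clean"/"malicious") or None when it cannot
decide, in which case the file escalates to the next, slower stage.
Stage latencies are the nominal figures from the slide; everything else
(sample files, signatures, sandbox results) is constructed for the example.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

CLEAN, MALICIOUS, UNKNOWN = "clean", "malicious", "unknown"

# Constructed sample files (not real malware): an executable carrying a known
# signature, a plain document, and an executable with no static indicators.
KNOWN_BAD = b"MZ\x90\x00" + b"CONSTRUCTED-SIG-dropper" + b"\x00" * 16
BENIGN_DOC = b"Quarterly report: revenue up 3%, headcount unchanged."
EVASIVE = b"MZ\x90\x00" + b"\x00" * 32 + b"packed-section"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


AV_SIGNATURES = [b"CONSTRUCTED-SIG-dropper"]   # stand-in for the AV engines' signature sets


def antivirus_scan(data: bytes) -> Optional[str]:
    """A signature hit is a verdict; no hit is inconclusive, not 'clean'."""
    return MALICIOUS if any(sig in data for sig in AV_SIGNATURES) else None


def static_analysis(data: bytes) -> Optional[str]:
    """Constructed static rule: non-executables are cleared, executables with a
    suspicious import string are flagged, any other executable escalates."""
    if not data.startswith(b"MZ"):
        return CLEAN
    if b"CreateRemoteThread" in data:
        return MALICIOUS
    return None


# Constructed sandbox observations keyed by file hash, standing in for detonation.
SANDBOX_OBSERVATIONS: Dict[str, List[str]] = {
    sha256(EVASIVE): ["outbound connection to a known C&C address (constructed)"],
}


def dynamic_analysis(data: bytes) -> Optional[str]:
    """The sandbox always reaches a verdict: observed bad behaviour or clean."""
    return MALICIOUS if SANDBOX_OBSERVATIONS.get(sha256(data)) else CLEAN


@dataclass
class Stage:
    name: str
    cost_s: float                               # nominal latency from the slide
    analyze: Callable[[bytes], Optional[str]]


@dataclass
class VerdictChain:
    stages: List[Stage]
    cache_cost_s: float = 1.0                   # ~1 second cache lookup
    cache: Dict[str, str] = field(default_factory=dict)   # sha256 -> verdict

    def verdict(self, data: bytes) -> Tuple[str, str, float]:
        """Return (verdict, deciding stage, nominal seconds until the verdict)."""
        digest = sha256(data)
        elapsed = self.cache_cost_s
        if digest in self.cache:
            return self.cache[digest], "cache", elapsed
        for stage in self.stages:
            elapsed += stage.cost_s
            result = stage.analyze(data)
            if result is not None:
                self.cache[digest] = result     # later submissions hit the cache
                return result, stage.name, elapsed
        return UNKNOWN, "none", elapsed


def build_chain() -> VerdictChain:
    return VerdictChain([
        Stage("antivirus", 5.0, antivirus_scan),
        Stage("static", 30.0, static_analysis),
        Stage("dynamic", 7 * 60.0, dynamic_analysis),
    ])


if __name__ == "__main__":
    chain = build_chain()
    for label, sample in [("known bad", KNOWN_BAD), ("benign", BENIGN_DOC),
                          ("evasive", EVASIVE), ("evasive again", EVASIVE)]:
        print(label, chain.verdict(sample))
```

The point to take from the chain is in the `None` returns: an AV miss is not a clean verdict, so the file keeps escalating, and only the sandbox stage is allowed to clear an executable. The cache is what turns a 7-minute first sighting into a 1-second block on every later SRX.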
  15. SRX User Identity RESTful API (12.3X48-D30)
     • Built for Aruba ClearPass integration but can be used by 3rd parties
     • https://srxhostname/api/userfw/v1/
     • Posture values: Healthy(0), Checkup(10), Transition(15), Quarantine(20), Infected(30), Unknown(100)
     • Sources: “Aruba ClearPass”, “UAC”, “Active Directory”
     • IPv4 & IPv6 support
     • Timestamps: standard XML DateTime format (ISO8601)
     • Operations: logon, logoff or posture-update (for logon, role-list is a must for logoff)
     • Roles: a list of roles, maximum 200 with each 64 characters
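The slide lists the constraints an identity record has to satisfy (source names, posture values, IPv4/IPv6 address, ISO 8601 timestamp, operation, role-list limits) but not the request body itself. The following is an added example, not Juniper's or Aruba's code: a validation step a defender would run in front of whatever posts to the API, so malformed or oversized records are rejected before they reach the SRX. The dict field names (`operation`, `source`, `ip`, `timestamp`, `posture`, `roles`) and the rule that role-list is mandatory only for logon are assumptions of this example.

```python
"""Validate a user-identity record against the constraints on the slide.

The slide does not show the request body, so this stops at a validated
Python dict; the field names and the 'roles required only for logon' rule
are assumptions of this example, not the API's documented format.
"""
import ipaddress
from datetime import datetime
from typing import Any, Dict, List

API_BASE = "https://srxhostname/api/userfw/v1/"          # from the slide
POSTURES = {"Healthy": 0, "Checkup": 10, "Transition": 15,
            "Quarantine": 20, "Infected": 30, "Unknown": 100}
SOURCES = {"Aruba ClearPass", "UAC", "Active Directory"}
OPERATIONS = {"logon", "logoff", "posture-update"}
MAX_ROLES, MAX_ROLE_LEN = 200, 64


def parse_iso8601(value: str) -> datetime:
    """Accept ISO 8601 / XML dateTime; a trailing 'Z' is normalised to +00:00."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def validate_entry(entry: Dict[str, Any]) -> List[str]:
    """Return the list of constraint violations; an empty list means acceptable."""
    errors: List[str] = []
    op = entry.get("operation")
    if op not in OPERATIONS:
        errors.append(f"operation must be one of {sorted(OPERATIONS)}")
    if entry.get("source") not in SOURCES:
        errors.append("source must be Aruba ClearPass, UAC or Active Directory")
    try:
        ipaddress.ip_address(entry.get("ip", ""))          # IPv4 or IPv6
    except ValueError:
        errors.append("ip must be a valid IPv4 or IPv6 address")
    try:
        parse_iso8601(str(entry.get("timestamp", "")))
    except ValueError:
        errors.append("timestamp must be ISO 8601 (XML dateTime)")
    posture = entry.get("posture")
    if posture is not None and posture not in POSTURES and posture not in POSTURES.values():
        errors.append(f"posture must be one of {sorted(POSTURES)} or its numeric code")
    roles = entry.get("roles")
    if roles is None:
        if op == "logon":                  # assumption: role-list mandatory for logon only
            errors.append("role-list is required for logon")
    elif not isinstance(roles, list) or len(roles) > MAX_ROLES:
        errors.append(f"role-list must be a list of at most {MAX_ROLES} roles")
    else:
        for role in roles:
            if not isinstance(role, str) or not 1 <= len(role) <= MAX_ROLE_LEN:
                errors.append(f"role {role!r} must be 1..{MAX_ROLE_LEN} characters")
                break
    return errors


# Constructed sample record for a logon event.
SAMPLE_LOGON = {
    "operation": "logon",
    "source": "Aruba ClearPass",
    "ip": "2001:db8::10",
    "timestamp": "2016-05-25T10:15:00Z",
    "posture": "Healthy",
    "roles": ["employee", "vpn-user"],
}

if __name__ == "__main__":
    print(API_BASE, validate_entry(SAMPLE_LOGON))                 # []
    print(validate_entry({**SAMPLE_LOGON, "roles": ["r"] * 201}))
```

Rejecting the record locally matters because the role list is what drives user-firewall policy on the SRX: a truncated or overlong list silently maps a user to the wrong rules, which is harder to notice than an outright API error.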
  16. Custom AppID Signature (15.1X49-D40)
     • Types of custom signatures:
       • ICMP-based
       • L3/L4-based
       • Layer 7-based, with contexts: http-get-url-parsed-param-parsed, http-header-content-type, http-header-cookie, http-header-host, http-header-user-agent, http-post-url-parsed-param-parsed, http-post-variable-parsed, http-url-parsed, http-url-parsed-param-parsed, ssl-server-name, stream
  17. SSL Forward Proxy and UTM
     • 12.3X48-D25 and 15.1X49-D40 support UTM with SSL Proxy
     • No configuration changes on the UTM side; an ssl-proxy profile must be applied to the policy:
       […] policy trust-to-untrust match source-address any
       […] policy trust-to-untrust match destination-address any
       […] policy trust-to-untrust match application junos-any
       […] policy trust-to-untrust then permit application-services ssl-proxy profile-name ssl-inspection-p
       […] policy trust-to-untrust then permit application-services utm-policy junos-av-policy
       […] policy trust-to-untrust then permit application-services application-firewall rule-set block-app
       […] policy trust-to-untrust then log session-close
  18. Juniper site-to-site VPN Solutions update
     Use case / network topology / failover redundancy / traffic steering:
     • Auto VPN: large-scale hub and spoke; cluster hub/spoke; active-passive; active-backup; traffic selector with static routes (higher scalability); dynamic routing
     • Auto + AD VPN: on-demand spoke to spoke; dynamic any-to-any; cluster hub; cluster spokes (hierarchy); traffic selector with static routes (higher scalability); dynamic routing (OSPF)
     • Group VPN: any-to-any; full mesh; server cluster for key server protection; up to 4 servers in the same cluster; no overlay routing; advanced QoS for encrypted traffic
     Tunnel technology:
     • Auto VPN: tunnel-based VPN; st0 P2P with traffic selector; st0 P2MP with routing; IKEv1 and IKEv2
     • Auto + AD VPN: dynamic spoke-to-spoke tunnel; IKEv2
     • Group VPN: tunnel-less VPN; group protection; IKEv1
     Performance / scalability:
     • Auto VPN: up to 1 Gbps / 3 Gbps and 2000 tunnels (SRX1500); 15K tunnels with TS
     • Auto + AD VPN: 256 shortcut tunnels (SRX550M); 512 shortcut tunnels (SRX650 and above)
     • Group VPN: 4000 group members per server; 16K per cluster
  19. Management
  20. Junos Space Security Director 2.0: graphical, intuitive, network-wide visibility
     • Firewall Policy
     • Threat Map
     • Events and Logs
     • Application Visibility
     • Dashboard
     https://www.youtube.com/watch?v=IN0g7SUfFQ0
  21. …smarter and faster. Big = More.
  22. Future
  23. Software Defined Secure Network Vision
     • Detection: unify and rate threat intelligence from multiple sources
     • Policy: create and centrally manage security policy through a user-intent based system
     • Enforcement: enforce policy in near real time across the network; ability to adapt to network changes
     Business needs view: users & roles; departments & sites; devices; applications
     IT view: switch ports; VLANs; ACLs; IPs/subnets; VRFs; ACLs; firewall zones; rules; users & apps; threats; location
  24. Thanks!