Security Solutions for Banking & Finance


Presentation of Juniper Networks' security solutions for Banking & Finance

Published in: Technology

  • Each successful exploit has three parts, the attacker, the threat type and the target, and we continue to see change in each. Attacker: in 2005 we saw a shift from attackers wanting notoriety to attackers wanting profit. Today cybercrime is fully organized, and crime syndicates are out to profit from attacks. These attackers are well funded, use sophisticated, purpose-built tools and target organizations purely for profit. While this is nothing new, what we see today is a move from attacking ".gov/.com" to attacking ".me/.you". Attackers are becoming increasingly sophisticated and profile not only companies but also individuals. They understand that we all have online identities but also "physical profiles" or "connection points", the places we connect to the internet from: work, an internet café, an airport lounge, home. They have realized that our defenses are often down or weak at some of those connection points, and that compromising an individual's device works well outside the workplace. If you can infect a business user at an internet café and have them walk that device into the enterprise, you can infiltrate the enterprise infrastructure and bypass many of the defenses in place today. Attackers understand this and have adapted their behavior. Threat: the threat landscape is also changing, both in the types of attacks and in the sophistication and maturity of existing attacks. As expected, we continue to see new attack types built to bypass the latest technologies enterprises deploy. Historically, the first large virus outbreak was on the Apple II in 1981. Since then there have been many well-documented outbreaks, including the "ILOVEYOU" worm in 2000, SQL Slammer and Blaster in 2003, and countless worms, trojans and other forms of malware. Today, DoS has given way to DDoS, and newer threats such as rootkits and botnets have taken hold.
The most recent threat is the APT, which is not only a new type of threat but a new way to profile and attack networks, systems and organizations. Alongside new attack types, existing ones are morphing. A few years ago the majority of malware was in cleartext and could often be detected by AV or IDP solutions; today over 80% of malware uses encryption, compression or file packing to bypass traditional AV or IDP technologies. Target: finally, attack targets have changed significantly. Over the past few years there has been an explosion in the devices attackers target, from smartphones to tablets to cloud services. What is particularly interesting about these new targets is the variation in platform architecture, from more secure, closed platforms such as the iPhone to more open platforms such as Android. The other primary change is in the types of applications being attacked. Historically most attacks focused on traditional corporate application servers and productivity applications such as Office. Today we have seen a significant shift to Web 2.0 applications and social networking apps, where attackers take advantage of the trust relationship built among online users. They understand that users tend to trust links other users send within these applications and have used that as a vector for malware. Transition: the challenge for enterprises today is how to address new and emerging threats in a way that is scalable and does not significantly drive up cost.
  • Juniper's Always Protected Framework provides the critical components for securing your most valued assets through a combination of restored visibility with security context and coordination, flexible deployment options that fit the unique deployment models of your enterprise and reduce cost, and greater security with broad coverage that protects from the device to the data center. This framework goes hand in hand with our Simply Connected Enterprise Solutions to extend the overall value Juniper can bring to your enterprise.
  • What Are the Trends? Of course attackers go after the weak spots, not the strong spots, simply for efficiency and simplicity.
  • Compliance vs. Security: Along those same lines we get into a conversation of compliance vs. security. Where we had just port-based firewalling, that is a security feature; there is some compliance in there, but it is first and foremost a security appliance. As we get into more advanced URL filtering and application-based filtering, we have a separate discussion. For example, I am not going to write a security policy that says if viruses come into my network, block them if they are going to Bill but allow them through if they are going to Joe. Security policy tends to be: block the bad stuff and then filter the rest. Compliance is: allow John to surf the Internet but do not let Bill go to Facebook, because he will waste his day playing social media games. So what used to be a pure security play now mixes in compliance, productivity and employee-based controls. It is important to have the discussion about how much security you need, where and why, and how much compliance you need, where and why, and then build a balanced solution that covers both. We have seen vendors in the market effectively selling a compliance solution and calling it security, or selling a security solution and calling it compliance. We need to balance those two aspects so that once the install is done and you have walked away, the client is secure and compliant, feels good about the purchase and keeps coming back for upgrades and future business.
  • Leaky Application Firewalls: One of the central points in the compliance vs. security discussion is that pure application-based firewalling as a technology (not port-based, purely application-based) leaks data. It is a compliance solution, not a pure security solution. What do I mean by this? Suppose we stand up an HTTP server on port 80, but the firewall is no longer port aware; port awareness is the past and we are all application aware now. We set up an application firewall that says permit HTTP. I send a SYN packet to the server on, say, port 23; we are not port based, so the port does not matter. The application firewall looks at that SYN on port 23 and asks: is this HTTP? There is no application associated with a SYN; it is just a TCP setup message. Does it block it or pass it? If it blocks it there will never be any application traffic, HTTP or otherwise, so it has to pass it. The SYN hits my HTTP server; nothing is listening on port 23, so the server sends a RST. Again the application firewall looks at it, finds no application associated with the reset, and passes it. You just let me port scan your server from the Internet. Now I know for sure there is a server there and that it is not running port 23, so I can keep probing; I am now interested in you, and that is a bad thing from a security perspective. Taking it one step further, if you have an application running on port 22, say SSH, I send a SYN on port 22; the application firewall sees no application associated with the SYN and passes it, and I get a SYN-ACK in reply. Now I know there is a server there and that it is running something on port 22. The client sends an ACK back and starts sending application traffic.
The application-based firewall has to see a couple of packets, 1, 2, 3 or maybe even 4, before it can conclusively identify that the traffic is not HTTP. Once it has identified that conclusively, it can drop the session. The attacker on the Internet sees everything up to conclusive identification minus one packet, so if identification takes two packets, the attacker sees one, which may be enough for a best guess. The application firewall must be certain the traffic is not HTTP before it can interrupt the conversation; the attacker does not have to be certain before he begins to fingerprint your system and learns what you are running. So a pure application firewall leaks a fair bit of data. This is why we still want port-based security in place.
  • Layered Security: Once we put port-based security on top of, or in front of, the application-based firewall (typically we want port- and application-based firewalling in the same box), we can build a policy that says, for instance, permit port 80 HTTP traffic. We block anything that is not port 80, all the junk out there, all the probes and inappropriate traffic, and anything that does come in on port 80 is also run through application identification to make sure it is HTTP. We filter the junk out at the start rather than letting it through while we determine what the application is. This is defense in depth: if you get a new alarm system, you do not stop locking the doors on your house; you add layers of security, you do not take them away. Port-based firewalling has been around a long time and is not exciting or sexy anymore, but that does not mean it does not have a serious place in network security.
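The probe sequence described in the two notes above, as an added example that is not part of the original slides or of any Juniper product code: a toy application-identification engine that needs two payload-bearing packets before it can classify a flow (an assumption standing in for the "1, 2, 3 or maybe 4 packets" in the talk), a port-unaware firewall with the policy "permit HTTP", the same firewall with a port 80 rule in front of it, and a scanner that walks ports 22, 23 and 80 through each. The server, its ports and its banners are constructed for the example.

```python
from dataclasses import dataclass

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")


@dataclass
class Packet:
    """One TCP segment; 'c2s' is scanner -> server, 's2c' is the reply."""
    server_port: int
    direction: str          # "c2s" or "s2c"
    flags: str              # "SYN", "SYN-ACK", "ACK", "RST" or "PSH"
    payload: bytes = b""


class AppIdEngine:
    """Toy L7 classifier. It can only decide after PAYLOAD_PKTS_NEEDED
    payload-bearing packets (assumption standing in for the '1, 2, 3 or
    maybe 4 packets' in the talk); until then its verdict is None."""
    PAYLOAD_PKTS_NEEDED = 2

    def __init__(self):
        self.buf, self.payload_pkts, self.verdict = b"", 0, None

    def feed(self, pkt):
        if pkt.payload:
            self.buf += pkt.payload
            self.payload_pkts += 1
        if self.verdict is None and self.payload_pkts >= self.PAYLOAD_PKTS_NEEDED:
            self.verdict = "HTTP" if self.buf.startswith(HTTP_METHODS) else "UNKNOWN"
        return self.verdict


class PureAppFirewall:
    """Policy 'permit HTTP' with no port awareness. Anything the engine cannot
    classify yet has to be passed, otherwise no session could ever start."""
    def __init__(self):
        self.engines = {}

    def allow(self, pkt):
        verdict = self.engines.setdefault(pkt.server_port, AppIdEngine()).feed(pkt)
        return verdict is None or verdict == "HTTP"


class LayeredFirewall(PureAppFirewall):
    """Policy 'permit port 80 and HTTP': the port rule drops the SYN before
    the application engine ever has to shrug."""
    ALLOWED_PORTS = {80}

    def allow(self, pkt):
        return pkt.server_port in self.ALLOWED_PORTS and super().allow(pkt)


class Server:
    """Constructed target: SSH on 22 (server speaks first), HTTP on 80, nothing on 23."""
    BANNERS = {22: b"SSH-2.0-OpenSSH_8.9\r\n", 80: b""}

    def respond(self, pkt):
        port = pkt.server_port
        if pkt.flags == "SYN":
            return Packet(port, "s2c", "SYN-ACK" if port in self.BANNERS else "RST")
        if pkt.flags == "ACK" and self.BANNERS.get(port):
            return Packet(port, "s2c", "PSH", self.BANNERS[port])
        if pkt.flags == "PSH" and port == 80:
            return Packet(port, "s2c", "PSH", b"HTTP/1.1 200 OK\r\n\r\n")
        if pkt.flags == "PSH" and port == 22:
            return Packet(port, "s2c", "PSH", b"\x00\x00\x04\x0c\x0a\x14")   # KEXINIT-like
        return None


def probe(fw, server, port):
    """Scan one port through fw. Returns (state, bytes the scanner saw from
    the server), i.e. exactly what leaked to the attacker."""
    seen = b""

    def send(pkt):
        if not fw.allow(pkt):
            return None
        reply = server.respond(pkt)
        return reply if reply is not None and fw.allow(reply) else None

    reply = send(Packet(port, "c2s", "SYN"))
    if reply is None:
        return "filtered", seen             # no answer at all: the firewall ate it
    if reply.flags == "RST":
        return "closed", seen               # host is up, port is not
    reply = send(Packet(port, "c2s", "ACK"))
    seen += reply.payload if reply else b""
    first_data = b"GET / HTTP/1.1\r\n\r\n" if port == 80 else b"SSH-2.0-scanner\r\n"
    reply = send(Packet(port, "c2s", "PSH", first_data))
    seen += reply.payload if reply else b""
    return "open", seen


def scan(fw, ports=(22, 23, 80)):
    """Port-scan the constructed server through the given firewall."""
    server = Server()
    return {port: probe(fw, server, port) for port in ports}


if __name__ == "__main__":
    for name, fw in (("pure app-ID", PureAppFirewall()), ("port + app-ID", LayeredFirewall())):
        print(name)
        for port, (state, leaked) in scan(fw).items():
            print(f"  {port:>3}: {state:<8} leaked={leaked!r}")
```

Through the pure application firewall the scanner learns that port 23 is closed (the RST comes back), that port 22 is open, and it even collects the SSH banner, because that banner is the first payload packet and the engine cannot decide until the second. With the port rule in front, 22 and 23 simply never answer, and only port 80 is subjected to application identification.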
  • AppSecure Service Modules: AppSecure, Juniper's implementation of application-based security, is built around our application identification engine. It was released with IDP 4.0 three or four years ago, and we could write application-aware IPS policies back then. The challenge on the SRX was that AppID was part of IPS, so traffic had to go through the firewall engine, the IPS engine and the AppID engine, then be spun back around through the firewall engine again: a strange packet flow with high latency and a lot of overhead. So we recently pulled the AppID engine out, and it now runs as a service on the SRX. The core of AppSecure is the AppID engine: we identify the application and then act on it. AppTrack tracks what the applications are (bytes in, bytes out, session duration); AppFW permits or denies; AppQoS sets DSCP bits; AppDoS is intelligent, application- and context-aware denial-of-service protection; and IPS still has application-aware features of its own.
  • SSL Proxy: As a side note, the high-end SRX can today do both reverse and forward proxying for SSL. With the reverse proxy the typical scenario is that I have a web server and want to run IPS on the HTTPS traffic coming in. We load the server's private key onto the SRX; encrypted traffic comes in, the SRX makes a copy of it, decrypts the copy and runs IPS services on it to identify anything bad going in. Because this works on a mirrored copy it is not inline IPS; it is closer to IDS-style detection than active inline prevention. With the SSL forward proxy we set up a trust relationship with the client browsers: when clients browse out over HTTPS, the SRX terminates the session and builds a new SSL session out to the destination server, so the SRX performs AppSecure on cleartext traffic.
  • Redirecting Traffic: It is important to note that for authentication, whether single sign-on or the captive portal, we need to use the unauthenticated role (or the any role, but preferably the unauthenticated role) to let users reach the Infranet Controllers so they can get authenticated. They need to be able to reach their Active Directory server and their Infranet Controller before they are authenticated, in order to get authenticated and then match role-based rules.
  • AD Authentication Workflow: How does this work? From an Active Directory perspective, single sign-on is an available option. A user tries to browse through the SRX to a protected resource. The SRX pushes back an SPNEGO redirect to the client's web browser; modern browsers all support SPNEGO, and the last few versions of Internet Explorer, Chrome and Firefox are fully supported. The SPNEGO redirect tells the client to contact its Active Directory server and obtain a Kerberos ticket. The Active Directory server authenticates the client and issues a Kerberos ticket, which is then sent to the Infranet Controller. The Infranet Controller looks up the user, gets the role information from the AD server and pushes all of that down to the SRX so we can match policies based on that user. If the option is enabled, we keep that browser window open to run AJAX keep-alive scripts with the IC and open a second browser window to the user's original destination, so it is effectively seamless, with the AJAX mechanism doing heartbeats as a keep-alive in the background.
  • Why a Two-Box Solution? Why do we do it this way? Why do we need a two-box solution when some of our competitors just put a nice little agent on the Active Directory server? Wouldn't it be great to do that? It would, but here is a scenario: I log in to Active Directory, and Active Directory records my username and my IP address. I close my laptop, disconnect from the network or my desktop crashes. Active Directory does not care that there was a change on the network; it has its own authentication mechanisms, designed to protect Windows-based resources with Kerberos and other authentication going on in the background, and it does not care that I disconnected. Later I bring my computer back up, or roam to a different wireless AP and get a different IP, and access an Active Directory resource. It notes that my IP address has changed, but again it does not care. Network information, the IP address specifically, is something it merely records; it is not designed to actively check your network state. So between steps 2 and 3, I have logged into Active Directory, which is tracking my user ID and IP, and then I disappear from the network: I close my laptop, my desktop crashes, whatever. Someone else comes in behind me and attaches to the network but does not log into Active Directory (for instance, I use a Mac and never log into AD). If they happen to get the same IP, because DHCP is tight on addresses and reassigns it, or because they had that address statically configured earlier and never released it properly, or because they are malicious, Active Directory is not aware that the user behind that IP is any different from what it was.
All it knows is the Active Directory calls it sees; there is no log message, no network sniffing, nothing that tells Active Directory the user is different. If we write an agent that sits on an Active Directory server, it is very difficult to check that network state. We are working on it because we want a clean one-box solution; maybe we will port some of this code onto the SRX, maybe we will build it into an Active Directory agent. We are trying to address that as a sales concern. But from a technology perspective the cleanest solution is the one we already have. We already have the Infranet Controller, designed to do the SPNEGO redirect or a captive-portal login so we can confirm who you are now, and we can keep that window open and run the AJAX script that does keep-alives with the Infranet Controller to check network state, so we know you are still you over time. That way, if you disconnect or your box crashes and the keep-alives fail, the Infranet Controller knows you have dropped off the network from its perspective and flushes the security policies, so we stay secure going forward.
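The stale IP-to-user binding described in the two notes above, as an added Python example rather than code from the Infranet Controller or the SRX: an agent-style table that records the binding at logon and never revisits it, next to a table that requires keep-alives from the authenticated user and flushes the binding when they stop. The roles, resources, addresses, timings and the 30-second timeout are all assumptions made for the example.

```python
from dataclasses import dataclass

# Role-based policy: which role may reach which resource (constructed example).
ROLE_POLICY = {
    "finance": {"ledger", "auth-portal"},
    "unauthenticated": {"auth-portal"},
}


@dataclass
class Binding:
    user: str
    role: str
    last_seen: float    # time of logon or last keep-alive, in seconds


class AgentStyleTable:
    """Models the 'agent on the AD server' approach: an IP-to-user binding
    is recorded at logon and never re-validated, because AD sees logons,
    not link state."""
    def __init__(self):
        self.bindings = {}

    def login(self, ip, user, role, now):
        self.bindings[ip] = Binding(user, role, now)

    def heartbeat(self, ip, user, now):
        pass                        # nothing to refresh: AD does not track presence

    def lookup(self, ip, now):
        return self.bindings.get(ip)


class HeartbeatTable(AgentStyleTable):
    """Models the Infranet Controller approach: the binding is created at
    SSO/captive-portal logon and kept alive only by periodic keep-alives
    from the same user; a binding with no keep-alive for `timeout` seconds
    is flushed, and the IP falls back to the unauthenticated role."""
    def __init__(self, timeout):
        super().__init__()
        self.timeout = timeout

    def heartbeat(self, ip, user, now):
        b = self.bindings.get(ip)
        if b is not None and b.user == user:
            b.last_seen = now       # only the authenticated user can refresh it

    def lookup(self, ip, now):
        b = self.bindings.get(ip)
        if b is not None and now - b.last_seen > self.timeout:
            del self.bindings[ip]   # stale: flush the policy for this IP
            return None
        return b


def role_for(table, ip, now):
    b = table.lookup(ip, now)
    return b.role if b is not None else "unauthenticated"


def is_allowed(table, ip, resource, now):
    return resource in ROLE_POLICY[role_for(table, ip, now)]


def simulate(table):
    """Scenario from the talk: alice logs in on 10.0.0.5, her laptop goes to
    sleep, and bob (a Mac user who never logs in to AD) later gets the same
    DHCP lease. Returns whether bob's request for the ledger is allowed."""
    ip = "10.0.0.5"
    table.login(ip, "alice", "finance", now=0)
    for t in (10, 20):                              # keep-alives every 10 s while alice is up
        table.heartbeat(ip, "alice", now=t)
    assert is_allowed(table, ip, "ledger", now=25)  # alice herself is fine
    # t=30: alice closes the lid; no more keep-alives from her.
    # t=70: bob plugs in, DHCP hands him 10.0.0.5, he never authenticates.
    table.heartbeat(ip, "bob", now=70)              # a forged keep-alive must not help either
    return is_allowed(table, ip, "ledger", now=70)


if __name__ == "__main__":
    print("agent-style table lets bob into the ledger:", simulate(AgentStyleTable()))
    print("heartbeat table lets bob into the ledger:  ", simulate(HeartbeatTable(timeout=30)))
```

The only difference between the two tables is that the second one needs positive evidence, a keep-alive from the user who actually authenticated, to keep the binding; absence of evidence flushes it. That is the property the note argues an agent on the AD server cannot provide on its own.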
  • Slide 3: The World is on the Move. Most business networks were designed to support specific IT-owned applications over wired ports using dedicated VLANs, and many have not had a significant update in five years or more. Applications are bolted to the network, and wireless was designed as a secondary overlay network. Mobility makes this model obsolete by changing the way content is consumed. Today most network connections are wireless, and users employ a mix of personal and corporate, cloud-based and user-chosen devices and applications. Mobility has forced enterprises to shift their security strategy away from a perimeter, "protect your borders" approach, recognizing that borders are now global and that their vulnerabilities are actually internal. This changes the way they think about and deploy security. Applications are no longer slow and stable but fast and evolving, and users choose their own. As a result, today's enterprise is struggling to balance the risks posed by mobility, BYOD and fast-evolving cloud services against the safety and security of network resources. Segregated networks with dedicated VLANs cannot support the collaboration users demand today.
  • Mega Trend: Server Virtualization. It is pretty clear that server virtualization is here to stay. It is extremely uncommon to walk into an enterprise today and not find virtualization there in a big way; it is no longer just test/dev off in some remote corner of the business. It is fundamental to enterprises and to service providers. This IDC slide is a couple of years old now, but it is simple: physical server roll-outs are flattening out while virtualized server deployments are growing rapidly, to the point of 2x the physical server deployments. There are lots of good reasons for that, all the things that come with virtualization: saving power, dynamically allocating resources across your server infrastructure to squeeze every last cycle out of the physical servers, and operational management, such as live-migrating VMs across hosts, which changes the way server admins work. There are no longer crazy demands for off-hours windows just to add memory to a server; you migrate the virtual machines off and take the host down, and in many cases people do that in the middle of the day because the technology is so robust and proven. Clearly here to stay; the one thing to remember is that security has to be incorporated into this rapid server virtualization, and customers have to understand that as they virtualize more sensitive workloads, security needs to move in lock step.
  • Other Virtualization Platforms: Hyper-V, KVM and Xen are gaining momentum for various reasons. On the KVM and Xen front there is a lot of backing and a lot of work being done, and Red Hat's systems are obviously based on KVM: with RHEV-M and RHEV-H the stock Linux KVM has been taken, modified and improved into standalone virtualization products from Red Hat. Then there are the Xen and Citrix pieces; customers use each of these for various reasons, such as service providers wanting to avoid VMware licensing fees, and so on. We are seeing this play out and make things tougher for VMware. From the Hyper-V and Microsoft perspective, a lot happened in 2012. I was in Orlando for the TechEd conference and there is a lot of catch-up that has happened on features; it is becoming very feature comparable and in some cases, version for version, more feature rich on the Hyper-V side. Couple that technology catch-up with Microsoft being very aggressive on pricing and licensing in a way that makes switching platforms compelling from a cost perspective. So there is real contention over which platforms will be around. From a Juniper perspective we really do not care: we do not sell a virtualization platform, we sell a security layer for this environment. Yes, we need to be on the most important platforms, but our long-term goal is to be across all of them, so that a customer who in many cases has multiple hypervisors in a single environment can be confident that whatever security solution they select will work across all of them. That is important to our strategy going forward for both products.
  • In a typical tree network the location of an application can have a significant impact on performance. [click] Ideally an application should be no more than one hop away from its data, i.e. co-located on the same switch, for optimal performance. We call this area of optimal performance "the bubble". But switches have physical limits, and often we must locate the application outside the bubble. [click] This is when the network can have a significant negative impact on application performance. [click] And the farther away we locate it, the worse it gets. Although this is a great concept, it is practically never implemented because the bubble is so small. By definition the bubble is limited to a single switch. If we assume a 48-port top-of-rack switch with eight ports facing up to the aggregation layer, we have 40 server-facing ports, and with several NICs per server that leaves a bubble of roughly ten servers or fewer. Not big enough to be of any real use. We need to fix this problem.
  • Another problem with the tree architecture is that if we introduce a security appliance into the tree hierarchy, it casts a shadow over that part of the network. [click] If we move a VM within the shadow, the VM can still take advantage of the services that appliance delivers. [click] But if the VM moves out of the shadow, at best it is unprotected, and at worst you have lost it. So another way of viewing the job of managing the data center is managing the intersection of bubbles and shadows.
  • Traditional data centers generally employ a one OS/application per server model. As we can see here, this can be highly inefficient. I've known situations where an application that runs one hour per week sits on its own server. This is a true waste of resources. Today the vast majority of data centers are implementing server virtualization and consolidation programs. [click] Using virtual machine technologies called hypervisors, they can run multiple OS/application pairs on a single server, achieving better cost efficiency not only through reduced equipment costs but also through savings in power, cooling and space. There are several vendors of virtual machine technology, with VMware the leader in this space. [click] New applications can be provisioned in minutes, sharing existing resources and increasing cost efficiency. [click] But as application demand grows we can reach the limits of a single server. When this happens we could manually move an application to a new server, but this takes time and can violate the always-responsive requirement. This is where networking and clouds enter the picture. [click]
  • Market Summary & Challenges: From a market summary, just a couple of quick examples.
  • Security Implications of Virtualization: Let's get into the heart of the discussion: why do we care about security in a virtualized environment, and what is going on that would necessitate these special solutions? We know virtualization is happening and that our customers are choosing different platforms. What does it really mean from a security perspective, and what are the implications? When we first started developing the solution I would sit down with execs and leaders of IT staffs and ask them about their virtualized environment: what is the top protocol in use on your current switch? How do you know that virtual machines that came from different departments in the physical world are not intermingling in ways you do not want? How do you deal with antivirus in this space? In many, many cases these questions were really hard for them to answer. They did not know what was happening on their virtual network, and they did not know what security mechanisms had been put in place to lock things down. The reason is that it is not just the servers being virtualized; it is the network as well. You have virtual switches, virtual interconnects and virtual NICs, and you are consolidating all of that, but you are not always taking the security controls you have in the physical world and virtualizing them too. That disconnect creates a blind spot in visibility into what the VMs are doing, and potentially a blind spot for security devices.
It used to be segmented by buildings and network ports and so forth, and a lot of that disappears in this very dynamic environment, where VMs move from server to server and virtual machine admins decide which VM gets put into a particular port group. It is quite different from what happens in the physical world. That is the fundamental thing we want to address, and we want to do it efficiently: when VMs come up we want to understand what they are doing and give them a policy that lets them do what they are supposed to do and nothing else.
  • Customers are not just trying to virtualize a few servers at small scale, as in the previous slides. They are adopting virtualization in high volume on their internal networks (building private clouds), and they are even exploring hosting VMs off premise and bursting between locations (building hybrid clouds). Service providers are dealing with requests to isolate hosted VMs and provide security guarantees in this very dynamic environment. The demands of this computing model dictate a solution that is integrated, flexible, scalable and efficient. Let's look at some of the specifics of vGW.
  • We looked at different kinds of traffic flows earlier. This is a logical network diagram of a virtualized environment: on the access tier you may have a set of VLANs going to the core Virtual Chassis, and on the core Virtual Chassis we create virtual routers, VR1 and VR2, for different segments. Traffic that stays within VR1, on the set of VLANs permitted in VR1, does not go to the firewall; traffic that crosses virtual routers, from VR1 to VR2, goes through the firewall. This matters in many places: in many RFPs we see the requirement for a virtualized data center with segmentation and control through a single point of entry governed by a security policy, and this is one way to meet those requirements. We'll look at these traffic flows in the next section, exploring how they are supported within a data center and across data centers. When you can support these traffic profiles across data centers, you have agility of resources across data centers, which is one of the essential requirements of cloud readiness or an agile environment.
  • Now we'll look at the intra-segment, intra-DC traffic flow. As you can see from the animation, there are resources on two different access-tier switches; the traffic goes to the core and comes back down to the other access tier, but it does not go through the firewall. This environment does not require stateful security or IDP inspection; higher performance and lower latency matter more, even though the resources are on two different access tiers. Resources on the same access tier may talk to each other directly, but if there are more resources and they sit on other access switches for any number of reasons, you can still meet performance criteria because that traffic does not have to go through firewall services. This is a very basic flow. Next we'll look at intra-segment, inter-DC traffic.
  • In the intra-segment, inter-DC case, both sides have a VR1, the green set of VLANs. When this access tier sends traffic to the other data center, the traffic goes through a VLAN extension toward the MX and onto the VPLS network. The same VLAN traffic, Layer 2 broadcast or unicast, arrives at the other data center's access-tier switch. This supports Layer 2 extension: both sides are the same L2 broadcast domain, so it supports vMotion or VM mobility, data applications, or any application that requires Layer 2 extension across data centers. This traffic does not go through the firewall (other traffic types may still be steered to it). This is one of the important use cases that differentiates the solution: with the MX and the building blocks we looked at earlier, we can build an end-to-end Layer 2 flow that does not go through the firewall and meets the performance requirements. We have a technical article you can refer to on enabling the Layer 2 services and getting more benefit from the MPLS network.
  • The third type of traffic flow is from the green VLAN to the blue VLAN. In this example the resources are on the same access tier, yet the traffic goes to the core switch, goes to the firewall, is controlled by the zone security policy across those two zones, and comes back out of the virtual router. So even when resources are on the same access tier, you can still control the traffic between them according to the security requirement: you can allow it or separate it, and you can further virtualize the SRX cluster with virtual routers or logical systems and create a completely segmented data center where this traffic never even sees the other side. This is one way to achieve a virtualized data center environment. That flow was within the data center, across two segments. How does the flow work across sites? If one of the segments is extended to the other data center and, for whatever reason, resources on these two segments need to talk to each other across data centers, how are the firewalls handled? That is what we'll look at next.
  • This traffic is from the green VLAN going to the blue VLAN, however the blue VLAN resources are on the other Data Center. So traffic will go through the VR1 go through the zone. And there is another zone going through so that traffic passes through virtual router on the MX which is connected to this side using a L3VPN configuration and it goes to the SRX cluster on the other Data Center One of the reasons the traffic is going through both SRXs or the security services is we can control from one side of SRX to other side of SRX, however that will require some routing policies, but at the same time you can not have a configuration so that any one side originates or picks the firewall on the origination side. The reason is if you do that then the return traffic will create asymmetric routing and the session may be dropped. One way to achieve it as it currently is configured is to go through both SRXs. We can always explore the options if any further optimization is required or necessary on the customer side depending on the amount of traffic and how many resources it is taking. You can decide if you want to create more control and optimize this traffic flow.
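As an added illustration (not Juniper's configuration or code), the following Python model shows why the return path matters for the inter-DC green-to-blue flow described above: a stateful firewall forwards only packets that match a session it created itself, so a SYN-ACK that comes back through a different SRX than the SYN went out through is dropped. Firewall names, addresses and the permit-every-SYN policy are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, int]              # (address, port)
FiveTuple = Tuple[str, int, str, int]   # (src, sport, dst, dport), protocol TCP implied


@dataclass
class StatefulFirewall:
    """Minimal model of an SRX-style stateful firewall: a flow is admitted by policy on
    its first packet (a bare SYN) and a session is created; every later packet, in either
    direction, must match a session on *this* box or it is dropped."""
    name: str
    sessions: Set[FiveTuple] = field(default_factory=set)
    drops: List[str] = field(default_factory=list)

    def inspect(self, src: Endpoint, dst: Endpoint, flags: str) -> bool:
        key = (src[0], src[1], dst[0], dst[1])
        reverse = (dst[0], dst[1], src[0], src[1])
        if key in self.sessions or reverse in self.sessions:
            return True                    # existing session: fast path
        if flags == "SYN":                 # assumption: zone policy permits green -> blue
            self.sessions.add(key)
            return True
        self.drops.append(f"{self.name}: {flags} {src[0]}:{src[1]}->{dst[0]}:{dst[1]} has no session")
        return False


def tcp_handshake(forward_path: List[StatefulFirewall], return_path: List[StatefulFirewall],
                  client: Endpoint = ("10.1.0.10", 40000),
                  server: Endpoint = ("10.2.0.20", 443)) -> bool:
    """Push SYN along forward_path, SYN-ACK back along return_path and the final ACK forward
    again. True only if every firewall on every leg accepted the packet."""
    legs = ((forward_path, client, server, "SYN"),
            (return_path, server, client, "SYN-ACK"),
            (forward_path, client, server, "ACK"))
    for path, src, dst, flags in legs:
        for fw in path:
            if not fw.inspect(src, dst, flags):
                return False
    return True


def run_scenarios() -> Dict[str, bool]:
    """Constructed topologies: one SRX cluster per Data Center."""
    results = {}
    dc1, dc2 = StatefulFirewall("SRX-DC1"), StatefulFirewall("SRX-DC2")
    # Each side uses only its local firewall: SYN via DC1, SYN-ACK via DC2 -> asymmetric.
    results["originating-side-only"] = tcp_handshake([dc1], [dc2])
    dc1, dc2 = StatefulFirewall("SRX-DC1"), StatefulFirewall("SRX-DC2")
    # Traffic traverses both clusters in both directions (the configuration described above).
    results["through-both"] = tcp_handshake([dc1, dc2], [dc2, dc1])
    dc1 = StatefulFirewall("SRX-DC1")
    # Intra-DC flow: a single firewall sees both directions.
    results["single-firewall"] = tcp_handshake([dc1], [dc1])
    return results


if __name__ == "__main__":
    for scenario, ok in run_scenarios().items():
        print(f"{scenario:24} handshake {'completes' if ok else 'FAILS'}")
```

The session table is the whole point: the second SRX never saw the SYN, so the SYN-ACK is an out-of-state packet to it and the TCP handshake never completes, which is the "session may be dropped" outcome the notes warn about.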
  • Competitive Positioning. Let's just look a little bit more at the competitive positioning.
  • This is the way we manage networks today. We send out the Mongolian Hordes of network administrators and tell them "Go build networks and keep them running! And don't come back until you're finished." Which, of course, they never are. So we keep adding manpower ad infinitum. Not a good way to manage anything.
  • The Smartest Way to Protect Websites and Web Apps from Attacks. Thank you for learning about Mykonos. We started Mykonos to solve a problem of web application security that no one had yet solved: how do you get visibility into an attacker on your website right now? Mykonos uses intrusion deception to detect an attacker before the actual attack. Think about the five stages of an attack. The first stage is reconnaissance: the attacker goes around the site looking for holes. The second is the scripting phase, where they try to write the attack. The third is the execution of an individual attack. The fourth is the automation phase, as they try to bring that attack up to large volume. And finally there is a maintenance phase: as you try to close the hole, the hacker tries to keep it open. Every security solution before Mykonos was focused on phases three and four: how do I stop an attack or an automated attack in process? Mykonos moves that to phase one: how do I look for the bad behavior, the reconnaissance an attacker does, so that I actually have a chance to stop the attack before it happens?
  • Hacker Threats. A lot of people think about hackers as binary, either bad or good. The reality is a lot more nuanced, and in that nuance is much of the secret of how to start stopping attacks and changing the economics. The first type of threat we worry about is IP scans: an attacker uses a scanner that is the equivalent of a robot checking every door and window in the neighborhood, looking for a single vulnerability across hundreds of millions of IP addresses. We had been talking about this for about two years and, sure enough, about six months ago somebody wrote a script that hacked 1.1 million websites in 24 hours. That shows how powerful an IP scan can be if left uninterrupted. Equally important, if not more so, are targeted scanners such as Grendel-Scan, Metasploit and O2, which let every APT or every script kiddie become very sophisticated. A targeted scanner like Grendel may test 20, 30, 40 thousand vulnerabilities in an hour, making hacking not only faster but much easier. Mykonos intercepts such scans, slowing the targeted scan down and injecting fake vulnerabilities that render the results useless. The third type of threat we worry about is botnets, which are being used in two interesting ways right now: by APT threats to distribute an attack and avoid detection, and to scale up an attack, automating a small attack to make it a really big one. Here Mykonos intercepts the botnet and uses an inline CAPTCHA processor to dynamically break the botnet and stop it on the fly.
Now, if you can break the various scripts and tools — the IP scans, targeted scans, and botnets — what you do is force slow, visible, human hacking that’s a lot more expensive for the attacker and a lot easier to defend against.  
  • Web App Security Technology. Unlike traditional web application firewalls that use signatures and force their customers to write signatures for each individual detection, Mykonos uses behaviors to go beyond the signature, so the customer does not have to finish the product for the vendor. More importantly, unlike signatures that detect attacks in process and have no coverage against zero-day attacks, Mykonos uses its behavioral technology for intrusion deception and detects the early reconnaissance behavior that happens before the attack ever starts. Mykonos also goes beyond the IP address. Where there may be five or ten thousand people behind a single IP using a proxy, Mykonos identifies and targets the individual device, and it can not only block it but apply a huge range of responses. Both solutions meet the PCI section 6.6 requirements for compliance, but only Mykonos can detect an attacker before the attack ever happens and go beyond the IP address to stop an attacker without stopping…
  • The Mykonos Advantage: Deception-Based Security. Mykonos works in four steps. The first is to detect attackers by injecting hundreds of tiny bits of code into the web application at serve time, so that an attacker is detected while performing the malicious behavior that precedes the attack. Because the attacker is touching code that doesn't exist in the real application, there aren't the false positives of traditional signature-based solutions, and zero-day attacks are detected by seeing the bad behavior rather than relying on an attack signature. The moment an attacker is detected, we track it: a super cookie tracks browser-based attackers and a fingerprinting technology tracks script-based or APT attackers. Then we build a profile, which works like a DVR that records everything a hacker does, to get smart about who that hacker is and what threat level they represent. Finally we respond. Unlike web application firewalls, of which only 10% run in block mode, a hundred percent of Mykonos devices run in block mode: stopping attackers, blocking them, warning them, and deceiving them to make it much more expensive to hack a site where Mykonos is involved.
  • Detection by Deception. Architecturally, Mykonos sits as an inline proxy directly in front of the application server, and as it hands the code down to the client it injects tar traps, or deception points, into the code. The first example is really simple: a query string parameter, the URL string you'd see on any website. It's very easy to tamper with a URL string, and a lot of people do, because about 20% of top sites have some sort of session hijacking vulnerability in the query string. Notice the parameter "debug=false". If the hacker changes it to "debug=true" to try to get debug information back, or to "debug=0", or to a long string or anything else, Mykonos detects the manipulation and we know we have an attacker on the website. A more sophisticated example is the "hidden" input field you'd see in a form. Most SQL injection attempts are made via forms, because that's where the direct connection to the backend database is. In the HTML you'll see a line of code: <input type="hidden" value="0" name="authorized">. There are a lot of things you might do: change the value, change the name. What you're trying to do is get the form to respond with an error message, a SQL dump, something that tells you how to get into the system and then into the data you want. Here, this entire line of code is fake. It was inserted by Mykonos directly into the code stream, so it's indistinguishable from real code, and it lets us detect those SQL injection attempts before they ever touch the first real input.
And then finally, we think not only about the width of deception, meaning all the different behaviors an attacker might exhibit, but also about the depth of deception, meaning how we detect an attacker and start to change the economics. The third example, server configuration, illustrates that. This is a .htaccess file, an Apache configuration file you'd find on many sites. It shouldn't be exposed, but it often is. If a hacker requests it, Mykonos blocks the real one and returns this fake one, or a similar fake one. If the hacker reads through it, they'll notice it points to a .htpasswd file, and if they traverse the hidden directories and get to that file, we again respond, this time with a list of user names and hashed passwords. Why do that? Why provide a list of user names and password hashes instead of blocking the attacker? We know they're bad; why not just stop them? The reason is that we want to make it expensive for the attacker. Cracking that list with a desktop password-cracking tool like John the Ripper could take the hacker fifteen or twenty hours, and if they do, we then let them try to log in through the "recoverPassword.aspx" page. So, in the hacker's mind, they're making progress. What they're actually doing is wasting time and teaching Mykonos what skill level and threat level they represent.
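The three deception points described above (the fake debug query parameter, the fake hidden authorized field, and the fake .htaccess/.htpasswd trail ending at the password-recovery login) are reproduced below as an added Python example. This is illustrative code written for this page, not Mykonos' implementation: the parameter and file names follow the slides, while the incident weights, threat-level thresholds, honey account names and passwords, and the recoverPassword.aspx login check are assumptions.

```python
import base64
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlparse

# Deception points injected at serve time. A browser that simply follows the page
# echoes them back unchanged, so any other value is evidence of tampering.
FAKE_HIDDEN_FIELD = ("authorized", "0")   # fake <input type="hidden"> added to every form
FAKE_QUERY_PARAM = ("debug", "false")     # fake parameter appended to every same-site link

# Honey accounts that appear in the fake .htpasswd (constructed; they exist nowhere else).
HONEY_ACCOUNTS = {"webadmin": "Summer2011!", "backup": "backup123"}

# Incident weights and threat thresholds are assumptions for this example.
INCIDENT_WEIGHT = {
    "query parameter manipulation": 1,
    "hidden parameter manipulation": 2,
    "apache configuration file request": 3,
    "password file request": 4,
    "honey credential used": 10,
}


def inject_deception(html: str) -> str:
    """Rewrite outgoing HTML: add the fake hidden field before each </form> and the
    fake query parameter to each same-site (leading '/') href."""
    name, value = FAKE_HIDDEN_FIELD
    html = re.sub(r"(?i)</form>", f'<input type="hidden" name="{name}" value="{value}"></form>', html)

    def add_param(match):
        href = match.group(1)
        sep = "&" if "?" in href else "?"
        return f'href="{href}{sep}{FAKE_QUERY_PARAM[0]}={FAKE_QUERY_PARAM[1]}"'

    return re.sub(r'href="(/[^"#]*)"', add_param, html)


def htpasswd_sha(password: str) -> str:
    """Apache's {SHA} htpasswd entry format: base64 of the raw SHA-1 digest."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def deceptive_response(path: str) -> Optional[str]:
    """Fake content served instead of the real file for the trap paths; None = pass through.
    The fake .htaccess points at the .htpasswd so the attacker keeps following the trail."""
    if path.endswith("/.htaccess"):
        return 'AuthType Basic\nAuthName "Restricted"\nAuthUserFile /var/www/.htpasswd\nRequire valid-user\n'
    if path.endswith("/.htpasswd"):
        return "".join(f"{user}:{htpasswd_sha(pw)}\n" for user, pw in HONEY_ACCOUNTS.items())
    return None


def detect(url: str, form: Optional[Dict[str, str]] = None) -> List[str]:
    """Incidents raised by one request (empty list for benign traffic)."""
    parsed = urlparse(url)
    query = dict(parse_qsl(parsed.query))
    form = form or {}
    incidents = []
    if FAKE_QUERY_PARAM[0] in query and query[FAKE_QUERY_PARAM[0]] != FAKE_QUERY_PARAM[1]:
        incidents.append("query parameter manipulation")
    if FAKE_HIDDEN_FIELD[0] in form and form[FAKE_HIDDEN_FIELD[0]] != FAKE_HIDDEN_FIELD[1]:
        incidents.append("hidden parameter manipulation")
    if parsed.path.endswith("/.htaccess"):
        incidents.append("apache configuration file request")
    if parsed.path.endswith("/.htpasswd"):
        incidents.append("password file request")
    # Logging in with a cracked honey hash closes the loop: the credential exists only in
    # the trap, so this can never be a false positive.
    user, pw = form.get("user"), form.get("password")
    if parsed.path.endswith("/recoverPassword.aspx") and pw is not None and HONEY_ACCOUNTS.get(user) == pw:
        incidents.append("honey credential used")
    return incidents


@dataclass
class AttackerProfile:
    """Per-client record keyed on the tracking cookie or fingerprint rather than the IP,
    so one attacker behind a shared proxy does not get everyone else blocked."""
    client_id: str
    incidents: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(INCIDENT_WEIGHT[i] for i in self.incidents)

    @property
    def threat_level(self) -> str:
        if self.score == 0:
            return "none"
        return "low" if self.score < 3 else "medium" if self.score < 7 else "high"


class Profiler:
    def __init__(self) -> None:
        self.profiles: Dict[str, AttackerProfile] = {}

    def observe(self, client_id: str, url: str, form: Optional[Dict[str, str]] = None) -> AttackerProfile:
        profile = self.profiles.setdefault(client_id, AttackerProfile(client_id))
        profile.incidents.extend(detect(url, form))
        return profile


if __name__ == "__main__":
    profiler = Profiler()   # replay the incident chain from the "Jack 26" profile
    for url, form in [("/account?id=7&debug=true", None), ("/transfer", {"authorized": "1"}),
                      ("/.htaccess", None), ("/.htpasswd", None),
                      ("/recoverPassword.aspx", {"user": "webadmin", "password": "Summer2011!"})]:
        p = profiler.observe("jack26", url, form)
        print(f"{url:26} -> {p.incidents[-1]:34} threat={p.threat_level}")
```

Note that `detect` never inspects real application parameters: it only reacts to names that the proxy itself injected or to paths that should never be served, which is what keeps the false-positive rate at zero for legitimate users.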
  • Track Attackers Beyond the IP. Once we detect the attacker we immediately start to track it. For browser-based attackers, we inject a super cookie into the attacker's PC that lets us track them even if they clear cache and cookies or use private browsing mode. On top of that, we have a fingerprinting capability as a backup mechanism for more sophisticated attackers who might spin up a new VM or figure out how to shake the cookie; it also lets us track script-based attackers. We track them so that we can begin to profile.
  • Smart Profile of Attacker. The profiling technology lets us act almost like a DVR and record everything a hacker does. Every Mykonos hacker gets a name; this one is "Jack 26". We do that so you're not running around shouting IP addresses in a security operations center. At the bottom left you can see that this attacker's threat level was extreme, the last time they were active and the first time they were active. On the right we build an incident history: the query parameter manipulation of the URL string I mentioned earlier; the hidden parameter manipulation in the form; then an Apache configuration file request; the password file request; and finally they cracked the password. In the background Mykonos escalated the threat level and recorded every bad action the hacker took, with all the underlying information, so we can really understand what threat level they represent and, more importantly, what to do about it.
  • Respond and Deceive. As I mentioned, a hundred percent of Mykonos devices run in block mode, actually stopping real-life attackers. While compliance is important, we think preventing a company from being the next Sony is much more important. Mykonos responds in a range of ways. We might warn the attacker. We built a response for fun a few years ago where, as an attacker attempts to hack a site, the site disappears and up pops a map of the hacker's location with a note that says, "It looks like you might need a criminal attorney", and a list of lawyers in the hacker's location. It was our way of saying we know where you are and you should really stop doing anything bad. We can block a user without affecting anyone else behind that IP address, so we're not stopping customers. We can force a CAPTCHA processor inline to break any automation. We can slow a connection down, forcing hackers to work in slow motion. We can simulate that the application has broken, or, in the case of a financial application, force a logout and immediately block and lock the account so the attacker can't get into it and do any damage.
  • Security Administration. All of this comes together in a real-time console. This is a real screenshot of the Mykonos console in action. In the top left is the number of attacks we've detected, by low, medium and high, and the total number of attacks. You can see the total hackers on the site, also by low, medium and high, to get a sense of the sophistication level of the people hitting your site. In the top right are the countermeasures deployed to stop attacks. Then you can see the most frequent attacks and the top hackers, so you can see which APT threats are continually hitting your site, and the top countries they come from. Underneath that are the malicious incidents, giving a sense of volume by day, and the number of sessions and hacker sessions, so you can see what percentage of your traffic comes from hackers. All of this data plugs into a SIEM tool via a command line interface we expose, so you can feed it into any other tool you'd like. We can also plug into Nagios, Unicenter or any of your data center management tools so you don't have another screen to stare at. And finally, all of this data is real-time and delivered on demand, and we can generate reports as well.
  • Unified Protection Across Platforms. From a deployment perspective, Mykonos is a software product: a software appliance that can be installed on any traditional hardware for traditional data center deployments. There is also a virtual machine version that supports VMware ESX for customers that have already virtualized their application infrastructure. And we have just released a cloud-based version for Amazon Web Services, so customers that have decided to let their applications live in the cloud can bring Mykonos security with them. The really exciting part is that as of Ambler, the latest Mykonos release, we can now see a single attacker across multiple of these environments inside a customer. Going back to the Sony example: when attackers hit Sony Japan, Sony Germany, Sony U.S. and Sony's Amazon cloud, Mykonos would have detected it immediately on the first site and protected the second, third and fourth before anything bad could have happened. We think that has enormous value to customers and that it is the first in a wave of connected application firewalls and, ultimately, network firewalls.
  • Juniper's separate data and control plane architecture offers significant advantages. Consider the difference:
    Competitors' single-plane design:
    - During attacks, no management access to address the situation
    - During attacks, processing of routing updates stops and the network is down
    Juniper's separate control and data plane design:
    - Maintains management access even during a DoS/DDoS attack
    - Route update processing continues
    - Separate data (packet forwarding) and control (management) planes: scales performance, enhances resiliency, enables redundancy
    Transition: Beyond the separate data and control plane architecture, consider Juniper's consolidated security platform.
  • Juniper's Network Management portfolio (Space/Security Design, STRM and AIM) enables operational and cost efficiencies through:
    - Full network life cycle management (provisioning/visibility/diagnostics): closed loop, less resource-intensive, one-stop shop
    - Single configuration/provisioning platform across Juniper's security/routing/switching devices
    - Single event monitoring/threat management solution across all Juniper systems
    - Case automation for efficient and cost-effective incident management
    - Network-wide visibility with application-level granularity
    - Appliance form factor for one-stop HW/OS/application support
    - Rapid deployment: no server provisioning lead times
    - Schema-based device/Space interface for day-0 deployment (application transparency)
    - One-stop support for HW/OS/application
    Transition: Clearly Juniper Networks' unified management meets customer needs. To summarize…
  • For Data Center SRX, NSS Labs has given its stamp of approval, recommending SRX to businesses and organizations around the world. ABI Research, in its assessment of UTM vendors, has established Juniper Networks as the overall #1 UTM vendor, ranking #1 in all decision criteria: innovation and implementation. Transition: Other analysts, as well as customers, have showered Juniper SRX with praise too.
  • See examples above. As you can see, analysts, research houses and, most importantly, customers believe in the strength and direction of Juniper. Transition: Clearly Juniper Networks' SRX solution meets customer needs. To summarize…
  • Security Solutions for Banking & Finance

    1. Juniper Confidential. TRENDS & NETWORK SECURITY. Jaime Castañeda, jaimec@juniper.net, Systems Engineering Manager, CALA – Enterprise.
    2. INSANITY DEFINED… DOING THE SAME OLD THINGS & EXPECTING DIFFERENT RESULTS. Copyright © 2011 Juniper Networks, Inc.
    3. SCALABILITY?? --> NETWORK EVOLUTION
    4. For Internal Use Only. THE TRENDS
    5. CIO TOP 3 BUSINESS TRENDS & IT INITIATIVES - 2012. Employee Productivity & Satisfaction: BYOD. Business Agility: New Platforms & Services. Cost Efficiency: Infrastructure Consolidation.
    6. INVESTMENT FOCUS. BYOD: Mobility. New Platforms & Services: Cloud. Infrastructure Consolidation: Data Center, Campus & Branch.
    7. SECURITY IMPACT. Attacker: Notoriety → Profitability; .gov/.com → .me/.you. Threats (type of attack): Virus, Worms, Trojans, Malware, DOS, Botnets, APT. Targets: Internet, Information, Services; New Devices & Platforms; New Applications & Delivery Models.
    8. EVERYDAY EXPLOITS (diagram). Email from "Robert Smith": "Funniest video ever! Check out the link! Click Here" → connect to MALWARE site → Corporate Network → Intranet ("Quarter End Sales Results") → Financial Data.
    9. EVERYDAY EXPLOITS (same diagram, with the gaps called out): Can't inspect content in network; Doesn't have intelligence to detect malware on client; Can't control access to sensitive data; Can't protect user from cloud-based threats.
    10. IT INITIATIVES DRIVING NEW SECURITY REQUIREMENTS. Initiatives: BYOD; New Platforms & Services; Infrastructure Consolidation. Requirements: Flexible Deployment; Broad Coverage; Security Context & Coordination.
    11. ALWAYS PROTECTED WITH JUNIPER. Mobility; Cloud; Data Center, Campus & Branch. Pervasive Security from the Device to the Cloud to the Data Center.
    12. BYOD
    13. WHAT ARE THE TRENDS? Where would you attack? Back? Front? Attacks against the client are the most common way of getting into a company. Attacks can be done either by exploiting vulnerabilities in the applications the client is using (browser, Flash, PDF reader, etc.) or by tricking the user into executing malicious code. ALL clients are valuable targets: some for direct attacks against the company; some for being used as bots when attacking other companies.
    14. THE EVOLUTION OF NETWORK SECURITY. Historically: people used stationary computers; each application ran on a dedicated port; the threat landscape consisted of curious teenagers. In this environment it worked well to filter network traffic based on IPs and port numbers. Today: people are mobile; people can use any type of device (both private and corporate); most applications use the same ports; the threat landscape consists of well organized criminals that make millions on attacks over the network. The filtering in the network needs to be more intelligent to meet today's needs!
    15. COMPLIANCE VS. SECURITY. Application firewalling provides additional security by allowing administrators to build security based on the application rather than just the port, right? (Diagram: HTTP and FTP clients; firewall rule "Permit HTTP"; server HTTP :80.)
    16. LEAKY APPLICATION FIREWALLS. However, an attacker will recon your network before attacking. (Diagram, firewall rule "Permit HTTP", server with HTTP :80 and SSH :22. 1: SYN :23 → RST :23. 2: SYN :22 → SYN-ACK :22 → ACK :22 → SSH :22.)
    17. LAYERED SECURITY. Security = port-based PLUS application-aware firewalling for Defense-in-Depth! (Same diagram with the rule "Permit :80, HTTP": 1: SYN :23 gets no reply. 2: SYN :22 gets no reply; only HTTP :80 is reachable.)
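The point of slides 16 and 17 can be made concrete with an added Python model (not Juniper's code or an SRX configuration) of the three policies: port-only, application-only and layered. The model assumes that application identification needs to see one payload packet, so an application-only rule has to let the TCP handshake through to the host; that alone tells a scanner which ports are open (SYN-ACK versus RST), and the firewall can only react once the server has already answered. The listening ports and the SSH banner are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Host behind the firewall (constructed): listening ports and, for protocols where the
# server speaks first, the banner it sends as soon as the handshake completes.
LISTENING = {80: "HTTP", 22: "SSH"}
SERVER_BANNER = {22: "SSH-2.0-OpenSSH_5.9"}


@dataclass
class Flow:
    dport: int
    app: Optional[str] = None   # set once application identification has seen payload


Policy = Callable[[Flow, str], str]   # returns "permit", "drop" (silent) or "reset"


def port_only(flow: Flow, pkt: str) -> str:
    """Classic stateful policy: permit tcp/80, silently drop everything else."""
    return "permit" if flow.dport == 80 else "drop"


def appfw_only(flow: Flow, pkt: str) -> str:
    """Application-aware rule 'permit HTTP' with no port constraint. The application is
    unknown until payload arrives, so the handshake has to be permitted to get that far."""
    if flow.app is None:
        return "permit"
    return "permit" if flow.app == "HTTP" else "reset"


def layered(flow: Flow, pkt: str) -> str:
    """Port match first, application match second: 'permit :80, HTTP'."""
    verdict = port_only(flow, pkt)
    return appfw_only(flow, pkt) if verdict == "permit" else verdict


def identify(payload: str) -> str:
    """Toy application identification on the first payload packet (assumption: one packet suffices)."""
    if payload.startswith(("GET ", "POST ", "HEAD ")):
        return "HTTP"
    if payload.startswith("SSH-"):
        return "SSH"
    return "UNKNOWN"


def probe(policy: Policy, dport: int, client_payload: str) -> List[str]:
    """Replay one TCP connect plus the first data exchange; return what the attacker sees."""
    flow = Flow(dport)
    seen: List[str] = []
    if policy(flow, "SYN") != "permit":
        return ["timeout"]                      # dropped at the firewall: nothing comes back
    if dport not in LISTENING:
        return ["RST"]                          # handshake reached the host: port is closed
    seen.append("SYN-ACK")                      # handshake reached the host: port is open
    if dport in SERVER_BANNER:                  # server-speaks-first: banner is the first payload
        flow.app = identify(SERVER_BANNER[dport])
        if policy(flow, SERVER_BANNER[dport]) != "permit":
            return seen + ["RST"]
        seen.append(SERVER_BANNER[dport])
    flow.app = identify(client_payload)
    seen.append("data" if policy(flow, client_payload) == "permit" else "RST")
    return seen


def scan(policy: Policy, ports=(22, 23, 80)) -> Dict[int, str]:
    """What a SYN scan learns about the host through the given policy."""
    states = {}
    for port in ports:
        seen = probe(policy, port, "GET / HTTP/1.0\r\n\r\n")
        states[port] = "filtered" if seen == ["timeout"] else "open" if seen[0] == "SYN-ACK" else "closed"
    return states


if __name__ == "__main__":
    for name, policy in (("port-only", port_only), ("appfw-only", appfw_only), ("layered", layered)):
        print(f"{name:11} scan={scan(policy)}  ssh-over-80={probe(policy, 80, 'SSH-2.0-client')}")
```

The two failure modes are complementary: the application-only rule leaks the host's port map because every handshake completes, while the port-only rule lets SSH tunnelled over tcp/80 through because it never looks at payload. Only the layered rule returns "filtered" for 22 and 23 and still resets non-HTTP traffic on 80.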
    18. APPSECURE SERVICE MODULES. Flow: Ingress Processing → NAI → AI (Application Identification Engine) → Application ID Results → AppTrack, IPS, AppFW, AppDoS, AppQoS → Egress.
    19. APPFW – 3-DIMENSIONAL SECURITY POLICIES. Easily restrict application access to necessary users; reduce the spread of confidential information; stop high-risk and unwanted applications. (Diagram: DC Firewall(s) combining Traditional Firewall Policy, User and Group Awareness (User Store, special UAC) and Application Awareness (AppTrack); STRM in the Operations Center; DC Switching; Data Center Server Farms.)
    20. APPQOS – BANDWIDTH MANAGEMENT. Prioritize traffic based on application type. Limit the amount of bandwidth an application can consume. Mark the DSCP values for proper QoS treatment. Leverage the Junos Class-of-Service feature set to fully control application handling at the interface queue level. Example policy: give highest priority to financial applications for finance and sales; approved applications receive normal priority; lower priority for multimedia applications, except for the MM content group. (Diagram: Traditional Firewall Policy, User and Group Awareness, Application Awareness (AppTrack).)
    21. AppDoS PROTECTION. Introducing Application Denial of Service (AppDoS). Identifies attacking botnet traffic vs. legitimate clients based on application-layer metrics and remediates against botnet traffic. Employs a multi-stage approach, from server connection monitoring and deep protocol analysis to bot-client classification: server connection monitoring; protocol analysis; bot-client classification. Available on the SRX5000, 3000, and 1000 series of Services Gateways.
    22. IPS – DYNAMIC SECURITY. Signature-based threat protection. Protocol anomaly protection: superior protocol decoding and anomaly detection. Heuristic detection: detect encrypted traffic that is not SSL (like Skype, BitTorrent, and many botnet channels). SSL decryption: forward and reverse proxy are available today. Add STRM to the solution and get: network behavior anomaly detection; slow scan detection; cross network/application correlation; see what happened before and after the attack on the network. (Diagram labels: Protocol Anomalies; Unknown Threats & Vulnerabilities; "the majority of the unknown".)
    23. SSL PROXY (diagram). SSL reverse proxy: Untrust zone (INTERNET) → SRX (decrypt, IDP) → DMZ zone web server; server private keys are loaded on the SRX. SSL forward proxy: Trust zone client → SRX (SSL-T, AppID, SSL-I, IDP: decrypt, inspect, re-encrypt) → Untrust zone INTERNET server; server keys are unknown, so the server certificate is modified and signed by the SRX.
    24. REDIRECTING TRAFFIC. The captive portal feature is used to redirect unauthenticated traffic to the NAC. The "unauthenticated" role can be used to redirect traffic from not-yet-authenticated clients. Remember to only redirect web traffic and to allow traffic to the AD, NAC, and other infrastructure servers. In order for the client's web browser to perform Single Sign On (SSO), the redirect URL must include the full DNS name of the NAC (more on SSO later). (Diagram: Branch or Campus → SRX Enforcer → Intranet → Infranet Controller at Headquarters.)
    25. AD AUTHENTICATION WORKFLOW. 1. The FIREWALL connects to the NAC and downloads the Roles table. 2. Client opens his/her web browser and gets redirected to the NAC. 3. Client gets an authentication request. 4. Client contacts the AD server and obtains a Kerberos ticket for the NAC service. 5. Client sends the Kerberos authenticator details to the NAC. 6. Now equipped with the user information, the NAC retrieves the user's groups from the AD. 7. Finally the user→roles mapping info is pushed into the FIREWALL and the user is redirected to the original URL. (Diagram: Branch or Campus client, SRX Enforcer, Intranet, Infranet Controller and AD at Headquarters.)
    26. WHY A TWO-BOX SOLUTION?? 1. Log in to AD: AD tracks your userID and IP. 2. Close your laptop: AD is not aware of any change. 3. Reconnect from a different IP: AD notes the updated IP. In between #2 and #3 above, if I connect to the network using the same IP you had before you left, AD does not take note of the fact that the identity associated with that IP address has changed. This is because Active Directory does not actively check network state. We could write an agent that sits on an AD server to give us a one-box solution, but we can't guarantee that the network state hasn't changed without including something else in the solution.
    27. APPTRACK SIMPLIFIES APPLICATION VISIBILITY AND CONTROL. 1. Traffic is analyzed by AppTrack as it traverses the SRX; the SRX collects on-box application statistics for monitoring. 2. The SRX sends application logs to a SIEM/log collector (STRM or 3rd-party SIEM). 3. SIEM reports are analyzed by IT staff (example STRM reports). (Diagram: DC Firewall(s), DC Switching, Data Center Server Farms, Operations Center.)
    28. THE WORLD IS ON THE MOVE – THE NETWORK CAN'T STAND STILL. From today's legacy model of the business network to a flexible, proactive business network: wired connections → wireless as primary means of connectivity; corporate owned devices → mix of personal and corporate devices; corporate operated applications → cloud based, IT or user chosen apps; perimeter security → security attacks from everywhere; stable application environments → ever evolving software based applications; multiple isolated networks → context aware unified network.
    29. SMART MOBILE: MORE SCALABLE AND RELIABLE. Centralized architecture vs. distributed architecture (diagrams, each showing Internet, Security, Management, Reliability and Performance).
    30. DISTRIBUTED SWITCHING MAXIMIZES SCALABILITY. Centralized-only switching breaks down under increased load from 802.11n: all traffic gets forwarded by the controller; twice the traffic through the network core; 802.11n increases load by up to 10x, and a 10x increase exceeds controller capacity; can't scale without expensive upgrades. Distributed switching handles 802.11n without breaking down: traffic can be forwarded by the AP; optimized traffic flows – ideal for voice; 802.11n has no impact on the controller; scales in place without upgrades.
    31. THE CLOUD … NETWORK VIRTUALIZATION
    32. MEGA TREND – SERVER VIRTUALIZATION. (Chart, source IDC: installed servers in millions, 1996–2013; Physical Server Installed Base vs. Logical Server Installed Base, with the gap between them labeled "Capital Savings".)
    33. OTHER VIRTUALIZATION PLATFORMS
    34. SHARE – VIRTUAL PARTITIONING: VLANs. (Diagram of physical or virtual server instances.)
    35. SHARE – VIRTUAL PARTITIONING: VLANs, Zones, VPNs. (Diagram: Zone 1–4 across two Data Centers, MPLS-VPN and VPLS-VPN, physical or virtual server instances.)
    36. 36. Juniper Confidential.Challenges of Scale – Application Performance Location matters in a Typical tree tree architecture configuration Bubbles Optimal performance One VM Hop36 Copyright © 2011 Juniper Networks, Inc. Juniper Confidential.
    37. 37. Juniper Confidential.Challenges of Scale – Network Services Location matters in a Typical tree tree architecture configuration Appliances and VLANs Shadows VM37 Copyright © 2011 Juniper Networks, Inc. Juniper Confidential.
38. TODAY'S DATA CENTER NETWORKS ARE NOT CLOUD READY
    Complex, inefficient:
    1. High latency
    2. Spanning tree
    3. Appliance sprawl
    4. Multiple networks
    5. Limited scalability
    6. Poor economics
    7. Sub-optimal performance
    [Diagram: tiers of L2/L3 switches and L2 switches, SSL VPN, firewall, IPSec VPN and IPS appliances, servers, NAS storage, a separate cluster network and an FC SAN]
39. IMPACT ON SERVER VIRTUALIZATION
    Juniper is committed to multi-vendor support and open standards. Juniper switches interoperate well with all hypervisors.
40. SERVER VIRTUALIZATION
    Traditional data centers (one server per application, e.g. App 1 server 30% utilized, App 2 server 15% utilized):
    • One OS/application per server
    • Low utilization ↔ highly cost inefficient
    New data center – resource sharing (Hypervisor, VMware; VM 1–3 on one server):
    • Many OS/applications per server
    • Better cost efficiency: equipment, power, cooling, space
    • Sharing limited to the server boundary
    • Clouds address this problem
41. VIRTUALIZATION AND CLOUDS: RESOURCE POOLING
    [Diagram: router/switch over two access switches; Rack 1 and Rack 2 each hold servers running a hypervisor (VMware) with VMs (VM 1–6, App 1–6) and unused capacity]
42. JUNIPER'S VALUE: SIMPLIFICATION AND EFFICIENCY
    [Diagram: the same two racks of hypervisor hosts, now connected through EX 4200 access switches to the router/switch]
43. VIRTUALIZATION WITH VIRTUAL CHASSIS
    • Works with any hypervisor
    • Scalable & rich security and monitoring features
    • VMware cluster fits within the span of a VC (64)
    • Reduces network latency & speeds up VM migration
    • Reduces number of managed devices
    [Diagram: aggregation switch over EX 4200 switches in Rack 1 and Rack 2; each server's NICs feed a virtual switch in the hypervisor, whose virtual ports connect the VMs (VM 1–5, Applications 1–5)]
44. SIMPLIFY
45. SIMPLIFY THE NETWORK
    From Core / Aggregation / Access to Core / Consolidated Access: a flat data center fabric that eliminates the aggregation layer.
46. SIMPLIFY—JUNIPER'S VISION
    [Diagram: legacy network – Ethernet, servers, storage, FC SAN]
47. SIMPLIFY—JUNIPER'S VISION
    [Diagram: today's solution – MX Series, SRX5800, EX8216; servers, storage, FC SAN]
48. SIMPLIFY—JUNIPER'S VISION
    [Diagram: data center fabric – MX Series, SRX5800, EX8216; servers, storage, FC SAN]
49. SIMPLIFY—JUNIPER'S VISION
    [Diagram: data center fabric – MX Series, SRX5800, QFabric, virtualized security & application services; servers, storage]
50. INTEGRATING STRATUS FABRIC
    [Diagram: MX Series, Stratus Fabric, EX8216, SRX5800 and EX4200, with Pod 1 and Pod 2]
51. VIRTUALIZATION & SECURITY
52. SECURITY IMPLICATION OF VIRTUALIZATION
    Physical network: the firewall/IDS sees and protects all traffic between servers.
    Virtual network: VM1, VM2 and VM3 on an ESX/ESXi host talk through the virtual switch in the hypervisor; physical security is "blind" to traffic between virtual machines.
53. APPROACHES TO SECURING VIRTUAL NETWORKS
    1. VLANs & physical segmentation (VMs on the ESX/ESXi host separated by VLANs on the virtual switch)
    2. Traditional security agents (a regular thick agent for FW & AV in each VM)
    3. Integrated virtual security (a virtual security layer between the VMs and the hypervisor)
54. THE GOAL IS SECURE CLOUD COMPUTING
    [Diagram: a virtual security layer on each host – ESX 1, ESXi 2, Remote ESX 3, ESXi 4, Hosted ESX 5, ESXi 6 – across public, private and hybrid clouds]
    Public, private, and hybrid clouds require dynamic and highly integrated security mechanisms to keep information safe!
55. NETWORK SERVICE SECURE ARCHITECTURE
56. SECURE—NEW MODEL FOR THE CLOUD
    Hotel model vs. Castle model
57. SECURE—CLOUD ENABLED SECURITY
    [Diagram: Clients – Global High-Performance Network – Data Centers; flows: Client to DC, Server to Server, DC to DC]
58. SECURE—THE FLOW IN THE CLOUD
    [Diagram: Clients – Global High-Performance Network – Data Centers; flows: Client to DC, Server to Server, DC to DC]
    1. Securing flows between servers
    2. Securing flows between VMs
    3. Elastic transport using VPLS
    4. Securing flows from clients to DC
    5. Coordinated threat control
59. SECURE—CLOUD ENABLED SECURITY
60. SECURE—CLOUD ENABLED SECURITY
    [Diagram: virtualized security services; remote data center]
61. SECURE—CLOUD ENABLED SECURITY
    [Diagram: User – Identity – App; coordinated threat control; virtualized security services]
    Services:
    1. AppSecure DoS protection
    2. Firewall
    3. Authentication
    4. Encryption
    5. NAT
    6. Intrusion prevention
    7. Real-time visibility
    8. Traffic prioritization
    Policies: Junos Space. Reporting: STRM. Management & compliance.
62. SECURE—CLOUD ENABLED SECURITY
    [Diagram: User – Identity – App; VM 1–4 protected by vGW; secure VDI clients; hypervisor support; virtual machines; Internet access through SSL VPN; HR zone, DMZ and Finance zone; virtualized security services]
    Services:
    1. AppSecure DoS protection
    2. Firewall
    3. Authentication
    4. Encryption
    5. NAT
    6. Intrusion prevention
    7. Real-time visibility
    8. Traffic prioritization
    Policies: NSM. Reporting: STRM. Management & compliance.
63. VDI CAPABILITY WITH MAG SSL VPN
    [Diagram: remote/mobile user – MAG Series – AAA, apps servers, Finance, VMware VDI server, Citrix XenDesktop]
    • SA interoperates with VMware View Manager and Citrix XenDesktop to enable administrators to consolidate and deploy virtual desktops with MAG
    • Allows IT administrators to configure centralized remote access policies for users who access their virtual desktops
    • Dynamic delivery of the Citrix ICA client or VMware View client to users, including dynamic client fallback options for easy connection to their virtual desktops
    Benefits:
    – Seamless access (single sign-on) for remote users to their virtual desktops hosted on VMware or Citrix servers
    – Saves users time and improves their experience accessing their virtual desktops
64. LOGICAL NETWORK DIAGRAM FOR VIRTUALIZED DC
    [Diagram: two data centers joined by an MPLS/VPLS network over DCI links; in each, MX-1 and MX-2, an SRX cluster with virtual routers VR-1 and VR-2, an EX-VC, and access tiers]
65. INTRA SEGMENT INTRA-DC TRAFFIC FLOW
    [Same diagram as slide 64, with the flow highlighted]
66. INTRA SEGMENT INTER-DC TRAFFIC FLOW
    [Same diagram as slide 64, with the flow highlighted]
67. INTER SEGMENT INTRA-DC TRAFFIC FLOW
    [Same diagram as slide 64, with the flow highlighted]
68. INTER SEGMENT INTER-DC TRAFFIC FLOW
    [Same diagram as slide 64, with the flow highlighted]
69. NETWORK MANAGEMENT
70. LEGACY NETWORK AUTOMATION TOOLS WERE BUILT TO SOLVE POINT PROBLEMS
    Legacy approach: separate tools for switch management, virtual switch management, asset management, security management and diagnostics.
    Characteristics:
    • Disparate point products
    • Different interfaces
    • Device-centric
    • Hard to use
    • Siloed network view
    Consequences:
    • High operations costs, low operator productivity
    • Long, error-prone cycle times
    • Poor network-wide visibility and control
    • Lack of operator-based automation
71. LEGACY NETWORK MANAGEMENT
72. JUNOS SPACE ORCHESTRATES THE NEW NETWORK
    The New Network with Junos Space, in one location: switch management, virtual switch management, asset management, security management, diagnostics.
    Applications: Security Design, Ethernet Design, Virtual Control, Service Now, Service Insight, Network Activate.
    Characteristics:
    • Common, cross-device platform for automation of virtual and physical networks
    • Plug/play application environment
    • User-centric, task-oriented interface
    • Correlated network, security, app and user intelligence
    Consequences:
    • Improved top and bottom line benefits
      o Rapid scaling of application infrastructure
      o Reduced Opex
    • Optimal security, scale and resource efficiency
73. VISIBILITY
    Consolidation of security services (everywhere). Comprehensive application visibility and control across the Global High-Performance Network: what user, what application, source to destination, user device, user location; from branch, campus and mobile clients to the data center.
74. STRM'S KEY VALUE PROPOSITION
    • Threat detection: detect new threats that others miss
    • Log management: the right threats at the right time
    • Compliance: compliance and policy safety net
    • Enterprise value: complements Juniper's enterprise management portfolio
75. Security: Always Protected
76. A HISTORY OF INNOVATION
    [Timeline 1996–2012, from incorporation in 1996 through the M Series, T Series, SSG Series, IC Series, EX Series, MX Series, SRX Series, T1600, MX 3D, QFabric, PTX Series, ACX, Acorn and "Falcon" for mobility; revenue growing from $1.3B to $4.5B and headcount from 1,500 to 9,000; Fortune 1000 #789]
77. THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS
78. HACKER THREATS
    • Script kiddie – scripts & tool exploits: generic scripts and tools against one site.
    • IP scan – script & tool library attacks: a script run against multiple sites seeking a specific vulnerability.
    • Targeted scan – scans: targets a specific site for any vulnerability.
    • Botnet: a script loaded onto a bot network to carry out the attack.
    • Human hacker – advanced persistent threat (APT): sophisticated, targeted attack, low and slow to avoid detection.
    [Timeline: JAN – JUNE – DEC]
79. WEB APP SECURITY TECHNOLOGY
    [Comparison table of Web Application Firewall, Intrusion Prevention System and the deception product; the check marks did not survive extraction]
    • Detection: signatures (deception product: Q1 2012); tar traps
    • Tracking: IP address; browser, software and scripts
    • Profiling: IP address; browser, software and scripts
    • Responses: block IP; block, warn and deceive attacker
    • PCI Section 6.6
80. THE MYKONOS ADVANTAGE: DECEPTION-BASED SECURITY
    • Detect: "tar traps" detect threats without false positives.
    • Track: track IPs, browsers, software and scripts.
    • Profile: understand the attacker's capabilities and intents.
    • Respond: adaptive responses, including block, warn and deceive.
81. DETECTION BY DECEPTION
    Tar traps: query string parameters, hidden input fields, server configuration.
    [Diagram: client – firewall at the network perimeter – app server – database server]
82. TRACK ATTACKERS BEYOND THE IP
    • Track IP address
    • Track browser attacks: persistent token, with the capacity to persist in all browsers including various privacy control features.
    • Track software and script attacks: fingerprinting HTTP communications.
83. SMART PROFILE OF ATTACKER
    • Every attacker assigned a name
    • Attacker threat level
    • Incident history
84. RESPOND AND DECEIVE
    [Table: Mykonos responses – warn attacker, block user, force CAPTCHA, slow connection, simulate broken application, force log-out – against threat types: human hacker, botnet, targeted scan, IP scan, scripts & tool exploits; the highlighting did not survive extraction]
    All responses are available for any type of threat. Highlighted responses are most appropriate for each type of threat.
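The detect/track/profile/respond cycle of slides 81 to 84, as an added Python example that is not Juniper's or Mykonos's code: a hidden input field and an unused query-string parameter serve as tar traps, a cookie token tracks the client beyond its IP, each tripped client gets a named profile with an incident history, and the response escalates with the threat level. The field and cookie names, the token format and the escalation order are assumptions made for the illustration.

```python
"""Deception-based detection for a web application (added example)."""
from dataclasses import dataclass, field
import secrets
from urllib.parse import parse_qs, urlsplit

# Tar traps (constructed names). The real application never reads these, so a
# normal browser resubmits them untouched and any change is a high-confidence
# signal rather than a false positive.
TRAP_FIELD = "acct_ref"          # hidden <input> rendered into every form
TRAP_VALUE = "c0ffee"            # constant baked into the rendered page
TRAP_PARAM = "debug"             # query-string parameter that does not exist
TOKEN_COOKIE = "tt"              # persistent tracking token (constructed)

# Graded responses from slide 84; the escalation order is an assumption.
RESPONSES = ["warn", "force_captcha", "slow_connection",
             "simulate_broken_application", "force_logout", "block"]


@dataclass
class Request:
    ip: str
    url: str
    form: dict
    cookies: dict


@dataclass
class AttackerProfile:
    name: str                                # every attacker gets a name
    token: str                               # followed across IP changes
    incidents: list = field(default_factory=list)   # (ip, label) history

    @property
    def threat_level(self) -> int:
        # Threat level grows with the incident history, capped at the
        # strongest response available.
        return min(len(self.incidents), len(RESPONSES))


class DeceptionEngine:
    def __init__(self):
        self.profiles: dict[str, AttackerProfile] = {}

    def inspect(self, request: Request):
        """Return (verdict, response): ('clean', None) or (label, response)."""
        hits = []
        if request.form.get(TRAP_FIELD, TRAP_VALUE) != TRAP_VALUE:
            hits.append("hidden_field_tampered")
        if TRAP_PARAM in parse_qs(urlsplit(request.url).query):
            hits.append("trap_param_probed")
        if not hits:
            return "clean", None
        # Track by persistent token, not just by IP; mint one if absent.
        token = request.cookies.get(TOKEN_COOKIE) or secrets.token_hex(8)
        profile = self.profiles.setdefault(
            token, AttackerProfile(name=f"attacker-{token[:6]}", token=token))
        profile.incidents.extend((request.ip, label) for label in hits)
        # Respond according to the profile's current threat level.
        return hits[0], RESPONSES[profile.threat_level - 1]
```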
85. SECURITY ADMINISTRATION
    • Web-based console
    • Real-time
    • On-demand threat information
    • SMTP alerting
    • Reporting (PDF, HTML)
    • CLI for exporting data into a SIEM tool
86. UNIFIED PROTECTION ACROSS PLATFORMS
    [Diagram: internal, app server, database, virtualized, cloud]
87. WHY JUNIPER
    Users – Data Centers – Security Intelligence: internal security, web application security (deception), intrusion protection (IPS), content security, attack visibility, client security, network security (firewall), security management.
88. ARCHITECTURE: SEPARATE DATA AND CONTROL PLANE
    Shared plane (management, routing and data on one module): DoS & DDoS attacks overwhelm the box; the administrator loses management access—your network is down.
    Separate control plane (management interfaces, routing, kernel) and data plane (packet forwarding, physical interfaces): attacks can be thwarted; under attack, the administrator maintains management access to modify policy, disallow bad traffic, and process good traffic—your network stays up.
89. JUNIPER'S VISION: A CONSOLIDATED SECURITY PLATFORM
    FW, VPN, IDP, NAT, AppSecure on one platform.
    Simplified firewall management (Security Design):
    • Increased automation
    • Scale for thousands of devices
    • Consistent policies
90. SRX SERIES AWARDS
    • SRX1400 wins Best Security Hardware Product category
    • SRX650 wins Best of Interop Award, Infrastructure category
    • SRX210 wins Tokyo Interop Grand Prix, Highest Honor for SMB Infrastructure
    • SRX5600 wins Grand Prix, Highest Honor for Best of Show Awards
91. INDUSTRY ACCOLADES
    #1 UTM Vendor, Feb 25, 2011
92. ANALYST AND CUSTOMER RECOGNITION
    "The foundational strength of the SRX family is Juniper's new Dynamic Services Architecture, which allows a much more intelligent sharing of resources among security services running on the gateway." Current Analysis, 2010
    "Juniper's maturing and expanding SRX family of security gateway appliances are threatening, because they deliver an impressive combination of performance, functionality, and product family breadth." Andrew Braunberg, Current Analysis
    "Juniper has consistently shown exceptional differentiation in terms of feature-set, performance and implementation flexibility in a market that is getting increasingly crowded. It continues to excel as a value differentiator." Subha Rama, ABI Research
    "The simplicity of Junos providing integrated routing, switching, and security, coupled with the automation that Junos Space provides, is a nice value-add for CIOs who are constantly being asked to do more with less in a tighter economic environment." IDC Link
    "I can sum up Juniper Networks in three words: security, performance, and reliability." Rich Acevedo, Network Engineer, Romano's Macaroni Grill
    "One of the key aspects of the relationship with Juniper is their ability to listen to what the customer needs. We've developed a long-term relationship. We have helped influence some of the evolution of the products and features that we as well as other customers would see as a benefit." Eric Walters, Network Manager, 7-Eleven