Discussions regarding security gear deployments now include IDP appliances in addition to traditional firewalls. Administrators are aware that a traditional firewall alone is not sufficient to keep ahead of emerging attacks. In addition to allowing valid traffic and blocking attacks, more and more customers are looking for ways to control applications that are not attacks but are also not mission-critical. P2P and Instant Messaging are common examples, but others include music servers and other “personal” applications.
Using the projected IPS market as an indication of the level of concern over security, the data in this slide is from Infonetics Research. The obvious item to note is that revenue for IDS/IPS continues to climb, topping $800 Mil by CY09. The other item to note is that network-based products (the category Juniper IDP products fall into) bring in more than double the revenue of host-based products.
Following slides dive more into the customer drivers for IDP products.
Despite the variety of attacks and threats, external network attacks remain the top reason for purchasing security gear; basically, the fear of being hacked. While network downtime can be directly correlated to business impact, the graphics illustrate how impact to end-users can also have significant consequences. This is designed to illustrate that overly aggressive security policies can keep network attacks out but can also cause quantifiable impact to the business through an increase in false positives.
This slide illustrates why a firewall alone is not enough to protect a typical enterprise network.
ANIMATION
1st click – Displays the time when a vulnerability is discovered and an advisory is issued. A good example is Microsoft, which publishes vulnerability information on a monthly basis.
2nd click – At some later time after the vulnerability has been discovered, exploits are released to take advantage of it. For example, hackers develop an attack that leverages the newly discovered vulnerability.
3rd click – Worms are released which leverage the vulnerability for massive attacks.
4th click – The main point of this graphic is that the time from when a vulnerability is discovered to a full-blown worm attack is getting shorter. This requires security products designed to be highly adaptable, and a company geared to provide new updates in a timely manner.
Business compliance is also a good example of the need for IDP products. The word “compliance” has been crossed out and replaced with “practices” to indicate that we are not just talking about regulatory compliance. Any enterprise wishing to conform to its own business practices would benefit from IDP products. A good, and possibly overused, example is IM, where some businesses allow its use with the understanding that it will not hinder critical business applications. One question you can ask the audience is “Do you have the means to easily find out how much IM traffic is in your network?” Naturally, with Juniper IDP products, you can.
Another customer driver for IDP products is new technologies. Many enterprises adopt new technologies to reduce cost and gain a competitive edge, and they require security solutions that support those technologies. A good example is the proliferation of VoIP solutions. Sharing the same network infrastructure as the enterprise data network, an unsecured VoIP solution would open the entire enterprise network to attack. Attacking through the phone is a very real possibility.
ANIMATION
1st click – Displays the text “New Technologies = New Risks”, reiterating that customers need to consider the risks any time a new technology is introduced.
Finishing off the customer driver section, touch on the service provider and managed service provider market. SPs face many of the same issues as the enterprise. The chart in the slide is from Infonetics and illustrates how “Keeping up with new security threats” is the top concern for service providers.
This slide outlines how Juniper’s approach is not just point products. The IDP product as a whole has several components, including a third-party security team, internal research, etc. All these resources feed the in-house Juniper Security team, and the results go into every IDP product on a daily basis. The discussion should illustrate that there are many other factors to an IDP product that must be taken into consideration beyond the usual throughput, price, footprint, etc.
This slide is not designed to give a specific percentage for the data shown but only to illustrate that unknown or undiscovered threats and vulnerabilities dwarf the number of known threats. Some threats are known but have no effective protection, while others have been identified and have known protections, patches, etc. The question that will come up is “How do you protect against unknown vulnerabilities?”
This slide builds on the previous slide and addresses the question of “how do you protect against vulnerabilities that are unknown?” A good portion of unknown vulnerabilities stems from protocol anomalies, where use of a protocol beyond its defined specification can have adverse effects. The way to prevent such attacks is to ensure that all usage of the protocol conforms to the acceptable guidelines. Hence, if a vulnerability is found in a particular protocol and exploits are developed, Juniper IDP would already have coverage, since it treats such an attack as a protocol anomaly and blocks it: protection from the unknown.
The Juniper Networks Security Team has traditionally been under-marketed, yet it provides market-leading support for IDP products. The key things to outline regarding the Security Team are its expertise in protocol decodes and its partnerships with multiple security vendors. The proof of an excellent security team is in its response time: how fast the team can provide signature updates for new vulnerabilities is a good indication of how effective the entire IDP product really is. This is a good lead-in to the next slide. The graphic is a screen capture of the Juniper Security portal, whose URL is shown.
Continuing the emphasis on response time, this slide outlines the actual timeline of responses to a Microsoft vulnerability announcement. “Super Tuesday” refers to Microsoft’s monthly disclosure of security vulnerabilities.
ANIMATION
1st click – The text shows that at 10:17 AM, Microsoft announced 3 security bulletins.
2nd click – 4 minutes later, the Juniper Security team announced coverage for all three bulletins.
3rd click – After 1.5 hrs, TippingPoint provided an unclear message regarding their coverage of the bulletins.
4th click – Close to 2 hours later, ISS announced coverage for only one of the bulletins.
5th click – By the end of the day, Cisco and McAfee had made no announcements regarding the bulletins. Similar to ISS, Symantec announced coverage for only one of the bulletins.
Following slides dive into the IDP products.
Before talking about IDP product features, this slide illustrates some of the basic responses to different malicious activities. It offers a high-level view of how the IDP product thwarts these activities.
ANIMATION
1st click – Recon (reconnaissance) is used by attackers to see what resources are out there. IDP can detect this activity through traffic anomaly detection, in terms of the change in traffic volume, as well as through a network honeypot, where the attacker thinks the target resource exists when in actuality it does not.
2nd click – To thwart an attack, IDP uses protocol anomaly detection (already discussed), stateful signatures and features such as the Synflood protector.
3rd click – Reacting to proliferation is designed to stop the spread of attacks. Backdoor detection is an obvious feature, as it assumes the first level of defense has been compromised and a Trojan is sitting in your network. The key is to continue to provide a high level of security even if the first line of defense has been breached.
This slide is an example of traffic anomaly detection. The concept is that there are no obvious signs of attack other than a suspicious change in traffic pattern.
ANIMATION
1st click – Displays the example of a ping sweep, where administrators see a high volume of network scans used to identify target resources.
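The ping-sweep case above is a volume anomaly rather than a signature match. The following is an added example, not code from the original deck or from Juniper's products, of how such a detector can be expressed: it reads constructed flow records, keeps a sliding window of ICMP echo requests per source, and raises an alert when one source touches more distinct destinations than a threshold. The flow record format, the window of 60 seconds and the threshold of 20 hosts are all assumptions chosen for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Flow:
    """Constructed, minimal flow record; a real sensor would carry many more fields."""
    ts: float          # seconds since start of capture
    src: str
    dst: str
    proto: str         # "icmp", "tcp" or "udp"
    icmp_type: int = -1   # 8 = ICMP echo request, -1 for non-ICMP flows


def detect_ping_sweeps(flows: Iterable[Flow], window: float = 60.0,
                       threshold: int = 20) -> Dict[str, float]:
    """Flag any source that sends echo requests to more than `threshold` distinct
    destinations inside any `window`-second span. Returns {src: first_alert_ts}."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst), oldest first
    alerts: Dict[str, float] = {}
    for f in sorted(flows, key=lambda x: x.ts):
        if f.proto != "icmp" or f.icmp_type != 8:
            continue                       # only echo requests count toward a sweep
        q = recent[f.src]
        q.append((f.ts, f.dst))
        while q and q[0][0] < f.ts - window:
            q.popleft()                    # expire records outside the window
        distinct = {dst for _, dst in q}
        if len(distinct) > threshold and f.src not in alerts:
            alerts[f.src] = f.ts
    return alerts


def build_sample_flows() -> List[Flow]:
    """Constructed traffic: one fast sweep, one legitimate monitor, one slow sweep."""
    flows: List[Flow] = []
    # Fast sweep: 192.0.2.99 pings 30 hosts, one per second.
    for i in range(30):
        flows.append(Flow(float(i), "192.0.2.99", f"10.0.0.{i + 1}", "icmp", 8))
    # Monitoring host pings the same gateway every second: high volume, one destination.
    for i in range(100):
        flows.append(Flow(float(i), "10.0.0.5", "10.0.0.1", "icmp", 8))
    # Slow sweep: 30 hosts at ten-second spacing never exceeds 20 in a 60 s window.
    for i in range(30):
        flows.append(Flow(300.0 + 10 * i, "198.51.100.4", f"10.0.1.{i + 1}", "icmp", 8))
    return flows


if __name__ == "__main__":
    for src, ts in detect_ping_sweeps(build_sample_flows()).items():
        print(f"ping sweep from {src} detected at t={ts:.0f}s")
```

Note what the third traffic source shows: a fixed window and threshold are blind to a scan that is spread out slowly enough, which is why traffic-anomaly detection is paired with other mechanisms such as the honeypot mentioned on the slide.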
This slide provides an example of protocol anomaly detection. The concept should be familiar, so an example is the best way to discuss this slide.
ANIMATION
1st click – The setup graphic shows the FTP client and the FTP server, with the IDP appliance in front of the server.
2nd click – A request is sent from the client to the server requesting an FTP session. No attack has occurred yet.
3rd click – The client sends a second request asking the server to open a connection back to the client. However, instead of sending its own address, the address of a different host is sent. If this request were to go through, data could be sent to an unauthorized client. This is the attack.
4th click – The IDP appliance recognizes that the FTP protocol is not being used as expected and blocks the communication to the FTP server. Attack blocked.
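The slide's FTP example corresponds to the PORT command, whose argument names the address and port the server should connect back to. The code below is an added illustration (not Juniper's decoder and not from the original deck) of the conformance check described in the 4th click: parse the PORT argument as RFC 959 defines it and refuse any request that names a host other than the session's client, is malformed, or points at a privileged port. The sample session lines, the client address and the privileged-port rule are constructed assumptions for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# RFC 959 PORT syntax: six comma-separated decimal bytes, h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def parse_port_argument(arg: str) -> Tuple[str, int]:
    """Return (host, port) from 'h1,h2,h3,h4,p1,p2'; raise ValueError if any byte > 255."""
    fields = [int(f) for f in arg.split(",")]
    if len(fields) != 6 or any(f > 255 for f in fields):
        raise ValueError("malformed PORT argument")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def check_ftp_command(client_ip: str, line: str) -> Verdict:
    """Protocol-conformance check for one control-channel line from client_ip.
    Only PORT is examined; every other command is passed through unchanged."""
    m = PORT_RE.match(line.strip())
    if not m:
        return Verdict(True, "not a PORT command")
    try:
        host, port = parse_port_argument(m.group(1))
    except ValueError as exc:
        return Verdict(False, f"protocol anomaly: {exc}")
    # The data connection must go back to the host that opened the session.
    if ipaddress.ip_address(host) != ipaddress.ip_address(client_ip):
        return Verdict(False,
                       f"protocol anomaly: PORT names {host}:{port}, session client is {client_ip}")
    # Assumed policy for this example: data ports below 1024 are never legitimate.
    if port < 1024:
        return Verdict(False, f"protocol anomaly: PORT data port {port} is privileged")
    return Verdict(True, f"PORT {host}:{port} matches session client")


# Constructed session from a client in the RFC 5737 documentation range.
CLIENT_IP = "192.0.2.10"
SAMPLE_SESSION = [
    "USER anonymous",
    "PORT 192,0,2,10,19,137",    # legitimate: 192.0.2.10 port 19*256+137 = 5001
    "PORT 198,51,100,7,0,25",    # names a different host: the slide's attack case
    "PORT 192,0,2,300,19,137",   # byte out of range: malformed
    "PORT 192,0,2,10,0,80",      # own address but privileged port
]


def audit_session(client_ip: str, lines: List[str]) -> List[Tuple[str, Verdict]]:
    """Apply the check to each line and return (line, verdict) pairs."""
    return [(line, check_ftp_command(client_ip, line)) for line in lines]


if __name__ == "__main__":
    for line, v in audit_session(CLIENT_IP, SAMPLE_SESSION):
        print(f"{'ALLOW' if v.allowed else 'BLOCK':5} {line:28} {v.reason}")
```

A decoder that tracks the session's client address is what makes this check possible; a stateless pattern match on the string "PORT" could not tell the second and third lines apart.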
Stateful signature refers to the ability to look for attacks in the context of the network traffic. Without it, IDP would need to scan any and all traffic for a specific pattern that matches the attack, which can result in performance degradation and increased false positives.
ANIMATION
1st click – The example shown here is the Code Red worm. The worm used HTTP, but only the GET request. Hence the IDP only scans the specific traffic (in this case, HTTP GET) for a pattern that matches the attack.
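To make the stateful-versus-stateless difference concrete, here is an added example (not the product's signature engine and not from the original deck) that runs the same pattern two ways over constructed payloads: once over every byte of every payload, and once only against the request URI of decoded HTTP GET requests. The pattern is a deliberately simplified approximation of the widely published Code Red request shape (a GET for /default.ida followed by a long filler run); the filler length, the payloads and the function names are assumptions for the example.

```python
import re
from typing import Dict, List

# Simplified, constructed approximation of the Code Red request pattern for
# illustration only: a request for /default.ida with a long run of one filler byte.
CODE_RED_RE = re.compile(rb"/default\.ida\?([NX])\1{50,}")

# Minimal HTTP request-line decoder: METHOD SP URI SP HTTP/1.x CRLF
REQUEST_LINE_RE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def stateless_scan(payloads: List[bytes]) -> List[int]:
    """Match the pattern anywhere in every payload, regardless of protocol or state."""
    return [i for i, p in enumerate(payloads) if CODE_RED_RE.search(p)]


def stateful_scan(payloads: List[bytes]) -> List[int]:
    """Decode HTTP, keep only GET requests, and match the pattern against the URI alone."""
    hits = []
    for i, p in enumerate(payloads):
        m = REQUEST_LINE_RE.match(p)
        if not m or m.group(1) != b"GET":
            continue                     # not HTTP, or not the method the worm used
        if CODE_RED_RE.search(m.group(2)):
            hits.append(i)
    return hits


def compare(payloads: List[bytes]) -> Dict[str, List[int]]:
    """Report which payloads each method flags and which stateless hits are false positives."""
    stateless = stateless_scan(payloads)
    stateful = stateful_scan(payloads)
    return {
        "stateless": stateless,
        "stateful": stateful,
        "false_positives": [i for i in stateless if i not in stateful],
    }


# Constructed sample payloads: one true positive and three benign cases.
FILLER = b"N" * 60
SAMPLE_PAYLOADS = [
    b"GET /default.ida?" + FILLER + b"=X HTTP/1.0\r\nHost: web\r\n\r\n",          # 0: worm-shaped GET
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",                  # 1: ordinary GET
    b"POST /upload HTTP/1.1\r\nHost: soc.example.com\r\nContent-Length: 80\r\n\r\n"
    b"report: saw /default.ida?" + FILLER + b"\r\n",                               # 2: analyst report in a POST body
    b"DATA\r\nSubject: IDS alert\r\n\r\nsaw /default.ida?" + FILLER + b"\r\n.\r\n",  # 3: same text in an SMTP message
]


if __name__ == "__main__":
    print(compare(SAMPLE_PAYLOADS))
```

Payloads 2 and 3 carry the worm's byte pattern inside an unrelated message (an analyst's report), which a raw byte scan flags and a GET-scoped match ignores; that is the false-positive reduction the slide refers to, and scanning only the URI of one method is also far less work per packet.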
The slides in this section address some of the new features available in the IDP 4.0 and NSM 2006.1 release.
Security Explorer is a simple, intuitive, interactive graphical user interface released as part of the IDP 4.0 and NSM 2006.1 release. Some customers may be aware of this feature, as it had been an officially unsupported feature in previous versions of IDP Manager. The graphic is a screen capture of Security Explorer and illustrates how you can see the traffic between multiple nodes. The UI is interactive in the sense that you can follow the traffic from one node/user to another simply by clicking the graphic icon of that node/user.
The Profiler feature is carried over from IDP Manager to NSM. Once configured, Profiler continually captures information about network nodes and traffic relevant to the administrator’s requirements. The level of detail extends to the application layer, showing not just the type of application but details such as the online user name, e-mail address, subject of e-mails, etc.
New to IDP 4.0, Diffserv marking is the rate limiting capability introduced to the IDP product line. Rather than just allowing or blocking traffic based on various criteria, IDP can now set priorities for the traffic. Since the level of granularity can be as detailed as the type of application, it’s simple to tag certain application traffic as lower priority (e.g., IM or P2P). Since Diffserv marking is defined as an action in IDP rules, the configuration is as simple as any other IDP policy rule. Since the actual enforcement of Diffserv marking is performed by routers, it’s important to note that this feature works in networks with Juniper network gear as well as non-Juniper gear.
The H.225 protocol is the signaling protocol for H.323 VoIP solutions. Since VoIP attacks utilize the signaling portion of the traffic (rather than the actual voice data), support for H.225 bolsters the Juniper IDP products, which already supported SIP. With full protocol decode, we can offer day-zero protection against future exploits.
Support for GTP decodes is tailored primarily for service providers of cellular data infrastructure. GTP encapsulates standard network traffic in the GPRS cellular data infrastructure. In order to apply the various analyses to the actual traffic, IDP must understand the GTP protocol.
Coordinated Threat Control is an example of innovation brought on by collaboration between Juniper Networks products. In this case, tight integration between Juniper IDP and SSL VPN products has resulted in an enhanced capability to thwart attacks from remote users. SSL VPN gateways often act as a proxy between remote users and enterprise resources. While IDP appliances can detect attacks from remote users, pinpointing the actual user in order to quarantine or block them has been difficult, because an SSL VPN gateway acting as a proxy does not make the end-user information available. With Juniper products, once an attack has been detected, the IDP appliance sends the identifying information to the SSL VPN gateway, which in turn identifies the offending end-user and takes specific action (often quarantining the user). This feature is only available from Juniper Networks.
ANIMATION
The steps are self-explanatory as defined above.
1999 – Juniper Networks IDP was being developed as the industry’s first Intrusion Prevention (IPS) product/platform, launched amidst IDS-only offerings.
2002 – IDP platforms introduced to market, backed by a dedicated Security Team that provided attack signature creation and updates, protocol decodes, and security response notices.
2003 – Integrated stateful signature and protocol anomaly detection mechanisms from IDP (specifically Internet-facing protocols ideal for remote/branch offices) into the firewall, known as Deep Inspection (DI).
2004 – Industry’s first and only IPS to integrate full ‘forensics’ / ‘network profiling’ capabilities with Profiler.
2005 – Juniper launches the ISG Series (ASIC-based FW/VPN) with IDP ‘blades’, a fully integrated FW/VPN/IDP system with multi-Gigabit performance and next-generation ASICs.
2006 – Launch of the Coordinated Threat Control feature in collaboration with the SSL VPN product line.
2006 – Introduction of the next generation of network awareness and control, with a common management solution for Juniper FW/VPN and the integrated security platform (ISG), as well as Security Explorer for a graphical, interactive and intuitive user interface.
This slide illustrates typical IDP deployments in a distributed enterprise environment. The key item to note is that while IDP appliances may be deployed in different geographical locations, only one NSM management server, located at the main office/headquarters, is needed. This concept extends to Juniper Networks FW/VPN and ISG platforms deployed throughout the network.
The IDP 50, targeted at small and branch offices, does not support full active-active HA. All other platforms support state-sync HA redundancy.
This slide is a review of the capabilities of the various platforms, as well as the differences between them. Note the management solution for all three types of platforms is NSM.
This is a setup slide for the next one. The graphic illustrates how “hybrid” networks, with different vendors’ firewalls and IDP appliances, can end up with multiple management solutions. Obviously, not an ideal environment.
A much simplified, consolidated view of the network, with a single management server for all the security gear in the network.
The Domains and Role-based Admin feature deserves to be pointed out in this slide. While often requested by service providers, this feature is also very valuable to enterprises. It is not uncommon for an enterprise to logically divide administrator roles by the type of security gear, so that specific administrators manage firewall policies while others manage IDP policies, etc. It is also common for an enterprise to separate admin responsibilities based on business requirements (e.g., one admin manages all security gear at a specific branch office while another manages the headquarters).
This slide illustrates how NSM truly integrates the management of IDP products along with other security devices. The main point of this slide is to convey how simple it is to manage IDP policies.
ANIMATION
1st click – Circles the tab section of the screenshot. Within the circle, you can see the different tasks available; in particular, the tab used to configure firewall rules and IDP.
2nd click – The Attack button on the main page launches the window used for configuring attack detection.
3rd click – The Action button on the main page launches the window for configuring the response to a particular attack.
Some consider the selection of IDP products to be based on throughput first and all else second. While the product is an inline network device, it’s important to reiterate that the main purpose of the appliance is security. An IDP appliance with sub-par security coverage is not much better than a simple router. Do you need another router in your network? The focus needs to be on the level of security coverage and the rapid response of the Juniper Networks security team. Reiterate the example from the previous slides on how we compare to our competitors in responding to Microsoft vulnerability announcements.
While NSM does not provide management of “all” Juniper products, it does manage the FW, IDP and ISG platforms, which make up the bulk of enterprise security appliances. Multiple deployment options include inline, sniffer mode (traditional IDS), HA, etc. “Profile the network” refers to the Profiler feature in NSM (and previously in IDP Manager), where administrators can configure the type of information to gather from the network to better understand the network traffic and applications.