Karel Hendrych, Juniper Networks
Juniper Day, Praha, 13.5.2015
4. COMMITTED TO INNOVATION AND INVESTMENT
Security is core to our business at Juniper
Dedicated Innovator
- First to ship 100GbE interface
- Innovating in SDN/NFV, network automation
- New in 2014: A differentiated approach to security with our open, integrated threat intelligence platform
- New in 2015: Leveraged custom silicon and software to deliver breakthrough performance and scale in the High End SRX (2 Tbps throughput)
Global Powerhouse
- Serving customers in over 47 countries, with a worldwide community of over 1000 Reseller Partners
Significant Market Share
- #2 in High-End Firewalls (1)
- #2 in Carrier-Class Network Firewalls (2)
1. Infonetics Research Q2'2014
2. Gartner Carrier Class Network Firewalls Report, Q4'14
6. Solving the Problem
Tailored Security for Critical Assets
- Get maximum PERFORMANCE & easily SCALE to adapt to the future
- Stop all types of attacks with BEST-IN-CLASS SECURITY
- Ensure your network is always AVAILABLE with easy, secure ACCESS to optimize productivity
7. EVOLUTION OF FIREWALL
Open platform delivers more value
- Scalable to ensure full enterprise or service provider deployment
- Built for expansive data capacity
- Improved efficacy, with fine-tuning
- Adaptive in its ability to incorporate many types of data into policy
Security Intelligence!
Figure: evolution from the Traditional firewall (Layer 3, closed) through the Next-gen firewall (Layer 7) to the Dynamic Adaptive Platform (open); axes run from Layer 3 to Layer 7 and from Closed to Open.
8. SRX Differentiators
- HIGH PERFORMANCE and SCALE with maximum throughput, session scale, ISSU, and ISHU
- OPEN THREAT INTELLIGENCE leveraging threat feeds from multiple sources to deliver automated enforcement
- SECURE AND RESILIENT under attack with separate control and data planes and multiple processing cores
- INTEGRATION of physical and virtual solutions (vSRX) to deliver visibility, security, and compliance
- APPLICATION AWARENESS with AppSecure to stop application-borne security threats and manage application usage
9. JUNOS Architecture: Separate Data and Control Plane
Shared plane: interfaces, management, routing and kernel share one plane, so DoS & DDoS attacks overwhelm the box; the administrator loses management access and your network is down.
Separate control plane and data plane (Junos): the data plane does packet forwarding on the physical interfaces while management and routing run on the control plane, so attacks can be thwarted; under attack the administrator maintains management access to modify policy, disallow bad traffic, and process good traffic, and your network stays up.
10. SRX Series Services Gateways
Single Junos; Integrated Routing, Switching and Security; Unprecedented Scale
High-End SRX: up to 1.2 Tbps FW throughput and 100 million concurrent sessions scaling
Figure: product range from 1G (BRANCH) through 10G (CAMPUS) to 100G and 1 Tbps (DATA CENTER).
- Branch SRX: SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
- High-End SRX: SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, SRX5800
- vSRX
11. Juniper Security Architecture Overview
Figure components: Enterprise Branch SRX, WAN, MX routers, Hybrid Cloud, High End SRX Cluster, Internet, OSS/BSS, Customer Portal, Security Director / Virtual Director / Log Director; Virtualized Host (Single Tenant: hypervisor, VMs, one vSRX with its VR) and Virtualized Servers (Multi Tenant: hypervisor, VMs, several vSRX each with its own VR).
13. Junos Space Security Director Management
- Firewall Management
- IPsec VPN Management
- Network Address Translation (NAT) management
- Intrusion prevention (IPS) management
- Application-level policy management
- UTM (unified threat management)
- Threat Intelligence Enforcement
- Publish Workflow: Manage policy changes with review/approve cycle
AUTOMATES
• Delivers scalable and responsive security management
• Improves the reach, ease, and accuracy of security policy administration
• Enables quick and intuitive web-based management of security policy lifecycle
• Integrated with Spotlight Secure, open threat intelligence platform
14. Security Intelligence Solution Architecture (1/2)
Figure components: Spotlight Secure (cloud), Security Director, SRX Firewalls; threat data sources: Command & Control, GeoIP, Attacker Fingerprints, Customer-provided or 3rd Party Threat Data, Local Attacker Details (API calls).
1. Aggregated & optimized cloud-based threat intelligence
2. Juniper-provided threat intelligence to customer premise
3. Local/Customer data incorporated into solution
4. Centrally managed by Junos Space Security Director
5. Intelligence distributed to SRX enforcement points
15. SecIntel Solution Architecture (2/2)
Figure components: Spotlight Secure (Command & Control and GeoIP feeds), Spotlight Secure Connector, Security Director and Log Director on Space H/W or ESX, Space "Fabric" on ESX; inputs: Customer-provided or 3rd Party Threat Data, Local Attacker Details.
1. Aggregated & Optimized cloud-based threat intelligence
2. Juniper-provided threat intelligence to customer premise
3. Local/Customer data aggregated into solution
4. Centralized management by Security Director
5. Scalable (aggregated) intelligence distribution
16. Spotlight Secure cloud service
Spotlight Secure – intelligence from the Cloud
Figure: Spotlight Secure Connector fed by Internal Sources, Confidential Sources, Mysterious Sources and External Sources.
Spotlight Secure compiles its data from multiple sources, using heuristic analysis and machine learning to provide the most up-to-date, actionable intelligence.
17. USE CASE I. Bot command & control mitigation
PREVENTING INSIDE TO OUTSIDE COMMUNICATION WITH KNOWN BOT COMMAND AND CONTROL CHANNELS – IP/URLs
18. USE CASE II. Custom whitelists/blacklists and rulebase automation
https://provisioning/blacklist1.txt:
192.168.2.11
192.168.1.0/24
192.168.1.30-192.168.1.99
https://provisioning/custom1.txt
26. Automation: Unique to SRX and Junos
OSS integration
Workflow automation
NetOps & SecOps tools
“off-box”
Audits & compliance
Change control
Troubleshooting & event response
“on-box”
XML API
On the Device Across the Network
27. PyEZ EXAMPLE
from jnpr.junos import Device
from jnpr.junos.utils.config import Config

# Configuration to load, in Junos "set" syntax (placeholder content; the
# slide does not show what set_cfg contained)
set_cfg = "set system host-name srx-demo"

dev = Device(user='netconf', host='172.16.0.1', password='test123')
dev.open()
dev.bind(cu=Config)      # expose the Config utility as dev.cu
dev.cu.lock()            # take the exclusive configuration lock
dev.cu.load(set_cfg, format='set')
dev.cu.commit()
dev.cu.unlock()
dev.close()
https://techwiki.juniper.net/Projects/Junos_PyEZ
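As an added example (not from the slides or from Juniper's code), the script below takes a custom blacklist feed in the three line formats of USE CASE II (single host, CIDR prefix, first-last range), rejects malformed lines instead of silently accepting them, collapses overlapping entries, and renders the result as Junos `set` lines of the kind the PyEZ slide loads with `dev.cu.load(set_cfg, format='set')`. The feed content, the address-book/address-set representation and the `blacklist1` naming are assumptions.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample feed in the three line formats shown on the
# custom-blacklist slide (hypothetical content of blacklist1.txt);
# the last entry is deliberately malformed.
SAMPLE_FEED = """\
192.168.2.11
192.168.1.0/24
192.168.1.30-192.168.1.99
# comment lines and blank lines are ignored

10.0.0.300
"""

def parse_feed(text: str) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Parse feed lines (host, CIDR or first-last range) into a collapsed,
    sorted list of IPv4 prefixes. Malformed lines are reported, not guessed."""
    nets, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            if "-" in line:  # first-last range -> minimal set of prefixes
                first, last = (ipaddress.IPv4Address(p.strip())
                               for p in line.split("-", 1))
                nets.extend(ipaddress.summarize_address_range(first, last))
            else:  # single host (becomes /32) or CIDR prefix
                nets.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError as exc:
            errors.append(f"line {lineno}: {line!r} rejected ({exc})")
    # collapse_addresses merges overlapping or adjacent prefixes and sorts them
    return list(ipaddress.collapse_addresses(nets)), errors

def to_set_commands(name: str, nets: List[ipaddress.IPv4Network]) -> List[str]:
    """Render prefixes as Junos 'set' lines for a global address-set
    (an assumed on-box representation, not the slide's own method)."""
    cmds = []
    for net in nets:
        addr = f"{name}_{str(net).replace('.', '_').replace('/', '_')}"
        cmds.append(f"set security address-book global address {addr} {net}")
        cmds.append(f"set security address-book global address-set {name} address {addr}")
    return cmds

if __name__ == "__main__":
    prefixes, errs = parse_feed(SAMPLE_FEED)
    print("\n".join(to_set_commands("blacklist1", prefixes) + ["WARN " + e for e in errs]))
```

The range 192.168.1.30-192.168.1.99 disappears into 192.168.1.0/24 after collapsing, so the feed yields two prefixes and one rejected line.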
29. NEXT STEPS
- Q&A session?
- Local demo, Partner/Disti/JNPR
- Loan of Juniper Equipment
- Proof of Concept Labs, nearest in Amsterdam
- Mandatory item is a test plan
- Professional testing tools
- Possibility to bring 3rd party equipment