For the past several years, software-defined networking (SDN) has been a popular buzzword in the networking industry. In many ways, networking has always been defined by software. Software is pervasive within all of the technology that impacts our lives, and networking is no different. However, networks have been constrained by the way software has been configured, delivered and managed—literally within a box, updated monolithically, managed through command lines that are reminiscent of the days of minicomputers and DOS in the 1980s. Well, almost.
2. During the Intro…
Source: Gartner - Top 10 Trends and Their Impact on IT Infrastructure and Operations
(Infographic figures from the slide:)
• 204 million e-mails sent
• 47,000 app downloads
• 135 new botnet infections
• 1.3 million YouTube views
• 200k new malware samples found each day
• 60% of breaches took weeks or months to discover
• 40% of data breaches come from attacks by hackers
• $11m average cost due to data breach
3. “On average, an IT executive has only seven minutes to determine whether their organization is under attack. This is according to a survey of more than 400 IT executives in the UK, France, Germany and Hungary in which respondents were asked about their ability to process and use valuable information from security alerts.”
You have 7 minutes. Go!
http://www.infosecurity-magazine.com/opinions/security-alerts-only-7-minutes/
5. Why is Security So Difficult?
Attack frequency and cost
• Average cost of breach: $20m
• Increasing 10% per year
• Sony Pictures…incalculable
Security technology sprawl
• Systems don’t work together
• Inside out, outside in problems
• Sea of alerts
Threat surface expanding
• Virtualized systems
• Hybrid sourcing models
• Internet of everything
• Shadow IT
6. “The fastest way to solve a problem is to continue to do what you know.”
7. Security Trends Today
Network security landscape has changed.
CISOs “Treading Water”
• Risks posed by threats vs risks to business outcomes
• Pouring money in security, yet not any more secure
  - Average of 4000 nodes with 5 security vendors
• Attackers are always gaining, staying ahead
• Metrics of success: total number of attacks stopped vs reduction of risk
8. Most network security strategies focus on security at the perimeter only – outside in.
Is securing the perimeter really enough?
Today’s Enterprise: Perimeter security model
• Trust model: trust what’s inside the network
• Visibility relies mostly on perimeter firewalls
• Evolving threats require adaptability
• Security layered on top of the network: Inline Anti-Malware, Inline Intrusion Prevention, Unified Threat Management, Application Security, Data Loss Prevention
9. • Your server side uses orchestration
• The “bad actors” attacking your company use Automation/Orchestration
Shouldn’t Your Network?
10. Let’s take a step back
• Consistency
• Network Deployments
• Integration
• Open Architecture and the Software Stack
11. 2001:
Author: Donna Scott
Source: Gartner
Article: The Weakest Link in Business Availability
Finding: “80% of application service downtime caused by people or process failures”
2004:
Author: John Pescatore
Source: Gartner
Article: It’s Time for Host-Based Security Platforms
Finding: “Up to 65% of successful external attacks directly related to configuration errors.”
2010:
Author: Ronni Colville
Source: Gartner
Article: Top 7 Considerations for Configuration Mismanagement. Virtual & Cloud Infrastructures
Finding: “80% of outages caused by people and process issues, and 50% of those outages will be caused by change, configuration, release integration, and hand-off issues.”
2011:
Author: Neil MacDonald
Source: Gartner
Article: How To Devise a Server Protection Strategy
Finding: “Secure configuration management ranked ‘top priority’ for corporations”
2012:
Author: Dave Shackleford
Source: SANS
Article: Secure Configuration Management Demystified
Finding: “Secure configuration management should be a top priority for corporations in 2012”
2013:
Author: Jing Zhang (UM) & Manish Karir (DHS)
Source: Internet Society
Article: On Mismanagement & Maliciousness of Networks
Finding: “Statistical analysis shows direct correlation between misconfigurations and the success of malicious attacks against corporate networks.”
12. Analyst and academic research suggests that 70-80% of networks are vulnerable due to configuration errors.
15. 1. Network Engineering team validates Junos solution
2. This activity results in a set of "Golden Configurations" for device commissioning and service deployment
3. These configurations are copied off the devices in "curly-brace" or "set" format and the Engineers identify the variables
4. Network Engineering then creates the "templates" from these configurations by adding variable placeholders and macros directly into the Junos configuration
5. These templates are stored for later use by the Network Operations team

Junos Configuration:
    system {
        host-name switch-14-02-42-01;
        domain-name mycorp.net;
        backup-router 10.176.31.1 destination 10.0.0.0/8;
        time-zone America/Los_Angeles;
    }

Junos Template:
    system {
        host-name ${Hostname};
        domain-name mycorp.net;
        backup-router ${BackupRouter} destination 10.0.0.0/8;
        time-zone ${TimeZone};
    }

(Diagram: Engineering writes templates into the Template Repository.)
The process to create Junos templates is a "write once" model. That is, the Network Engineers create these templates for the operations team to use. The operations teams do not create/modify the templates.
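The "write once" model only holds if the operations team can supply variable values without being able to change the template's structure. The following is an added example (not Juniper's code or tooling) that renders the slide's Junos template from the ${Name} placeholders; the per-variable validators and the variable names are assumptions, and a value that fails its validator, or a missing or unexpected variable, is refused before anything is rendered.

```python
import ipaddress
import re

# The Junos template from the slide; placeholders use the ${Name} form.
JUNOS_TEMPLATE = """system {
    host-name ${Hostname};
    domain-name mycorp.net;
    backup-router ${BackupRouter} destination 10.0.0.0/8;
    time-zone ${TimeZone};
}
"""
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

def _is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

# Hypothetical per-variable validators (the deck specifies none). Each value
# must match a strict shape, so a variable can never carry ';', braces or a
# newline and thereby add statements Engineering never put in the template.
VALIDATORS = {
    "Hostname": lambda v: re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9-]{0,62}", v) is not None,
    "BackupRouter": _is_ipv4,
    "TimeZone": lambda v: re.fullmatch(r"[A-Za-z_]+(/[A-Za-z0-9_+-]+)*", v) is not None,
}

def placeholders(template):
    # Sorted list of the variable names the template expects.
    return sorted(set(PLACEHOLDER.findall(template)))

def render(template, variables):
    # Fill the template, refusing missing, unknown or malformed variables.
    needed = placeholders(template)
    missing = [n for n in needed if n not in variables]
    extra = sorted(set(variables) - set(needed))
    if missing or extra:
        raise ValueError(f"missing={missing} unexpected={extra}")
    for name, value in variables.items():
        check = VALIDATORS.get(name)
        if check is None or not check(value):
            raise ValueError(f"rejected value for {name}: {value!r}")
    # A callable replacement keeps backslashes in values literal.
    return PLACEHOLDER.sub(lambda m: variables[m.group(1)], template)

if __name__ == "__main__":
    print(render(JUNOS_TEMPLATE, {"Hostname": "switch-14-02-42-01",
                                  "BackupRouter": "10.176.31.1",
                                  "TimeZone": "America/Los_Angeles"}))
```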
18. Problem Statement:
Deployment of devices in Retail can be challenging and expensive.
On site employees don’t necessarily have the skillset to install equipment.
21. API clients by language (table from the slide; the URL column held only links)
Language of API | Mode of Distribution | Maturity | Support | Additional Notes
Ruby | Open Source | Most popular. 3200+ downloads. | Open Source | Wins big on ease of installation, features, limited dependencies and active support.
Java | Via Juniper website. Will be shortly available on github. | Already being used by enterprise customers. | JTAC | Very simple to get started. Easy on installation. Single .jar file to use/zero dependencies.
Python | Open Source | Based on an already popular open source client. | Open Source | Favorite language of scripters.
Perl | Via Juniper website. | Most ancient of all APIs. Needs work to ease installation. | JTAC | Installation of the API is not entirely smooth and needs further work to simplify the process.
PHP | Open Source | Not in a ready to use state yet. | Open Source | Still in development stage.
28. Network Automation – The use of programmability to create efficiencies in day-to-day operations
Orchestration – Combining various Automation tasks in the software stack to create efficiencies in the deployment of business systems and processes.
29. A Change in Mindset
Stop talking about Network Security. Start talking about Secure Networks.
• Realize threats are everywhere. They are already inside. They walked in your front door
• Recognize perimeter security isn’t enough
• Detection and Enforcement should be enabled anywhere
• Acknowledge security is everyone’s problem – horizontal and vertical
30. Everything on Your Network is a Potential Threat
Normal and Abnormal Behavior
• Normal operation: call home beacons, energy utilization
• Aberrant behavior: bursting traffic, abnormally high data download rate
Is this normal? How to mitigate risk?
31. Firewalls
Security Foundation: Firewall, VPN, NAT, Routing
Next Generation Firewall Services: Application Control, User-based firewall
Unified Threat Management: Anti-virus, Intrusion Prevention, Web/Content Filtering, Anti-spam
Security Intelligence: Command & control, GeoIP feeds, Custom feeds
Management: Reporting, Analytics, Automation
33. The Software-Defined Secure Network
• Operate network as single enforcement domain, every element becomes a policy enforcement point
• Create and centrally manage intent based policy directly aligned to business objectives
• Gather & distribute threat intelligence, from multiple sources – know who the bad guys are faster
• Leverage cloud economics for real time analysis – find the bad guys faster
• Enforce policy to the threat feed information, real time across the network – adapt the network real-time
(Diagram: Detection, Policy, Enforcement)
34. Software-Defined Secure Network: Policy, Detection & Enforcement
• Leverage entire network and ecosystem for threat intelligence and detection
• Utilize any point of the network as a point of enforcement
• Dynamically execute policy across all network elements including third party devices
(Diagram: Your Enterprise Network, with Threat Intelligence feeding Detection and Enforcement at multiple points; Bottoms Up and Top Down Approach – Cloud-based Threat Defense; Dynamic and Adaptive Policy Engine – Policy)
35. Software-Defined Secure Network - Building Blocks
• Security from the Cloud: Third Party Cloud Security Feeds, Malware Protection, Threat Intelligence Feed, Cloud off load
• Security Management Platform / Security Policy Controller
• Virtual Firewall, Physical Firewall, Routers, Switches, Third Party Network Elements
Comprehensive suite of products: Centralize and automate security
• Instant threat intelligence and detection
• Dynamically adapting policy, deployed in real-time
• Consistent firewall capabilities – physical and virtual
(Diagram: Your Enterprise Network; labels Detection, Enforcement and Policy attached to the building blocks above)
36. Where to Start – Modernize Your Perimeter
• Upgrade your perimeter to make it adaptable
• Next Generation Firewall is Current Generation Firewall – simplify and remove niche security appliances
• Utilize Cloud Economics for Instant Intelligence that Leads to More Effective Detection
(Diagram: Your Enterprise Network; Cloud Security with Malware Protection and Threat Intelligence Feed; Firewall, Virtual Firewall)
37. Converse With Your Network
• Deploy Policy Engine that Communicates with Your Network
• Analytics Capability Based on Network Data
• Customizable UI Provides Data Correlation
• Utilize All Network Elements as Detection & Enforcement Points
• Future: Intent Based Policy Engine to Communicate Across Any Network Element
(Diagram: Your Enterprise Network; Juniper Cloud Security with Malware Protection and Threat Intelligence Feed; Security Management Platform / Security Policy Controller; Network Elements and Other Network Elements)
38. The Right Policy for the Right Job
Different threat levels need different policies
• Example 1 – Aberrant lightbulb: quarantine and create new policy for correct behavior, or shut down the light bulb
• Example 2 – Compromised core switch? The right policy for the right level of threat: kill the illegitimate tunnel
(Diagram: Software Defined Secure Network (SDSN) – Policy Engine + Controller)
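Slides 30 and 38 together describe the loop: learn what normal looks like per device, flag aberrant behaviour such as an abnormally high download rate, then apply a policy sized to the device's role. The following is an added example, not Juniper's SDSN code: the flow records, device roles and policy strings are constructed, and the baseline is a simple mean-plus-stdev threshold with a 5% floor so a near-constant beaconing device does not alert on noise.

```python
import statistics
from collections import defaultdict

# Constructed per-minute download volumes (device, bytes). The lightbulb
# normally sends only small call-home beacons; the core switch moves a lot
# of traffic all the time, so the same byte count means different things.
FLOWS = [
    ("lightbulb-7", 1200), ("lightbulb-7", 1150), ("lightbulb-7", 1300),
    ("lightbulb-7", 1180), ("lightbulb-7", 1250), ("lightbulb-7", 950_000),
    ("core-sw-1", 4_000_000), ("core-sw-1", 4_200_000), ("core-sw-1", 3_900_000),
    ("core-sw-1", 4_100_000), ("core-sw-1", 4_050_000), ("core-sw-1", 4_150_000),
]

# Hypothetical device roles and the policy each role's threat level calls for.
ROLES = {"lightbulb-7": "iot", "core-sw-1": "core-switch"}
POLICY = {
    "iot": "quarantine device; push corrective policy for expected behaviour",
    "core-switch": "tear down the illegitimate tunnel; keep the switch forwarding",
}

def baselines(flows, window=5):
    """Per-device (mean, population stdev) over the first `window` samples."""
    samples = defaultdict(list)
    for device, nbytes in flows:
        if len(samples[device]) < window:
            samples[device].append(nbytes)
    return {d: (statistics.mean(v), statistics.pstdev(v)) for d, v in samples.items()}

def detect(flows, window=5, factor=3.0):
    """Flag samples after the baseline window that exceed mean + factor*stdev
    (stdev floored at 5% of the mean), paired with the policy for the role."""
    base = baselines(flows, window)
    seen = defaultdict(int)
    hits = []
    for device, nbytes in flows:
        seen[device] += 1
        if seen[device] <= window:
            continue  # still inside the learning window
        mean, sd = base[device]
        if nbytes > mean + factor * max(sd, 0.05 * mean):
            hits.append((device, nbytes, POLICY[ROLES[device]]))
    return hits

if __name__ == "__main__":
    for device, nbytes, action in detect(FLOWS):
        print(f"{device}: {nbytes} bytes -> {action}")
```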