Juniper idp overview

Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 1
Juniper Networks
Intrusion Detection & Prevention
June 2006

3Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Agenda
 Security Market Climate
• IPS & Security Market
• Market Drivers
 Juniper Networks IDP Product Overview
• Complete Solution – Security Team
• Product Features
• Product Offering
 Management with Juniper Networks NSM
 Summary

IPS and Security Market

Security Market
 IPS technology is a mainstream part of network
security for companies of all sizes
 Keeping up with new security threats and finding
integrated management systems remain key
concerns for security admins
 Assuring business critical applications have
predictable quality of service over nonessential
apps like P2P and IM
 Need Visibility, Control and Ease of Use

Worldwide IPS Market
 Market focus on IPS technology exemplified by market forecast
 Worldwide IDS/IPS revenue expected to top $800 Million by year 2009
 Network-based products continue to account for more than 2/3 of total
revenue
277
384
427
544
603
667
752
790 819
0
100
200
300
400
500
600
700
800
900
Revenue
($ Million)
CY01 CY02 CY03 CY04 CY05 CY06 CY07 CY08 CY09
Year
World Wide IDS/IPS Product Revenue
Network-based
Host-based
Source: Network Security Appliance and Software
Quarterly Worldwide Market Share and Forecast for 1Q06

Customer Drivers

Fear of external network attack and internal
noncompliance
 External attacks remain the top reason for
purchasing security appliances
• Failure to block viruses, attacks or malware directly
impact end-users
 A growing concern meanwhile is ensuring users
on the network are doing what they’re supposed
to be doing
Direct impact to end-users
•Quantifiable loss of productivity
•Impact to revenue
•Headaches to administrators
•Unauthorized access to critical data

Firewall alone is not enough
 Every organization is connected to the Internet
and deploys some form of firewall
 Most enterprise realize firewall alone is not
sufficient to block sophisticated attacks
Vulnerability
Discovered
Advisory
Issued
Exploits
Released
W
orm
Released
Getting Shorter
Lifecycle of Vulnerabilities and Threats

Business compliance
 Need to enforce business practices including
types and version of applications
 Need to ensure non-business applications does
not hinder critical business applications
practices

New Technology Adoption
 Adoptions of new technologies continue to
increase
 Enterprises are not satisfied to wait until
security “catches up”
 Convergence of networks open up the
infrastructure to new attacks
New Technologies = New Risks

Not Only for Enterprise
 Service Providers
face similar security
concerns as
enterprise
 Keeping ahead of new
security threats
considered highest
technical challenge by
SP
Source: Service Provider Plans for VPNs and
Security North America, Europe, and Asia Pacific 2006

IDP Product Overview
Security Team

The Juniper Approach
Complete Solution
Service Provider
Security Teams
Worldwide
Juniper
Security
Team
Juniper Customers
Juniper Products
Technology Vendor
Relationships
Technology Vendor
Relationships
Internal ResearchInternal Research
3rd
Party
Security Teams
3rd
Party
Security Teams
Customer
Security Team
Customer
Security Team
Cooperative
Security Research
Partner MSSP
Intelligence
Daily
Updates

The Basic Security Threat Landscape
Unknown Threats &
Vulnerabilities
Known Threats but no known
ways to protect
Known Threats with
available protection

The Juniper Advantage
 Superior protocol decoding and anomaly
detection – the majority of the unknown
 Dedicated teams researching
protocols and standards
 Provide breadth &
depth of coverage
 Give Security Experts better
tools to deal with the unknown
Unknown Threats &
Vulnerabilities
Protocol Anomalies

Dedicated Security Team
 Dedicated team to research vulnerabilities and emerging threats
• Protocol decode expertise
• Multiple research and vendor partnerships
• Reverse engineering experts
• Global honey pot network
 Industry-leading response time
• Daily and Emergency signature
updates
• Customer Accuracy Program
• Team distributed globally
• Emergency update within an hour
 www.juniper.net/security

Real-world Example Security Team’s Response
10:17 AM
5/9/2006
Microsoft announces security bulletins; MS06-018, MS06-
019, MS06-20 and posts patches for the vulnerabilities
10:21 AM
+4 min
Juniper Networks announces coverage for vulnerabilities
on all IDP platforms
11:50 AM
+1hr 33min
TippingPoint provides mixed messages on coverage
11:58 AM
+1hr 41min
ISS announces coverage only for MS06-019
End of Day
No announcements from Cisco or McAfee
Symantec announces coverage only for MS06-019
 Typical chain of events on recent Microsoft “Super Tuesday”

Product Features

Thwart Attacks at Every Turn
Multiple Methods of Detection
•Traffic Anomaly Detection
•Network Honeypot
Malicious Activities/Attacks
•Protocol Anomaly Detection
•Stateful Signatures
•Synflood Protector
•Backdoor Detection
•IP Spoof Detection
•Layer-2 Attack Detection
Recon
Multiple Method of Detection
Attack Proliferation
• Profiler • Security Explorer

Traffic Anomaly Detection
 Method of identifying abnormal traffic usage
 No protocol anomalies or specific attack
patterns but unusual traffic usage/volume
 Example: Ping Sweep
• Scan the network to identify resources for possible
attack in the future - reconnaissance
• Ping sweep from external/suspicious source should alert
administrator

Protocol Anomaly Detection
 Protocols are well defined allowing accurate
description of “normal” usage
 “Abuse” or abnormal use of the protocol are
detected by the IDP appliances
 Example: FTP Bounce Attack
x.x.x.A
x.x.x.B
Please connect to x.x.x.B
(so unauthorized client can receive data)
Please open FTP connection
x.x.x.B is not the authorized client machine
Possible abuse of FTP protocol
Request denied!!!
FTP Server
FTP Client

Stateful Signatures
 Look for attacks in context
 Avoid blindly scanning all traffic for particular
pattern
• Improve efficiency
• Reduce false-positives
 Example: Code Red Worm
• Utilizes HTTP GET request for attack
• IDP appliance only scan for the specific request and
not any other HTTP traffic

Backdoor Detection/Trojan
 Well-known “Trojan horse” concept
 Challenge is to identify the attack when the
first line of defense has been overcome
 Heuristic method of analyzing interactive
traffic
 Example: Traffic originating from web server
• Web servers typically respond to requests for
information, not initiate one
• A sign of infected server/node

Features Addressing Customer Challenges
 How can I uncover new
network activities?
 How can easily I find out
what’s really running on my
network?
 I don’t want to block
non-business apps but
how else can I control
it?
 How can I make sure new
technologies doesn’t translate
to new threats?
 Wireless is great but
how can I secure it?

Security Explorer
 Interactive and dynamic
touchgraph providing
comprehensive network and
application layer views
• Integrated with Log Viewer and
Profiler
 Identifies what’s running on a
network host
• Uncovers attacks, peer IP addresses,
open ports, available applications
and operating systems
NEW - IDP 4.0

Enhanced Profiler
 Uncovers new activities and traffic
information across network and
application levels
 Identifies new protocols,
applications and operating systems
• Alerts on rogue hosts, servers or IP
addresses
• Detect unwanted applications like P2P
and IM
 Records information on active
hosts, devices, protocols and
services in various contexts
• Instant Messaging alias, FTP username,
e-mail address, subject heading, etc…
NEW - NSM 2006.1

Diffserv (DSCP) Marking
 Controls bandwidth allocation based on specific
types of application
 Marks on a packet that match an IDP signature
 Allows upstream router to enforce on markings
(value 1-63) to assure quality of service on
critical applications or appropriate response to
nonessential apps
 Available as an action per IDP rule for full
granular control
NEW - IDP 4.0

Securing VoIP Applications
 New Protocol Decode – H.225
 Assures that the VoIP signaling and control
protocol cannot be used as a source of network
attacks or abuse
 Protocol decode capability protects underlying
vulnerability of protocol
 Allows creation of custom attack objects with
contexts
 VoIP protection on top of existing SIP protocol
support
 Proactively prevent future exploits
NEW - IDP 4.0

Securing Database Applications
 New Protocol Decode – Oracle TNS
 Protects database applications from an
increasing number of exploits and buffer
overflows in the internal network
 Blocks unauthorized users to Oracle servers
 Protects the underlying vulnerability of Oracle
TNS protocol
 Prevents future threats at day zero
NEW - IDP 4.0

Securing Mobile Data Networks
 New Inspection Capability – GTP Encapsulated
Traffic
• Protects an inherently unsecured traffic
• Supports UDP tunnel packets per GTPv0 and GTPv1
 Ensures users on cellular network aren’t
exposing the entire network to possible attacks
 Carrier protection on top of existing inspection
for GRE encapsulated traffic
NEW - IDP 4.0

Coordinated Threat Control
 Identify specific attacks originating from remote user via SSL VPN
and quarantine the user (and only the offending user)
Only from Juniper Networks !
Available IDP 3.2r2
Infected
Attack
1. User logs in using SSL VPN & deliberate or inadvertent attacks are launched
2. IDP detect the attack and block requests to the internal resources
3. IDP sends identifying data to SA SSL VPN gateway
4. Based on data from IDP, SA quarantine and notifies the user
Attack
Identifying Data
Quarantine

Product Offering

IDP Product Overview -Timeline
2002
2004
2005
2006
•IDP platform introduced
•Integrated Stateful Signature
creation and updates
•Protocol decodes
•Secure response notices
•First and only IPS integrating
Profiler for best-in-class
network awareness
•Introduction of fully integrated
multi-gigabit FW/VPN/IDP
system (ISG 1000 and 2000)
•First to introduce daily signature
updates
•Next generation of
network visibility and
control
•Consolidated
security management
solution
•First to introduce
Integrated Threat
Control for SSL
and IDP appliances

Typical IPS Deployment
Regional Head
Office
Satellite Office
Main Office
NSM

IDP Product Line
• Med Bus
• Large BO
• Enterprise
Perimeter
• Enterprise
Perimeter
• Enterprise Perimeter
• Internal LAN
IDP 50 @ 50Mbps
IDP 200 @ 200Mbps
IDP 600 @ 500Mbps
IDP 1100@ 1 Gbps
• SMB
• Branch
Office
• Service Provider
• Large Enterprise Perimeter
• Internal LAN
ISG 1000/2000

IDP Standalone – 1100 C/F
 1100C
1100F
IDP 1100 C/FIDP 1100 C/F
Optimal for largeOptimal for large
enterprise / Gigenterprise / Gig
environmentsenvironments
Up to 1 Gbps
throughput
500,000 max
sessions
10 CG or 8 Fiber SX
+ 2 CG traffic, 1 CG
mgmt & 1 CG HA
ports
HA clustering option
Integrated bypass
for CG traffic ports

High Availability Options
Standalone HA
state-sync
Third-party HA
state-sync
Bypass
Bypass Unit for
Fiber Gig networks
- IDP 600F
- IDP 1100F
- ISG

Solutions for Every Need
Juniper IDP Standalone Appliances
• 50 Mbps – 1 Gbps
• HA Clustering
• Centralized policy management
•Complement existing FW/VPN
•Protect network segments
•DMZ
•LAN
•Departmental servers
Juniper ISG Series
•Next-Gen Security ASIC
(GigaScreen)
•Multi-Gigabit FW/VPN/IDP
•Centralized policy management
•High performance for demanding
networks
•Virtualization features
•Granular rule-by-rule management

ISG – Under the hood
 Integrated Best-of-breed Security &
Networking gear
 Multi-Gig 2-way Layer 7 IDP Security Modules
 Module “blades” available for ISG-1000 and
ISG-2000

ISG Series Architecture
I/O I/O I/O I/O
GigaScreen3 ASIC
1GB RAM
Programmable Processors
Security
modules
Dual 1Ghz PowerPC CPU
1GB RAM
Management Processing
• Dedicated processing helps ensure linear
performance
• High performance interconnect & flow setup
Security Module Processing
• Dedicated processing for other security
applications
Network Level Security Processing
• ASIC-accelerated security
•Stateful FW, NAT, VPN, DoS/DDoS
•Intelligent Intrusion Prevention session
load balancing
•Embedded programmable processor
facilitate new feature acceleration
Unmatched processing power!

ISG Series Summary:
ISG 1000 and ISG 2000
ISG 1000 ISG 2000
Max Throughput: Firewall 1 Gbps 2 Gbps
Max Throughput: IPSec VPN (3DES/AES) 1 Gbps 1 Gbps
Packets per second: FW/VPN 1.5/1.5 Million 3/1.5 Million
Max sessions 500,000 1,000,000
VPN tunnels 2000 10000
Max Throughput: Deep Inspection 200 Mbps 300 Mbps
Max Throughput: IDP Up to 1 Gbps Up to 2 Gbps
Number of supported security modules (IDP) Up to 2 Up to 3
Number of fixed I/O interfaces 4 – 10/100/1000 0
Max interfaces Up to 20 Up to 28
Number of I/O modules 2 4

Product Details
Juniper Firewall/VPN, with
Screen OS Deep Inspection
Juniper Stand-alone
IDP
Juniper ISG Series
with IDP
Hardware •NS-5XT
•NS-5GT
•NS-25
•NS-50
•NS-204
•NS-208
•NS-500
•ISG 1000
•ISG 2000
•NS-5200
•NS-5400
•IDP 50
•IDP 200
•IDP 600C
•IDP 600F
•IDP 1100C
•IDP 1100F
•ISG 2000 with IDP
•ISG 1000 with IDP
Software ScreenOS 5.0, 5.1, 5.2 IDP 4.0 ScreenOS 5.0-IDP
Management NSM NSM 2006.1 NSM 2004 FP3-IDP1

Management

3-Tier Management – Secure and Scalable
Distributed IDP Sensors
Distributed ISG with IDP
Centralized
NSM Server
Common User
Interface
NSM
Standalone IDP appliances requires IDP 4.0 for NSM support

Customers with a Hybrid Network
Regional Head
Office
Satellite Office
Main Office FW Mgmt
IPS Mgmt
FW
Mgmt
IPS
Mgmt
FW Mgmt
IPS
Mgmt
 Business Challenges
• What is on my network?
• Who is on my network?
 Product Challenges
• Complex network
environments
• Multi-vendor FW and
IPS systems
• Multiple Management
Systems

Juniper Networks Customers
Regional Head
Office
Satellite Office
Main Office
NSM
 Juniper Offering
• Juniper Networks IDPs &
Firewalls
• Single Management System
• Single User Interface
 Business Benefits
• Enhanced Network Visibility
• Granular Control
• Ease of Use

NSM Management Features
Scheduled Security Updates Automatically update devices with new attack objects.
Domains Service providers and distributed enterprises may use this
mechanism to logically separate devices, policies, reports,
objects, etc…
Role-based Administration granular approach in which all 100+ activities in the system
may be assigned as separate permissions.
Object Locking Multiple administrators can safely and concurrently modify
different objects in the system at the same time.
Audit Logs Sortable and filterable record of who made which changes
to which objects in the system.
Device Templates Manage shared configuration such as sensor settings in one
place.
Job Manager View pending and completed directives (such as device
updates) and their status.
High Availability Active/passive high availability of the management server.
Scheduled Database Backups Copies of the NSM database may be saved on a daily basis.
NEW - NSM 2006.1

Granular IDP Control w/NSM
Firewall and IDP management from same user interface
Configure attack detectionConfigure desired response

Summary

Why Juniper Networks IDP products?
 Security Coverage
 Product Innovation
 Trusted Company
 Market Recognition

Security Coverage
 Multiple prevention methods for protection against entire
'Vulnerability & Attack Lifecycle’
 Complete packet capture and protocol decode @ Layer 7, including
VoIP protocols
 2-way Layer 7 inspection: blocks attacks from client-to-server and
server-to-client
 100% prevention and accuracy for Shellcode/buffer overflow
attacks
 100% prevention in protecting against Microsoft Vulnerabilities:
Same day & Zero protection on “Patch Tuesday’s”
 Comprehensive Spyware protection, including 700+ signatures and
growing daily
 Daily signature updates, including auto signature updates and auto
policy push

Product Innovation
 Next generation of network visibility w/ Security Explorer
 Granular, Flexible Management solution for all Juniper Networks
security appliances
 Automatic custom reports
 Multi Gigabit Performance
 Multiple Deployment Options
 “Profile” the network to understand applications and network
traffic
 Carrier Class IDP: Multi-Gbps combined with SDX / JNPR Router
integration
 Custom Signature Editor / Open Signatures Database

Trusted Company
 Financial Strength / $2 Billion in Revenue /
Profitable / Cash Reserves
 Investment in R&D 25% - 30% of revenue
 Product Roadmap – IDP plays a key role in
Juniper’s Infranet solution
 Global Support & Relationships

Market Recognition
 Most decorated IPS product in 2005
• Winner ‘Editors Choice’ – Network Computing: ‘The Great IPS Test’
• Winner ‘Best Multifunction Appliance’ – Network Computing (Well-Connected)
• Winner ‘Best IPS Appliance’ – Network Computing (Well-Connected)
• Winner ‘Product of the Year’ – SearchNetworking.com
• Winner ‘Product of the Year’ – IDG Research / TechWorld
• Winner ‘Best Deployment Scenario’ ISP Guide: City of Burbank, Juniper IDP
Customer
• Awarded ‘NSS Certification’ for Industry Approved IPS: IDP 600F
• Winner ‘Product of the Year’ – ISG 1000 - ZDnet Australia
• Winner ‘Editors Choice’ – IDP 200 - ZDnet Australia

Thanks You!

Juniper idp overview

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (16)

Ähnlich wie Juniper idp overview

Ähnlich wie Juniper idp overview (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Juniper idp overview

Hinweis der Redaktion