Next Generation Security Solution
4 likes1,360 views
The document provides information on Juniper SRX platform updates, including: 1) vSRX updates - The virtual firewall platform now supports up to 80G FW throughput on a single server and 100G vSRX was announced. Support for VMware 5.5+SRIOV and features parity with physical SRX firewalls. 2) Physical SRX updates - New SRX3xx and SRX550 series for branches up to 500 users. The SRX1500 provides high performance networking and security for enterprise edge and data center edge. The SRX5400 supports advanced software security services. 3) Software updates - Sky ATP cloud-based malware analysis and SRX User Identity REST API.
![SSL Forward Proxy and UTM
• 12.3X48-D25 and 15.1X49-D40 support UTM with SSL Proxy
• No configuration changes on UTM side. A ssl-proxy profile must be
applied
[…]policy trust-to-untrust match source-address any
[…]policy trust-to-untrust match destination-address any
[…]policy trust-to-untrust match application junos-any
[…]policy trust-to-untrust then permit application-services ssl-proxy profile-name ssl-inspection-p
[…]policy trust-to-untrust then permit application-services utm-policy junos-av-policy
[…]policy trust-to-untrust then permit application-services application-firewall rule-set block-app
[…]policy trust-to-untrust then log session-close](https://image.slidesharecdn.com/3junipersecurityreloadedhendrych-160601154025/85/Next-Generation-Security-Solution-17-320.jpg)
Next Generation Security Solution
- 3. vSRX - Industry’s Fastest Virtual Firewall • 18G FW Large packet (1514B), 4G FW Imix • 2 vCPU (cores), Lowest TCO • Highest Perf/Core • ~80G FW (8 instances) Large packet per server • VMware5.5+SRIOV - 8 vSRX instances on a 2.4GHz Dell server • VMware5.5+SRIOV –1 vSRX instance on a 3.4GHz Dell server 100G vSRX just got announced!
- 4. vSRX VM Hypervisors (VMware, KVM) Physical X86 CPU, Memory, & Storage Adv Services + Flow Processing + Packet FWD (JEXEC) Junos Kernel QEMU/KVM Juniper Linux (Guest OS) SRIOV Junos Control Plane (JCP/vRE) MGD RPD FEATURE PARITY TO FFP (Including Firewall, AppSecure, UTM/IDP, VPN, NAT, Routing, HA Cluster, etc.) PLATFORMS • VMWare 5.1,5.5, 6.0 • Ubuntu 14.04 (KVM) CHANGES • Name change to vSRX • Junos Version change to 15.1 • DPDK • SR-IOV • VMXNET3 and VirtIO (Driver updates) • Linux Base OS • 64Bit Flowd • Dedicated management I/F • SCSI Support • SNMP enhancements • VMTools • Min 4G vRAM and 8G HD vSRX 2.0 (15.1X49) • CentOS 7.0 (KVM) • Contrail 2.2
- 6. SRX Series Services Gateways for Branch All in one routing, switching and security in a single platform Security at a every layer with MAC-sec, IPSec and application security Best end-user application experience and operational efficiency
- 7. SRX3xx Portfolio Summary *Performance numbers for the IMIX packet size **NGFW = IPS + AppFW + External Logging App Firewall* Routing* IPSec VPN* NGFW** 500 Mbps 1 Gbps 2 Gbps 3 Gbps 500 Mbps 1 Gbps 1.7 Gbps 2.5 Gbps 100 Mbps 100 Mbps 200 Mbps 200 Mbps 300 Mbps 300 Mbps 350 Mbps 350 Mbps SRX300 Retail Office Up to 50 Users SRX320 Small Branch Up to 50 Users SRX340 Mid Branch Up to 100 Users Large Branch Up to 500 Users SRX550SRX345 Mid-Large Branch Up to 200 Users
- 8. SRX1500 Services Gateway Specification SRX1500 RAM / storage 16GB / 16GB On-board 1G ports 16xGE (w 4x SFP) On-board 10G ports 4x SFP+ OOB Management port 1x GE Acoustics 66 dBA SSD Storage 120G Power Supply 1+1 400W PSU Forwarding capacity 1.8 Mpps Routing / firewall 5 Gbps IPSec VPN (IMIX) 1.2 Gbps IPS 3.5 Gbps NGFW 1 Gbps Concurrent session 2,000,000 • SRX1500 is a high performance, cost effective and high available next generation firewall • Provide outstanding protection with Sky ATP • Integrate networking & security in a single platform • High port density and small form factor • Targeted for • Enterprise Campus Edge • Data Center Edge • Branch Router
- 9. SRX5400 • Ideal for medium to large enterprises and Service Provider networks • Software Security Services – AppSecure and IPS – AV and web filtering • Next-generation, high-performance line cards SRX5400 On-board Ports 100GE-CFP/CFP2 40GE-QSFPP 10GE-SFPP, XFP 1GE - SFP JUNOS Software Version Support JUNOS 15.1X49-D10 Firewall Performance (w/ Express Path) 65Gbps (480 Gbps) Firewall Performance IMIX (w/ Express Path) 32 Gbps (450 Gbps) Firewall Performance (Firewall + Routing PPS 64byte) (w/Express Path) 8 Mpps (98 Mpps) VPN Performance – AES256+SHA-1 35 Gbps AppSecure 42 Gbps Intrusion Prevention System 22 Gbps Connections Per Second (CPS) 450 K Maximum Concurrent Sessions 42 M High Availability A/A or A/P
- 10. SRX5k CPS with CP-lite, scaling up to 250M sessions! 1 4 7 10 11 X49-D10 213 420 420 420 420 CP-Lite 230 1060 1815 2240 2500 0 500 1000 1500 2000 2500 3000 KCPS TCP CPS
- 11. Software update
- 12. Next-Gen Firewall Features on SRX Application Reporting Application Firewalling Geo-IP C&C & Reputation Filtering User Firewalling Intrusion Prevention Web Filtering Anti-Virus Anti-Spam Content Filtering SSL Inspection Cloud-based Anti-malware
- 13. 01101010 01110101 01101110 01101001 01110000 What is Sky Advanced Threat Prevention Customer SRX Juniper Cloud Customer Sandbox w/Deception Static Analysis ATP 1. SRX extracts potentially malicious objects and files and sends them to the cloud for analysis 2. Known malicious files are quickly identified and dropped before they can infect a host 3. Multiple techniques identify new malware, adding it to the Known Bad list and reporting it to SecOps 4. Correlation between newly identified malware and known C&C sites aids analysis 5. SRX blocks known malicious file downloads and outbound C&C traffic Sky Advanced Threat Prevention Cloud
- 14. The ATP verdict chain Staged analysis: combining rapid response and deep analysis Suspect file 1 2 3 4 Suspect files enter the analysis chain in the cloud Cache lookup: (~1 second) Files we’ve seen before are identified and a verdict immediately goes back to SRX Anti-virus scanning: (~5 second) Multiple AV engines to return a verdict, which is then cached for future reference Static analysis: (~30 second) The static analysis engine does a deeper inspection, with the verdict again cached for future reference Dynamic analysis: (~7 minutes) Dynamic analysis in a custom sandbox leverages deception and provocation techniques to identify evasive malware
- 15. • Build for Aruba ClearPass integration but can be used by 3rd party • https://srxhostname/api/userfw/v1/ SRX User Identity Restful API (12.3X48-D30) Healthy(0), Checkup(10), Transition(15), Quarantine(20), Infected(30), Unknown(100) “Aruba ClearPass”, “UAC”, “Active Directory” IPv4 & IPv6 support Standard XML DateTime format (ISO8601) logon, logoff or posture-update for logon, role-list is a must for logoff A list of roles, maximum 200 with each 64 characters
- 16. Custom AppID Signature (15.1X49-D40) • Types of custom signatures: • ICMP-based • L3/L4 based • Layer 7-based http-get-url-parsed-param-parsed http-header-content-type http-header-cookie http-header-host http-header-user-agent http-post-url-parsed-param-parsed http-post-variable-parsed http-url-parsed http-url-parsed-param-parsed ssl-server-name stream
- 17. SSL Forward Proxy and UTM • 12.3X48-D25 and 15.1X49-D40 support UTM with SSL Proxy • No configuration changes on UTM side. A ssl-proxy profile must be applied […]policy trust-to-untrust match source-address any […]policy trust-to-untrust match destination-address any […]policy trust-to-untrust match application junos-any […]policy trust-to-untrust then permit application-services ssl-proxy profile-name ssl-inspection-p […]policy trust-to-untrust then permit application-services utm-policy junos-av-policy […]policy trust-to-untrust then permit application-services application-firewall rule-set block-app […]policy trust-to-untrust then log session-close
- 18. Juniper site to site VPN Solutions update Use Case Auto VPN Auto + AD VPN Group VPN Network Topology Failover Redundancy Traffic Steering • Large Scale of Hub and Spoke • Cluster Hub/Spoke • Active-Passive • Active-Backup • Traffic Selector with Static Routes – Higher scalability • Dynamic Routing • On Demand Spoke to Spoke • Dynamic Any-to-Any • Cluster Hub • Cluster Spokes (Hierarchy) • Traffic Selector with Static Routes – Higher scalability • Dynamic Routing - OSPF • Any-to-Any • Full Mesh • Server Cluster for Key Server protection • Up to 4 server in the same cluster. • No overlay routing • Advance QoS for encrypted traffic Tunnel Technology • Tunnel Based VPN • St0 P2P with Traffic Selector • St0 P2MP with Routing • IKEv1 and IKEv2 • Dynamic Spoke to Spoke Tunnel • IKEv2 • Tunnel-less VPN • Group Protection • IKEV1 Performance / Scalability • Up to 1 Gbps / 3 Gbps and 2000 Tunnel - SRX1500 • 15K Tunnel with TS • 256 shortcut tunnels- SRX550M • 512 shortcut tunnels - SRX650 and above • 4000 group members per server • 16K per cluster
- 19. Management
- 20. Firewall Policy Threat Map Events and Logs Application Visibility Dashboard Junos Space Security Director 2.0 https://www.youtube.com/watch?v=IN0g7SUfFQ0 Graphical, Intuitive, Network Wide Visibility
- 21. …smarter and faster Big = More 1 2 3
- 22. Future
- 23. Software Defined Secure Network Vision Unify and rate threat intelligence, from multiple sources Create and centrally manage security policy through user-intent based system Enforce policy in near real time across the network; ability to adapt to network changes Detection Enforcement Policy Users & Roles Departments & Sites Devices Applications Business Needs IT View Switch Ports VLANs ACLs IPs/Subnets VRFs ACLs Firewall Zones Rules Users & Apps Threats Location
- 24. Thanks!