Securing Networks with Juniper Networks
Juniper Security Features
Jean-Marc Uzé, Liaison Research, Education and Government Networks and Institutions, EMEA
TF-CSIRT Meeting, 26/09/02

Agenda
- Introduction
- Juniper Networks Routers Architecture
- Router Protection
- Encryption of Traffic
- Source Address Verification
- Real-time Traffic Analysis
- I/O Filters and Rate Limiting
- Summary

Juniper Networks, Inc. Copyright © 2002 3
Cyber Attacks Increasing
- Frequency
  - Over 4,000 Distributed DoS attacks a week
- Sophistication
  - Distributed DoS attacks hard to detect & stop
  - Network elements recently targeted
- Impact
  - Yahoo, eBay, Microsoft make headlines
  - Cloud 9 (UK) ISP out of business
[Figure: timeline 1994 to 2000, from host based attacks through network based attacks to attacks that target the network itself: packet sniffers, IP spoofing, denial of service attacks, automated scanning tools, distributed denial of service attacks, email script attacks, self-propagating automated distributed attacks]
Source: Published CERT figures

Today’s Security Compromises
- Enable security at specific points on the network
- As platforms, interfaces or software allow
- Does not provide reliable security
- Security enabled after attack is detected
- High operational effort
- Performance SLAs affected
[Figure: the two compromises, labelled Partial and Reactive; performance versus time under a reactive response: attack starts, performance falls below the SLA target while the attack is traced and then blocked, attack ends]

Security Without Compromise
- Ubiquitous
  - Juniper Networks: Single Image, Security on All Interfaces
- Continuous
  - Juniper Networks: Low impact – turn it on, leave it on
- Economical
  - Juniper Networks: Included in the basic platform
- Proven
  - Juniper Networks: Shipping since 2000 and in use in production networks around the world
Lets you, rather than your equipment, dictate your network security policy.

Protecting and Enabling Revenues
- Customer Retention
  - Increased customer satisfaction
  - Match competitive security service offerings
- New Services
  - Lawful Intercept
  - Intrusion Detection Services
  - High Speed Encrypted VPNs
  - Attack Resistant Web Hosting
  - Denial of Service Protection/Control
  - Spoofing Protection

JUNOS Security Related Features
[Figure: timeline of JUNOS releases, JUNOS 3.x (1998), JUNOS 4.x (1999) and JUNOS 5.x (2001), with the security related features introduced along the way:]
- User Administration
- TACACS+/RADIUS
- Protocol Authentication
- H/W Based Packet Filtering
- Individual Command Authorization
- Traffic Policing
- Firewall Syslogs/MIB
- H/W Based Router Protection
- Port-Mirroring
- IPSEC Encryption (Control and Transit traffic)
- Unicast RPF
- Radius Support for PPP/CHAP
- SNMPv3

Juniper Security Features at a Glance
Examples of Available Safeguards (grouped in the original figure under Prevention, Customer Protection and Infrastructure Protection):
1. Hardware based router protection
2. IPSEC encryption of Control Traffic
3. IPSEC encryption of customer traffic
4. Source address verification
5. Real time traffic analysis (port mirroring) for Lawful Intercept, IDS Detection
6. Real-time DDOS attack identification
7. I/O filters to block attack flows
8. Rate limiting / Suppression
9. Hitless filter implementation

System Architecture
- Routing Engine
  - Maintains routing table and constructs forwarding table using knowledge of the network
- Packet Forwarding Engine
  - Receives packet forwarding table from Routing Engine
  - Copies packets from an input interface to an output interface
  - Conducts incremental table updates without forwarding interruption
[Figure: the Routing Engine, running JUNOS Internet Software, updates the Forwarding Table held by the Packet Forwarding Engine (Internet Processor II, Switch Fabric and I/O Cards)]

IP II ASIC Overview
- Leverages proven, predictable ASIC forwarding technology of Internet Processor
- Provides breakthrough technology to support performance-based, enhanced services
  - Security and bandwidth control (i.e. filtering) at speed
  - Visibility into network operations at speed
- Delivers performance WITH services
  - Supported on all interfaces
[Figure: Internet Processor II ASIC]

Filtering
- IP-II enables significant functionality with applications to network management
  - Security
  - Monitoring
  - Accounting
[Figure: a filter specification is compiled, together with the routing instance, into the microcode of the packet handling program; filters and route lookup are part of the same program and run on all packets handled by the router. Header fields shown: IP (Ver, IHL, ToS, Total Len, ID, Fragmentation, TTL, Proto, Hdr Checksum, Source Address, Destination Address) and TCP (Source Port, Dest Port, Sequence Number, Acknowledgement Number, Offset, Flags, Window, Checksum, Urgent Pointer)]
- Filters can act on the highlighted header fields, as well as the incoming interface identifier and the presence of IP options
- Actions: forward, silent discard, or reject with a TCP reset or an ICMP unreachable; additionally log, syslog, count, sample, forwarding-class, loss-priority and policer
- Multiple rules (terms) may be specified. The slide's filter specification, written out in JUNOS firewall filter syntax:

    firewall {
        filter my-filter {
            term rule-10 {
                from {
                    protocol tcp;
                    source-address 128.100.1.0/24;
                    port [ smtp ftp-data 666 1024-1536 ];
                }
                then {
                    reject tcp-reset;
                }
            }
        }
    }

JUNOS Internet Software
- Common software across entire product line leverages stability, interoperability, and a wide range of features
- Purpose built for Internet scale
- Modular design for high reliability
- Best-in-class routing protocol implementations
- Foundation for new services with MPLS traffic engineering
[Figure: JUNOS Internet Software modules on top of the operating system: Protocols, Interface Mgmt, Chassis Mgmt, SNMP, Security]

Traffic Framework
- Management, Control and Data planes
- Source, Destination and Type
[Figure: traffic classes handled by the router: Routing Control, ICMP Notification, User Data, Router Management]

Tools – Prevent, Detect, Control
- Traffic
  - Forward
  - Redirect
  - Monitor
  - Sample
  - Count
  - Log
  - Mark
  - Limit
  - Discard
- Route Control
  - Import filters
  - Export filters
  - Mark
  - Limit
    - Announcements
    - Prefixes

JUNOS Default to Secure
- Does not forward directed broadcasts
- Remote management access to the router is disabled. It must be explicitly enabled
  - telnet, ftp, ssh…
- No SNMP set support for editing configuration data
- Default Martian addresses

Communicating with the Router
- Secure Shell
  - SSH v1 / v2
  - Supports a connection limit and a rate limit
    - against SYN flood DoS attacks on the ssh port
  - OpenSSH 3.0.2 since JUNOS 5.4
- Secure Copy Protocol (SCP)
  - Uses the ssh encryption and authentication infrastructure to securely copy files between hosts
- Central Authentication
  - TACACS+ / RADIUS
  - User classes with specific privileges

Hardware-Based Router Protection
- Router’s control plane is complex and intelligent
  - Needs to be CPU based
  - Protocols need processing power for fast updates and to minimize convergence time.
- Attacks launched at routers include sending:
  - Forged routing packets (BGP, OSPF, RIP, etc.)
  - Bogus management traffic (ICMP, SNMP, SSH, etc.)
- Attacker can easily launch high speed attacks
  - Rates in excess of 40M/second
  - CPU based filtering unable to keep up
  - Attacks consume CPU resources needed for control traffic.
  - Danger of protocol time-outs, leading to network instabilities.

Hardware Based Router Protection
- Hardware based filtering advantages
  - Hardware drops attack (“untrusted”) traffic
  - CPU free to process “trusted” control traffic
- One filter applied to the “loopback”
  - Protects the router and all interfaces
  - Provides ease of management
  - No need to configure additional filters

Hardware Based Router Protection
- Define “trusted” source addresses
- Define protocols and ports that need to communicate
- Accept desired traffic and discard everything else
- One filter applied to the loopback interface protects router and all interfaces

    firewall {
        filter protect-RE {
            /* established TCP sessions (ACK or RST set) are always allowed through */
            term established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* trusted sources, and only the protocols and ports they need */
            term trusted-traffic {
                from {
                    source-address {
                        10.10.10.0/24;
                        10.10.11.0/24;
                        10.10.12.0/24;
                        10.10.17.0/24;
                        10.10.18.0/24;
                    }
                    protocol [ icmp tcp ospf udp ];
                    destination-port [ bgp domain ftp ftp-data snmp ssh ntp ];
                }
                then accept;
            }
            /* everything else is logged and dropped in hardware */
            term default {
                then {
                    log;
                    discard;
                }
            }
        }
    }

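To make the term-by-term behaviour of the protect-RE filter above concrete, here is an added model of how such a stateless filter is evaluated: terms are tried in order, the first term whose `from` conditions all hold decides the action, and a packet that matches no term hits the implicit discard at the end of every JUNOS filter. This is example code written for this page, not Juniper code; the term names and contents are transcribed from the slide, while `Packet`, `Term`, `evaluate`, `decide` and the sample packets are assumptions made here.

```python
"""Model of a stateless JUNOS firewall filter such as the slide's protect-RE.
Added example, not Juniper code. Term names and contents follow the slide;
Packet, Term, evaluate, decide and the sample packets are assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Service names used on the slide, resolved to port numbers (standard assignments).
SERVICE_PORTS = {"bgp": 179, "domain": 53, "ftp": 21, "ftp-data": 20,
                 "snmp": 161, "ssh": 22, "ntp": 123}


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                       # "tcp", "udp", "icmp", "ospf", ...
    dport: int = 0                      # meaningful for tcp/udp only
    tcp_flags: frozenset = frozenset()  # e.g. {"syn"}, {"ack"}


@dataclass
class Term:
    name: str
    source_prefixes: list[str] = field(default_factory=list)
    protocols: list[str] = field(default_factory=list)
    destination_ports: list = field(default_factory=list)
    tcp_established: bool = False
    actions: tuple = ("accept",)        # e.g. ("log", "discard")

    def matches(self, pkt: Packet) -> bool:
        """All configured `from` conditions must hold for the term to match."""
        if self.source_prefixes:
            src = ipaddress.ip_address(pkt.src)
            if not any(src in ipaddress.ip_network(p) for p in self.source_prefixes):
                return False
        if self.protocols and pkt.protocol not in self.protocols:
            return False
        if self.destination_ports:
            # A port match can only be satisfied by TCP/UDP; ICMP and OSPF carry no port field.
            if pkt.protocol not in ("tcp", "udp"):
                return False
            wanted = {SERVICE_PORTS.get(p, p) for p in self.destination_ports}
            if pkt.dport not in wanted:
                return False
        if self.tcp_established:
            # tcp-established: TCP segments with ACK or RST set, i.e. not a new connection's first packet
            if pkt.protocol != "tcp" or not (pkt.tcp_flags & {"ack", "rst"}):
                return False
        return True


def evaluate(terms: list[Term], pkt: Packet) -> tuple[str, tuple]:
    """Return (term name, actions) of the first matching term, or the implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.actions
    return "implicit", ("discard",)


TRUSTED = ["10.10.10.0/24", "10.10.11.0/24", "10.10.12.0/24", "10.10.17.0/24", "10.10.18.0/24"]

# The protect-RE filter from the slide, term by term.
PROTECT_RE = [
    Term("established", protocols=["tcp"], tcp_established=True),
    Term("trusted-traffic", source_prefixes=TRUSTED,
         protocols=["icmp", "tcp", "ospf", "udp"],
         destination_ports=["bgp", "domain", "ftp", "ftp-data", "snmp", "ssh", "ntp"]),
    Term("default", actions=("log", "discard")),
]


def decide(pkt: Packet) -> tuple[str, tuple]:
    """Evaluate a packet addressed to the router (lo0 input filter) against protect-RE."""
    return evaluate(PROTECT_RE, pkt)


if __name__ == "__main__":
    # Constructed samples; the router's own address is taken to be 10.0.0.1.
    for pkt in (Packet("10.10.10.5", "10.0.0.1", "tcp", 179, frozenset({"syn"})),     # BGP open from a trusted peer
                Packet("192.0.2.9", "10.0.0.1", "tcp", 22, frozenset({"syn"})),       # SSH from an untrusted host
                Packet("198.51.100.4", "10.0.0.1", "tcp", 5000, frozenset({"ack"})),  # any ACK-flagged segment
                Packet("10.10.10.7", "224.0.0.5", "ospf")):                            # OSPF hello, trusted router
        print(pkt.src, pkt.protocol, pkt.dport, "->", decide(pkt))
```

Two things the model makes visible that the slide does not spell out. First, the `established` term accepts any ACK- or RST-flagged TCP segment regardless of its source, which keeps existing sessions alive but is also the widest opening in the filter. Second, the `trusted-traffic` term combines `icmp` and `ospf` with a `destination-port` match that only TCP and UDP can satisfy, so in this model an OSPF hello from a trusted router falls through to `default` and is discarded; the usual remedy is a separate term for the port-less protocols without a port condition.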
IPSec Encryption of Control Traffic
- Encrypt Control Traffic Between Routers
- Encryption uses ESP in Transport Mode
- ESP Provides Secure Communication for critical control/routing traffic
- Protects from attacks against control plane

IPSec Encryption of Customer Traffic
- Encryption Services PIC provides capabilities to other interfaces on the router for Encryption and Key Exchange (IKE)
- Provides high-bandwidth encryption for transit traffic at 800 Mbps (half-duplex)
- Applied via the Packet Forwarding Engine
  - offloads the encryption and decryption tasks from the Routing Engine processor
- Delivers Private and Secure communication of mission-critical customer traffic
- Provides up to 1,000 tunnels per PIC
- Can Scale Using Multiple PICs

IPSec Encryption of Customer Traffic
- Crypto PIC highlights:
  - Tunnel/Transport Mode
    - Tunnel mode for data traffic
  - Authentication Algorithms
    - MD5
    - SHA-1
  - Encryption Algorithms
    - DES
    - 3-DES
  - IKE Features
    - Support for automated key management using Diffie-Hellman key establishment
    - Main/Aggressive mode supported for IKE SA setup
    - Quick Mode supported for IPSec SA setup

Source Address Verification
- Why it is needed:
  - IP address spoofing is a technique used in DoS attacks
  - Attacker pretends to be someone else
  - Makes it difficult to trace back the attacks
  - Common operating systems let users spoof the machine’s IP address (UNIX, Linux, Windows XP)
- How it is done:
  - Route table look-up performed on IP source address
  - Router determines if traffic is arriving on the expected path
    - traffic is accepted
    - normal destination based look-up is performed
  - If traffic is not arriving on the expected path
    - then it is dropped

Source Address Verification
- Juniper Solution
  - uRPF can be configured per-interface/sub-interface
  - Supports both IPv4 and IPv6
  - Packet/Byte counters for traffic failing the uRPF check
  - Additional filtering available for traffic failing check:
    - police/reject
    - Can syslog the rejected traffic for later analysis
  - Two modes available:
    - Active-paths: uRPF only considers the best path toward a particular destination
    - Feasible-paths: uRPF considers all the feasible paths. This is used where

Source Address Verification
[Figure: uRPF on a router with interfaces so-0/0/0.0 and so-1/0/0.0. The data center prefix 10.10.10.0/24 is reached via so-1/0/0.0 (10.10.10.0/24 *[BGP/170] >via so-1/0/0.0), so an attack packet with source address 10.10.10.1 arriving on so-0/0/0.0 (the 11.11.11.0/24 side) fails the check and is dropped]

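The check in the figure, carried through in code as an added example (not Juniper code): the packet's source address is looked up in the routing table and the packet is accepted only if it arrived on an interface that route would use to reach the source; active-paths mode allows only the best path, feasible-paths mode also allows the other feasible next hops, and failures are counted per ingress interface as the previous slide describes. The routing table, the `UrpfRouter` class and the packets are constructed here; the interface names and the data center prefix follow the slide's figure, the multihomed 192.0.2.0/24 customer is an addition to show the two modes.

```python
"""Unicast RPF as described on the slides. Added example, not Juniper code;
the routing table, packets and the UrpfRouter class are assumptions, the
interface names and the 10.10.10.0/24 prefix follow the slide's figure."""
import ipaddress
from collections import Counter


class UrpfRouter:
    def __init__(self):
        self.routes = []            # (network, best interface, feasible alternate interfaces)
        self.failed = Counter()     # per-ingress packet counters for traffic failing the check

    def add_route(self, prefix, best, feasible=()):
        self.routes.append((ipaddress.ip_network(prefix), best, list(feasible)))

    def lookup(self, addr):
        """Longest-prefix match; returns (best, feasible) or None when the source is unrouted."""
        ip = ipaddress.ip_address(addr)
        candidates = [r for r in self.routes if ip in r[0]]
        if not candidates:
            return None
        _, best, feasible = max(candidates, key=lambda r: r[0].prefixlen)
        return best, feasible

    def urpf_check(self, src, ingress, mode="active-paths"):
        """True if src arriving on ingress passes uRPF in the given mode; failures are counted."""
        route = self.lookup(src)
        if route is None:
            ok = False                                  # no route back to the source at all
        else:
            best, feasible = route
            allowed = {best} if mode == "active-paths" else {best, *feasible}
            ok = ingress in allowed
        if not ok:
            self.failed[ingress] += 1
        return ok


def build_router():
    """Constructed table: the data center prefix from the figure plus a multihomed customer."""
    r = UrpfRouter()
    r.add_route("10.10.10.0/24", "so-1/0/0.0")          # 10.10.10.0/24 *[BGP/170] >via so-1/0/0.0
    r.add_route("11.11.11.0/24", "so-0/0/0.0")
    r.add_route("192.0.2.0/24", "so-2/0/0.0", feasible=["so-3/0/0.0"])  # two feasible paths
    return r


def figure_scenario():
    """Run the figure's attack and a few more checks; returns (results, failed-check counters)."""
    r = build_router()
    results = (
        r.urpf_check("10.10.10.1", "so-0/0/0.0"),                        # spoofed: route points elsewhere
        r.urpf_check("10.10.10.1", "so-1/0/0.0"),                        # genuine data center traffic
        r.urpf_check("192.0.2.5", "so-3/0/0.0"),                         # alternate path, active-paths
        r.urpf_check("192.0.2.5", "so-3/0/0.0", mode="feasible-paths"),  # alternate path, feasible-paths
        r.urpf_check("203.0.113.9", "so-0/0/0.0"),                       # unrouted source
    )
    return results, dict(r.failed)


if __name__ == "__main__":
    results, counters = figure_scenario()
    print("checks:", results)
    print("failed-check counters:", counters)
```

The third and fourth checks show why the two modes exist: a customer whose traffic legitimately enters over a path other than the router's best route fails active-paths uRPF, while feasible-paths accepts it, so the stricter mode belongs on interfaces where the return path is unambiguous, such as single-homed customer edges.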
Real-time Traffic Analysis
- Sampling and cflowd format export (v5 + v8)
- Since JUNOS 5.4: Passive Monitoring PIC
  - Application is primarily for security and traffic analysis
  - Monitors IPv4 packets and flows over SONET on:
    - OC-3c, OC-12c and OC-48c
    - PPP or HDLC (Cisco) layer 2 encapsulations
  - Generates cflowd v5 records for export to collector nodes
    - IPSec or GRE tunnels can be used for exporting

Real-time Traffic Analysis
- Juniper Port Mirroring capability
  - Copy of sampled packet can be sent to arbitrary interface
  - Any interface and speed, up to 100% of selected packets
  - N number of ingress ports to single destination port
  - Work in progress with IDS vendor
    - Discussions ongoing with high-speed analytical security
[Figure: traffic from the data center is mirrored to an Intrusion Detection System]

Real-time DDoS Identification
- Preparation
  - Pre-configure Destination Class Usage (DCU) on customer-facing ingress interfaces
  - Accounting feature typically for billing
  - Supported in JUNOS 4.3 (12/2000) and beyond
  - Counts packets, bytes destined for each of up to 16 communities per interface
  - Counters retrievable via SNMP
  - Note: Source Class Usage is also supported (since JUNOS 5.4)
- During Attack
  - Use BGP to announce victim’s /32 host address with special community
  - Trigger SNMP polling of DCU counters on all ingress interfaces
  - Apply heuristic to identify likely attack sources

Real-time DDoS Identification
[Figure: service provider network with a NOC, user networks, attacker networks and the victim network; attack traffic enters through several customer-facing ingress interfaces]
[Figure: the NOC announces the victim’s host route 128.8.128.80/32 with community 100:100; the DCU counters for that community on each ingress interface then show where the attack traffic enters the network]

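The heuristic step of the procedure above, as an added example that is not part of the original deck or Juniper's software: once the victim's /32 is announced with the special community, the DCU class for that community counts only traffic to the victim, so two SNMP polls of the per-interface counters give a packet rate toward the victim per ingress interface, and the interfaces far above the others are the likely attack entry points. The SNMP polls are replaced here by constructed counter snapshots, the class name `community-100:100` mirrors the figure's community, and the threshold rule in `suspect_interfaces` is an assumed heuristic rather than anything the slides specify.

```python
"""DCU-based attack-ingress identification. Added example, not Juniper code;
the counter snapshots are constructed and the threshold rule is an assumption."""
from statistics import median

VICTIM_CLASS = "community-100:100"   # DCU class for the victim's /32 (name constructed after the figure)
POLL_INTERVAL_S = 30                 # seconds between the two SNMP polls (assumed)

# Constructed DCU snapshots: interface -> {class: (packets, bytes)}, one poll interval apart.
SNAPSHOT_T0 = {
    "so-0/0/0.0": {VICTIM_CLASS: (1_000, 120_000)},
    "so-0/1/0.0": {VICTIM_CLASS: (2_500, 300_000)},
    "so-1/0/0.0": {VICTIM_CLASS: (800, 96_000)},
    "so-1/1/0.0": {VICTIM_CLASS: (3_000, 360_000)},
    "so-2/0/0.0": {VICTIM_CLASS: (500, 60_000)},
}
SNAPSHOT_T1 = {
    "so-0/0/0.0": {VICTIM_CLASS: (1_300, 156_000)},          # 10 pps, normal
    "so-0/1/0.0": {VICTIM_CLASS: (902_500, 36_300_000)},     # 30,000 pps of 40-byte packets
    "so-1/0/0.0": {VICTIM_CLASS: (1_100, 132_000)},          # 10 pps, normal
    "so-1/1/0.0": {VICTIM_CLASS: (1_503_000, 60_360_000)},   # 50,000 pps of 40-byte packets
    "so-2/0/0.0": {VICTIM_CLASS: (1_100, 132_000)},          # 20 pps, normal
}


def class_rates(t0, t1, interval_s, dcu_class):
    """Packets per second toward dcu_class on each interface between two polls.
    A negative delta (counter reset or wrap between polls) is treated as unusable and skipped."""
    rates = {}
    for ifname, classes in t1.items():
        p1 = classes.get(dcu_class, (0, 0))[0]
        p0 = t0.get(ifname, {}).get(dcu_class, (0, 0))[0]
        delta = p1 - p0
        if delta < 0:
            continue
        rates[ifname] = delta / interval_s
    return rates


def suspect_interfaces(rates, min_pps=1000.0, factor=10.0):
    """Assumed heuristic: flag interfaces whose rate toward the victim is above an absolute
    floor and at least `factor` times the median over all interfaces; highest rate first."""
    if not rates:
        return []
    med = median(rates.values())
    flagged = [(i, r) for i, r in rates.items() if r >= min_pps and r >= factor * max(med, 1.0)]
    return [i for i, _ in sorted(flagged, key=lambda x: -x[1])]


def identify_attack_ingress():
    """Full pass over the constructed snapshots: returns the likely attack ingress interfaces."""
    rates = class_rates(SNAPSHOT_T0, SNAPSHOT_T1, POLL_INTERVAL_S, VICTIM_CLASS)
    return suspect_interfaces(rates)


if __name__ == "__main__":
    print("pps toward victim:", class_rates(SNAPSHOT_T0, SNAPSHOT_T1, POLL_INTERVAL_S, VICTIM_CLASS))
    print("likely attack ingress:", identify_attack_ingress())
```

Comparing against the median rather than a fixed number keeps the rule usable when the victim normally receives very different volumes per interface; the absolute floor stops a quiet network from flagging a 20 pps interface just because the others carry 1 pps. The output is a list of ingress interfaces, which is exactly what the next step on the I/O filter slides needs.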
I/O Filters To Block Attack Flows
- DoS attacks need to be detected and stopped
- Interface filters can be applied to block only attack flows
- Filters can be applied to any interface type
- Filters can be applied both on inbound and outbound

    /* apply the filter to the ingress point of the network */
    interfaces {
        so-0/2/2 {
            unit 0 {
                family inet {
                    filter {
                        input block-attack;
                    }
                    address 151.1.1.1/30;
                }
            }
        }
    }
    /* This is the filter which blocks the attacks */
    firewall {
        filter block-attack {
            term bad-guy {
                from {
                    source-address {
                        10.10.10.1/32;
                    }
                    protocol icmp;
                }
                then {
                    discard;
                    log;
                }
            }
            /* a JUNOS filter ends with an implicit discard, so an explicit
               final accept is needed for the filter to block only the attack flow */
            term allow-rest {
                then accept;
            }
        }
    }

Rate Limiting
- Suppression/Rate Limiting Advantages
  - Protects router or customer by limiting traffic based on protocol/port/source and destination addresses
- Juniper Advantage
  - Architectural reasons for the performance
    - Internet Processor ASIC not tied to an interface or release
  - Behavior under attack

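Rate limiting as the slide describes it, in an added example that is not Juniper code: packets selected by a filter term (here ICMP toward a customer prefix) are handed to a policer modelled as a token bucket whose two parameters are named after the JUNOS policer settings bandwidth-limit and burst-size-limit; in-profile packets are forwarded, out-of-profile packets are discarded, and traffic the term does not match is never touched. The limits, the prefix and the packet trace are constructed for the example.

```python
"""Policer (token bucket) applied to one filter term. Added example, not Juniper
code; the limits, prefix and packet trace are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Policer:
    bandwidth_bps: int      # cf. JUNOS bandwidth-limit (bits per second)
    burst_bytes: int        # cf. JUNOS burst-size-limit (bytes)
    tokens: float = 0.0
    last_t: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)   # bucket starts full

    def admit(self, length, now):
        """Refill the bucket for the elapsed time, then admit the packet if enough tokens remain."""
        elapsed = max(0.0, now - self.last_t)
        self.last_t = now
        self.tokens = min(self.burst_bytes, self.tokens + elapsed * self.bandwidth_bps / 8)
        if self.tokens >= length:
            self.tokens -= length
            return True
        return False


def term_matches(pkt, protocol, dst_prefix):
    """The `from` part of the term: protocol plus destination prefix."""
    return pkt["proto"] == protocol and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst_prefix)


def run_policer(packets, policer, protocol="icmp", dst_prefix="151.1.1.0/30"):
    """Apply the term's policer to a packet trace; returns counts per outcome."""
    stats = {"forwarded": 0, "discarded": 0, "unmatched": 0}
    for pkt in packets:
        if not term_matches(pkt, protocol, dst_prefix):
            stats["unmatched"] += 1          # other traffic is unaffected by this term's policer
        elif policer.admit(pkt["len"], pkt["t"]):
            stats["forwarded"] += 1          # in profile
        else:
            stats["discarded"] += 1          # out of profile: dropped in hardware
    return stats


def icmp_flood_trace(n=1000, pps=10_000, length=100, dst="151.1.1.2"):
    """Constructed flood: n ICMP packets of `length` bytes at `pps` toward dst, then one TCP packet."""
    pkts = [{"t": i / pps, "proto": "icmp", "dst": dst, "len": length} for i in range(n)]
    pkts.append({"t": n / pps, "proto": "tcp", "dst": dst, "len": 60})
    return pkts


def demo():
    """64 kbit/s with a 1500-byte burst against a 10,000 pps flood of 100-byte ICMP packets."""
    policer = Policer(bandwidth_bps=64_000, burst_bytes=1_500)
    return run_policer(icmp_flood_trace(), policer)


if __name__ == "__main__":
    print(demo())
```

With these numbers the first 15 packets drain the burst allowance and the refill of 8,000 bytes per second then admits only about one 100-byte packet every 12.5 ms, so roughly 22 of the 1,000 flood packets reach the customer and the single TCP packet passes untouched. Setting the burst size decides how much of a sudden spike gets through before the limit bites, which is the trade-off to make deliberately when protecting a router's control plane rather than a customer link.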
Hitless Filter Implementation
- Can be applied immediately after identification of offending traffic
- Application of filters does not create a short-term degraded condition as filters take effect
- Size and complexity of filter independent of forwarding performance

Traffic Interruption During Filter Compilation
[Figure: a NOC operator applies or changes filters; during filter compilation all traffic, the legitimate traffic flow as well as the attack flow, gets dropped]

No Interruption With Atomic Updates
[Figure: a NOC operator applies or changes filters; with atomic updates only the attack flow gets dropped while the legitimate traffic flow continues uninterrupted]

Next Steps
- Ongoing dialog with security team
  - Ensuring existing security features are active
  - Awareness of upcoming security issues
- Best Practices
  - White Papers
- Security consulting and training

Juniper Networks – the Trusted Source

Further References
- Juniper Networks Whitepapers
  - Rate-limiting and Traffic-policing Features
  - Fortifying the Core
  - Visibility into Network Operations
  - Minimizing the Effects of DoS Attacks
  - Juniper Networks Router Security