SECURE THE DATACENTER. Dennis de Leest Sr. Systems Engineer


(1)

SECURE THE DATACENTER

Dennis de Leest

(2)

PURE PLAY IN HIGH-PERFORMANCE NETWORKING

First 10 Years Of Juniper: 1996-2006

Breadth of Today’s Portfolio

Segments (figure): Access & Aggregation; Campus & Branch; Data Center; Edge; WAN; Consumer & Business Device; Core

Products shown: E, M, MX, SRX, MobileNext, MediaFlow, ACX, QFX, EX, vGW, NetScreen, WLAN, Junos Pulse, T, PTX

Themes: Converged Supercore; Universal Edge; Universal Access; 3-2-1 Architecture & Physical + Virtual Security; Simplified Pay-as-you-Grow MPLS; Wired/Wireless convergence & Unified Policy; Best-of-breed Mobile Security

(3)

JUNIPER IN THE DATACENTER: PROTECTING APPS

SRX Firewall
• Leading high-end firewall
• Proven datacenter scale
• Integration with WebApp Secure

DDoS Secure
• Low-and-slow and volumetric
• Signature free: stops new attacks
• No tuning or thresholds

WebApp Secure
• Intrusion Deception stops hacking
• Near-zero false positives
• No tuning or Web App changes

Spotlight Secure
• Global attacker fingerprint system
• Actionable – beyond IP address


(5)

IMPLICATIONS OF WEB APP VULNERABILITY

1. Direct theft of Web App data
2. Compromise Web app and use as DMZ pivot point
3.

(6)

DIRECT THEFT OF WEB APP DATA

WebApp -> Database

• Credit card info
• Customer data
• Account records
• Credentials

(7)

COMPROMISE DMZ AND MOVE LATERALLY

Internet -> WebApp (DMZ) -> PCI Data

1) Own web server, install backdoor
2) Attack into PCI zone from DMZ
3) Exfiltrate data through backdoor

(8)

TARGETED DRIVE-BY CAMPAIGNS

1) Attack Web app, embed malicious link
2) Infect employees, partners, customers with backdoor
3) Steal data

(9)

WEB APP FIREWALLS MISS THE MARK

1 in 6 report having a Web App Firewall that is deployed in block mode

66% say next-gen security is ineffective on SQL injection attacks against Web apps

• High false positives block real customers
• Complex policies
• Hackers bypass signature-based detection
• Not in block mode = expensive log file

Source: “Efficacy of Emerging Network Security Technologies”, Ponemon, 2013

(10)

“After a 3 month bake-off with WAFs, we chose WebApp Secure for its lowest false positive, real-time attacker visibility and operational efficiency.”

-- Cedomir Novakovic, Sr. System Engineer, MOZZART BET

Background
• 2nd Largest Online Gaming Site in Europe
• Online Attacks put Millions of Euros at Stake
• Needed Active Protection vs. Post-Event Log Analysis

Products Bought
• WebApp Secure & Spotlight Secure

(11)

THE JUNOS WEBAPP SECURE ADVANTAGE: DECEPTION-BASED SECURITY

• “Tar Traps” detect threats without false positives.
• Track IPs, browsers, software and scripts.
• Understand attacker’s capabilities and intents.
• Adaptive responses, including block, warn and deceive.

(12)

THE ANATOMY OF A WEB ATTACK

Phase 1: Reconnaissance
Phase 2: Attack Vector Establishment
Phase 3: Implementation
Phase 4: Automation
Phase 5: Maintenance

(13)

INTRUSION DECEPTION: DETECTING WITH NEAR-ZERO FALSE POSITIVES, NO TUNING

Flow (figure): Client <-> Junos WebApp Secure <-> App Server

Tar traps injected into the Web App response:
• Server configuration (.htpasswd)
• Query string parameters
• HTML hidden input fields

404 Not Found
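The mechanism above, as an added illustration that is not Juniper's code: decoys are inserted into outgoing HTML, and an inbound request is flagged only when it touches a decoy in a way a real browser never would (the secret, the decoy field and parameter names and the config-file paths are all hypothetical).

```python
"""Minimal intrusion-deception ("tar trap") mechanics.  Added illustration, not
Juniper's code: the secret, decoy field/parameter names and trap paths are all
hypothetical.  Legitimate browsers echo decoys back unchanged, so a mismatch
is a deliberate act, which is what keeps the false-positive rate near zero."""
import hashlib
import hmac
import re

TRAP_SECRET = b"replace-with-per-deployment-secret"   # constructed value
HIDDEN_FIELD = "account_tier"     # decoy hidden <input>; looks tempting to edit
DECOY_QUERY = "debug"             # decoy query-string parameter
CONFIG_TRAPS = {"/.htpasswd", "/.htaccess"}   # paths that never exist on the real app

def decoy_value(site_salt):
    """Tamper-evident decoy value bound to the site (HMAC-SHA256, truncated)."""
    return hmac.new(TRAP_SECRET, site_salt.encode(), hashlib.sha256).hexdigest()[:16]

def inject_traps(html, site_salt):
    """Add the hidden field to every <form> and the decoy parameter to
    same-origin links before the response leaves the application."""
    field = f'<input type="hidden" name="{HIDDEN_FIELD}" value="{decoy_value(site_salt)}">'
    html = re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + field, html)
    html = re.sub(r'href="(/[^"?#]*)"', rf'href="\g<1>?{DECOY_QUERY}=0"', html)
    return html

def classify_request(path, params, site_salt):
    """(trap, severity) if the request tripped a trap, else None."""
    if path in CONFIG_TRAPS:
        return ("server_config_probe", "high")      # answer 404 Not Found, flag the source
    if HIDDEN_FIELD in params and params[HIDDEN_FIELD] != decoy_value(site_salt):
        return ("hidden_field_tampered", "high")    # browsers never change this value
    if DECOY_QUERY in params and params[DECOY_QUERY] != "0":
        return ("query_param_tampered", "medium")   # injected as debug=0, edited by hand
    return None

# Constructed sample response from the application.
SAMPLE_HTML = '<form action="/login" method="post"></form><a href="/account">Account</a>'
```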

(14)

Fingerprint: analyzes environment and connection. Not site specific.

Persistent Token: persists in all browsers even with privacy controls enabled. Site specific.

(15)

Adaptive responses: Slow Connection, CAPTCHA, Force Logout, Strip Inputs, Feed Fake Data


(17)

FINGERPRINT OF AN ATTACKER

Attributes include: Browser version, Fonts, Browser add-ons, Timezone, IP Address

200+ attributes used to create the fingerprint.
Availability of fingerprints: ~ real time
False positives: nearly zero

(18)

JUNOS SPOTLIGHT SECURE: DETECT ANYWHERE, STOP EVERYWHERE

Junos Spotlight Secure: Global Attacker Intelligence Service

Example (figure): an attacker from San Francisco hits a Junos WebApp Secure protected site in the UK; the new attacker fingerprint is uploaded to Spotlight Secure, and other protected sites (India, Australia, Russia in the figure) can act on it.

(19)

JWAS + SPOTLIGHT TECHNOLOGY DETAILS

Diagram labels: App Server, Client, Network Perimeter, Database, Firewall

1st page requested -> Super Cookie inserted -> Finger Print Code delivered

(20)

HOW DOES IT WORK?

Actors (figure): Spotlight Secure, JWAS Customer A, JWAS Customer B, attacker Mary13


(22)

ATTACKER TRIPS A TAR TRAP

Diagram labels: App Server, Client, Network Perimeter, Database, Firewall; attacker Mary13

Tar traps: Server Configuration, Query String Parameters, Hidden Input Fields

(23)

UPDATING SPOTLIGHT

Actors (figure): Spotlight Secure, JWAS Customer A, JWAS Customer B, attacker Mary13

(24)

SPOTLIGHT UPDATE

Actors (figure): attacker Mary13, JWAS Customer A, JWAS Customer B

Global Name   Local Name   JWAS Device
Bob112        Mary13       4X12J8

(25)

SPOTLIGHT LOOKUP

Actors (figure): unknown attacker (?) seen as Joe196, JWAS Customer A, JWAS Customer B

Global Name   Local Name   JWAS Device
Bob112        Mary13       4X12J8

(26)

SPOTLIGHT MATCH

Actors (figure): unknown attacker (?) seen as Joe196, JWAS Customer A, JWAS Customer B

Global Name   Local Name   JWAS Device
Bob112        Mary13       4X12J8

(27)

DETECT ANYWHERE, ENFORCE EVERYWHERE

Actors (figure): attacker (?) seen as Joe196, JWAS Customer A, JWAS Customer B

Global Name   Local Name   JWAS Device
Bob112        Mary13       4X12J8
              Joe196       M391LT


(29)

SRX INTEGRATION: BLOCK HIGH-VOLUME ATTACKS AT THE FIREWALL

SRX Configuration:
• Enable netconf port 830
• Setup specific JWAS Filter
• Bind on interface
• Filter updated by JWAS

Web App Secure Configuration:
• Enter SRX information
• Activate SRX Counter Response (manual or automatic)
• Update SRX filter
• Periodically checks SRX filter

Flow (figure): Web Servers, WebApp Secure, SRX
1) Traffic from vulnerability scanner
2) WebApp Secure identifies attack
3) Send IP address to SRX for enforcement
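The two halves of this integration (the one-time SRX filter setup and the periodic check-and-update of the filter's prefix-list) as an added example that is not Juniper's code; the prefix-list, filter and interface names are assumptions, the Junos commands are rendered in `set` form, and the NETCONF transport over port 830 is left to a NETCONF client.

```python
"""JWAS -> SRX counter-response reduced to its configuration logic.  Added
example, not Juniper's implementation: the prefix-list, filter and interface
names are assumptions, and pushing the commands over NETCONF (port 830) is
left to a NETCONF client."""
import ipaddress
import re

PREFIX_LIST = "jwas-blocked"      # hypothetical names
FILTER_NAME = "jwas-filter"
INTERFACE = "ge-0/0/0 unit 0"

def bootstrap_commands():
    """One-time SRX setup from slide 29: NETCONF on 830, a filter that discards
    sources in the JWAS prefix-list, bound inbound on the Internet-facing interface."""
    f = f"set firewall family inet filter {FILTER_NAME}"
    return [
        "set system services netconf ssh port 830",
        f"{f} term jwas-block from source-prefix-list {PREFIX_LIST}",
        f"{f} term jwas-block then discard",
        f"{f} term allow-rest then accept",
        f"set interfaces {INTERFACE} family inet filter input {FILTER_NAME}",
    ]

def current_blocked(display_set_output):
    """Prefixes currently in the SRX prefix-list, parsed from
    'show configuration policy-options | display set' (the periodic check)."""
    pat = re.compile(rf"^set policy-options prefix-list {PREFIX_LIST} (\S+)$", re.M)
    return {ipaddress.ip_network(p) for p in pat.findall(display_set_output)}

def sync_commands(attacker_ips, display_set_output):
    """Commands that make the SRX prefix-list equal the set of attacker IPs
    JWAS wants enforced, sending only the delta (adds, then stale removals)."""
    desired = {ipaddress.ip_network(ip + "/32") for ip in attacker_ips}
    have = current_blocked(display_set_output)
    add = [f"set policy-options prefix-list {PREFIX_LIST} {p}" for p in sorted(desired - have)]
    drop = [f"delete policy-options prefix-list {PREFIX_LIST} {p}" for p in sorted(have - desired)]
    return add + drop

# Constructed snapshot of what the SRX currently holds.
SRX_SNAPSHOT = """\
set policy-options prefix-list jwas-blocked 198.51.100.7/32
set policy-options prefix-list jwas-blocked 203.0.113.9/32
"""
```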


(31)

JUNOS DDOS SECURE HIGHLIGHTS

Mature Product
• Webscreen acquisition (Feb 2013)
• 13 years of development
• $60B in revenue protected

Highly Differentiated
• Low-and-slow application attack protection
• High tech, low touch: fire-and-forget
• New attacks: protects before signatures exist

(32)

KEY CONCEPT: CHARM

CHARM: real-time risk score for each source IP, updated per packet.

Scale (figure): 0 to 100, initial value 50; the ends are labelled Human-like and Machine-like.

Simple example: real human traffic is typically bursty and irregular; machine/bot traffic is regular.

Algorithms updated regularly with characteristics of new attacks.

(33)

KEY CONCEPT: RESOURCE HEALTH

Resource health: real-time view of status for every discrete “thing” on the protected interface, based on stateful analysis of source and resource responsiveness.

Flow (figure): Internet Traffic -> DDoS Secure -> Resources

Example signals

L7:
• SIP/DNS/URL and SIP Response Time
• SIP/DNS/URL Rate, Pending counts
• HTTP Server Error Codes

L3-4:
• Backlog Queue (per resource, per port)
• TCP stats: SYN, SYN-ACK, CLS, RST, etc.

(34)

DDOS MITIGATION: CHARM AND RESOURCE HEALTH

Dynamically adjust CHARM threshold based on health (figure: CHARM required to access, plotted per resource for Resource 1, Resource 2, Resource 3, Resource ‘N’).

In this example, Resource 2’s response time starts to degrade and the CHARM pass threshold is increased to start the process of rate limiting the bad traffic. At this point the good traffic will continue to pass unhindered whilst the attackers will start to believe their attack has been successful as their requests fail.

The attack traffic to Resource 2 reduces as the attackers switch the attack to Resource 3. Once again, Junos DDoS Secure responds dynamically by increasing the pass threshold for Resource 3, limiting bad traffic.
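A toy version of the two mechanisms described above (a CHARM-style score from inter-arrival regularity, and a pass threshold that rises as a resource's health degrades), added here as an illustration and not Juniper's algorithm; the coefficient-of-variation rule, the "higher = human-like" orientation and every constant are assumptions.

```python
"""Toy CHARM-style scoring with a health-driven pass threshold.
Added illustration, not Juniper's algorithm: the coefficient-of-variation rule,
the orientation (higher = human-like) and every constant are assumptions."""
from statistics import mean, pstdev

INITIAL_SCORE = 50.0   # new sources start mid-scale (slide 32: initial = 50)

def charm_score(timestamps):
    """0..100 score for one source IP from its request timestamps.
    Metronomic inter-arrival gaps (bots) score low; bursty, irregular gaps
    (humans) score high.  Fewer than three requests keeps the initial score."""
    if len(timestamps) < 3:
        return INITIAL_SCORE
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    if m <= 0:
        return 0.0                      # simultaneous packets: treat as machine-like
    cv = pstdev(gaps) / m               # coefficient of variation of the gaps
    return max(0.0, min(100.0, 100.0 * cv))

def pass_threshold(baseline_rt_ms, current_rt_ms, max_threshold=95.0):
    """CHARM score a source must reach to be passed to a resource.  Zero while
    the resource is healthy; rises with response-time degradation (slide 34)."""
    degradation = max(0.0, current_rt_ms / baseline_rt_ms - 1.0)   # 0.0 = healthy
    return min(max_threshold, 50.0 * degradation)

def decide(timestamps, baseline_rt_ms, current_rt_ms):
    """'pass' or 'rate-limit' for one source against one resource."""
    threshold = pass_threshold(baseline_rt_ms, current_rt_ms)
    return "pass" if charm_score(timestamps) >= threshold else "rate-limit"

# Constructed samples: a bot polling every 0.5 s and a human's bursty clicks.
BOT_TIMES = [0.0, 0.5, 1.0, 1.5, 2.0, 2.5]
HUMAN_TIMES = [0.0, 0.3, 0.4, 5.2, 5.3, 12.0]

if __name__ == "__main__":
    for name, times in (("bot", BOT_TIMES), ("human", HUMAN_TIMES)):
        # healthy resource (100 ms vs 100 ms) and a degraded one (200 ms vs 100 ms)
        print(name, round(charm_score(times)),
              decide(times, 100, 100), decide(times, 100, 200))
```

While the resource is healthy both sources pass; once its response time doubles, only the bursty source clears the raised threshold, which is the behaviour the slide describes for Resource 2.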

(35)

Junos WebApp Secure: Intrusion Deception
Junos Spotlight Secure: Attacker Intelligence Service
Junos DDoS Secure: Volumetric and Low and Slow Protection
