
Juniper Networks

Intrusion Detection & Prevention

June 2006

Copyright 2006 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 1


Agenda
Security Market Climate
IPS & Security Market
Market Drivers
Juniper Networks IDP Product Overview
Complete Solution Security Team
Product Features
Product Offering
Management with Juniper Networks NSM
Summary



IPS and Security Market



Security Market
IPS technology is a mainstream part of network
security for companies of all sizes
Keeping up with new security threats and finding
integrated management systems remain key
concerns for security admins
Assuring business critical applications have
predictable quality of service over nonessential
apps like P2P and IM
Need Visibility, Control and Ease of Use



Worldwide IPS Market
Market focus on IPS technology exemplified by market forecast
Worldwide IDS/IPS revenue expected to top $800 Million by year 2009
Network-based products continue to account for more than 2/3 of total
revenue
[Chart: World Wide IDS/IPS Product Revenue. Y-axis: Revenue ($ Million); X-axis: Year, CY01 to CY09; series: Network-based, Host-based]
Source: Network Security Appliance and Software Quarterly Worldwide Market Share and Forecast for 1Q06



Customer Drivers



Fear of external network attack and internal noncompliance
External attacks remain the top reason for purchasing security appliances
Failure to block viruses, attacks or malware directly impacts end-users
A growing concern, meanwhile, is ensuring users on the network are doing what they're supposed to be doing
Quantifiable loss of productivity
Impact to revenue
Direct impact to end-users
Headaches to administrators
Unauthorized access to critical data



Firewall alone is not enough
Every organization is connected to the Internet
and deploys some form of firewall
Most enterprises realize a firewall alone is not
sufficient to block sophisticated attacks
Lifecycle of Vulnerabilities and Threats
[Timeline figure, stages labeled: Vulnerability Discovered, Advisory Issued, Exploit Released, Worm Released; caption: Getting Shorter]



Business compliance practices
Need to enforce business practices including
types and version of applications
Need to ensure non-business applications do
not hinder critical business applications



New Technology Adoption
Adoption of new technologies continues to
increase
Enterprises are not satisfied to wait until
security catches up
Convergence of networks opens up the
infrastructure to new attacks

New Technologies = New Risks



Not Only for Enterprise
Service Providers face similar security concerns as enterprise
Keeping ahead of new security threats considered highest technical challenge by SP

Source: Service Provider Plans for VPNs and Security North America, Europe, and Asia Pacific 2006



IDP Product Overview
Security Team



The Juniper Approach
Complete Solution
[Diagram labels: Service Provider Security Teams; Technology Vendor Relationships; Cooperative Security Research Relationships; Partner MSSP Intelligence; Internal Research; 3rd Party Security Teams; Customer Security Team; Worldwide Juniper Security Team; Daily Security Updates; Juniper Products; Juniper Customers]



The Basic Security Threat Landscape
Unknown Threats & Vulnerabilities
Known Threats but no known ways to protect
Known Threats with available protection



The Juniper Advantage
Superior protocol decoding and anomaly detection - the majority of the unknown
Dedicated teams researching protocols and standards
Provide breadth & depth of coverage
Give Security Experts better tools to deal with the unknown
[Diagram labels: Protocol Anomalies; Unknown Threats & Vulnerabilities]



Dedicated Security Team
Dedicated team to research vulnerabilities and emerging threats
Protocol decode expertise
Multiple research and vendor partnerships
Reverse engineering experts
Global honey pot network
Industry-leading response time
Daily and Emergency signature updates
Customer Accuracy Program
Team distributed globally
Emergency update within an hour
www.juniper.net/security



Real-world Example: Security Team's Response
Typical chain of events on recent Microsoft Super Tuesday

5/9/2006, 10:17 AM: Microsoft announces security bulletins MS06-018, MS06-019, MS06-20 and posts patches for the vulnerabilities
10:21 AM (+4 min): Juniper Networks announces coverage for vulnerabilities on all IDP platforms
11:50 AM (+1hr 33min): TippingPoint provides mixed messages on coverage
11:58 AM (+1hr 41min): ISS announces coverage only for MS06-019
End of Day: No announcements from Cisco or McAfee; Symantec announces coverage only for MS06-019



IDP Product Overview
Product Features



Thwart Attacks at Every Turn
Multiple Methods of Detection

Malicious Activities/Attacks: Recon, Attack, Proliferation
Detection methods: Traffic Anomaly Detection, Protocol Anomaly Detection, Network Honeypot, Stateful Signatures, Backdoor Detection, Synflood Protector, IP Spoof Detection, Layer-2 Attack Detection, Profiler, Security Explorer



Traffic Anomaly Detection
Method of identifying abnormal traffic usage
No protocol anomalies or specific attack patterns but unusual traffic usage/volume

Example: Ping Sweep
Scan the network to identify resources for possible attack in the future - reconnaissance
Ping sweep from external/suspicious source should alert administrator
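
The ping-sweep case above, as an added example (not Juniper code): a sliding-window detector that counts how many distinct hosts each source has pinged recently and records whether the source is outside the protected network. The record format, the 10.0.0.0/8 protected range, the window and the threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict, deque

PROTECTED_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space

# Constructed ICMP echo-request records: (timestamp_seconds, source, destination).
SAMPLE_ECHO_REQUESTS = (
    # external host probing one new address per second
    [(t, "198.51.100.7", f"10.0.0.{t + 1}") for t in range(30)]
    # internal monitor pinging the same three servers every 5 s
    + [(t, "10.0.0.50", d) for t in range(0, 60, 5)
       for d in ("10.0.0.1", "10.0.0.2", "10.0.0.3")]
    # internal inventory poller touching one new host per minute
    + [(t * 60, "10.0.0.60", f"10.0.1.{t + 1}") for t in range(12)]
)


def detect_ping_sweeps(events, window=10, threshold=10):
    """Flag sources that ping >= threshold distinct hosts within window seconds.

    Returns {source: {"time": first_alert_time, "external": bool}}.
    """
    recent = defaultdict(deque)                        # source -> (ts, dst) in window
    in_window = defaultdict(lambda: defaultdict(int))  # source -> dst -> hit count
    alerts = {}
    for ts, src, dst in sorted(events):
        queue, seen = recent[src], in_window[src]
        queue.append((ts, dst))
        seen[dst] += 1
        # Expire records that have slid out of the time window.
        while ts - queue[0][0] > window:
            _, old_dst = queue.popleft()
            seen[old_dst] -= 1
            if seen[old_dst] == 0:
                del seen[old_dst]
        if len(seen) >= threshold and src not in alerts:
            external = ipaddress.ip_address(src) not in PROTECTED_NET
            alerts[src] = {"time": ts, "external": external}
    return alerts


if __name__ == "__main__":
    for src, info in detect_ping_sweeps(SAMPLE_ECHO_REQUESTS).items():
        origin = "external" if info["external"] else "internal"
        print(f"ALERT ping sweep from {origin} source {src} at t={info['time']}s")
```

Lowering the threshold to 3 also flags the internal monitor, which is why the distinct-host threshold and the external/internal distinction both matter when tuning this kind of rule.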



Protocol Anomaly Detection
Protocols are well defined, allowing accurate description of normal usage
Abuse or abnormal use of the protocol is detected by the IDP appliances

Example: FTP Bounce Attack
FTP Client (x.x.x.A) to FTP Server: "Please open FTP connection"
FTP Client (x.x.x.A) to FTP Server: "Please connect to x.x.x.B" (so unauthorized client can receive data)
IDP: x.x.x.B is not the authorized client machine
Possible abuse of FTP protocol
Request denied!!!
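
The FTP bounce check above, as an added example (not Juniper code): decode the PORT/EPRT commands on an FTP control channel and deny any whose data address differs from the client that owns the control connection. It goes slightly beyond the slide by also denying reserved data ports (the RFC 2577 recommendation) and malformed commands; the function names and the session lines are constructed for illustration.

```python
import ipaddress
import re

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+(.)[12]\1(.+?)\1(\d+)\1$", re.I)

CLIENT_A = "192.0.2.10"  # stands in for x.x.x.A; 192.0.2.99 stands in for x.x.x.B
# Constructed control-channel commands sent by CLIENT_A.
SAMPLE_SESSION = [
    "USER alice",
    "PASS <redacted>",
    "PORT 192,0,2,10,195,80",    # own address, port 50000: normal active mode
    "LIST",
    "PORT 192,0,2,99,23,112",    # third-party address, port 6000
    "EPRT |1|192.0.2.99|6000|",  # same request in extended form
    "PORT 192,0,2,10,0,22",      # own address but reserved port
    "PORT 192,0,2,999,1,1",      # not a valid address
]


def data_endpoint(command):
    """Return (ip, port) requested by PORT/EPRT, or None for other commands.

    Raises ValueError when a PORT/EPRT command does not parse cleanly.
    """
    if not command.upper().startswith(("PORT", "EPRT")):
        return None
    m = PORT_RE.match(command)
    if m:
        nums = [int(g) for g in m.groups()]
        if max(nums) > 255:
            raise ValueError("field out of range")
        ip = ipaddress.ip_address(".".join(map(str, nums[:4])))
        return ip, nums[4] * 256 + nums[5]
    m = EPRT_RE.match(command)
    if m and int(m.group(3)) <= 65535:
        return ipaddress.ip_address(m.group(2)), int(m.group(3))
    raise ValueError("malformed data-port command")


def inspect_control_channel(client_ip, commands):
    """Return [(line_number, verdict)] for commands an inline device would deny."""
    client = ipaddress.ip_address(client_ip)
    denied = []
    for n, raw in enumerate(commands, 1):
        try:
            endpoint = data_endpoint(raw.strip())
        except ValueError:
            denied.append((n, "malformed"))
            continue
        if endpoint is None:
            continue
        ip, port = endpoint
        if ip != client:
            denied.append((n, "bounce"))         # data address is a third party
        elif port < 1024:
            denied.append((n, "reserved-port"))  # RFC 2577 recommendation
    return denied


if __name__ == "__main__":
    for line_no, verdict in inspect_control_channel(CLIENT_A, SAMPLE_SESSION):
        print(f"line {line_no}: request denied ({verdict})")
```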



Stateful Signatures
Look for attacks in context
Avoid blindly scanning all traffic for a particular
pattern
Improve efficiency
Reduce false-positives
Example: Code Red Worm
Utilizes HTTP GET request for attack
IDP appliance only scans for the specific request and
not any other HTTP traffic
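
The context point above, as an added example (not a Juniper attack object): the same pattern applied blindly to every payload versus only to the request-URI of a client-to-server HTTP GET. The URL pattern is an illustrative stand-in for a Code Red signature, each sample is assumed to be the already-reassembled first message of a flow, and all samples are constructed.

```python
import re

# Illustrative signature: context "HTTP GET request-URI" plus a URL pattern.
URL_PATTERN = re.compile(rb"^/default\.ida\?N{20,}")
# The same indicator used without context, matched anywhere in any payload.
BLIND_PATTERN = re.compile(rb"default\.ida\?")

# Constructed samples: (name, direction, payload); c2s = client to server.
SAMPLES = [
    ("worm request", "c2s",
     b"GET /default.ida?" + b"N" * 40 + b" HTTP/1.0\r\n\r\n"),
    ("forum post", "c2s",
     b"POST /forum HTTP/1.1\r\nHost: example.test\r\n\r\nlogs show default.ida? hits"),
    ("advisory page", "s2c",
     b"HTTP/1.1 200 OK\r\n\r\n<p>Requests for /default.ida?NNNN...</p>"),
    ("referer header", "c2s",
     b"GET /search?q=x HTTP/1.1\r\nReferer: http://example.test/default.ida?\r\n\r\n"),
    ("normal GET", "c2s",
     b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]


def http_get_url(direction, payload):
    """Return the request-URI if payload is a client-to-server HTTP GET, else None."""
    if direction != "c2s":
        return None
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0] == b"GET" and parts[2].startswith(b"HTTP/"):
        return parts[1]
    return None


def blind_match(direction, payload):
    """Pattern search over the whole payload, ignoring protocol context."""
    return BLIND_PATTERN.search(payload) is not None


def stateful_match(direction, payload):
    """Pattern search restricted to the GET request-URI context."""
    url = http_get_url(direction, payload)
    return url is not None and URL_PATTERN.search(url) is not None


def compare(samples):
    """Return [(name, blind_hit, contextual_hit)] for each sample."""
    return [(n, blind_match(d, p), stateful_match(d, p)) for n, d, p in samples]


if __name__ == "__main__":
    for name, blind, contextual in compare(SAMPLES):
        print(f"{name:15} blind={blind!s:5} contextual={contextual}")
```

The blind scan fires on four of the five samples, three of them false positives; the contextual match fires only on the GET request itself.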



Backdoor Detection/Trojan
Well-known Trojan horse concept
Challenge is to identify the attack when the
first line of defense has been overcome
Heuristic method of analyzing interactive
traffic
Example: Traffic originating from web server
Web servers typically respond to requests for
information, not initiate one
A sign of infected server/node



Features Addressing Customer Challenges

"How can I easily find out what's really running on my network?"
"I don't want to block non-business apps but how else can I control it?"
"How can I uncover new network activities?"
"Wireless is great but how can I secure it?"
"How can I make sure new technologies don't translate to new threats?"



Security Explorer
Interactive and dynamic touchgraph providing comprehensive network and application layer views
Integrated with Log Viewer and Profiler
Identifies what's running on a network host
Uncovers attacks, peer IP addresses, open ports, available applications and operating systems
NEW - IDP 4.0



Enhanced Profiler
Uncovers new activities and traffic
information across network and
application levels
Identifies new protocols,
applications and operating systems
Alerts on rogue hosts, servers or IP
addresses
Detect unwanted applications like P2P
and IM
Records information on active
hosts, devices, protocols and
services in various contexts
Instant Messaging alias, FTP username,
e-mail address, subject heading, etc

NEW - NSM 2006.1



Diffserv (DSCP) Marking
Controls bandwidth allocation based on specific
types of application
Marks packets that match an IDP signature
Allows upstream router to enforce on markings
(value 1-63) to assure quality of service on
critical applications or appropriate response to
nonessential apps
Available as an action per IDP rule for full
granular control
NEW - IDP 4.0



Securing VoIP Applications
New Protocol Decode: H.225
Assures that the VoIP signaling and control
protocol cannot be used as a source of network
attacks or abuse
Protocol decode capability protects underlying
vulnerability of protocol
Allows creation of custom attack objects with
contexts
VoIP protection on top of existing SIP protocol
support
Proactively prevent future exploits
NEW - IDP 4.0



Securing Database Applications
New Protocol Decode: Oracle TNS
Protects database applications from an
increasing number of exploits and buffer
overflows in the internal network
Blocks unauthorized users from Oracle servers
Protects the underlying vulnerability of Oracle
TNS protocol
Prevents future threats at day zero

NEW - IDP 4.0



Securing Mobile Data Networks
New Inspection Capability: GTP Encapsulated Traffic
Protects inherently unsecured traffic
Supports UDP tunnel packets per GTPv0 and GTPv1
Ensures users on cellular network aren't
exposing the entire network to possible attacks
Carrier protection on top of existing inspection
for GRE encapsulated traffic

NEW - IDP 4.0



Only from Juniper Networks!

Coordinated Threat Control
Identify specific attacks originating from remote user via SSL VPN and quarantine the user (and only the offending user)

1. User logs in using SSL VPN & deliberate or inadvertent attacks are launched
2. IDP detects the attack and blocks requests to the internal resources
3. IDP sends identifying data to SA SSL VPN gateway
4. Based on data from IDP, SA quarantines and notifies the user

[Diagram labels: Infected, Attack, Identifying Data, Quarantine]
Available IDP 3.2r2



IDP Product Overview
Product Offering



IDP Product Overview - Timeline
[Timeline figure with year markers 2002, 2004, 2005, 2006; milestones shown:]
IDP platform introduced
Integrated Stateful Signature creation and updates
Protocol decodes
Secure response notices
First to introduce daily signature updates
Consolidated security management solution
Introduction of fully integrated multi-gigabit FW/VPN/IDP system (ISG 1000 and 2000)
First and only IPS integrating Profiler for best-in-class network awareness
First to introduce Integrated Threat Control for SSL and IDP appliances
Next generation of network visibility and control



Typical IPS Deployment
[Diagram labels: Regional Head Office, Satellite Office, Main Office, NSM]



IDP Product Line
[Diagram: products positioned by deployment segment]
Segment labels: Service Provider; Large Enterprise Perimeter; Enterprise Perimeter; Internal LAN; Med Bus; Large BO; SMB; Branch Office
Products: ISG 1000/2000; IDP 1100 @ 1 Gbps; IDP 600 @ 500Mbps; IDP 200 @ 200Mbps; IDP 50 @ 50Mbps



IDP Standalone 1100 C/F
Optimal for large enterprise / Gig environments
Up to 1 Gbps throughput
500,000 max sessions
10 CG or 8 Fiber SX + 2 CG traffic, 1 CG mgmt & 1 CG HA ports
HA clustering option
Integrated bypass for CG traffic ports
[Images: IDP 1100C, IDP 1100F]



High Availability Options
Bypass; Third-party HA; Standalone HA
Bypass Unit for Fiber Gig networks
- IDP 600F
- IDP 1100F
- ISG
[Diagram label: state-sync]



Solutions for Every Need

Juniper IDP Standalone Appliances
50 Mbps - 1 Gbps
HA Clustering
Centralized policy management
Complement existing FW/VPN
Protect network segments
DMZ
LAN
Departmental servers

Juniper ISG Series
Next-Gen Security ASIC (GigaScreen)
Multi-Gigabit FW/VPN/IDP
Centralized policy management
High performance for demanding networks
Virtualization features
Granular rule-by-rule management



ISG Under the hood
Integrated Best-of-breed Security &
Networking gear
Multi-Gig 2-way Layer 7 IDP Security Modules
Module blades available for ISG-1000 and
ISG-2000



ISG Series Architecture

Management Processing
Dedicated processing helps ensure linear performance
High performance interconnect & flow setup
Dual 1GHz PowerPC CPU, 1GB RAM

Security Module Processing
Dedicated processing for other security applications

Network Level Security Processing
GigaScreen3 ASIC, 1GB RAM, Programmable Processors
ASIC-accelerated security
Stateful FW, NAT, VPN, DoS/DDoS
Intelligent Intrusion Prevention session load balancing
Embedded programmable processor facilitates new feature acceleration

[Diagram labels: Security modules; I/O (x4)]
Unmatched processing power!



ISG Series Summary: ISG 1000 and ISG 2000

                                              ISG 1000           ISG 2000
Max Throughput: Firewall                      1 Gbps             2 Gbps
Max Throughput: IPSec VPN (3DES/AES)          1 Gbps             1 Gbps
Packets per second: FW/VPN                    1.5/1.5 Million    3/1.5 Million
Max sessions                                  500,000            1,000,000
VPN tunnels                                   2000               10000
Max Throughput: Deep Inspection               200 Mbps           300 Mbps
Max Throughput: IDP                           Up to 1 Gbps       Up to 2 Gbps
Number of supported security modules (IDP)    Up to 2            Up to 3
Number of fixed I/O interfaces                4 10/100/1000      0
Max interfaces                                Up to 20           Up to 28
Number of I/O modules                         2                  4



Product Details

Juniper Firewall/VPN, with ScreenOS Deep Inspection
Hardware: NS-5XT, NS-5GT, NS-25, NS-50, NS-204, NS-208, NS-500, ISG 1000, ISG 2000, NS-5200, NS-5400
Software: ScreenOS 5.0, 5.1, 5.2
Management: NSM

Juniper Stand-alone IDP
Hardware: IDP 50, IDP 200, IDP 600C, IDP 600F, IDP 1100C, IDP 1100F
Software: IDP 4.0
Management: NSM 2006.1

Juniper ISG Series with IDP
Hardware: ISG 2000 with IDP, ISG 1000 with IDP
Software: ScreenOS 5.0-IDP
Management: NSM 2004 FP3-IDP1



Management



3-Tier Management - Secure and Scalable
[Diagram labels: Common User Interface; Centralized NSM Server; Distributed IDP Sensors; Distributed ISG with IDP]
Standalone IDP appliances require IDP 4.0 for NSM support



Customers with a Hybrid Network
Business Challenges
What is on my network?
Who is on my network?
Product Challenges
Complex network environments
Multi-vendor FW and IPS systems
Multiple Management Systems
[Diagram: Regional Head Office, Satellite Office and Main Office, each with separate FW Mgmt and IPS Mgmt]



Juniper Networks Customers
Juniper Offering
Juniper Networks IDPs & Firewalls
Single Management System
Single User Interface
Business Benefits
Enhanced Network Visibility
Granular Control
Ease of Use
[Diagram labels: Regional Head Office, Satellite Office, Main Office, NSM]



NSM Management Features (NEW - NSM 2006.1)

Scheduled Security Updates: Automatically update devices with new attack objects.
Domains: Service providers and distributed enterprises may use this mechanism to logically separate devices, policies, reports, objects, etc.
Role-based Administration: Granular approach in which all 100+ activities in the system may be assigned as separate permissions.
Object Locking: Multiple administrators can safely and concurrently modify different objects in the system at the same time.
Audit Logs: Sortable and filterable record of who made which changes to which objects in the system.
Device Templates: Manage shared configuration such as sensor settings in one place.
Job Manager: View pending and completed directives (such as device updates) and their status.
High Availability: Active/passive high availability of the management server.
Scheduled Database Backups: Copies of the NSM database may be saved on a daily basis.



Granular IDP Control w/NSM
Firewall and IDP management from same user interface

Configure desired response Configure attack detection



Summary



Why Juniper Networks IDP products?
Security Coverage
Product Innovation
Trusted Company
Market Recognition



Security Coverage
Multiple prevention methods for protection against entire
'Vulnerability & Attack Lifecycle'
Complete packet capture and protocol decode @ Layer 7, including
VoIP protocols
2-way Layer 7 inspection: blocks attacks from client-to-server and
server-to-client
100% prevention and accuracy for Shellcode/buffer overflow
attacks
100% prevention in protecting against Microsoft Vulnerabilities:
Same day & Zero protection on Patch Tuesdays
Comprehensive Spyware protection, including 700+ signatures and
growing daily
Daily signature updates, including auto signature updates and auto
policy push



Product Innovation
Next generation of network visibility w/ Security Explorer
Granular, Flexible Management solution for all Juniper Networks
security appliances
Automatic custom reports
Multi Gigabit Performance
Multiple Deployment Options
Profile the network to understand applications and network
traffic
Carrier Class IDP: Multi-Gbps combined with SDX / JNPR Router
integration
Custom Signature Editor / Open Signatures Database



Trusted Company
Financial Strength / $2 Billion in Revenue /
Profitable / Cash Reserves
Investment in R&D: 25% - 30% of revenue
Product Roadmap: IDP plays a key role in
Juniper's Infranet solution
Global Support & Relationships



Market Recognition
Most decorated IPS product in 2005
Winner: Editor's Choice, Network Computing: The Great IPS Test
Winner: Best Multifunction Appliance, Network Computing (Well-Connected)
Winner: Best IPS Appliance, Network Computing (Well-Connected)
Winner: Product of the Year, SearchNetworking.com
Winner: Product of the Year, IDG Research / TechWorld
Winner: Best Deployment Scenario, ISP Guide: City of Burbank, Juniper IDP Customer
Awarded NSS Certification for Industry Approved IPS: IDP 600F
Winner: Product of the Year, ISG 1000 - ZDnet Australia
Winner: Editor's Choice, IDP 200 - ZDnet Australia



Thank You!
