
Securing Networks with Juniper Networks

Juniper Security Features


Jean-Marc Uz
Liaison Research, Education and Government Networks and Institutions, EMEA
juze@juniper.net

TF-CSIRT Meeting, 26/09/02

Agenda

- Introduction
- Juniper Networks Routers Architecture
- Router Protection
- Encryption of Traffic
- Source Address Verification
- Real-time Traffic Analysis
- I/O Filters and Rate Limiting
- Summary

Cyber Attacks Increasing

- Frequency
  - Over 4,000 Distributed DoS attacks a week
- Sophistication
  - Distributed DoS attacks hard to detect & stop
  - Network elements recently targeted
- Impact
  - Yahoo, eBay, Microsoft make headlines
  - Cloud 9 (UK) ISP out of business

[Chart: attack sophistication over time, 1994 to 2000, moving from host based attacks, through network based attacks, to attacks that target the network itself: IP Spoofing, Packet Sniffers, Email Script Attacks, Denial of Service Attacks, Automated Scanning Tools, Distributed Denial of Service Attacks, Self Propagating Automated Distributed Attacks. Source: Published CERT figures]

Juniper Networks, Inc. Copyright 2002

Today's Security Compromises

[Chart: performance against time during an attack; performance drops below the SLA target when the attack starts and recovers only after tracing and blocking, when the attack ends]

- Partial
  - Enable security at specific points on the network
  - As platforms, interfaces or software allow
  - Does not provide reliable security
- Reactive
  - Security enabled after attack is detected
  - High operational effort
  - Performance SLAs affected

Security Without Compromise

- Ubiquitous
  - Juniper Networks: Single Image, Security on All Interfaces
- Continuous
  - Juniper Networks: Low impact: turn it on, leave it on
- Economical
  - Juniper Networks: Included in the basic platform
- Proven
  - Juniper Networks: Shipping since 2000 and in use in production networks around the world

Lets You, Rather Than Your Equipment, Dictate Your Network Security Policy.

Protecting and Enabling Revenues

- Customer Retention
  - Increased customer satisfaction
  - Match competitive security service offerings
- New Services
  - Lawful Intercept
  - Intrusion Detection Services
  - High Speed Encrypted VPNs
  - Attack Resistant Web Hosting
  - Denial of Service Protection/Control
  - Spoofing Protection

JUNOS Security Related Features

[Timeline: JUNOS 3.x (1998), JUNOS 4.x (1999), JUNOS 5.x (2001). Features placed along it: H/W Based Packet Filtering, Individual Command Authorization, Traffic Policing, Firewall Syslogs/MIB, H/W Based Router Protection, User Administration (TACACS+/RADIUS), Protocol Authentication, Port-Mirroring, IPSEC Encryption (Control and Transit traffic), Unicast RPF, RADIUS Support for PPP/CHAP, SNMPv3]

Juniper Security Features at a Glance

Examples of Available Safeguards

                 Infrastructure Protection                Customer Protection
  Prevention     1. Hardware based router protection      3. IPSEC encryption of customer traffic
                 2. IPSEC encryption of control traffic   4. Source address verification
  Detection                                               5. Real time traffic analysis (port mirroring)
                                                             for Lawful Intercept, IDS
                                                          6. Real-time DDoS attack identification
  Suppression    7. I/O filters to block attack flows
                 8. Rate limiting
                 9. Hitless filter implementation


System Architecture

[Diagram: the Routing Engine, running JUNOS Internet Software, builds the forwarding table and pushes updates to the Packet Forwarding Engine (Internet Processor II, switch fabric, I/O cards)]

- Routing Engine
  - Maintains routing table and constructs forwarding table using knowledge of the network
- Packet Forwarding Engine
  - Receives packet forwarding table from Routing Engine
  - Copies packets from an input interface to an output interface
  - Conducts incremental table updates without forwarding interruption

IP II ASIC Overview

- Internet Processor II
  - Leverages proven, predictable ASIC forwarding technology of Internet Processor
  - Provides breakthrough technology to support performance-based, enhanced services
    - Security and bandwidth control (i.e. filtering) at speed
    - Visibility into network operations at speed
  - Delivers performance WITH services
  - Supported on all interfaces

Filtering

- IP-II enables significant filter functionality with applications to network management
  - Security
  - Monitoring
  - Accounting

Filter specification (multiple terms may be specified), in JUNOS firewall filter syntax:

    firewall {
        filter my-filter {
            term 10 {
                from {
                    protocol tcp;
                    source-address 128.100.1.0/24;
                    /* matches either the source or the destination port */
                    port [ smtp ftp-data 666 1024-1536 ];
                }
                then {
                    reject tcp-reset;
                }
            }
        }
    }

All packets handled by the router are matched against the IP and TCP/UDP headers:

    IP:  Ver | IHL | ToS | Total Len | ID | Fragmentation | TTL | Proto | Hdr Checksum | Source Address | Destination Address
    TCP: Source Port | Dest Port | Sequence Number | Acknowledgement Number | Offset | Flags | Window | Checksum | Urgent Pointer

Filters can act on the highlighted fields of these headers, as well as on the incoming interface identifier and the presence of IP options.

Filter terms are compiled into microcode, the IP-II packet handling program; filters and route lookup are part of the same program.

Actions:
- Action modifiers: Log, Syslog, Count, Sample, Forwarding-class, Loss-priority, Policer
- Terminating actions: Forward, Silent Discard, TCP Reset or ICMP Unreachable, Routing Instance

JUNOS Internet Software

[Diagram: software modules above a common Operating System: Interface Mgmt, Protocols, Security, Chassis Mgmt, SNMP]

- Purpose built for Internet scale
- Modular design for high reliability
- Best-in-class routing protocol implementations
- Foundation for new services with MPLS traffic engineering
- Common software across entire product line leverages stability, interoperability, and a wide range of features

Traffic Framework

- Management, Control and Data planes
- Source, Destination and Type
- Traffic classes: Router Management, Routing Control, ICMP Notification, User Data

Tools: Prevent, Detect, Control Traffic

- Route Control
  - Import filters
  - Export filters
  - Mark
  - Limit
    - Announcements
    - Prefixes
- Traffic Control
  - Forward
  - Redirect
  - Monitor
  - Sample
  - Count
  - Log
  - Mark
  - Limit
  - Discard


JUNOS Default to Secure

- Does not forward directed broadcasts
- Remote management access to the router is disabled. It must be explicitly enabled
  - telnet, ftp, ssh
- No SNMP set support for editing configuration data
- Default Martian addresses

Communicating with the Router

- Secure Shell
  - SSH v1 / v2
  - Supports a connection limit and a rate limit, to protect the ssh port against connection-flood (SYN flood) DoS attacks
  - OpenSSH 3.0.2 since JUNOS 5.4
- Secure Copy Protocol (SCP)
  - Uses the ssh encryption and authentication infrastructure to securely copy files between hosts
- Central Authentication
  - TACACS+ / RADIUS
  - User classes with specific privileges
- File Records and Command Events
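The settings on this slide written out as a JUNOS [edit system] configuration. This is an added example, not taken from the deck: the server address, shared secret, class and user names are placeholders, and the protocol-version, connection-limit and rate-limit keywords follow later JUNOS releases, so check them against your own release. SSH is limited to protocol version 2 (the v1 protocol has known weaknesses), root cannot log in over the network, telnet and ftp stay disabled, operators are authenticated and accounted through TACACS+ with a local password fallback, and a restricted login class gives NOC staff read-only access plus the ability to clear firewall counters.

```junos
system {
    services {
        ssh {
            protocol-version v2;     /* add v1 only if a client really needs it */
            root-login deny;         /* operators log in as themselves */
            connection-limit 10;     /* concurrent SSH sessions */
            rate-limit 4;            /* new connection attempts per minute */
        }
        /* telnet and ftp are left disabled (the JUNOS default) */
    }
    /* try TACACS+ first; local passwords are the fallback */
    authentication-order [ tacplus password ];
    tacplus-server {
        10.10.10.5 {                 /* placeholder address */
            secret "<shared-secret>"; /* placeholder */
            timeout 5;
        }
    }
    /* send login, configuration-change and command events to the TACACS+ server */
    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus {
                server {
                    10.10.10.5 {
                        secret "<shared-secret>";
                    }
                }
            }
        }
    }
    login {
        class noc-operator {
            idle-timeout 15;
            permissions [ view view-configuration firewall ];
            allow-commands "(show|monitor|clear firewall)";
            deny-commands "(request system|restart)";
        }
        /* template user: TACACS+ maps remote operators onto this local class */
        user remote {
            uid 2001;
            class noc-operator;
        }
    }
    syslog {
        /* local record of every command typed and of configuration changes */
        file interactive-commands {
            interactive-commands any;
        }
        file messages {
            any notice;
            authorization info;
        }
    }
}
```

Keep one local user in a class with `permissions all` (not shown) so the router stays manageable when every TACACS+ server is unreachable, and give that account a strong password, since it is what an attacker with a copy of the configuration will go after.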

Hardware-Based Router Protection

- The router's control plane is complex and intelligent
  - Needs to be CPU based
  - Protocols need processing power for fast updates and to minimize convergence time
- Attacks launched at routers include sending:
  - Forged routing packets (BGP, OSPF, RIP, etc.)
  - Bogus management traffic (ICMP, SNMP, SSH, etc.)
- An attacker can easily launch high speed attacks
  - Rates in excess of 40M/second
  - CPU based filtering unable to keep up
  - Attacks consume CPU resources needed for control traffic
  - Danger of protocol time-outs, leading to network instabilities

Hardware Based Router Protection

- Hardware based filtering advantages
  - Hardware drops attack (untrusted) traffic
  - CPU free to process trusted control traffic
- One filter applied to the loopback
  - Protects the router and all interfaces
  - Provides ease of management
  - No need to configure additional filters when adding new interfaces

Hardware Based Router Protection

- Define trusted source addresses
- Define protocols and ports that need to communicate
- Accept desired traffic and discard everything else
- One filter applied to the loopback interface protects the router and all interfaces

    firewall {
        filter protect-RE {
            /* replies to sessions the router opened itself (ACK or RST set);
               note this only checks flag bits, it does not authenticate the source */
            term established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* TCP/UDP services from the trusted management and peer networks */
            term trusted-traffic {
                from {
                    source-address {
                        10.10.10.0/24;
                        10.10.11.0/24;
                        10.10.12.0/24;
                        10.10.17.0/24;
                        10.10.18.0/24;
                    }
                    protocol [ tcp udp ];
                    destination-port [ bgp domain ftp ftp-data snmp ssh ntp ];
                }
                then accept;
            }
            /* ICMP and OSPF carry no port field, so they need their own term:
               a destination-port match would not match them and they would
               fall through to the default discard */
            term trusted-icmp-ospf {
                from {
                    source-address {
                        10.10.10.0/24;
                        10.10.11.0/24;
                        10.10.12.0/24;
                        10.10.17.0/24;
                        10.10.18.0/24;
                    }
                    protocol [ icmp ospf ];
                }
                then accept;
            }
            /* everything else addressed to the router is logged and dropped */
            term default {
                then {
                    log;
                    discard;
                }
            }
        }
    }
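Applying the filter, as an added example that is not on the slide (the loopback address is a placeholder): the filter goes on lo0 in the input direction only, and because a loopback filter that is one term wrong locks you out of your own SSH session, it should be committed with `commit confirmed`.

```junos
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    /* input only: packets addressed to the Routing Engine,
                       whichever physical interface they arrived on */
                    input protect-RE;
                }
                address 10.10.10.1/32;   /* router's loopback address, placeholder */
            }
        }
    }
}
```

Commit with `commit confirmed 5`: the change is rolled back automatically after five minutes unless a plain `commit` follows, so a filter that drops your own session undoes itself. Add a `count` action to each term and read the counters with `show firewall filter protect-RE`; `show firewall log` shows what the default term discarded. The `log` action only writes to a small in-memory buffer, so add `syslog` to that term if the records must be kept.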


IPSec Encryption of Control Traffic

- Encrypt control traffic between routers
- Encryption uses ESP in Transport Mode
- ESP provides secure communication for critical control/routing traffic
- Protects from attacks against the control plane
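A transport-mode ESP security association protecting one BGP session, as an added example that is not from the deck. Addresses, SA name, SPI and keys are placeholders; the keys must be random and of the length the algorithm requires (20 bytes for hmac-sha1-96, 24 bytes for 3des-cbc). Manual keying is shown because it has no dependency on IKE; use dynamic keying where your release supports it for Routing Engine traffic.

```junos
security {
    ipsec {
        /* one bidirectional, manually keyed SA for the BGP session to 10.0.0.2 */
        security-association sa-bgp-peer {
            mode transport;          /* transport mode: the TCP segment is protected, the IP header stays */
            manual {
                direction bidirectional {
                    protocol esp;
                    spi 256;         /* must match the peer's configuration */
                    authentication {
                        algorithm hmac-sha1-96;
                        key ascii-text "<20-byte-auth-key>";   /* placeholder */
                    }
                    encryption {
                        algorithm 3des-cbc;
                        key ascii-text "<24-byte-enc-key>";    /* placeholder */
                    }
                }
            }
        }
    }
}
protocols {
    bgp {
        group ibgp-core {
            type internal;
            local-address 10.0.0.1;
            neighbor 10.0.0.2 {
                /* every BGP packet to and from this peer must carry a valid ESP header;
                   forged BGP packets without one are dropped before BGP ever sees them */
                ipsec-sa sa-bgp-peer;
            }
        }
    }
}
```

With manual SAs the keys sit in the configuration of both routers and never change on their own, so treat the configuration file as a secret and rotate the keys on a schedule. Both routers must use the same SPI, algorithms and keys, and the change has to be made on both sides within the BGP hold time or the session drops.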

IPSec Encryption of Customer Traffic

- Encryption Services PIC provides capabilities to other interfaces on the router for encryption and key exchange (IKE)
- Provides high-bandwidth encryption for transit traffic at 800 Mbps (half-duplex)
- Applied via the Packet Forwarding Engine
  - Offloads the encryption and decryption tasks from the Routing Engine processor
- Delivers private and secure communication of mission-critical customer traffic
- Provides up to 1,000 tunnels per PIC
- Can scale using multiple PICs

IPSec Encryption of Customer Traffic

- Crypto PIC highlights:
  - Tunnel/Transport Mode
    - Tunnel mode for data traffic
  - Authentication Algorithms
    - MD5
    - SHA-1
  - Encryption Algorithms
    - DES (56-bit key, not adequate for protecting customer traffic; prefer 3-DES)
    - 3-DES
  - IKE Features
    - Support for automated key management using Diffie-Hellman key establishment
    - Main/Aggressive mode supported for IKE SA setup
    - Quick Mode supported for IPSec SA setup


Source Address Verification

- Why it is needed:
  - IP address spoofing is a technique used in DoS attacks
  - Attacker pretends to be someone else
  - Makes it difficult to trace back the attacks
  - Common operating systems let users spoof the machine's IP address (UNIX, LINUX, Windows XP)
- How it is done:
  - Route table look-up performed on the IP source address
  - Router determines if traffic is arriving on the expected path
    - If it is, the traffic is accepted and the normal destination based look-up is performed
    - If traffic is not arriving on the expected path, it is dropped

Source Address Verification

- Juniper Solution
  - uRPF can be configured per interface/sub-interface
  - Supports both IPv4 and IPv6
  - Packet/byte counters for traffic failing the uRPF check
  - Additional filtering available for traffic failing the check:
    - police/reject
    - Can syslog the rejected traffic for later analysis
  - Two modes available:
    - Active-paths: uRPF only considers the best path toward a particular destination
    - Feasible-paths: uRPF considers all the feasible paths. This is used where routing is asymmetrical.

Source Address Verification

[Diagram: the Data Center prefix 10.10.10.0/24 is reached through so-1/0/0.0 (route: 10.10.10.0/24 *[BGP/170] > via so-1/0/0.0). An attack arriving on so-0/0/0.0 from the 11.11.11.0/24 side with source address 10.10.10.1 fails the uRPF check, because the best path back to 10.10.10.1 is not through so-0/0/0.0, and is dropped]
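The check of the diagram configured on the interface where the spoofed traffic arrives, as an added example that is not from the deck. The interface address and filter name are placeholders, and the rpf-check fail-filter keyword follows later JUNOS releases, so check it against your own. The mode is a per-router setting; active-paths is the default and is what the diagram shows.

```junos
routing-options {
    forwarding-table {
        /* active-paths: a packet passes only if its source is reachable through the
           interface it came in on via the best route; feasible-paths also accepts
           any other valid next hop and is the choice where routing is asymmetric */
        unicast-reverse-path active-paths;
    }
}
interfaces {
    /* customer-facing interface on which the attack of the diagram arrives */
    so-0/0/0 {
        unit 0 {
            family inet {
                rpf-check {
                    fail-filter urpf-fail;   /* optional: what to do with failing packets */
                }
                address 11.11.11.1/30;       /* placeholder */
            }
            family inet6 {
                rpf-check;                   /* same check for IPv6 */
            }
        }
    }
}
firewall {
    /* without a fail-filter, failing packets are silently discarded; this one counts
       and syslogs them first so the spoofing source can be analysed later */
    filter urpf-fail {
        term log-and-drop {
            then {
                count urpf-failures;
                syslog;
                discard;
            }
        }
    }
}
```

Enable the check on customer and access interfaces, where the set of valid source prefixes is known; on peering and core links the return path is often not the incoming interface, and active-paths there drops legitimate traffic. Per-interface failure counters appear in `show interfaces so-0/0/0 extensive`, and the fail-filter counter in `show firewall filter urpf-fail`.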


Real-time Traffic Analysis

- Sampling and cflowd format export (v5 + v8) since JUNOS 5.4
- Passive Monitoring PIC
  - Application is primarily for security and traffic analysis
  - Monitors IPv4 packets and flows over SONET on:
    - OC-3c, OC-12c and OC-48c
    - PPP or HDLC (Cisco) layer 2 encapsulations
  - Generates cflowd v5 records for export to collector nodes
  - IPSec or GRE tunnels can be used for exporting

Real-time Traffic Analysis

- Juniper Port Mirroring capability
  - Copy of sampled packet can be sent to an arbitrary interface
  - Any interface and speed, up to 100% of selected packets
  - N number of ingress ports to a single destination port
  - Work in progress with IDS vendors
    - Discussions ongoing with high-speed analytical security application developers (OC48)

Real-time Traffic Analysis

[Diagram: traffic entering the Data Center is mirrored from the router to an Intrusion Detection System]
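The two mechanisms of this section, port mirroring to an IDS and sampled cflowd export to a collector, driven from one firewall filter, as an added example that is not from the deck. The Data Center prefix is the one from the earlier uRPF diagram; the mirror interface, sensor and collector addresses and the filter name are placeholders, and the forwarding-options syntax follows the JUNOS releases of this era, so check it against your own.

```junos
forwarding-options {
    /* mirror every packet the filter selects (rate 1 = 1 in 1) towards the IDS */
    port-mirroring {
        input {
            rate 1;
        }
        output {
            interface fe-1/0/0.0 {
                next-hop 192.0.2.2;      /* IDS sensor on a dedicated mirror link, placeholder */
            }
        }
    }
    /* 1-in-1000 packet sampling, exported as cflowd v5 records */
    sampling {
        input {
            family inet {
                rate 1000;
            }
        }
        output {
            cflowd 192.0.2.10 {          /* collector, placeholder */
                port 2055;
                version 5;
            }
        }
    }
}
firewall {
    filter monitor-dc {
        /* everything going to the data center: copy to the IDS, then forward as usual */
        term mirror-to-ids {
            from {
                destination-address {
                    10.10.10.0/24;
                }
            }
            then {
                port-mirror;
                accept;
            }
        }
        /* everything else: sample for flow export, then forward */
        term sample-rest {
            then {
                sample;
                accept;
            }
        }
    }
}
interfaces {
    so-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input monitor-dc;
                }
            }
        }
    }
}
```

Because mirroring is selected per filter term, the same filter can be applied as input on every ingress interface and all of them feed the single mirror port of the slide; size that port for the sum of the selected traffic, since packets the sensor link cannot carry are lost without the router noticing. The cflowd export is plain UDP, which is why the slide suggests an IPsec or GRE tunnel to the collector.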

Real-time DDoS Identification

- Preparation
  - Pre-configure Destination Class Usage (DCU) on customer-facing ingress interfaces
    - Accounting feature, typically for billing
    - Supported in JUNOS 4.3 (12/2000) and beyond
    - Counts packets and bytes destined for each of up to 16 destination classes (selected by BGP community) per interface
    - Counters retrievable via SNMP
    - Note: Source Class Usage is also supported (since JUNOS 5.4)
- During Attack
  - Use BGP to announce the victim's /32 host address with a special community
  - Trigger SNMP polling of DCU counters on all ingress interfaces
  - Apply a heuristic to identify likely attack sources

Real-time DDoS Identification

[Diagram: a Service Provider network with a NOC, several User Networks and a Victim Network; attack traffic enters from Attacker Networks and Attack Networks at several ingress points]

[Diagram: the victim host 128.8.128.80 is announced as 128.8.128.80/32 with community 100:100; the DCU counters on each ingress interface then show how much traffic toward that class arrives on each, pointing at the ingress points carrying the attack]
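The preparation and the attack-time announcement of the diagram as JUNOS configuration, an added example that is not from the deck. The community and victim address are the ones in the diagram; interface names, the NOC next hop and policy names are placeholders. The next hop of the /32 is the victim's real gateway, so the announcement only re-tags traffic for accounting and does not blackhole the victim; the heuristic the slide mentions (rank ingress interfaces by bytes per second toward the class) is an assumption, since the deck does not spell it out.

```junos
/* ---- preparation, on every customer-facing ingress router ---- */
policy-options {
    community victim-flag members 100:100;
    /* routes carrying the community are placed in destination class "victim" */
    policy-statement dcu-classes {
        term under-attack {
            from community victim-flag;
            then destination-class victim;
        }
    }
}
routing-options {
    forwarding-table {
        export dcu-classes;       /* tags forwarding-table entries with the class */
    }
}
interfaces {
    so-0/0/0 {
        unit 0 {
            family inet {
                accounting {
                    /* per-class packet and byte counters for traffic entering here */
                    destination-class-usage;
                }
            }
        }
    }
}

/* ---- during the attack, at the NOC router ---- */
routing-options {
    static {
        route 128.8.128.80/32 {
            next-hop 10.0.0.9;       /* victim's real gateway, placeholder */
            community [ 100:100 ];
        }
    }
}
policy-options {
    policy-statement export-victim {
        term victim {
            from {
                protocol static;
                route-filter 128.8.128.80/32 exact;
            }
            then accept;
        }
    }
}
protocols {
    bgp {
        group ibgp-core {
            export export-victim;    /* the /32 with its community reaches every ingress router */
        }
    }
}
```

Once the /32 has propagated, `show interfaces destination-class all` on each ingress router (or the equivalent SNMP poll from the NOC) gives packets and bytes toward class "victim" per interface; interfaces whose rate is far above the others are where the attack enters, and those are the ones to filter or police. Withdraw the static route when the incident is over so the class counters return to counting nothing.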


I/O Filters To Block Attack Flows

- The DoS attacks need to be detected and stopped
- Interface filters can be applied to block only the attack flows
- Filters can be applied to any interface type
- Filters can be applied both inbound and outbound

    /* apply the filter to the ingress point of the network */
    interfaces {
        so-0/2/2 {
            unit 0 {
                family inet {
                    filter {
                        input block-attack;
                    }
                    address 151.1.1.1/30;
                }
            }
        }
    }
    /* this is the filter which blocks the attack */
    firewall {
        filter block-attack {
            term bad-guy {
                from {
                    source-address {
                        10.10.10.1/32;
                    }
                    protocol icmp;
                }
                then {
                    discard;
                    log;
                }
            }
            /* a filter ends with an implicit discard, so the legitimate traffic
               must be accepted explicitly or the whole interface goes dark */
            term everything-else {
                then accept;
            }
        }
    }

Rate Limiting

- Suppression/Rate Limiting Advantages
  - Protects the router or the customer by limiting traffic based on protocol/port/source and destination addresses
- Juniper Advantage
  - Architectural reasons we perform
    - Internet Processor ASIC not tied to an interface or release
  - Behavior under attack
    - Stable operation, routing and management traffic unaffected
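Rate limiting instead of outright blocking, as an added example that is not from the deck: where the attack source is not known, or the attack mixes with legitimate traffic of the same type, a policer keeps ICMP and new TCP connection requests under a ceiling on the customer-facing interface while leaving everything else alone. Rates, burst sizes and names are placeholders to be sized for the link.

```junos
firewall {
    /* token-bucket policer: ICMP above 1 Mbit/s (15 KB burst) is dropped */
    policer limit-icmp {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    /* TCP connection requests above 2 Mbit/s are dropped; established flows are not policed */
    policer limit-syn {
        if-exceeding {
            bandwidth-limit 2m;
            burst-size-limit 30k;
        }
        then discard;
    }
    filter rate-limit-attack {
        term icmp {
            from {
                protocol icmp;
            }
            then {
                policer limit-icmp;   /* conforming packets are accepted implicitly */
                count icmp;
            }
        }
        term tcp-syn {
            from {
                protocol tcp;
                tcp-flags "syn & !ack";   /* SYN without ACK: new connection attempts only */
            }
            then {
                policer limit-syn;
                count tcp-syn;
            }
        }
        term rest {
            then accept;
        }
    }
}
interfaces {
    so-0/2/2 {
        unit 0 {
            family inet {
                filter {
                    input rate-limit-attack;
                }
            }
        }
    }
}
```

A policer referenced from a term is instantiated for that term, so the same policer name in several filters or terms limits each of them separately, not their sum. Referencing `limit-icmp` from the loopback filter of the router protection section puts the same ceiling on ICMP aimed at the Routing Engine.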

Hitless Filter Implementation

- Can be applied immediately after identification of offending traffic
- Application of filters does not create a short-term degraded condition as filters take effect
- Size and complexity of filter independent of forwarding performance

Traffic Interruption During Filter Compilation

[Diagram: while the NOC operator applies or changes filters, all traffic, not just the attack flow, gets dropped during filter compilation]

No Interruption With Atomic Updates

[Diagram: the NOC operator applies or changes filters, the attack flow gets dropped, and the legitimate traffic flow is never interrupted]


Next Steps

- Ongoing dialog with security team
  - Ensuring existing security features are active
  - Awareness of upcoming security issues
- Best Practices
  - White Papers
- Security consulting and training

Juniper Networks: the Trusted Source

Further References

- Juniper Networks Whitepapers
  - Rate-limiting and Traffic-policing Features
  - Fortifying the Core
  - Visibility into Network Operations
  - Minimizing the Effects of DoS Attacks
  - Juniper Networks Router Security

Available from http://www.juniper.net/techcenter

juze@juniper.net

Thank You