FIREWALL INTELLIGENCE

Juniper Networks Corporate PowerPoint Template, Copyright © 2014 Juniper Networks, Inc. (36 pages)
Source: media.gswi.westcon.com/media/3._WestCon_-_SRX_-_Firewall... (retrieved 2016-10-19)



Page 2

AGENDA SLIDE

• Introduction to Firewall Intelligence
• Overview
• Use Cases
• Demo / Screenshots
• Questions?

Page 3

THE NEXT LEAP FORWARD FOR THE FIREWALL

(Diagram: firewall generations plotted on two axes, inspection depth from Layer 3 to Layer 7 and policy from static to dynamic, numbered in order of evolution: 1. Traditional Firewall, 2. Next Gen Firewall, 3. Intelligent Firewall.)

Page 4

THE NEED FOR FIREWALL INTELLIGENCE

• The ability to attack is outpacing the ability of many to defend themselves.

• As the threats, and the markets that drive them, continue to evolve, so too do the ways companies defend themselves.

• There is no silver bullet for security. Solutions must evolve from a collection of static standalone devices to an ecosystem of collaborating devices.

• Static firewalls may work for policy enforcement (e.g. Firewall, AppFirewall), but they are not good enough for threat detection and mitigation.

• Customers need the ability to include real-time threat feeds from any source that makes sense for their specific industry, without being locked into a single vendor's feeds.

Page 5

FIREWALL INTELLIGENCE ECOSYSTEM

(Diagram: Spotlight Cloud, Data Feeds and Custom Intelligence Feeds flow into the Spotlight Connector, which delivers Spotlight Intelligence to the SRX Firewalls; WebApp Secure contributes Attacker Fingerprints.)

Page 6

AGENDA SLIDE (repeated; next section: Overview)

Page 7

CHALLENGES WITH EXISTING FEED SOLUTIONS

• Many existing feed solutions do not provide good enough coverage, because the feed is either too small or is not updated often enough.

• Many existing feed solutions generate too many false positives. This creates two big challenges for customers:
  • It prevents administrators from taking action based on feed data, because of the risk of blocking valid traffic.
  • The volume of false positives makes it very hard for administrators to find the infected devices among them.

Juniper's Security Intelligence team takes a large set of both internal and external feeds and analyzes them in different test beds, then generates relevant and accurate feeds of data for our customers.

Page 8

SPOTLIGHT CLOUD – THE SECURITY INTELLIGENCE ENGINE

(Diagram: Spotlight Cloud takes in Hacker Fingerprints, Open Source Feeds, Third Party Feeds and Internal Feeds, runs Feed Validation, and produces the Juniper Security Intelligence Feeds.)

Feed Validation:
- False Positive vs True Positive testing
- Correlation between feeds
- Machine based learning
- …
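The slide lists "correlation between feeds" and false-positive testing as validation steps without showing how they work. The following is an added example, not code from Juniper or from Spotlight Cloud: it models the simplest form of that step, publishing an indicator only when it is corroborated by at least two independent feeds and is not on an allowlist of known-good addresses. The feed contents, the allowlist, the `min_sources` threshold and the threat-level mapping are all constructed assumptions.

```python
"""Feed correlation with an allowlist guard (added example, constructed data).

Each feed is a list of raw indicator strings. An indicator is published only
if it appears in >= min_sources distinct feeds and is not allowlisted; this is
one simple way to cut the false positives the previous slide complains about.
"""
import ipaddress
from collections import defaultdict

# Constructed sample feeds. Addresses are from documentation ranges; 8.8.8.8
# is included deliberately as a plausible false positive from a noisy feed.
FEEDS = {
    "internal-sandbox": ["203.0.113.10", "203.0.113.11", "198.51.100.7"],
    "open-source-a":    ["203.0.113.10", "198.51.100.7", "192.0.2.55", "garbage"],
    "third-party-b":    ["203.0.113.10", "192.0.2.55", "8.8.8.8"],
}

# Constructed allowlist: addresses that must never reach the enforcement feed.
ALLOWLIST = [ipaddress.ip_network("8.8.8.8/32"), ipaddress.ip_network("10.0.0.0/8")]


def is_allowlisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def correlate(feeds, min_sources: int = 2):
    """Return {indicator: sorted feed names} for indicators seen in at least
    min_sources feeds and not allowlisted. Malformed entries are skipped
    rather than allowed to poison the published feed."""
    seen = defaultdict(set)
    for name, entries in feeds.items():
        for raw in entries:
            try:
                ip = str(ipaddress.ip_address(raw.strip()))
            except ValueError:
                continue
            seen[ip].add(name)
    return {
        ip: sorted(srcs)
        for ip, srcs in seen.items()
        if len(srcs) >= min_sources and not is_allowlisted(ip)
    }


def publish(feeds, min_sources: int = 2):
    """Attach an assumed threat level that grows with corroboration
    (5 + 2 per source, capped at 10). This mapping is an assumption,
    not Juniper's scoring."""
    out = {}
    for ip, srcs in correlate(feeds, min_sources).items():
        out[ip] = {"sources": srcs, "threat_level": min(10, 5 + 2 * len(srcs))}
    return out


if __name__ == "__main__":
    for ip, info in publish(FEEDS).items():
        print(ip, info)
```

With the constructed feeds above, three indicators survive: 203.0.113.10 (all three feeds), 198.51.100.7 and 192.0.2.55 (two each); 203.0.113.11 is dropped as single-source and 8.8.8.8 is dropped both as single-source and as allowlisted. The allowlist check runs last on purpose, so a known-good address is suppressed even if every feed lists it.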

Page 9

OVERVIEW OF THE SECURITY INTELLIGENCE SOLUTION

(Diagram: Information Sources (Spotlight Cloud, Custom whitelist/blacklist) feed the Spotlight Connector, which is managed from Security Director and pushes intelligence to the Enforcement Points.)

Page 10

COMPONENTS IN THE SECURITY INTELLIGENCE SOLUTION

Information Sources:
- Spotlight Cloud (C&C + GeoIP feed)
- WebAppSecure (5.5) (Attacker IP and Fingerprint feed)
- Custom whitelist/blacklist (IP list feed)

Junos Space Platform (13.3r1):
- Spotlight Connector
- Security Director (13.3r2)

Enforcement Points:
- SRX Branch (2G): 12.1x46-D25* (550/650); 100s/200s TBD
- SRX 1k/3k: 12.1x46-D25*
- SRX 5k: 12.1x46-D25*

* The exact Junos release is not yet committed and may change.

Page 11

AGENDA SLIDE (repeated; next section: Use Cases)

Page 12

WHAT CAN YOU DO WITH A SECURITY INTELLIGENCE ECOSYSTEM?

• Block hackers w/ attacker fingerprints
• Stop bots & detect infections w/ Command & Control blocking
• Custom intelligence-based controls
• High speed incident response flexibility
• Dynamically control GeoIP traffic
• …And there will be more

Page 13

USE-CASE #1: DETECTION OF INFECTED HOSTS

Command & Control Blocking. Infected devices try to connect to a known Command & Control server on the Internet. The SRX mitigates the traffic based on a real-time feed of known Command & Control IPs and URLs from the Spotlight Cloud. The feed data is loaded dynamically and does not require any commit or configuration change.

(Diagram: Spotlight Cloud sends the IP/URL feed to the Spotlight Connector, which passes it on to the SRX sitting between the infected host and the Internet.)

Page 14

USE-CASE #2: GEOIP BASED TRAFFIC INSPECTION

Dynamic Address Groups

• Dynamic Address Groups can be used as either "Source Address" or "Destination Address" in a firewall rule.
• A Dynamic Address Group is updated dynamically and does not require any configuration commit.
• The following types of feed are supported in the first version:
  • Custom IP-list feeds (from file)
  • GeoIP feed (from Spotlight Cloud)

Page 15

USE-CASE #3: CUSTOM IP FEEDS

Blocking, or changing inspection depth, based on a custom feed of addresses. The customer gets a list of IP addresses from a trusted third party that they want to use for policy enforcement. The file is posted on a web server. The Connector polls this file at a given interval and updates the SRX dynamically with the IPs, without any commit or configuration change required. The feed can either be used as a simple blacklist, or it can be assigned to a dynamic address group and used as a source or destination match in the firewall policy.

(Diagram: the IP feed is fetched from the Internet by the Spotlight Connector and pushed to the SRX.)

Page 16

AGENDA SLIDE (repeated; next section: Demo / Screenshots)

Page 17

POLICY DEMO #1

Security Intelligence Policy
- Command&Control
- Attacker Fingerprints
- Custom Blocklists

Page 18

HOW DO YOU CONFIGURE YOUR SRX FIREWALL FOR INTELLIGENCE?

1. Information Source: identify the source of the intelligence.
2. Profiles: define what the SRX does with the intelligence; use the automated settings or customize your own.
3. Policies: combine different profiles into a Security Intelligence policy.
4. Rules: add Security Intelligence policies to firewall policies.

Page 19

INTRODUCTION TO SD

This is Security Director, our central management platform, which can manage thousands of SRX firewalls. From this platform you can configure:
- Firewall policies
- VPN
- Intrusion Prevention
- NAT
- (also normal device settings)
…and…
- SECURITY INTELLIGENCE
…which we are going to talk about now.

Page 20

SECURITY INTELLIGENCE OVERVIEW

This is the landing page for Security Intelligence.

"Information Sources": these sources provide real-time intelligence feed data to the "Spotlight Connector". Examples of feed data are:
- GeoIP (country-to-IP) mapping
- Known destinations for Command&Control traffic
- Hacker fingerprints
- Custom feeds (internal or third party)

"Spotlight Connector": the central connection point between feeds and devices. Provides control and intelligence to the solution.

"Security Devices": our family of SRX firewalls, which turn the security intelligence into actions and visibility.

Page 21

INFORMATION SOURCES

We support three different types of information source in the first release:
- Spotlight Cloud: Juniper feed of GeoIP and C&C.
- WebAppSecure: feed of attacker fingerprints and IPs from Juniper WebApp Secure appliances.
- Custom: a custom file that you can either upload manually or fetch by a scheduled poll from a web server. This enables customers to dynamically feed addresses into the SRX firewalls, either to block them or just to increase inspection and visibility for them.

Page 22

PROFILES #1(2)

Security Intelligence Profiles. On this page the administrator configures profiles for what action to take for a specific feed and a specific Threat Level. Juniper provides Recommended Actions (which is why the settings are greyed out). If you want to change the default settings, change the Action from "Default" to "Custom". In the first release we support the following actions:
- Permit
- Block
- Redirect (with message, block page or URL redirect)

Page 23

PROFILES #2(2)

Feed categories that support threat levels in the first release are:
- Command&Control
- JWAS Attacker Fingerprints

By changing from "Default" to "Custom" you can modify the default actions and log levels as you need.
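Use-case #1 and the two Profiles slides describe the same mechanism from two sides: a feed of indicators with threat levels that is swapped in without a commit, and a per-category profile that maps threat level to an action (Permit / Block / Redirect) and a log level, either Juniper's recommended "Default" table or a "Custom" one. The following is an added example, not Juniper's code, that models that mechanism end to end. The recommended action table, the threat-level scale of 1 to 10, the rule that the first matching feed entry wins, and the sample C&C and fingerprint feed entries are all constructed assumptions.

```python
"""Security Intelligence profiles and dynamic feed loading (added example).

Profile: per feed category, rows of (min_threat_level, action, log_level).
  mode "Default" uses RECOMMENDED; mode "Custom" uses the profile's own rows.
SecIntelPolicy: holds the live feed and evaluates flows against it. The feed
is replaced atomically by load_feed(); profiles and rules are untouched.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed "Recommended Actions". Highest matching min_level wins.
RECOMMENDED = {
    "CC":          [(8, "block", "alert"), (5, "redirect", "info"), (1, "permit", "none")],
    "Fingerprint": [(7, "block", "alert"), (4, "permit", "info"),   (1, "permit", "none")],
}


@dataclass
class Profile:
    category: str
    mode: str = "Default"                    # "Default" or "Custom"
    custom: list = field(default_factory=list)  # rows like RECOMMENDED[...]

    def rules(self):
        return self.custom if self.mode == "Custom" else RECOMMENDED[self.category]

    def action_for(self, threat_level: int):
        """Return (action, log_level) for a threat level; permit if no row matches."""
        for min_level, action, log in sorted(self.rules(), reverse=True):
            if threat_level >= min_level:
                return action, log
        return "permit", "none"


class SecIntelPolicy:
    def __init__(self, profiles):
        self.profiles = {p.category: p for p in profiles}
        self.feed = {}  # (category, indicator) -> threat level

    def load_feed(self, entries):
        """entries: iterable of (category, indicator, threat_level). IP entries
        are normalised to CIDR; URL entries are kept verbatim. Replacing
        self.feed is the 'no commit needed' update the slides describe."""
        new = {}
        for category, indicator, level in entries:
            if category not in self.profiles:
                continue                      # no profile: nothing to enforce
            if not indicator.startswith("http"):
                indicator = str(ipaddress.ip_network(indicator, strict=False))
            new[(category, indicator)] = level
        self.feed = new

    def evaluate(self, dst_ip: str, url: str = None):
        """Return (action, log_level, category) for a flow; first feed entry
        that matches wins (assumption). Unknown destinations are permitted."""
        dst = ipaddress.ip_address(dst_ip)
        for (category, indicator), level in self.feed.items():
            if indicator.startswith("http"):
                hit = url is not None and indicator == url
            else:
                hit = dst in ipaddress.ip_network(indicator)
            if hit:
                action, log = self.profiles[category].action_for(level)
                return action, log, category
        return "permit", "none", None


# Constructed sample feed: documentation prefixes and a reserved .example host.
SAMPLE_FEED = [
    ("CC", "203.0.113.0/24", 9),
    ("CC", "http://c2.example/gate.php", 6),
    ("Fingerprint", "198.51.100.23", 5),
]


def build_policy(fingerprint_mode: str = "Default"):
    """Policy with a Default C&C profile and a Fingerprint profile that is
    either Default or a stricter Custom one (block from threat level 5)."""
    custom = [(5, "block", "alert"), (1, "permit", "none")] if fingerprint_mode == "Custom" else []
    policy = SecIntelPolicy([Profile("CC"), Profile("Fingerprint", fingerprint_mode, custom)])
    policy.load_feed(SAMPLE_FEED)
    return policy


if __name__ == "__main__":
    p = build_policy()
    print(p.evaluate("203.0.113.7"), p.evaluate("192.0.2.1", url="http://c2.example/gate.php"))
```

The point to notice is where each knob lives: changing the feed (`load_feed`) changes which destinations match, while changing a profile from Default to Custom changes what happens to a match, and neither touches the firewall rules that reference the policy. With the sample feed, a flow to 203.0.113.7 is blocked with an alert, the sample C&C URL on a threat level of 6 is redirected, and the fingerprinted attacker at threat level 5 is permitted with an info log under the Default profile but blocked under the Custom one.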

Page 24

SECINTEL POLICIES

Policies. To make it easier to combine profiles and apply them consistently across multiple firewall rules, we have Policies. In a Policy you select the profiles that you want to include. If you want to test a different profile you can simply change it here, and the change applies across all the firewall rules that reference this policy.

Page 25

FIREWALL RULEBASE

It is here in the firewall rulebase that you activate which Security Intelligence Policy you want to enable for which type of traffic. It works in combination with all other existing SRX L7 features, such as:
- IPS
- AppFW / AppQoS
- AntiVirus
- WebFiltering

Page 26

POLICY DEMO #2

Dynamic Addressbook
- Custom IP Feeds
- GeoIP

Page 27

SECURITY INTELLIGENCE OVERVIEW (repeat of Page 20)

Page 28

INFORMATION SOURCES (repeat of Page 21)

Page 29

DYNAMIC ADDRESS GROUPS

Address Groups have existed for a very long time on firewalls. They enable admins to statically group addresses together so that they can be used throughout the firewall rulebase. Dynamic Address Groups take this one step further by allowing both firewall admins and non-firewall admins to dynamically feed IP addresses into a group, which requires neither a configuration change nor a commit on the firewall. Dynamic Address Groups support two different types of feed:
- Custom IP lists
- GeoIP (country-to-IP mapping)

Page 30

USING DYNAMIC ADDRESS GROUPS IN FIREWALL RULEBASE

You can use dynamic address groups both as "Source Address" and as "Destination Address" in the firewall rulebase. This means that you can either block, or change the inspection level, based on information in the feed. Example (from the screenshot): we want to block all outgoing traffic that has "Unwanted Countries" as destination, but for "Suspicious Countries" we permit the traffic and add IPS inspection.
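Use-cases #2 and #3 and the two Dynamic Address Group slides share one idea: a rule refers to a named group, and the group's membership comes from a polled IP-list file or a GeoIP country mapping that can change without the rule changing. The following is an added example, not SRX or Security Director code, that models exactly that: a custom feed file is parsed with malformed lines skipped, GeoIP groups are built from country codes, and a small rulebase reproduces the screenshot's "block Unwanted Countries, permit Suspicious Countries with IPS". The feed text, the country codes XA/XB/XC and their prefixes, the group names and the rulebase are all constructed.

```python
"""Dynamic Address Groups driven by a custom IP-list feed and GeoIP (added example).

Rules name groups; groups are refreshed in place (update_custom / update_geoip)
so a feed poll never touches the rulebase, mirroring the 'no commit' behaviour
on the slides.
"""
import ipaddress

# Constructed custom feed, as it would be fetched from the customer's web server.
CUSTOM_FEED_TEXT = """# partner-supplied blocklist (constructed sample)
203.0.113.0/24
198.51.100.77
not-an-address   ; malformed line, must be skipped, not fail the whole feed
"""

# Constructed GeoIP mapping using documentation prefixes (not real geolocation).
GEOIP = {"XA": ["192.0.2.0/25"], "XB": ["192.0.2.128/25"], "XC": ["198.51.100.0/24"]}


def parse_ip_list(text: str):
    """Parse one IP or CIDR per line; '#' and ';' start comments; bad lines are dropped."""
    nets = []
    for line in text.splitlines():
        token = line.split("#")[0].split(";")[0].strip()
        if not token:
            continue
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            continue
    return nets


class DynamicAddressGroups:
    def __init__(self):
        self.groups = {}  # name -> list of ip_network

    def update_custom(self, name: str, feed_text: str):
        self.groups[name] = parse_ip_list(feed_text)

    def update_geoip(self, name: str, countries, geoip=GEOIP):
        self.groups[name] = [ipaddress.ip_network(p) for c in countries for p in geoip.get(c, [])]

    def contains(self, name: str, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.groups.get(name, []))


# Constructed rulebase: (source group, destination group, action, extra services).
# "any" matches everything. First match wins, as in a firewall rulebase.
RULES = [
    ("partner-blocklist", "any", "deny", []),             # feed used as a source match
    ("any", "unwanted-countries", "deny", []),
    ("any", "suspicious-countries", "permit", ["ips"]),   # permit but add IPS inspection
    ("any", "partner-blocklist", "deny", []),             # feed used as a destination match
    ("any", "any", "permit", []),
]


def lookup(dag: DynamicAddressGroups, rules, src_ip: str, dst_ip: str):
    """Return (action, services) of the first rule whose groups match the flow."""
    for src_grp, dst_grp, action, services in rules:
        src_ok = src_grp == "any" or dag.contains(src_grp, src_ip)
        dst_ok = dst_grp == "any" or dag.contains(dst_grp, dst_ip)
        if src_ok and dst_ok:
            return action, services
    return "deny", []            # implicit deny at the end of the rulebase


def build():
    dag = DynamicAddressGroups()
    dag.update_custom("partner-blocklist", CUSTOM_FEED_TEXT)
    dag.update_geoip("unwanted-countries", ["XA"])
    dag.update_geoip("suspicious-countries", ["XB"])
    return dag


if __name__ == "__main__":
    dag = build()
    for dst in ("192.0.2.10", "192.0.2.200", "203.0.113.9", "1.1.1.1"):
        print(dst, lookup(dag, RULES, "10.0.0.5", dst))
```

Two practical points the slides leave implicit. First, because the feed contents are enforced directly, the parser has to be tolerant of bad lines (one typo in a partner file must not empty the group or cause a wide-open match) and the file should be fetched from a source the customer trusts over an authenticated channel; whoever can edit the file can block legitimate traffic or unblock attackers. Second, a refresh is an in-place replacement of the group, so `lookup` keeps answering from whichever membership is current, which is what makes a feed update safe to apply on a polling schedule without a configuration change.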

Page 31

VISIBILITY (STRM/JSA)

Page 32

CLIENT THREAT DASHBOARD

Page 33

CLIENT THREAT DASHBOARD

Dashboard widgets (screenshot annotations):
- SRX-IPS: "Attack against Client WebBrowser"
- SRX-AppFW: "Blocked Tunneling Applications"
- SRX-C&C (Firewall Intelligence): "Top Blocked Destination Countries"
- SRX-C&C (Firewall Intelligence): "Top Blocked Users"
- SRX-Dynamic Blacklist (Firewall Intelligence): "Top Blocked Countries"
- SRX-Dynamic Blacklist (Firewall Intelligence): "Top Blocked Users"

Page 34

SERVER THREAT DASHBOARD

Page 35

SERVER THREAT DASHBOARD

Dashboard widgets (screenshot annotations):
- JWAS: "Top Deception Events"
- JWAS: "Top Attacked URLs"
- SRX-IPS: "Top Attack Categories"
- SRX-IPS: "Top Attacks"
- SRX-Fingerprint (Firewall Intelligence): "Top Protected Internal Assets"
- SRX-Fingerprint (Firewall Intelligence): "Top Threat Levels"

Page 36

QUESTIONS?