Copyright © 2014 Juniper Networks, Inc.
FIREWALL INTELLIGENCE
AGENDA
- Introduction to Firewall Intelligence
- Overview
- Use Cases
- Demo / Screenshots
- Questions?
THE NEXT LEAP FORWARD FOR THE FIREWALL
[Diagram: firewall evolution plotted on two axes, Layer 3 to Layer 7 and Static to Dynamic, with three successive stages: Traditional Firewall, Next Gen Firewall, Intelligent Firewall]
THE NEED FOR FIREWALL INTELLIGENCE
• The ability to attack is outpacing the ability of many to defend themselves.
• As the threats, and the markets that drive them, continue to evolve, so too do the ways companies defend themselves.
• There is no silver bullet for security. Solutions must evolve from a collection of static standalone devices to an ecosystem of collaborating devices.
• Static firewalls may work for policy enforcement (e.g. Firewall, AppFirewall), but they are not good enough for threat detection and mitigation.
• Customers need the ability to include real-time threat feeds from any source that makes sense for their specific industry, and not be locked into a single vendor's feeds.
FIREWALL INTELLIGENCE ECOSYSTEM
[Diagram of the ecosystem: Spotlight Cloud and Spotlight Intelligence data feeds, Custom Intelligence Feeds, and Attacker Fingerprints from WebApp Secure, delivered through the Spotlight Connector to the SRX Firewalls]
CHALLENGES WITH EXISTING FEED SOLUTIONS
• Many existing feed solutions do not provide good enough coverage, since the feed is either too small or is not updated often enough.
• Many existing feed solutions generate too many false positives. This creates two big challenges for customers:
  • It prevents admins from taking action based on feed data, due to the risk of blocking valid traffic.
  • Because of the number of false positives, it is very hard for administrators to find the infected devices among all the false positives.
Juniper's Security Intelligence team takes a large set of both internal and external feeds and analyzes them in different test beds, in order to generate relevant and accurate feeds of data for our customers.
SPOTLIGHT CLOUD – THE SECURITY INTELLIGENCE ENGINE
[Diagram: Hacker Fingerprints, Open Source Feeds, Third Party Feeds and Internal Feeds flow into the Spotlight Cloud, which produces the Juniper Security Intelligence Feeds]
Feed Validation:
- False Positive vs True Positive testing
- Correlation between feeds
- Machine based learning
- …
OVERVIEW OF THE SECURITY INTELLIGENCE SOLUTION
[Diagram: Information Sources (Spotlight Cloud, Custom whitelist/blacklist) → Spotlight Connector (alongside Security Director) → Enforcement Points]
COMPONENTS IN THE SECURITY INTELLIGENCE SOLUTION
Information Sources:
- Spotlight Cloud (C&C + GeoIP feed)
- WebAppSecure (5.5) (Attacker IP and Fingerprint feed)
- Custom whitelist/blacklist (IP list feed)
Junos Space Platform (13.3r1):
- Spotlight Connector
- Security Director (13.3r2)
Enforcement Points:
- SRX Branch (2G) 12.1x46-D25* (550/650); 100s/200s TBD
- SRX 1k/3k 12.1x46-D25*
- SRX 5k 12.1x46-D25*
* The exact Junos release is not yet committed and may change
WHAT CAN YOU DO WITH A SECURITY INTELLIGENCE ECOSYSTEM?
- Block hackers w/ attacker fingerprints
- Stop bots & detect infections w/ Command & Control blocking
- Custom intelligence-based controls
- High speed incident response flexibility
- Dynamically control GeoIP traffic
- …And there will be more
USE-CASE #1: DETECTION OF INFECTED HOSTS
Command & Control Blocking: infected devices try to connect to a known Command & Control server on the Internet. The SRX mitigates the traffic based on a real-time feed of known Command & Control IPs and URLs from the Spotlight Cloud. The feed data is loaded dynamically and does not require any commit or configuration change.
[Diagram: Spotlight Cloud → IP/URL feed → Spotlight Connector → IP/URL feed → SRX → Internet]
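The detection side of use-case #1, as an added example that is not part of the original deck or of Juniper's products: an in-memory copy of a Command & Control feed (IP prefixes and URL host names) is matched against outbound flow records, and every internal host that contacted an indicator is reported. The feed file format (one IP, CIDR or host name per line, `#` comments), the `key=value` flow log format, the host names and the addresses (RFC 5737 documentation ranges) are all constructed for illustration; applying a new feed version is just building a new `CncFeed` object, which is the "no commit" property the slide describes.

```python
"""Use case #1 as code: match outbound flows against a C&C indicator feed.

Added example, not Juniper's code. The feed file format (one IP, CIDR or host
name per line, '#' comments) and the key=value flow log format are constructed
for illustration; addresses come from the RFC 5737 documentation ranges.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit


class CncFeed:
    """In-memory copy of a Command & Control feed: IP prefixes plus URL host names."""

    def __init__(self):
        self.prefixes = []   # ipaddress network objects
        self.hosts = set()   # lower-case host names

    @classmethod
    def from_lines(cls, lines):
        """Parse the constructed feed format; anything that is not an IP/CIDR is a host name."""
        feed = cls()
        for raw in lines:
            entry = raw.split("#", 1)[0].strip()
            if not entry:
                continue
            try:
                feed.prefixes.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                feed.hosts.add(entry.lower())
        return feed

    def match(self, dst_ip, url):
        """Return the indicator that matched this flow, or None if it is clean."""
        addr = ipaddress.ip_address(dst_ip)
        for net in self.prefixes:
            if addr in net:
                return str(net)
        if url and url != "-":
            host = urlsplit(url).hostname
            if host and host.lower() in self.hosts:
                return host.lower()
        return None


def parse_flow(line):
    """Parse one constructed flow record: '<timestamp> key=value key=value ...'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def find_infected_hosts(feed, log_lines):
    """Map each internal source address to the (timestamp, indicator) pairs it hit."""
    hits = defaultdict(list)
    for line in log_lines:
        flow = parse_flow(line)
        indicator = feed.match(flow["dst"], flow.get("url"))
        if indicator:
            hits[flow["src"]].append((flow["ts"], indicator))
    return dict(hits)


# Constructed feed as delivered on two successive updates; version 2 adds one
# indicator, and applying it is just a new CncFeed object, no device commit.
FEED_V1 = [
    "# constructed C&C feed, version 1",
    "203.0.113.0/28",
    "c2-beacon.example.net",
]
FEED_V2 = FEED_V1 + ["198.51.100.42"]

# Constructed outbound flow records from internal hosts (10.0.0.0/8).
FLOWS = [
    "2014-05-01T10:00:01Z src=10.0.0.5 dst=203.0.113.7 dport=443 url=-",
    "2014-05-01T10:00:03Z src=10.0.0.9 dst=192.0.2.60 dport=80 url=http://www.example.com/",
    "2014-05-01T10:00:05Z src=10.0.0.5 dst=192.0.2.50 dport=80 url=http://c2-beacon.example.net/gate.php",
    "2014-05-01T10:00:09Z src=10.0.0.12 dst=198.51.100.42 dport=8080 url=-",
]

if __name__ == "__main__":
    for version, lines in (("v1", FEED_V1), ("v2", FEED_V2)):
        report = find_infected_hosts(CncFeed.from_lines(lines), FLOWS)
        for host, events in sorted(report.items()):
            print(f"feed {version}: {host} contacted {[i for _, i in events]}")
```

Two details matter for a real deployment: host 10.0.0.5 is flagged twice (an IP hit and a URL hit), which is the kind of corroboration that separates an infected host from a single false positive, and host 10.0.0.12 only appears once the feed update that adds 198.51.100.42 is applied, so feed freshness directly bounds how long an infection goes unnoticed.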
USE-CASE #2: GEOIP BASED TRAFFIC INSPECTION
Dynamic Address Groups
• Dynamic Address Groups can be used as either “Source Address” or “Destination Address” in a firewall rule.
• A Dynamic Address Group is updated dynamically and does not require any configuration commit.
• The following types of feeds are supported in the first version:
  • Custom IP-list feeds (from file)
  • GeoIP feed (from Spotlight Cloud)
USE-CASE #3: CUSTOM IP FEEDS
[Diagram: IP feed → Spotlight Connector → IP feed → SRX → Internet]
Blocking, or changing the inspection depth, based on a custom feed of addresses. The customer gets a list of IP addresses from a trusted third party that they want to use for policy enforcement. The file is posted on a webserver. The Connector polls this file at a given interval and updates the SRX dynamically with the IPs, without any commit or configuration change required. The feed can either be used as a simple blacklist, or it can be assigned to a dynamic address group and used for source or destination match in the firewall policy.
POLICY DEMO #1 - Security Intelligence Policy
- Command&Control
- Attacker Fingerprints
- Custom Blocklists
HOW DO YOU CONFIGURE YOUR SRX FIREWALL FOR INTELLIGENCE?
- Information Source: identify the source of the intelligence
- Profiles: define what the SRX does w/ the intelligence; use automated settings or customize your own
- Policies: combine different profiles into a Security Intelligence policy
- Rules: add Security Intelligence policies into Firewall policies
INTRODUCTION TO SD
This is Security Director, our central management platform that can manage thousands of SRX firewalls.
From this platform you can configure:
- Firewall policies
- VPN
- Intrusion Prevention
- NAT
- (also normal Device Settings)
..and…
- SECURITY INTELLIGENCE
…which is what we are going to talk about now.
SECURITY INTELLIGENCE OVERVIEW
This is the landing page for Security Intelligence.
“Information Sources”: these sources provide intelligent real-time feed data to the “Spotlight Connector”. Examples of feed data are:
- GeoIP (country-to-IP) mapping
- Known destinations for Command&Control traffic
- Hacker fingerprints
- Custom Feeds (internal or third party)
“Spotlight Connector”: the central connection point between feeds and devices. It provides control and intelligence to the solution.
“Security Devices”: this is our family of SRX firewalls, which turn the security intelligence into actions and visibility.
INFORMATION SOURCES
“Information Sources”: we support three different types of information sources in the first release.
- Spotlight Cloud: Juniper feed of GeoIP and C&C.
- WebAppSecure: feed of attacker fingerprints and IPs from Juniper WebApp Secure appliances.
- Custom: a custom file that you can either upload manually or fetch with a scheduled poll from a webserver. This enables customers to dynamically feed addresses into the SRX firewalls, either to block them or just to increase inspection and visibility for them.
PROFILES #1(2)
Security Intelligence Profiles: on this page the administrator configures profiles for what actions to take for a specific feed and for a specific Threat Level. Juniper provides Recommended Actions (that is why the settings are grey). If you want to change the default settings, just change the Action from “Default” to “Custom”.
In the first release we support the following actions:
- Permit
- Block
- Redirect (with message, block-page or URL redirect)
PROFILES #2(2)
Feed categories that support threat levels in the first release are:
- Command&Control
- JWAS Attacker Fingerprints
By changing from “Default” to “Custom” you can modify the default actions and log levels as you need.
SECINTEL POLICIES
Policies: to make it easier to combine profiles and apply them consistently across multiple firewall rules, we have Policies. In a Policy you select the profiles that you want to include. If you want to test a different profile you can simply change it here, and the change applies across all the firewall rules where you have referenced this policy.
FIREWALL RULEBASE
Firewall Rulebase: it is here, in the firewall rulebase, that you select which Security Intelligence Policy you want to enable for which type of traffic. It works in combination with all other existing SRX L7 features, such as:
- IPS
- AppFW / AppQoS
- AntiVirus
- WebFiltering
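The configuration chain from the demo, Information Source → Profiles → Policies → Rules, as an added example that is neither Juniper's code nor Security Director's data model: a profile maps a feed category and threat level to an action and log level (either the recommended table or a custom one), a policy bundles one profile per category, and a firewall rule references a policy by name. Threat levels are modelled as integers, and the "recommended" tables, zone names, policy names and block-page URL are all constructed placeholders, not Juniper's real defaults. `swap_profile` shows the point made on the policies slide: changing a profile inside a policy changes the outcome for every rule that references that policy.

```python
"""Profile -> Policy -> Rule resolution for Security Intelligence actions.

Added example, not Juniper's code. Threat levels are modelled as integers and
the "recommended" tables below are constructed placeholders, not Juniper's real
default actions; the zone names, policy names and block page URL are made up.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed recommended tables: rows of (minimum threat level, action, log level),
# ascending by level. The last row whose minimum is not above the hit's level wins.
RECOMMENDED = {
    "command-and-control": [(1, "permit", "info"), (5, "redirect", "warning"), (8, "block", "alert")],
    "attacker-fingerprint": [(1, "permit", "info"), (4, "block", "alert")],
}


def lookup(table, level):
    """Return (action, log level) for `level` from a threshold table."""
    chosen = None
    for min_level, action, log_level in table:
        if level >= min_level:
            chosen = (action, log_level)
    if chosen is None:
        raise ValueError(f"threat level {level} is below every row of the table")
    return chosen


@dataclass(frozen=True)
class Profile:
    """Actions for one feed category: 'default' keeps RECOMMENDED, 'custom' uses `table`."""
    category: str
    mode: str = "default"
    table: tuple = ()                                            # only read when mode == "custom"
    redirect_url: str = "https://blockpage.example.invalid/"     # constructed landing page

    def resolve(self, level):
        table = self.table if self.mode == "custom" else RECOMMENDED[self.category]
        action, log_level = lookup(table, level)
        return action, log_level, (self.redirect_url if action == "redirect" else None)


@dataclass
class Policy:
    """A named bundle of profiles (one per category) that firewall rules reference."""
    name: str
    profiles: dict = field(default_factory=dict)   # category -> Profile

    def decide(self, category, level):
        if category == "custom-blocklist":          # custom lists carry no threat level
            return ("block", "alert", None)
        return self.profiles[category].resolve(level)


@dataclass(frozen=True)
class FirewallRule:
    """A permit rule in the rulebase, optionally refined by a Security Intelligence policy."""
    name: str
    from_zone: str
    to_zone: str
    secintel_policy: Optional[str] = None


def evaluate(rules, policies, from_zone, to_zone, hit):
    """First-match rule lookup for a flow whose destination hit the feed; hit = (category, level).
    Returns (rule name, action, log level, redirect target) or None when no rule matches."""
    for rule in rules:
        if (rule.from_zone, rule.to_zone) != (from_zone, to_zone):
            continue
        if rule.secintel_policy is None:
            return (rule.name, "permit", None, None)
        action, log_level, target = policies[rule.secintel_policy].decide(*hit)
        return (rule.name, action, log_level, target)
    return None


# Constructed configuration: one policy on recommended settings, one with a
# custom C&C profile that redirects from level 1 and blocks from level 5.
POLICIES = {
    "secintel-default": Policy("secintel-default", {
        "command-and-control": Profile("command-and-control"),
        "attacker-fingerprint": Profile("attacker-fingerprint"),
    }),
    "secintel-strict": Policy("secintel-strict", {
        "command-and-control": Profile("command-and-control", "custom",
                                       ((1, "redirect", "warning"), (5, "block", "alert"))),
        "attacker-fingerprint": Profile("attacker-fingerprint"),
    }),
}
RULES = [
    FirewallRule("users-to-internet", "trust", "untrust", "secintel-strict"),
    FirewallRule("dmz-to-internet", "dmz", "untrust", "secintel-default"),
    FirewallRule("mgmt-to-internet", "mgmt", "untrust"),   # no Security Intelligence lookup
]


def swap_profile(policies, policy_name, profile):
    """Change one profile inside a policy; every rule referencing the policy follows."""
    policies[policy_name].profiles[profile.category] = profile
```

A rule without a Security Intelligence policy (`mgmt-to-internet` here) permits a level-10 C&C hit untouched, which is the audit question to ask of any real rulebase: which permit rules still carry no policy.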
POLICY #2 - Dynamic Addressbook
- Custom IP Feeds
- GeoIP
DYNAMIC ADDRESS GROUPS
Dynamic Address Groups: address groups have existed for a very long time on firewalls. They enable admins to statically group addresses together so that they can be used throughout the firewall rulebase. Dynamic Address Groups take this one step further by allowing both firewall admins and non-firewall admins to dynamically feed IP addresses into a group, without any configuration change or commit on the firewall. Dynamic Address Groups support two different types of feeds:
- Custom IP lists
- GeoIP (Country to IP Mapping)
USING DYNAMIC ADDRESS GROUPS IN FIREWALL RULEBASE
You can use dynamic address groups both as “Source Address” and as “Destination Address” in the firewall rulebase. This means that you can either block, or change the inspection level, based on information in the feed.
Example (above): we want to block all outgoing traffic that has “Unwanted Countries” as destination, but for “Suspicious Countries” we permit the traffic and add IPS inspection.
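Use-cases #2 and #3 and the two Dynamic Address Groups slides, as one added example that is not Juniper's code: a `DynamicAddressGroup` is refilled from a polled IP-list file (custom feed) or from a GeoIP country-to-prefix mapping, and the rulebase references groups by name as source or destination, so a new poll changes verdicts without touching the rules. The example rulebase reproduces the slide's scenario (block unwanted countries, permit suspicious countries with IPS) plus a custom blocklist used as a source match. The feed file format (one IP or CIDR per line, `#` comments), the user-assigned country codes XA/XB/XC, the group and rule names and all addresses (RFC 5737 ranges) are constructed. The example goes one step beyond the slides in two ways a practitioner wants from a poller: unchanged content is detected by hash so nothing is rebuilt needlessly, and a feed with an unparsable entry is rejected whole so a bad poll cannot silently empty the group.

```python
"""Dynamic address groups fed from polled IP lists and a GeoIP mapping.

Added example, not Juniper's code. The feed file format (one IP or CIDR per
line, '#' comments), the country codes and all addresses are constructed.
"""
import hashlib
import ipaddress
from dataclasses import dataclass


class DynamicAddressGroup:
    """An address group whose members come from a feed, not from the rulebase config."""

    def __init__(self, name):
        self.name = name
        self.prefixes = []      # ipaddress network objects
        self.digest = None      # sha256 of the last accepted feed body

    def refresh(self, lines):
        """Load a polled feed. Returns True if the members changed, False if unchanged.
        Raises ValueError on an unparsable entry before touching the current members."""
        digest = hashlib.sha256("\n".join(lines).encode()).hexdigest()
        if digest == self.digest:
            return False
        parsed = []
        for raw in lines:
            entry = raw.split("#", 1)[0].strip()
            if entry:
                parsed.append(ipaddress.ip_network(entry, strict=False))
        self.prefixes, self.digest = parsed, digest
        return True

    def __contains__(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.prefixes)


def safe_poll(group, lines):
    """One poll cycle: apply the fetched file; returns 'updated', 'unchanged' or 'rejected'."""
    try:
        return "updated" if group.refresh(lines) else "unchanged"
    except ValueError:
        return "rejected"       # old members stay in force


@dataclass
class Rule:
    name: str
    src: str = "any"        # dynamic address group name or "any"
    dst: str = "any"
    action: str = "permit"  # "permit" or "block"
    ips: bool = False       # add IPS inspection to permitted traffic


def first_match(rules, groups, src_ip, dst_ip):
    """First-match evaluation of the rulebase; None means no rule matched."""
    for rule in rules:
        src_ok = rule.src == "any" or src_ip in groups[rule.src]
        dst_ok = rule.dst == "any" or dst_ip in groups[rule.dst]
        if src_ok and dst_ok:
            return rule
    return None


# Constructed GeoIP feed: user-assigned country codes mapped to TEST-NET prefixes.
GEOIP = {
    "XA": ["203.0.113.0/25"],
    "XB": ["203.0.113.128/25"],
    "XC": ["198.51.100.0/24"],
}

# Constructed custom feed file as fetched on successive polls, plus a corrupt one.
CUSTOM_POLL_1 = ["# partner blocklist", "192.0.2.10", "192.0.2.64/26"]
CUSTOM_POLL_2 = CUSTOM_POLL_1 + ["192.0.2.200"]
CUSTOM_POLL_BAD = ["192.0.2.10", "not-an-address"]


def build_groups():
    """Populate the three groups the rulebase references."""
    groups = {name: DynamicAddressGroup(name)
              for name in ("unwanted-countries", "suspicious-countries", "custom-blocklist")}
    groups["unwanted-countries"].refresh(GEOIP["XA"] + GEOIP["XB"])
    groups["suspicious-countries"].refresh(GEOIP["XC"])
    groups["custom-blocklist"].refresh(CUSTOM_POLL_1)
    return groups


# The slide's scenario plus a custom blocklist applied as a source match.
RULEBASE = [
    Rule("drop-blocklisted-sources", src="custom-blocklist", action="block"),
    Rule("block-unwanted-countries", dst="unwanted-countries", action="block"),
    Rule("inspect-suspicious-countries", dst="suspicious-countries", action="permit", ips=True),
    Rule("allow-outbound"),
]


def verdict(groups, src_ip, dst_ip):
    """Return (rule name, action, ips) for a flow, or None if nothing matched."""
    rule = first_match(RULEBASE, groups, src_ip, dst_ip)
    return (rule.name, rule.action, rule.ips) if rule else None
```

The rulebase itself is never edited between polls; only the group contents move, which is exactly the "no commit" property the slides claim for dynamic address groups, and the rejected-feed path is what keeps a fat-fingered upload from turning a blocklist into an empty group.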
VISIBILITY (STRM/JSA)
CLIENT THREAT DASHBOARD
[Dashboard screenshot with the following widgets]
- SRX-IPS: “Attack against Client WebBrowser”
- SRX-AppFW: “Blocked Tunneling Applications”
- SRX-C&C (Firewall Intelligence): “Top Blocked Destination Countries”
- SRX-C&C (Firewall Intelligence): “Top Blocked Users”
- SRX-Dynamic Blacklist (Firewall Intelligence): “Top Blocked Countries”
- SRX-Dynamic Blacklist (Firewall Intelligence): “Top Blocked Users”
SERVER THREAT DASHBOARD
[Dashboard screenshot with the following widgets]
- JWAS: “Top Deception Events”
- JWAS: “Top Attacked URLs”
- SRX-IPS: “Top Attack Categories”
- SRX-IPS: “Top Attacks”
- SRX-Fingerprint (Firewall Intelligence): “Top Protected Internal Assets”
- SRX-Fingerprint (Firewall Intelligence): “Top Threat Levels”
QUESTIONS?