Security Everywhere
Within Juniper Networks’ Mobile Cloud Architecture
Mobile World Congress 2017
Agenda
Challenges and Trends
Use Cases and Solutions
Products and Services
Proof Points
Juniper’s Mobile Cloud Architecture
• Hybrid cloud deployments growing
• Device proliferation and BYOD
• IoT and big data everywhere
• Zero day attacks
• Advanced, persistent, targeted attacks
• Adaptive malware
• Virtualization and SDN
• Applications, data, management in the cloud
• Application proliferation
INFRASTRUCTURE | THREAT SOPHISTICATION | CLOUD
Challenges and Trends
Customer challenge: rapid growth in security threat and exposure
Software-Defined Secure Network Policy, Detection & Enforcement
Leverage entire network and ecosystem for threat intelligence and detection
Utilize any point of the network as a point of enforcement
Dynamically execute policy across all network elements, including third-party devices
Bottom-Up and Top-Down Approach
Network
Threat Intelligence
Enforcement
Detection
Enforcement
Detection
Cloud-based Threat Defense
Dynamic and Adaptive Policy Engine
Policy
Campus
&
Branch
DC
Public Cloud
Private Cloud
Perimeter Security
Complex Security Policies
Lateral Threat Propagation
Limited Visibility
Hyper-connected Network with Security at the Perimeter
Outside (Untrusted)
Secure Network
User Intent Based Policies
Block Lateral Threat Propagation
Comprehensive Visibility
Secure Network
Outside (Untrusted)
SDSN Enforcement - Granularity of Control
Network Configuration
Device/platform-specific configurations
Tough to automate, challenging compliance
Islands of Management
User Intent Policy
User Intent Based Policies
Native automation and compliance support
Comprehensive Security
Users | Sites | Devices | Applications | Meta Data
AD | CMDB | vCenter | Custom
Extensibility | Automation
Access Control | Threat Prevention
Compliance
Firewall Rule Tables
Access Control Lists
Routing Tables & SDN Service Chains
IP | MAC | Proto | Port
Private Public
SDSN - User Intent Policy Model
Manual Threat Workflows
Delays between threat detection and enforcement
Vendor-specific threat feeds
Multiple Teams
Threat Management Automation
Automation across Network & Security
Open API & 3rd Party threat feeds
Cohesive Threat Management System
SDSN - Threat Management
Incident Response
Net-Sec Operations
Endpoint Security
Malware Found
TKT
Feed
SDSN
Policy Controller
Cloud-based threat prevention
CnC & GeoIP feeds
Custom/3rd party feeds
SIEM
Wireline
Security – VPN, SDSN, Sky ATP
Analytics – JTI, JSA
Orchestration – Contrail, CSO, Policy
IoT Gateway
RAN | MEC
Solution: Secure IoT Service Fabric
Virtualization, Orchestration, Analytics, Security
Control Plane
M2M/IoT Devices
User Plane (Distributed or Centralised)
Mobile SP Network
2/3/4/5G NB-IoT
Cloud CPE
IoT Applications and Services
Comprehensive security solutions protecting customer data and privacy, as well as the infrastructure to enable a self-defining network.
3G/GSM | LTE
Backhaul
EPC
Roaming Partners
Internet
Gp Firewall | LTE SecGW | Gi Firewall
Gp/S8 Firewall
• Create a security border with roaming control at the service-provider-to-service-provider roaming interface
• Manages 3GPP release interoperability and protocol differences between service providers
Gi/SGi Firewall and Service Delivery Gateway
• Protects service provider infrastructure and user devices from outside-in attacks
• Deliver value-added services such as UTM and App ID/QoS/FW
• Perform CGNAT for IPv6 transition and IPv4 address exhaustion
LTE Security Gateway
• Encrypts and protects the integrity of traffic from eNodeB to EPC across any mobile backhaul infrastructure
• Controls traffic between infrastructure components and protects against inter-device signaling overload (SCTP-FW)
Use Cases: Secure Mobile Network
Common Junos Operating System
Unprecedented Scale: Integrated Routing, Switching and Security
Products: Security Gateways and Gi Firewalls
Security Everywhere
[Chart: IPsec capacity (IMIX) and GiFW capacity (IMIX) per platform: SRX5400, SRX5600, SRX5800, MX960, MX480, MX240, MX104 (SecGW only), SRX4100/4200 and vSRX; axis values 1G, 10G, 60G, 100G, 200G, 400G, 700G, 1.5TB; scale out with Contrail]
Service Provider: Mobile Edge Computing
[Diagram labels: SDSN Policy Enforcer; Sky ATP / 3rd Party Feeds; Policy update for Service Chain; Dynamic service chains; Contrail Service Orchestrator; MOBILE HUB SITE; SRX SecGW IPsec; MEC server; S1-U GTP; S1-U IP; IoT App; vSRX IoT; NFX250; TELCO CLOUD; Network Perf App; SGi from EPC; JSA; MX104]
POLICY ENFORCER
• Describe traffic pathways for IoT and network performance apps at Mobile Hub and Telco Cloud
DETECTION
• Sky ATP: IoT malware detection
• Sky ATP: cloud server malware detection
• JSA: multi-dimensional detection
ENFORCEMENT
• vSRX provisioned in service chains
• Infected IoT devices & servers quarantined
• Enforce legitimate traffic pathways
• LTE-A features available as software upgrades from 2016 onwards
• Coordinated Multi-Point (CoMP)
• Enhanced Inter-cell Interference Coordination (eICIC)
• Drive inter-cell site coordination & backhaul network requirements
• Timing, frequency & phase: frequency 16 ppb, phase +/- 0.5 µs
• Distributed Security: the X2 handover interface requires a latency of <3-5 ms
• Accurate timing on current & installed backhaul is a major change: accuracy relies on hardware
• Security gateways:
• Core SecGW terminates S1 IPsec tunnels & protects the EPC
• Distributed LTE-A SecGW for X2 at the Hub Site, deployed at the fiber edge
Use Case: Distributed Security Gateway
Source: Qualcomm
[Diagram labels: CORE “Switch” Site; IP Access Network; POC3 Hub Site; Macro Cell Site; EDGE Router; CSR; Core LTE SecGW (SRX5800 LTE SecGW); MX104 Hub site router; Hub Site]
LTE S1 Traffic | LTE X2 Traffic | LTE-A S1 Traffic | LTE-A X2 Traffic
Distributed SecGW with MS-MIC: IPsec termination for LTE-A X2
Core LTE SecGW: IPsec termination for LTE S1 & X2, protects the EPC, IPsec termination for LTE-A S1, other security features available
Services
Security Everywhere
Juniper Education and Training
Customer Lifecycle: Plan (Assessment, Design), Build (Deployment, Migration), Operate (Maintenance, Optimization)
Juniper Service Offerings: Juniper Optimum Care, Juniper Care, Juniper Care Plus
Juniper Professional Services: Security & SDSN Assessment and Deployment
Security VNF Testing & Deployment Service
Customer On-Boarding
Custom Engagements
“As the security landscape continues to evolve, it is more important than ever to work together to combat cyber threats. These key additions to our security portfolio will further our Software-Defined Secure Networking vision and greatly benefit our customers.”
Kevin Walker, Juniper Security CTO
Comprehensive: Global policy orchestration, unified threat detection, and automated + localized enforcement
Interoperable: Security solution interoperability and integration with major RAN vendors
Integrated: Integrated security policy enforcement into products like the LTE Security Gateway function on Pre/IP-Agg routers
High Performance: Industry’s highest performance physical and virtual firewalls for networks and Data Centers
Open Framework: Combined with proprietary countermeasures for advanced threat protection from the cloud
Juniper’s SDSN framework
“We believe that security is the 'killer app' that will accelerate SDN adoption. The complement of SDN and security can solve one of the greatest problems enterprises have dealt with over the last 25 years of enterprise network expansion, an operationally efficient way to implement policy, detection and enforcement across the entire network. With its Software-Defined Secure Networking vision, Juniper is making a move in that direction.”
Mike Spanbauer, VP of Security Test & Advisory, NSS Labs
“The low footprint and high density advantages of the cSRX will allow us greater leverage to secure east-west traffic. The multi-core vSRX delivers high performance and the ability to handle large amounts of traffic… We expect both products to significantly increase the benefits we deliver to our customers.”
John White, VP of Product Strategy, Expedient
Proof Points
Security Everywhere
Use Cases | Partners | Services | Mobile Cloud Architecture
Disaggregation & Virtualization
Integrated Packet, Optical & Timing Solutions
Distributed Data Centers
Automated Control & Orchestration
Security Everywhere
Services: Security and SDSN Assessment and Deployment Services, Security VNF Testing & Deployment Service
[Diagram labels: Core Network; Het-Net Sites (Macro & Small Cells); Internet/Roaming; Access & Aggregation Network; Enterprise Site; Regional Data Center; Centralized Data Center; Application Enablement Layer; Compute; Application; NGCO; Distributed Data Center; Distributed Compute Node; Residential; Business]
Security functions shown: SecGw IPsec | SecGw, FW, NAT, VPN | FW, NAT, VPN
Products
Software Defined Secure Networking: Security detection, policy, and enforcement everywhere
Sky ATP: Advanced Threat Protection
vSRX: Virtual Firewall, NAT, VPN, IPsec
SRX Series Services Gateways: Firewall, NAT, VPN
Junos Space Security Director
1 of 5 Solutions within Juniper’s Mobile Cloud Architecture
Security Everywhere
Pioneer in utilizing an open framework to ensure a seamless migration to carrier-grade NFV.
Integrated solutions from a global leader and innovator in packet networking and optical DCI.
Complete, automated and secure solutions for mini DCs at the edge and large DCs in the core.
Industry’s most deployed SDN solution for multi-vendor and multi-layer network automation.
Industry’s most innovative and comprehensive platform to secure the distributed telco cloud.
Key mobile use cases supported
Best-of-breed partner ecosystem
Best-in-class life-cycle service & support
Juniper’s Mobile Cloud Architecture
E2E Offering for your Next-gen Secure Distributed Telco Cloud from the Industry’s Most Trusted Vendor
Thank you