JUNIPER THREAT DEFENSE DIRECTOR (TDD)

Transcription

JUNIPER THREAT DEFENSE DIRECTOR (TDD)
Karel Hendrych, Consulting Engineer, EMEA
khe@juniper.net
2019 Juniper Networks. Juniper Business Use Only.

AGENDA
- Juniper Threat Defense Director (TDD) Positioning
- Technology Overview, Use Cases
- Scaling and deployment options
- Demo videos

JUNIPER DDOS PROTECTION SOLUTIONS
SRX and MX Series
- Basic DDoS protection with screens: first protection line for smaller scale. All SRX series; high-end SRX5k series recommended.
- MX240/480/960 and MX2K with service PICs (MS-MIC, MS-MPC), 16.1R3 and above (so-called IDS)
BGP flow specs in routers: MX and PTX
- Allows DDoS protection enforcement in combination with any flow-spec-compliant DDoS solution, for example Arbor
Corero MX
- Sophisticated, fast and scalable DDoS protection solution

CORERO INTRODUCTION
Corero Network Security (CNS)
- London Stock Exchange AIM listed
- Focus: Real-time DDoS Protection (Detection and Mitigation)
- Target Markets: Service Providers, Cloud/Hosting Providers, Digital Enterprise
SmartWall DDoS Detection and Mitigation
- Products: SmartWall Threat Defense Director (TDD) with Juniper MX, DDoS Detection and Mitigation at 500Gb, 1Tb, 10Tb, 40Tb
- Services: DDoS Monitoring, Analytics and SOC
- Available on the Juniper Price List
- Supported by JTAC

WHAT JUNIPER TDD DOES
Juniper TDD is threshold-based volumetric DoS/DDoS protection.

MITIGATION STYLE VS. ATTACK SIZE AND EDGE CAPACITY
[Chart: size of attack vs. number of attacks, with Provider Edge Capacity and Provider Scrubbing Capacity as reference lines, divided into a Blackhole Zone (typically multiple Terabits/sec), a Provider Edge Mitigation Zone and a Scrubbing Zone; 100% axis mark]
- Provider Edge Mitigation: leverage real-time data and analytics to deliver intelligent automation
- 90% of attacks mitigated at the Provider Edge, 10% redirected to scrubbing
- Edge Protection scales to 10 Terabits of DDoS protection

TIME TO MITIGATION (TTM) OF MINUTES
[Chart: outcomes labelled FAIL vs. SUCCESS; chart content not recoverable from the transcription]

TIME TO MITIGATE COMPARISON USING ANALYTICS
77% of DDoS incidents last less than 10 minutes

ENHANCED ACCURACY AND SPEED OF DDOS DETECTION/MITIGATION

Detection:
Netflow              | Sampled Mirror
aggregation delay    | immediate forwarding
header only          | header and payload
attack overload      | scales with attack

Mitigation:
Flowspec             | NETCONF
BGP propagation      | ephemeral configuration
header only          | header and payload
limited visibility   | streaming telemetry

COMPARISON: TRADITIONAL NETFLOW/REDIRECT VS MIRROR/NETCONF
Netflow/Redirect (typically sampled):
Packets -> Sampled (typically 10 seconds) -> DPI (5 seconds) -> Redirect or RTBH -> Reinject
Mirror/Netconf:
Packets -> Sampled Mirror (2 seconds) -> DPI (2 seconds) -> Mitigation or Flowspec

TECHNOLOGY OVERVIEW
Juniper Threat Defense Director

TDD COMPONENTS AND MX FEATURES
Juniper Threat Defense Director (TDD):
- Detection Engine (vDE): detects DDoS attacks from sampled packets; forwards information to the CMS
- Detection Director (DD)
- Central Management Server (vCMS): manages mitigation policy; receives and coalesces data from DE(s); FF (firewall filter) provisioning
- SecureWatch Analytics (vSWA): receives information from the CMS; receives and displays telemetry; rich analytics and visualization
Juniper MX:
- Packet mirroring (1:1000)
- NETCONF and ephemeral config database
- FF telemetry
- Firewall flexible match filter
- Trio MPCs
Flows between the Juniper MX router and TDD: Sampled Mirror (1:1000) and Streaming Telemetry from the router; Dynamic Filter (Tuple + Payload) to the router

JUNIPER THREAT DEFENSE DIRECTOR AUTOMATION FLOW
[Diagram: Legitimate Customers and Attackers (source 10.3.3.0/24) on the Internet send traffic through a Juniper MX router to Customer Facing Services (Web, 10/32); the MX sends a Mirror (1:1000) and Streaming Telemetry to TDD, and TDD pushes a Dynamic Filter (Tuple + Payload) back to the MX]
1. Peace-Time Operation
2. Attack Starts
3. Automatic Mitigation Begins
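The three phases on this slide (peace time, attack starts, automatic mitigation begins) come down to a per-window evaluation of sampled packets against a threshold, which is what the earlier "threshold-based volumetric protection" slide states. The following Python is an added example, not TDD, Corero or Juniper code: each sample record stands for 1000 wire packets (the slide's 1:1000 mirror ratio), per-destination rates are estimated from the samples, a target whose estimated rate exceeds the threshold gets a tuple-style filter term, and the term is released when the rate drops below a lower release threshold so the filter does not flap. The window length, thresholds, the 10.1.1.10 target address, the 198.51.100.0/24 client range and all sample records are constructed assumptions; the attacker range 10.3.3.0/24 is the one on the slide.

```python
"""Threshold-based volumetric detection over 1:1000 sampled packets.

Added example: this is not TDD or Juniper code. It models the slide's three
phases (peace time, attack starts, automatic mitigation begins) as a
per-window evaluation of sampled packet records. The sampling ratio comes
from the slide; window, thresholds, addresses and samples are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SAMPLING_RATIO = 1000            # slide: MX sampled mirror 1:1000
WINDOW_SECONDS = 2.0             # assumption: evaluation window length
ADD_THRESHOLD_PPS = 500_000      # assumption: estimated pps that starts mitigation
RELEASE_THRESHOLD_PPS = 250_000  # assumption: estimated pps below which a term is removed

Key = Tuple[str, str, int]       # (destination address, protocol, destination port)


@dataclass(frozen=True)
class Sample:
    """One mirrored packet header (only the fields the detector needs)."""
    ts: float
    src: str
    dst: str
    proto: str
    dst_port: int


def estimate_rates(samples: Iterable[Sample], ratio: int = SAMPLING_RATIO,
                   window: float = WINDOW_SECONDS) -> Dict[Key, float]:
    """Estimate packets per second per (dst, proto, port): each sample is `ratio` packets."""
    counts: Dict[Key, int] = defaultdict(int)
    for s in samples:
        counts[(s.dst, s.proto, s.dst_port)] += 1
    return {k: n * ratio / window for k, n in counts.items()}


def make_filter_term(key: Key) -> dict:
    """Describe the dynamic filter for one target as a tuple match plus action."""
    dst, proto, port = key
    return {"destination-address": f"{dst}/32", "protocol": proto,
            "destination-port": port, "then": "discard"}


def step(active: Dict[Key, dict], samples: Iterable[Sample]) -> List[Tuple[str, dict]]:
    """Evaluate one window. `active` (target -> filter term) is updated in place.
    Returns ('add', term) / ('remove', term) actions decided in this window."""
    rates = estimate_rates(samples)
    actions: List[Tuple[str, dict]] = []
    for key, rate in rates.items():
        if rate > ADD_THRESHOLD_PPS and key not in active:
            active[key] = make_filter_term(key)
            actions.append(("add", active[key]))
    # hysteresis: release only once the estimated rate is well below the add threshold
    for key in list(active):
        if rates.get(key, 0.0) < RELEASE_THRESHOLD_PPS:
            actions.append(("remove", active.pop(key)))
    return actions


def constructed_window(n: int, dst: str, proto: str, port: int,
                       src_prefix: str, t0: float) -> List[Sample]:
    """Build n evenly spaced samples for one window (constructed data, not a capture)."""
    return [Sample(t0 + i * WINDOW_SECONDS / n, f"{src_prefix}.{i % 254 + 1}",
                   dst, proto, port) for i in range(n)]


# Peace time: ~100k pps of HTTPS to the web service (200 samples * 1000 / 2 s).
# Attack: the same legitimate load plus ~1M pps of UDP/123 from 10.3.3.0/24.
PEACE_TIME = constructed_window(200, "10.1.1.10", "tcp", 443, "198.51.100", 0.0)
ATTACK_TIME = (constructed_window(200, "10.1.1.10", "tcp", 443, "198.51.100", 2.0)
               + constructed_window(2000, "10.1.1.10", "udp", 123, "10.3.3", 2.0))


if __name__ == "__main__":
    active: Dict[Key, dict] = {}
    for label, window in (("peace time", PEACE_TIME), ("attack starts", ATTACK_TIME),
                          ("attack stops", PEACE_TIME)):
        print(f"{label}: {step(active, window)}")
```

The add threshold is compared against the estimated wire rate, not the sample count, so the same detector works unchanged if the mirror ratio is reconfigured; the release threshold is deliberately lower than the add threshold, because an attack that hovers around a single threshold would otherwise install and remove the filter every window.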

MX FIREWALL FILTER FLEXIBLE MATCH
EXAMPLE: NTP MONLIST
- Match on the 12th byte of UDP (counting from the 1st byte of UDP)
- Flex match: start from layer 4 (UDP)
- Byte offset 11 means the 12th byte
- Match for 8 bits
- Mask 0xFF = 1111 1111 (compare all bits)
- Pattern: DEC 42, HEX 2a
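To make the offset arithmetic on this slide concrete, the following Python re-implements the flexible-match rule (start at layer 4, byte offset 11, 8 bits, mask 0xFF, pattern 0x2a) and checks it against constructed packets. It is an added example, not Juniper or Corero code. Byte offset 11 from the start of the UDP header is the 4th byte of the UDP payload, which in NTP mode-7 private packets is the request code; 42 is MON_GETLIST_1, the monlist request. The packets, the 20-byte IPv4 header without options and the NTP_MODE7 variant (which shows a partial mask) are assumptions of this example, and the keyword names in render_junos_term follow the Junos flexible-match-mask syntax as remembered by the author of the example, so they should be checked against the Junos reference for the release in use.

```python
"""Flexible-match evaluation over UDP packets.

Added example: not Juniper or Corero code. Re-implements the slide's
flexible-match rule (layer 4, byte offset 11, 8 bits, mask 0xFF, pattern 0x2a)
so it can be checked offline. Assumptions: IPv4 without options (20-byte
header), 8-byte UDP header; all packets below are constructed.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

IPV4_HEADER_LEN = 20   # assumption: no IP options
UDP_HEADER_LEN = 8


@dataclass(frozen=True)
class FlexMatch:
    """Parameters of the flexible-match rule as named on the slide."""
    match_start: str   # "layer-3" (start of IP header) or "layer-4" (start of UDP header)
    byte_offset: int   # 0-based, so 11 selects the 12th byte
    bit_length: int    # number of bits compared; byte-aligned here (no bit offset)
    mask: int          # 0xFF compares all eight bits
    pattern: int       # value the masked bits must equal

    def matches(self, packet: bytes) -> bool:
        base = {"layer-3": 0, "layer-4": IPV4_HEADER_LEN}[self.match_start]
        nbytes = (self.bit_length + 7) // 8
        start = base + self.byte_offset
        field = packet[start:start + nbytes]
        if len(field) < nbytes:
            return False   # packet too short to contain the field: no match
        value = int.from_bytes(field, "big") >> (nbytes * 8 - self.bit_length)
        return (value & self.mask) == (self.pattern & self.mask)


def build_udp_packet(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Construct a minimal IPv4+UDP packet (checksums left zero; the matcher ignores them)."""
    total_len = IPV4_HEADER_LEN + UDP_HEADER_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    udp = struct.pack("!HHHH", src_port, dst_port, UDP_HEADER_LEN + len(payload), 0)
    return ip + udp + payload


# Slide rule: 12th byte of UDP == 42 (0x2a). In NTP mode-7 packets that byte is the
# request code and 42 is MON_GETLIST_1 (monlist).
NTP_MONLIST = FlexMatch("layer-4", 11, 8, 0xFF, 0x2A)
# Variant with a partial mask: first payload byte, low three bits (NTP mode) == 7.
NTP_MODE7 = FlexMatch("layer-4", 8, 8, 0x07, 0x07)

# Constructed sample packets (not captures).
SAMPLES = {
    # mode-7 request: version 2 / mode 7 (0x17), implementation 3, request code 42
    "monlist_request": build_udp_packet(bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(44), 40000, 123),
    # ordinary client poll: version 4 / mode 3 (0x23); the 4th byte is the precision field
    "ntp_client": build_udp_packet(bytes([0x23, 0x00, 0x06, 0xEC]) + bytes(44), 40001, 123),
    # UDP header only: shorter than the offset the rule needs
    "empty_udp": build_udp_packet(b"", 40002, 123),
}


def evaluate(packets: dict, rule: FlexMatch) -> dict:
    """Apply one rule to each named packet; returns name -> matched."""
    return {name: rule.matches(pkt) for name, pkt in packets.items()}


def render_junos_term(term: str, rule: FlexMatch) -> str:
    """Render the rule as a Junos flexible-match-mask term (keyword names are an
    assumption from memory of the Junos syntax; verify against the reference)."""
    return "\n".join([
        f"term {term} {{",
        "    from {",
        "        protocol udp;",
        "        flexible-match-mask {",
        f"            match-start {rule.match_start};",
        f"            byte-offset {rule.byte_offset};",
        f"            bit-length {rule.bit_length};",
        f"            mask-in-hex 0x{rule.mask:02x};",
        f"            prefix 0x{rule.pattern:02x};",
        "        }",
        "    }",
        "    then {",
        "        count ntp-monlist;",
        "        discard;",
        "    }",
        "}",
    ])


if __name__ == "__main__":
    for rule_name, rule in (("NTP_MONLIST", NTP_MONLIST), ("NTP_MODE7", NTP_MODE7)):
        print(rule_name, evaluate(SAMPLES, rule))
    print(render_junos_term("drop-monlist", NTP_MONLIST))
```

The short-packet branch matters in practice: a term that reads past the end of a datagram must not match, and a production filter would normally pair the byte match with protocol and port matches, as the rendered term does, so that unrelated UDP traffic carrying 0x2a at that offset is not caught.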

PROVIDER EDGE DDOS DETECTION AND MITIGATION
[Diagram: DDoS attacks arriving from transit/peering into the Service Provider edge; ingress from transit/peering, egress to subscribers; TDD drives mitigation over NETCONF so that good traffic reaches the edge or customer]

DC/CLOUD EDGE DDOS DETECTION AND MITIGATION
[Diagram: DDoS attacks arriving from transit/peering into the DC/Cloud Provider edge; ingress from transit/peering; TDD drives mitigation over NETCONF so that good traffic reaches the server/service]

SETTING TDD THRESHOLDS WITH SRX5K SPC3 SCREENING?
[Chart: successful application transactions over time, with a background 21M PPS SYN flood]

THOUGHTS ON SRX SOURCE NAT POOLS PROTECTION?
- Source NAT pools can be high-profile targets (impacting subscribers)
- When the DDoS is above SRX screening capacity, TDD would block the destination IP (effectively causing DoS by blocking the source NAT IP address)
- Junos 18.3: SRX can do a session scan only for IPs removed from the NAT pool; blast zone reduction, as the entire session table is not wiped upon a NAT pool change
- Possibilities to automate pool changes based on TDD analytics/actions (REST API, PyEZ)

SCALING AND DEPLOYMENT OPTIONS
Juniper Threat Defense Director

SCALING DATA / RESOURCE UTILIZATION
[Diagram: ingress traffic through the Juniper MX router to egress; the MX sends a Sampled Mirror (1:1000, tuple + payload) and Streaming Telemetry to SmartWall TDD (Threat Defense Director); TDD generates MX filters (tuple + payload) and pushes a Dynamic Filter over Netconf]
- Sampled Mirror 1:1000: 1 Tbps ingress yields 1 Gbps of samples
- Streaming Telemetry: a few kB every 10 seconds per router
- Netconf configuration (MX filter generation, tuple + payload): a few kB every second per router
TDD software VMs on a standard 1RU server can:
- monitor 10 Tbps (10 Gbps of samples)
- mitigate via NETCONF to 50 MX routers
- scale linearly beyond that
MX Router (MPC/MIC Trio) with negligible overhead:
- can sample selected ingress interfaces at 1:1000
- supports 100s of dynamic filter terms
- streaming telemetry for each filter term
- ephemeral config update in 1 sec, 100 times/minute

OPTION 1: DISTRIBUTED DE (RECOMMENDED)
In this option, the DE is distributed.
Advantages of this option:
- Commercial: if the cost of international or site interconnection is high, this option saves the cost of backhauling mirrored traffic to the central site
- Technical: simpler to operate, because the customer does not need to set up and maintain L2/GRE connectivity between sites
SKU configuration requirement:
- 1x J-COR-DOS-DD-1T-1 (capacity license can be shared among multiple sites)
- 2x J-COR-DOS-DE-1P-1 (the capacity license comes with 1x DE, thus 2 additional DE licenses are needed)
Note: the MX mirrors packets to the DE at the same site

Product Number    | Description | Quantity
J-COR-DOS-DD-1T-1 | Corero SmartWall Threat Defense Director Virtual Edition, 1 Yr software subscription. Includes 1 Detection Engine license, max 5, for up to 1 Tbps aggregate monitoring and mitigation. Includes J-Care, Software Maintenance and Updates. Each DE with 10G processing capacity | 1
J-COR-DOS-DE-1P-1 | Corero SmartWall Threat Defense Director Detection Engine, 1 pack, Virtual Edition, 1 Year software subscription with 10 Gbps of processing capacity. Includes Juniper Care Support, Software Maintenance and Updates. | 2

OPTION 2: CENTRALIZED DE
In this option, the TDD components are centralized, so only the included DE is required.
Advantages of this option:
- Commercial: if the cost of inter-site bandwidth is not an issue, you save the cost of purchasing additional DEs
- Technical: only 3 VMs are needed, but the customer sends samples to the centralized DE
SKU configuration requirement:
- 1x J-COR-DOS-DD-1T-1 (capacity license can be shared among multiple sites)
Note: the MX mirrors packets to the DE at the centralized site. E.g. if the bandwidth of each site is 300 Gbps, the mirrored bandwidth is 300 Mbps (1:1000)

Product Number    | Description | Qty
J-COR-DOS-DD-1T-1 | Corero SmartWall Threat Defense Director Virtual Edition, 1 Yr software subscription. Includes 1 Detection Engine license, max 5, for up to 1 Tbps aggregate monitoring and mitigation. Includes J-Care, Software Maintenance and Updates. Each DE with 10G processing capacity | 1

DEMO VIDEOS
Juniper Threat Defense Director

DEMO LAYOUT
[Diagram: demo layout; not transcribed]

Q&A?
THANKS!
Karel Hendrych, Consulting Engineer, EMEA
khe@juniper.net
