Software-Defined Secure Networks in Action

Presentation transcript:

Software-Defined Secure Networks in Action Nguyễn Tiến Đức ASEAN Security Specialist

Agenda
1. IoT Malware
2. Software-Defined Secure Networks
3. Software-Defined Secure Networks in Action
4. Summary

(Leftover template text also present on the slide: Juniper IPSec VPN Strategy (Juniper way to the thought leader within IPSec); Juniper IPSec VPN Technologies (What we offer); Auto VPN Phase III (Challenges and what we have done, AD-VPN); Roadmap)

IoT malware

Real-world examples of IoT malware/ransomware
- Thermostat ransomware [1]
- Amazon cameras malware [2]
- Jeep remote control [3]

[1] http://motherboard.vice.com/read/internet-of-things-ransomware-smart-thermostat
[2] http://www.securityweek.com/malware-found-iot-cameras-sold-amazon
[3] https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

Software-Defined Secure Networks

Security Director Policy Enforcer: Infected Endpoint Scenario
- Enables remediation via Policy Enforcer workflows in Security Director
- Delivers micro security services to switches such as EX, QFX
- Updates enforcement criteria automatically with new threat data
- Tracks infected host/endpoint movement from site to site via MAC address rather than IP address

Workflow shown on the slide (Sky ATP, Policy Enforcer, Security Director, vSRX firewall, switch):
1. Malware enters
2. Sky ATP detects malware and renders a verdict (threat intel)
3. Enforcement policy rendered by Policy Enforcer / Security Director
4. Enforcement policy automatically deployed to the firewall and the switch
5. Infected endpoint quarantined

The ATP verdict chain: staged analysis combining rapid response and deep analysis. Suspect files enter the analysis chain in the cloud:
1. Cache lookup (~1 second): files we've seen before are identified and a verdict immediately goes back to the SRX
2. Anti-virus scanning (~5 seconds): multiple AV engines return a verdict, which is then cached for future reference
3. Static analysis (~30 seconds): the static analysis engine does a deeper inspection, with the verdict again cached for future reference
4. Dynamic analysis (~7 minutes): dynamic analysis in a custom sandbox leverages deception and provocation techniques to identify evasive malware
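The staged chain above, as an added illustration (not Sky ATP code): each stage is a constructed stand-in, a stage that cannot decide returns None and hands the sample to the next, slower stage, and every verdict is cached by SHA-256 so a resubmitted file is answered from the cache without re-analysis.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed signature table standing in for the multi-engine AV stage.
SIGNATURES = {b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "malicious"}

def av_scan(data: bytes) -> Optional[str]:
    # Signature match only: unknown content yields no verdict.
    for sig, verdict in SIGNATURES.items():
        if sig in data:
            return verdict
    return None

def static_analysis(data: bytes) -> Optional[str]:
    # Toy static check: non-executables are benign, a known-bad import decides,
    # any other executable is left undecided for the sandbox.
    if not data.startswith(b"MZ"):
        return "benign"
    return "malicious" if b"CreateRemoteThread" in data else None

def dynamic_analysis(data: bytes) -> str:
    # Sandbox stand-in: a sample that probes for an analysis environment is flagged.
    return "malicious" if b"IsDebuggerPresent" in data else "benign"

@dataclass
class VerdictChain:
    cache: dict = field(default_factory=dict)
    stages: list = field(default_factory=lambda: [
        ("av", av_scan), ("static", static_analysis), ("dynamic", dynamic_analysis)])

    def submit(self, data: bytes):
        """Return (verdict, stage that decided); stage 'cache' means no re-analysis ran."""
        key = hashlib.sha256(data).hexdigest()
        if key in self.cache:
            return self.cache[key], "cache"
        for name, engine in self.stages:
            verdict = engine(data)
            if verdict is not None:
                self.cache[key] = verdict
                return verdict, name
        raise RuntimeError("dynamic analysis must always return a verdict")
```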

Software Defined Secure Networks: Policy, Detection, and Enforcement

The Software Defined Secure Network leverages the entire network to deliver a secure network and is composed of three main components, using a bottom-up and top-down approach. First, you leverage the entire network infrastructure and the ecosystem itself, which includes all network elements such as switches, routers and firewalls. Each element can provide threat intelligence and detect threats. Next, use cloud-based threat defense, which includes security intelligence feeds from all sources, including third-party sources. It also includes cloud-based, scalable malware detection. By leveraging the economics and scale of cloud-based intelligence, you amplify your detection capability and significantly widen your capture net. The third element is the centralized policy engine and controller. The policy engine dynamically adapts policy to the constantly evolving threat conditions, while the controller executes the policy by communicating it to all network elements, including third-party network devices such as wireless access points or other third-party switches.

The SD-SN shares and distributes threat intelligence from all sources. It utilizes any point of the network as an enforcement point. It dynamically executes policy across all network elements, including third-party devices.

Slide bullets:
- Unified and Responsive
- Automated Malware Defense
- Dynamic, Adaptive Policy Orchestration
- DETECTION (Threat Intelligence): leverage entire network and ecosystem for threat intelligence and detection
- POLICY
- ENFORCEMENT: utilize any element of the network as an enforcement point; dynamically execute policy across all network components including third-party devices

Software-Defined Secure Networks in Action

SDSN isolates infected host: stateful filter on the firewall + access list on the switch port. Sky ATP threat intel identifies infected host = 192.168.10.225; both the firewall and the switch port serving 192.168.10.225 enforce the quarantine.

SDSN tracks host and enforces: when the infected host (192.168.10.225) moves to a different switch, the Sky ATP threat intel follows it and the firewall and switch at the new location enforce the same quarantine.
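The host tracking shown in the infected endpoint scenario and in the two slides above, as an added example (not Policy Enforcer code): the infected-host feed is keyed by MAC address, so when the host is re-observed on another switch port or with a new DHCP lease, the stale firewall rule and switch ACL are withdrawn and fresh ones are installed at the new location. The switch names, ports and addresses are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class HostTracker:
    """Quarantine follows the MAC, not the IP, across site and address changes."""
    infected_macs: set = field(default_factory=set)   # threat-intel feed, keyed by MAC
    location: dict = field(default_factory=dict)      # mac -> (ip, switch, port), learned from DHCP/ARP
    firewall_rules: set = field(default_factory=set)  # stateful deny rules, keyed by IP
    switch_acls: set = field(default_factory=set)     # (switch, port, ip) port ACL entries

    def observe(self, mac: str, ip: str, switch: str, port: str) -> None:
        """A MAC/IP binding was seen on a switch port (new lease, ARP, or site move)."""
        prev = self.location.get(mac)
        self.location[mac] = (ip, switch, port)
        if mac in self.infected_macs:
            if prev and prev != (ip, switch, port):
                self._withdraw(prev)          # do not leave the old IP/port blocked
            self._enforce((ip, switch, port))

    def quarantine(self, mac: str) -> None:
        """Sky ATP verdict arrives for this MAC: enforce wherever it currently sits."""
        self.infected_macs.add(mac)
        if mac in self.location:
            self._enforce(self.location[mac])

    def release(self, mac: str) -> None:
        """Host remediated: remove it from the feed and withdraw its enforcement."""
        self.infected_macs.discard(mac)
        if mac in self.location:
            self._withdraw(self.location[mac])

    def _enforce(self, loc) -> None:
        ip, switch, port = loc
        self.firewall_rules.add(f"deny from {ip}")
        self.switch_acls.add((switch, port, ip))

    def _withdraw(self, loc) -> None:
        ip, switch, port = loc
        self.firewall_rules.discard(f"deny from {ip}")
        self.switch_acls.discard((switch, port, ip))

    def is_blocked(self, ip: str) -> bool:
        return f"deny from {ip}" in self.firewall_rules
```

The final assertion in the accompanying check is the point of tracking by MAC: a clean host that later receives the quarantined host's old IP address is not blocked.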

The Right Policy for the Right Job: different threat levels need different policies.

Now let's get back to our lightbulb. With SDSN, you were able to detect anomalous behavior based on prior, correct network behavior, and make the decision to shut it down, effectively eliminating the questionable data exchange at the nearest access switch (EX Series) or firewall device (SRX Series). SDSN then created a new security policy based on the correct volume of traffic flow for a smart lightbulb and distributed it to all policy enforcement points on the network, including switches, routers and firewalls.

Let's look at a more complex and critical scenario: what if a core switch becomes compromised? Say a malicious threat makes its way onto the core switch, creates a GRE tunnel, and then mirrors all traffic on your network out to the illegitimate tunnel. In this scenario, SDSN would kill the illegitimate tunnel without impacting normal traffic through the core switch. All of this is dynamically executed, leveraging the network as the point of enforcement.

Slide: Software Defined Secure Networks (SDSN) Policy Orchestration + Enforcement
- Anomalous lightbulb? Quarantine and create new policy for appropriate behavior (shut down light bulb)
- OR Compromised core switch? Neutralize the threat and shut down the tunnel vs. killing the switch (kill illegitimate tunnel)

SDSN Phase-1 (FRS 2016)

Use Case: Threat Remediation of infected hosts
- DETECTION: Sky ATP: known and day-0 malware analysis, sandboxing, infected host identification, command and control, GeoIP
- POLICY: simplified threat remediation policy (Block, Quarantine, Track) defined in Security Director Policy Enforcer
- ENFORCEMENT: Juniper SRX, vSRX, EX and QFX security fabric including firewalls and switches

Key Features
- Infected host blocking: perimeter firewall level for north-south traffic; EX/QFX switches to protect from lateral movement of threats
- Infected host tracking: track infected host movement in the network, and quarantine or block infected hosts even if the IP address changes

Customer Benefits
- Automates threat remediation workflows
- Real-time remediation of infected hosts
- Reduced time to remediate = reduced exposure to attacks
- Leverage network (EX/QFX) and firewall (SRX/vSRX) to take remediation actions that address lateral movement of attacks inside the network, in addition to limiting attacks from the outside world

SDSN Phase 2: Juniper and non-Juniper switches

Components on the slide: Sky ATP, third-party feeds, security fabric (SRX firewalls; EX/QFX/EX Fusion), ClearPass connector, Policy Enforcer, Security Director, Juniper and non-Juniper switches, access points, RADIUS server, software micro service, SRX detection layer, third-party connector.

Threat intelligence
- SRX and Policy Enforcer registered with the Sky realm
- Threat intelligence from Sky ATP cloud feeds
- Third-party feeds

Enforcement
- On SRX via Security Director: ATP policy pushed to SRX from Security Director; SRX pulls the infected host feed from Policy Enforcer
- On EX/QFX switches: as in Phase 1
- On EX/QFX and third-party wired and wireless networks: enforcement through ClearPass by initiating RADIUS CoA; wireless LAN controller (WLC) API; third-party connector

Southbound API for infected host remediation: this release ships the ClearPass connector as a reference implementation; connectors for Cisco ISE, Forescout and others are in the pipeline.

SDSN Threat Remediation

Use Case: Mitigation of DDoS attack
- DETECTION: detection from JSA or a third-party detection mechanism is fed to Policy Enforcer as a custom feed
- POLICY: simplified DDoS policy (Block, Rate Limit, Forward to) defined in Security Director Policy Enforcer
- ENFORCEMENT: Juniper SRX, vSRX, MX security fabric including firewalls and MX routers

Key Features
- DDoS remediation: the BGP flow spec is modified to take one of the possible actions
  - Block: block route
  - Rate Limit: limit bandwidth on the flow route
  - Forward to: next hop to reroute packets for scrubbing

Customer Benefits
- Automates DDoS remediation workflows
- Reduced time to remediate = reduced chances of service outage
- Leverage network (MX) and BGP flow spec to counter DDoS attacks and effectively prevent service outage
- Remediation at the perimeter router protects the downstream firewall and other devices
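The three DDoS actions above mapped onto the BGP flow specification wire format, as an added example (not Policy Enforcer or MX code): the NLRI carries the destination prefix and IP protocol match, and the action rides in an RFC 5575 extended community, traffic-rate 0 for Block, a non-zero traffic-rate for Rate Limit, and redirect-to-VRF (route-target form) standing in for Forward to, since that is how RFC 5575 expresses diverting a flow toward a scrubbing path. The prefix, AS number and VRF identifier are constructed sample values.

```python
import ipaddress
import struct

# RFC 5575 extended community types (2-byte type, 6-byte value, 8 bytes total).
TRAFFIC_RATE = 0x8006   # 2-byte AS + IEEE-754 float rate in bytes/second; rate 0 discards
REDIRECT_VRF = 0x8008   # route target in 2-byte AS : 4-byte value form

def encode_dest_prefix(prefix: str) -> bytes:
    """NLRI component type 1: type, prefix length in bits, then only the bytes the length covers."""
    net = ipaddress.ip_network(prefix, strict=True)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([1, net.prefixlen]) + net.network_address.packed[:nbytes]

def encode_ip_protocol(proto: int) -> bytes:
    """NLRI component type 3 with one '== proto' term.
    Operator 0x81: end-of-list bit set, 1-byte value length, eq bit set."""
    return bytes([3, 0x81, proto])

def encode_nlri(components: bytes) -> bytes:
    # Single-byte length form is valid only below 240 octets (RFC 5575 section 4).
    assert len(components) < 240
    return bytes([len(components)]) + components

def action_block() -> bytes:
    return struct.pack("!HHf", TRAFFIC_RATE, 0, 0.0)

def action_rate_limit(bytes_per_sec: float, asn: int = 0) -> bytes:
    return struct.pack("!HHf", TRAFFIC_RATE, asn, bytes_per_sec)

def action_forward_to(asn: int, vrf_id: int) -> bytes:
    return struct.pack("!HHI", REDIRECT_VRF, asn, vrf_id)

def flow_route(prefix: str, proto: int, action: bytes) -> dict:
    """One flow route as Policy Enforcer would hand it to the MX: match NLRI plus action community."""
    return {"nlri": encode_nlri(encode_dest_prefix(prefix) + encode_ip_protocol(proto)),
            "ext_community": action}
```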