SRX als NGFW. Michel Tepper Consultant

Transcription

1 SRX als NGFW Michel Tepper Consultant

2 Firewall Security Challenges Organizations are looking for ways to protect their assets amidst today s ever-increasing threat landscape. The latest generation of web-based applications, combined with the proliferation of mobile devices, have made it challenging to effectively manage traffic and provide access to data while delivering the right mix of security and network services. There might be hundreds or thousands of applications running across a typical enterprise network some of these applications are important to the business and some are not. How do you control what applications are allowed on your network, and how do you restrict those that are not? How do you make sure your network traffic is prioritizing business-critical operations? How do you get stronger security without compromising your operational efficiency? How do you make sure your security doesn t negatively impact your business? This is where a next-generation firewall can help you. 2

3 Juniper Networks NGFW Protection Solution Juniper Networks NGFW Protection solution is a powerful solution that helps bring context and clarity to the setting and enforcement of security policies and helps stop modern malware attacks, all while delivering the industry s highest performance and with the capacity to grow with your business or traffic. SRX Series Services Gateways come in a broad range of models from all-in-one security and networking appliances to highly scalable, high-performance chassis solutions. All solutions can be centrally managed using Junos Space Security Director, and other security services are easily added to existing SRX Series platforms for a cost-effective solution. 3

4 User role-based Firewall Juniper Networks SRX Series Services Gateways deliver integrated next-generation firewall protection with application awareness, IPS, and user role-based controls plus best-in-class UTM to protect and control your business assets. Next-generation firewalls are able to perform full-packet inspection and apply application-specific and user-specific security policies. This means you can create security policies based on the application running across your network, the user who is receiving or sending network traffic, and simultaneously examine the content that is traveling across your network. This helps protect your environment against threats, manages how your network bandwidth is allocated, and maintains appropriate access controls. 4

5 Integrated User Firewall and MORE 5

6 NGFW Application Visibility Juniper Networks AppSecure suite of application-aware security services for the SRX Series classifies traffic flows, while bringing greater visibility, enforcement, control, and protection to your network security. AppSecure uses a sophisticated classification engine to accurately identify applications regardless of port or protocol, including applications known for using evasive techniques to avoid identification. It gives you the context to regain control of your network traffic, set and enforce policies based on accurate information, and deliver the performance and scale required to address your business needs. The services enabled by AppSecure include AppTrack for detailed visibility of application traffic, AppFW for granular policy enforcement of application traffic, and AppQoS for prioritization and metering of application traffic. 6

7 Juniper Networks Unified threat management (UTM) Comprehensive content security against malware, viruses, phishing attacks, intrusions, spam, and other threats is available with Juniper Networks UTM. This best-in-class solution includes antivirus, anti-spam, Web filtering, and content filtering in a group of services easily added to an SRX Series Gateway or Firefly Perimeter virtual firewall. 7

8 Junos space security director Next-generation capabilities in the SRX Series and Firefly Perimeter can be centrally managed from a single management platform. You can manage all your security services, perform logging and reporting, as well as segment management responsibilities through role-based access controls in Juniper Networks Junos Space Security Director. Juniper Networks centralized management is based on Juniper Networks Junos operating system so it shares the same resiliency and massive scalability as Juniper Networks highly regarded network solutions preferred by most of the world s largest service providers. 8

9 Why Juniper Networks NGFW Protection Solution? Juniper Networks is introducing new enhancements to its SRX Series Services Gateways that provide next-generation security to help customers protect against threats and control what is on their network without adding a heavy administrative burden: Simplified management: A single, central management platform delivers a simple method for managing all Juniper Networks firewalls, eliminating the complexity and time needed to support multiple management platforms Juniper Networks SRX now integrates directly with Active Directory to apply user role-based firewall policies without requiring any additional devices or agents AppID delivers granular management of application visibility and control on a per policy basis Greater protection: The new AppID engine includes a heuristics engine optimized for identifying evasive or tunneled applications. Important for blocking risky applications such as peer-to-peer applications or adding control over social, video and communications applications. AppID will also identify nearly twice as many unique applications as before. Firefly Perimeter now supports next-generation firewall capabilities like IPS and UTM Open solution for customization: Juniper Networks NGFW Protection solution offers a unique ability for customers to insert signatures for their custom-built applications or add IPS signatures to protect against exploits they discover. This capability helps organizations increase the amount of control they have over home grown application traffic in their network and it enables increased protection against exploits targeting these custom applications 9

10 SRX Series Services Gateway Campus and Branch SRX5800 SRX5600 SRX3600 SRX3400 SRX1400 DataCenter Campus / Enterprise SRX100/ 110 SRX210/220/ 240 SRX550 SRX650 10

11 Firefly Perimeter In addition to its advanced security services and network capabilities, Firefly Perimeter also empowers network and security administrators to quickly provision and scale firewall protection to meet dynamic demand using Junos Space Virtual Director. When combined with Junos Space Security Director, administrators can significantly improve security policy configuration, management, and visibility of their virtual and non-virtual environments. 11

12 Junos Space Security Director Junos Space Security Director reduces management costs and errors with efficient security policy, workflow tools, and a powerful app and platform architecture. Juniper Networks Junos Space Security Director, an application on Junos Space Network Management Platform, provides extensive security scale, granular policy control, and policy breadth across the network. It helps administrators quickly manage all phases of the security policy life cycle for stateful firewall, UTM, IPS, AppFW, VPN, and NAT through a centralized web-based interface. 12

13 Juniper Networks Conclusion NGFW Services Integrated user firewall AppID 2.0 Firefly Perimeter: IPS, UTM Full SRX portfolio Simplified Management Security Director Integrated logging & reporting Role-based access control UTM Open / Extensible Security Platform Open signatures 13

14 User case WSA Company WSA (Westcon Security Academy) wants to implement firewall with specs: Only domain authenticated users get internet access Sysadmin without firewall knowledge should be able to deny users access to social media Logs should be easy to access 14

15 WSA network Two users: sad and lucky to start with 15

16 User lucky: properties in AD 16

17 User sad: properties in AD 17

18 Users logon to the clients systems User sad to client1 User lucky to client2 Both can browse the internet Next they try to access myspace.com 18

19 Results Lucky: Get his access Sad: Gets even sadder: het gets a custom block message 19

20 This two firewall rules do the job: AD connection Application awareness 20

21 Oops Guest user couldn t access the internet anymore! Change of policy: After a few hours we lookup what the guests (students) are doing 21

22 Application access last 8 hours normal sites, plain text, so no application We could use UTM to categorize 22

23 Log details user Application 23

24 Agenda User Case Firewall for WSA SRX x47 Highlights Junos Space 14.1 highlights Competitive analyse 10 (or more) good reasons to buy SRX right now Q & (hopefully) A Tech talk 24

25 NG AppID What s New? Enhancements 1. Improved Evasive Application Detection 2. ~3000 Unique Applications 3. Improved Accuracy 4. Loadable Detector Module User Experience Changes No significant changes Q3 Enhancements Custom Application Support 25

26 INTEGRATED USER FIREWALL Windows ADs 1 Doman user logins into domain from domain member device 1 2 User attempts to make a connection through SRX Client 3 SRX Series Internet Data Finance Video 3 SRX checks local tables to see if user is already authenticated. 1. If so user continues. 2. If no local authentication, then SRX queries AD 3. If AD has an entry it will be used. 4. If no AD entry then fallback to captive portal 2 4 Apps Corporate Data Center 4 Authenticated user will be evaluated by policy according to the firewall rulebase. If traffic is permitted then user will be allowed to continue. 26

27 multiple zones per policy Problem To Solve Today when deploying security policy, customers need to setup separate policy entries even if most of their attributes are identical ( source-address, destination-address, application, action ) except for zone attributes ( from-zone, to-zone ) Four policies are need in order to apply the following security policies, even the source-address, Destination-address, application and actions are the same. Solution Add the from-zone/to-zone in global policy, just as the sourceaddress, destination-address and etc in global policy. As a result, only 1 policy are needed in this release. Note: Only global policy are changed to support multiple from/to zone. 27

28 Firewall RULEBASE Firewall Rulebase It is here in the firewall rulebase where you activate what Security Intelligence Policy that you want to enable for what type of traffic. It work in combination with all other existing SRX L7 features such as: - IPS - AppFW / AppQoS - AntiVirus - WebFiltering 28

29 Space for NG firewalling 13.3: Security Director 13.3 Networkdirector 1.6 All other apps 14.1 Security Director 14.1 No Networkdirector yet To complete a full NG implementation: Deploy logcollector (A separated virtual appliance) and the space app accessing it: 29

30 Tech talk: New possibilities in CLI Operational mode security flow debugging monitor security flow? Possible completions: file Trace file information filter Flow packet debug filter start Monitor flow start stop Monitor flow stop monitor security flow Operational mode IKE debugging Possible completions: local Local ip address remote Remote ip address request security ike debug-enable 30

31 Tech talk: IDP Senor tuning set security idp sensor-configuration? Possible completions: > log IDP Log Configuration > packet-log IDP Packetlog Configuration > application-identification Application identification > flow Flow configuration > re-assembler Re-assembler configuration > ips Ips configuration > global Global configuration > detector Detector Configuration > ssl-inspection SSL inspection > high-availability High availability configuration > security-configuration IDP security configuration disable-low-memory-handling Do not abort IDP operations under low memory condition [edit] Many details available 31

32 Tech talk: IP matching in security [edit security address-book example] set address example_address? Possible completions: <ip-prefix> Numeric IPv4 or IPv6 address with prefix + apply-groups Groups from which to inherit configuration data + apply-groups-except Don't inherit configuration data from these groups description Text description of address > dns-name DNS address name > range-address Address range > wildcard-address Numeric IPv4 wildcard address with in the form of a.d.d.r/netmask [edit security address-book example] root@x47_test# set address example_address [edit security policies from-zone trust to-zone untrust] root@x47_test# set policy example match? Possible completions: + application Port-based application + apply-groups Groups from which to inherit configuration data + apply-groups-except Don't inherit configuration data from these groups + destination-address Match destination address destination-address-excluded Exclude destination addresses + source-address Match source address source-address-excluded Exclude source addresses + source-identity Match source identity [edit security policies from-zone trust to-zone untrust] 32

33 Tech talk: AD coupling show services user-identification active-directory-access { domain wsa.local { user { administrator; password "$9$rWzvXNsYoGUHgoz3n6AtvW8LdbsYg"; ## SECRET- DATA domain-controller AD01.wsa.local { address ; domain-controller AD02.wsa.local { address ; user-group-mapping { ldap { base OU=demo-users,dc=wsa,dc=local; user { Administrator; password "$9$BtOErKXxdsYoNdk.mPQzEcSyM8XxN"; ## SECRET-DATA 33

34 Tech talk: Application FW rules show security application-firewall profile test { block-message { type { custom-redirect-url { content rule-sets no-social-media-trust-untrust { rule 0 { match { dynamic-application-group junos:web:social-networking; then { deny; default-rule { permit; profile test; 34

35 Tech talk: NG policies [edit security policies from-zone trust to-zone untrust] show policy no-social-media { match { source-address any; destination-address any; application [ junos-http junos-https ]; source-identity "wsa.local\no-social-media"; then { permit { application-services { application-firewall { rule-set no-social-media-trust-untrust; log { session-close; policy trust-to-untrust { match { source-address any; destination-address any; application any; then { permit; log { session-close; 35

36 Tech talk: Check ad connection show services user-identification active-directoryaccess active-directory-authentication-table all Domain: wsa.local Total entries: 4 Source IP Username groups state mtepper Valid administrator Valid sad no-social-media Valid lucky Valid Many other checks implemented 36

37 Tech talk: NG in flow checking show security flow session dynamic-application junos:facebook-access Session ID: 1761, Policy name: trust-to-untrust/5, Timeout: 1752, Valid In: / > /443;tcp, If: vlan.0, Pkts: 39, Bytes: 8699 Out: /443 --> /11702;tcp, If: ge-0/0/0.0, Pkts: 22, Bytes: 5668 Session ID: 1762, Policy name: trust-to-untrust/5, Timeout: 1760, Valid In: / > /443;tcp, If: vlan.0, Pkts: 108, Bytes: Out: /443 --> /4260;tcp, If: ge-0/0/0.0, Pkts: 120, Bytes: Session ID: 1763, Policy name: trust-to-untrust/5, Timeout: 1754, Valid In: / > /443;tcp, If: vlan.0, Pkts: 47, Bytes: Out: /443 --> /12957;tcp, If: ge-0/0/0.0, Pkts: 26, Bytes: 6552 Session ID: 1767, Policy name: trust-to-untrust/5, Timeout: 1752, Valid In: / > /443;tcp, If: vlan.0, Pkts: 18, Bytes: 3817 Out: /443 --> /30385;tcp, If: ge-0/0/0.0, Pkts: 12, Bytes:

38 Thank You