SRX as NGFW. Michel Tepper, Consultant


Firewall Security Challenges
Organizations are looking for ways to protect their assets amidst today's ever-increasing threat landscape. The latest generation of web-based applications, combined with the proliferation of mobile devices, has made it challenging to effectively manage traffic and provide access to data while delivering the right mix of security and network services. There might be hundreds or thousands of applications running across a typical enterprise network; some of these applications are important to the business and some are not. How do you control which applications are allowed on your network, and how do you restrict those that are not? How do you make sure your network traffic prioritizes business-critical operations? How do you get stronger security without compromising your operational efficiency? How do you make sure your security doesn't negatively impact your business? This is where a next-generation firewall can help.

Juniper Networks NGFW Protection Solution
The Juniper Networks NGFW Protection solution helps bring context and clarity to the setting and enforcement of security policies and helps stop modern malware attacks, all while delivering the industry's highest performance and the capacity to grow with your business or traffic. SRX Series Services Gateways come in a broad range of models, from all-in-one security and networking appliances to highly scalable, high-performance chassis solutions. All of them can be centrally managed using Junos Space Security Director, and other security services are easily added to existing SRX Series platforms for a cost-effective solution.

User role-based Firewall
Juniper Networks SRX Series Services Gateways deliver integrated next-generation firewall protection with application awareness, IPS, and user role-based controls, plus best-in-class UTM to protect and control your business assets. Next-generation firewalls are able to perform full-packet inspection and apply application-specific and user-specific security policies. This means you can create security policies based on the application running across your network and the user who is receiving or sending network traffic, and simultaneously examine the content that is traveling across your network. This helps protect your environment against threats, manages how your network bandwidth is allocated, and maintains appropriate access controls.

Integrated User Firewall and MORE

NGFW Application Visibility
The Juniper Networks AppSecure suite of application-aware security services for the SRX Series classifies traffic flows, while bringing greater visibility, enforcement, control, and protection to your network security. AppSecure uses a sophisticated classification engine to accurately identify applications regardless of port or protocol, including applications known for using evasive techniques to avoid identification. It gives you the context to regain control of your network traffic, set and enforce policies based on accurate information, and deliver the performance and scale required to address your business needs. The services enabled by AppSecure include AppTrack for detailed visibility of application traffic, AppFW for granular policy enforcement of application traffic, and AppQoS for prioritization and metering of application traffic.

Juniper Networks Unified Threat Management (UTM)
Comprehensive content security against malware, viruses, phishing attacks, intrusions, spam, and other threats is available with Juniper Networks UTM. This best-in-class solution includes antivirus, anti-spam, Web filtering, and content filtering in a group of services easily added to an SRX Series Gateway or Firefly Perimeter virtual firewall.

Junos Space Security Director
Next-generation capabilities in the SRX Series and Firefly Perimeter can be centrally managed from a single management platform. You can manage all your security services, perform logging and reporting, and segment management responsibilities through role-based access controls in Juniper Networks Junos Space Security Director. Juniper Networks centralized management is based on the Junos operating system, so it shares the same resiliency and massive scalability as the Juniper Networks network solutions preferred by most of the world's largest service providers.

Why Juniper Networks NGFW Protection Solution?
Juniper Networks is introducing new enhancements to its SRX Series Services Gateways that provide next-generation security to help customers protect against threats and control what is on their network without adding a heavy administrative burden:
Simplified management:
- A single, central management platform delivers a simple method for managing all Juniper Networks firewalls, eliminating the complexity and time needed to support multiple management platforms.
- The Juniper Networks SRX now integrates directly with Active Directory to apply user role-based firewall policies without requiring any additional devices or agents.
- AppID delivers granular management of application visibility and control on a per-policy basis.
Greater protection:
- The new AppID engine includes a heuristics engine optimized for identifying evasive or tunneled applications. This is important for blocking risky applications such as peer-to-peer applications, or for adding control over social, video and communications applications. AppID will also identify nearly twice as many unique applications as before.
- Firefly Perimeter now supports next-generation firewall capabilities like IPS and UTM.
Open solution for customization:
- The Juniper Networks NGFW Protection solution offers customers the ability to insert signatures for their custom-built applications or add IPS signatures to protect against exploits they discover. This capability helps organizations increase the amount of control they have over home-grown application traffic in their network, and it enables increased protection against exploits targeting these custom applications.

SRX Series Services Gateways (portfolio overview)
Data Center: SRX5800, SRX5600, SRX3600, SRX3400, SRX1400
Campus / Enterprise and Branch: SRX100/110, SRX210/220/240, SRX550, SRX650

Firefly Perimeter
In addition to its advanced security services and network capabilities, Firefly Perimeter also empowers network and security administrators to quickly provision and scale firewall protection to meet dynamic demand using Junos Space Virtual Director. When combined with Junos Space Security Director, administrators can significantly improve security policy configuration, management, and visibility of their virtual and non-virtual environments.

Junos Space Security Director
Junos Space Security Director reduces management costs and errors with efficient security policy, workflow tools, and a powerful app and platform architecture. Juniper Networks Junos Space Security Director, an application on the Junos Space Network Management Platform, provides extensive security scale, granular policy control, and policy breadth across the network. It helps administrators quickly manage all phases of the security policy life cycle for stateful firewall, UTM, IPS, AppFW, VPN, and NAT through a centralized web-based interface.

Juniper Networks Conclusion
NGFW Services: integrated user firewall, AppID 2.0, Firefly Perimeter (IPS, UTM), full SRX portfolio
Simplified Management: Security Director, integrated logging & reporting, role-based access control, UTM
Open / Extensible Security Platform: open signatures

Use case: WSA
Company WSA (Westcon Security Academy) wants to implement a firewall with these requirements:
- Only domain-authenticated users get internet access
- A sysadmin without firewall knowledge should be able to deny users access to social media
- Logs should be easy to access

WSA network: two users, sad and lucky, to start with

User lucky: properties in AD

User sad: properties in AD

Users log on to the client systems: user sad to client1, user lucky to client2. Both can browse the internet. Next they try to access myspace.com.

Results: Lucky gets his access. Sad gets even sadder: he gets a custom block message.

These two firewall rules do the job: one for the AD connection (user identity), one for application awareness.

Oops: the guest user couldn't access the internet anymore! Change of policy: after a few hours we look up what the guests (students) are doing.

Application access, last 8 hours: normal sites in plain text, so no specific application is identified. We could use UTM to categorize them.

Log details: user and application

Agenda
- Use case: firewall for WSA
- SRX 12.1X47 highlights
- Junos Space 14.1 highlights
- Competitive analysis
- 10 (or more) good reasons to buy SRX right now
- Q & (hopefully) A
- Tech talk

NG AppID: What's New?
Enhancements:
1. Improved evasive application detection
2. ~3000 unique applications
3. Improved accuracy
4. Loadable detector module
User experience changes: no significant changes
Q3 enhancements: custom application support

INTEGRATED USER FIREWALL
1. A domain user logs in to the domain from a domain-member device.
2. The user attempts to make a connection through the SRX.
3. The SRX checks its local tables to see if the user is already authenticated:
   1. If so, the user continues.
   2. If there is no local authentication entry, the SRX queries AD.
   3. If AD has an entry, it is used.
   4. If there is no AD entry, the SRX falls back to the captive portal.
4. The authenticated user is evaluated by policy according to the firewall rulebase. If the traffic is permitted, the user is allowed to continue.

Multiple zones per policy
Problem to solve: today, when deploying security policy, customers need to set up separate policy entries even if most of their attributes are identical (source-address, destination-address, application, action) except for the zone attributes (from-zone, to-zone). Four policies are needed to apply the following security policies, even though the source-address, destination-address, application and action are the same.
Solution: add from-zone/to-zone to the global policy, just like source-address, destination-address, etc. in the global policy. As a result, only one policy is needed in this release. Note: only global policies are changed to support multiple from/to zones.

Firewall Rulebase
It is here in the firewall rulebase where you activate which Security Intelligence policy you want to enable for which type of traffic. It works in combination with all other existing SRX L7 features such as:
- IPS
- AppFW / AppQoS
- AntiVirus
- WebFiltering

Junos Space for NG firewalling
13.3: Security Director 13.3, Network Director 1.6, all other apps
14.1: Security Director 14.1, no Network Director yet
To complete a full NG implementation: deploy the Log Collector (a separate virtual appliance) and the Space app that accesses it.

Tech talk: new possibilities in CLI
Operational mode security flow debugging:
root@x47_test> monitor security flow ?
Possible completions:
  file     Trace file information
  filter   Flow packet debug filter
  start    Monitor flow start
  stop     Monitor flow stop
Operational mode IKE debugging:
root@x47_test> request security ike debug-enable ?
Possible completions:
  local    Local ip address
  remote   Remote ip address

Tech talk: IDP sensor tuning
[edit]
root@x47_test# set security idp sensor-configuration ?
Possible completions:
> log                          IDP Log Configuration
> packet-log                   IDP Packetlog Configuration
> application-identification   Application identification
> flow                         Flow configuration
> re-assembler                 Re-assembler configuration
> ips                          Ips configuration
> global                       Global configuration
> detector                     Detector Configuration
> ssl-inspection               SSL inspection
> high-availability            High availability configuration
> security-configuration       IDP security configuration
  disable-low-memory-handling  Do not abort IDP operations under low memory condition
Many details are available for tuning.

Tech talk: IP matching in security
[edit security address-book example]
root@x47_test# set address example_address ?
Possible completions:
  <ip-prefix>           Numeric IPv4 or IPv6 address with prefix
+ apply-groups          Groups from which to inherit configuration data
+ apply-groups-except   Don't inherit configuration data from these groups
  description           Text description of address
> dns-name              DNS address name
> range-address         Address range
> wildcard-address      Numeric IPv4 wildcard address in the form of a.d.d.r/netmask
[edit security policies from-zone trust to-zone untrust]
root@x47_test# set policy example match ?
Possible completions:
+ application                   Port-based application
+ apply-groups                  Groups from which to inherit configuration data
+ apply-groups-except           Don't inherit configuration data from these groups
+ destination-address           Match destination address
  destination-address-excluded  Exclude destination addresses
+ source-address                Match source address
  source-address-excluded       Exclude source addresses
+ source-identity               Match source identity

Tech talk: AD coupling
root@x47_test# show services user-identification
active-directory-access {
    domain wsa.local {
        user {
            administrator;
            password "$9$rWzvXNsYoGUHgoz3n6AtvW8LdbsYg"; ## SECRET-DATA
        }
        domain-controller AD01.wsa.local {
            address 172.27.72.10;
        }
        domain-controller AD02.wsa.local {
            address 172.27.72.11;
        }
        user-group-mapping {
            ldap {
                base OU=demo-users,dc=wsa,dc=local;
                user {
                    Administrator;
                    password "$9$BtOErKXxdsYoNdk.mPQzEcSyM8XxN"; ## SECRET-DATA
                }
            }
        }
    }
}

Tech talk: Application FW rules
root@x47_test# show security application-firewall
profile test {
    block-message {
        type {
            custom-redirect-url {
                content http://172.27.72.10/badluck.htm;
            }
        }
    }
}
rule-sets no-social-media-trust-untrust {
    rule 0 {
        match {
            dynamic-application-group junos:web:social-networking;
        }
        then {
            deny;
        }
    }
    default-rule {
        permit;
    }
    profile test;
}

Tech talk: NG policies
[edit security policies from-zone trust to-zone untrust]
root@x47_test# show
policy no-social-media {
    match {
        source-address any;
        destination-address any;
        application [ junos-http junos-https ];
        source-identity "wsa.local\no-social-media";
    }
    then {
        permit {
            application-services {
                application-firewall {
                    rule-set no-social-media-trust-untrust;
                }
            }
        }
        log {
            session-close;
        }
    }
}
policy trust-to-untrust {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
        log {
            session-close;
        }
    }
}

Tech talk: check AD connection
root@x47_test> show services user-identification active-directory-access active-directory-authentication-table all
Domain: wsa.local
Total entries: 4
Source IP       Username        groups            state
172.27.72.12    mtepper                           Valid
172.27.72.20    administrator                     Valid
172.27.78.1     sad             no-social-media   Valid
172.27.78.2     lucky                             Valid
Many other checks are implemented.

Tech talk: NG in flow checking
root@x47_test> show security flow session dynamic-application junos:facebook-access
Session ID: 1761, Policy name: trust-to-untrust/5, Timeout: 1752, Valid
  In: 172.27.78.2/52549 --> 23.65.181.96/443;tcp, If: vlan.0, Pkts: 39, Bytes: 8699
  Out: 23.65.181.96/443 --> 134.27.1.2/11702;tcp, If: ge-0/0/0.0, Pkts: 22, Bytes: 5668
Session ID: 1762, Policy name: trust-to-untrust/5, Timeout: 1760, Valid
  In: 172.27.78.2/52548 --> 31.13.93.3/443;tcp, If: vlan.0, Pkts: 108, Bytes: 10988
  Out: 31.13.93.3/443 --> 134.27.1.2/4260;tcp, If: ge-0/0/0.0, Pkts: 120, Bytes: 133001
Session ID: 1763, Policy name: trust-to-untrust/5, Timeout: 1754, Valid
  In: 172.27.78.2/52551 --> 23.65.181.96/443;tcp, If: vlan.0, Pkts: 47, Bytes: 10869
  Out: 23.65.181.96/443 --> 134.27.1.2/12957;tcp, If: ge-0/0/0.0, Pkts: 26, Bytes: 6552
Session ID: 1767, Policy name: trust-to-untrust/5, Timeout: 1752, Valid
  In: 172.27.78.2/52558 --> 195.10.11.105/443;tcp, If: vlan.0, Pkts: 18, Bytes: 3817
  Out: 195.10.11.105/443 --> 134.27.1.2/30385;tcp, If: ge-0/0/0.0, Pkts: 12, Bytes: 6337
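Added example, not part of the original deck: a small Python script that parses the two CLI outputs shown in the last two tech-talk slides (the active-directory-authentication-table listing and the flow-session listing) and joins them on the source IP, so each session is attributed to the AD user behind it and traffic from an IP without a Valid entry is flagged as unauthenticated. The sample text is constructed after the slides; session 1799 uses an IP that is deliberately absent from the table to exercise that case.

```python
import re

# Constructed sample modelled on the slide's active-directory-authentication-table output.
AUTH_TABLE = """\
Source IP      Username       groups           state
172.27.72.12   mtepper                         Valid
172.27.72.20   administrator                   Valid
172.27.78.1    sad            no-social-media  Valid
172.27.78.2    lucky                           Valid
"""

# Constructed sample modelled on the slide's "show security flow session" output; session
# 1799 deliberately comes from an IP that has no entry in the authentication table.
FLOW_SESSIONS = """\
Session ID: 1761, Policy name: trust-to-untrust/5, Timeout: 1752, Valid
  In: 172.27.78.2/52549 --> 23.65.181.96/443;tcp, If: vlan.0, Pkts: 39, Bytes: 8699
  Out: 23.65.181.96/443 --> 134.27.1.2/11702;tcp, If: ge-0/0/0.0, Pkts: 22, Bytes: 5668
Session ID: 1762, Policy name: trust-to-untrust/5, Timeout: 1760, Valid
  In: 172.27.78.2/52548 --> 31.13.93.3/443;tcp, If: vlan.0, Pkts: 108, Bytes: 10988
  Out: 31.13.93.3/443 --> 134.27.1.2/4260;tcp, If: ge-0/0/0.0, Pkts: 120, Bytes: 133001
Session ID: 1799, Policy name: trust-to-untrust/5, Timeout: 1800, Valid
  In: 172.27.78.9/40001 --> 31.13.93.3/443;tcp, If: vlan.0, Pkts: 5, Bytes: 400
  Out: 31.13.93.3/443 --> 134.27.1.2/5000;tcp, If: ge-0/0/0.0, Pkts: 4, Bytes: 300
"""

AUTH_RE = re.compile(r"^(\d+(?:\.\d+){3})\s+(\S+)\s+(.*?)\s*(\S+)$")  # ip user [groups] state
SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+), (\w+)$")
WING_RE = re.compile(r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), "
                     r"Pkts: (\d+), Bytes: (\d+)$")

def parse_auth_table(text):
    """Map source IP -> {user, groups, state}; header lines do not match and are skipped."""
    table = {}
    for line in text.splitlines():
        m = AUTH_RE.match(line.strip())
        if m:
            ip, user, groups, state = m.groups()
            table[ip] = {"user": user, "groups": groups.split(",") if groups else [], "state": state}
    return table

def parse_flow_sessions(text):
    """Return one dict per session; the In and Out wings become nested dicts."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sessions.append({"id": int(m[1]), "policy": m[2], "timeout": int(m[3])})
            continue
        w = WING_RE.match(line)
        if w and sessions:
            sessions[-1][w[1].lower()] = {"src": w[2], "dst": w[4], "dport": int(w[5]), "bytes": int(w[9])}
    return sessions

def summarize_by_user(sessions, auth, unknown="(unauthenticated)"):
    """Attribute each session to the user whose Valid table entry matches the In-wing source IP."""
    summary = {}
    for s in sessions:
        entry = auth.get(s["in"]["src"])
        user = entry["user"] if entry and entry["state"] == "Valid" else unknown
        rec = summary.setdefault(user, {"sessions": 0, "bytes": 0, "dsts": set()})
        rec["sessions"] += 1
        rec["bytes"] += s["in"]["bytes"] + s.get("out", {}).get("bytes", 0)
        rec["dsts"].add(s["in"]["dst"])
    return summary
```

Feeding it the real output of both commands gives a per-user view of who is generating the flows a policy permitted, which is the question the WSA use case asked of the logs.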

Thank You