SDSN: Dynamic, Adaptive Multicloud Security

Similar documents
Extending Enterprise Security to Public and Hybrid Clouds

Extending Enterprise Security to Public and Hybrid Clouds

Software-Defined Secure Networks in Action

Juniper Sky Enterprise

Juniper Sky Advanced Threat Prevention

JUNIPER NETWORKS AND AEROHIVE NETWORKS: CLOUD- ENABLED SOLUTIONS FOR THE ENTERPRISE

Service Automation Made Easy

Policy Enforcer. Product Description. Data Sheet. Product Overview

Juniper Networks and Aerohive Networks: Cloud-Enabled Solutions for the Enterprise

Transit VPC Deployment Using AWS CloudFormation Templates. White Paper

JUNIPER NETWORKS PRODUCT BULLETIN

JUNIPER SKY ADVANCED THREAT PREVENTION

Juniper Solutions for Turnkey, Managed Cloud Services

Contrail Networking: Evolve your cloud with Containers

SECURING THE MULTICLOUD

Cluster Upgrade. SRX Series Services Gateways for the Branch Upgrade Junos OS with Minimal Traffic Disruption and a Single Command APPLICATION NOTE

Open Cloud Interconnect: Use Cases for the QFX10000 Coherent DWDM Line Card

QUICKSTART GUIDE FOR BRANCH SRX SERIES SERVICES GATEWAYS

Juniper Networks Live-Live Technology

AWS Reference Design Document

Cloud-Enable the Enterprise with Junos Fusion

Topology-Independent In-Service Software Upgrades on the QFX5100

Juniper Care Plus Advanced Services Credits

Cisco Cloud Application Centric Infrastructure

How Security Policy Orchestration Extends to Hybrid Cloud Platforms

CONFIGURING WEBAPP SECURE TO PROTECT AGAINST CREDENTIAL ATTACKS

Juniper Unite Cloud-Enabled Enterprise Reference Architecture

Building a Software-Defined Secure Network for Healthcare

Zero Trust Security with Software-Defined Secure Networks

Optimizing CloudEnabled Branch with. Juniper Services and Support. Protect and Ensure the Operational Success of Your Juniper Cloud-Enabled Branch

JUNIPER OPTIMUM CARE SERVICE

FIREFLY HOST. Product Description. Product Overview DATASHEET

The threat landscape is constantly

Cisco Cloud Services Router 1000V and Amazon Web Services CASE STUDY

SYMANTEC DATA CENTER SECURITY

Best Practices in Securing a Multicloud World

Optimizing Pulse Secure Access Suite with Pulse Secure Virtual Application Delivery Controller solution

5 STEPS TO BUILDING ADVANCED SECURITY IN SOFTWARE- DEFINED DATA CENTERS

Enterprise Guest Access

WX CENTRAL MANAGEMENT SYSTEM

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

Instant evolution in the age of digitization. Turn technology into your competitive advantage

Cisco Start. IT solutions designed to propel your business

White Paper. Juniper Networks Cloud Security

Total Threat Protection. Whitepaper

SECURE HYBRID CLOUD Solution

Deploying Cisco SD-WAN on AWS

SRX als NGFW. Michel Tepper Consultant

A CISO GUIDE TO MULTI-CLOUD SECURITY Achieving Transparent Visibility and Control and Enhanced Risk Management

Extending Enterprise Security to Multicloud and Public Cloud

Secure Remote Access with Comprehensive Client Certificate Management

The Need In today s fast-paced world, the growing demand to support a variety of applications across the data center and help ensure the compliance an

Flexible IP and Ethernet Services Power the Digital Enterprise

AKAMAI CLOUD SECURITY SOLUTIONS

AlgoSec. Managing Security at the Speed of Business. AlgoSec.com

Cisco CloudCenter Use Case Summary

Monitoring Hybrid Cloud Applications in VMware vcloud Air

Deliver Office 365 Without Compromise Ensure successful deployment and ongoing manageability of Office 365 and other SaaS apps

OUR SECURITY DELIVERED YOUR WAY

VMware Hybrid Cloud Solution

ENTERPRISE SECURITY MANAGEMENT. Frederick Verduyckt 20 September 2012

Deliver Office 365 Without Compromise

SteelConnect. The Future of Networking is here. It s Application- Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN

3 Ways Businesses Use Network Virtualization. A Faster Path to Improved Security, Automated IT, and App Continuity

FROM CLOUD TO MULTICLOUD

Network Configuration Example

DEVOPSIFYING NETWORK SECURITY. An AlgoSec Technical Whitepaper

Nutanix and Big Switch: Cloud-First Networking for the Enterprise Cloud

Deploying Data Center Switching Solutions

SOLUTION BROCHURE. Mobility Changes Everything

SteelConnect. The Future of Networking is here. It s Application-Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN

Veritas Backup Exec. Powerful, flexible and reliable data protection designed for cloud-ready organizations. Key Features and Benefits OVERVIEW

Enhanced Threat Detection, Investigation, and Response

HARNESSING THE HYBRID CLOUD TO DRIVE GREATER BUSINESS AGILITY

Securing Your Amazon Web Services Virtual Networks

How to Leverage Containers to Bolster Security and Performance While Moving to Google Cloud

Transformation Through Innovation

Disaggregation and Virtualization within the Juniper Networks Mobile Cloud Architecture. White Paper

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Data safety for digital business. Veritas Backup Exec WHITE PAPER. One solution for hybrid, physical, and virtual environments.

Product Description. Product Overview DATASHEET

Cisco Software-Defined Access

Mobility Optimized Access Layer

SIEM: Five Requirements that Solve the Bigger Business Issues

PROTECT WORKLOADS IN THE HYBRID CLOUD

Junos Genius FAQs. What is Junos Genius? How can I access the Junos Genius platform? What learning assets are available on Junos Genius?

Juniper Networks Universal Edge and Access Network for Residential Services

Securing the Software-Defined Data Center

Securing Amazon Web Services (AWS) EC2 Instances with Dome9. A Whitepaper by Dome9 Security, Ltd.

Alcatel-Lucent OmniVista Cirrus Simple, secure cloud-based network management as a service

SECURING AWS ACCESS WITH MODERN IDENTITY SOLUTIONS

Ensuring a Consistent Security Perimeter with CloudGenix AppFabric

White Paper. Platform9 ROI for Hybrid Clouds

How SD-WAN will Transform the Network. And lead to innovative, profitable business outcomes

The McAfee MOVE Platform and Virtual Desktop Infrastructure

Cisco Collaborative Knowledge

McAfee epolicy Orchestrator

VMware vshield Edge Design Guide

Junos Security Bundle, JSEC & AJSEC

Nutanix and Big Switch: Cloud-First Networking for the Enterprise Cloud

Transcription:

SDSN: Dynamic, Adaptive Multicloud Security Evolving from firewall to user-intent for flexible in the cloud Challenge Legacy, which do not dynamically adapt to different workflows, must be individually configured and managed for every possible deployment option (physical deployment, private cloud, and public cloud). Solution User-intent based that leverage unified metadata across deployment realms dynamically adapt to different workflows, helping enterprises effectively handle the challenges of the multicloud era. Benefits Provides a single policy model across clouds Simplifies management and user readability Reduces operational expenses Enhances application deployment workflows by eliminating the need to commit configurations Improves workflows for administrators Enables administrators to rapidly take corrective action under critical situations Because traditional firewall rely heavily on IP addresses, they are fairly ineffective in today s cloud-based world. To handle the challenges of the multicloud era, enterprises must be able to adapt dynamically across different workflows and deployment options, employing a single yet flexible multicloud policy model. When a network is under attack, the need to rapidly isolate the threat and take corrective action is critical. Juniper Networks offers just such a solution with its Software-Defined Secure Network. With powerful workflows facilitated by dynamic access groups and a unified and intuitive metadata-based policy model that can be ported across clouds, SDSN gives admins complete command and control over their multicloud deployments. The Challenge Traditional firewall, which rely heavily on IP addresses, have not seen significant improvement in more than a decade. Unfortunately, these are not terribly effective in today s cloud-based world, where IP addresses are always changing as dynamic virtual instances are constantly being created and terminated. Furthermore, each environment has its own native elements such as groups in Amazon Web Services (AWS) or ware NSX, with tags that are hard to accommodate using traditional firewall, limiting business agility. Security for physical deployment Public cloudspecific Public Private cloudspecific Private Figure 1: Security need to be customized for each deployment realm To fully understand the impact this evolving environment will have on network, it s important to first know how an application is deployed in an enterprise. Once an application is developed, the app team asks the infrastructure team to allocate the necessary resources. The infrastructure team begins building the infrastructure, including compute, storage, and network resources, and then asks the team to allow these applications. The team analyzes each application, creates new or modifies existing as needed, and commits the changes. 1

While this whole process can take anywhere from four to six weeks in a physical deployment, it can be accomplished in a matter of minutes in a cloud environment. In a highly distributed environment, however, where the infrastructure is spread across multiple clouds, it gets more complicated for administrators tasked with reviewing the consistency of across the enterprise and committing the configuration changes. As the number of applications being deployed in a distributed system grows, the team itself becomes an obstacle to business agility. Application Development Figure 2: Typical application deployment timeframes The static nature of policy actions presents another challenge to responding effectively to different workflows. With traditional firewall, when the network is under attack, the admin must sift through literally thousands of rules, disabling unnecessary ones in order to isolate the source of the event. Similarly, admins need to constantly experiment with policy settings to determine the best posture for specific network performance conditions, switching between them based on business needs. Making these changes manually across a large rule base is time-consuming and extremely inefficient not ideal in time-sensitive or repetitive situations. The Juniper Networks User-Intent Policy Security Solution Juniper Networks addresses these challenges with a comprehensive solution based on user-intent that features a metadata-based policy model and powerful dynamic policy action capabilities. Part of Juniper s Software- Defined Secure Networking (SDSN) framework, this solution consists of the following components: Juniper Networks SRX Series Services Gateways and Virtual Firewall with integrated next-generation firewall (NGFW) and unified threat management (UTM). These products deliver: Core firewall functionality with IPsec VPN and featurerich networking services such as Network Address Translation (NAT) and routing Intrusion prevention system (IPS) 2.0 to detect and block network intrusions Application deployment in traditional waterfall model deploy necessary apps review, configure, and commit changes to firewall User-based firewalls to analyze, log, and enforce access control based on user roles and groups Application control and visibility with integrated Juniper Networks AppSecure 2.0 to provide application-level analysis, prioritization, and blocking to safely enable applications Antivirus, antispam, and Web and content filtering with UTM to protect against viruses, spam, and malicious URLs and content Support for Linux K, ware, AWS, and Azure platforms () Support for dynamic address groups to facilitate a nocommit architecture Juniper Networks Junos Space Security Director, which provides centralized, single-pane-of-glass management to deploy, monitor, and configure features and across all SRX Series physical and virtual firewalls in the network. Policy Enforcer, a component of Security Director, provides an additional level of centralized intelligence for deploying and enforcing on multivendor network elements such as switches, routers, Wi-Fi access points, and the like. With the introduction of user-intent, it also provides the ability to use metadata in and take dynamic actions on using the Dynamic Policy Actions (DPA) feature. Security Director includes a customizable dashboard with detailed drill-downs, threat maps, and event logs, providing unprecedented visibility into network measures. It is also available as a mobile app for Google s Android and Apple s ios systems to enable remote mobile monitoring. -Based Policy Model is defined as a dictionary of key value pairs gleaned from a list of possible values that associate attributes with endpoints. Most cloud deployments (ware NSX, Juniper Contrail Platform, Amazon AWS, etc.) use metadata native to their respective clouds. The ability to leverage metadata in significantly enhances traditional that already feature static identifiers such as IP addresses or address objects. By following common metadata-based tagging, the SDSN Policy Enforcer component of Security Director can configure all firewalls throughout the enterprise with the same without requiring any major customization to make it cloud-compatible. A network or DevOps admin simply assigns the right metadata to an endpoint, and a preconfigured policy can utilize it immediately. 2

Centralized Policy Management Security Director Policy Enforcer Feeds for DAG Aggregation Information Information Information ware NSX Enterprise Data Center Data Center SRX Series EC2 EC2 Contrail Private ware NSX SDDC Figure 3: aggregation and feeds for dynamic address groups on SRX Series and NGFWs Dynamic Address Groups on SRX Series and NGFWs Dynamic address groups on SRX Series physical and virtual NGFWs facilitate adaptive elements comprised of lists of IP addresses. Once a dynamic address group is used in a policy, IP addresses can be added or removed without requiring a configuration commit a tremendous benefit considering endpoint IP addresses change constantly due to the dynamic nature of creation and termination, and appending thousands of addresses is incredibly time-consuming. As an added benefit, the SRX Series and firewalls also dynamically populate and update IP addresses in the dynamic address group based on feeds from external sources. Mapping to Dynamic Address Groups Security Director Policy Enforcer serves as an aggregation server, learning the native metadata from different realms (Contrail, ware NSX, AWS, etc.) and their IP associations. This information is then fed to the SRX Series and NGFWs in different realms, acting as a metadata feed server as well as a policy management system. When applications migrate from physical on-premise hardware to the cloud, the firewall in the cloud will use the metadata from the application endpoint to determine the right action for traffic moving to and from that endpoint. This facilitates a much smoother and agile workflow for migrating applications without compromising. Using meaningful metadata also captures the user s intent, making endpoints easy to identify and work with in a policy. The solution also introduces the ability to use logical operators in, such as an AND and OR operation that can be performed on endpoint metadata. This level of flexibility simplifies the overall policy configuration. For example, if configuring a source field for all endpoints with metadata Type as DB and metadata PCI as no, it can be specified in the policy s source or destination address. The following tables offer a quick glimpse of the possibilities available to admins to reduce the burden on the enterprise and create a higher level of operational flexibility. Security for physical deployment Public cloudspecific Private cloudspecific Unified metadata-based (Policy portable across cloud and physical deployments) Public Private Public Private Figure 4: -based policy model 3

The policy using a static IP looks like this: # Source Destination Service Firewall IPS 1 Web server object Database address object http Permit None The backend address object-to-static IP mapping looks like this (requires the team): #Address Object HR_SR_object 1.1.1.1 Mapping SQL_FIN_OBJECT 2.2.2.1 When a new module needs to be added to an application, the DevOps or network admin provisions the necessary application and asks the team to add the IP address to the allowed list. The administrator makes the necessary changes to the address object or static address and commits the configuration. Configuration commits are typically a time-consuming process, adding an additional layer of overhead. # Source Destination Service Firewall IPS 1 PCI ==NO TYPE == DB && PCI ==YES Deny None The metadata-to-address object mapping looks like this: #Address Object HR_SR_ object SQL_FIN_ OBJECT IP Mapping Status PCI 1.1.1.1 Production No Web 2.2.2.1 Production Yes DB Type The admin creates based on metadata logic for the source and destination fields. When the DevOps or network admin provisions a new endpoint to the application, only the appropriate metadata needs to be associated with the new endpoint in order to deploy it in the application pool. Using templates or predefined metadata-based approved by the team can eliminate the 3-4 week process of configuring and committing configurations. This dramatically reduces application deployment times, ensures greater business agility, and significantly lowers OpEx. Similarly, endpoints can be removed from the application pool by simply deleting the associated metadata. Dynamic Policy Actions Security Director s Policy Enforcer includes a Dynamic Policy Action (DPA) feature based on configurable global NetSec environmental variables that allow preconfigured to take different actions under various conditions. This facilitates a proactive approach to threat response. The ability to take alternative actions across a large set of dramatically simplifies the posture, allowing the system to dynamically adjust its response under different attack conditions. When a network is under attack, the need to rapidly isolate the threat and take corrective action is critical. A typical workflow requires admins to manually disable all noncritical business applications until a diagnosis is made. In a normal enterprise, there could be thousands of governing noncritical applications such as video or audio streaming, private e-mails, and mobile apps. If the network is believed to be under attack, using a DPA can allow a single NetSec variable to perform customized policy actions on a large set of to protect the infrastructure. Similarly, when optimizing policy settings for performance and or mode-switch to prioritize one application over another, DPA achieves this with a single NetSec variable change. For example, a admin could set a NetSec variable to skip additional IPS settings on internal traffic when large data backups occur, switching back to Full Security mode once the backup is complete. Admins could also create an Experimental mode to find the right balance between and performance settings, then preconfigure the to take appropriate actions based on this setting. These fast-switch workflows not only allow teams to easily collaborate with other groups throughout the organization, it also allows admins to respond effectively in highpressure situations. Application deployment in traditional waterfall model Application deployment in cloud consumption model Application Development deploy necessary apps review, configure, and commit changes to firewall Deploys metadatabased App Team Team Deploy app with the appropriate metadata Security automatically updated on the firewalls based on dynamic metadata mapping to DAGs Figure 5: Reduced application deployment timeframes with metadata-based policy 4

Customer-Defined Environment Variables Firewall Rule Set # Src Dest Service Firewall IPS Env Threat Level Type String Possible Values Low, Medium, High Default Value Low Current Value High m Empl Internet Video http Permit None Rule Actions Based on Variable Values # Src Dest Service Firewall IPS n z Web Zone DB Zone DB Permit Deny Std_IPS_ Profile m Empl Internet Video http If (ThreatLevel= High) Deny Else Permit None n WebZone DBZone DB Permit If (ThreatLevel=High) Adv_profile Else Std_Profile Figure 6: aggregation and feeds for a dynamic access group on SRX Series and NGFWs Features and Benefits The Juniper intent-driven policy solution delivers the following features and benefits: Ensures agile application deployments by eliminating the need for manual configuration changes and commits Reduces operational expenses Improves user readability and flexibility when using metadata logic in Allows to be ported across different realms, including physical data centers, private clouds, and public clouds Dynamically adapts to network threat levels, facilitating efficient debugging and threat isolation workflows Summary Juniper Delivers Unified Security Solution for the Multicloud Era With the powerful workflows facilitated by dynamic access groups, and a unified and intuitive metadata-based policy model that can be ported across clouds, Juniper s SDSNbased user-intent policy solution gives admins complete command and control over their multicloud deployments. Next Steps For more information about Juniper Networks solutions, please visit us at www.juniper.net/us/en/products-services/ or contact your Juniper Networks sales representative. About Juniper Networks Juniper Networks challenges the status quo with products, solutions and services that transform the economics of networking. Our team co-innovates with customers and partners to deliver automated, scalable and secure networks with agility, performance and value. Additional information can be found at Juniper Networks or connect with Juniper on Twitter and Facebook. By supporting advanced L4-L7 features such as user firewall, application firewall, and IPS, coupled with powerful underlying features such as dynamic access group to facilitate a no-commit architecture, the SRX Series Services Gateways and Virtual Firewalls deliver the ideal cloud-ready NGFW. Corporate and Sales Headquarters Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, CA 94089 USA Phone: 888.JUNIPER (888.586.4737) or +1.408.745.2000 Fax: +1.408.745.2100 www.juniper.net APAC and EMEA Headquarters Juniper Networks International B.V. Boeing Avenue 240 1119 PZ Schiphol-Rijk Amsterdam, The Netherlands Phone: +31.0.207.125.700 Fax: +31.0.207.125.701 EXPLORE JUNIPER Get the App. Copyright 2017 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. 3510634-001-EN Dec 2017

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback