Education Services Courseware

Junos Space Security Director Technical Overview
Student Guide

NOTE: This Student Guide has been developed from an audio narration, so it uses conversational English. The purpose of
this transcript is to help you follow the online presentation, and it may require reference to it.

Slide 1

Build the Best

2015 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL PRT-SD01A-ML5 www.juniper.net | 1

Course PRT-SD01A-ML5 Juniper Networks, Inc. 2



Slide 2

Junos Space Security Director Technical Overview


Welcome to the Juniper Networks Junos Space Security Director Technical Overview eLearning module.


Slide 3

Navigation


Throughout this module, you will find slides with valuable detailed information. You can stop any slide with the Pause
button to study the details. You can also read the notes by using the Notes tab. You can click the Feedback link at any
time to submit suggestions or corrections directly to the Juniper Networks eLearning team.


Slide 4

Course Objectives

After successfully completing this course, you will be able to:
• Describe the capabilities and use of the Junos Space platform
• Describe the Junos Space Security Director application, its capabilities, and features
• Explore how to log in to Junos Space and perform device discovery
• Configure VPNs
• Configure firewall policies


After successfully completing this course, you will be able to:


Describe the capabilities and use of the Junos Space platform;
Describe the Junos Space Security Director application, its capabilities, and features;
Explore how to log in to Junos Space and perform device discovery;
Configure VPNs; and
Configure firewall policies.


Slide 5

Agenda: Junos Space Security Director Technical Overview
• Overview of Junos Space and Security Director
• VPN Policies
• Firewall Policies


This course consists of three sections:
Overview of Junos Space and Security Director;
VPN Policies; and
Firewall Policies.


Slide 6

Junos Space Security Director Technical Overview
Overview of Junos Space and Security Director


Overview of Junos Space and Security Director


Slide 7

Section Objectives

After successfully completing this section, you will be able to:
• Describe Junos Space features and capabilities
• Describe the Security Director application
• Discuss the features and capabilities of Security Director


After successfully completing this section, you will be able to:


Describe Junos Space features and capabilities;
Describe the Security Director application; and
Discuss the features and capabilities of Security Director.


Slide 8

Juniper Security Management Approaches

Network and Security Manager (NSM)   | Security Director (Junos Space Application)
Flagship Management for 10 Yrs       | Next-Gen Management
Client-Server Architecture           | Scalable SOA Architecture
Stand-Alone Program                  | Responsive Web App
                                     | Built Upon Junos Space Open Platform

NOTE: Junos Space Security Director was previously called Junos Space Security Design.


Juniper Security Management Approaches

Today's network is seeing exponential growth in traffic, changes in mobile user behavior, and an onslaught of new
cloud services and applications, all of which are expanding the avenues available to malicious attackers. Managing
enterprise security policy in these complex environments can become error-prone and overly time-consuming,
especially if management solutions are slow, unintuitive, or restricted in their level of granularity and control. Poor
policy management can also lead to security misconfiguration, making the enterprise vulnerable to sophisticated
threats and regulatory noncompliance.

Network and Security Manager (NSM) has been Juniper Networks' flagship management product for Juniper devices
for the past 10 years. Now, as the next-generation security management platform, Security Director, running on Junos
Space, will manage security across the enterprise. This course and the accompanying labs are based on Security
Director version 12.2. The product name was recently changed from Security Design to Security Director. We will refer
to the product by its new name, Security Director, throughout this course. However, you will notice that within the lab,
and on some of the screenshots in the course, the previous name, Security Design, still appears. This will be
changed to the new name, Security Director, in the next software release.


Slide 9

Junos Space Network Application Platform

Open, secure, scalable software platform: manage and analyze network element data; optimize infrastructure and
operations management. Available as a hardware appliance or as a software package (virtual appliance).

(Architecture diagram, layers from top to bottom)
• Open Access APIs: RESTful URLs
• Juniper Apps: Services Activation Director, Network Director, Security Director, Content Director, Service Now,
Service Insight, Virtual Control; 3rd Party Apps: Joulex, DMS
• SDK / API
• Network Application Platform: Shared Services, Plug/Play App, Transparent Scale, Subscriber Insight
• Open Device API: DMI / Adapters


Junos Space Network Application Platform

Junos Space is an open, secure, and scalable software platform that allows customers, partners, and developers to
build and deploy simple, smart applications that manage and analyze network element data and optimize network
infrastructure and operations management.

This slide depicts a very high-level architecture of Junos Space. As you can see, it is a layered architecture. Let us
look at the various layers, starting from the bottom layer.

The Junos Space Network Application Platform interfaces with the managed network devices using an open
application programming interface (API) called the Device Management Interface (DMI). DMI is based on the
industry-standard NETCONF protocol and uses Extensible Markup Language (XML) remote procedure calls (RPCs) over
an SSHv2 transport connection with the managed device.
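The DMI exchange just described, as an added example (not Juniper or Junos Space code): a Junos XML RPC wrapped in a NETCONF `<rpc>` envelope with NETCONF 1.0 `]]>]]>` framing, and a parser for the reply. No SSHv2 session is opened here; the two replies at the bottom are constructed for the example, shaped like what a Junos device returns to `<get-configuration>`. The request asks for only the host-name subtree, and the parser refuses a reply whose message-id does not match the request it sent.

```python
"""Added example (not Junos Space or Juniper code): the shape of a DMI
exchange, i.e. a Junos XML RPC carried in a NETCONF <rpc> envelope.

Only the message framing and reply handling are shown; no SSHv2 session is
opened.  The two replies at the bottom are constructed for the example.
"""
import xml.etree.ElementTree as ET

NETCONF_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
EOM = "]]>]]>"   # NETCONF 1.0 end-of-message delimiter


def build_rpc(message_id: int, rpc_body: str) -> str:
    """Wrap a Junos XML RPC body in a NETCONF <rpc> element and add framing."""
    return (f'<rpc message-id="{message_id}" xmlns="{NETCONF_NS}">'
            f"{rpc_body}</rpc>{EOM}")


def get_hostname_rpc(message_id: int) -> str:
    """<get-configuration> filtered to the [system host-name] subtree only."""
    body = ("<get-configuration>"
            "<configuration><system><host-name/></system></configuration>"
            "</get-configuration>")
    return build_rpc(message_id, body)


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def parse_reply(raw: str, expected_id: int) -> dict:
    """Remove framing, check the envelope and message-id, then extract the result."""
    xml_text = raw.split(EOM, 1)[0].strip()
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NETCONF_NS}}}rpc-reply":
        raise ValueError("not a NETCONF rpc-reply")
    if root.get("message-id") != str(expected_id):
        # Never accept a reply that does not belong to the request we sent.
        raise ValueError("message-id mismatch: reply is not for our request")
    error = root.find(f"{{{NETCONF_NS}}}rpc-error")
    if error is not None:
        msg = error.findtext(f"{{{NETCONF_NS}}}error-message", default="")
        return {"ok": False, "error": msg.strip()}
    for element in root.iter():   # namespace-agnostic search for host-name
        if _local(element.tag) == "host-name":
            return {"ok": True, "host_name": (element.text or "").strip()}
    return {"ok": True, "host_name": ""}


# Constructed replies, shaped like what a Junos device returns.
OK_REPLY = (f'<rpc-reply message-id="101" xmlns="{NETCONF_NS}">'
            '<configuration xmlns="http://xml.juniper.net/xnm/1.1/xnm">'
            '<system><host-name>srx-branch-1</host-name></system>'
            '</configuration></rpc-reply>' + EOM)
ERROR_REPLY = (f'<rpc-reply message-id="102" xmlns="{NETCONF_NS}">'
               '<rpc-error><error-type>protocol</error-type>'
               '<error-message>permission denied</error-message>'
               '</rpc-error></rpc-reply>' + EOM)

if __name__ == "__main__":
    print(get_hostname_rpc(101))
    print(parse_reply(OK_REPLY, 101))
    print(parse_reply(ERROR_REPLY, 102))
```

In a real deployment the transport is an authenticated SSHv2 session to the device, and the NETCONF subsystem carries exactly this kind of envelope; the message-id check is what keeps a stale or out-of-order reply from being attributed to the wrong request.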

On top of the device access layer, we have the platform itself which is built using Java 2 Enterprise Edition (J2EE)
technologies to provide core infrastructure services such as persistence and messaging as well as common EMS
services such as device discovery, inventory management, and so on.

On top of the platform, we have the software development kit (SDK) API layer. All the platform components expose
well-defined Web services APIs which can be used to develop applications on top of the platform. The SDK provides
an integrated development environment (IDE) with various plug-ins, documentation, and other resources to rapidly
develop Junos Space applications.

On top of this layer, we have the various applications that are hosted on the platform. As shown on the left-hand side,
these could be applications developed in-house by Juniper, such as Security Director, the focus of this course. Or, as
shown on the right-hand side, these could be applications developed by a partner, an independent software vendor
(ISV), or by the customer.

The top-most layer shows the open Web services APIs that are exposed by the platform as well as the hosted
applications. These APIs can be used to integrate with northbound systems or back office applications that the
customer might have in their environment.


Slide 10

The Platform

• The Platform is the underlying base application which runs Junos Space
• Applications are managed, installed, and upgraded under the Manage Applications section


The Platform

Network Application Platform (the Platform) is the underlying base application managing Junos Space itself. The
Platform lets administrators define user roles with role-based access control (RBAC), administer installed
applications, review system audit logs, and much more.

Applications are managed, installed, and upgraded under the Manage Applications section. This is where Security
Director is managed. Once installed, SRX Series devices can be managed with Security Director.


Slide 11

Juniper Platform Support

• Security Director supports Juniper Networks devices running Junos OS 10.3 and later
• Only SRX Series devices are currently supported
• ScreenOS devices are not currently supported


Juniper Platform Support

Junos Space Security Director supports Juniper Networks devices running Junos OS 10.3 and later releases.
Currently, only the SRX Series are supported. Security Director does not currently support ScreenOS devices.


Slide 12

Scalability

• Ease of scaling the system: just add a node to the fabric
• System takes care of starting all services and Apps in additional nodes
• 1:1 DB redundancy
• Active-Active clustering across data centers (Primary DC / Secondary DC)

(Diagram: every Platform node carries the same stack of REST/HTTP, WS-API, EXT-JS and App1/App2/App3)

Easy to Scale | Load Balancing | Reduced Cost


Scalability

The Junos Space architecture provides excellent scalability with respect to the number of managed devices as well as
the number of simultaneous user sessions. We have also drastically simplified the process of scaling up with demand.
You can start with a single appliance in the fabric and add more appliances to the fabric using the graphical user
interface (GUI). The new appliances become part of the fabric automatically in the back end and start sharing the
load immediately.


Slide 13

Element Management Functionality

• Devices: Discovery and Inventory / Tagging / Configuration Editor
• Device templates
• Topology visualization
• Device images: Image management; Advanced image management / operations (scripts + images)
• Network monitoring: Fault / performance management
• Scripts (Junos Script Management)
• Config files: Configuration file management
• Job management
• Audit logs
• Administration: Includes schema management

(Partial capture of Job Management screen)


Element Management Functionality

Junos Space is an element management system and provides services to applications, including Security Director.
For example, it is responsible for job management. Security Director will give it a job, such as updating a device's
configuration, and Junos Space will execute the job. One of the more important things that the Junos Space platform
provides is RBAC, which allows the customer to separate who can do what. For example, one person or a group of
people might be given the authorization to manage firewall policies but not virtual private networks (VPNs), and
another group might be given the capability to manage intrusion prevention system (IPS) policy but not firewall policy.
RBAC is a very useful feature, particularly in large organizations.


Slide 14

Junos Space Deployment

• Delivered to customers as a fabric
• Embodied in a number of common appliances (physical and virtual)
• Apps enabled by simple licenses

Hardware appliance:
• Quad-core processor
• 8 GB memory
• 3x 1TB HDD
• Hot-swappable drives (RAID 5)
• 2U rack-mountable chassis
• Runs CentOS operating system

Virtual appliance:
• Identical ISO, including OS
• Current release is VMware-based
• Other hypervisors planned in future releases
• Identical deployment options


Junos Space Deployment

The Junos Space platform is available in two form-factors to offer a wide range of deployment options to suit the
needs of your organization. The two form-factors are the JA1500 hardware appliance and a Virtual Appliance that can
be hosted on VMware ESX servers. The JA1500 appliance is purpose-built to host the Junos Space Network
Management Platform and is fine-tuned to ensure high availability and high performance of Junos Space applications.
It does not require hardware and operating system configuration expertise to deploy the appliance and also makes
initial configuration and deployment quite easy by providing a simple menu-driven console interface. Another
advantage of deploying Junos Space hardware appliance is that it simplifies ordering, maintenance, and support of
your network by making Juniper Networks the single destination for all your hardware and software requirements for
Junos Space, as well as your other networking devices.

A Junos Space Virtual Appliance includes the same software and all the functionality available in a Junos Space
hardware appliance. However, you must deploy the virtual appliance on a VMware ESX server (version 3.5 or higher)
or an ESXi server (version 4.0 or higher). The main driver for choosing Junos Space Virtual Appliances would be that
it allows you to utilize any existing investment already made in VMware virtualization infrastructure instead of
purchasing new hardware. You can also scale up a Junos Space Virtual Appliance by increasing the resources
assigned to it in terms of CPU, memory, and disk space. The environment for the lab exercises you will undertake in
this course uses the Junos Space Virtual Appliance.

Extending the breadth of the Junos Space Network Management Platform are multiple Junos Space Management
Applications that optimize network management for various domains. These applications, with their easy-to-use
interface, enable you to provision new services across thousands of devices and optimize workflow tasks for specific
domains, such as core, edge, data center, campus, security, mobile, and more. The applications available for Junos
Space today include Services Activation Director, Network Director, Service Now, Service Insight, Content Director,
Virtual Control, and Security Director.

Now, let's take a closer look at Security Director.


Slide 15

Security Director
Building the Foundation for Security Management

(Screenshot: the Security Director Dashboard, with the global search tool highlighted)


Security Director

Security Director is a management application that runs on the Junos Space Network Management Platform. It
provides deep element management for extensive fault, configuration, accounting, performance, and security
management (FCAPS) capability, same-day support for new devices and Junos releases, a task-specific user
interface, and northbound APIs to easily integrate into existing network management system (NMS) or operations
support systems/business support systems (OSS/BSS) deployments. The latest Security Director features include
powerful application identification and control with AppSecure, as well as firewall, IPS, Network Address Translation
(NAT), and VPN security policy management.

The image on this slide shows the Security Director Dashboard. This is the landing page for Security Director. Notice
that it contains a global search tool. This search tool allows you to search for IP addresses that belong to hosts, or
even if an IP address belongs to a range. The search is free-text and you can enter multiple terms and phrases using
AND or OR operators.

The task tree in the left pane will take you to the different areas and workspaces within Security Director. As you can
see on the image on the slide, at the top of the task tree you will find Firewall Policy, which is where we will begin our
discussion.


Slide 16

Manage Firewall Policies

Policies are deployed in this order:
1. All Devices Policy (e.g. Allow Secure Communication)
2. Group of Devices Policy (e.g. Deny Facebook)
3. Device-Level Policy (e.g. Allow Email Services)

• Granular and flexible control of policies
• Better organization for compliance
• Reuse of policies across devices
• Device can be a member of multiple groups


Manage Firewall Policies

In addition to scalability and reliability benefits, using Security Director with SRX Series devices offers administrators a
scalable and maintainable approach to managing firewall policies. Security Director supports Policy Groups which
can be defined once and applied to multiple SRX Series devices. SRX Series devices can be in multiple groups
providing fine-grained control while increasing maintainability. Also included are Security Director configuration
templates which can be used to configure any function typically handled through the CLI, thus providing zero-day
support for new SRX Series features. As additional SRX Series innovations become available, Security Director
administrators will continue to benefit.
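The ordered deployment of the three policy levels, as an added example (not Security Director or Junos code): a Python model in which the all-devices rules, then the rules of every group a device belongs to, then the device-level rules are concatenated for each device and evaluated first-match. The match fields (application and service), the rule names, the group names and the device names are constructed for the example; the `shadowed()` check, which flags rules that can never match because an earlier rule already covers them, goes beyond what the slide shows but follows directly from the stated ordering.

```python
"""Added example (not Security Director or Junos code): how the three
policy levels on the slide compose into one ordered rulebase per device.

All-devices rules come first, then the rules of every group the device
belongs to (a device may be in several), then device-level rules; the
first rule that matches a flow decides it.  Rule, group and device names
below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    app: str = "any"       # "any" matches every application
    service: str = "any"   # "any" matches every service

    def covers(self, other: "Rule") -> bool:
        """True if every flow matched by `other` is also matched by self."""
        return (self.app in ("any", other.app)
                and self.service in ("any", other.service))

    def matches(self, app: str, service: str) -> bool:
        return self.app in ("any", app) and self.service in ("any", service)


@dataclass
class PolicyStore:
    all_devices: list = field(default_factory=list)   # level 1
    groups: dict = field(default_factory=dict)        # level 2: group -> [Rule]
    devices: dict = field(default_factory=dict)       # level 3: device -> [Rule]
    membership: dict = field(default_factory=dict)    # device -> [group, ...]

    def rulebase(self, device: str) -> list:
        """Ordered rulebase as it would be deployed to one device."""
        rules = list(self.all_devices)
        for group in self.membership.get(device, []):
            rules.extend(self.groups.get(group, []))
        rules.extend(self.devices.get(device, []))
        return rules

    def evaluate(self, device: str, app: str, service: str, default="deny"):
        """First-match evaluation; returns (rule name, action)."""
        for rule in self.rulebase(device):
            if rule.matches(app, service):
                return rule.name, rule.action
        return "default", default

    def shadowed(self, device: str) -> list:
        """Names of rules that can never match because an earlier rule in
        the deployed order already covers every flow they would match."""
        rules = self.rulebase(device)
        return [later.name for i, later in enumerate(rules)
                if any(earlier.covers(later) for earlier in rules[:i])]


def build_sample() -> PolicyStore:
    """Constructed policy set mirroring the slide's three examples."""
    store = PolicyStore()
    store.all_devices.append(Rule("Allow Secure Communication", "allow", service="https"))
    store.groups["branch"] = [Rule("Deny Facebook", "deny", app="facebook")]
    store.groups["east"] = [Rule("Allow DNS", "allow", service="dns")]
    store.devices["srx-branch-1"] = [
        Rule("Allow Email Services", "allow", service="smtp"),
        Rule("Block Facebook Again", "deny", app="facebook"),  # redundant: shadowed
    ]
    store.membership["srx-branch-1"] = ["branch", "east"]   # member of two groups
    store.membership["srx-hq"] = ["east"]
    return store


if __name__ == "__main__":
    s = build_sample()
    for device, app, service in [("srx-branch-1", "facebook", "http"),
                                 ("srx-branch-1", "facebook", "https"),
                                 ("srx-hq", "facebook", "http")]:
        print(device, app, service, "->", s.evaluate(device, app, service))
    print("shadowed on srx-branch-1:", s.shadowed("srx-branch-1"))
```

Note the effect of order: on srx-branch-1, Facebook over HTTPS is allowed by the all-devices rule before the branch group's Deny Facebook is ever consulted, while Facebook over HTTP is denied. Reviewing the composed per-device rulebase, rather than each level on its own, is how such overlaps and shadowed rules are caught before they are pushed to devices.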


Slide 17

IPS Signature Management

IPS Signatures:
• Granular signature management
• Static and dynamic groups
• Dynamic filter and searches
• Create custom signatures

IPS Signature Set:
• Built-in recommended signatures
• Clone and customize Juniper pre-defined signature sets

IPS Policy:
• Basic / Express: view generated IPS policy
• Advanced: edit IPS policy with full IPS rulebase editor
• Simple firewall integration

• Easier management with IPS integrated into firewall policies
• Automatically download and install signature DB updates
• Faster remediation through quick search and research on IPS signatures, sorted by your criteria


IPS Signature Management

Security Director provides quite a bit of flexibility when it comes to managing IPS. You can use the IPS Management
workspace to download and install the AppSecure signature database to security devices. You can automate the
download and install process by scheduling the download and install tasks and configure these tasks to recur at
specific time intervals. This ensures that your signature database is up-to-date. You can view the predefined IPS
policy templates and create customized IPS policy-sets in this workspace. You can also enable IPS configuration in a
firewall policy and provision IPS related configuration with firewall policy.

IPS signature management provides administrators with the following:

A granular view into the thousands of signatures that are downloaded;
The ability to schedule downloads of the latest signatures from Juniper's security site; once signatures are
downloaded, Security Director provides administrators with a granular and flexible way of filtering information;
The capability to take action from the signature page and create dynamic and static groups on the fly, then apply
them to existing firewall policies; and
The ability to have a common single-policy view across devices; administrators don't have to jump to different
places to configure policies.

Juniper Networks provides built-in signature sets that serve as getting-started guides. These allow administrators to
clone signatures and incorporate their own changes, reducing the learning curve while speeding up time to
deployment. Advanced policies allow advanced users to manipulate all aspects of IPS signatures, giving them more
control.


Slide 18

Manage NAT Policies

NAT types: Source | Destination | Static

• Granular control of NAT policies
• Easier management of complex NAT rules
• Less administration through reuse of NAT policies across devices


Manage NAT Policies

Security Director supports management of three types of NAT: source, destination, and static.

Security Director provides an easy way to manage and deploy NAT policies across devices. An intuitive user-interface
workflow allows administrators to configure simple and advanced NAT scenarios with ease.

A simple tabular view allows administrators to add new NAT rules, similar to adding a firewall rule. Administrators
have granular control of NAT policies and can reuse NAT policies across devices.


Slide 19

Simplify Management of IPsec VPN Tunnels

Topologies: Fully Meshed | Hub-and-Spoke | Site-to-Site

• Rapid deployment of fully meshed and hub-and-spoke VPNs
• Flexibility to deploy thousands of spokes with multiple hubs
• Better scale across thousands of site-to-site VPNs


Simplify Management of IPsec VPN Tunnels

Security Director simplifies management and deployment of IPsec VPNs. Administrators can use VPN Profiles and
apply them to multiple VPN tunnel configurations across multiple SRX Series devices. Security Director can mass
deploy fully meshed, hub-and-spoke, and site-to-site VPNs. Security Director interprets the administrator's desired
functionality and publishes the configuration required for all the SRX Series devices.


Slide 20

Object Builder Overview

• Create objects used by firewall policies, VPNs, and NAT policies
• Objects are stored in the Junos Space database
• Objects can be reused with multiple security policies, VPNs, and NAT policies
• Create, modify, clone, and delete: addresses and address groups; services and service groups; application
signatures; extranet devices; NAT pools; policy profiles; VPN profiles; variables; and templates and template
definitions


Object Builder Overview

You can use the Object Builder workspace in Security Director to create objects used by firewall policies, VPNs, and
NAT policies. These objects are stored in the Junos Space database. You can reuse these objects with multiple
security policies, VPNs, and NAT policies. This approach makes the design of services more structured and avoids
the need to create the objects during the service design.

You can use the Object Builder workspace to create, modify, clone, and delete the following objects:
Addresses and address groups;
Services and service groups;
Application signatures;
Extranet devices;
NAT pools;
Policy profiles;
VPN profiles;
Variables; and
Template and template definitions.

You will not be able to delete any of the objects you have created in Object Builder (except Template definitions and
Templates) if they are already used in one of the firewall policies, NAT policies, or VPNs.

Object Builder supports concurrent editing of its objects, with a save as option to save your changes with a different
name.
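The delete rule and the "save as" behaviour described above, as an added example (not Security Director code): a Python object store in which firewall policies, NAT policies and VPNs reference objects by name, a delete of a still-referenced object is refused except for templates and template definitions, and "save as" stores an edit under a new name so that the original stays untouched. The object names, the consumer names and the fact that a template is referenced from a device entry are all constructed for the example.

```python
"""Added example (not Security Director code): the reference check that
Object Builder's delete rule describes.  Objects are stored once and
referenced by name from firewall policies, NAT policies and VPNs; deleting
an object that is still referenced is refused, except for templates and
template definitions, which the text says may always be deleted.  All
object, policy and consumer names are constructed for the example.
"""


class InUseError(Exception):
    """Raised when a referenced object is about to be deleted."""


class ObjectStore:
    # Kinds the text allows deleting even while still referenced.
    DELETABLE_WHILE_REFERENCED = {"template", "template-definition"}

    def __init__(self):
        self.objects = {}    # (kind, name) -> attributes dict
        self.consumers = {}  # consumer (policy/NAT/VPN) name -> set of (kind, name)

    def create(self, kind, name, **attrs):
        key = (kind, name)
        if key in self.objects:
            raise ValueError(f"{kind} {name!r} already exists")
        self.objects[key] = dict(attrs)

    def save_as(self, kind, name, new_name, **changes):
        """Concurrent-edit friendly clone: keep the original, store the edit under a new name."""
        base = dict(self.objects[(kind, name)])
        base.update(changes)
        self.create(kind, new_name, **base)

    def reference(self, consumer, kind, name):
        """A policy/NAT/VPN starts using an object; dangling references are refused."""
        if (kind, name) not in self.objects:
            raise KeyError(f"{kind} {name!r} does not exist")
        self.consumers.setdefault(consumer, set()).add((kind, name))

    def drop_consumer(self, consumer):
        """The policy/NAT/VPN itself is removed, releasing its references."""
        self.consumers.pop(consumer, None)

    def references_to(self, kind, name):
        """Sorted names of every consumer still using the object."""
        return sorted(c for c, refs in self.consumers.items() if (kind, name) in refs)

    def delete(self, kind, name):
        users = self.references_to(kind, name)
        if users and kind not in self.DELETABLE_WHILE_REFERENCED:
            raise InUseError(f"{kind} {name!r} is used by: {', '.join(users)}")
        del self.objects[(kind, name)]
        for refs in self.consumers.values():
            refs.discard((kind, name))


def build_sample() -> ObjectStore:
    """Constructed objects and consumers for the example."""
    s = ObjectStore()
    s.create("address", "HQ-LAN", ip="10.0.0.0/24")
    s.create("service", "smtp-alt", protocol="tcp", port=2525)
    s.create("template", "branch-baseline", body="(template body)")
    s.reference("Firewall Policy: Branch", "address", "HQ-LAN")
    s.reference("Firewall Policy: Branch", "service", "smtp-alt")
    s.reference("VPN: HQ-Branch", "address", "HQ-LAN")
    s.reference("Device: srx-branch-1", "template", "branch-baseline")  # assumed consumer
    return s


if __name__ == "__main__":
    s = build_sample()
    print("HQ-LAN used by:", s.references_to("address", "HQ-LAN"))
    try:
        s.delete("address", "HQ-LAN")
    except InUseError as e:
        print("refused:", e)
    s.delete("template", "branch-baseline")   # allowed despite the reference
    print("remaining objects:", sorted(self_key for self_key in s.objects))
```

The error message lists the consumers by name, which is what an administrator needs in order to decide whether to edit those policies first or to keep the object; silently cascading the delete into the policies would be the unsafe alternative.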


Slide 21

Devices

• Discover, configure, and monitor devices from Junos Space


Devices

From the Devices workspace, you use device discovery to discover devices and (if the network is the system of
record) synchronize device configurations with the Junos Space database. You can use device discovery to discover
one or many devices at a time.

After Junos Space discovers your network devices, you can perform the following tasks to monitor and configure
devices from Junos Space:
View statistics about the managed devices in your network, including the number of devices by platform and the
number of Junos family devices by release.
View connection status and configuration status for managed devices.
View operational and administrator status of the physical interfaces on which devices are running.
View hardware inventory for a selected device, such as information about power supplies, chassis cards, fans,
FPCs, and available PIC slots.
If the network is the system of record, resynchronize a managed device to update the device configuration in the
Junos Space database to reflect that of the physical device. (If Junos Space is the system of record, this capability is
not available.)
Deploy service orders to activate a service on your network devices, and
Troubleshoot devices.


Slide 22

Job Management

• Search feature available
• Security Director assigns an ID to all jobs
• Various information is stored and associated with the Job ID
• Warning messages and further information associated with jobs can be viewed by double-clicking on the job


Job Management

Whenever users modify configurations, publish changes, or perform any kind of action with Security Director, it is seen
as a job in the Job Management workspace. Security Director assigns an ID to the job for future reference and audits.
Depending on the Job Type, various information is collected, stored, and associated with the Job ID. This is essential
to keeping track of activity, collaborating amongst users, and troubleshooting.

The Job Management search feature can be used to search for specific information.

Warning messages and further information associated with jobs can be viewed by double-clicking on the job.


Slide 23

Security Design Devices

• View and perform device-level operations
• Displays only the devices under the Security Director application


Security Design Devices

Under the Security Design Devices workspace in the task tree, you can view and perform device-level operations. This
tabular view displays only the devices managed under the Security Director application.
Let's take a look at the most commonly referenced columns.

Connection Status is the primary indicator of basic connectivity. Only once the connection status is UP can
Junos Space attempt to discover the device and gain management status.

The Management Status indicator shows whether Junos Space is connecting, out-of-sync, synchronizing, and so on.

Configuration Status indicates whether the device configuration matches that of the Junos Space database.

Pending Services shows you what published changes have not been updated onto the device. These could be any of
either, Firewall Policy, NAT Policy, VPN Policies, or IPS Policies.

Next, let's take a look at the Action menu available in the upper right corner of the screen.

Preview Configuration will display the changes that are published but not yet pushed to the devices.

The Update option will update the device and commit the selected published changes. This will bring the device into
the In-Sync state.

Junos Space enables an auto-resynchronization feature on the physical device when initiating a commit operation.
After auto-resynchronization is enabled, any configuration changes made on the physical device, including out-of-
band CLI commits and change-request updates, automatically trigger resynchronization on the device. We can set the
System Of Record as Space DB or Device, so if changes are made external to Junos Space, Junos Space will import
those changes.

The Resynchronize with Platform option allows you to resynchronize a managed device at any time. That is, when a
managed device is updated by a device administrator from the device's native GUI or CLI, we can resynchronize the
device configuration with the Junos Space database and the physical device.


Slide 24

Downloads and Audit Logs

Downloads:
• Download AppFW and IPS signatures
• View signature download logs
• View active databases

Audit Logs:
• Monitor Security Director events
• Audit logs by task, user, workspace, or application


Downloads and Audit Logs

There are two final sections to briefly point out in the Security Director task tree.

The first is Downloads, which is where you can download AppFirewall and IPS signatures. By clicking Downloads you
will be able to see the signature download logs from the last two weeks. You will see the active databases that were
downloaded earlier. At any time, Security Director will have only one active signature database. This section also
allows you to download and install a signature database.

The final section to mention from the task tree is Audit Logs. You can monitor Security Director events using the Audit
Logs section. Security Director automatically logs user events. The Audit Logs section will allow you to view audit logs
by task, user, workspace, and application.


Slide 25

Publish Workflow
Delegate and Check Policy Work Before Provisioning With Publish Workflow

Design: Create Policy, Create VPN, Create NAT, Create IPS, Signatures
Publish: Schedule updates, Bulk update, View impacted devices, View CLI, Verification, Optimization
Update: Granularity, Device status

• Better policy oversight via cross checks at every stage of the workflow
• Fewer errors by separating policy work by role (designer, reviewer, operator)
• Approve policies by viewing actual CLI before provisioning


Publish Workflow

To make a configuration change on an SRX device, there is a three-step process, and these three steps can be
assigned to different people using the role-based access control (RBAC) in the Junos Space platform.

The first step is design. The design step is performed in Security Director, where you make edits to the firewall policy,
VPNs, NAT, or just objects. After you finish making your changes, you click save, and that saves it locally within
Security Director. At this point, it is saved, but it has not been sent to the device.

The next step is the publish stage, and this is typically where a separate person is verifying the design changes that
have been made. In this step, the person can see the configuration that will be sent to the device. Literally you can
see the CLI set or delete commands that can be sent to the device and you can review them and decide what is
appropriate. If it is appropriate and you want to proceed, then you publish the changes. Publishing makes the changes
available for the update process.

The update process is what does the writing to the device using the Junos Space platform to execute the changes.
This update can be done just by clicking a button if you want to do it now or it is very easy to schedule it for a later
date and time. Again, in large organizations, we typically see the design being performed by many people, while
publishing is typically limited to the more senior people, the ones reviewing and approving. Finally, the update is
typically done by the operations group. In a smaller organization, these three roles are probably done by one or two
people, so it just depends on the scale of the organization.

Publish Workflow is a feature supported across all the functional modules: firewall, VPN, NAT, and IPS.

In the lab you will perform next, you will have a chance to take a hands-on look at Junos Space and verify that
Security Director is installed. You will revisit Security Director in subsequent labs.


Slide 26

Lab 1: Logging in to the Junos Space GUI and Implementing Device Discovery

Log in to Junos Space
Verify the Junos Space version
Verify installed applications

 Pause this presentation, follow the link shown below to Juniper's Virtual Lab environment, open the Lab Guide, and
complete Lab 1

https://virtuallabs.juniper.net/

Upon completing Lab 1, return to this presentation and click the Play button to proceed.


Lab 1: Logging in to the Junos Space GUI and Implementing Device Discovery

In this lab you will:

Log in to Junos Space;
Verify the Junos Space version; and
Verify installed applications.

At this point, you should pause this presentation, follow the link to Juniper's Virtual Lab environment, open the Lab
Guide, and complete the lab portion of this section. When you are finished, return to this presentation and click Play to
continue.

Enter Virtual Lab: https://virtuallabs.juniper.net/


Slide 27

Section Summary

 In this section, we:
Described Junos Space features and capabilities
Described the Security Director application
Discussed the features and capabilities of Security Director


In this section, we:

Described Junos Space features and capabilities;
Described the Security Director application; and
Discussed the features and capabilities of Security Director.


Slide 28

Learning Activity 1: Question 1

 True or false: Security Director is the new name for Security Design.
A. True
B. False


Learning Activity 1: Question 1


Slide 28

Learning Activity 1: Question 2

 What are the three types of NAT management supported on Security Director? (Select three.)
A. Source
B. Destination
C. Stateful
D. Static


Learning Activity 1: Question 2


Slide 29

Junos Space
Security Director
Technical Overview

Creating VPN Policies


Creating VPN Policies

In this section, you will learn how to create and deploy IPsec VPNs using Security Director.


Slide 30

Section Objectives

 After successfully completing this section, you will be able to:
Describe VPN Profiles
Describe the creation and publishing process for IPsec VPNs using Security Director


After successfully completing this section, you will be able to:

Describe VPN Profiles; and
Describe the creation and publishing process for IPsec VPNs using Security Director.


Slide 31

VPN Profiles Overview

Find Create VPN Profile under Object Builder in the Security Director task tree


VPN Profiles Overview

Prior to creating VPNs, you should ensure that you have any necessary custom VPN proposals already configured
under the Object Builder by creating VPN Profiles. VPN Profiles are relatively static configurations; they do not change
often. Once created, these profiles can then be applied to the creation and management of VPN tunnels.

You can use a VPN Profile Wizard to create an object that specifies the VPN proposals, mode of the VPN, and other
parameters used in a route-based IPsec VPN. You can also configure the Phase 1 and Phase 2 settings in a VPN
profile. When a VPN Profile is created, Junos Space creates an object in the Junos Space database to represent the
VPN Profile. You can use this object to create route-based IPsec VPNs.


Slide 32

Create VPN
Select VPN > Create VPN from the task tree on the Security Director Dashboard view

Policy Based VPN was introduced in version 12.1

You can select a VPN Profile here


Create VPN

From the Security Director task tree, select VPN, then select the Create VPN link.

When you create a VPN, the first step is to configure the basic VPN parameters and topology types. Policy Based
VPNs are only used in site-to-site VPN topologies. Route-based VPNs are more flexible and scalable and typically the
VPN of choice for most deployments. You can select between Site-to-Site, Full-Mesh, and Hub-and-Spoke VPN types.
From this screen you can also apply the necessary VPN Profile and choose the Pre-Shared Key options.


Slide 33

Create VPN: Add as Endpoint Screen

Filter to quickly find devices


Create VPN: Add as Endpoint Screen

On the next screen, select the SRX Series devices that will become endpoints from the Available pane. For hub-and-
spoke topologies, you can select the devices that will be hubs (designated by an H in the Selected pane) and
endpoints (designated by an E in the Selected pane).


Slide 34

Create VPN: Tunnel, Route, and Global Setting Pane

OSPF and RIP routing (new since version 12.1)


Create VPN: Tunnel, Route, and Global Setting Pane

On the next screen, select the interface type in the Tunnel Settings pane. If you select Numbered as the tunnel
setting, enter the IP subnet in the IP Subnet field that appears when the Numbered radio button is selected.
Select the routing options in the Route Settings pane. If you select OSPF, the following options are available:
Export Static Routes: check this box to export static routes.
Export RIP Routes: check this box to export RIP routes.
Area: a numeric field where you enter the area ID.

If you select RIP, the following check boxes are available:
Export Static Routes: check this box to export static routes.
Export OSPF Routes: check this box to export OSPF routes.

In the Global Settings pane, enter the external interface in the External Interface field, the tunnel zone in the Tunnel
Zone field, and the zone type in the Protected Network Zone field.

If you have chosen to create a hub-and-spoke VPN, you will see Hub and Spoke under the Type column. Enter the
appropriate values in the External Interface, Tunnel Zone, and Protected Network Zone fields. The tunnel is shared
accordingly based on the value specified for the number of spoke devices per tunnel interface.


Slide 35

Create VPN: Summary Screen

Any errors on this page must be eliminated by modifying the configuration before you can proceed to the next step.


Create VPN: Summary Screen

The screen that appears next gives you a preview of the values you entered for the VPN. The screen displays error
indicators if the options you have configured do not map to the device. You can also click the Show all Errors check
box to view all errors in the configuration. If errors are present, you must modify the configuration to eliminate them
before you can proceed to the next step.


Slide 36

Publish and Update VPN

Select the VPN you want to publish by checking the checkbox

Current publish state

Click View to preview the configuration changes before publishing. The CLI Configuration tab appears by default. You
can view the configuration details in the CLI format.

Publish buttons


Publish and Update VPN

Click Publish VPN from the Security Director task tree. The Services page appears with all the VPNs listed. It also
displays the publish states of all the VPNs. Select the checkbox next to the VPN that you want to publish.

Configuration changes can be viewed, published, and updated. VPNs are moved into Published state once the
configuration is published to all the devices involved in the VPN. If the configuration is not published to all the devices
involved in the VPN, the VPN is placed in the Partially Published state. If a VPN is created but not published, the VPN
is placed in the Unpublished state. If any modifications are made to the VPN configuration after it is published, the
VPN is placed in the Republish Required state. You can view the states of the VPN by hovering over them. A new job
is created and the Job ID appears in the Job Information dialog box.

If you get an error message during the publish process or if the VPN publish process fails, go to the Job Management
workspace and view the relevant Job ID to see why the publish process failed.
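The design, publish and update steps described under Publish Workflow, together with the four VPN publish states above, can be modelled as a small state machine. The code below is an added illustration for this guide, not Security Director code and not its API; the role names (designer, reviewer, operator) follow the narration, and the VPN name and device names are constructed.

```python
from dataclasses import dataclass, field

# The four publish states Security Director shows on the Services page.
UNPUBLISHED = "Unpublished"
PUBLISHED = "Published"
PARTIALLY_PUBLISHED = "Partially Published"
REPUBLISH_REQUIRED = "Republish Required"

# Assumed role-to-step mapping, following the narration: designers save,
# reviewers publish, and the operations group runs the update.
ROLE_PERMISSIONS = {
    "designer": {"save"},
    "reviewer": {"publish"},
    "operator": {"update"},
}


class NotPermitted(Exception):
    """The role is not allowed to perform this workflow step."""


def allowed(role, step):
    return step in ROLE_PERMISSIONS.get(role, set())


@dataclass
class Vpn:
    name: str
    devices: frozenset                         # SRX endpoints of this VPN
    config: dict = field(default_factory=dict) # design, saved locally in SD
    revision: int = 0                          # bumped on every save
    published_revision: dict = field(default_factory=dict)  # device -> revision published
    updated_revision: dict = field(default_factory=dict)    # device -> revision pushed

    def state(self):
        if not self.published_revision:
            return UNPUBLISHED
        if max(self.published_revision.values()) < self.revision:
            return REPUBLISH_REQUIRED          # edited after it was published
        current = {d for d, r in self.published_revision.items() if r == self.revision}
        return PUBLISHED if current == self.devices else PARTIALLY_PUBLISHED


class Workflow:
    def __init__(self):
        self.jobs = []                         # (job_id, step, vpn name, devices)

    def _check(self, role, step):
        if not allowed(role, step):
            raise NotPermitted(f"role {role!r} may not {step}")

    def _job(self, step, vpn, devices):
        job_id = len(self.jobs) + 1            # every publish/update creates a job
        self.jobs.append((job_id, step, vpn.name, tuple(sorted(devices))))
        return job_id

    def save(self, role, vpn, **changes):
        """Design step: the edit is stored in Security Director, nothing reaches the device."""
        self._check(role, "save")
        vpn.config.update(changes)
        vpn.revision += 1

    def publish(self, role, vpn, devices=None):
        """Publish step: approve the saved revision for some or all endpoints."""
        self._check(role, "publish")
        targets = frozenset(devices) if devices is not None else vpn.devices
        if not targets <= vpn.devices:
            raise ValueError(f"not endpoints of {vpn.name}: {sorted(targets - vpn.devices)}")
        if vpn.revision == 0:
            raise ValueError("nothing has been saved for this VPN yet")
        for d in targets:
            vpn.published_revision[d] = vpn.revision
        return self._job("publish", vpn, targets)

    def update(self, role, vpn):
        """Update step: push the published revision to every device that has one."""
        self._check(role, "update")
        for d, r in vpn.published_revision.items():
            vpn.updated_revision[d] = r
        return self._job("update", vpn, vpn.published_revision)
```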


Slide 37

Lab 2: Create and Deploy VPN Policies

 Implement device discovery
 Create and deploy VPN policies

https://virtuallabs.juniper.net/

Upon completing the lab, return to this presentation and click the Play button to proceed.

Lab 2: Create and Deploy VPN Policies

In this lab you will:

Implement device discovery; and
Create and deploy VPN policies.

At this point, you should return to the Virtual Lab session you opened previously and complete the lab portion of this
section. When you are finished, return to this presentation and continue.

Enter Virtual Lab: https://virtuallabs.juniper.net/


Slide 38

Section Summary

 In this section, we:
Described VPN Profiles
Described the creation and publishing process for IPsec VPNs using Security Director


In this section, we:

Described VPN Profiles; and
Described the creation and publishing process for IPsec VPNs using Security Director.


Slide 39

Learning Activity 2: Question 1

 Policy-based VPNs are only used in what type of topology?
A. Hub-and-spoke
B. Fully meshed
C. Site-to-site
D. None of the above


Learning Activity 2: Question 1


Slide 39

Learning Activity 2: Question 2

 Which of the following are VPN publish states? (Select all that apply.)
A. Published
B. Partially published
C. Republish Required
D. Unpublished


Learning Activity 2: Question 2


Slide 40

Junos Space
Security Director
Technical Overview

Creating Firewall Policies


Creating Firewall Policies

In this section, you will learn how to create and deploy firewall policies using Security Director.


Slide 41

Section Objectives

 After successfully completing this section, you will be able to:
Identify the primary firewall types and their characteristics
Describe firewall policy creation
Discuss adding and modifying firewall policies
Describe locking firewall policies for editing


After successfully completing this section, you will be able to:

Identify the primary firewall types and their characteristics;
Describe firewall policy creation;
Discuss adding and modifying firewall policies; and
Describe locking firewall policies for editing.


Slide 42

Firewall Policies

 Two primary firewall policy types
Zone policies: All-devices, Group, Device
Global policies: All-devices, Group, Device

All-Devices: all managed devices
Group: group of devices
Device: device specific


Firewall Policies

There are two primary types of firewall policies: zone and global.

Zone policies are typical inter-zone policies configured on the SRX Series devices, and Security Director breaks these
down into rule types of All-Devices, Group, and Device.

Global policies are also broken down into All-Devices, Group, and Device. Global policy rules are enforced regardless
of ingress or egress zones; they apply to any traffic transiting the device. Any objects defined in the global policy rules
must be defined in the global address book.

Thus, for each policy type, there are three kinds of rules we will discuss: All-Devices (all managed devices), Group
(group of devices), and Device (device specific).

You do not have to use global policies; you could just use zone policies if you wish. However, if you want to perform
actions on traffic and do not care about the zones (for example, you want to permit all traffic to access a given server
in the DMZ), you would have to configure multiple inter-zone policies. Global policies provide you with the flexibility to
perform actions on traffic without the restrictions of zone specifications. Security Director allows you to further scale
this feature across multiple devices.

Note that regular inter-zone policies take precedence over global policies.


Slide 43

Policy Versioning for Firewall Policy

 Snapshot, rollback, delete, and compare versions
 Maximum number of versions maintained for any policy is 60
 Versioning and rollback are independent operations for each policy
 Tasks that can be performed on the snapshots:
Roll back to a specific version
View the differences between two versions
Delete versions from the system

A snapshot is captured automatically when a policy is published


Policy Versioning for Firewall Policy

Policy versioning allows users to snapshot, rollback, delete, and compare policy versions. You create a policy version
by taking a snapshot of the policy. You can create versions for all types of firewall policies including All-Devices,
Group, Device, and Device exceptions. The maximum number of versions maintained for any policy is 60. If the
maximum limit is reached, you must delete the unwanted versions before saving a new version. Versioning and
rollback are independent operations for each policy. For example, if you take a snapshot of a group firewall policy, it
does not version all device policy rules and hence you must separately version each of the policy rules. A snapshot is
also captured automatically when a policy is published.

You can view or manage all available versions of a selected policy. The following tasks can be performed on the
snapshots:
Roll back to a specific version. The rollback operation replaces all the rules and rule groups of the current version
with rules and rule groups from the selected version.
Compare the differences between any two versions of the policy (including the current version).
Delete one or more versions from the system.
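The versioning behaviour just described (snapshot, automatic snapshot on publish, the 60-version limit, rollback replacing all rules and rule groups, compare, delete) is modelled below as an added illustration for this guide; it is not Security Director code, and the policy and rule names are constructed.

```python
import copy
from dataclasses import dataclass

MAX_VERSIONS = 60   # versions Security Director keeps per policy


class VersionLimitReached(Exception):
    """60 versions exist; delete unwanted ones before saving a new version."""


@dataclass(frozen=True)
class Snapshot:
    version: int
    comment: str
    rules: dict         # rule name -> rule attributes (deep copy)
    rule_groups: dict   # group name -> tuple of rule names (deep copy)


class VersionedPolicy:
    """One firewall policy with its own, independent version history.

    Versioning is per policy: snapshotting a group policy does not version
    the device policies underneath it, so each policy gets its own instance.
    """

    def __init__(self, name):
        self.name = name
        self.rules = {}          # working copy; insertion order is rule order
        self.rule_groups = {}
        self.snapshots = []
        self._next_version = 1

    def snapshot(self, comment="manual snapshot"):
        if len(self.snapshots) >= MAX_VERSIONS:
            raise VersionLimitReached(
                f"{self.name}: {MAX_VERSIONS} versions kept, delete some first")
        snap = Snapshot(self._next_version, comment,
                        copy.deepcopy(self.rules), copy.deepcopy(self.rule_groups))
        self._next_version += 1
        self.snapshots.append(snap)
        return snap.version

    def publish(self):
        """Publishing a policy captures a snapshot automatically."""
        return self.snapshot("auto snapshot on publish")

    def versions(self):
        return [s.version for s in self.snapshots]

    def _get(self, version):
        for s in self.snapshots:
            if s.version == version:
                return s
        raise KeyError(f"{self.name} has no version {version}")

    def rollback(self, version):
        """Replace ALL rules and rule groups of the working copy with the selected version's."""
        snap = self._get(version)
        self.rules = copy.deepcopy(snap.rules)
        self.rule_groups = copy.deepcopy(snap.rule_groups)

    def compare(self, version_a, version_b=None):
        """Rule-level differences; version_b=None compares against the current working copy."""
        a = self._get(version_a).rules
        b = self.rules if version_b is None else self._get(version_b).rules
        return {
            "added": sorted(set(b) - set(a)),
            "removed": sorted(set(a) - set(b)),
            "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
        }

    def delete(self, *versions):
        missing = set(versions) - set(self.versions())
        if missing:
            raise KeyError(f"{self.name} has no versions {sorted(missing)}")
        self.snapshots = [s for s in self.snapshots if s.version not in versions]


def can_snapshot(policy):
    """True while the policy is below the per-policy version limit."""
    return len(policy.snapshots) < MAX_VERSIONS
```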


Slide 44

Configuring Firewall Policies


Configuring Firewall Policies

To begin configuring a firewall policy, click Create Policy under Firewall Policy in the Security Director task tree. The
Create Policy pane appears. From this screen, along with giving the policy a name and description, you can select the
policy type, priority, precedence, and select a profile. You also select the devices the policy is for, and the IPS
configuration mode.

When creating a policy, you can define whether it is zone or global. Security Director permits users to manage the
current inter-zone firewall policies and the new global policy rules supported on SRX Series devices. Because both
are managed within a single firewall policy, there is no change in workflow for publish and update. Essentially, zone
and global policies are published and updated together.

Note that creating zones is currently done under Network Application Platform. Enhancements will be made to future
Security Director releases. Zones are typically one-time settings defined along with interface settings.


Slide 45

Policy Tabular View

Firewall policy names | Rules for the selected firewall policy

Precedence:
Zone [All-Device (pre) -> Group (pre) -> Device -> Group (post) -> All-Device (post)]
Global [All-Device (pre) -> Group (pre) -> Device -> Group (post) -> All-Device (post)]


Policy Tabular View

When you first select Firewall Policy, the policy tabular view appears. This tabular view is a table with two panes as
shown on the slide. The left pane is the tabular view with the firewall policies listed by their names. In Security
Director, a firewall policy is a set of rules arranged in order of precedence. The right pane displays the rules that the
firewall policy actually consists of. You can search on information pertaining to firewall policies on the left pane, and
you can search on information pertaining to rules on the right pane, such as zones, addresses, descriptions, and so
on.


Slide 46

Adding and Modifying Rules

 A new rule can be added before or after a selected rule
 By default, the source zone is trust, destination zone is untrust, services are set to any, and action is set to deny

Default settings can be modified as needed


Adding and Modifying Rules

When you select a rule, you can add a new rule before or after that rule. The new rule is assigned a serial number
based on the number of rules already added to the policy. By default the source zone is trust, the destination zone is
untrust, the services are set to any, and the action is set to deny. You can modify the default settings as needed. The
action can be permit, deny, reject, or tunnel.
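The precedence shown on the Policy Tabular View slide (All-Devices pre-rules, then Group pre-rules, Device rules, Group post-rules and All-Devices post-rules, with zone policies evaluated before global ones) and the defaults a new rule receives can be checked with a small evaluator. This is an added example for this guide, not Security Director or Junos code; the rule base, addresses and flows are constructed samples, and it generalises to any mix of zone and global rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"
# Precedence of rule scopes within one policy type: pre-rules first, post-rules last.
SCOPE_ORDER = ("all-devices-pre", "group-pre", "device", "group-post", "all-devices-post")


@dataclass(frozen=True)
class Rule:
    name: str
    scope: str                  # one of SCOPE_ORDER
    policy_type: str = "zone"   # "zone" or "global"
    src_zone: str = "trust"     # the defaults below are what a new SD rule gets
    dst_zone: str = "untrust"
    src_addr: str = ANY         # CIDR prefix or "any"
    dst_addr: str = ANY
    service: str = ANY          # e.g. "tcp/443", or "any"
    action: str = "deny"        # permit, deny, reject or tunnel

    def __post_init__(self):
        if self.scope not in SCOPE_ORDER:
            raise ValueError(f"{self.name}: unknown scope {self.scope!r}")
        if self.policy_type not in ("zone", "global"):
            raise ValueError(f"{self.name}: unknown policy type {self.policy_type!r}")


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: str


def _addr_match(pattern, ip):
    return pattern == ANY or ip_address(ip) in ip_network(pattern, strict=False)


def _matches(rule, flow):
    # Zone rules are bound to an ingress/egress zone pair; global rules are not.
    if rule.policy_type == "zone" and (rule.src_zone, rule.dst_zone) != (flow.src_zone, flow.dst_zone):
        return False
    return (_addr_match(rule.src_addr, flow.src_ip)
            and _addr_match(rule.dst_addr, flow.dst_ip)
            and rule.service in (ANY, flow.service))


def effective_order(rules):
    """Rules in the order the device evaluates them: all zone rules before all
    global rules, each ordered by scope; order within one scope is preserved."""
    def key(indexed):
        i, r = indexed
        return (0 if r.policy_type == "zone" else 1, SCOPE_ORDER.index(r.scope), i)
    return [r for _, r in sorted(enumerate(rules), key=key)]


def evaluate(rules, flow, default_action="deny"):
    """First matching rule wins; nothing matching falls to the default (deny on SRX)."""
    for rule in effective_order(rules):
        if _matches(rule, flow):
            return rule.action, rule.name
    return default_action, None


# Constructed sample rule base, deliberately listed out of precedence order.
SAMPLE_RULES = [
    Rule("dev-deny-inbound", "device", src_zone="untrust", dst_zone="trust"),
    Rule("dev-allow-dns", "device", src_addr="10.1.0.0/16", service="udp/53", action="permit"),
    Rule("dev-deny-internal-web", "device", dst_zone="dmz", dst_addr="172.16.5.10/32", service="tcp/443"),
    Rule("allow-mgmt-ssh", "all-devices-pre", src_zone="untrust", dst_zone="trust",
         dst_addr="10.0.0.5/32", service="tcp/22", action="permit"),
    Rule("group-post-block-ftp", "group-post", service="tcp/21"),
    Rule("global-dmz-web", "device", policy_type="global", dst_addr="172.16.5.10/32",
         service="tcp/443", action="permit"),
]
```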


Slide 47

All Devices Policies

 All Devices policies are predefined firewall policies available with Security Director


All Devices Policies

All Devices policies are predefined firewall policies available with Security Director, for example, allowing
management access. You can add prerules and postrules. All Devices enables rules to be enforced globally on all the
devices managed by Security Director.


Slide 48

Group Policies

 Group policies are firewall policies shared with multiple devices
 Used to update a specific firewall policy config to a large set of devices


Group Policies

Group policies are firewall policies shared with multiple devices. This type of policy is used when you want to update a
specific firewall policy configuration to a large set of devices. You can create group prerules, group postrules, and
device rules for a group.


Slide 49

Device Policies

 Device policies are device specific policies unique to an SRX Series device


Device Policies

Device policies are a type of firewall policy that is created per device. This type of policy is used when you want to
push a unique firewall policy configuration per device. You can create device rules for a device firewall policy.


Slide 50

Policy Locking for Firewall and NAT (1 of 2)

 Prevents users from editing the same policy at the same time
 Users can lock more than one policy at a time
 User will be notified if they try to lock a policy that is already locked by another user

Click lock icon to lock the selected policy for editing
A lock symbol appears next to the locked policies


Policy Locking for Firewall and NAT: Part 1

The locking feature within Security Director prevents multiple users from editing the same policy at the same time,
thereby avoiding conflicts. Policy objects such as firewall and NAT policies support exclusive locking for editing.
Objects used in the policies (such as Address, Service, NAT pools, and Variables) support "save as" functionality if the
objects were changed since they were opened for editing.

Before you can edit a policy, you must lock it by clicking the lock icon, which is available in the policy view toolbar. You
can hold more than one policy lock at a given time. You can unlock the policy by clicking the unlock icon next to the
lock icon in the policy tabular view. If you attempt to lock a policy that is already locked by another user, a message will
appear to let you know the policy has been locked by another user. There is also an Admin screen available which
shows who holds locks and allows the admin to override any of the locks.


Slide 51

Policy Locking for Firewall and NAT (2 of 2)

 Default inactivity timer value is 5 minutes
 Various warning messages will appear due to inactivity, lock expiration, unsaved changes, lock release, and so on


Policy Locking for Firewall and NAT: Part 2

When a locked policy is inactive, a message will appear to the user 1 minute before the timeout interval expires to give
the user the option to click Yes and extend the locking period; the default timeout value is 5 minutes. If No is clicked,
and if there is activity on the policy within the last minute of the lock's life, the timer will be reset and the lock will not
be released. If you ignore the message, when the policy lock timeout interval expires 1 minute later, you are prompted
to either save the edited policy with a different name or lose the changes.
The system will use these and other messages to prompt or alert the user throughout the process.


Slide 52

AppFW Rules

 Firewall policy rules can be extended to leverage the application firewall feature, part of the AppSecure feature-set


AppFW Rules

Firewall policy rules can be extended to leverage the application firewall feature. Application firewalling is part of the
AppSecure feature-set that can be licensed on the SRX Series. Devices that support AppFW will additionally have
AppFW rules to further enhance security of detected Layer 7 application sessions that might have bypassed the Layer
3/Layer 4 rules.

AppFW is a column within the firewall policy. Shown on screen is what happens if you click on a cell for one of the
rules: it pops up the AppFW Configuration window. The AppFW Configuration window allows you to specify whether
you want to create a blacklist, a whitelist, or simply disable AppFW.


Slide 53

Application Signature Selector Example: Granular control of Facebook applications


Application Signature Selector

The advanced application signature selector is shown on screen. In this example, the user has filtered for Facebook,
and in this case Farmville has been selected for the purposes of blacklisting. You can perform similar actions either by
searching (using the search box in the top right corner), or you can filter based on categories as shown on the left.


Slide 54

AppSecure User / Role Policy

 Source identity field
 Provides more granularity for user access (who can get access to which application)
 Works very well with AppFW

SRX interacts with UAC to get roles
SD queries firewall for roles


AppSecure User / Role Policy

A new feature in Security Director version 12.2 is the source identity field. This feature allows for further granularity in
who can get access to which applications, so it works very well with the AppFW feature. For example, in the particular
rule being edited on this slide, the user is selecting Marketing to be allowed access to Facebook. Similarly, they
could block Engineering from accessing Farmville. The SRX Series device talks to the UAC (or Infranet
Controller) to get the roles, and then Security Director talks to the firewall to find out which roles it is aware of. Then
you can select one or more of the roles to be used in the firewall policy.


Slide 55

Lab 3: Create and Deploy Firewall Policies


 Configure firewall policies on an SRX Series device using Security Director
 Explore policy versioning

https://virtuallabs.juniper.net/

Upon completing the lab, return to this presentation and click the Play button to proceed.

Lab 3: Create and Deploy Firewall Policies

In this lab you will:

Configure firewall policies on an SRX Series device using Security Director; and
Explore policy versioning.

At this point, you should return to the Virtual Lab session you opened previously and complete the lab portion of this
section. When you are finished, return to this presentation and continue.

Enter Virtual Lab: https://virtuallabs.juniper.net/


Slide 56

Section Summary

 In this section, we:
Identified the primary firewall types and their characteristics
Described firewall policy creation
Discussed adding and modifying firewall policies, and
Described locking firewall policies for editing


In this section, we:

Identified the primary firewall types and their characteristics;
Described firewall policy creation;
Discussed adding and modifying firewall policies; and
Described locking firewall policies for editing.


Slide 57

Learning Activity 3: Question 1

 Name the two primary types of firewall policies. (Select two.)
A. Internal
B. Zone
C. Global
D. Permanent


Learning Activity 3: Question 1


Slide 57

Learning Activity 3: Question 2

 True or false: In Security Director version 12.2, you have to lock a policy before you can edit it.
A. True
B. False


Learning Activity 3: Question 2


Slide 58

Course Summary

In this course, we:
Described the capabilities and use of the Junos Space platform
Described the Junos Space Security Director application, its capabilities, and features
Explored how to log in to Junos Space and perform device discovery
Configured VPNs
Configured firewall policies


In this course, we:


Described the capabilities and use of the Junos Space platform;
Described the Junos Space Security Director application, its capabilities, and features;
Explored how to log in to Junos Space and perform device discovery;
Configured VPNs; and
Configured firewall policies.


Slide 59

Additional Resources

Education Services training classes: http://www.juniper.net/training/technical_education/
Juniper Networks Certification Program Web site: www.juniper.net/certification
Juniper Networks documentation and white papers: www.juniper.net/techpubs
To submit errata or for general questions: elearning@juniper.net


For additional resources or to contact the Juniper Networks eLearning team, click the links on the screen.


Slide 60

Evaluation and Survey

You have reached the end of this Juniper Networks eLearning module
You should now return to your Juniper Learning Center to take the assessment and the student survey
After successfully completing the assessment, you will earn credits that will be recognized through certificates and non-monetary rewards
The survey will allow you to give feedback on the quality and usefulness of the course


You have reached the end of this Juniper Networks eLearning module. You should now return to your Juniper
Learning Center to take the assessment and the student survey. After successfully completing the assessment, you
will earn credits that will be recognized through certificates and non-monetary rewards. The survey will allow you to
give feedback on the quality and usefulness of the course.


Slide 61

Copyright 2015 Juniper Networks, Inc.

All rights reserved. JUNIPER NETWORKS, the Juniper Networks logo, JUNOS, QFABRIC, NETSCREEN, and SCREENOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.


Copyright 2015 Juniper Networks, Inc.

All rights reserved. JUNIPER NETWORKS, the Juniper Networks logo, JUNOS, QFABRIC, NETSCREEN, and
SCREENOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective
owners. Juniper Networks reserves the right to change, modify, transfer or otherwise revise this publication without
notice.


Slide 62

CONFIDENTIAL



education services courseware

Corporate and Sales Headquarters
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000
Fax: 408.745.2100
www.juniper.net

APAC Headquarters
Juniper Networks (Hong Kong)
26/F, Cityplaza One
1111 Kings Road
Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803

EMEA Headquarters
Juniper Networks Ireland
Airside Business Park
Swords, County Dublin, Ireland
Phone: 35.31.8903.600
EMEA Sales: 00800.4586.4737
Fax: 35.31.8903.601

Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
