NOTE: Please note this Student Guide has been developed from an audio narration. Therefore, it will have
conversational English. The purpose of this transcript is to help you follow the online presentation, and it may
require reference to it.
Slide 1
2015 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL PRT-SD01A-ML5 www.juniper.net | 1
Slide 2
Junos Space
Security Director
Technical Overview
2015 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Proprietary and Confidential
Welcome to Juniper Networks Junos Space Security Director Technical Overview eLearning module.
Slide 3
Navigation
Throughout this module, you will find slides with valuable detailed information. You can stop any slide with the Pause
button to study the details. You can also read the notes by using the Notes tab. You can click the Feedback link at any
time to submit suggestions or corrections directly to the Juniper Networks eLearning team.
Slide 4
Course Objectives
Slide 5
This course consists of three sections. The three main sections are as follows:
Overview of Junos Space and Security Director;
VPN Policies; and
Firewall Policies.
Slide 6
Junos Space
Security Director
Technical Overview
Slide 7
Section Objectives
Slide 8
NOTE: Junos Space Security Director was previously called Junos Space Security Design.
Today's network is seeing exponential growth in traffic, changes in mobile user behavior, and an onslaught of new
cloud services and applications, all of which are expanding the avenues available to malicious attackers. Managing
enterprise security policy in these complex environments can become error-prone and overly time-consuming,
especially if management solutions are slow, unintuitive, or restricted in their level of granularity and control. Poor
policy management can also lead to security misconfiguration, making the enterprise vulnerable to sophisticated
threats and regulatory noncompliance.
Network and Security Manager (NSM) has been Juniper Networks' flagship management product for Juniper devices
for the past 10 years. Now, as the next-generation security management platform, Security Director, running on Junos
Space, will manage security across the enterprise. This course and the accompanying labs are based on Security
Director version 12.2. The product name was recently changed from Security Design to Security Director. We will refer
to the product by its new name, Security Director, throughout this course. However, you will notice that within the lab,
and on some of the screenshots in the course, the previous name, Security Design, still appears. This will be
changed to the new name, Security Director, in the next software release.
Slide 9
Slide 9 diagram (Junos Space layered architecture): at the bottom, the Network Application Platform, available as a
hardware appliance or as a software package / virtual appliance, reaches network element data through the open
Device API (DMI / adapters). Above it sit the Platform shared services (plug-and-play applications, transparent scale,
subscriber insight) and the SDK / API. On top run the Juniper applications (Services Activation Director, Network
Director, Security Director, Content Director, Service Now, Service Insight, Virtual Control) and partner / 3rd-party
applications (Joulex, DMS), which optimize infrastructure and operations management.
Junos Space is an open, secure, and scalable software platform, that allows customers, partners, and developers to
build and deploy simple, smart applications that manage and analyze network element data and optimize network
infrastructure and operations management.
This slide depicts a very high level architecture of Junos Space. As you can see it is a layered architecture. Let us look
at the various layers starting from the bottom layer.
The Junos Space Network Application Platform interfaces with the managed network devices using an open
application programming interface (API) called the Device Management Interface (DMI). DMI is based on the
industry-standard NETCONF protocol and uses Extensible Markup Language (XML) remote procedure calls (RPCs) over
an SSHv2 transport connection to the managed device.
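As an added example (not Juniper or Junos Space code), the following Python shows what the DMI exchange looks like on the wire: NETCONF 1.0 messages framed with the ]]>]]> end-of-message delimiter, a <get-config> RPC for the running configuration, and validation of the device's <rpc-reply>. The SSHv2 channel itself is not opened; the device-side messages, the session-id and the host-name are constructed sample data.

```python
"""NETCONF framing and reply validation, as used by the Junos Space DMI layer
when it manages a device over an SSHv2 connection.

Added example, not Junos Space or Juniper code. The SSH channel to the
device's 'netconf' subsystem is not opened here; the device-side messages
below are constructed sample data.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
NS = "{" + NC_NS + "}"          # Clark-notation prefix for ElementTree lookups
EOM = "]]>]]>"                   # NETCONF 1.0 end-of-message delimiter (RFC 4742)


def frame(message: str) -> str:
    """Terminate one XML message with the end-of-message delimiter."""
    return f"{message}\n{EOM}\n"


def client_hello() -> str:
    """The <hello> a manager sends once the SSH subsystem is open."""
    return (f'<hello xmlns="{NC_NS}"><capabilities>'
            f"<capability>{NC_NS}</capability></capabilities></hello>")


def get_config_rpc(message_id: str) -> str:
    """<get-config> of the running datastore, tagged so the reply can be matched."""
    return (f'<rpc message-id="{message_id}" xmlns="{NC_NS}">'
            "<get-config><source><running/></source></get-config></rpc>")


def split_messages(stream: str) -> list[str]:
    """Split received text into individual XML messages at each delimiter."""
    return [part.strip() for part in stream.split(EOM) if part.strip()]


def parse_reply(xml_text: str, expected_id: str) -> dict:
    """Validate an <rpc-reply>: correct root, our message-id, collect <rpc-error>.

    A reply carrying a different message-id is rejected rather than taken as
    the answer to this request; any <rpc-error> makes the result not ok.
    """
    root = ET.fromstring(xml_text)
    if root.tag != NS + "rpc-reply":
        raise ValueError(f"unexpected root element {root.tag}")
    if root.get("message-id") != expected_id:
        raise ValueError("message-id mismatch: reply is not for this request")
    errors = [(err.findtext(NS + "error-message") or "").strip()
              for err in root.findall(NS + "rpc-error")]
    return {"ok": not errors, "errors": errors, "data": root.find(NS + "data")}


def hostname_from_reply(stream: str, message_id: str) -> str | None:
    """Find our <rpc-reply> in the stream and return the device host-name, or
    None if the reply is missing or reports an error."""
    for msg in split_messages(stream):
        root = ET.fromstring(msg)
        if root.tag == NS + "rpc-reply" and root.get("message-id") == message_id:
            result = parse_reply(msg, message_id)
            if not result["ok"]:
                return None
            return result["data"].findtext(".//{*}host-name")
    return None


# Constructed sample of what a Junos device might send back: its <hello>, a
# successful reply to message-id 101 and a failed operation for message-id 102.
DEVICE_STREAM = (
    f'<hello xmlns="{NC_NS}"><capabilities><capability>{NC_NS}</capability>'
    "<capability>http://xml.juniper.net/netconf/junos/1.0</capability>"
    "</capabilities><session-id>4711</session-id></hello>" + EOM +
    f'<rpc-reply message-id="101" xmlns="{NC_NS}"><data><configuration>'
    "<system><host-name>srx-branch-1</host-name></system>"
    "</configuration></data></rpc-reply>" + EOM +
    f'<rpc-reply message-id="102" xmlns="{NC_NS}"><rpc-error>'
    "<error-type>protocol</error-type><error-tag>operation-failed</error-tag>"
    "<error-message>permission denied</error-message></rpc-error></rpc-reply>" + EOM
)

if __name__ == "__main__":
    print(frame(client_hello()) + frame(get_config_rpc("101")))
    print("host-name:", hostname_from_reply(DEVICE_STREAM, "101"))
    print("reply 102:", parse_reply(split_messages(DEVICE_STREAM)[2], "102"))
```

Two checks matter for a manager that writes to devices: the reply must carry the message-id of the request it is taken to answer, and an <rpc-error> is still a well-formed <rpc-reply>, so treating any reply as success would leave the management database believing a change was applied when the device refused it.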
On top of the device access layer, we have the platform itself which is built using Java 2 Enterprise Edition (J2EE)
technologies to provide core infrastructure services such as persistence and messaging as well as common EMS
services such as device discovery, inventory management, and so on.
On top of the platform, we have the software development kit (SDK) API layer. All the platform components expose
well-defined Web services APIs which can be used to develop applications on top of the platform. The SDK provides
an integrated development environment (IDE) with various plug-ins, documentation, and other resources to rapidly
develop Junos Space applications.
On top of this layer, we have the various applications that are hosted on the platform. As shown on the left-hand side,
these could be applications developed in-house by Juniper, such as Security Director, the focus of this course. Or, as
shown on the right-hand side, these could be applications developed by a partner, an independent software vendor
(ISV), or by the customer.
The top-most layer shows the open Web services APIs that are exposed by the platform as well as the hosted
applications. These APIs can be used to integrate with northbound systems or back office applications that the
customer might have in their environment.
Slide 10
The Platform
Network Application Platform (the Platform) is the underlying base application that manages Junos Space itself. The
Platform lets administrators define user roles with role-based access control (RBAC), administer installed
applications, review system audit logs, and much more.
Applications are managed, installed, and upgraded under the Manage Applications section. This is where Security
Director is managed. Once Security Director is installed, SRX Series devices can be managed with it.
Slide 11
Junos Space Security Director supports Juniper Networks devices running Junos OS 10.3 and later releases.
Currently, only the SRX Series are supported. Security Director does not currently support ScreenOS devices.
Slide 12
Scalability
Slide 12 diagram (Scalability): a Primary DC and a Secondary DC, each with Platform nodes hosting App1, App2 and
App3 behind the WS-API / EXT-JS layer and REST over HTTP. Ease of scaling the system: the system takes care of
starting all applications in additional nodes added to the fabric; 1:1 DB redundancy; active-active clustering across
data centers.
Scalability
Junos Space architecture provides excellent scalability with respect to the number of managed devices as well as the
number of simultaneous user sessions. Also we have drastically simplified the process of scaling-up with demand.
You can start with a single appliance in the fabric and add more appliances to the fabric using the graphical user
interface (GUI). The new appliances become part of the fabric automatically in the back-end, and start sharing the
load immediately.
Slide 13
Junos Space is an element management system and provides services to applications, including Security Director.
For example, it is responsible for job management. Security Director will give it a job, such as updating a device's
configuration, and Junos Space will execute the job. One of the more important things that the Junos Space platform
provides is RBAC, which allows the customer to separate who can do what. For example, one person or a group of
people might be given the authorization to manage firewall policies but not virtual private networks (VPNs), and
another group might be given the capability to manage intrusion prevention system (IPS) policy but not firewall policy.
RBAC is a very useful feature, particularly in large organizations.
Slide 14
The Junos Space platform is available in two form-factors to offer a wide range of deployment options to suit the
needs of your organization. The two form-factors are the JA1500 hardware appliance and a Virtual Appliance that can
be hosted on VMware ESX servers. The JA1500 appliance is purpose-built to host the Junos Space Network
Management Platform and is fine-tuned to ensure high availability and high performance of Junos Space applications.
It does not require hardware and operating system configuration expertise to deploy the appliance and also makes
initial configuration and deployment quite easy by providing a simple menu-driven console interface. Another
advantage of deploying Junos Space hardware appliance is that it simplifies ordering, maintenance, and support of
your network by making Juniper Networks the single destination for all your hardware and software requirements for
Junos Space, as well as your other networking devices.
A Junos Space Virtual Appliance includes the same software and all the functionality available in a Junos Space
hardware appliance. However, you must deploy the virtual appliance on a VMware ESX server (version 3.5 or higher)
or an ESXi server (version 4.0 or higher). The main driver for choosing Junos Space Virtual Appliances is that they
allow you to use any existing investment already made in VMware virtualization infrastructure instead of
purchasing new hardware. You can also scale up a Junos Space Virtual Appliance by increasing the resources
assigned to it in terms of CPU, memory, and disk space. The environment for the lab exercises you will undertake in
this course uses the Junos Space Virtual Appliance.
Extending the breadth of the Junos Space Network Management Platform are multiple Junos Space Management
Applications that optimize network management for various domains. These applications, with their easy-to-use
interface, enable you to provision new services across thousands of devices and optimize workflow tasks for specific
domains, such as core, edge, data center, campus, security, mobile, and more. The applications available for Junos
Space today include Services Activation Director, Network Director, Service Now, Service Insight, Content Director,
Virtual Control, and Security Director.
Slide 15
Security Director
Building the Foundation for Security Management
Security Director
Security Director is a management application that runs on the Junos Space Network Management Platform. It
provides deep element management for extensive fault, configuration, accounting, performance, and security
management (FCAPS) capability; same-day support for new devices and Junos releases; a task-specific user
interface; and northbound APIs to easily integrate into existing network management system (NMS) or operations
support systems/business support systems (OSS/BSS) deployments. The latest Security Director features include
powerful application identification and control with AppSecure, as well as firewall, IPS, Network Address Translation
(NAT), and VPN security policy management.
The image on this slide shows the Security Director Dashboard. This is the landing page for Security Director. Notice
that it contains a global search tool. This search tool allows you to search for IP addresses that belong to hosts, or
even if an IP address belongs to a range. The search is free-text and you can enter multiple terms and phrases using
AND or OR operators.
The task tree in the left pane will take you to the different areas and workspaces within Security Director. As you can
see on the image on the slide, at the top of the task tree you will find Firewall Policy, which is where we will begin our
discussion.
Slide 16
Slide 16 examples:
1. All Devices Policy: Allow Secure Communication
2. Group of Devices Policy: Deny Facebook
3. Device-Level Policy: Allow Email Services
In addition to scalability and reliability benefits, using Security Director with SRX Series devices offers administrators a
scalable and maintainable approach to managing firewall policies. Security Director supports Policy Groups which
can be defined once and applied to multiple SRX Series devices. SRX Series devices can be in multiple groups
providing fine-grained control while increasing maintainability. Also included are Security Director configuration
templates which can be used to configure any function typically handled through the CLI, thus providing zero-day
support for new SRX Series features. As additional SRX Series innovations become available, Security Director
administrators will continue to benefit.
Slide 17
Security Director provides quite a bit of flexibility when it comes to managing IPS. You can use the IPS Management
workspace to download and install the AppSecure signature database to security devices. You can automate the
download and install process by scheduling the download and install tasks and configure these tasks to recur at
specific time intervals. This ensures that your signature database is up-to-date. You can view the predefined IPS
policy templates and create customized IPS policy-sets in this workspace. You can also enable IPS configuration in a
firewall policy and provision IPS related configuration with firewall policy.
Juniper Networks provides built-in signature sets that act as getting-started guides. Administrators can clone these
signatures and incorporate their own changes, which reduces the learning curve and speeds up time to deployment.
Advanced policies allow advanced users to manipulate all aspects of IPS signatures, giving them more control.
Slide 18
Security Director supports management of three types of NAT: source, destination, and static.
Security Director provides an easy way to manage and deploy NAT policies across devices. An intuitive user-interface
workflow allows administrators to configure simple and advanced NAT scenarios with ease.
A simple tabular view allows administrators to add new NAT rules; similar to adding a firewall rule. Administrators
have granular control of NAT policies and can reuse NAT policies across devices.
Slide 19
Simplify Management of
IPsec VPN Tunnels
Security Director simplifies management and deployment of IPsec VPNs. Administrators can create VPN Profiles and
apply them to multiple VPN tunnel configurations across multiple SRX Series devices. Security Director can mass
deploy fully-meshed, hub-and-spoke, and site-to-site VPNs. Security Director interprets the administrator's desired
functionality and publishes the configuration required on all the SRX Series devices involved.
Slide 20
You can use the Object Builder workspace in Security Director to create objects used by firewall policies, VPNs, and
NAT policies. These objects are stored in the Junos Space database. You can reuse these objects with multiple
security policies, VPNs, and NAT policies. This approach makes the design of services more structured and avoids
the need to create the objects during the service design.
You can use the Object Builder workspace to create, modify, clone, and delete the following objects:
Addresses and address groups;
Services and service groups;
Application signatures;
Extranet devices;
NAT pools;
Policy profiles;
VPN profiles;
Variables; and
Template and template definitions.
You will not be able to delete any of the objects you have created in Object Builder (except Template definitions and
Templates) if they are already used in one of the firewall policies, NAT policies, or VPNs.
Object Builder supports concurrent editing of its objects, with a save as option to save your changes with a different
name.
Slide 21
Devices
Devices
From the Devices workspace, you use device discovery to discover devices and (if the network is the system of
record) synchronize device configurations with the Junos Space database. You can use device discovery to discover
one or many devices at a time.
After Junos Space discovers your network devices, you can perform the following tasks to monitor and configure
devices from Junos Space:
View statistics about the managed devices in your network, including the number of devices by platform and the
number of Junos family devices by release.
View connection status and configuration status for managed devices.
View operational and administrator status of the physical interfaces on which devices are running.
View hardware inventory for a selected device, such as information about power supplies, chassis cards, fans,
FPCs, and available PIC slots.
If the network is the system of record, resynchronize a managed device to update the device configuration in the
Junos Space database to reflect that of the physical device. (If Junos Space is the system of record, this capability is
not available.)
Deploy service orders to activate a service on your network devices, and
Troubleshoot devices.
Slide 22
Job Management
Search feature available
Security Director assigns an ID to all jobs
Various information is stored and associated with the Job ID
Job Management
Whenever users modify configurations, publish changes, or perform any kind of action with Security Director, it is seen
as a job in the Job Management workspace. Security Director assigns an ID to the job for future reference and audits.
Depending on the Job Type, various information is collected, stored, and associated with the Job ID. This is essential
to keeping track of activity, collaborating amongst users, and troubleshooting.
The Job Management search feature can be used to search for specific information.
Warning messages and further information associated with jobs can be viewed by double-clicking on the job.
Slide 23
Under the Security Design Devices workspace in the task tree, you can view and perform device level operations. This
tabular view displays only the devices managed under the Security Director application.
Let's take a look at the most commonly referenced columns.
Connection Status is the primary indicator of basic connectivity. Only once the connection status is UP can Junos
Space attempt to discover the device and gain management status.
The Management Status indicator shows whether Junos Space is connecting, out of sync, synchronizing, and so on.
Configuration Status indicates whether the device configuration matches that of the Junos Space database.
Pending Services shows which published changes have not yet been updated onto the device. These can be firewall,
NAT, VPN, or IPS policies.
Next, let's take a look at the Action menu available in the upper right corner of the screen.
Preview Configuration displays the changes that are published but not yet pushed to the devices.
The Update option updates the device and commits the selected published changes. This brings the device into the
In-Sync state.
Junos Space enables an auto-resynchronization feature on the physical device when it initiates a commit operation.
Once auto-resynchronization is enabled, any configuration change made on the physical device, including out-of-band
CLI commits and change-request updates, automatically triggers resynchronization of that device. The System of
Record can be set to either the Space DB or the device; when the device is the system of record, changes made
outside Junos Space are imported into the Junos Space database.
The Resynchronize with Platform option allows you to resynchronize a managed device at any time. That is, when a
managed device is updated by a device administrator from the device's native GUI or CLI, we can resynchronize the
device configuration with the Junos Space database and the physical device.
Slide 24
Monitor Security Director events
Audit logs by task, user, workspace, or application
There are two final sections to briefly point out in the Security Director task tree.
The first is Downloads, which is where you can download AppFirewall and IPS signatures. By clicking Downloads you
will be able to see the signature download logs from the last two weeks. You will see the active databases that were
downloaded earlier. At any time, Security Director will have only one active signature database. This section also
allows you to download and install a signature database.
The final section to mention from the task tree is Audit Logs. You can monitor Security Director events using the Audit
Logs section. Security Director automatically logs user events. The Audit Logs section will allow you to view audit logs
by task, user, workspace, and application.
Slide 25
Publish Workflow
Delegate and Check Policy Work Before Provisioning With Publish Workflow
Design: Create Policy, Create VPN, Create NAT, Create IPS Signatures
Publish: View impacted devices, View CLI, Verification, Optimization
Update: Schedule updates, Bulk update, Granularity, Device status
Better policy oversight via cross checks at every stage of the workflow
Fewer errors by separating policy work by role (designer, reviewer, operator)
Approve policies by viewing actual CLI before provisioning
Publish Workflow
To make a configuration change on an SRX device, there's a three-step process, and these three steps can be
assigned to different people using the role-based access control (RBAC) in the Junos Space platform.
The first step is design. The design step is performed in Security Director, where you make edits to the firewall policy,
VPNs, NAT, or just objects. After you finish making your changes, you click save, and that saves it locally within
Security Director. At this point, it is saved, but it has not been sent to the device.
The next step is the publish stage, and this is typically where a separate person is verifying the design changes that
have been made. In this step, the person can see the configuration that will be sent to the device. Literally you can
see the CLI set or delete commands that can be sent to the device and you can review them and decide what is
appropriate. If it is appropriate and you want to proceed, then you publish the changes. Publishing makes the changes
available for the update process.
The update process is what does the writing to the device using the Junos Space platform to execute the changes.
This update can be done just by clicking a button if you want to do it now or it is very easy to schedule it for a later
date and time. Again, in large organizations, we typically see the design being performed by many people, while
publishing is typically limited to the more senior people, the ones reviewing and approving. Finally, the update is
typically done by the operations group. In a smaller organization, these three roles are probably done by one or two
people, so it just depends on the scale of the organization.
Publish Workflow is a feature supported across all the functional modules: firewall, VPN, NAT, and IPS.
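To make the RBAC split described in the Junos Space overview and the three-step Publish Workflow concrete, here is an added Python model (not Security Director code). Users hold (role, workspace) grants, every action is denied unless a grant allows it, and a change moves through design, publish and update with its per-device publish state computed from what was actually published. The user names, role names, the PolicyChange fields and the sample CLI lines are assumptions for the example; the optional rule that the designer of a change may not also publish it is a design choice added here, not a documented Security Director feature.

```python
"""Design / publish / update workflow with RBAC, modelled after the Junos Space
Publish Workflow. Added example, not Security Director code.

Assumptions for illustration: role and workspace names, the sample users and
grants, the PolicyChange fields, and the optional four-eyes rule that the
designer of a change may not publish it (a design choice added here).
"""
from __future__ import annotations

from dataclasses import dataclass, field

WORKSPACES = {"firewall", "vpn", "nat", "ips"}
ROLE_ACTIONS = {"designer": {"design"}, "reviewer": {"publish"}, "operator": {"update"}}
REQUIRE_SEPARATE_REVIEWER = True   # False for a small team where one person holds all roles

# user -> set of (role, workspace) grants; anything not granted is denied
GRANTS = {
    "alice": {("designer", "firewall"), ("designer", "nat")},
    "bob":   {("reviewer", "firewall"), ("reviewer", "vpn")},
    "carol": {("operator", "firewall"), ("operator", "vpn"), ("operator", "nat")},
}


class Denied(PermissionError):
    """Raised when RBAC does not allow the requested action."""


def authorize(user: str, action: str, workspace: str) -> None:
    """Allow only if a grant gives `user` a role whose actions include `action` in `workspace`."""
    if workspace not in WORKSPACES:
        raise ValueError(f"unknown workspace {workspace}")
    for role, ws in GRANTS.get(user, set()):
        if ws == workspace and action in ROLE_ACTIONS.get(role, set()):
            return
    raise Denied(f"{user} may not {action} in {workspace}")


@dataclass
class PolicyChange:
    name: str
    workspace: str
    devices: list[str]
    cli: list[str] = field(default_factory=list)       # set/delete lines the reviewer sees
    designer: str | None = None
    approved_cli: list[str] = field(default_factory=list)
    published_to: set[str] = field(default_factory=set)
    updated: set[str] = field(default_factory=set)
    dirty: bool = False                                 # edited again after publishing

    def state(self) -> str:
        """Publish state as Security Director reports it."""
        if not self.published_to:
            return "Unpublished"
        if self.dirty:
            return "Republish Required"
        if self.published_to == set(self.devices):
            return "Published"
        return "Partially Published"

    def pending_devices(self) -> set[str]:
        """Devices holding published changes that have not yet been updated."""
        return self.published_to - self.updated


def design(user: str, change: PolicyChange, cli: list[str]) -> None:
    """Step 1: edit and save locally in Security Director; nothing reaches a device."""
    authorize(user, "design", change.workspace)
    change.cli = list(cli)
    change.designer = user
    if change.published_to:
        change.dirty = True


def publish(user: str, change: PolicyChange, succeeded_on: set[str]) -> str:
    """Step 2: reviewer approves the exact CLI; publish is recorded per device.
    `succeeded_on` stands for the devices the publish job completed for."""
    authorize(user, "publish", change.workspace)
    if REQUIRE_SEPARATE_REVIEWER and user == change.designer:
        raise Denied(f"{user} designed {change.name} and may not also publish it")
    change.approved_cli = list(change.cli)
    change.published_to = {d for d in change.devices if d in succeeded_on}
    change.updated = set()          # a republish must be pushed to every device again
    change.dirty = False
    return change.state()


def update(user: str, change: PolicyChange, device: str) -> list[str]:
    """Step 3: operator pushes the approved CLI to one device; returns what is committed."""
    authorize(user, "update", change.workspace)
    if change.dirty:
        raise RuntimeError(f"{change.name}: republish required before update")
    if device not in change.published_to:
        raise RuntimeError(f"{device}: nothing published for this device")
    change.updated.add(device)
    return list(change.approved_cli)


if __name__ == "__main__":
    fw = PolicyChange("dmz-web", "firewall", ["srx-1", "srx-2"])
    design("alice", fw, ["set security policies global policy dmz-web then permit"])
    try:
        publish("alice", fw, {"srx-1", "srx-2"})
    except Denied as exc:
        print("denied:", exc)
    print(publish("bob", fw, {"srx-1"}))             # Partially Published
    print(publish("bob", fw, {"srx-1", "srx-2"}))    # Published
    update("carol", fw, "srx-1")
    print("pending:", fw.pending_devices())          # {'srx-2'}
```

The deny-by-default check in authorize is the property worth copying: a user with no grant for a workspace gets nothing, and holding the reviewer role in firewall says nothing about VPN. The separation check shows the limit of RBAC alone: if one account holds both designer and reviewer, it can approve its own change unless something like REQUIRE_SEPARATE_REVIEWER is enforced.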
In the lab you will perform next, you will have a chance to take a hands-on look at Junos Space and verify that
Security Director is installed. You will revisit Security Director in subsequent labs.
Slide 26
https://virtuallabs.juniper.net/
Lab 1: Logging in to the Junos Space GUI and Implementing Device Discovery
At this point, you should pause this presentation, follow the link to Juniper's Virtual Lab environment, open the Lab
Guide, and complete the lab portion of this section. When you are finished, return to this presentation and click Play to
continue.
Slide 27
Section Summary
Slide 28
Slide 29
Junos Space
Security Director
Technical Overview
In this section, you will learn how to create and deploy IPsec VPNs using Security Director.
Slide 30
Section Objectives
Slide 31
Prior to creating VPNs, you should ensure that any custom VPN proposals you need are already configured under the
Object Builder by creating VPN Profiles. VPN Profiles are relatively static configurations; they do not change often.
Once created, these profiles can then be applied to the creation and management of VPN tunnels.
You can use a VPN Profile Wizard to create an object that specifies the VPN proposals, mode of the VPN, and other
parameters used in a route-based IPsec VPN. You can also configure the Phase 1 and Phase 2 settings in a VPN
profile. When a VPN Profile is created, Junos Space creates an object in the Junos Space database to represent the
VPN Profile. You can use this object to create route-based IPsec VPNs.
Slide 32
Create VPN
Select VPN > Create VPN from the task tree on the Security Director Dashboard view
Create VPN
From the Security Director task tree, select VPN, then select the Create VPN link.
When you create a VPN, the first step is to configure the basic VPN parameters and topology type. Policy-based
VPNs are only used in site-to-site VPN topologies. Route-based VPNs are more flexible and scalable and are typically
the VPN of choice for most deployments. You can select between Site-to-Site, Full-Mesh, and Hub-and-Spoke VPN types.
From this screen you can also apply the necessary VPN Profile and choose the Pre-Shared Key options.
Slide 33
On the next screen, select the SRX Series devices that will become end-points from the Available pane. For hub-and-
spoke topologies, you choose which devices will be hubs (designated by an H in the Selected pane) and which will be
end-points (designated by an E in the Selected pane).
Slide 34
On the next screen, select the interface type in the Tunnel Settings pane. If you select Numbered as the tunnel
setting, enter the IP subnet in the IP Subnet field that will appear when the Numbered radio button is selected.
Select the routing options in the Route Settings pane. If you select OSPF, the following check boxes are available:
Export Static Routes: Check this box to export static routes.
Export RIP Routes: Check this box to export RIP routes.
Area: This is a numeric field where you enter the area ID.
In the Global Settings pane, enter the external interface in the External Interface field, the tunnel zone in the Tunnel
Zone field, and the zone type in the Protected Network Zone field.
If you have chosen to create a hub-and-spoke VPN, you will see Hub and Spoke under the Type column. Enter the
appropriate values in the External Interface, Tunnel Zone, and Protected Network Zone fields. The tunnel is shared
accordingly based on the value specified for the number of spoke devices per tunnel interface.
Slide 35
The screen that appears next gives you a preview of the values you entered for the VPN. The screen displays error
indicators if the options you have configured do not map to the device. You can also click the Show all Errors check
box to view all errors in the configuration. If errors are present, you must modify the configuration to eliminate them
before you can proceed to the next step.
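Added example, not Security Director code: the topology chosen on the first wizard screen and the Numbered tunnel subnet from the Tunnel Settings pane together determine how many IPsec tunnels are created and how many addresses they consume. The Python below enumerates the tunnels for site-to-site, full-mesh and hub-and-spoke selections and carves one /30 per tunnel from the supplied subnet, refusing the plan before anything is deployed when the subnet is too small, which is the kind of problem the preview step flags as an error. Device names, the /30 allocation, the numbering scheme and the absence of hub-to-hub tunnels are assumptions of this example.

```python
"""Tunnel planning for the VPN topologies Security Director can mass-deploy.

Added example, not Security Director code. Device names, the /30 per tunnel,
the numbering scheme and the absence of hub-to-hub tunnels are assumptions.
"""
from __future__ import annotations

import ipaddress
from itertools import combinations
from typing import Tuple

Tunnel = Tuple[str, str]


def plan_tunnels(topology: str, devices: list[str], hubs: set[str] | None = None) -> list[Tunnel]:
    """Enumerate the IPsec tunnels the chosen topology needs between the selected devices."""
    hubs = set(hubs or ())
    if len(set(devices)) != len(devices):
        raise ValueError("duplicate device in selection")
    if not hubs <= set(devices):
        raise ValueError(f"hub(s) not in the selected devices: {sorted(hubs - set(devices))}")
    if topology == "site-to-site":
        if len(devices) != 2:
            raise ValueError("site-to-site needs exactly two endpoints")
        return [(devices[0], devices[1])]
    if topology == "full-mesh":
        if len(devices) < 2:
            raise ValueError("full-mesh needs at least two devices")
        return list(combinations(devices, 2))                      # n(n-1)/2 tunnels
    if topology == "hub-and-spoke":
        spokes = [d for d in devices if d not in hubs]
        if not hubs or not spokes:
            raise ValueError("hub-and-spoke needs at least one hub and one spoke")
        return [(h, s) for h in devices if h in hubs for s in spokes]   # hubs x spokes
    raise ValueError(f"unknown topology {topology!r}")


def number_tunnels(tunnels: list[Tunnel], subnet: str) -> dict[Tunnel, tuple[str, str]]:
    """Numbered tunnel settings: assign one /30 from `subnet` to each tunnel.

    Returns {tunnel: (first_endpoint_ip/30, second_endpoint_ip/30)} and fails
    before anything would be deployed if the subnet cannot hold every tunnel.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    blocks = list(net.subnets(new_prefix=30))   # ValueError if the prefix is already longer than /30
    if len(tunnels) > len(blocks):
        raise ValueError(f"{subnet} holds {len(blocks)} /30 links but {len(tunnels)} tunnels are needed")
    return {t: (f"{b[1]}/30", f"{b[2]}/30") for t, b in zip(tunnels, blocks)}


if __name__ == "__main__":
    sites = ["hq", "dc2", "branch-1", "branch-2", "branch-3"]
    for topo, hubs in (("full-mesh", None), ("hub-and-spoke", {"hq", "dc2"})):
        print(topo, len(plan_tunnels(topo, sites, hubs)), "tunnels")
    plan = number_tunnels(plan_tunnels("hub-and-spoke", sites, {"hq"}), "10.255.0.0/28")
    for tunnel, (a, b) in plan.items():
        print(tunnel, a, b)
    try:
        number_tunnels(plan_tunnels("full-mesh", [f"site-{i}" for i in range(12)]), "10.255.0.0/24")
    except ValueError as exc:
        print("rejected:", exc)
```

The full-mesh count grows as n(n-1)/2, so twelve sites already need 66 tunnels and exhaust a /24 of /30 links, while the same sites in hub-and-spoke need one tunnel per spoke per hub; that difference is usually why hub-and-spoke is chosen for branch deployments.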
Slide 36
Publish buttons
Click Publish VPN from the Security Director task tree. The Services page appears with all the VPNs listed. It also
displays the publish states of all the VPNs. Select the checkbox next to the VPN that you want to publish.
Configuration changes can be viewed, published, and updated. VPNs are moved into Published state once the
configuration is published to all the devices involved in the VPN. If the configuration is not published to all the devices
involved in the VPN, the VPN is placed in the Partially Published state. If a VPN is created but not published, the VPN
is placed in the Unpublished state. If any modifications are made to the VPN configuration after it is published, the
VPN is placed in the Republish Required state. You can view the states of the VPN by hovering over them. A new job
is created and the Job ID appears in the Job Information dialog box.
If you get an error message during the publish process or if the VPN publish process fails, go to the Job Management
workspace and view the relevant Job ID to see why the publish process failed.
Slide 37
https://virtuallabs.juniper.net/
At this point, you should return to the Virtual Lab session you opened previously and complete the lab portion of this
section. When you are finished, return to this presentation and continue.
Slide 38
Section Summary
Slide 39
Slide 40
Junos Space
Security Director
Technical Overview
In this section, you will learn how to create and deploy firewall policies using Security Director.
Slide 41
Section Objectives
Slide 42
Firewall Policies
All-Devices: all managed devices
Group: group of devices
Device: device specific
Firewall Policies
Zone policies are the usual inter-zone policies configured on SRX Series devices, and Security Director breaks them
down into rule types of All-Devices, Group, and Device.
Global policies are broken down the same way, into All-Devices, Group, and Device. Global policy rules are enforced
regardless of ingress or egress zone; they apply to any transit traffic on the device. Any address objects referenced in
global policy rules must be defined in the global address book.
Thus, for each policy type, there are three kinds of rules we will discuss: All-Devices (all managed devices), Group
(group of devices), and Device (device specific).
You do not have to use global policies; you could use only zone policies if you wish. However, if you want to act on
traffic without caring about zones (for example, you want to permit all traffic to a given server in the DMZ), you would
otherwise have to configure a matching inter-zone policy for every zone pair. Global policies give you the flexibility to
act on traffic without the restriction of zone specifications, and Security Director lets you scale this across multiple
devices.
Note that regular inter-zone (zone) policies take precedence over global policies: the SRX evaluates the zone policies
first and consults the global policies only if no zone policy matched the session.
Slide 43
Policy versioning allows users to snapshot, roll back, delete, and compare policy versions. You create a policy version
by taking a snapshot of the policy. You can create versions for all types of firewall policies, including All-Devices,
Group, Device, and Device exceptions. The maximum number of versions maintained for any policy is 60. Once that
limit is reached, you must delete unwanted versions before a new version can be saved. Versioning and rollback are
independent operations for each policy: taking a snapshot of a group firewall policy, for example, does not also version
the policies of the individual devices in that group, so each policy must be versioned on its own. A snapshot is also
captured automatically whenever a policy is published.
You can view or manage all available versions of a selected policy. The following tasks can be performed on the
snapshots:
Roll back to a specific version. The rollback operation replaces all the rules and rule groups of the current version
with rules and rule groups from the selected version.
Compare the differences between any two versions of the policy (including the current version), and
Delete one or more versions from the system.
Slide 44
To begin configuring a firewall policy, click Create Policy under Firewall Policy in the Security Director task tree. The
Create Policy pane appears. From this screen, along with giving the policy a name and description, you can select the
policy type, priority, precedence, and select a profile. You also select the devices the policy is for, and the IPS
configuration mode.
When creating a policy, you can define whether it is zone or global. Security Director permits users to manage the
current inter-zone firewall policies and the new global policy rules supported on SRX Series devices. Because both
are managed within a single firewall policy, there is no change in workflow for publish and update. Essentially, zone
and global policies are published and updated together.
Note that creating zones is currently done under Network Application Platform. Enhancements will be made to future
Security Director releases. Zones are typically one-time settings defined along with interface settings.
Slide 45
Precedence:
Zone: All-Devices (pre) -> Group (pre) -> Device -> Group (post) -> All-Devices (post)
When you first select Firewall Policy, the policy tabular view appears. This tabular view is a table with two panes as
shown on the slide. The left pane is the tabular view with the firewall policies listed by their names. In Security
Director, a firewall policy is a set of rules arranged in order of precedence. The right pane displays the rules that the
firewall policy actually consists of. You can search on information pertaining to firewall policies on the left pane, and
you can search on information pertaining to rules on the right pane, such as zones, addresses, descriptions, and so
on.
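The two ordering rules described above (zone policies are evaluated before global policies, and within each the tiers run All-Devices (pre) -> Group (pre) -> Device -> Group (post) -> All-Devices (post), first match wins) can be checked with a small first-match evaluator. The Python below is an added illustration written for this transcript; it is not Security Director or Junos code, and the rule names, zones, addresses and the cleanup rule are constructed for the example. It also shows the caveat a practitioner should expect from that ordering: a catch-all deny at the All-Devices (post) tier of a zone policy is matched before any global rule is consulted, so it silently shadows the global policy for that zone pair.

```python
"""Model of how an SRX evaluates the rule tiers Security Director publishes.

Added illustration, not Security Director or Junos code. It reproduces two
ordering facts: inside a zone or global policy the tiers are evaluated
All-Devices (pre) -> Group (pre) -> Device -> Group (post) -> All-Devices (post)
with first match winning, and zone rules are searched before global rules,
falling through to an implicit deny. All rule and flow data is constructed.
"""
from dataclasses import dataclass
from enum import IntEnum
from ipaddress import ip_address, ip_network
from typing import List, Tuple


class Tier(IntEnum):
    """Evaluation order of the rule tiers within one policy."""
    ALL_DEVICES_PRE = 0
    GROUP_PRE = 1
    DEVICE = 2
    GROUP_POST = 3
    ALL_DEVICES_POST = 4


@dataclass
class Flow:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    service: str          # e.g. "tcp/22"


@dataclass
class Rule:
    name: str
    tier: Tier
    action: str                            # permit | deny | reject
    from_zone: str = "any"                 # zone rules name both zones;
    to_zone: str = "any"                   # global rules leave them "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    services: Tuple[str, ...] = ("any",)
    is_global: bool = False

    def matches(self, flow: Flow) -> bool:
        if self.from_zone not in ("any", flow.from_zone):
            return False
        if self.to_zone not in ("any", flow.to_zone):
            return False
        if ip_address(flow.src) not in ip_network(self.src):
            return False
        if ip_address(flow.dst) not in ip_network(self.dst):
            return False
        return "any" in self.services or flow.service in self.services


def ordered(rules: List[Rule], is_global: bool) -> List[Rule]:
    """Select zone or global rules and sort them by tier; the sort is stable,
    so the author's order is kept inside a tier."""
    return sorted((r for r in rules if r.is_global == is_global),
                  key=lambda r: r.tier)


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule. Zone rules are
    searched first; global rules only if no zone rule matched; if nothing
    matches the SRX default policy denies the session."""
    for r in ordered(rules, is_global=False) + ordered(rules, is_global=True):
        if r.matches(flow):
            return r.action, r.name
    return "deny", "default-deny"


# Constructed sample policy, listed deliberately out of evaluation order to
# show that the tier, not the listing order, decides precedence.
POLICY = [
    Rule("allow-ssh-to-jump", Tier.DEVICE, "permit", "trust", "dmz",
         "10.1.0.0/24", "10.2.0.5/32", ("tcp/22",)),
    Rule("quarantine-host", Tier.ALL_DEVICES_PRE, "deny", "trust", "dmz",
         "10.1.0.99/32"),
    Rule("allow-https-to-jump", Tier.GROUP_PRE, "permit", "trust", "dmz",
         "10.1.0.0/24", "10.2.0.5/32", ("tcp/443",)),
    # Global rule: reach the public web server from any zone.
    Rule("public-web", Tier.DEVICE, "permit", dst="10.2.0.10/32",
         services=("tcp/80", "tcp/443"), is_global=True),
]

# The same policy plus an explicit cleanup deny at All-Devices (post). For
# trust -> dmz it is matched before the global rule is ever consulted.
CLEANUP = Rule("cleanup-deny", Tier.ALL_DEVICES_POST, "deny", "trust", "dmz")
POLICY_WITH_CLEANUP = POLICY + [CLEANUP]


if __name__ == "__main__":
    web = Flow("trust", "dmz", "10.1.0.7", "10.2.0.10", "tcp/80")
    print("no cleanup  :", evaluate(POLICY, web))
    print("with cleanup:", evaluate(POLICY_WITH_CLEANUP, web))
```

Run it as a script to see the same trust-to-dmz web flow permitted by the global rule in one policy and denied by the zone cleanup rule in the other; the evaluator returns the matching rule's name so that a shadowed rule is visible rather than just a silent deny.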
Slide 46
When you select a rule, you can add a new rule before or after that rule. The new rule is assigned a serial number
based on the number of rules already added to the policy. By default the source zone is trust, the destination zone is
untrust, the services are set to any, and the action is set to deny. You can modify the default settings as needed. The
action can be permit, deny, reject, or tunnel.
Slide 47
All Devices policies are predefined firewall policies that ship with Security Director, for example, a policy allowing
management access. You can add prerules and postrules to them. All Devices rules are enforced globally on every
device managed by Security Director.
Slide 48
Group Policies
Group policies are firewall policies shared with multiple devices. This type of policy is used when you want to update a
specific firewall policy configuration to a large set of devices. You can create group prerules, group postrules, and
device rules for a group.
Slide 49
Device Policies
Device policies are a type of firewall policy that is created per device. This type of policy is used when you want to
push a unique firewall policy configuration per device. You can create device rules for a device firewall policy.
Slide 50
The locking feature within Security Director prevents multiple users from editing the same policy at the same time,
thereby avoiding conflicts. Policy objects such as firewall and NAT policies support exclusive locking for editing.
Objects used in the policies (such as Address, Service, NAT pools, and Variables) support save as functionality if the
objects were changed since they were open for editing.
Before you can edit a policy, you must lock it by clicking the lock icon, which is available in the policy view toolbar. You
can hold more than one policy lock at a given time. You can unlock the policy by clicking the unlock icon next to the
lock icon in the policy tabular view. If you attempt to lock a policy that is already locked by another user a message will
appear to let you know the policy has been locked by another user. There is also an Admin screen available which
shows who holds locks and allows the admin to override any of the locks.
Slide 51
When a locked policy sits idle, a message appears 1 minute before the lock timeout interval expires (the default
timeout is 5 minutes), giving the user the option to click Yes and extend the lock. If the user clicks No but there is
activity on the policy during the last minute of the lock's life, the timer is reset and the lock is not released. If the
user ignores the message, the lock expires 1 minute later and the user is prompted either to save the edited policy
under a different name or to lose the changes.
The system uses these and other messages to prompt or alert the user throughout the editing process.
Slide 52
AppFW Rules
Firewall policy rules can be extended with the application firewall (AppFW) feature. Application firewalling is part of
the AppSecure feature set, which is licensed separately on the SRX Series. On devices that support it, a rule can
carry AppFW rules that act on the Layer 7 application identified in the session, so traffic that the rule's Layer 3 and
Layer 4 match would otherwise permit can still be controlled by application.
AppFW is a column within the firewall policy. Shown on screen is what happens when you click the cell for one of the
rules: the AppFW Configuration window pops up. It lets you specify whether you want to create a blacklist, a whitelist,
or simply disable AppFW for that rule. With a whitelist, only the listed applications are permitted and every other
identified application is denied; with a blacklist, the listed applications are denied and the rest are permitted.
Slide 53
The advanced application signature selector is shown on screen. In this example, the user has filtered for Facebook,
and in this case Farmville has been selected for the purposes of blacklisting. You can perform similar actions either by
searching (using the search box in the top right corner), or you can filter based on categories as shown on the left.
Slide 54
A new feature in Security Director version 12.2 is the source identity field. It adds granularity over who may access
which applications, so it pairs well with the AppFW feature. For example, in the rule being edited on this slide, the
user is selecting Marketing to be allowed access to Facebook; in the same way they could block Engineering from
accessing Farmville. The SRX Series device obtains the user roles from the UAC (Infranet Controller), and Security
Director then queries the firewall to learn which roles it knows about. You can then select one or more of those roles
as the source identity in the firewall rule.
Slide 55
At this point, you should return to the Virtual Lab session you opened previously and complete the lab portion of this
section. When you are finished, return to this presentation and continue.
Slide 56
Section Summary
Slide 57
Slide 58
Course Summary
Slide 59
Additional Resources
For additional resources or to contact the Juniper Networks eLearning team, click the links on the screen.
Slide 60
You have reached the end of this Juniper Networks eLearning module. You should now return to your Juniper
Learning Center to take the assessment and the student survey. After successfully completing the assessment, you
will earn credits that will be recognized through certificates and non-monetary rewards. The survey will allow you to
give feedback on the quality and usefulness of the course.
Slide 61
All rights reserved. JUNIPER NETWORKS, the Juniper Networks logo, JUNOS, QFABRIC, NETSCREEN, and
SCREENOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective
owners. Juniper Networks reserves the right to change, modify, transfer or otherwise revise this publication without
notice.
Slide 62
CONFIDENTIAL
Corporate and Sales Headquarters: Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA.
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000. Fax: 408.745.2100. www.juniper.net
APAC Headquarters: Juniper Networks (Hong Kong), 26/F, Cityplaza One, 1111 Kings Road, Taikoo Shing, Hong Kong.
Phone: 852.2332.3636. Fax: 852.2574.7803
EMEA Headquarters: Juniper Networks Ireland, Airside Business Park, Swords, County Dublin, Ireland.
Phone: 35.31.8903.600. EMEA Sales: 00800.4586.4737. Fax: 35.31.8903.601
Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos,
NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries.
All other trademarks, service marks, registered marks, or registered service marks are the property of their respective
owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves
the right to change, modify, transfer, or otherwise revise this publication without notice.