SRX als NGFW

Michel Tepper, Consultant

SRX als NGFW - Westcon-Comstormedia.gswi.westcon.com/media//2._5daagse_2015_SRX_NG_firewalling.pdf · Juniper Networks SRX Series Services Gateways deliver integrated next -generation




Firewall Security Challenges

Organizations are looking for ways to protect their assets amidst today’s ever-increasing threat landscape. The latest generation of web-based applications, combined with the proliferation of mobile devices, have made it challenging to effectively manage traffic and provide access to data while delivering the right mix of security and network services. There might be hundreds or thousands of applications running across a typical enterprise network—some of these applications are important to the business and some are not.

How do you control what applications are allowed on your network, and how do you restrict those that are not? How do you make sure your network traffic is prioritizing business-critical operations? How do you get stronger security without compromising your operational efficiency? How do you make sure your security doesn’t negatively impact your business? This is where a next-generation firewall can help you.


Juniper Networks NGFW Protection Solution

Juniper Networks NGFW Protection solution is a powerful solution that helps bring context and clarity to the setting and enforcement of security policies and helps stop modern malware attacks, all while delivering the industry’s highest performance and with the capacity to grow with your business or traffic. SRX Series Services Gateways come in a broad range of models from all-in-one security and networking appliances to highly scalable, high-performance chassis solutions. All solutions can be centrally managed using Junos Space Security Director, and other security services are easily added to existing SRX Series platforms for a cost-effective solution.


User role-based Firewall

Juniper Networks SRX Series Services Gateways deliver integrated next-generation firewall protection with application awareness, IPS, and user role-based controls plus best-in-class UTM to protect and control your business assets. Next-generation firewalls are able to perform full-packet inspection and apply application-specific and user-specific security policies. This means you can create security policies based on the application running across your network, the user who is receiving or sending network traffic, and simultaneously examine the content that is traveling across your network. This helps protect your environment against threats, manages how your network bandwidth is allocated, and maintains appropriate access controls.


Integrated User Firewall and MORE


NGFW Application Visibility

Juniper Networks AppSecure suite of application-aware security services for the SRX Series classifies traffic flows, while bringing greater visibility, enforcement, control, and protection to your network security. AppSecure uses a sophisticated classification engine to accurately identify applications regardless of port or protocol, including applications known for using evasive techniques to avoid identification. It gives you the context to regain control of your network traffic, set and enforce policies based on accurate information, and deliver the performance and scale required to address your business needs. The services enabled by AppSecure include AppTrack for detailed visibility of application traffic, AppFW for granular policy enforcement of application traffic, and AppQoS for prioritization and metering of application traffic.


Juniper Networks Unified Threat Management (UTM)

Comprehensive content security against malware, viruses, phishing attacks, intrusions, spam, and other threats is available with Juniper Networks UTM. This best-in-class solution includes antivirus, anti-spam, Web filtering, and content filtering in a group of services easily added to an SRX Series Gateway or Firefly Perimeter virtual firewall.


Junos Space Security Director

Next-generation capabilities in the SRX Series and Firefly Perimeter can be centrally managed from a single management platform. You can manage all your security services, perform logging and reporting, as well as segment management responsibilities through role-based access controls in Juniper Networks Junos Space Security Director. Juniper Networks centralized management is based on Juniper Networks Junos operating system so it shares the same resiliency and massive scalability as Juniper Networks highly regarded network solutions preferred by most of the world’s largest service providers.


Why Juniper Networks NGFW Protection Solution?

Juniper Networks is introducing new enhancements to its SRX Series Services Gateways that provide next-generation security to help customers protect against threats and control what is on their network without adding a heavy administrative burden:

Greater protection:

• The new AppID engine includes a heuristics engine optimized for identifying evasive or tunneled applications. This is important for blocking risky applications such as peer-to-peer applications, or for adding control over social, video and communications applications. AppID will also identify nearly twice as many unique applications as before.

• Firefly Perimeter now supports next-generation firewall capabilities like IPS and UTM.

Simplified management:

• A single, central management platform delivers a simple method for managing all Juniper Networks firewalls, eliminating the complexity and time needed to support multiple management platforms.

• Juniper Networks SRX now integrates directly with Active Directory to apply user role-based firewall policies without requiring any additional devices or agents.

• AppID delivers granular management of application visibility and control on a per-policy basis.

Open solution for customization:

• Juniper Networks NGFW Protection solution offers a unique ability for customers to insert signatures for their custom-built applications or add IPS signatures to protect against exploits they discover. This capability helps organizations increase the amount of control they have over home-grown application traffic in their network, and it enables increased protection against exploits targeting these custom applications.


SRX Series Services Gateway – Campus and Branch

Campus / Enterprise (branch): SRX100/110, SRX210/220/240, SRX550, SRX650

Data Center: SRX1400, SRX3400, SRX3600, SRX5600, SRX5800


Firefly Perimeter

In addition to its advanced security services and network capabilities, Firefly Perimeter also empowers network and security administrators to quickly provision and scale firewall protection to meet dynamic demand using Junos Space Virtual Director. When combined with Junos Space Security Director, administrators can significantly improve security policy configuration, management, and visibility of their virtual and non-virtual environments.


Junos Space Security Director

Juniper Networks Junos Space Security Director, an application on Junos Space Network Management Platform, provides extensive security scale, granular policy control, and policy breadth across the network. It helps administrators quickly manage all phases of the security policy life cycle for stateful firewall, UTM, IPS, AppFW, VPN, and NAT through a centralized web-based interface.

Junos Space Security Director reduces management costs and errors with efficient security policy, workflow tools, and a powerful “app” and platform architecture.


Juniper Networks Conclusion

Open / Extensible Security Platform: open signatures

Simplified Management: Security Director, integrated logging & reporting, role-based access control, UTM

NGFW Services: integrated user firewall, AppID 2.0, Firefly Perimeter (IPS, UTM), full SRX portfolio


Use case: WSA

The company WSA (Westcon Security Academy) wants to implement a firewall with these specs:

• Only domain authenticated users get internet access

• Sysadmin without firewall knowledge should be able to deny users access to social media

• Logs should be easy to access


WSA network

Two users to start with: sad and lucky.


User lucky: properties in AD


User sad: properties in AD


Users log on to the client systems

• User sad to client1

• User lucky to client2

• Both can browse the internet

• Next they try to access myspace.com


Results

Lucky: gets his access.

Sad: gets even sadder: he gets a custom block message.


These two firewall rules do the job:

• AD connection

• Application awareness


Oops

• Guest users couldn’t access the internet anymore!

• Change of policy.

• After a few hours we look up what the guests (students) are doing.


Application access, last 8 hours

“Normal” sites: plain text, so no application is identified. We could use UTM to categorize them.


Log details (screenshot callouts): user, application


Agenda

• Use case: firewall for WSA

• SRX x47 highlights

• Junos Space 14.1 highlights

• Competitive analysis

• 10 (or more) good reasons to buy SRX right now

• Q & (hopefully) A

• Tech talk


NG AppID – What’s New?

Enhancements

1. Improved Evasive Application Detection

2. ~3000 Unique Applications

3. Improved Accuracy

4. Loadable Detector Module

User Experience Changes

• No significant changes

Q3 Enhancements

• Custom Application Support


INTEGRATED USER FIREWALL

[Diagram: Client and Windows ADs on the inside, SRX Series in the middle, Corporate Data Center (Apps, Data, Finance, Video) and Internet on the outside, with steps 1 to 4 marked.]

1. Domain user logs in to the domain from a domain member device.

2. User attempts to make a connection through the SRX.

3. SRX checks its local tables to see if the user is already authenticated:
   1. If so, the user continues.
   2. If there is no local authentication, the SRX queries AD.
   3. If AD has an entry, it is used.
   4. If there is no AD entry, fall back to the captive portal.

4. The authenticated user is evaluated by policy according to the firewall rulebase. If the traffic is permitted, the user is allowed to continue.


Multiple zones per policy

• Problem to solve

• Today, when deploying security policy, customers need to set up separate policy entries even if most of their attributes are identical (source-address, destination-address, application, action) and only the zone attributes (from-zone, to-zone) differ.

• Solution

• Add from-zone/to-zone to the global policy, just like source-address, destination-address, etc. in the global policy. As a result, only one policy is needed in this release.

• Note: only global policies are changed to support multiple from/to zones.

Four policies are needed in order to apply the following security policies, even though the source-address, destination-address, application and actions are the same.


Firewall Rulebase

It is here in the firewall rulebase where you activate which Security Intelligence policy you want to enable for which type of traffic. It works in combination with all other existing SRX L7 features, such as:

- IPS
- AppFW / AppQoS
- AntiVirus
- WebFiltering


Space for NG firewalling

Junos Space 13.3: Security Director 13.3, Network Director 1.6, all other apps

Junos Space 14.1: Security Director 14.1, no Network Director yet

To complete a full NG implementation: deploy the Log Collector (a separate virtual appliance) and the Space app that accesses it:


Tech talk: New possibilities in CLI

• Operational mode security flow debugging

• Operational mode IKE debugging

root@x47_test> monitor security flow ?
Possible completions:
  file                 Trace file information
  filter               Flow packet debug filter
  start                Monitor flow start
  stop                 Monitor flow stop
root@x47_test> monitor security flow

root@x47_test> request security ike debug-enable ?
Possible completions:
  local                Local ip address
  remote               Remote ip address
root@x47_test> request security ike debug-enable


Tech talk: IDP Sensor tuning

root@x47_test# set security idp sensor-configuration ?
Possible completions:
> log                          IDP Log Configuration
> packet-log                   IDP Packetlog Configuration
> application-identification   Application identification
> flow                         Flow configuration
> re-assembler                 Re-assembler configuration
> ips                          Ips configuration
> global                       Global configuration
> detector                     Detector Configuration
> ssl-inspection               SSL inspection
> high-availability            High availability configuration
> security-configuration       IDP security configuration
  disable-low-memory-handling  Do not abort IDP operations under low memory condition
[edit]

Many details available


Tech talk: IP matching in security

[edit security address-book example]
root@x47_test# set address example_address ?
Possible completions:
  <ip-prefix>          Numeric IPv4 or IPv6 address with prefix
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  description          Text description of address
> dns-name             DNS address name
> range-address        Address range
> wildcard-address     Numeric IPv4 wildcard address with in the form of a.d.d.r/netmask
[edit security address-book example]
root@x47_test# set address example_address

[edit security policies from-zone trust to-zone untrust]
root@x47_test# set policy example match ?
Possible completions:
+ application                   Port-based application
+ apply-groups                  Groups from which to inherit configuration data
+ apply-groups-except           Don't inherit configuration data from these groups
+ destination-address           Match destination address
  destination-address-excluded  Exclude destination addresses
+ source-address                Match source address
  source-address-excluded       Exclude source addresses
+ source-identity               Match source identity
[edit security policies from-zone trust to-zone untrust]


Tech talk: AD coupling

root@x47_test# show services user-identification
active-directory-access {
    domain wsa.local {
        user {
            administrator;
            password "$9$rWzvXNsYoGUHgoz3n6AtvW8LdbsYg"; ## SECRET-DATA
        }
        domain-controller AD01.wsa.local {
            address 172.27.72.10;
        }
        domain-controller AD02.wsa.local {
            address 172.27.72.11;
        }
        user-group-mapping {
            ldap {
                base OU=demo-users,dc=wsa,dc=local;
                user {
                    Administrator;
                    password "$9$BtOErKXxdsYoNdk.mPQzEcSyM8XxN"; ## SECRET-DATA
                }
            }
        }
    }
}


Tech talk: Application FW rules

root@x47_test# show security application-firewall
profile test {
    block-message {
        type {
            custom-redirect-url {
                content http://172.27.72.10/badluck.htm;
            }
        }
    }
}
rule-sets no-social-media-trust-untrust {
    rule 0 {
        match {
            dynamic-application-group junos:web:social-networking;
        }
        then {
            deny;
        }
    }
    default-rule {
        permit;
    }
    profile test;
}


Tech talk: NG policies

[edit security policies from-zone trust to-zone untrust]
root@x47_test# show
policy no-social-media {
    match {
        source-address any;
        destination-address any;
        application [ junos-http junos-https ];
        source-identity "wsa.local\no-social-media";
    }
    then {
        permit {
            application-services {
                application-firewall {
                    rule-set no-social-media-trust-untrust;
                }
            }
        }
        log {
            session-close;
        }
    }
}
policy trust-to-untrust {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
        log {
            session-close;
        }
    }
}


Tech talk: Check AD connection

• Many other checks implemented

root@x47_test> show services user-identification active-directory-access active-directory-authentication-table all
Domain: wsa.local
Total entries: 4
Source IP       Username        groups              state
172.27.72.12    mtepper                             Valid
172.27.72.20    administrator                       Valid
172.27.78.1     sad             no-social-media     Valid
172.27.78.2     lucky                               Valid


Tech talk: NG in flow checking

root@x47_test> show security flow session dynamic-application junos:FACEBOOK-ACCESS
Session ID: 1761, Policy name: trust-to-untrust/5, Timeout: 1752, Valid
  In: 172.27.78.2/52549 --> 23.65.181.96/443;tcp, If: vlan.0, Pkts: 39, Bytes: 8699
  Out: 23.65.181.96/443 --> 134.27.1.2/11702;tcp, If: ge-0/0/0.0, Pkts: 22, Bytes: 5668

Session ID: 1762, Policy name: trust-to-untrust/5, Timeout: 1760, Valid
  In: 172.27.78.2/52548 --> 31.13.93.3/443;tcp, If: vlan.0, Pkts: 108, Bytes: 10988
  Out: 31.13.93.3/443 --> 134.27.1.2/4260;tcp, If: ge-0/0/0.0, Pkts: 120, Bytes: 133001

Session ID: 1763, Policy name: trust-to-untrust/5, Timeout: 1754, Valid
  In: 172.27.78.2/52551 --> 23.65.181.96/443;tcp, If: vlan.0, Pkts: 47, Bytes: 10869
  Out: 23.65.181.96/443 --> 134.27.1.2/12957;tcp, If: ge-0/0/0.0, Pkts: 26, Bytes: 6552

Session ID: 1767, Policy name: trust-to-untrust/5, Timeout: 1752, Valid
  In: 172.27.78.2/52558 --> 195.10.11.105/443;tcp, If: vlan.0, Pkts: 18, Bytes: 3817
  Out: 195.10.11.105/443 --> 134.27.1.2/30385;tcp, If: ge-0/0/0.0, Pkts: 12, Bytes: 6337
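The evaluation the deck walks through (the user-firewall lookup order on the INTEGRATED USER FIREWALL slide, the no-social-media policy with its source-identity match and AppFW rule-set, and the AD authentication table from the "Check AD connection" slide), modelled as an added Python example; this is not code from the deck or from Juniper. It assumes that junos:FACEBOOK-ACCESS belongs to the junos:web:social-networking dynamic-application group, and it parses a constructed copy of the deck's authentication-table output.

```python
"""SRX user-firewall flow from the deck: resolve the source IP to a user (local
table, then AD, then captive portal), match the ordered policies on
source-identity, and let the matching policy's AppFW rule-set decide per
dynamic application. Added example, not Juniper code."""
# Constructed copy of the deck's 'active-directory-authentication-table all'
# output; the groups column is blank for users that are in no mapped group.
AUTH_TABLE = """\
Domain: wsa.local
Total entries: 4
Source IP       Username        groups              state
172.27.72.12    mtepper                             Valid
172.27.72.20    administrator                       Valid
172.27.78.1     sad             no-social-media     Valid
172.27.78.2     lucky                               Valid
"""

def parse_auth_table(text):
    """Return (domain, {ip: (user, [groups], state)}). The groups column may be
    blank, so the last token is the state and anything in between is a group."""
    domain, entries, in_rows = None, {}, False
    for line in text.splitlines():
        if line.startswith("Domain:"):
            domain = line.split(":", 1)[1].strip()
        elif line.startswith("Source IP"):
            in_rows = True
        elif in_rows and line.strip():
            parts = line.split()
            entries[parts[0]] = (parts[1], parts[2:-1], parts[-1])
    return domain, entries

def resolve_identity(src_ip, local, ad):
    """Lookup order from the deck: local table, then AD query, else captive portal."""
    if src_ip in local:
        return "local", local[src_ip]
    if src_ip in ad:
        return "ad", ad[src_ip]
    return "captive-portal", None

# AppFW rule-set from the deck: deny social networking, permit the rest, redirect.
RULE_SETS = {"no-social-media-trust-untrust": {
    "deny_groups": {"junos:web:social-networking"}, "default": "permit",
    "redirect": "http://172.27.72.10/badluck.htm"}}
# Assumption: junos:FACEBOOK-ACCESS is in junos:web:social-networking (not shown in deck).
APP_GROUPS = {"junos:FACEBOOK-ACCESS": "junos:web:social-networking"}
# Policies in rulebase order, first match wins: (name, source-identity, rule-set)
POLICIES = [("no-social-media", "wsa.local\\no-social-media", "no-social-media-trust-untrust"),
            ("trust-to-untrust", None, None)]

def evaluate(entry, dyn_app, domain, policies=POLICIES):
    """Return (policy name, action, redirect URL) for one HTTP(S) session."""
    for name, identity, rule_set in policies:
        if identity is not None:  # policy needs a valid user or group match
            if entry is None or entry[2] != "Valid":
                continue
            ident_domain, _, ident = identity.partition("\\")
            if ident_domain != domain or (ident != entry[0] and ident not in entry[1]):
                continue
        if rule_set is None:
            return name, "permit", None
        rs = RULE_SETS[rule_set]
        if APP_GROUPS.get(dyn_app) in rs["deny_groups"]:
            return name, "deny", rs["redirect"]
        return name, rs["default"], None
    return None, "deny", None  # implicit default deny at the end of the rulebase

def check(src_ip, dyn_app, local=None):
    domain, ad = parse_auth_table(AUTH_TABLE)
    _source, entry = resolve_identity(src_ip, local or {}, ad)
    return evaluate(entry, dyn_app, domain)
```

`check("172.27.78.1", "junos:FACEBOOK-ACCESS")` returns the deny with the badluck.htm redirect for sad, while lucky and an unauthenticated guest both fall through to trust-to-untrust, which matches the flow output above where lucky's sessions carry `Policy name: trust-to-untrust/5`.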


Thank You