Table of Contents

Lab Overview - HOL-PRT-1472 - Juniper Virtual Security Lab Overview
    Lab Overview
Module 1 - Juniper Junos Space 101 (15 min)
    Introduction to Space
    Introduction to Virtual Director
    Introduction to Security Director
Module 2 - Managing Your Physical and Virtual Infrastructure with Juniper Junos Space (45 min)
    Use Cases for Juniper Junos Space and Firefly Perimeter
    Deploying Firefly Perimeter
    Virtual Director - Greater Detail
    Security Director - Greater Detail
    Why Juniper for Your Physical and Virtual Infrastructure
Module 3 - Juniper DDoS Secure (45 min)
    Introduction to Juniper DDoS Secure
    Introduction to Juniper DDoS Secure UI
    Configuration of Testing Environment
    Low and Slow Attack
    Why Juniper DDoS Secure

Table of Contents - VMware · 2016-05-05 · Launch Junos Space Once Firefox is launched, Junos Space should be the homepage, but in case it is not, click on the "Junos Space Login"

Lab Overview - HOL-PRT-1472 - Juniper Virtual Security Lab Overview

Lab Overview

So you have decided to incorporate cloud and/or virtualization into your business, utilizing it for bursting, development, testing, or even production applications. Have you built security into your virtual data center? Are you concerned about DDoS attacks on your production applications? What about the ability to implement network-based AV, VPN, NAT, IPS, and routing in your virtual data center, establishing a secure and operable software-defined data center that is able to expand and maintain security throughout its entire lifecycle? What about having a DDoS appliance in a virtual format for ease of deployment for any tenant? Building these technologies on the experience and confidence of Juniper Networks allows a solution that truly understands the functions and needs of networking and security for your true software-defined data center. Only Juniper can understand security from a network standpoint because we are truly a network and security company. This lab will show you just a touch of our virtual security capabilities for your Enterprise or Service Provider environment. Understand that we have a full suite of virtualized security and network products and tools that allow you to manage your physical and virtual data center.

Making Sure VMs are Running

Before starting with the lab, let's make sure that all of your virtual machines are up and running.

Launch Internet Explorer

From the Control Center desktop, please double click the Internet Explorer icon.

Log In To vSphere Web Client

The login page for VMware vSphere Web Client will automatically launch. Please enter the following credentials:

User name: root

Password: VMware1!

and click "Login".

Home Tab

Click the "Home" button.

VMs and Templates

Click the "VMs and Templates" icon.

Expand Datacenter Site A

Click the arrow to the left of "Datacenter Site A" so that we can verify that the VMs are running.

List of VMs

As you can see, the "DDoS Secure Virtual edition" is not running. This may not be the case with your lab. Your lab may have all the VMs running (see note below) or other VMs not running. This is why we are checking.

NOTE: Attacker 32 does NOT need to be started.

Starting VMs

If any of the VMs are not running (with the exception of Attacker 32), please right-click on the VM and select "Power On".

Proceed With Lab

Once you have verified that all the VMs are running (with the exception of Attacker 32... have I mentioned that already? :) ), please proceed with the first Module.

Thank you!!!

Module 1 - Juniper Junos Space 101 (15 min)

Introduction to Space

Juniper Junos Space is a comprehensive Network Management Solution that simplifies and automates management of Juniper's switching, routing, and security devices. Junos Space consists of a network management platform for deep element and fault, configuration, accounting, performance, and security (FCAPS) management; plug-n-play management applications for reducing costs and provisioning new services quickly; and a programmable SDK for network customization. The FCAPS network management framework was created by ISO and categorizes the working objectives of network management into five levels of management. With each of these components working cohesively, Junos Space offers a unified network management and orchestration solution to help you more efficiently manage your network. In this lab, we will be covering the Virtual Director and Security Director applications. There are other applications available for Junos Space, such as Network Director, but as indicated, we will not review them at this time.

One of my favorite parts of the Junos Space Appliance is that it is available in both hardware and virtual appliance formats. This gives you incredible flexibility in your data center, and we are all for that. My second favorite part is that both versions support multiple nodes, which in turn provides the scalability and availability that your managed network requires as you add more devices, services, and users. You see, Junos Space manages BOTH virtual and physical components in your data center, but more on that later.

Let's delve into the Junos Space GUI.

Launch Firefox

On the Control Center box (the box you are logged in to), double-click the Mozilla Firefox image on the desktop.

Launch Junos Space

Once Firefox is launched, Junos Space should be the homepage, but in case it is not, click on the "Junos Space Login" shortcut in the toolbar of the browser.

Accepting Website's Security Certificate

Note: this is the certificate message from Internet Explorer. It requires an acknowledgement, but because we are using Firefox for this lab, we did not get one.

In case you are seeing a certificate error, please accept it (although in my testing, I did not, but you never know :) ).

Logging into Junos Space

You will now see the Junos Space login.

To log into Juniper Junos Space, use the following login:

Username: super

Password: VMware1!

When you have entered the credentials, please click "Log In".

Network Management Platform - Dashboard

Once you first log in to Junos Space, you will see the main dashboard for the product. When you select any application (Security Director, Virtual Director) in the box above the task tree, a dashboard displays graphical data about devices, jobs, users, administration, and so on.

The dashboard provides a snapshot of the current status of objects managed and operations performed within a Junos Space application. The Network Management Platform dashboard (as shown above) displays the system health of your network and the percentage of jobs run successfully and in progress.

The Network Management Platform dashboard contains gadgets (graphs and charts) that display statistics that provide a quick view of system health. They include a gauge for overall system condition and graphs that display the fabric load and active users history.

Move the Gadgets

Feel free to move and resize the gadgets.

If you click on the blue bar of each of the gadgets, you will see the cursor change form into an X; this means that the gadget can be moved within the dashboard. Try it out!

All dashboard gadgets are visible for all users and are updated in real time.

Saving and Printing

If you right-click on the "Job Information" gadget, you will see that the images can be saved and/or printed.

More Detailed Information

Still within the "Job Information" gadget, if you double-click on the green "Success" section, it will bring you to greater detail such as the one shown above.

Job Management

When you clicked the green circle, you were automatically taken to the listing of jobs. Now, thankfully, all my jobs are successful, but you can imagine that jobs do fail for various reasons, and they would show up here as well.

Global Search

Junos Space has this great Global Search capability. You can see that the search bar is always available no matter what screen you are on. You can use the feature to quickly locate any object within Junos Space. Junos Space allows you to perform a full-text search operation for objects within the system. You can do searches on object categories such as device name, Juniper platform (Junos OS, Junos ES, etc.), OS version, serial number, IP of physical and logical interface, name of physical and logical interface, MAC address, software, and many, many more. The global search operation supports query expressions. You can search for phrases and multiple terms. The default operator for multiple terms is the OR operator.

Applications for Space

In this implementation of Space we have two additional applications installed. By clicking on the down arrow as described in the picture above, you can see what is available. We will not go into these applications at this time, but we wanted you to see a quick viewing. In this lab configuration we have installed Virtual Director and Security Director. Service Now is part of the "default" Network Management Platform. Service Now is an automated troubleshooting capability that accelerates problem resolution by allowing you to open cases with Juniper Technical Support (JTAC) and include all related logs and diagnostics. Junos Space Service Now also reduces the time to integrate new Juniper products or releases into the network by using customized scripts installed on the Junos devices. Troubleshooting expertise is integrated into the products and therefore outage time is reduced. It also helps to lower the learning curve for operations personnel that are new to Juniper products.

No need to click any of the applications now, just click the arrow again.

Task Group (Workspaces)

Within each application (in this case, Network Management Platform) are the Task Groups, also sometimes referred to as Workspaces. These task groups are part of the task tree that is on the left side of the display. It is the navigation center for Junos Space. Note that you can collapse the task tree by clicking on the double left arrows, but we will not do this at this time. These arrows are highlighted in the above image.

Let's look at the Network Management Platform Task Groups.

Devices Task Group Expansion

Click the " + " to the left of the "Devices" Task Group.

Devices Task Group

As you can see, there are many options and Sub Task Groups available under "Devices". Let us spend some time in these options.

Devices "Dashboard"

By clicking the "Devices" Task Group, you will get a dashboard on the right.

A screenshot of the Devices Dashboard is above. Once again, these gadgets can be moved and you can drill down into them for greater detail. There are three options: "Device Count by Platform", "Device Status", and "Device Count by OS". We have not deployed any devices at this time and therefore the gadgets have no data.

Options and Sub Task Groups

I have already expanded the additional Sub Task Groups in the image provided.

I will admit that the data is not fun to look at at this time because there are no devices, but like I said previously, feel free to click through all the options and see the data that is available.

For instance, I love the "secure console" option available from the "Devices" Task Group.

Device Templates Expansion

Click the " + " to the left of the "Device Templates" Task Group.

Device Templates

There are two options available under this Task Group, please select "definitions".

Definitions

Here you will see the default device templates that are provided with Junos Space Network Management. As you can see, they list the majority of the types of device families available from Juniper. Note that these are for the hardware devices that Junos Space supports.

Select Default Syslog Config_Junos

Please select the "Default Syslog_Config_JUNOS" Device Template and select the pencil icon.

Available Configuration Expansion

Click the " + " to the left of the "Configuration" folder in "Available Configuration".

Configuration

You will see that the template gives you a layout of the various options available. This will provide ease in your configurations of the devices that you can deploy through Junos Space.

CLI Configlets

This Task Group allows you to easily apply a configuration to a device. Configlets are configuration tools provided by Junos OS that enable you to apply configuration onto the device while reducing configuration complexity. A configlet is a configuration template which is transformed to a CLI configuration string before being applied to a device. The dynamic elements (strings) in configuration templates are defined using template variables. These variables act as an input to the process of transformation, to construct the CLI configuration string. These variables can contain anything: an interface name, a device name, description text, or any such dynamic value.
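Because the variables "can contain anything", the transformation step is where input should be checked before it becomes CLI text. The following is an added example, not Junos Space code: the `$name` placeholder syntax, the sample configlet, the variable names and the allow-list patterns are all assumptions made for illustration.

```python
import re
from string import Template

# Constructed sample configlet. The "$name" placeholder syntax is an assumption
# of this example, not the template syntax Junos Space itself uses.
CONFIGLET = Template(
    "set system host-name $device_name\n"
    'set interfaces $interface description "$description"\n'
)

# Allow-list pattern per variable (constructed for this example). None of them
# admits a line break or a double quote, so a value cannot close the quoted
# description or start a second CLI statement.
VALIDATORS = {
    "device_name": re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}"),
    "interface": re.compile(r"[a-z]{2,4}-\d+/\d+/\d+(\.\d+)?"),
    "description": re.compile(r"[A-Za-z0-9 ._:/()-]{1,80}"),
}


class ConfigletError(ValueError):
    """Raised when a configlet cannot be rendered safely."""


def template_variables(template):
    """Return the set of variable names referenced by the template."""
    names = set()
    for match in template.pattern.finditer(template.template):
        if match.group("invalid") is not None:
            raise ConfigletError("malformed placeholder in template")
        name = match.group("named") or match.group("braced")
        if name:
            names.add(name)
    return names


def render_configlet(template, values):
    """Validate the input variables, then build the CLI configuration lines."""
    needed = template_variables(template)
    provided = set(values)
    missing = needed - provided
    unexpected = provided - needed
    if missing or unexpected:
        raise ConfigletError(
            f"missing={sorted(missing)} unexpected={sorted(unexpected)}"
        )
    for name in sorted(needed):
        validator = VALIDATORS.get(name)
        if validator is None:
            raise ConfigletError(f"no validation rule for variable {name!r}")
        value = values[name]
        if not isinstance(value, str) or not validator.fullmatch(value):
            raise ConfigletError(f"value for {name!r} rejected")
    rendered = template.substitute(values).splitlines()
    # Defense in depth: substitution must not change the number of statements.
    if len(rendered) != len(template.template.splitlines()):
        raise ConfigletError("rendered configuration has unexpected line count")
    return rendered


def is_rejected(values):
    """Return True when render_configlet refuses the given variable values."""
    try:
        render_configlet(CONFIGLET, values)
    except ConfigletError:
        return True
    return False


if __name__ == "__main__":
    good = {
        "device_name": "fw-edge-01",
        "interface": "ge-0/0/0",
        "description": "uplink to core",
    }
    for line in render_configlet(CONFIGLET, good):
        print(line)
    # A description carrying a quote and a line break would add a statement.
    bad = dict(good, description='x"\nset system host-name other')
    print("rejected:", is_rejected(bad))
```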

Images and Scripts

Junos Space facilitates management of devices running Junos OS (Juniper Operating System) by enabling you to download a device image from Juniper's Software download site to your local file system. You can then upload the device images and deploy these device images onto a device or onto multiple devices of the same device family simultaneously. After you upload a device image you can stage a device image on a device, verify the checksum, and deploy the staged image whenever required. You can also schedule the staging, deployment, and validation of device images.

You can also use Junos OS Scripts for configuration and diagnostic automation tools in order to deploy, verify, enable, disable, remove, and execute scripts that have been deployed to the devices.

Reports

The Reports Task Group is for... you guessed it... Reports. You can generate customized reports for managing the resources on your network. You can use the reports to gather data related to the device inventory details, job execution details, and audit trails. You first create a report definition to specify what information to retrieve from the Junos Space inventory database. You then use this report definition to generate, export, and print the reports. Junos Space does provide some pre-defined categories to create report definitions. We will not be creating reports in this lab, but feel free to speak with a Juniper Sales Rep for more information.

Network Monitoring

With the Network Monitoring task group, you can assess the performance of your network, not only at a point in time but also over a period of time.

Click the "Network Monitoring" Task Group to see the dashboard.

Network Monitoring Dashboard

As you can see, the "Network Management" Dashboard gives you a view into the "Nodes with Outages", "Availability over the past 24 hours", "Notification", "Resource Graphs", "KSC Reports", and "Quick Search". This dashboard provides great insight into your organization and quick searches against Node ID, Node Label like, TCP/IP address, and Providing services (ICMP or SNMP).

Network Monitoring Expansion

Click on the " + " arrow to the left of the "Network Monitoring" Task Group.

Network Monitoring Task Group

By expanding the "Network Monitoring" Task Group, you can see that there are many additional options. Feel free to review the screens associated with the additional Sub Task Groups.

Configuration Files

You can maintain copies of device configuration files, which are either running, candidate, or backup configuration files. This assists with device configuration recovery and maintaining consistency across multiple devices.

Jobs

The "Jobs" Task Group ironically monitors the progress of ongoing jobs. Crazy, I know! (Note that the "Jobs" Task Group should already be open.)

Once again we have an amazing dashboard with drill-down capability. There are three default gadgets available on the dashboard. Feel free to once again move them within the screen and to drill down into the various details.

Users

This, surprisingly, is where you add, manage, and delete users. I know... crazy place to put this, right? Just Joshing....

The Users Task Group is where you can add your users and assign roles to them.

Audit Logs

In the Audit Logs task group you can view and filter system audit logs, including those for user login and logout, tracking device management tasks, and displaying services that were provisioned on devices.

Click on the "Audit Logs" Task Group.

Audit Logs Task Group

The dashboard on the "Audit Logs" shows all statistics available from the audit log.

Click on the blue section of the statistics.

Login Data

In this case, I have only logged in as "super", but you can imagine that if there were other logins, these would show up as well.

Please select the "IP Addresses" as identified in the image.

IP Address Data

Here you see the IP addresses from which I have been accessing Junos Space.

Administration

And lastly, Administration allows you to add network nodes, back up databases, manage the licenses and applications, or even troubleshoot. As you can see, the administrative tasks are accomplished through this Task Group.

This concludes our introduction to Juniper's Junos Space. Our next chapter will go into detail on the Virtual Director application.

#JuniperLab

#PewPew

Introduction to Virtual Director

Junos Space Virtual Director is dedicated to provisioning, bootstrapping, monitoring, and lifecycle management of a variety of Juniper Virtual Appliances and related virtual security solutions. Virtual Director can be used to deploy, manage, and monitor instances of Firefly Perimeter (more detail later), which provides security and networking services at the perimeter in a virtualized private or public cloud environment. Virtual Director also registers each instance of Firefly Perimeter with the Junos Space Platform to allow other Junos Space applications, such as the Security Director application, to configure security policies.

Virtual Director Topology

The above diagram shows where Virtual Director and Space sit in your virtual environment. As you can see, Virtual Director is used to support many of Juniper's virtual appliances. Security Director is used to manage many of Juniper's physical hardware devices.

Juniper's Junos Space ties directly into VMware's vCenter Server.

Loading Virtual Director

Virtual Director has already been installed into the Junos Space Network Management Platform. In order to launch the application, select the down arrow to the right of "Network Management Platform" and select "Virtual Director".

Virtual Director Dashboard

Just like the dashboard in the "Network Management Platform", the "Virtual Director" "Dashboard" gives you a synopsis of the environment. At this time, this is a clean install. We will populate this information in later articles in this lab.

Take note of how the "Summary" and "Deployment Alerts" look at this time. As we do more activity in this lab, this information will change. Feel free to come back to the dashboard at any time.

Deployment Alerts

Like I stated, this is a fresh installation and currently none of the deployments have failed, because we have not even tried. We will deploy later! This information shows on the bottom of the "Virtual Director" "Dashboard". Personally, I think it is nice to have this information for your data center in that single pane.

Design Task Group Expansion

Expand the "Design" Task Group. You will see there are three Sub Task Groups. Let us check them out.

Design Task Group

The "Design Task Group" has three Sub Task Groups:

• Virtualization Providers
• VM Image Files
• Virtual Director Templates

Let's look at these individually.

Virtualization Providers

( 1 ) Please click on the "Virtualization Providers" Sub Task Group. We do not have any at this time, so let's connect one. We will only be connecting one, but as you can tell, multiple "virtualization providers" can be added to the system, allowing you to manage different systems or tenants.

( 2 ) Please click on the green " + " circle.


Defining Virtualization Provider

When the popup for "Define Virtualization Provider" appears, please provide the following information:

Name : VMworld 2014 HoL

Network Address : 192.168.110.22

Administration Account Username : root

Password : VMware1!

Virtualization Provider Type : [default]

Connection : [default]

and then click "Done".


New Virtualization Provider

Once the connection is made, you will see that the new virtualization provider you created has been added.

This connection is needed in order to deploy our Firefly Perimeter devices into our virtual data center for all types of customers.

VM Image Files

Please click on "VM Image Files".


Adding VM Image Files

You will see that we do not have any VM image files in the system at this time, but it is incredibly simple to add additional files into Virtual Director.

Please select the green " + " symbol.

Load OVA

The "Load OVA" screen will pop up.

Please click the "Browse" box.


Downloads Directory

Please make sure that you are in the "Downloads" directory if you are not already in this directory.

Selecting OVA

The downloads folder appears.

Please select the "junos-vsrx-12.1X46-D10.2-domestic.ova" image file.


Click Open

Now that you have selected the image, please click "Open" in the bottom right corner.

Upload OVA

Once back at the "Load OVA" screen, click the "Upload" button.

Please Wait

While your file uploads :).


Success

#PewPew, the file has been uploaded.

Please click the "OK" button.

Updated VM Image Files

You will now see your image in the "VM Image Files" screen.

We will use this image for building our template and deploying the device.


Virtual Device Templates

The "Virtual Device Templates" Sub Task Group allows you to see your previously created templates for deployment as well as to create new templates. Of course, we have not created one, but we will be doing this in the next article.

Manage Task Group Expansion

Click on the " + " symbol to the left of the "Manage" Task Group.


Manage Task Group

The "Manage" Task Group has two sub Task Groups. Feel free to review them, but as you can imagine, they are empty :).

Monitor Devices Task Group Expansion

Click on the " + " symbol to the left of the "Monitor Devices" Task Group.


VM Connection Status

Please click the "VM Connection Status" option.

Unmanaged Devices

As you can see, there is a Firefly Perimeter device listed. This Firefly Perimeter was deployed previously into the Juniper vPod.

I needed to make sure you had some items to review :).


Moving Columns

Notice that you can highlight a column and move it to your desired location on the bar for ease of management and viewing. Feel free to move a column to a new location by clicking on the column heading and dragging it to its new place.

Expanding Columns

Feel free to expand the columns to get greater detail. In this case, I have made the IP Address column wider. When you click on the line in between the columns, the movement symbol will appear.


Search Capabilities

You can imagine how many devices can appear on this screen. At times the list may run off the screen, so the top bar gives you the ability to search by "VM Name", "VM Status", "IP Address", and "Device Host Name". Pretty handy, huh?

Deployment Status Task Group

The "Deployment Status" Task Group gives you a recap of all the request IDs that have occurred. For instance, you would see the request ID for the power on and power off of the Firefly Perimeter Virtual Machines. It provides a summary of the succeeded and failed tasks.

Application Settings Task Group

And the last Task Group within "Virtual Director"...

Click on "Application Settings". You will notice that the "Alert Settings" option comes up on the right. This allows you to set up the email addresses that alerts will be sent to.

And this closes out the Task Groups for the "Virtual Director" application within Junos Space. Let's look at how the Firefly Perimeters are managed next... so off to the next article in this module, where we go into detail on Security Director.


#JuniperLab


Introduction to Security Director

Security Director is a Junos Space application that gives you a quick and easy way to design your network security. With Security Director, you can create IPsec VPNs, firewall policies, NAT policies, and IPS configurations and push them to your security devices. These configurations use objects such as addresses, services, NAT pools, application signatures, policy profiles, VPN profiles, template definitions, and templates. These objects can be shared across multiple security configurations. You can create these objects prior to creating security configurations.

Firewall policy, NAT policy, and IPS policy can be created and managed in a Tabular view. You can easily add new rules to the policies and choose to override policy-inherited settings by customizing the settings at a per-rule level. After you have added the rules to the policy, you can reorder these rules based on priority or group these rules for easy identification and modify them at a later time. A unified user interface approach for firewall, NAT, and IPS policies helps you reduce the learning time required to create different security configurations.

You can periodically download the latest version of application signatures and IPS signatures from a URL provided by Juniper Networks. You can install these signatures on Juniper security devices. You can then use application signatures and IPS signatures when creating firewall policy configurations. Security Director also lets you create your own customized signature sets. All application firewall and IPS configurations are pushed to the devices when the firewall policy in which they are used is pushed to the devices.

When you finish creating and verifying your security configurations, you can publish these configurations and keep them ready to be pushed to the security devices. Security Director helps you push all the security configurations to the devices at once by providing a single, intuitive interface.

Pretty Cool Huh?


Launching Security Director

From the Applications left column,

( 1 ) Select the down arrow to the right of "Virtual Director" ( the last application we were in )

( 2 ) and select "Security Director"


Security Director Dashboard

Here is a screen shot of the Task Groups that are available in the "Security Director" application. We will go into greater detail on these Task Groups after we do one last check on the dashboard.


Security Director Dashboard Cont'd

From the "Security Director" dashboard you have the ability to:

• Create, manage, and publish firewall policies
• Create and manage IPS signatures, IPS signature sets, and IPS policies
• Create, manage, and publish NAT policies
• Create, manage, and publish VPNs

Firewall Policy Task Group Expansion

Click on the " + " symbol to the left of the "Firewall Policy" Task Group.


Firewall Policy Task Group

( 1 ) Click the "Firewall Policy" Task Group.

On the screen to the right, you will see two sections.

Policies ( 2 ) will show firewall rules that have been previously created.

The right pane ( 3 ) of the firewall policy Inventory Landing Page ( ILP ) divides the set of rules into two rule bases. All zone-based rules are grouped under Zone and the SRX Series All Devices rules are grouped under Global.

Security Director provides you with five types of firewall policies:

• All devices : this policy enables rules to be enforced globally to all the devices managed by Security Director

• Group : this type of policy is used when you want to update a specific firewall policy configuration to a large set of devices

• Device : this type of policy is used when you want to push a unique firewall policy configuration per device

• Device - Exception Policy : this type of firewall policy is created when a device is removed from a group policy

• Global Policy : these rules are enforced regardless of ingress or egress zones; they are enforced on any device transit

Firewall Policy Sub Task Groups

As you can see, the "Firewall Policy" Task Group is where you can:

• Create Policy
• Publish Policy
• Prioritize Policies
• Manage Policy Locks

We have not created any policies yet but will in the subsequent articles.

IPS Policy Task Group Expansion

Please click the " + " symbol to the left of the "IPS Policy" Task Group.


Sub Task Group Expansion

Please click the " + " symbol to the left of the "IPS Signature" Sub Task Group and

please click the " + " symbol to the left of the "IPS Signature-Set" Sub Task Group.

IPS Policy Task Group

IPS ( Intrusion Prevention ) is available as part of the overall functionality of the hardware devices. In future releases of Firefly Perimeter, this capability is included, but again, Junos Space is a tool for both hardware and software versions of Junos OS products.

You can use the IPS Policy Task Group to download and install the AppSecure signature database to security devices. You can automate the download and install process by scheduling the download and install tasks and configuring these tasks to recur at specific time intervals. This ensures that your signature database is up to date.

You can view the predefined IPS policy templates and create customized IPS policy-sets in this Task Group. You can also enable IPS configuration in a firewall policy and provision IPS-related configuration with the firewall policy.


NAT Policy Task Group Expansion

Click on the " + " symbol to the left of the "NAT Policy" Task Group.

NAT Policy Task Group

Network Address Translation ( NAT ) is a form of network masquerading where you can hide devices between the zones or interfaces. A trust zone is a segment of the network where security measures are applied. It is usually assigned to the internal LAN. An untrust zone is the Internet. NAT modifies the IP address of the packets moving between the trust and untrust zones.

Junos Space Security Director supports three types of NAT ( IPv6 is supported ):

• Source NAT - translates the source IP address of a packet leaving the trust zone ( outbound traffic ). It translates the traffic originating from the device in the trust zone. Using source NAT, an internal device can access the network by using the IP addresses specified in the NAT policy.

• Destination NAT - translates the destination IP address of a packet entering the trust zone ( inbound traffic ). It translates the traffic originating from a device outside the trust zone. Using destination NAT, an external device can send packets to a hidden internal device.

• Static NAT - always translates a private IP address to the same public IP address. It translates traffic from both sides of the network ( both source and destination ). For example, a webserver with a private IP address can access the Internet using a static, one-to-one address translation.
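The three NAT types described above, as an added toy model (not Security Director or Junos code) that shows which address field each type rewrites and in which direction. All addresses are constructed sample values, the class and field names are hypothetical, and checking static mappings before the other rules is a choice of this model.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    from_zone: str  # "trust" (internal LAN) or "untrust" (Internet)


class NatPolicy:
    """Toy model of source, destination and static NAT between two zones."""

    def __init__(self, source_net, source_ip, destination, static):
        self.source_net = ipaddress.ip_network(source_net)  # internal range to hide
        self.source_ip = source_ip                           # shared public address
        self.destination = dict(destination)                 # public IP -> hidden internal IP
        self.static = dict(static)                           # private IP -> public IP (one-to-one)
        self.static_reverse = {pub: priv for priv, pub in self.static.items()}

    def translate(self, pkt: Packet) -> Tuple[Packet, Optional[str]]:
        """Return the translated packet and the NAT type applied (None if untouched)."""
        if pkt.from_zone == "trust":
            # Outbound: only the source address is a candidate for rewriting.
            if pkt.src in self.static:
                return replace(pkt, src=self.static[pkt.src]), "static"
            if ipaddress.ip_address(pkt.src) in self.source_net:
                return replace(pkt, src=self.source_ip), "source"
        elif pkt.from_zone == "untrust":
            # Inbound: only the destination address is a candidate for rewriting.
            if pkt.dst in self.static_reverse:
                return replace(pkt, dst=self.static_reverse[pkt.dst]), "static"
            if pkt.dst in self.destination:
                return replace(pkt, dst=self.destination[pkt.dst]), "destination"
        # No rule matched. Replies to source-NATed flows are matched by session
        # state on a real device; sessions are not modelled here.
        return pkt, None


# Constructed sample policy using private and documentation address ranges.
LAB_POLICY = NatPolicy(
    source_net="10.0.0.0/24",
    source_ip="203.0.113.1",
    destination={"203.0.113.10": "10.0.0.10"},
    static={"10.0.0.80": "203.0.113.80"},
)


def walk_through():
    """Translate one constructed packet per case and return (before, after, rule)."""
    flows = [
        Packet("10.0.0.5", "198.51.100.7", "trust"),        # workstation going out
        Packet("198.51.100.7", "203.0.113.10", "untrust"),  # outside host to a hidden server
        Packet("10.0.0.80", "198.51.100.7", "trust"),       # web server going out
        Packet("198.51.100.7", "203.0.113.80", "untrust"),  # outside host to the web server
        Packet("198.51.100.7", "203.0.113.1", "untrust"),   # unsolicited hit on the shared address
    ]
    return [(pkt,) + LAB_POLICY.translate(pkt) for pkt in flows]


if __name__ == "__main__":
    for before, after, rule in walk_through():
        print(f"{rule or 'none':<12} {before.src} -> {before.dst}  =>  {after.src} -> {after.dst}")
```

The last flow is the "hiding" property in practice: the shared source NAT address has no inbound mapping, so an unsolicited packet aimed at it is not translated to any internal device, while the static mapping is reachable from both sides.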


VPN Policy Task Group Expansion

Click on the " + " symbol to the left of the "VPN" Task Group.

VPN Policy Task Group

You can create site-to-site, hub-and-spoke, and full-mesh VPNs in the Task Group. If you want to use a custom VPN profile, you must configure a VPN profile before creating a VPN.

You can configure the following parameters for an IPsec VPN:

• Endpoints for a site-to-site VPN and full-mesh VPN
• Spokes and hubs for a hub-and-spoke VPN
• External Interface, Tunnel Zone, and Protected networks/zones for each device
• Routing settings
• VPN endpoint configuration

You can also customize endpoint-specific settings like VPN Name, IKE ID, and profile for each tunnel.

After the VPN configuration is saved, you can provision this VPN on the security devices.

In Security Director, route-based VPNs support OSPF and RIP routing along with static routing.

Security Director supports dynamic routing in VPN addressing. Security Director simplifies VPN address management by enabling the administrator to export static routes to a remote site over a tunnel, allowing the static route networks to participate in the VPN.


Listing of VPNs

If we had VPNs configured, you would see them in the left pane of the Tabular view.

Object Builder Task Group Expansion

Click on the " + " symbol to the left of the "Object Builder" Task Group.

Object Builder Task Group

You can use the Object Builder Task Group in Security Director to create objects used by firewall policies, VPNs, and NAT policies. These objects are stored in the Junos Space database. You can reuse these objects with multiple security policies, VPNs, and NAT policies. This approach makes the design of services more structured and avoids the need to create the objects during the service design.

You can use the Object Builder Task Group to create, modify, clone, and delete the following objects:

• Address and address groups
• Services and service groups
• Application signatures
• Extranet Devices
• NAT pools
• Policy profiles
• VPN profiles
• Variables
• Template and template definitions


Devices Task Group Expansion

Click on the " + " symbol to the left of the "Devices" Task Group.

Devices Task Group

The "Devices" Task Group lists the devices that have been discovered by Junos Space. This Task Group gives you greater flexibility into the view of your virtual data center and your physical data center. Remember, this tool is for both virtual AND physical devices. It is a one-stop shop. Pretty awesome, huh?


Jobs Task Group

The "Jobs" Task Group gives you a full listing of all the jobs transitioned through or for Junos Space.

Please click on "Jobs" in order to bring the dashboard up.

Jobs Task Group Dashboard

Once again, a dashboard is available to give us visibility into the system.

Please double click on the "Add Application" job type.


Job Management

You can see the "Job Type" of "Add Application" is listed. This shows the install of the Security Director and Virtual Director applications.

Security Director Devices Task Group

The "Security Director Devices" Task Group allows you to update the devices with firewall policies, NAT policies, and VPN Configurations.

Downloads Task Group

The "Downloads" Task Group allows you to download AppFirewall and IPS Signatures.


While you are on this screen please click the " + " symbol to the left of "Downloads".

Downloads Task Group Dashboard

This particular dashboard provides you with a full listing of all of the AppFirewall and IPS Signature downloads. It is a great way of keeping track of all the updates that you have received and implemented within the system and the products.


Signature Database

Please click on the "Signature Database" Sub Task Group.


Signature Database Dashboard

The Signature Database page appears. You can see the active databases that were downloaded earlier. At any time, Security Director will have only one active signature database.

You can see on the top of this screen there is an IPS Signature that can be installed on the system.

Install Configuration

Please select the "Install Configuration" Sub Task Group.


Install Configuration Dashboard

We do not have Juniper SRX devices in the network, so we cannot install the configuration at this time, but you can see how the installation would occur from this screen, either at the present time or scheduled for a later time. You have the control to determine when this would be done.

FYI, SRX Series Services Gateways are high-performance network security solutions for enterprises and service providers that pack high port density, advanced security, and flexible connectivity into easily managed platforms.

SRX Series Services Gateways deliver next-generation firewall protection with application awareness, intrusion prevention system (IPS), and extensive user role-based control options, plus best-in-class unified threat management (UTM) to protect and control your business assets. Next-generation firewalls are able to perform full packet inspection and can apply security policies based on Layer 7 information. This means that you can create security policies based on the application running across your network, the user who is receiving or sending network traffic, or the content that is traveling across your network to protect your environment against threats, manage the way your network bandwidth is allocated, and control who has access to what.

SRX Series gateways come in a broad range of models from all-in-one security and networking appliances optimized for the enterprise edge to highly scalable, high-performance chassis solutions optimized for service providers and large data centers. All solutions can be centrally managed using Junos Space Security Director, and additional security services are easily added to existing SRX Series platforms for a cost-effective solution.


Download Configuration

Select "Download Configuration" from the left hand bar.

Download Configuration Information

On this screen, you have the ability to download additional signature files that will be used with your virtual and hardware appliances.

So as I described earlier, if you wanted to update the signatures in your SRX devices,this would be accomplished here.


I am also happy to note that Firefly Perimeter x47 will include UTM and IPS capabilities and in turn, Security Director would be used to update the devices as well.

Audit Logs

Select the "Audit Logs" Task Group.

Audit Logs Dashboard

You will see the dashboard on the right hand side of the page. Feel free to drill down into the various tasks for greater detail.

Please note that your image may look different with regard to the tasks that were implemented in the system.


This concludes the introduction to Security Director. Please proceed on to the next module, where you will learn more about Firefly Perimeter's advanced security services and network capabilities.

#JuniperLab


Module 2 - Managing Your Physical and Virtual Infrastructure with Juniper Junos Space (45 min)


Use Cases for Juniper Junos Space and Firefly Perimeter

For Service Providers ( SP ), the network is the money-maker. SPs look to their network to create innovative services that solve business problems and demonstrate the added value they can bring to their customers. These services must always be available to ensure end-subscriber satisfaction, and new services need to be offered frequently as demands and technology change in order to obtain additional revenue streams.

For Enterprises, the network is both a strategic and critical corporate asset, where costs have to be controlled. Explosive demand for smart devices, social media applications, and mobility-based services has placed unprecedented pressure on network operators who must provide a compelling experience to increasingly demanding, tech-savvy consumers. The unrelenting expectations of highly secure and always-on connectivity and service, coupled with the growing use of cloud environments, make the network increasingly complex to manage and secure.

Juniper addresses these network challenges with Junos Space to help Service Providers and Enterprise customers maximize their network value and scale solutions, all while reducing complexity. Junos Space is a critical component of Juniper’s SDN strategy as it provides a centralized management plane for a single source of truth and a common management platform for managing and creating applications to meet your specific needs.


Virtualization Use Case

As we will see in the following articles, Firefly Perimeter is the virtualized appliance with advanced security and networking features based on Junos OS.

In addition to its advanced security services and network capabilities, Firefly Perimeter also empowers network and security administrators to quickly provision and scale firewall protection to meet dynamic demand using Junos Space Virtual Director. When combined with Junos Space Security Director, administrators can significantly improve security policy configuration, management, and visibility of their virtual and non-virtual environments.

Firefly Perimeter provides:

• Stateful packet processing and application-layer gateway (ALG) features
• Rich connectivity features based on a powerful Junos OS foundation, including routing, NAT, and VPN
• Granular security between zones, creating boundaries between organizations, lines of business, and applications

Firefly Perimeter for Managed Security Service Providers (MSSP)

Firefly Perimeter enables Managed Security Service Providers ( MSSP ) to launch and activate new services more quickly by decoupling security services from customer premises ( CPE ) hardware. With Firefly Perimeter, MSSPs can migrate from the monolithic architecture and design limitations of a physical firewall to diversified virtual firewall implementations.

They can decentralize fault domains by deploying Firefly Perimeter VMs instead of dedicating a physical firewall to each tenant/customer or sharing one physical firewall across multiple tenants, reaping better returns on their investment. This reduces capital expenditure while aligning the billing with the actual usage.

Additionally, having a firewall in a VM mapped to a single customer allows MSSPs to customize policies and perform maintenance, which only impacts that single customer instead of the traditional approach where numerous customers sharing the same physical firewall are all impacted. Firefly Perimeter enables MSSPs to offer value-added security services such as managed firewall, MPLS, VPN, clean pipe, and secure VM hosting, with a deployment model that lowers time to revenue.

Clustering for Firefly Perimeter

And one of the coolest things that Firefly Perimeter supports is clustering.

Firefly Perimeter provides mission-critical reliability, supporting chassis clustering for both active/active as well as active/passive modes. This support provides full stateful failover for any connections being processed. In addition, it is possible for the cluster members to span hypervisors. When Firefly Perimeter VMs are configured in a cluster, the VM synchronizes connection/session state and flow information, IPsec security associations, NAT traffic, address book information, configuration changes, and more. As a result, not only is the session preserved during failover but security is kept intact. In an unstable network, Firefly Perimeter also mitigates link flapping.


Physical Use Case

Just as Junos Space works with virtual appliances, such as Firefly Perimeter, it also works with the physical devices available from Juniper. This gives you the capability to manage both your physical and virtual data centers, whether as an Enterprise or as a Service Provider. It is all about ease and greater functionality in the tools provided to you. Saving time means saving money, and Juniper's Junos Space does just that. What we will be covering in this lab is just the tip of the iceberg.


Deploying Firefly Perimeter

As discussed earlier, Firefly Perimeter is an amazing virtualized security and networking tool that every Enterprise or Service Provider should have within their virtualized data center. There are many reasons why that is the case. The technology, of course, is one of them, but when you add the ease of deployment, configuration, and the automation capabilities, you begin to understand the possibilities of your virtual data center, the growth and the future you can have.

Log In To Juniper Junos Space

In case you have been logged out, log back in to Junos Space with the following credentials:

Username : super

Password : VMware1!

Click "Log In".


Virtual Director

No matter what application is available when you log in, make sure you end up at "Virtual Director". To do this,

( 1 ) Click the down arrow for the applications

( 2 ) Select "Virtual Director"

Design Task Group Expansion

Please click the " + " symbol to the left of the "Design" Task Group.


Virtual Device Templates

Select "Virtual Device Templates".

Adding New Template

Click the green " + " circle in the dashboard.

Create Template Wizard

Fill in the following information in the wizard.


Template Name : Firefly Perimeter

VM Image File : ( Click the down arrow ) Select the OVF file that we have already brought in to the system - "junos-vsrx-12.1x46-D10.2-domestic.ovf".


Additional Information

Once the image is selected, the Product Type and Version are already loaded.

Click "Next".


Virtualization Host

For "Virtualization Host" click the down arrow and select the pre-loaded IP address ( 192.168.110.2 ).


Data Center

For "Data Center" click the down arrow and select the pre-loaded Data Center ( Datacenter Site A ).


Cluster / Host

For "Cluster/Host" click the down arrow and select the pre-loaded Data Center ( Cluster Site A ).


Resource Pool

For "Resource Pool" click the down arrow and select the pre-loaded Resource Pool ( None ).


Data Store

( 1 ) For "Data Store" click the down arrow

( 2 ) Select "ds-site-a-nfs1"

( 3 ) Once completed, select "Next".


Virtual Machine Configuration

In this screen, fill in the following information

Virtual Machine Name : Firefly_Perimeter

Keep the "Edit network mapping" as the default

Click "Next".


Device Boot Up Configuration

Fill out this screen with the following information

Create Root Password : VMware1!

Confirm Password : VMware1!

Hostname Pattern : Click the down arrow and select the " # ".


Additional Device Boot Up Configuration

Continue with the configuration of the "Device boot up configuration"

IP Assignment : [default]

Default Gateway : 192.168.120.1

Starting IP/Subnet : 192.168.120.70/24

Click "Next".


Final Review - General Information

Please review the information listed under "General Information".

If changes need to be made, select "Previous" to edit. If it looks correct, please proceed to the next step.


Final Review - Virtual Machine Host Configuration Expansion

Click the " + " symbol to the right of "Virtual machine host configuration".


Final Review - Virtual Machine Host Configuration

Review the configuration information for the "Virtual machine host configuration". Again, if changes need to be made, select "Previous" to edit. If it looks correct, please proceed to the next step.


Final Review - Virtual Machine Configuration Expansion

Click the " + " symbol to the right of "Virtual machine configuration".


Final Review - Virtual Machine Configuration

Review the configuration information for "Virtual Machine Configuration". If changes need to be made, select "Previous" to edit.

If it looks correct, please proceed to the next step.


Final Review - Device Boot Up Configuration Expansion

Click the " + " symbol to the right of "Device boot up configuration".


Final Review - Device Boot Up Configuration

( 1 ) Review the "Device boot up configuration" data

( 2 ) When you feel the information is correct, click " Submit "

If it is not correct, guess what... click "Previous".

Added Virtual Device Template

You will now see the template listed in the dashboard for "Virtual Device Templates".


Deploying Template

( 1 ) Click the Firefly Perimeter template

( 2 ) Click the down arrow to the right of "Actions"

( 3 ) Select the "Deploy Template" option.


Number of Virtual Machines to Deploy

( 1 ) On the bottom of the "Deploy Virtual Machine" pop up, keep the default of " 1 " for the "Number of Virtual Machines to Deploy"

( 2 ) Click "Deploy".


Status

A pop-up with the "Status" ID will appear

Click the "OK" button.

vSphere Web Client Tab

You should already have a vSphere Web Client tab available in the Firefox browser.

If not, use the shortcut in the menu.


vSphere Web Client Login

Use the following credentials to log in to the vSphere Web Client

User name : root

Password : VMware1!

Home Button

Click the "Home" button on the top menu bar.


VMs and Templates

Click on "VMs and Templates" in the Inventories section.

Datacenter Site A Expansion

Select the arrow to the left of the "Datacenter Site A".

Firefly_Perimeter1

And there it is, our Firefly Perimeter that we configured and deployed. Yay!! Now wasn't that simple!!!


Imagine how easy it is to deploy these Firefly Perimeter virtual machines for multiple tenants in your Enterprise or Service Provider.

This concludes this article. Please proceed to the next article, which will cover Virtual Director in greater detail.

#JuniperLab


Virtual Director - Greater Detail

We have already spent some time talking about Virtual Director, but now that we have deployed a Firefly Perimeter, let's look at the application in greater detail.

Junos Space Tab

In Internet Explorer, click the first tab which should be Junos Space.

If this tab is not available, use the shortcut in the menu bar.

Virtual Director Application

Make sure the "Virtual Director" application is loaded.

PS... if you are logged out of the system, the account information is

Username : super

Password : VMware1!


Virtual Director Dashboard

Please select the "Dashboard" in Virtual Director.

On the right-hand side you will see that the "Number of Deployed Devices" and the "Number of Virtual Director Templates" have now increased.


Deployed Devices Menu

Please click on the "Manage" > "Deployed Devices" option in the left menu.

Deployed Devices

You can now see the Firefly Perimeter that we have deployed.

Actions Available

( 1 ) Please click on the Firefly Perimeter device

( 2 ) Select the arrow to the right of "Actions"

You will see that you can "PowerOff Device(s)", "PowerOn Device(s)", "Reset Device(s)".

Yes, if you have other devices, you could power off/on multiple devices at once. You have the ability to control the device from Junos Space. Please note that this does not take control away from the controls you have through the vSphere client; it just allows you to manage everything from one location.

VM Connection Status

Please select "VM Connection Status" under the "Monitor Devices" Task Group.

Virtual Machines

You will now see that both virtual machines are listed.

Remember that a Firefly Perimeter was deployed already.


Virtual Director vs Security Director

I just wanted to make it clear that once a virtual machine, like Firefly Perimeter, is brought into Virtual Director you have controls over it but the configurations will be done through Security Director. No matter what form the security device is in ( hardware vs. virtual ) security policies will be done through Security Director. This concludes this article. Let us now proceed to the next article which covers Security Director in greater detail.

#JuniperLab


Security Director - Greater Detail

In this part of the lab, we will go into greater detail and provide more hands-on capability for Security Director now that we have deployed a Firefly Perimeter virtual machine from Virtual Director.

Launching Security Director

Click the arrow to the right of "Virtual Director" and select "Security Director".

Firewall Policy

Expand the "Firewall Policy" Task Group.


Creating the Global Policy

Click "Create Policy" Sub Task Group.


Name

Set up the following configurations:

(1) Type : [default]

(2) Name : HoL Policy

(3) Description : Creating firewall policy for VMworld

(4) Check Manage Zone Policy [default] - used to manage zone-based firewall rules

(5) Policy Priority : Medium [default]

(6) Precedence Value : keep default. The value should be less than the number of existing policies of the same priority. The number of existing policies is displayed as part of the Precedence field. For example, if the system has 4 policies with Low priority, 5 policies with Medium priority, and 3 policies with High priority, you can set the precedence as follows:

• low priority policies - 1 through 4
• medium priority policies - 1 through 5
• high priority policies - 1 through 3

(7) Profile : All Logging Enabled

Note that we created a Group policy rather than a Device policy. In this case, since we have only one device, a Device policy may have been more appropriate, but it is nice to see that you can create policies for many devices ... even if we don't have them in this simulation.


Create Policy

( 1 ) Select the "corp_fw1.juniper.net" listing under "Available"

( 2 ) Click the " -> " in the middle to move the selection to the "Selected" side

( 3 ) Click "Create".

Back to Firewall Policy

Just make sure that you are back on the "Firewall Policy" Task Group.


Policies

Under "HoL Policy" select the "corp_fw1.juniper.net".

On the right you will see where the rules are implemented.

Lock to Edit

Click the Lock symbol in the top bar so that the policy can be edited ( we do want to make sure that others are not editing the policy at the same time ).


Create Device Rule

Click "Create Device Rule".

Going Green

Initially the rule will go green and then change to white ( this is normal ).


Rule Name

Click on "Device Zone - 1" in order to get the option to change the name.

Change the Name

Change the rule name to "FW-HoL", and click "OK".

Source Trust Zone

A trust zone is a segment of the network where security measures are applied. It is usually assigned to the internal LAN. An untrust zone is the Internet.


By default, the Source zone is set to trust. The zones that appear in the list are dependent on the type of security policy that you choose to add rules to. When adding a rule for a group policy, all the zones present on all devices are available for selection.

In this case we will keep "trust".

Source IP Address

Click the "Any" option under the Source Address. You will see the ability to Include or Negate IPv4 and/or IPv6 Addresses.

At this time, we will keep the default of "Any".


Destination Untrust Zone

Next is the opportunity to change the "Destination Trust Zone". If you click on "untrust" you once again see the options.

Let us keep the default of "untrust".

Destination Address

We will keep the default of "Any" for the Destination Address.


Service Options

If you click the "Any" option for Service you will see the Available services that we will take actions against. Feel free to move the bar up and down to see all the services that are available.

At this time, we will keep to "Any".


Action

You may need to move the screen to the right to see all the options.

As you can see, with the default of "Deny", IPS is "Not applicable" because we are denying the traffic. Please change the "Action" option to "Permit". To do this, click on the "Action" to see the options and select "Permit".

Understand that as stated in previous modules, the IPS rules are published as part of the Firewall rules.

Permit Action

Now that we have changed the "Action" to "Permit", IPS is now Off. Note that in the Firefly Perimeter x47 release, IPS will be incorporated. Just think about having embedded IPS capabilities in a virtual machine.


Additional Actions

As you can see, there are additional options, including "Tunnel". By clicking on "Tunnel" you will see that there is the ability to implement a VPN tunnel.

AppFw

Next, click on the "AppFw" section.

AppFW - Disabled

Initially when you click on AppFW the capability is disabled.

Please click on "White List" to see the options.

Note that there is also the capability to select "Black List" as well.


This is one of my favorite parts of this configuration, that you can easily specify "White List" or "Black List".


AppFW Enabled

( 1 ) Feel free to scroll the 36 pages or just the one :) of the Pre-defined Apps

( 2 ) Note that there are other options of "Pre-defined Group", "Customer Apps", or "Custom Group"

( 3 ) You can also search if need be.

( 4 ) Click "Cancel".


Validate

Please click "Validate" on the bottom of the screen.

No Validation Errors

You will see a pop up stating there are no Validation errors.

Save

Click "Save" please.


Publish Policy

Select the "Publish Policy" under the "Firewall Policy" Task Group.

Selecting Firewall Policy

Select the firewall policy that we just created.

Select Next

Please unselect "Include IPS Policy" and select "Next" on the bottom of the screen.


Affected Devices

Select the name of our firewall policy under "Affected Devices".

Select Publish

Select "Publish" on the bottom of the page.

Job Id

A "Publish Information" Job ID will appear.

Click "OK".


Jobs Management

Please select "Job Management" under the "Job" Task Group.

Success

View the Job Id that was provided and the successful publishing to the number of devices. YAY!!!
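The FW-HoL rule published above permits trust-to-untrust traffic with "Any" for source, destination and service. As an added example (not part of the lab and not Juniper tooling), the following Python script audits firewall rules written in Junos `set` syntax and flags any-any-any permits and permit rules without session logging. The sample lines are constructed: FW-HoL is an assumed CLI-style rendering of the lab rule, and `web-out` and `corp-lan` are hypothetical names added for contrast.

```python
import re

# Constructed sample in Junos "set" syntax (not captured from the lab device).
# FW-HoL mirrors the rule built above: trust -> untrust, any/any/any, permit.
# Its two log lines are an assumed rendering of "All Logging Enabled".
# web-out and corp-lan are hypothetical, added for contrast.
SAMPLE_CONFIG = """\
set security policies from-zone trust to-zone untrust policy FW-HoL match source-address any
set security policies from-zone trust to-zone untrust policy FW-HoL match destination-address any
set security policies from-zone trust to-zone untrust policy FW-HoL match application any
set security policies from-zone trust to-zone untrust policy FW-HoL then permit
set security policies from-zone trust to-zone untrust policy FW-HoL then log session-init
set security policies from-zone trust to-zone untrust policy FW-HoL then log session-close
set security policies from-zone trust to-zone untrust policy web-out match source-address corp-lan
set security policies from-zone trust to-zone untrust policy web-out match destination-address any
set security policies from-zone trust to-zone untrust policy web-out match application junos-https
set security policies from-zone trust to-zone untrust policy web-out then permit
"""

MATCH_FIELDS = ("source-address", "destination-address", "application")
ACTIONS = ("permit", "deny", "reject")

LINE_RE = re.compile(
    r"^set security policies from-zone (?P<src>\S+) to-zone (?P<dst>\S+) "
    r"policy (?P<name>\S+) (?P<kind>match|then) (?P<rest>.+)$"
)


def parse_policies(text):
    """Group 'set security policies' lines into one record per policy."""
    policies = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # not a zone-to-zone policy line
        key = (m["src"], m["dst"], m["name"])
        pol = policies.setdefault(key, {
            "source-address": set(),
            "destination-address": set(),
            "application": set(),
            "action": None,
            "log": set(),
        })
        words = m["rest"].split()
        if m["kind"] == "match":
            if len(words) == 2 and words[0] in MATCH_FIELDS:
                pol[words[0]].add(words[1])
        elif words[0] in ACTIONS:
            pol["action"] = words[0]
        elif words[0] == "log" and len(words) == 2:
            pol["log"].add(words[1])
    return policies


def audit(policies):
    """Return (policy name, finding) pairs for permit rules worth a review."""
    findings = []
    for (src, dst, name), pol in policies.items():
        if pol["action"] != "permit":
            continue  # deny/reject rules do not widen exposure
        if all("any" in pol[field] for field in MATCH_FIELDS):
            findings.append(
                (name, f"{src}->{dst} permits any source, destination and application")
            )
        if not pol["log"]:
            findings.append((name, "permit rule has no session logging"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_policies(SAMPLE_CONFIG)):
        print(f"{name}: {finding}")
```
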


IPS Policy

As indicated, at the time of developing the lab, Firefly Perimeter does not support IPS and therefore we cannot develop a policy. We could develop policies for other Juniper products like SRX but we are currently not using one in this lab. Firefly Perimeter will support IPS in the x47 version and at that time, you will use Junos Space to create that policy.

NAT Configuration Information

Junos Space Security Director provides you with a workflow where you can create and apply NAT policies on devices in a network.

Security Director views each logical system as any other security device and takes ownership of the security configuration of the logical systems. In Security Director, each logical system is managed as a unique security device.


NAT Policy

Please select "Create NAT Policy" under the "NAT Policy" Task Group.

Device NAT Policy

On the right side, a pop-up window will appear. At this time, we will create a "Device" rule.

( 1 ) Select Device

( 2 ) Name : NAT_VMworld_2014

( 3 ) Description : NAT Policy for VMworld 2014

( 4 ) Click the down arrow next to Device and select "corp_fw1.juniper.net".


Select Create

On the bottom of the screen, click "Create".

Lock to Edit - NAT

You will automatically go to the creating page.

Click the "lock" symbol in order to lock the policy.

Create Source Rule

Click "Create Source Rule".


Renaming Device

Select "Device-1" and change the name to "NAT_2014"

Ingress Zones

You will see that the same Trust Zones appear that we had available in the Firewall portion.


Interface Zones

At this time, we will be choosing the interfaces as the Zones. Please note that the Firefly Perimeter ( like all virtual machines ) can have up to 10 interfaces. This is the eth0 interface.

Please select "ge-0/0/0.0" and click the arrow to bring it to the selected side.

Select "Ok".


Egress Zones

( 1 ) Please click the "Egress Zones" in order to see our options

( 2 ) Click "Interface"

( 3 ) Select "ge-0/0/0.0"

( 4 ) Select the " -> " to move to selected

( 5 ) Click "Ok".


Translated Packet Source

Click the "No Translation" under "Translated Packet Source" in order to get the pop-up.

Please select the down arrow to get our options.

Translated Type

Select "Pool" as our "Translation Type".


New Source Pool

Please click the green " + " circle to the right of "Source Pool" in order to create a new source pool for NAT.

Create Source NAT Pool

Please fill in the following information

Name : Source_NAT_2014

Description : Source NAT policy for VMworld 2014

We have no "Pool Address" so let's create one through this step.

Please click the green " + " circle to the right of "Pool Address".

Note that you can create the pool through the "Object Builder" Task Group.


Create Address Object

Let's create the Address Object Type. Please fill in the following information

Object Type : Address

Name : VMworld_2014

Type: ( Click the down arrow ) Range

NOTE

You may get an "Inactivity Timeout" so please make sure you click "Yes".


Address Object Information

Please fill in the following information

Object Type : Address

Name : VMworld_2014

Description : Addresses for VMworld 2014

Type: Range

Start IP : 192.168.120.200

End IP : 192.168.120.250

Click "Create".


Advanced Properties

Click the arrow next to "Translation".

Select "Port/Range".


Advanced Properties Cont'd

Select the arrow next to "Address Pooling" and select "Paired".

Select the arrow next to "Port" and select "Any".

Click "Create".

Click OK

As you can see our configuration has been added.

Please click "Ok".


Validate

Please click "Validate".

No Validation Errors

You will see the "Information" screen on the right pop up showing that there are no Validation errors.

Click Save

Click "Save".


Object Builder Expansion

Please click the " + " symbol to the left of "Object Builder" Task Group.

Addresses

Please select the "Addresses" Sub Task Group.


Object Builder > Addresses

Note that we previously walked through these steps on the specific actions BUT we can create them beforehand. As you can see our VMworld_2014 Addresses are listed. For planning purposes, you can easily create all your addresses before you start to create your policies.

NAT Pools

Please select "NAT Pools" Sub Task Group.

Object Builder > NAT Pools

Once again, you have the opportunity to create your NAT pools for the tenants before you build your NAT policy. Creating them in individual pieces will assist with management of your pools.


VPN Expansion

Please click the " + " symbol to the left of the "VPN" Task Group.

Create VPN

Please select the "Create VPN" sub Task Group.

Route Based VPN

Please fill in the following information

Name : VPN_VMworld_2014

Description : VPN for the VMworld 2014

Tunnel Mode: Route Based

Notice the type of Route Based VPNs available:


• Site to Site
• Full Mesh
• Hub and Spoke

We will be keeping the default, "Site to Site" at this time.


Route Based VPN Profiles

Please click the down arrow to the right for "VPN Profile"

Notice the types that are available

• AggressiveModeProfile
• MainModeProfile
• RSAProfile

At this time, we will keep the default of "MainModeProfile".


Route Based VPN Profiles Cont'd

The "Preshared Key" is the last option for the VPN configuration. Note that you can either have the key auto-generated or set it up manually.


Policy Based VPN Profiles

Change the "Tunnel Mode" to "Policy Based" in order to see these options.

Notice the "Type" is still "Site to Site" and the "VPN Profile" options are still "AggressiveModeProfile", "MainModeProfile", and "RSAProfile".

Please keep the default, "MainModeProfile".

Policy Based VPN Profiles Cont'd

Once again, we have the option to auto-generate or manually add the "Preshared Key".


Next

Please select "Next" at the bottom of the page.

VPN Wizard

Under the available side, please select "corp_fw1.juniper.net" and click "Add as Endpoint" in order to move it to the selected side.


Next

Please click "Next" on the bottom of the screen.

More Than One

Sorry, but this is just a vPod and is not set up as a real-world scenario. Since we do not have another endpoint, we cannot continue with the configuration.

I wanted to make sure that you saw the steps that we would take to at least configure our side of the VPN connection.

Please click "OK".

Conclusion

At this time, this is the end of the specific configurations that we will be covering within this lab.

Please feel free to review the components of "Security Director" that we have not covered in this article.


When done, please proceed to the next article, where we discuss why Juniper for your physical and virtual infrastructure.

#JuniperLab


Why Juniper for Your Physical and Virtual Infrastructure

Now that you have finalized the introduction of Juniper's Junos Space, by reviewing the Network Management Platform, Virtual Director, and Security Director, we just wanted to reiterate the importance and ease of the product. We believe in virtualization as much as you do, but the infrastructure isn't always all virtualized. Simply put, if you can manage your physical and virtual infrastructure from one interface, why would you not use Juniper in your data center?

With Junos Space, you benefit from :

• Network-wide visibility and control
• Quick scaling of operations and services
• Rapid deployment of switching, routing, and security infrastructure
• Total management of Juniper devices
• Cross-Vendor event and performance management
• Network intelligence for extending core platform capabilities
• Fast problem identification and resolution
• SDK and APIs for customization and integration
• Reduced OpEx
• Hot-pluggable/multi-tenant applications
• Application fabric
• Software image management
• Configuration templates
• Configuration file management

For companies that want to extract value from their network and deliver on solutions that truly work for their business, Junos Space is the platform of choice. You can create and deploy custom management applications using our programmable interface. Junos Space improves network agility by providing an SDK toolkit and APIs at both the platform and application level for a completely customized solution, so you can meet the specific needs of your business or internal procedures.

Junos Space SDK includes the following components :

• Development tools : Junos Space Eclipse plug-in that allows wizard-based creation of different types of Junos Space applications, code generation, REST Explorer, automated build, deployment of applications for test and debug purposes, control of device simulations on device simulator, and other tools.

• REST Web Services Interfaces : Interfaces to the core capabilities of the Junos Space Platform, which are a part of the Junos Space Network Management Platform.

• Device and Environment Simulators : Device and element simulators providing the ability to test applications against virtual Juniper devices.


• Performance, Analytics, Security, and Profiling tools : While the Junos Space SDK does not ship performance, analytics, security, or profiling tools, it is compatible with the most popular tools available today, such as VisualVM, JBoss Tools, etc.

It is also important to know that Juniper has the following products in virtual format :

• WebApp Secure
• SA Series SSL VPN
• Firefly Perimeter
• Firefly Host
• Secure Analytics
• DDoS Secure
• Junos Space
• Security Director
• Virtual Director
• Network Director
• Log Director
• Contrail ( SDN )

Next Module

The next module in this lab covers Juniper DDoS Secure. We hope that you will continue the lab to experience this awesome virtualized security product. If you are on Twitter, don't forget to tweet your thoughts to @banksek or email her at [email protected]. She would love to know them.

#JuniperLab

#PewPew


Module 3 - Juniper DDoS Secure (45 min)


Introduction to Juniper DDoS Secure

DDoS flood attacks are a major problem for online businesses. Juniper DDoS Secure can nullify these problems by continually monitoring and logging all inbound and outbound Web traffic.

DDoS Secure uses its CHARM algorithm to learn which IP addresses can be trusted, and is able to respond intelligently and in real time by dropping suspect or noncompliant packets as soon as the optimum performance from critical resources begins to degrade.

This heuristic and granular approach to DDoS mitigation guarantees availability for legitimate users while blocking bad traffic, even under the most extreme attack conditions. This truly is my favorite part about DDoS. Traditionally, a DDoS outage occurs when resources are unable to handle the volume of connection requests at a particular point in time. This might be through an induced malicious attack using a botnet for some financial, ideological, or political motive, or the result of a legitimate "flash-crowd" effect during peak traffic periods. To the end user, there is no real difference: at best they experience degraded response times; at worst, it is a disruption in the resource's availability resulting in an outage with serious business impact.

Adding more horsepower to the server or increasing bandwidth connectivity can provide some insurance against a volumetric DDoS attack, but they are ultimately ineffective against today's new breed of sophisticated DDoS threats. Simply throttling all traffic or blacklisting particular groups of IP addresses is also not a lasting solution, particularly as these measures can impact legitimate users.

DDoS Secure software is different. Its innovative heuristic technology continually monitors and logs all inbound and outbound network traffic. Using its unique CHARM algorithm, DDoS Secure learns which clients pose a risk through their use of available resources, and then intelligently responds in real time by disrupting an attack as soon as performance of critical resources begins to degrade.

DDoS Secure is available in virtual and hardware appliance versions.

Key Features of DDoS Secure

• Dynamic and self-learning
• Effective against latest application layer, stealth, attack vectors
• Ultra-low latency
• Up to 40Gb/s throughput capacity
• Fully IPv6 compliant
• Plug & Play, simple to install and configure
• Fully automated for the fastest response and the lowest cost of ownership
• Bi-directional traffic analysis and inspection
• Fail-safe and clustering options
• SSL Inspection enables protection of HTTP and HTTPS applications


DDoS Secure Heuristic Mitigation in Action

The grey normal Internet traffic flows through the DDoS Secure device, while the software analyses the type, origin, flow, data rate, sequencing, style and protocol being utilized by all inbound and outbound traffic. The analysis is heuristic in nature and adjusts over time but is applied in real time with minimal latency.

The red DDoS attack traffic shows how the DDoS Secure appliance uses complex data analysis techniques to detect attacks, take defensive measures, and drop the traffic.

Traffic Analysis

This diagram illustrates how all inbound traffic that is identified as normal ( good CHARM score ) passes through the appliance without any change. All inbound traffic that is identified as malicious ( bad CHARM score ) is discarded if the protected resource cannot handle the load. There are no IP addresses to configure on the appliance's Internet traffic interfaces, and the appliance may be installed without changing the network configuration of any existing equipment. However, an IP address is required for the secure control connection to the management PC. The management PC requires a browser that supports HTML frames, JavaScript, and the HTTPS protocol, or, alternatively, an SSH client. The management PC is used to initially configure the appliance and then to report on the traffic statistics. During an attack, the appliance uses its built-in heuristic analysis to identify the most likely attackers within a few microseconds of the beginning of an attack. The longer the appliance analyzes the traffic, the better the heuristic analysis. Attacks are tracked on a per-incident basis for easy reporting and analysis.


Let's continue on to the next chapter, where we investigate the Juniper DDoS Secure User Interface ( UI ).

#JuniperLab


Introduction to Juniper DDoS Secure UI

Juniper DDoS Secure is a fully automatic DDoS protection system used for websites and web-connected e-commerce sites. DDoS Secure protects all TCP/IP protocols. In this article we will cover the user interface ( UI ) of the DDoS Secure appliance. There is so much data to cover regarding this appliance, but since we are in a lab scenario, we will not be able to cover everything. We did want to make sure that you had time to review everything that is at your fingertips with this amazing product.

Launching Internet Explorer

Double Click the "Internet Explorer" icon on the Control Center desktop.

New Tab

Click on the box on the URL bar in order to bring up a new tab.


Launching DDoS Secure

Click the "DDoS Secure Login" shortcut on the tool bar.


Accept Certificate

You will more than likely get the above certificate error. Click "Continue to this website (not recommended)"... yeah yeah I know it is not recommended but please do it anyway :)


Click "Login" Button

Click the "Login" button in the middle of the page please.


Log into DDoS Secure

To log into DDoS Secure, use the following credentials

Username: user

Password: password

Web Interface Layout

Above is a layout for the statistical display part of the user interface. Each individual segment of the page is divided into categories.

Options on the left pane are :

• Configuration/Logs - used to access the configuration and logs window.
• Summary Dashboard - used to display the summary dashboard.
• Menu Buttons - on the left pane of the page.

Options on the center pane are :

• Display Output
• Configuration Input

Options on the right pane are :

• Operational Mode
• Protected Info
• Defense Status - when an item in defense status turns from black to red, then DDoS Secure is actively defending this situation.
• Additional Status

Options on the top center pane :

• Page Specific Action
• View Filters - the view filter button is available from any page within the statistical display section of DDoS Secure. Any value entered into the filter will be set until the filter is cleared, even when accessing another page within the DDoS Secure statistical display section.

Summary Dashboard

Your login takes you directly to the real time dashboard for DDoS secure.

On the top is the "Traffic Monitor" section.

In the middle are the "Load Status" and "Attack Status" graphs. Note that there are no traffic or attacks at this time, but we will be simulating two attacks in future articles.

The bottom row has "Good Traffic", "Bad Traffic", and "Protected Performance". You will more than likely see "Good Traffic" change over time.


The descriptions of the sections:

• Traffic Monitor - Displays the average speed of data processed, both inbound and outbound, for the appliance, as well as the most active portals.
• Load Status - Displays how busy the DDoS Secure appliance engine is.
• Attack Status - Displays how aggressively the DDoS Secure appliance is dropping traffic to defend the appropriate resources.
• Good Traffic - Displays the distribution of where good traffic is coming from.
• Bad Traffic - Displays the distribution of where bad traffic is coming from.
• Protected Performance - Displays how busy a protected IP address is from an aggregated CHARM perspective, and what the average traffic to and from the IP address is.


Traffic Monitor

The traffic monitor pane shows the peak traffic usage ( inbound and outbound ) over the selected period. Note that the default is 24 hours.

Highlighting Traffic

If you select the top "Appliance 192.168.120.11 inbound" you will see it highlighted in the graph. Feel free to do this to the other three options available in the "Traffic Monitor" screen. Note that your "Traffic Monitor" pane may look different than the one shown above.


Changing Time

As previously specified, you can change the time frame for your "Traffic Monitor" pane. In the top right, above the graph, is a tab that allows you to change the time. Click the arrow to the right of "Last 24 Hours" to see the options.


Changing Viewing

Note that you can also change which appliances/portals/IPs are shown on the "Traffic Monitor" page by clicking the arrow to the right of "Viewing: global" on the top right.

Protected Performance

View the bottom right corner and you will see the "Protected_App" and "Unprotected_App" portals. We will be using these portals in our subsequent testing. You can see that "Protected_App" is in defending mode and "Unprotected_App" is in logging mode. This pane reports on how busy a protected IP address is from an aggregated CHARM perspective, and what the average traffic to and from the IP is.

DDoS Secure supports different components in one of two operational modes:

• Defending - if the DDoS Secure appliance detects an undesirable packet, it logs the issue, and the packet is dropped.

• Logging - if the DDoS Secure appliance detects an undesirable packet, it logs the issue, and the packet is passed.

Examples of different components are:

• Overall Protection - logging or defending
• Portal Operation - logging or defending
• Protected IP Address Operation - logging or defending
• White-listed Client IP Address - logging
• Black-listed Client IP Address - defending


If an activity uses components that contain a combination of defending and logging, the resultant operational mode will be logging. Thus, for a black-listed client IP address and an overall operation of defending, a portal operation of logging, and a protected IP address operation of defending, the client IP address is not dropped.
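The combination rule above can be turned into a configuration audit that lists every path on which a black-listed client would still be passed, and which component is responsible. This is an added example, not DDoS Secure code: the data layout, the function names, the address 192.0.2.10, the black-listed client 203.0.113.5 and the defending mode assigned to each protected IP address are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    LOGGING = "logging"      # undesirable packet is logged and passed
    DEFENDING = "defending"  # undesirable packet is logged and dropped


@dataclass(frozen=True)
class Component:
    kind: str   # "overall", "portal", "protected-ip" or "client"
    name: str
    mode: Mode


def resultant_mode(components):
    """Apply the rule from the text: any logging component makes the result logging."""
    components = list(components)
    if not components:
        raise ValueError("at least one component is required")
    if all(c.mode is Mode.DEFENDING for c in components):
        return Mode.DEFENDING
    return Mode.LOGGING


def audit_blacklist(overall, portals, blacklisted_clients):
    """Return (client, protected_ip, culprits) for every path where a
    black-listed client is NOT dropped.

    portals maps portal name -> (portal mode, {protected IP: IP mode}).
    A black-listed client always contributes a defending component.
    """
    findings = []
    for client in blacklisted_clients:
        for portal_name, (portal_mode, protected_ips) in portals.items():
            for ip, ip_mode in protected_ips.items():
                path = [
                    Component("overall", "appliance", overall),
                    Component("portal", portal_name, portal_mode),
                    Component("protected-ip", ip, ip_mode),
                    Component("client", client, Mode.DEFENDING),
                ]
                if resultant_mode(path) is Mode.LOGGING:
                    culprits = [f"{c.kind}:{c.name}" for c in path
                                if c.mode is Mode.LOGGING]
                    findings.append((client, ip, culprits))
    return findings


# Constructed sample configuration. Portal names and their modes follow the lab;
# 192.168.130.77 is the lab's Protected Application. The second address, the
# black-listed client and the per-IP modes are assumed values.
OVERALL = Mode.DEFENDING
PORTALS = {
    "Protected_App": (Mode.DEFENDING, {"192.168.130.77": Mode.DEFENDING}),
    "Unprotected_App": (Mode.LOGGING, {"192.0.2.10": Mode.DEFENDING}),
}
BLACKLIST = ["203.0.113.5"]

if __name__ == "__main__":
    for client, ip, culprits in audit_blacklist(OVERALL, PORTALS, BLACKLIST):
        print(f"{client} -> {ip}: passed, not dropped (logging via {', '.join(culprits)})")
```
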


Left Taskbar

The left taskbar shows the menu buttons. These menu buttons give you more detailed information about the traffic that is passing through DDoS Secure. Feel free to select them individually for review, but note that because we have limited traffic ( at this time only Juniper's Junos Space is on the network ), the information is limited. We will be looking at some of these menus in other articles.

Configuration/Logs

Please click the "Configuration/Logs" tab.


This pop-out screen provides you with administrative tasks as well as additional data for the configuration.

Second Tab

Please click the tab listed "Admin 192.168.120.11" that has popped up because you selected "Configuration/Logs".

Log File

The log file is the first screen that pops up, showing everything that is occurring on the virtual appliance. Information like logins ( GUI ) and Info messages is shown.


Configure Portals

Please click the "Configure Portals" option in the left pane menu.

Portals - Defending / Logging

As you will see from this screen, this is where I set up the configuration for the two portals to be put into defending and logging mode. The "Protected_App" will be defended and the "Unprotected_App" will be in logging mode.


Configure Interfaces

Please select "Configure Interfaces" from the left menu pane.

Network Modes

As you will see in the screen on the left, under the "Internet/Protected Global Definitions", there are multiple ways to configure the DDoS Secure appliance. In our case we have it set up as an L3 ( Router ) because this scenario works best for the vPod. Note that the configurations for L2 ( Bridge ) and L2/L3 ( Split Network ) can also be configured.

As an FYI, DDoS Secure uses "Internet" and "Protected" to differentiate the side of the attackers ( Internet ) and the side of the applications ( Protected ).

Shutdown

Although we do NOT want you shutting down the DDoS Secure appliance, please note that this is where you would do it.

Note that this option is available in the bottom of the left menu pane.


This concludes a quick look at the DDoS Secure User Interface. Please proceed to the configuration of the testing environment article.

#JuniperLab


Configuration of Testing Environment

In this lab, we will be simulating a low and slow DDoS attack.

Low and slow attacks use, as you can imagine, "slow" traffic, which makes the traffic appear more normal to an organization. They often go undetected because they do not violate any specific protocol and do not match any specific signature. End users will see slow reaction to their calls to the systems, creating an incredible performance impact.

vSphere Tab

Proceed back to the first tab in the Internet Explorer browser.

vSphere Web Client login

Log into the VMware vSphere Web Client with the following credentials

User name : root

Password : VMware1!

Click "Login"


Home

Click the "Home" button in the top blue bar.

VMs and Templates

Click the "VMs and Templates" icon in the Inventories pane.


Expand Datacenter

Click the arrow to the right of "Datacenter Site A".

VMs We Will Be Using

In our scenario we will be using the VMs highlighted.

Protected and Unprotected Applications

In our simulation we will have a "Protected Application" ( 2 Protected Application ) and an "Unprotected Application" ( 2 Unprotected Application ). These applications are on the Protected side of the DDoS Secure.


Remember that in the DDoS Secure Dashboard the "Protected_App" was identified as Defending and the "Unprotected_App" was identified as Logging. As you can imagine, the Protected Application will be protected by the Juniper DDoS Secure virtual edition appliance and the Unprotected Application will not.

Note that these two virtual machines are exactly the same. They are simulated webservers with databases.


Attacker

"Attacker 42" will simulate a low and slow attack.

Please note that this is a Linux box with customized scripts for its various attacks. This virtual machine is on the Internet side of the DDoS Secure.

Attacker 42 has two interfaces specifically for the simulation.


Windows Box

The "base-w7-01a" box will be used to show the impact of the attack.


DDoS Secure Virtual Edition

Lastly, our "DDoS Secure virtual edition" virtual application will sit inline between the attackers and portals, collecting the data and doing its thing.

Let us see it in action. Please proceed to the next article, where we will simulate a low and slow attack and show how Juniper DDoS Secure protects the protected site.

#JuniperLab


Low and Slow Attack

As mentioned previously, a low and slow DDoS attack often goes unnoticed by conventional tools. In this low and slow DDoS attack simulation, we will show you how Juniper's DDoS Secure can easily "catch" the data and protect the "Protected Application". Application-layer attacks, often referred to as "low and slow" ( to describe the attacker's goal of staying under threshold detection systems ), have exposed weaknesses in netflow and threshold based detection techniques. RUDY ( R-U-Dead-Yet ) and Slow Loris are two types of application-layer attacks that target the HTTP protocol. The attacker seeks to launch a multitude of requests that are difficult to serve back to the requester, depleting application resources and quickly bringing the website down.
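The gap between threshold-based detection and low and slow traffic can be seen by running two detectors over the same connection records. This is an added example, not part of the lab and not the CHARM algorithm: the record fields, the thresholds and every address in the sample are constructed assumptions, and the second detector is a generic per-client heuristic for long-lived, incomplete, trickling requests.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Conn:
    client: str                    # source IP address
    opened: float                  # seconds since start of capture
    request_done: Optional[float]  # when the full request had arrived; None = incomplete
    bytes_in: int                  # request bytes received so far


def volumetric_alerts(conns, now, window=120.0, max_bps=10_000.0):
    """Threshold detector: flag clients whose inbound byte rate over the
    window exceeds max_bps. This is the style of check low and slow evades."""
    totals = defaultdict(int)
    for c in conns:
        if now - window <= c.opened <= now:
            totals[c.client] += c.bytes_in
    return sorted(ip for ip, total in totals.items() if total / window > max_bps)


def slow_request_alerts(conns, now, min_age=30.0, min_rate=50.0, stalled_limit=4):
    """Flag clients holding at least stalled_limit connections that are still
    incomplete, older than min_age seconds and receiving below min_rate bytes/s.
    Requiring several stalled connections keeps one slow legitimate user unflagged."""
    stalled = Counter()
    for c in conns:
        if c.request_done is not None:
            continue                      # request completed, not stalled
        age = now - c.opened
        if age <= 0 or age < min_age:
            continue                      # too young to judge
        if c.bytes_in / age < min_rate:
            stalled[c.client] += 1
    return {ip: n for ip, n in stalled.items() if n >= stalled_limit}


# Constructed sample, observed at t = 120 s.
NOW = 120.0
SAMPLE = (
    # Busy but normal client: 20 short requests that each complete in 0.2 s.
    [Conn("198.51.100.7", float(t), t + 0.2, 800) for t in range(0, 100, 5)]
    # Six connections opened early, never completed, a few hundred bytes each.
    + [Conn("203.0.113.9", float(t), None, 300) for t in range(6)]
    # One legitimate user on a poor link with a single slow request.
    + [Conn("198.51.100.23", 60.0, None, 400)]
    # One large, completed upload: high volume, not an attack.
    + [Conn("192.0.2.44", 10.0, 55.0, 5_000_000)]
)

if __name__ == "__main__":
    print("volumetric:", volumetric_alerts(SAMPLE, NOW))
    print("slow-request:", slow_request_alerts(SAMPLE, NOW))
```

On this sample the byte-rate threshold flags only the large upload, while the client holding six stalled requests sends about 15 bytes per second in total and is caught only by the per-connection check.
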

vSphere Web Client

Make sure you are still in the "vSphere Web Client" tab within Internet Explorer.

Launch Windows Console

Select "Open Console" for the "base-w7-01a" virtual machine.

Note that it will pop up in the next tab.

Logging into Windows VM

Use the following password for the vmware account on the Windows VM:

password : VMware1!

Click the " -> " button to the right of the password.

Launch Firefox

Double click the "Mozilla Firefox" icon on the desktop.


Launch Protected App

Please select the "Protected App" shortcut in the menu bar.

Protected App

Notice the image in the Protected App is the Juniper Networks image.

Firebug

You will see that we have added the additional tool Firebug into Firefox. This tool is used to show how long it takes for the website to make its calls once under attack.

Notice the time while the site is running cleanly. In this case, it is 421 ms ( note that your time may be different ).


New Tab

Please click the " + " symbol in order to bring up a second tab.

Launch Unprotected App

Please click the "Unprotected App" shortcut on the menu of Firefox.


Unprotected App

Notice that the image in the Unprotected App site is tomato cart ( we wanted to differentiate between them in case you got confused... I did at times : ) )

Firebug is also available on the bottom of the screen. Feel free to look at the time to load the unprotected site.

Back to vSphere Web Client

Please proceed back to the "vSphere Web Client" tab in Internet Explorer.


Launch Attacker 42

Please "Open Console" of "Attacker 42" by right clicking on the "Attacker 42" virtual machine.

Log into Attacker 42

Please log into the Attacker 42 with the following credentials

Attacker login : root

Password : Juniper1!

Ping Protected App

At the prompt, type

ping 192.168.130.77


This is the IP address of the Protected Application.

Exit Console

Press <Ctrl + Alt> to escape the window; please keep the ping going.

Proceed to DDoS Secure

Please click on the DDoS Secure tab in Internet Explorer.


Select ICMP Info

Please select "ICMP Info" on the left column.

ICMP Info

As you can see, the Attacker 42 VM is pinging the Protected Application and the Juniper DDoS Secure appliance can see it.

Back to Attacker 42

Please proceed back to the "Attacker 42" tab in Internet Explorer.


Stop Ping

Stop the ping by entering < Ctrl + C > in the console.

Start Attack

At the command prompt, type

sh slow_query_attack.sh

Leave Attacker 42

As the message shows, please hit <Ctrl + Alt> to release the cursor.

DDoS Secure Dashboard

Please proceed to the DDoS Secure tab in Internet Explorer.

Traffic Numbers

You will see the numbers increase on the right-hand side of the dashboard. Remember, this is a low and slow attack: it will take some time for the attack to show and for the site to be protected, and it will take time for the sites to recover. It is a cool simulation, so give it time please.

Proceed to URL Info

Please proceed to the "URL Info" option in the left pane.

URL Info

You can see the top two lines show the Unprotected App and the Protected App.

This is a low and slow attack, but you will see the numbers increasing. At this time, you will see the pending numbers are approximately the same. Did you want me to remind you that it is a low and, wait for it... slow... attack?

Pending Numbers

After some time, you will see the pending numbers start to show a huge difference!!!

Right now the unprotected app has 236 requests pending and the protected app has 53 requests pending. Note that your numbers will be different.

Clearly Juniper DDoS Secure is protecting the protected app!!! But wait, we are not done...

Proceed to Windows VM

Please proceed to the "base-w7-01a" tab in Internet Explorer.


Reload Protected App

In Firefox

( 1 ) Reload the Protected App website by selecting the circle arrow.

( 2 ) You will notice that it launches in a specific amount of time. In this case, it is 46 ms.

Unprotected App

Please click the first tab to go to the Unprotected App.

Reload Unprotected App

( 1 ) Reload the Unprotected Application site by clicking the circle arrow.

( 2 ) Notice the time it takes to load the site. In this case, 14.59 s.

Note that the longer you wait for the attack to progress, the longer the response time will be. For instance, we have seen this take 200 s or even time out.

There is a big difference between 46 ms and 14.59 s.

Juniper DDoS Secure protected our Protected App from the low and slow DDoS Attack.

Cool huh? I told you!!!

Final Thoughts

So what we just saw is a low and slow attack from our "Attacker 42" virtual machine against two web servers. We saw that Juniper DDoS Secure automatically saw the attack and protected the "Protected App" from the attack so that no impact was made to the end users. No configuration was needed on your part for this use case; DDoS Secure did it automatically!!

Please proceed to the final article in this module, "Why Juniper DDoS Secure".

#JuniperLab


Why Juniper DDoS Secure

I thought it was important to follow up regarding the Juniper DDoS Secure product. When I think about the capabilities inherent to the product, such as CHARM, it is hard to ignore why you should be using DDoS Secure. The first distributed denial of service (DDoS) attack occurred in 2000 and was used to take out Amazon, eBay, and a host of other e-commerce sites. The weapon used was a volumetric flood attack, and the attackers used a rudimentary botnet of multiple computers to flood the network with high-volume traffic that brought the e-commerce sites down, causing an estimated $1.7 billion in collective damages.

Since then, DDoS attacks have evolved from being a blunt weapon, using high-volume attacks to bring down Web servers, to highly sophisticated application-level attacks designed to zero in on strategic business resources. 2012 saw a series of attacks against the banking industry, some politically motivated and high profile, while others involved financial theft and fraud. The e-commerce sector was subject to attack as well, following the real-world trends of major shopping holidays.

2012 saw a sharp increase in Layer 7 DDoS attacks. What makes L7 attacks so stealthy is the fact that they masquerade as legitimate traffic to carry out the attack. A Layer 7, or application-layer, attack exploits inherent flaws and vulnerabilities in application software rather than using brute force to achieve desired results. The majority of application-layer attacks target well-known applications such as HTTP, HTTPS, domain name system (DNS), and VoIP (Session Initiation Protocol or SIP). Much like volumetric attacks, L7 attacks require very little investment by attackers. It is more than possible to bring down major websites with a laptop and as few as 40 to 60 of the same request per second (aka PPS, or packets per second). To give this some context, volumetric attacks will range from the low hundreds of thousands of PPS to millions of PPS. Their appearance of legitimacy (adhering to protocol rules, with normal and complete TCP connections) is what makes L7 attacks benign in appearance and exceedingly difficult to detect and mitigate.

What is at stake is costly service outages that can result in lost business and defection of end customers, along with sometimes irreparable damage to brand and reputation. In the financial services industry, more likely than not it also involves theft of sensitive data and financial fraud. In the education and healthcare sectors, a primary concern is access to student information, electronic medical records, and theft of sensitive data that could result in huge lawsuits and terrible outcomes for individuals who have their information stolen. A loss of availability for airline ticketing sites or e-commerce sites, large or small, could result in a loss of revenue and credibility. Inevitably, a DDoS attack is accompanied by financial losses that can be hard to recover from.

Juniper DDoS Secure's innovative design uses a "closed loop" process to look at the full cycle of the packet coming in, the resource it is destined for, the resource's ability to return the request in a timely manner, and finally the request being served back to the requester. DDoS Secure is self-learning and requires no tuning or thresholds to be set. It monitors how the application responds and learns from each encounter. This innovative heuristics-based approach enables the technology to determine both what normal traffic looks like and what normal responses from an application look like. As new attacks occur, DDoS Secure updates the algorithm to include the characteristics of the new attack, creating a highly intelligent DDoS defense system that incorporates dynamic updates and removes confusion from attacks that may be occurring as the system learns the limitations of the application environment. In the case of a DNS amplification attack, DDoS Secure applies intelligence about the behavior of the DNS resource to shut down the attack before it can overwhelm and bring down the DNS server. DDoS Secure's intelligence filters out repetitive requests to a DNS system for the same information, thereby averting a DNS amplification attack and protecting the unsuspecting target from rogue requests impacting its availability.
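A much-simplified sketch of the closed-loop idea described above, added here as an illustration; it is not Juniper's CHARM algorithm or any DDoS Secure code. The record format, the thresholds (`degrade_factor`, `share_limit`) and the sample data are assumptions constructed for the example.

```python
from collections import Counter
from statistics import median

# Constructed sample records: (client, url, start_s, end_s); end_s None = still pending.
# 10.0.0.42 stands in for a slow-request client; the others are normal users.
RECORDS = (
    [("10.0.0.%d" % (i % 5 + 1), "/cart", t, t + 0.05) for i, t in enumerate(range(0, 20))]
    + [("10.0.0.42", "/search?q=a", 20 + i * 0.5, None) for i in range(30)]
    + [("10.0.0.1", "/cart", 30, 34.0), ("10.0.0.2", "/cart", 31, 36.5),
       ("10.0.0.3", "/cart", 33, None)]
)

def closed_loop_check(records, now, learn_until, degrade_factor=10, share_limit=0.5):
    """Return (degraded, suspects) judged from response behaviour, not request volume."""
    done = [(c, u, s, e) for c, u, s, e in records if e is not None and e <= now]
    # 1. Learn what a normal response time looks like during the clean period.
    baseline = median(e - s for _, _, s, e in done if e <= learn_until)
    # 2. Observe how the resource answers now; a pending request counts as its age so far.
    recent = [e - s for _, _, s, e in done if e > learn_until]
    pending = [(c, u, s) for c, u, s, e in records if s <= now and (e is None or e > now)]
    recent += [now - s for _, _, s in pending]
    degraded = bool(recent) and median(recent) > degrade_factor * baseline
    if not degraded:
        return False, []
    # 3. Only when the resource is struggling, find who holds most of its pending work.
    per_client = Counter(c for c, _, _ in pending)
    total = sum(per_client.values())
    suspects = sorted(c for c, n in per_client.items() if n / total > share_limit)
    return True, suspects

if __name__ == "__main__":
    print(closed_loop_check(RECORDS, now=15, learn_until=10))  # clean period
    print(closed_loop_check(RECORDS, now=40, learn_until=20))  # during the slow attack
```

The request rate of the flagged client is only two per second, far below any volumetric threshold; it is the growth in pending work and response time that exposes it.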

In other words... the question becomes Why NOT Juniper DDoS Secure!!!

End of Lab

We wanted to thank you personally for taking the Juniper lab at the VMworld 2014 Hands-on Lab.

If you have a Twitter account, please tweet to @banksek or email her [email protected] and let her know your thoughts.

Have a great day!!

#JuniperLab

#PewPew

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-PRT-1472

Version: 20150227-070315
