Deploying Enterprise Scale User Firewall and Device Identity
Transcript of the Juniper Networks presentation "Deploying Enterprise Scale User Firewall and Device Identity"
Harry Cornwell
Technical Marketing Engineer, Security
This statement of direction sets forth Juniper Networks’ current intention and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted in this presentation.
This presentation contains proprietary roadmap information and should not be discussed or shared without a signed non-disclosure agreement (NDA).
Agenda
• Security Services Overview
• The Evolution of Security Policy
• Defining Context Aware Firewall
• Existing UserFW
• Juniper Identity Management Service (JIMS)
• Demo
• Summary
• Q&A
Security Services Overview
SRX Layered L7 Security: Defense in Depth
Threats come from both sides: internal threats and external threats from the Internet.
• AppSecure: application-level visibility and classification; application security policies tied to user roles
• Core Security with User Role FW: firewall, VPN, NAT; UserID tied to FW policies, which allows UserID to apply to all L7 security
• IPS/IDP: detects and stops worms, trojans, exploits, shellcode and scans
• SSL Proxy: inspects encrypted traffic
• Antivirus (known and unknown): stops known and unknown viruses, file-based trojans, and the spread of spyware, adware and keyloggers
• Enhanced Web Filtering: blocks access to unapproved sites; real-time threat score for each URL
Juniper Security Services Overview: SRX Foundation Services
• Next Generation Firewall Services: Firewall, NAT, VPN, Routing; Application Control & Visibility; User-based Firewall
• Unified Threat Management (known threats): Anti-virus, Intrusion Prevention, Web/Content Filtering, Anti-spam
• Threat Intelligence Platform: Botnets/C&C, GEO-IP, Custom Feeds, APT
• Cloud Based Advanced Anti-Malware (Zero Day): Sandboxing, Evasive Malware, Rich Reporting, Analytics
• Across all of the above: Management, SSL Proxy, Analytics, Automation
The Evolution of Security Policy
Security Policy Evolution
The chart plots policy granularity against time: policy match criteria have moved from IP addresses and zones to usernames, and then to device IDs and device attributes.
It is no longer only about users.
Context Aware Firewall
What is a Context Aware Firewall?
• Richer Firewall Security Policy
• Leverage User and/or Device context (on top of IP addresses/zones)
• Flexible attributes for each endpoint
• Predefined attributes (ID, OS, category, vendor, ...)
• Custom attributes (anything)
• Apply security services in a granular way
• Visibility
• Enforcement
Multi-dimension Security Policy
• User
• Device: ID, OS, type, family, vendor
• Posture: VM, managed, unpatched
Existing User FW
Options previously available on SRX
Integrated User FW
• DC polling
• Passive authentication
• Best effort
• Client probing
• Captive portal
• No agent
Pulse Policy Secure
• Pull user info from Pulse
• Deterministic
• Captive portal
• Endpoint assessment
• Agent / Agentless
• Security Threat Correlation
ClearPass
• CPPM push to SRX
• SRX pull from CPPM
• Deterministic
• Security Threat Correlation
The dilemma: Simplicity versus Security!
Device/User Firewall
• NGFW capabilities
• Passive authentication (best effort)
• Firewall enforced
• No agents (not even an 802.1x supplicant)
• Provides visibility & enforcement
• Captive Portal fallback
• Layer 3 to 7
Network Access Control
• End-to-end security
• Deterministic (active authentication)
• Enforced at access & firewall
• SRX + NAC (Aruba CPPM, Pulse, ...)
• Security conscious environments
• Layer 2 to 7
Integrated User FW
• SRX polls AD using WMI
• SRX probes the client directly (WMI)
• LDAP lookups for group membership
• Fallback to Captive Portal (HTTPS/HTTP)
• Scalability, up to:
  • 2 domains
  • 10 DCs
  • 100K users
Diagram: the SRX sends WMI requests and LDAP requests to the Windows ADs and WMI probes to the clients; clients reach resources through the SRX.
Pulse Policy Secure Integration
• Agent or agentless
• Clients authenticate with:
  • L2 – 802.1x (EAP)
  • L3 – HTTPS (Agent)
• UAC pushes username/IP/roles to the SRX
• SRX enforces user policies
• If a user is unknown, SRX can redirect the user to a captive portal hosted by UAC
Diagram: clients with the Pulse Agent authenticate to Pulse Policy Secure (UAC) through AAA (802.1X over RADIUS); UAC and the SRX exchange push/pull updates; the SRX redirects unknown users to the UAC captive portal; resources sit behind the SRX.
ClearPass Policy Manager Integration
• 802.1x based (wired/wireless)
• Bi-directional communication
  • CPPM pushes to SRX
  • SRX pulls from CPPM
• Coordinated Threat Control
  • SRX sends threat events to CPPM
  • CPPM sends CoA to take action on the user
Diagram: clients authenticate over 802.1X to CPPM, which talks RADIUS to the authentication servers; CPPM and the SRX exchange push/pull updates; the SRX sends threat events to CPPM; resources sit behind the SRX.
Juniper Identity Management Service (JIMS)
Why JIMS?
• Solving the N:M full-matrix issue for User FW: with the integrated User FW every SRX polls every domain controller itself, so N firewalls and M DCs mean N×M polling connections and N copies of the same event processing; JIMS collects the data once and serves every SRX
Juniper Identity Management Service
• A Windows based agent for collecting user and device data
• Available for free
• Highly scalable (up to 100 DCs and 25 domains)
• A single agent can query multiple domains
• High performance
• Backward compatible with legacy SRX hardware (12.3 code base)
• Enhanced interface for new hardware (15.1 code base)
• Constantly tracks Active Directory for user and group changes
• Global filters
Juniper Identity Management Service
• Easy to install, easy to configure. Wait for the demo!
Data Collection mechanisms
• Windows Event API to collect events (versus WMI)
  • Low resource usage
  • Low network bandwidth usage
• ADSI API to collect users' attributes and groups
  • Faster than LDAP
• WMI to probe endpoints
  • Up to 10 credential sets
  • Triggered at the end of the session timeout (configurable)
  • Triggered if there is no information about a specific IP address
Note that remote WMI probing needs an account with administrative rights on each probed endpoint, so the credential sets stored in JIMS are high-value and the JIMS host should be protected accordingly.
Legacy SRX Backward Compatibility (12.3X48)
• Leverage existing SRX capabilities to support legacy hardware
  • JIMS -> SRX (Web API)
  • SRX -> JIMS (Aruba Query)
• Support on 12.3X48-D45+
• SRX1x0, SRX2xx, SRX550, SRX650, SRX1400, SRX3K, SRX5K (RE1)
Data flows in the diagram (SRX shown at 12.3X48-D30+ / 15.1X49-D40+):
• JIMS -> domain controllers (Domain A, Domain B) and Exchange Server 2010: WinEvent (RPC) on tcp/135 plus a dynamic RPC port, which needs a firewall pinhole; ADSI on tcp/389 or tcp/636
• JIMS -> Windows endpoints: WMI (RPC) on tcp/135 plus a pinhole
• JIMS -> SRX: Push (Web API) on TCP/8443
• SRX -> JIMS: Query (Aruba) on TCP/443
Advanced Query Mode
• Pull mode only (batch)
• IP Query
• High Availability support
• Advanced filters
• Device info support
• Support on 15.1X49-D100+
• vSRX, SRX300 Series, SRX1500, SRX4K, SRX5K (RE2)
Data flows in the diagram:
• JIMS primary and JIMS secondary each collect from the domain controllers (Domain A, Domain B) and Exchange Server 2010: WinEvent (RPC) on tcp/135 plus a pinhole; ADSI on tcp/389 or tcp/636
• JIMS -> Windows endpoints: WMI (RPC) on tcp/135 plus a pinhole
• SRX -> JIMS primary (falling back to the secondary): Enhanced Query (v2) on TCP/443
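The configuration below is an added example, not from the presentation or from Juniper's documentation. It shows how the Advanced Query Mode described above and the user and device attributes from the Context Aware Firewall section come together on an SRX running 15.1X49-D100 or later. The addresses, the `srx1500-lab` client ID, the `jims-scope` and `nat-and-vpn` address sets, the `corp-windows` profile, the `ldap-users` access profile (assumed to exist) and the secret are placeholders; the statement names are as I recall them from the Junos `services user-identification identity-management` and `security policies` hierarchies and should be checked against the release's documentation before use.

```junos
## JIMS connection: the SRX pulls from the primary and fails over to the secondary (HTTPS, TCP/443)
set services user-identification identity-management connection primary address 10.10.0.5
set services user-identification identity-management connection primary client-id srx1500-lab
set services user-identification identity-management connection primary client-secret "replace-me"
set services user-identification identity-management connection secondary address 10.10.0.6
set services user-identification identity-management connection secondary client-id srx1500-lab
set services user-identification identity-management connection secondary client-secret "replace-me"
set services user-identification identity-management connection connect-method https
set services user-identification identity-management connection port 443

## Batch query (pull mode), IP query for addresses with no entry yet, and entry lifetime
set services user-identification identity-management batch-query items-per-batch 200
set services user-identification identity-management batch-query query-interval 5
set services user-identification identity-management ip-query query-delay-time 15
set services user-identification identity-management authentication-entry-timeout 60

## SRX-configured filters (on top of the JIMS global filters): the domains of interest, and an
## IP scope that leaves out segments where one address does not mean one user
set security address-book global address lan-10-10 10.10.0.0/16
set security address-book global address vpn-pool 10.10.250.0/24
set security address-book global address-set jims-scope address lan-10-10
set security address-book global address-set nat-and-vpn address vpn-pool
set services user-identification identity-management filter domain juniper16.lab
set services user-identification identity-management filter domain juniper12.lab
set services user-identification identity-management filter include-ip address-book global address-set jims-scope
set services user-identification identity-management filter exclude-ip address-book global address-set nat-and-vpn

## Device context: an end-user profile matched on attributes JIMS reports for the endpoint
set services user-identification device-information end-user-profile profile-name corp-windows domain-name juniper16.lab
set services user-identification device-information end-user-profile profile-name corp-windows attribute device-os string Windows
set services user-identification device-information end-user-profile profile-name corp-windows attribute device-category string Laptop

## Policies: match on group and device profile rather than addresses; unknown users get the captive portal
set security policies from-zone trust to-zone untrust policy finance-web match source-address any
set security policies from-zone trust to-zone untrust policy finance-web match destination-address any
set security policies from-zone trust to-zone untrust policy finance-web match application junos-https
set security policies from-zone trust to-zone untrust policy finance-web match source-identity "juniper16.lab\finance"
set security policies from-zone trust to-zone untrust policy finance-web match source-end-user-profile corp-windows
set security policies from-zone trust to-zone untrust policy finance-web then permit

set security policies from-zone trust to-zone untrust policy portal match source-address any
set security policies from-zone trust to-zone untrust policy portal match destination-address any
set security policies from-zone trust to-zone untrust policy portal match application junos-http
set security policies from-zone trust to-zone untrust policy portal match source-identity unauthenticated-user
set security policies from-zone trust to-zone untrust policy portal then permit firewall-authentication user-firewall access-profile ldap-users
set security policies from-zone trust to-zone untrust policy portal then permit firewall-authentication user-firewall web-redirect-to-https

set security policies from-zone trust to-zone untrust policy deny-rest match source-address any
set security policies from-zone trust to-zone untrust policy deny-rest match destination-address any
set security policies from-zone trust to-zone untrust policy deny-rest match application any
set security policies from-zone trust to-zone untrust policy deny-rest then deny
```

Check the link with `show services user-identification identity-management status` and the learned entries with `show services user-identification authentication-table authentication-source all`. The `exclude-ip` set is a security control, not just noise reduction: the logon-event mapping is best effort, so on a VPN pool, behind a NAT boundary or on a terminal server one address does not identify one user, and a stale or shared entry there would hand every host behind that address the first user's policy; the captive portal is the safer path for such segments. Note also that the `portal` policy only catches `junos-http`, so an unknown user's first HTTPS flow falls through to `deny-rest` unless SSL proxy is in the path.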
Session Report Generation
Sequence between Active Directory / Domain Controller, JIMS, the device and the report to the SRX:
• Precipitating event: logon event notification, user not in cache. JIMS queries AD for the group and AD responds with the group. Report: session created
• Precipitating event: logon event notification, user in cache. No lookup needed. Report: session created
• Precipitating event: session logon timeout. JIMS probes the PC and the PC responds. Report: session updated
• Precipitating event: user profile changes. AD sends a change notification. Report: session updated
• Precipitating event: session logon timeout. JIMS probes the PC and gets no response. Report: session deleted
JIMS – Redundancy & Filtering
• Two JIMS instances (JIMS 0 and JIMS 1) collect from the same Microsoft DCs
• SRX on 15.1X49-D100+: HA across both JIMS instances, SRX-configured IP filter, SRX-configured domain filter
• SRX on 12.3X48-D45+: global IP filter, global group filter
• The global filters apply to both the Push and the Batch Query interface
Captive Portal Local Authentication Sharing
Topology: JIMS primary and JIMS secondary, SRX #1 and SRX #2.
1 User falls back to the Captive Portal on SRX #1
2 User authenticates successfully
3 SRX #1 pushes IP, user and domain to JIMS
4 JIMS does the user/group lookup and caches the entry
5 SRX #2 gets the report, so the portal login is shared across firewalls
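The three preceding slides (session report generation, filtering, and captive-portal sharing) describe one state machine. The following is an added example, not Juniper's code or a description of JIMS internals: a toy model of the session cache and the created/updated/deleted reports an SRX would receive. The `directory` and `probe` callbacks stand in for the ADSI group lookup and the WMI endpoint probe, the `juniper16.lab`/`juniper12.lab` users, hosts and groups are constructed, and a captive-portal login is fed through the same path as a DC logon event.

```python
# Added example, not Juniper's code: a toy model of the JIMS session cache and the
# created/updated/deleted reports an SRX would receive. All sample data is constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

@dataclass
class Session:
    ip: str
    domain: str
    user: str
    groups: List[str]
    last_seen: float

class IdentityCache:
    # directory(domain, user) -> groups stands in for the ADSI lookup;
    # probe(ip) -> (domain, user) or None stands in for the WMI endpoint probe.
    def __init__(self, directory, probe, include_ip, include_groups, logon_timeout):
        self.directory, self.probe, self.logon_timeout = directory, probe, logon_timeout
        self.include_ip = [ip_network(n) for n in include_ip]   # global IP filter
        self.include_groups = set(include_groups)                # global group filter
        self.sessions: Dict[str, Session] = {}                   # keyed by IP, like the SRX auth table
        self.group_cache: Dict[Tuple[str, str], List[str]] = {}  # "user in cache": no AD round trip
        self.reports: List[dict] = []                            # what push / batch query would deliver

    def _report(self, action: str, s: Session) -> None:
        self.reports.append({"action": action, "ip": s.ip,
                             "user": f"{s.domain}\\{s.user}", "groups": sorted(s.groups)})

    def _groups(self, domain: str, user: str) -> List[str]:
        if (domain, user) not in self.group_cache:               # user not in cache: query AD
            self.group_cache[(domain, user)] = self.directory(domain, user)
        return self.group_cache[(domain, user)]

    def _in_scope(self, ip: str, groups: List[str]) -> bool:
        # Filtered-out entries never produce a report, so they never reach the SRX.
        ip_ok = any(ip_address(ip) in net for net in self.include_ip)
        return ip_ok and (not self.include_groups or bool(self.include_groups & set(groups)))

    def _learn(self, ip: str, domain: str, user: str, now: float) -> None:
        groups = self._groups(domain, user)
        if not self._in_scope(ip, groups):
            return
        fresh = Session(ip, domain, user, groups, now)
        self._report("updated" if ip in self.sessions else "created", fresh)
        self.sessions[ip] = fresh

    def on_logon_event(self, ip, domain, user, now):   # DC logon event, or a captive-portal
        self._learn(ip, domain, user, now)             # login pushed by an SRX (same path)

    def on_ip_query(self, ip, now):                    # SRX asks about an IP with no entry
        hit = None if ip in self.sessions else self.probe(ip)
        if hit:
            self._learn(ip, hit[0], hit[1], now)

    def on_profile_change(self, domain, user):         # AD change notification for a user
        self.group_cache[(domain, user)] = self.directory(domain, user)
        for s in list(self.sessions.values()):
            if (s.domain, s.user) == (domain, user):
                s.groups = self.group_cache[(domain, user)]
                if self._in_scope(s.ip, s.groups):
                    self._report("updated", s)
                else:
                    del self.sessions[s.ip]
                    self._report("deleted", s)

    def on_tick(self, now):                            # session logon timeout: probe the PC
        for s in list(self.sessions.values()):
            if now - s.last_seen < self.logon_timeout:
                continue
            hit = self.probe(s.ip)
            if hit == (s.domain, s.user):              # answered: refresh
                s.last_seen = now
                self._report("updated", s)
            elif hit:                                  # someone else is logged on now
                self._learn(s.ip, hit[0], hit[1], now)
            else:                                      # silence: drop the mapping
                del self.sessions[s.ip]
                self._report("deleted", s)

def demo() -> List[dict]:
    # Constructed lab data in the spirit of the demo domains; not captured from real DCs.
    ad = {("juniper16.lab", "alice"): ["finance", "domain users"],
          ("juniper12.lab", "bob"): ["contractors"], ("juniper16.lab", "svc-backup"): ["service accounts"]}
    hosts = {"10.10.1.20": ("juniper16.lab", "alice"), "10.10.1.21": ("juniper12.lab", "bob"),
             "10.10.1.22": ("juniper16.lab", "alice")}
    cache = IdentityCache(lambda d, u: list(ad.get((d, u), [])), hosts.get,
                          ["10.10.0.0/16"], ["finance", "contractors"], logon_timeout=60)
    cache.on_logon_event("10.10.1.20", "juniper16.lab", "alice", 0)       # created
    cache.on_logon_event("192.168.9.9", "juniper16.lab", "alice", 0)      # outside IP filter: no report
    cache.on_logon_event("10.10.1.30", "juniper16.lab", "svc-backup", 0)  # not in a filtered group: no report
    cache.on_ip_query("10.10.1.21", 5)                                    # unknown IP, probe answers: created
    cache.on_logon_event("10.10.1.22", "juniper16.lab", "alice", 10)      # portal login on SRX #1: created
    del hosts["10.10.1.20"]                                               # alice's first PC goes silent
    cache.on_tick(100)                                                    # .20 deleted; .21 and .22 updated
    ad[("juniper16.lab", "alice")] = ["domain users"]                     # alice removed from finance
    cache.on_profile_change("juniper16.lab", "alice")                     # .22 no longer in scope: deleted
    return cache.reports
```

`demo()` returns seven reports in order: three `created`, then `deleted`/`updated`/`updated` from the timeout probes, then a final `deleted` when the group change takes alice out of the group filter. The two things worth taking from the model are that filtering happens before a report exists (a filtered entry never reaches any SRX) and that a silent endpoint is removed rather than kept, which is what makes the passive mapping best effort: an address that stops answering probes loses its identity, and a new logon on the same address replaces it.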
Demo!
Demo topology
• Domain juniper16.lab (Windows 2016)
• Domain Juniper12.lab (Windows 2012)
• JIMS Primary and JIMS Secondary
• SRX1500 (15.1X49-D100), connected to both JIMS instances over HTTPS
• Security Director (17.1)
Summary
Takeaways
• Easy to install, easy to setup
• Highly scalable solution
• Does not require one agent per domain
• Visibility & enforcement based on users and devices
• Rich ecosystem: leverage the right solution for the right need
Additional resources
• Download available on www.juniper.net
• JIMS Information: http://www.juniper.net/us/en/products-services/security/jims/
• JIMS Data Sheet: http://www.juniper.net/assets/us/en/local/pdf/datasheets/1000618-en.pdf
• Security Director Information: https://www.juniper.net/us/en/products-services/security/security-director/
THANK YOU!