SRX as NGFW
Michel Tepper Consultant
2
Firewall Security Challenges
Organizations are looking for ways to protect their assets amidst today’s ever-increasing threat landscape. The latest generation of web-based applications, combined with the proliferation of mobile devices, has made it challenging to effectively manage traffic and provide access to data while delivering the right mix of security and network services. There might be hundreds or thousands of applications running across a typical enterprise network—some of these applications are important to the business and some are not.
How do you control what applications are allowed on your network, and how do you restrict those that are not? How do you make sure your network traffic is prioritizing business-critical operations? How do you get stronger security without compromising your operational efficiency? How do you make sure your security doesn’t negatively impact your business? This is where a next-generation firewall can help you.
3
Juniper Networks NGFW Protection Solution
Juniper Networks NGFW Protection solution is a powerful solution that helps bring context and clarity to the setting and enforcement of security policies and helps stop modern malware attacks, all while delivering the industry’s highest performance and with the capacity to grow with your business or traffic. SRX Series Services Gateways come in a broad range of models from all-in-one security and networking appliances to highly scalable, high-performance chassis solutions. All solutions can be centrally managed using Junos Space Security Director, and other security services are easily added to existing SRX Series platforms for a cost-effective solution.
4
User role-based Firewall
Juniper Networks SRX Series Services Gateways deliver integrated next-generation firewall protection with application awareness, IPS, and user role-based controls plus best-in-class UTM to protect and control your business assets. Next-generation firewalls are able to perform full-packet inspection and apply application-specific and user-specific security policies. This means you can create security policies based on the application running across your network, the user who is receiving or sending network traffic, and simultaneously examine the content that is traveling across your network. This helps protect your environment against threats, manages how your network bandwidth is allocated, and maintains appropriate access controls.
5
Integrated User Firewall and MORE
6
NGFW Application Visibility
Juniper Networks AppSecure suite of application-aware security services for the SRX Series classifies traffic flows, while bringing greater visibility, enforcement, control, and protection to your network security. AppSecure uses a sophisticated classification engine to accurately identify applications regardless of port or protocol, including applications known for using evasive techniques to avoid identification. It gives you the context to regain control of your network traffic, set and enforce policies based on accurate information, and deliver the performance and scale required to address your business needs. The services enabled by AppSecure include AppTrack for detailed visibility of application traffic, AppFW for granular policy enforcement of application traffic, and AppQoS for prioritization and metering of application traffic.
7
Juniper Networks Unified threat management (UTM)
Comprehensive content security against malware, viruses, phishing attacks, intrusions, spam, and other threats is available with Juniper Networks UTM. This best-in-class solution includes antivirus, anti-spam, Web filtering, and content filtering in a group of services easily added to an SRX Series Gateway or Firefly Perimeter virtual firewall.
8
Junos Space Security Director
Next-generation capabilities in the SRX Series and Firefly Perimeter can be centrally managed from a single management platform. You can manage all your security services, perform logging and reporting, as well as segment management responsibilities through role-based access controls in Juniper Networks Junos Space Security Director. Juniper Networks centralized management is based on Juniper Networks Junos operating system so it shares the same resiliency and massive scalability as Juniper Networks highly regarded network solutions preferred by most of the world’s largest service providers.
9
Why Juniper Networks NGFW Protection Solution?
Juniper Networks is introducing new enhancements to its SRX Series Services Gateways that provide next-generation security to help customers protect against threats and control what is on their network without adding a heavy administrative burden:
Greater protection:
• The new AppID engine includes a heuristics engine optimized for identifying evasive or tunneled applications. This is important for blocking risky applications such as peer-to-peer applications or adding control over social, video and communications applications. AppID will also identify nearly twice as many unique applications as before.
• Firefly Perimeter now supports next-generation firewall capabilities like IPS and UTM.
Simplified management:
• A single, central management platform delivers a simple method for managing all Juniper Networks firewalls, eliminating the complexity and time needed to support multiple management platforms.
• Juniper Networks SRX now integrates directly with Active Directory to apply user role-based firewall policies without requiring any additional devices or agents.
• AppID delivers granular management of application visibility and control on a per-policy basis.
Open solution for customization:
• Juniper Networks NGFW Protection solution offers a unique ability for customers to insert signatures for their custom-built applications or add IPS signatures to protect against exploits they discover. This capability helps organizations increase the amount of control they have over home-grown application traffic in their network and it enables increased protection against exploits targeting these custom applications.
10
SRX Series Services Gateway – Campus and Branch
Figure: SRX Series portfolio, from the branch models (SRX100/110, SRX210/220/240, SRX550, SRX650) up to the data center models (SRX1400, SRX3400, SRX3600, SRX5600, SRX5800), laid out across the Campus / Enterprise and DataCenter segments.
11
Firefly Perimeter
In addition to its advanced security services and network capabilities, Firefly Perimeter also empowers network and security administrators to quickly provision and scale firewall protection to meet dynamic demand using Junos Space Virtual Director. When combined with Junos Space Security Director, administrators can significantly improve security policy configuration, management, and visibility of their virtual and non-virtual environments.
12
Junos Space Security Director
Juniper Networks Junos Space Security Director, an application on Junos Space Network Management Platform, provides extensive security scale, granular policy control, and policy breadth across the network. It helps administrators quickly manage all phases of the security policy life cycle for stateful firewall, UTM, IPS, AppFW, VPN, and NAT through a centralized web-based interface.
Junos Space Security Director reduces management costs and errors with efficient security policy, workflow tools, and a powerful “app” and platform architecture.
13
Juniper Networks Conclusion
• Open / Extensible Security Platform: open signatures
• Simplified Management: Security Director, integrated logging & reporting, role-based access control
• NGFW Services: integrated user firewall, AppID 2.0, UTM, Firefly Perimeter (IPS, UTM), full SRX portfolio
14
Use case WSA
Company WSA (Westcon Security Academy) wants to implement a firewall with these specs:
• Only domain authenticated users get internet access
• Sysadmin without firewall knowledge should be able to deny users access to social media
• Logs should be easy to access
15
WSA network
Two users: sad and lucky to start with
16
User lucky: properties in AD
17
User sad: properties in AD
18
Users log on to the client systems
• User sad to client1
• User lucky to client2
• Both can browse the internet
• Next they try to access myspace.com
19
Results
Lucky: gets his access
Sad: gets even sadder: he gets a custom block message
20
These two firewall rules do the job:
• AD connection
• Application awareness
21
Oops
• Guest users couldn’t access the internet anymore!
• Change of policy:
• After a few hours we look up what the guests (students) are doing
22
Application access last 8 hours
“Normal” sites, plain text, so no application is identified. We could use UTM to categorize them.
23
Log details (screenshot of a log entry showing the user and application columns)
24
Agenda
• Use case: firewall for WSA
• SRX x47 highlights
• Junos Space 14.1 highlights
• Competitive analysis
• 10 (or more) good reasons to buy SRX right now
• Q & (hopefully) A
• Tech talk
25
NG AppID – What’s New?
Enhancements
1. Improved Evasive Application Detection
2. ~3000 Unique Applications
3. Improved Accuracy
4. Loadable Detector Module
User Experience Changes
• No significant changes
Q3 Enhancements
• Custom Application Support
26
INTEGRATED USER FIREWALL
Diagram: Windows ADs, Client, SRX Series, Corporate Data Center (Apps, Data, Finance, Video) and Internet, with the four numbered steps below.
1. A domain user logs in to the domain from a domain member device.
2. The user attempts to make a connection through the SRX.
3. The SRX checks its local tables to see if the user is already authenticated:
   1. If so, the user continues.
   2. If there is no local authentication, the SRX queries AD.
   3. If AD has an entry, it will be used.
   4. If there is no AD entry, the SRX falls back to the captive portal.
4. The authenticated user is evaluated by policy according to the firewall rulebase. If the traffic is permitted, the user is allowed to continue.
27
Multiple zones per policy
• Problem to solve
• Today when deploying security policy, customers need to set up separate policy entries even if most of their attributes are identical (source-address, destination-address, application, action) except for the zone attributes (from-zone, to-zone).
• Solution
• Add from-zone/to-zone to the global policy, just like source-address, destination-address etc. in the global policy. As a result, only one policy is needed in this release.
• Note: only global policies are changed to support multiple from/to zones.
Four policies are needed in order to apply the following security policies, even though the source-address, destination-address, application and action are the same.
28
Firewall Rulebase
It is here in the firewall rulebase where you activate which Security Intelligence policy you want to enable for which type of traffic. It works in combination with all other existing SRX L7 features such as:
- IPS
- AppFW / AppQoS
- AntiVirus
- WebFiltering
29
Space for NG firewalling
Junos Space 13.3: Security Director 13.3, Network Director 1.6, all other apps
Junos Space 14.1: Security Director 14.1, no Network Director yet
To complete a full NG implementation: deploy the log collector (a separate virtual appliance) and the Space app that accesses it.
30
Tech talk: New possibilities in CLI
• Operational mode security flow debugging
• Operational mode IKE debugging
root@x47_test> monitor security flow ?
Possible completions:
  file                 Trace file information
  filter               Flow packet debug filter
  start                Monitor flow start
  stop                 Monitor flow stop
root@x47_test> monitor security flow

root@x47_test> request security ike debug-enable ?
Possible completions:
  local                Local ip address
  remote               Remote ip address
31
Tech talk: IDP Sensor tuning
root@x47_test# set security idp sensor-configuration ?
Possible completions:
> log                          IDP Log Configuration
> packet-log                   IDP Packetlog Configuration
> application-identification   Application identification
> flow                         Flow configuration
> re-assembler                 Re-assembler configuration
> ips                          Ips configuration
> global                       Global configuration
> detector                     Detector Configuration
> ssl-inspection               SSL inspection
> high-availability            High availability configuration
> security-configuration       IDP security configuration
  disable-low-memory-handling  Do not abort IDP operations under low memory condition
[edit]
Many details available
32
Tech talk: IP matching in security

[edit security address-book example]
root@x47_test# set address example_address ?
Possible completions:
  <ip-prefix>          Numeric IPv4 or IPv6 address with prefix
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  description          Text description of address
> dns-name             DNS address name
> range-address        Address range
> wildcard-address     Numeric IPv4 wildcard address with in the form of a.d.d.r/netmask
[edit security address-book example]
root@x47_test# set address example_address

[edit security policies from-zone trust to-zone untrust]
root@x47_test# set policy example match ?
Possible completions:
+ application          Port-based application
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
+ destination-address  Match destination address
  destination-address-excluded  Exclude destination addresses
+ source-address       Match source address
  source-address-excluded  Exclude source addresses
+ source-identity      Match source identity
[edit security policies from-zone trust to-zone untrust]
33
Tech talk: AD coupling

root@x47_test# show services user-identification
active-directory-access {
    domain wsa.local {
        user {
            administrator;
            password "$9$rWzvXNsYoGUHgoz3n6AtvW8LdbsYg"; ## SECRET-DATA
        }
        domain-controller AD01.wsa.local {
            address 172.27.72.10;
        }
        domain-controller AD02.wsa.local {
            address 172.27.72.11;
        }
        user-group-mapping {
            ldap {
                base OU=demo-users,dc=wsa,dc=local;
                user {
                    Administrator;
                    password "$9$BtOErKXxdsYoNdk.mPQzEcSyM8XxN"; ## SECRET-DATA
                }
            }
        }
    }
}
34
Tech talk: Application FW rules
root@x47_test# show security application-firewall
profile test {
    block-message {
        type {
            custom-redirect-url {
                content http://172.27.72.10/badluck.htm;
            }
        }
    }
}
rule-sets no-social-media-trust-untrust {
    rule 0 {
        match {
            dynamic-application-group junos:web:social-networking;
        }
        then {
            deny;
        }
    }
    default-rule {
        permit;
    }
    profile test;
}
35
Tech talk: NG policies

[edit security policies from-zone trust to-zone untrust]
root@x47_test# show
policy no-social-media {
    match {
        source-address any;
        destination-address any;
        application [ junos-http junos-https ];
        source-identity "wsa.local\no-social-media";
    }
    then {
        permit {
            application-services {
                application-firewall {
                    rule-set no-social-media-trust-untrust;
                }
            }
        }
        log {
            session-close;
        }
    }
}
policy trust-to-untrust {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
        log {
            session-close;
        }
    }
}
36
Tech talk: Check ad connection
• Many other checks implemented
root@x47_test> show services user-identification active-directory-access active-directory-authentication-table all
Domain: wsa.local
Total entries: 4
Source IP       Username        groups           state
172.27.72.12    mtepper                          Valid
172.27.72.20    administrator                    Valid
172.27.78.1     sad             no-social-media  Valid
172.27.78.2     lucky                            Valid
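The authentication table above and the two policies on the "NG policies" slide fit together as follows. This Python example is added here and is not from the slides or from Juniper: it parses a constructed copy of the table output and returns the first policy a given source IP would match, sending IPs with no valid entry to the captive-portal fallback. It assumes that multiple groups would be printed comma-separated.

```python
# Constructed copy of the authentication-table output from the slide
# (same values, one row per line).
AUTH_TABLE = """\
Domain: wsa.local
Total entries: 4
Source IP       Username        groups           state
172.27.72.12    mtepper                          Valid
172.27.72.20    administrator                    Valid
172.27.78.1     sad             no-social-media  Valid
172.27.78.2     lucky                            Valid
"""

# Policy order from the "NG policies" slide; first match wins.
# (policy name, required source-identity, or None for "match any source")
POLICIES = [
    ("no-social-media", "wsa.local\\no-social-media"),
    ("trust-to-untrust", None),
]

def parse_auth_table(text):
    """Return (domain, {ip: (user, groups, state)}).

    Rows whose user is in no group have only three columns, so the column
    count decides the layout. Assumption: multiple groups are comma-separated.
    """
    domain, entries = None, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] in ("Total", "Source"):
            continue                                  # blank / header lines
        if parts[0] == "Domain:":
            domain = parts[1]
        elif len(parts) == 3:
            entries[parts[0]] = (parts[1], [], parts[2])
        elif len(parts) == 4:
            entries[parts[0]] = (parts[1], parts[2].split(","), parts[3])
    return domain, entries

def matching_policy(domain, entries, src_ip):
    """Policy a flow from src_ip hits; unknown or stale IPs go to captive portal."""
    entry = entries.get(src_ip)
    if entry is None or entry[2] != "Valid":
        return "captive-portal"        # no local/AD entry: the fallback in the user-firewall flow
    _user, groups, _state = entry
    identities = {f"{domain}\\{g}" for g in groups}  # same form as source-identity
    for name, required in POLICIES:
        if required is None or required in identities:
            return name
```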
37
Tech talk: NG in flow checking

root@x47_test> show security flow session dynamic-application junos:FACEBOOK-ACCESS
Session ID: 1761, Policy name: trust-to-untrust/5, Timeout: 1752, Valid
  In: 172.27.78.2/52549 --> 23.65.181.96/443;tcp, If: vlan.0, Pkts: 39, Bytes: 8699
  Out: 23.65.181.96/443 --> 134.27.1.2/11702;tcp, If: ge-0/0/0.0, Pkts: 22, Bytes: 5668
Session ID: 1762, Policy name: trust-to-untrust/5, Timeout: 1760, Valid
  In: 172.27.78.2/52548 --> 31.13.93.3/443;tcp, If: vlan.0, Pkts: 108, Bytes: 10988
  Out: 31.13.93.3/443 --> 134.27.1.2/4260;tcp, If: ge-0/0/0.0, Pkts: 120, Bytes: 133001
Session ID: 1763, Policy name: trust-to-untrust/5, Timeout: 1754, Valid
  In: 172.27.78.2/52551 --> 23.65.181.96/443;tcp, If: vlan.0, Pkts: 47, Bytes: 10869
  Out: 23.65.181.96/443 --> 134.27.1.2/12957;tcp, If: ge-0/0/0.0, Pkts: 26, Bytes: 6552
Session ID: 1767, Policy name: trust-to-untrust/5, Timeout: 1752, Valid
  In: 172.27.78.2/52558 --> 195.10.11.105/443;tcp, If: vlan.0, Pkts: 18, Bytes: 3817
  Out: 195.10.11.105/443 --> 134.27.1.2/30385;tcp, If: ge-0/0/0.0, Pkts: 12, Bytes: 6337
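To work with that session output outside the CLI, here is an added Python parser (not from the slides or from Juniper) that turns a constructed copy of it into records and totals bytes per remote server across both wings. It keys on the In wing's destination because the Out wing's source is the NATed address 134.27.1.2.

```python
import re

# Constructed copy of the "show security flow session dynamic-application
# junos:FACEBOOK-ACCESS" output from the slide, one session or wing per line.
FLOW_OUTPUT = """\
Session ID: 1761, Policy name: trust-to-untrust/5, Timeout: 1752, Valid
  In: 172.27.78.2/52549 --> 23.65.181.96/443;tcp, If: vlan.0, Pkts: 39, Bytes: 8699
  Out: 23.65.181.96/443 --> 134.27.1.2/11702;tcp, If: ge-0/0/0.0, Pkts: 22, Bytes: 5668
Session ID: 1762, Policy name: trust-to-untrust/5, Timeout: 1760, Valid
  In: 172.27.78.2/52548 --> 31.13.93.3/443;tcp, If: vlan.0, Pkts: 108, Bytes: 10988
  Out: 31.13.93.3/443 --> 134.27.1.2/4260;tcp, If: ge-0/0/0.0, Pkts: 120, Bytes: 133001
Session ID: 1763, Policy name: trust-to-untrust/5, Timeout: 1754, Valid
  In: 172.27.78.2/52551 --> 23.65.181.96/443;tcp, If: vlan.0, Pkts: 47, Bytes: 10869
  Out: 23.65.181.96/443 --> 134.27.1.2/12957;tcp, If: ge-0/0/0.0, Pkts: 26, Bytes: 6552
Session ID: 1767, Policy name: trust-to-untrust/5, Timeout: 1752, Valid
  In: 172.27.78.2/52558 --> 195.10.11.105/443;tcp, If: vlan.0, Pkts: 18, Bytes: 3817
  Out: 195.10.11.105/443 --> 134.27.1.2/30385;tcp, If: ge-0/0/0.0, Pkts: 12, Bytes: 6337
"""

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+), (\w+)")
WING_RE = re.compile(r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), "
                     r"Pkts: (\d+), Bytes: (\d+)")

def parse_flow_sessions(text):
    """Return a list of sessions; each dict carries its 'In' and 'Out' wing."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"id": int(m[1]), "policy": m[2],
                             "timeout": int(m[3]), "state": m[4]})
            continue
        m = WING_RE.match(line)
        if m and sessions:                     # wing belongs to the last session
            sessions[-1][m[1]] = {"src": m[2], "sport": int(m[3]), "dst": m[4],
                                  "dport": int(m[5]), "proto": m[6], "ifl": m[7],
                                  "pkts": int(m[8]), "bytes": int(m[9])}
    return sessions

def bytes_per_destination(sessions):
    """Bytes in both wings per remote server, keyed by the In wing's dst."""
    totals = {}                  # Out wing src is the NATed address, so key on In
    for s in sessions:
        dst = s["In"]["dst"]
        totals[dst] = totals.get(dst, 0) + s["In"]["bytes"] + s["Out"]["bytes"]
    return totals
```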
Thank You