Table of Contents HOL-PRT-1472

Transcription

1 Table of Contents Lab Overview - - Juniper Virtual Security Lab Overview... 2 Lab Overview... 3 Module 1 - Juniper Junos Space 101 (15 min)... 9 Introduction to Space Introduction to Virtual Director Introduction to Security Director Module 2 - Managing Your Physical and Virtual Infrastructure with Juniper Junos Space (45 min) Use Cases for Juniper Junos Space and Firefly Perimeter Deploying Firefly Perimeter Virtual Director - Greater Detail Security Director - Greater Detail Why Juniper for Your Physical and Virtual Infrastructure Module 3 - Juniper DDoS Secure (45 min) Introduction to Juniper DDoS Secure Introduction to Juniper DDoS Secure UI Configuration of Testing Environment Low and Slow Attack Why Juniper DDoS Secure Page 1

2 Lab Overview - HOL- PRT Juniper Virtual Security Lab Overview Page 2

3 Lab Overview So you have decided to incorporate a cloud and/or virtualization into your business, utilizing it for bursting, development, testing, or even using it for production applications. Have you built security into your virtual data center? Are you concerned about the DDoS attacks on your production applications? What about the ability to implement network based AV, VPN, NAT, IPS, and routing into your virtual data center, establishing a secure and operable software defined datacenter that is able to expand and maintain security throughout it's entire lifecycle. What about having a DDoS appliance in a virtual format for ease of deployment for any tenant? Building these technologies on the experience and confidence of Juniper Networks allows a solution that truly understands the functions and needs of networking and security for your true software defined datacenter. Only Juniper can understand security from a network standpoint because we are truly a network and security company. This lab will show you just a touch of our virtual security capabilities for your Enterprise or Service Provider environment. Understand that we have a full suite of virtualized security and network products and tools that allow you to manage your physical and virtual data center. Making Sure VMs are Running Before starting with the lab, lets make sure that all of your virtual machines are up and running. Launch Internet Explorer From the Control Center desktop, please double click the Internet Explorer icon. Log In To vsphere Web Client The login page for VMware vsphere Web Client will automatically launch. Please enter in the following credentials: User name: root Password: VMware1! Page 3

4 and click " Login " Home Tab Click the " Home " button. Page 4

5 VMs and Templates Click the " VMs and Templates " icon. Expand Datacenter Site A Click the arrow to the left of " Datacenter Site A " so that we can verify that the VMs are running. Page 5

6 List of VMs As you can see, the " DDoS Secure Virtual edition " is not running. This may not be the case with your lab. Your lab may have all the VM's running ( see note below ) or other VMs not running. This is why we are checking. NOTE : Attacker 32 does NOT need to be started Page 6

7 Starting VMs If any of the VMs are not running ( with the exception of Attacker 32 ), please right click on the VM and select " Power On " Page 7

8 Proceed With Lab Once you have verified that all the VMs ( with the exception of Attacker 32.. have I mentioned that already :) ), please proceed with the first Module. Thank you!!! Page 8

9 Module 1 - Juniper Junos Space 101 (15 min) Page 9

10 Introduction to Space Juniper Junos Space is a comprehensive Network Management Solution that simplifies and automates management of Juniper's switching, routing, and security devices. Junos Space consists of a network management platform for deep element and faultmanagement, configuration, accounting, performance, and security ( FCAPS ). FCAPS Network Management framework is created by ISO. FCAPS categorizes the working objectives of network management into five levels of management, plug-n-play management applications for reducing costs and provisioning new services quickly, and a programmable SDK for network customization. With each of these components working cohesively, Junos Space offers a unified network management and orchestration solution to help you more efficiently manage your network. In this lab, we will be covering the Virtual Director and Security Director applications. There are other applications available for Junos Space, such as Network Director but as indicated, we will not review at this time. Two of my favorite parts of the Junos Space Appliance is that it is available in a hardware and virtual appliance format. This gives you incredible flexibility in your data center and we are all for that. My second favorite part is that both versions support multiple nodes and this in turn provides the scalability and availability that your managed network requires as you add more devices, services, and users. You see, Junos Space manages BOTH virtual and physical components in your data center, but more of that later. Let's delve in to the Junos Space GUI. Launch Firefox On the Control Center box (the box you are logged in to) double click on the Mozilla Firefox image on the desktop. Page 10

11 Launch Junos Space Once Firefox is launched, Junos Space should be the homepage, but in case it is not, click on the "Junos Space Login" shortcut in the tool bar of the browser. Accepting Website's Security Certificate Note this is the Certificate message from Internet Explorer, it requires an acknowledgement but because we are using Firefox for this lab, we did not get one. In case you are seeing a certificate error, please accept it ( although in my testing, I did not but you never know :) ). Logging into Junos Space You will now see the Junos Space login. To log into Juniper Junos Space, use the following login Page 11

12 Username: super Password: VMware1! When you have entered the credentials, please click "Log In". Network Management Platform - Dashboard Once you first log in to Junos Space, you will see the main dashboard for the product. When you select any applications ( Security Director, Virtual Director ) in the box above the task tree, a dashboard displays graphical data above devices, jobs, users, administration, and so on. The dashboard provides a snapshot of the current status of objects managed and operations performed within a Junos Space application. The Network Management Platform dashboard ( as shown above ) displays the system health of your network and the percentage of jobs run successfully and in progress. The Network Management Platform dashboard contains gadgets ( graphs and charts ) that display statistics that provide a quick view of system health. They include a gauge Page 12

13 for overall system condition and graphs that display the fabric load and active users history. Page 13

14 Move the Gadgets Feel free to move and resize the gadgets. If you click on the blue bar of each of the gadgets, you will see the cursor changes form into an X, this means that it can be moved within the dashboard. Try it out! All dashboard gadgets are visible for all users and are updated in real time. Page 14

15 Saving and Printing If you right click on the "Job Information" gadget you will see that the images can be saved and/or printed. More Detailed Information Still within the "Job Information" gadget, if you double click on the Green "Success" section, it will bring you to greater detail such as the one shown above. Page 15

16 Job Management When you click the green circle you were automatically taken to the listing of jobs. Now thankful all my jobs are successful but you can imagine that jobs do fail for various reasons and they would show up here as well. Global Search Junos Space has this great Global Search capability. You can see that the search bar is always available no matter what screen you are on. You can use the feature to quickly locate any object within Junos Space. Junos Space allows you to perform a full-text search operation for objects within the system. You can do searches on object categories such as device name, Juniper platform ( Junos OS, Junos ES, etc ), OS version, serial number, IP of physical and logical interface, name of physical and logical interface, MAC address, software, and many many more. The global search operation supports query expressions. You can search for phrases and multiple terms. The default operator for multiple terms is the OR operator. Page 16

17 Applications for Space In this implementation of Space we have two additional applications installed. By clicking on the down arrow as described in the picture above, you can see what is available. We will not go into these applications at this time but we wanted you to see a quick viewing. In this lab configuration we have installed Virtual Director and Security Director. Service Now is part of the "default" Network Management Platform. Service Now is an automated troubleshooting capability that accelerates problem resolution by allowing you to open cases with Juniper Technical Support ( JTAC ) and include all related logs and diagnostics. Junos Space Service Now also reduces the time to integrate new Juniper products or releases into the network by using customized scripts installed on the Junos devices. Troubleshooting expertise is integrated into the products and therefore outage time is reduced. It also helps to lower the learning curve for operations personnel that are new to Juniper products. No need to click any of the applications now, just click the arrow again. Page 17

18 Task Group (Workspaces) Within each application ( in this case, Network Management Platform ) are the Task Groups or also sometimes referred to as Workspaces. These task groups are part of the task tree that is on the left side of the display. It is the navigation center for Junos Space. Note that you can collapse the task tree by clicking on the Double Left arrows but we will not do this at this time. These arrows are highlighted in the above image. Let's look at the Network Management Platform Task Groups. Page 18

19 Devices Task Group Expansion Click the " + " to the left of the "Devices" Task Group. Page 19

20 Devices Task Group As you can see there many options and Sub Task Groups available under "Devices". Let us spend some time in these options. Page 20

21 Devices "Dashboard" By clicking the "Devices" Task Group, you will get a dashboard on the right. A screen shot of the Devices Dashboard is above. Once again, these gadgets can be moved and you drill down into them for greater detail. There are three options "Device Count by Platform", "Device Status", and "Device Count by OS". We have not deployed any devices at this time and therefore the gadgets have no data. Page 21

22 Options and Sub Task Groups I have already expanded the additional Sub Task Groups in the image provided. I will admit that the data is not fun to look at at this time because there are no devices but like I said previously, feel free to click through all the options and see the data that is available. For instance, I love the "secure console" option available from the "Devices" Task Group. Page 22

23 Device Templates Expansion Click the " + " to the left of the "Device Templates" Task Group. Device Templates There are two options available under this Task Group, please select "definitions". Page 23

24 Definitions Here you will see the default device templates that are provided with Junos Space Network Management. As you can see, they list the majority of the types of device families available from Juniper. Note that these are for the hardware devices that Junos Space supports. Page 24

25 Select Default Syslog Config_Junos If you can please select the "Default Syslog_Config_JUNOS" Device Template and select the the pencil icon. Available Configuration Expansion Click the " + " to the left of the "Configuration" folder in "Available Configuration". Page 25

26 Configuration You will see that the template gives you a layout of the various options available. This will provide ease in your configurations of the devices that you can deploy through Junos Space. Page 26

27 CLI Configlets This Task Group allows you to easily apply a configuration to a device. Configlets are configuration tools by Junos OS that enables you to apply configuration onto the device by reducing configuration complexity. Configlet is a configuration template which is transformed to CLI configuration string before being applied to a device. The dynamic elements (strings) in configuration templates are defined using template variable. These variables act as an input to the process of transformation, to construct CLI configuration string. These variables can contain anything: it can be the interface name, device name, description text or any such dynamic values. Images and Scripts Junos Space facilitates management of devices running Junos OS (Juniper Operating System) by enabling you download a device image from Juniper's Software download site to your local file system. You can then upload the device images and deploy these device images onto a device or onto multiple devices of the same device family simultaneously. After you upload a device image you can stage a device image on a device, verify the checksum, and deploy the staged image whenever required. You can also schedule the staging, deployment, and validation of device images. You can also use Junos OS Scripts for configuration and diagnostic automation tools in order to deploy, verify, enable, disable, remove, and execute scripts that have been deployed to the devices. Reports The Reports Task Group is for... you guessed it... Reports. You can generate customized reports for managing the resources on your network. You can use the reports to gather data related to the device inventory details, job execution details, and audit trails. You first create a report definition to specify what information to retrieve from the Junos Space inventory database. You then use this report definition to generate, export, and Page 27

28 print the reports. Junos Space does provide some pre-defined categories to create report definitions. We will not be creating reports in this lab but feel free to speak with a Juniper Sales Rep for more information. Network Monitoring With the Network Monitoring task group, you can assess the performance of your network, not only at a point in time but also over a period of time. Click the "Network Monitoring" Task Group to see the dashboard. Page 28

29 Network Monitoring Dashboard As you can see that the " Network Management " Dashboard gives you a view into the "Nodes with Outages", "Availability over the past 24 hours", "Notification", "Resource Graphs", "KSC Reports", and "Quick Search". This dashboard provides great insight into your organization and quick searches against Node ID, Node Label like, TCP/IP address, Providing services ( ICMP or SNMP ). Network Monitoring Expansion Click on the " + " arrow to the left of the "Network Monitoring" Task Group. Page 29

30 Network Monitoring Task Group By expanding the "Network Monitoring" Task Group, you can see that there are many additional options. Feel free to review the screens associated with the additional Sub Task Groups. Configuration Files You can maintain copies of device configuration files are either running, candidate, or backup configuration files. This assists with device configuration recovery and maintaining consistency across multiple devices. Jobs The "Jobs" Task Group ironically monitors the progress of ongoing jobs. Crazy, I know! ( Note that the "Jobs" Task Group should already be open ). Page 30

31 Once again we have an amazing dashboard with drill down capability. There are three default gadgets available on the dashboard. Feel free to once again move them within the screen and to drill down into the various details. Users This surprisingly is where you add, mange, and delete users. I know... crazy place to put this right? Just Joshing... The Users Task group is where you can add you users and to assign roles to the users. Audit Logs In the Audit Logs task group you can view and filter system audit logs including those for user login and logout, tracking device management tasks, and displaying services that were provisioned on devices. Click on the "Audit Logs" Task Group. Page 31

32 Audit Logs Task Group The dashboard on the "Audit Logs" shows all statistics available from the audit log. Click on the blue section of the statistics. Page 32

33 Login Data In this case, I have only logged in as "super" but you can imagine that if there were other logins, these would show up as well. Please select the "IP Addresses" as identified in the image. Page 33

34 IP Address Data Here you see the IP addresses from which I have been accessing Junos Space. Page 34

35 Administration And lastly, Administration allows you to add network nodes, back up databases, manage the licenses and applications, or even troubleshoot. As you can see the administrative tasks are accomplished through this Task Group. This concludes our introduction to Juniper's Junos Space. Our next chapter will go into detail of the Virtual Director application. #JuniperLab #PewPew Page 35

36 Introduction to Virtual Director Junos Space Virtual Director is dedicated to provisioning, bootstrapping, monitoring, and lifecycle management of a variety of Juniper Virtual Appliances and related virtual security solutions. Virtual DIrector can be used to deploy, manage, and monitor instances of Firefly Perimeter ( more detail later ), which provides security and networking services at the perimeter in a virtualized private or public cloud environment. Virtual Director also registers each instance of Firefly Perimeter with the Junos Space Platform to allow other Junos Space applications, such as the Security Director application, to configure security policies. Page 36

37 Virtual Director Topology This above diagram shows where Virtual Director and Space sit in your virtual environment. As you can see, Virtual Director is used to support many of Juniper's virtual appliances. Security Director is used to manage many of Juniper's physical hardware devices. Juniper's Junos Space ties directly into VMware's vcenter Server. Page 37

38 Loading Virtual Director Virtual Director has already been installed into the Junos Space Network Management Platform. In order to launch the application, select the down arrow to the right of "Network Management Platform" and select "Virtual Director". Page 38

39 Virtual Director Dashboard Just like the dashboard in the "Network Management Platform", the "Virtual Director" "Dashboard" gives you a synopsis of environment. At this time, this is a clean install. We will populate this information in later articles in this lab. Take a note at how the "Summary" and "Deployment Alerts" looks at this time. As we do more activity in this lab, this information will change. Feel free to come back to the dashboard at any time. Page 39

40 Deployment Alerts Like I stated, this is a fresh installation and currently none of the deployments have failed, because we have not even tried. We will deploy later! This information shows on the bottom of the "Virtual Director" "Dashboard". Personally, I think It is nice to have this information for your data center in that single pane. Design Task Group Expansion Expand the "Design" Task Group. You will see there are three Sub Task Groups. Let us check them out. Design Task Group The "Design Task Group" has three Sub Task Groups Page 40

41 Virtualization Providers VM Image Files Virtual Director Templates Let's look at these individually. Virtualization Providers ( 1 ) Please click on the "Virtualization Providers" Sub Task Group. We do not have any at this time so let's connect one. We will only be connecting one but as you can tell, there can be multiple "virtualization providers" added to the system allowing you to manage different systems or tenants. ( 2 ) Please click on the green " + " circle. Page 41

42 Defining Virtualization Provider When the popup for "Define Virtualization Provider" appears, please provide the following information : Name : VMworld 2014 HoL Network Address : Administration Account Username : root Password : VMware1! VIrtualization Provider Type : [default] Connection : [default] and then click "Done". Page 42

43 New Virtualization Provider Once the connection is made, you will now see the new virtualization provider that you created is added. This connection is needed in order to deploy our Firefly Perimeter devices into our virtual data center for all types of customers. VM Image Files Please click on "VM Image Files". Page 43

44 Adding VM Image Files You will see that we currently do not have any VM image files in the system at this time, but it is incredibly simple to add additional files into Virtual Director. Please select the green " + " symbol. Load OVA The "Load OVA" screen will pop up. Please click the "Browse" box. Page 44

45 Downloads Directory Please make sure that you are in the "Downloads" directory if you are already not in this directory. Selecting OVA The downloads folder appears. Please select the "junos-vsrx-12.1x46-d10.2-domestic.ova" image file. Page 45

46 Click Open Now that you have selected the image, please click "Open" in the bottom right corner. Upload OVA Once back at the "Load OVA" screen, click the "Upload" button. Please Wait While your file uploads :). Page 46

47 Success #PewPew, the file has been uploaded. Please click the "OK" button. Updated VM Image Files You will now see your image in the "VM Image Files" screen. We will use this image for building our template and deploying the device. Page 47

48 Virtual Device Templates The "Virtual Device Templates" Sub Task Group allows you to see your previously created templates for deployment as well as to create new templates. Of course, we have not created one but we will be doing this in the next article. Manage Task Group Expansion Click on the " + " symbol to the left of the "Manage" Task Group. Page 48

49 Manage Task Group The "Manage" Task Group has two sub Task Groups. Feel free to review them but as you can imagine, they are empty :). Monitor Devices Task Group Expansion Click on the " + " symbol to the left of the "Monitor Devices" Task Group. Page 49

50 VM Connection Status Please click the "VM Connection Status" option. Unmanaged Devices As you can see, there is a Firefly Perimeter device listed. This Firefly Perimeter was deployed previously into the Juniper vpod. I needed to make sure you had some items to review :). Page 50

51 Moving Columns Notice that you can highlight a column and move it to your desired location on the bar for ease of management and viewing. Feel free to move a column to a new location by clicking on the column heading and dragging it to its new place. Expanding Columns Feel free to expand the columns to get greater detail. In this case, I have moved the IP Address column wider. When you click on the line in between the columns, the movement symbol will appear. Page 51

52 Search Capabilities You can imagine how many devices can appear in the screen. At times it may be going off the screen so the ability to search by "VM Name", "VM Status", "IP Address", and "Device Host Name" is in the top bar. Pretty handy huh? Deployment Status Task Group The "Deployment Status" Task group gives you a recap of all the request IDs that have occurred. For instance, you would see the request id for the power on and power off of the Firefly Perimeter Virtual Machines. It provides a summary of the succeeded and failed tasks. Application Settings Task Group And the last Task Group within "Virtual Director"... Click on "Application Settings". You will notice on the right the "Alert Settings" option comes up. This allows to set up addresses for the alerts to be ed to. And this closes out the Task Groups for the "Virtual Director" application within Junos Space. Let's look at how the Firefly Perimeters are managed next... so off to the next article in this module where we go into detail of Security Director. Page 52

53 #JuniperLab Page 53

54 Introduction to Security Director Security Director is a Junos Space application that is a quick and easy approach you can use to design your network security. With Security Director, you can create IPsec VPNs, firewall policies, NAT policies, and IPS configurations and push them to your security devices. These configurations use objects such as addresses, services, NAT pools, application signatures, policy profiles, VPN profiles, template definitions, and templates. These objects can be shared across multiple security configurations. You can create these objects prior to creating security configurations. Firewall policy, NAT policy, and IPS policy can be created and managed in a Tabular view. You can easily add new rules to the policies and choose to override policy-inherited settings by customizing the settings at a per-rule level. After you have added the rules to the policy, you can reorder these rules based on priority or group these rules for easy identification and modify them at a later time. A unified user interface approach for firewall, NAT, and IPS policies helps you reduce the learning time required to create different security configurations. You can periodically download the latest version of application signatures and IPS signatures from a URL provided by Juniper Networks. You can install these signatures on Juniper security devices. You can then use application signatures and IPS signatures when creating firewall policy configurations. Security Director also lets you create your own customized signature sets. All application firewall and IPS configurations are pushed to the devices when the firewall policy in which they are used is pushed to the devices. When you finish creating and verifying your security configurations, you can publish these configurations and keep them ready to be pushed to the security devices. Security Director helps you push all the security configurations to the devices all at once by providing a single interface that is intuitive. Pretty Cool Huh? Page 54

55 Launching Security Director From the Applications left column, ( 1 ) Select the down arrow to the right of "Virtual Director" ( the last application we were in ) ( 2 ) and select "Security Director" Page 55

56 Security Director Dashboard Here is a screen shot for the Task Groups that are available in the "Security Director" application. We will go into greater detail into these Task Groups after we do once last check on the dashboard. Page 56

57 Security Director Dashboard Cont'd From the "Security Director" dashboard you have the ability to Create, manage, and publish firewall policies Create and manage IPS signatures, IPS signature sets, and IPS policies Create, manage, and publish NAT policies Create, manage, and publish VPNs Firewall Policy Task Group Expansion Click on the " + " symbol to the left of the "Firewall Policy" Task Group. Page 57

58 Firewall Policy Task Group ( 1 ) Click the "Firewall Policy" Task Group. On the screen to the right, you will see two sections. Policies ( 2 ) will show firewall rules that have been previously created. The right pane ( 3 ) of the firewall policy Inventory Landing Page ( ILP ) divides the set of rules into two rule bases. All zone-based rules are grouped under Zone and the SRX Series All Devices rules are grouped under Global. Security Director provides you with five types of firewall policies All devices : this policy enables rules to be enforced globally to all the devices managed by Security Director Group : this type of policy is used when you want to update a specific firewall policy configuration to a large set of devices Device : this type of policy is used when you want to push a unique firewall policy configuration per device Device - Exception Policy : this type of firewall policy is created when a device is removed from a group policy Global Policy : these rules are enforced regardless of ingress or egress zones; they are enforced on any device transit Firewall Policy Sub Task Groups As you can see, the "Firewall Policy" Task Group is where you can Page 58

59 Create Policy Publish Policy Prioritize Policies Manage Policy Locks We have not created any policies yet but will in the subsequent articles. IP Policy Task Group Expansion Please click the " + " symbol to the left of the "IPS Policy" Task Group. Page 59

60 Sub Task Group Expansion Please click the " + " symbol to the left of the "IPS Signature" Sub Task Group and please click the " + " symbol to the left of the "IPS Signature-Set" Sub Task Group. IPS Policy Task Group IPS ( Intrusion Prevention ) is available as part of the overall functionality of the hardware devices. In future releases of Firefly Perimeter, this capability is included but again, Junos Space is a tool for both hardware and software versions of Junos OS products. You can use the IPS Policy Task Group to download and install the AppSecure signature database to security devices. You can automate the download and install process by scheduling the download and install tasks and configure there tasks to recur at specific time intervals. This ensures that your signature database to up-to-date. You can view the predefined IPS policy templates and create customized IPS policy-sets in this Task Group. You can also enable IPS Configuration is a firewall policy and provisions IPS related configuration with firewall policy. Page 60

61 NAT Policy Task Group Expansion Click on the " + " symbol to the left of the "NAT Policy" Task Group. NAT Policy Task Group Network Address Translation ( NAT ) is a form of network masquerading where you can hide devices between the zones or interfaces. A trust zone is a segment of the network where security measures are applied. It is usually assigned to the internal LAN. An untrust zone is the Internet. NAT modifies the IP address of the packets moving between the trust and untrust zones. Junos Space Security Director supports three types of NAT ( IPv6 is supported ): Source NAT - translates the source IP address of a packet leaving the trust zone ( outbound traffic ). It translates the traffic originating from the device in the trust zone. Using source NAT, an internal device can access the network by using the IP addresses specified in the NAT policy. Destination NAT - translates the destination IP address of a packet entering the trust zone ( inbound traffic ). It translates the traffic originating from a device outside the trust zone. Using destination NAT, an external device can send packets to a hidden internal device. Static NAT - always translates a private IP address to the sale public IP address. It translates traffic from both sides of the network ( both source and destination ). For example, a webserver with a private IP address can access the Internet using a static, one-to-one address translation. Page 61

62 VPN Policy Task Group Expansion Click on the " + " symbol to the left of the "VPN" Task Group. VPN Policy Task Group You can create site-to-site, hub-and-spoke, and full-mesh VPNs in the Task Group. If you want to use a customer VPN profile, you must configure a VPN profile before creating a VPN. You can configure the following parameters for an IPsec VPN Endpoints for a site-to-site VPN and full-mesh VPN Spokes and hubs for a hub-and-spoke VPN External Interface, Tunnel Zone, and Protected networks/zones for each device Routing settings VPN endpoint configuration You can also customize endpoint-specific settings like VPN Name, IKE ID, and profile for each tunnel. After the VPN configuration is saved, you can provision this VPN on the security devices. In Security Director, route-based VPNs support OSPF and RIP routing along with static routing. Security Director supports dynamic routing in VPN addressing. Security Director simplifies VPN address management by enabling the administrator to export static routes to a remote site over a tunnel, allowing the static route networks to participate in the VPN. Page 62

63 Listing of VPNs If we had VPNs configured, you would see them in the left pane of the Tabular view. Object Builder Task Group Expansion Click on the " + " symbol to the left of the "Object Builder" Task Group. Object Builder Task Group You can use the Object Builder Task Group in Security Director to create objects used by firewall policies, VPNs, and NAT policies. These objects are stored in the Junos Space database. You can reuse these objects with multiple security policies, VPNs, and NAT Page 63

64 policies. This approach makes the design of services more structured and avoids the need to create the objects during the service design. You can use the Object Builder Task Group to create, modify, clone, and delete the following objects: Address and address groups Services and service groups Application signatures Extranet Devices NAT pools Policy profiles VPN profiles Variables Template and template definitions Page 64

65 Devices Task Group Expansion Click on the " + " symbol to the left of the "Devices" Task Group. Devices Task Group The "Devices" Task Group lists the devices that have been discovered by Junos Space. This Task Group gives you greater flexibility into the view of your virtual datacenter and your physical data center. Remember, this tool is for both virtual AND physical devices. It is a one stop shop. Pretty awesome huh? Page 65

66 Jobs Task Group The "Jobs" Task Group gives you a full listing of the all the jobs transitioned through or for Junos Space. Please click on "Jobs" in order to bring the dashboard up. Jobs Task Group Dashboard Once again a dashboard is available to give us visibility in to the system. Please double click on the "Add Application" job type. Page 66

67 Job Management You can see the "Job Type" of "Add Application" is listed. This shows the install of the Security Director and Virtual Director application. Security Director Devices Task Group The "Security Director Devices" Task Group allows you to update the devices with firewall policies, NAT policies, and VPN Configurations. Downloads Task Group The "Downloads" Task Group allows you to download AppFirewall and IPS Signatures. Page 67

68 While you are on this screen please click the " + " symbol to the left of "Downloads". Downloads Task Group Dashboard This particular dashboard provides you with a full listing of all of the AppFirewall and IPS Signature downloads. It is a great way of keeping track of all the updates that you have received and implemented within the system and the products. Page 68

69 Signature Database Please click on the "Signature Database" Sub Task Group. Page 69

70 Signature Database Dashboard The Signature Database page appears. You can see the active databases there were downloaded earlier. At any time, Security Director will have only one active signature database. You can see on the top of this screen there is an IPS Signature that can be installed on the system. Install Configuration Please select the "Install Configuration" Sub Task Group. Page 70

71 Install Configuration Dashboard We do not have Juniper SRX devices in the netwrok so we can not install the configuration at this time but you can see how the installation would occur from this screen, either at the present time or to be scheduled at a later time. You have the control to determine when this would be done. FYI, SRX Series Services Gateways are high-performance network security solutions for enterprises and service providers that pack high port density, advanced security, and flexible connectivity into easily managed platforms. SRX Series Services Gateways deliver next-generation firewall protection with application awareness, intrusion prevention system (IPS), and extensive user role-based control options, plus best-in-class unified threat management (UTM) to protect and control your business assets. Next-generation firewalls are able to perform full packet inspection and can apply security policies based on Layer 7 information. This means that you can create security policies based on the application running across your network, the user who is receiving or sending network traffic, or the content that is traveling across your network to protect your environment against threats, manage the way your network bandwidth is allocated, and control who has access to what. SRX Series gateways come in a broad range of models from all-in-one security and networking appliances optimized for the enterprise edge to highly scalable, highperformance chassis solutions optimized for service providers and large data centers. All solutions can be centrally managed using Junos Space Security Director, and additional security services are easily added to existing SRX Series platforms for a cost-effective solution. Page 71

72 Download Configuration Select "Download Configuration" from the left hand bar. Download Configuration Information On this screen, you have the ability to download additional signature files that will be used with you virtual and hardware appliances. So as I described earlier, if you wanted to update the signatures in your SRX devices, this would be accomplished here. Page 72

73 I am also happy to note that Firefly Perimeter x47 will include UTM and IPS capabilities and in turn, Security Director would be used to update the devices as well. Audit Logs Select the "Audit Logs" Task Group. Audit Logs Dashboard You will see the dashboard on the right hand side of the page. Feel free to drill down into the various tasks for greater detail. Please note that your image may look different with regard to the tasks that were implemented in the system. Page 73

74 This concludes the introduction to Security Director. Please proceed on to the next module where you will learn more about Firefly Perimeters advanced security services and network capabilities. #JuniperLab Page 74

75 Module 2 - Managing Your Physical and Virtual Infrastructure with Juniper Junos Space (45 min) Page 75

76 Use Cases for Juniper Junos Space and Firefly Perimeter For Service Providers ( SP ), the network is the money-maker. SP s look to their network to create innovative services that solve business problems and demonstrate the added value they can bring to their customers. These services must always be available to ensure end- subscriber satisfaction, and new services need to be offered frequently as demands and technology change in order to obtain additional revenue streams. For Enterprises, the network is both a strategic and critical corporate asset, where costs have to be controlled. Explosive demand for smart devices, social media applications, and mobility-based services has placed unprecedented pressure on network operators who must provide a compelling experience to increasingly demanding, tech savvy consumers. The unrelenting expectations of highly secure and always-on connectivity and service, coupled with the growing use of cloud environments, make the network increasingly complex to manage and secure. Juniper addresses these network challenges with Junos Space to help Service Providers and Enteprise customers maximize their network value and scale solutions, all while reducing complexity. Junos Space is a critical component of Juniper s SDN strategy as it provides a centralized management plane for a single source of truth and a common management platform for managing and creating applications to meet your specific needs. Page 76

77 Virtualization Use Case As we will see in the following articles, Firefly Perimeter is the virtualized appliance with advanced security and networking features based on Junos OS. In addition to its advanced security services and network capabilities, Firefly Perimeter also empowers network and security administrators to quickly provision and scale firewall protection to meet dynamic demand using Junos Space Virtual Director. When combined with Junos Space Security Director, administrators can significantly improve security policy configuration, management, and visibility of their virtual and non-virtual environments. Firefly Perimeter provides: Stateful packet processing and application-layer gateway ALG features Rich connectivity features based on a powerful Junos OS foundation, including routing, NAT, and VPN Granular security between zones, creating boundaries between organizations, lines of business, and applications Firefly Perimeter for Managed Security Service Providers (MSSP) Firefly Perimeter enables Managed Security Service Providers ( MSSP ) to launch and activate new services more quickly by decoupling security services from customer premises ( CPE ) hardware. With Firefly Perimeter, MSSPs can migrate from the Page 77

78 monolithic architecture and design limitations of a physical firewall to diversified virtual firewall implementations. They can decentralize fault domains by deploying Firefly Perimeter VMs instead of dedicating a physical firewall to each tenant/customer or sharing one physical firewall across multiple tenants, reaping better returns on their investment. This reduces capital expenditure while aligning the billing with the actual usage. Additionally, having a firewall in a VM mapped to a single customer allows MSSPs to customize policies and perform maintenance, which only impacts that single customer instead of the traditional approach where numerous customers sharing the same physical firewall are all impacted. Firefly Perimeter enables MSSPs to offer value-added security services such as managed firewall, MPLS, VPN, clean pipe, and secure VM hosting, with a deployment model that lowers time to revenue. Clustering for Firefly Perimeter And one of the coolest things that Firefly Perimeter supports is clustering. Firefly Perimeter provides mission-critical reliability, supporting chassis clustering for both active/active as well as active/ passive modes. This support provides full stateful failover for any connections being processed. In addition, it is possible for the cluster members to span hypervisors. When Firefly Perimeter VMs are configured in a cluster, the VM synchronizes connection/session state and flow information, IPsec security associations, NAT traffic, address book information, configuration changes, and more. As a result, not only is the session preserved during failover but security is kept intact. In an unstable network, Firefly Perimeter also mitigates link flapping. Page 78

79 Physical Use Case Like Junos Space works with virtual appliances, such as Firefly Perimeter, it also works with the physical devices available from Juniper. Having the capability to manage both your physical and virtual data centers both as an Enterprise or as a Service Provider. It is all about ease and greater functionality on the tools provided to you. Saving time means saving money and Juniper's Junos Space does just that. What we will be covering in this lab is just the tip of the iceberg. Page 79

80 Deploying Firefly Perimeter As discussed earlier, Firefly Perimeter is an amazing virtualized security and networking tool that every Enterprise or Service Provider should have within their virtualized data center. There are many reasons why that is the case, the technology of course is one of the reasons but when you add the ease of deployment, configuration, and the automation capabilities, you begin to understand the possibilites of your virtual data center, the growth and the future you can have. Log In To Juniper Junos Space In case you have been logged out, log back in to Junos Space with the following credentials: Username : super Password : VMware1! Click "Log In". Page 80

81 Virtual Director No matter what application is available when you log in, make sure you end up at "Virtual Director". To do this, ( 1 ) Click the down arrow for the applications ( 2 ) Select "Virtual Director" Design Task Group Expansion Please click the " + " symbol to the left of the "Design" Task Group. Page 81

82 Virtual Device Templates Select "Virtual Device Templates". Adding New Template Click the green " + " circle in the dashboard. Create Template Wizard Fill in the following information in to the wizard. Page 82

83 Template Name : Firefly Perimeter VM Image File : ( Click the down arrow ) Select the OVF file that we have already brought in to the system - "junos-vsrx-12.1x46-d10.2-domestic,ovf". Page 83

84 Additional Information Once the image is selected, the Product Type and Version are already loaded. Click "Next". Page 84

85 Virtualization Host For "Virtualization Host" click the down arrow and select the pre-loaded IP address ( ). Page 85

86 Data Center For "Data Center" click the down arrow and select the pre-loaded Data Center ( Datacenter Site A ). Page 86

87 Cluster / Host For "Cluster/Host" click the down arrow and select the pre-loaded Data Center ( Cluster Site A ). Page 87

88 Resource Pool For "Resource Pool" click the down arrow and select the pre-loaded Resource Pool ( None ). Page 88

89 Data Store ( 1 ) For "Data Store" click the down arrow ( 2 ) select "ds-site-a-nfs1" ( 3 ) Once completed, select "Next". Page 89

90 Virtual Machine Configuration In this screen, fill in the following information Virtual Machine Name : Firefly_Perimeter Keep the "Edit network mapping" as the default Click "Next". Page 90

91 Device Boot Up Configuration Fill out this screen with the following information Create Root Password : VMware1! Confirm Password : VMware1! Hostname Pattern : Click the down arrow and select the " # ". Page 91

92 Additional Device Boot Up Configuration Continue with the configuration of the "Device boot up configuration" IP Assignment : [default] Default Gateway : Starting IP/Subnet : /24 Click "Next". Page 92

93 Final Review - General Information Please review the information listed under "General Information". If changes need to be made, select "Previous" to edit. If it looks correct, please proceed to the next step. Page 93

94 Final Review - Virtual Machine Host Configuration Expansion Click the " + " symbol to the right of "Virtual machine host configuration". Page 94

95 Final Review - Virtual Machine Host Configuration Review the configuration information for the "Virtual machine host configuration". Again, if changes need to be made, select "Previous" to edit. If it looks correct, please proceed to the next step. Page 95

96 Final Review - Virtual Machine Configuration Expansion Click the " + " symbol to the right of "Virtual machine configuration". Page 96

97 Final Review - Virtual Machine Configuration Review the configuration information for "Virtual Machine Configuration". If changes need to be made, select "Previous" to edit. If it looks correct, please proceed to the next step. Page 97

98 Final Review - Device Boot Up Configuration Expansion Click the " + " symbol to the right of "Device boot up configuration". Page 98

99 Final Review - Device Boot Up Configuration ( 1 ) Review the "Device boot up configuration" data ( 2 ) When you feel the information is correct, click " Submit " If it is not correct, guess what... click "Previous". Added Virtual Device Template You will now see the template listed in the dashboard for "Virtual Device Templates". Page 99

100 Deploying Template ( 1 ) Click the Firefly Perimeter template ( 2 ) Click the down arrow to the right of "Actions" ( 3 ) Select the "Deploy Template" option. Page 100

101 Number of Virtual Machines to Deploy ( 1 ) On the bottom of the "Deploy Virtual Machine" pop up, keep the default of " 1 " for the "Number of Virtual Machines to Deploy" ( 2 ) Click "Deploy". Page 101

102 Status A pop-up with the "Status" ID will appear Click the "OK" button. vsphere Web Client Tab You should already have a vsphere Web Client tab available in the Firefox browser. If not, use the shortcut in the menu. Page 102

103 vsphere Web Client Login Use the following credentials to log in to the vsphere Web Client User name : root Password : VMware1! Home Button Click the "Home" button on the top menu bar. Page 103

104 VMs and Templates Click on "VMs and Templates" in the Inventories section. Datacenter Site A Expansion Select the arrow to the left of the "Datacenter Site A". Firefly_Perimeter1 And there it is, our Firefly Perimeter that we configured and deployed.. Yay!! Now wasn't that simple!!! Page 104

105 Imagine how easy it is to deploy these Firefly Perimeter virtual machines for multiple tenants in your Enterprise or Service Providers. This concludes this article, please proceed to the next article which will cover Virtual Director in greater detail. #JuniperLab Page 105

106 Virtual Director - Greater Detail We have already spent some time talking about Virtual Director, but now that we have deployed a Firefly Perimeter, lets look at the application with greater detail. Junos Space Tab In Internet Explorer, click the first tab which should be Junos Space. If this tab is not available, use the shortcut in the menu bar. Virtual Director Application Make sure the "Virtual Director" application is loaded. PS... if you are logged out of the system, the account information is Username : super Password : VMware1! Page 106

107 Virtual Director Dashboard Please select the "Dashboard" in Virtual Director. You will see on the right hand the "Number of Deployed Devices" and "Number of Virtual Director Templates" now has been increased. Page 107

108 Deployed Devices Menu Please click on the "Manage" > "Deployed Devices" option in the left menu. Deployed Devices You can now see the Firefly Perimeter that we have deployed. Actions Available ( 1 ) Please click on the Firefly Perimeter device ( 2 ) Select the arrow to the right of "Actions" You will see the you can "PowerOff Device(s)", "PowerOn Device(s)", "Reset Device(s)". Yes, if you have other devices, you could power off/on multiple devices at once. You have the ability to control the device from Junos Space. Please note that this does not Page 108

109 take control away from the controls you have through the vsphere client, it just allows you to manage everything from one location. VM Connection Status Please select "VM Connection Status" under the "Monitor Devices" Task Group. Virtual Machines You will now see that both virtual machines are listed. Remember that a Firefly Perimeter was deployed already. Page 109

110 Virtual Director vs Security Director I just wanted to make it clear that once a virtual machine, like Firefly Perimeter, is brought into Virtual Director you have controls over it but the configurations will be done through Security Director. No matter what form the security device is in ( hardware vs. virtual ) security policies will be done through Security Director. This concludes this article. Let us now proceed to the next article which covers Security Director in greater detail. #JuniperLab Page 110

111 Security Director - Greater Detail In this part of the lab, we will go into greater detail and provide more hands on capability for Security Director now that we have deployed a Firefly Perimeter virtual machine from Virtual Director. Launching Security Director Click the arrow to the right of "Virtual Director" and select "Security Director". Firewall Policy Expand the "Firewall Policy" Task Group. Page 111

112 Creating the Global Policy Click "Create Policy" Sub Task Group. Page 112

113 Name Set up the following configurations: (1) Type : [default] (2) Name : HoL Policy (3) Description : Creating firewall policy for VMworld (4) Check Manage Zone Policy [default] - used to manage zone-based firewall rules (5) Policy Priority : Medium [default] (6) Precedence Value : keep default (value should be less the number of existing policies of the same priority. The number of existing policies are displayed as part of the Precedence field. For example, if the system has 4 policies with Low priority, 5 policies with Medium priority, and 3 policies with High priority, you can set the precedence as follows: low priority policies - 1 through 4 medium priority policies - 1 through 5 high priority policies - 1 through 3 (7) Profile : All Logging Enabled Note that we created a Group vs. Device policy. In this case, since we have only one device, it may have been more appropriate but it is nice to see that you can create policies for many devices... even if we don't have them in this simulation. Page 113

114 Page 114

115 Create Policy ( 1 ) Select the "corp_fw1.juniper.net" listing under "Available" ( 2 ) Click the " -> " in the middle to move the selection to the "Selected" side ( 3 ) Click "Create". Back to Firewall Policy Just make sure that you are back on the "Firewall Policy" Task Group. Page 115

116 Policies Under "HoL Policy" select the "corp_fw1.juniper.net". On the right you will see where the rules are implemented. Lock to Edit Click the Lock symbol in the top bar so that policy can be edited ( we do want to make sure that others are not editing the policy at the same time ). Page 116

117 Create Device Rule Click "Create Device Rule". Going Green Initially the rule will do green and change to white ( this is normal ). Page 117

118 Rule Name Click on "Device Zone - 1" in order to get the option to change the name. Change the Name Change the rule name to "FW-HoL", and click "OK". Source Trust Zone A trust zone is a segment of the network where security measures are applied. It is usually assigned to the internal LAN. An untrust zone is the Internet. Page 118

119 By default, the Source zone is set to trust. The zones that appear in the list are dependent on the type of security policy that you choose to add rules to. When adding a rule for a group policy, all the zones present on all devices are available for selection. In this case we will keep "trust". Source IP Address Click the "Any" option under the Source Address. You will see the ability to Include or Negate IPv4 and/or IPv6 Addresses. At this time, we will keep the default of "Any". Page 119

120 Destination Untrust Zone Next is the opportunity to change the "Destination Trust Zone". If you click on "untrust" you once again see the options. Let us keep the default of "untrust". Destination Address We will keep the default of "Any" for the Destination Address. Page 120

121 Service Options If you click the "Any" option for Service you will see the Available services that we will take actions against. Feel free to move the bar up and down to see all the services that are available. At this time, we will keep to "Any". Page 121

122 Action You may need to move the screen to the right to see all the options. As you see the default of "Deny", IPS is "Not applicable" because we are denying the traffic, but please change the "Action" option to "Permit". To do this, click on the "Action" to see the options and select "Permit". Understand that as stated in previous modules, the IPS rules are published as part of the Firewall rules. Permit Action Now that we have changed the "Action" to "Permit", IPS is now Off. Note that in the Firefly Perimeter x 47 release, IPS wil be incorporated. Just think about the capability to have IPS embedded capabilities in virtual machine. Page 122

123 Additional Actions As you can see, there are additional options, including "Tunnel". By clicking on "Tunnel" you will see that there is the ability to implement a VPN tunnel. AppFw Next, click on the "AppFw" section. AppFW - Disabled Initially when you click on AppFW the capability is disabled. Please click on "White List" to see the options. Note that there is also the capability to select "Black List" as well. Page 123

124 This is one of my favorite parts of this configuration, that you can easily specify "White List" or "Black List". Page 124

125 AppFW Enabled ( 1 ) Feel free to scroll the 36 pages or just the one :) of the Pre-defined Apps ( 2 ) Note that there are other options of "Pre-defined Group", "Customer Apps", or "Custom Group" ( 3) You can also search if need be. ( 4 ) Click "Cancel". Page 125

126 Validate Please click "Validate" on the bottom of the screen. No Validation Errors You will see a pop up stating there are no Validation errors. Save Click "Save" please. Page 126

127 Publish Policy Select the "Publish Policy" under the "Firewall Policy" Task Group. Selecting Firewall Policy Select the firewall policy that we just created. Select Next Please unselect the "Include IPS Policy" and Select "Next" on the bottom of the screen. Page 127

128 Affected Devices Select the name of our firewall policy under "Affected Devices". Select Publish Select "Publish" on the bottom of the page. Job Id A "Publish Information" Job ID will appear. Click "OK". Page 128

129 Jobs Management Please select "Job Management" under the "Job" Task Group. Success View the Job Id that was provided and the successful publishing to the number of devices. YAY!!! Page 129

130 IPS Policy As indicated, at this time of developing the lab, Firefly Perimeter does not support IPS and therefore we can not develop a policy. We could develop policies for other Juniper products like SRX but we are currently not using one in this lab. Firefly Perimeter will support IPS in the x47 version and at that time, you will use Junos Space to create that policy. NAT Configuration Information Junos Space Security Director provides you with a workflow where you can create and apply NAT policies on devices in a network. Security Director views each logical system as an other security devices and takes ownership of the security configuration of the logical systems. In Security Director, each logical system is managed as a unique security devices. Page 130

131 NAT Policy Please select "Create NAT Policy" under the "NAT Policy" Task Group. Device NAT Policy On the right side, a window will pop up will appear, at this time, we will create a "Device" rule ( 1 ) Select Device ( 2 ) Name : NAT_VMworld_2014 ( 3 ) Description : NAT Policy for VMworld 2014 ( 4 ) Click the down arrow next to Device and select "corp_fw1.juniper.net". Page 131

132 Select Create On the bottom of the screen, click "Create". Lock to Edit - NAT You will automatically go to the creating page. Click the "lock" symbol in order to lock the policy. Create Source Rule Click "Create Source Rule". Page 132

133 Renaming Device Select "Device-1" and change the name to "NAT_2014" Ingress Zones You will see the same Trust Zones appears that we had available in the Firewall portion. Page 133

134 Interface Zones At this time, we will be choosing the interfaces as the Zones. Please note that the Firefly Perimeter ( like all virtual machines ) can have up to 10 interfaces. This is eth0 interface. Please select "ge-0/0/0.0" and click the arrow to bring it to the selected side. Select "Ok". Page 134

135 Egress Zones ( 1 ) Please click the "Egress Zones" in order to see our options ( 2 ) Click "Interface" ( 3 ) Select "ge-0/0/0.0" ( 4 ) Select the " -> " to move to selected ( 5 ) Click "Ok". Page 135

136 Translated Packet Source Click the "No Translation" under "Translated Packet Source" in order to get the pop-up. Please select the down arrow to get out options. Translated Type Select "Pool" as our "Translation Type". Page 136

137 New Source Pool Please click the green " + " circle to the right of "Source Pool" in order to create a new source pool for NAT. Create Source NAT Pool Please fill in the following information Name : Source_NAT_2014 Description : Source NAT policy for VMworld 2014 We have no "Pool Address" so lets create one through this step. Please click the green " + " circle to the right of "Pool Address". Note that you can create the pool through the Object Builder Task Group". Page 137

138 Create Address Object Let's create the Address Object Type. Please fill in the following information Object Type : Address Name : VMworld_2014 Type: ( Click the down arrow ) Range NOTE You may get an "Inactivity Timeout" so please make sure you click "Yes". Page 138

139 Address Object Information Please fill in the following information Object Type : Address Name : VMworld_2014 Description : Addresses for VMworld 2014 Type: Range Start IP : End IP : Click "Create". Page 139

140 Advanced Prpoerties Click the arrow next to "Translation". Select "Port/Range". Page 140

141 Advanced Properties Cont'd Select the arrow next to "Address Pooling" and select "Paired". Select the arrow next to "Port" and select "Any". Click "Create". Click OK As you can see our configuration has been added. Please click "Ok". Page 141

142 Validate Please click "Validate". No Validation Errors You will see the "Information" screen on the right pop up showing that there are no Validation errors. Click Save Click "Save". Page 142

143 Object Builder Expansion Please click the " + " symbol to the left of "Object Builder" Task Group. Addresses Please select the "Addresses" Sub Task Group. Page 143

144 Object Builder > Addresses Note that we previously walked through these steps on the specific actions BUT we can create them before hand. As you can see our VMworld_2014 Addresses are listed. For planning purposes, you can easily create all your addresses before you start to create your policies. NAT Pools Please select "NAT Pools" Sub Task Group. Object Builder > NAT Pools Once again, you have the opportunity to create your NAT pools for the tenants before you build your NAT policy. Creating them in individual pieces will assist with management of your pools. Page 144

145 VPN Expansion Please click the " + " symbol to the left of the "VPN" Task Group. Create VPN Please select the "Create VPN" sub Task Group. Route Based VPN Please fill in the following information Name : VPN_VMworld_2014 Description : VPN for the VMworld 2014 Tunnel Mode: Route Based Notice the type of Route Based VPNs available: Page 145

146 Site to Site Full Mesh Hub and Spoke We will be keeping the default, "Site to Site" at this time. Page 146

147 Route Based VPN Profiles Please click the down arrow to the right for "VPN Profile" Notice the types that are available AggressiveModeProfile MainModeProfile RSAProfile At this time, we will keep the default of "MainModeProfile". Page 147

148 Route Based VPN Profiles Cont'd The "Preshared Key" is the last option for the VPN configuration. Note that you can either have the key auto-generated or set up manually. Page 148

149 Policy Based VPN Profiles Change the "Tunnel Mode" to "Policy Based" in order to see these options. Notice the "Type" is still "Site to Site" and the "VPN Profile" is still "Aggressive Mode Profile", "MainModeProfile", "RSAProfile". Please keep the default, "MainModeProfile". Policy Based VPN Profiles Cont'd Once again, we have the option to auto-generate or manually add the "Preshared Key". Page 149

150 Next Please select "Next" at the bottom of the page. VPN Wizard Under the available side, please select "corp_fw1.juniper.net" and click "Add as Endpoint" in order to move it to the selected side. Page 150

151 Next Please click "Next" on the bottom of the screen. More Than One Sorry but this is just a vpod and not set up in a real world scenario. Since we do not have another endpoint, we can not continue on with configuration. I wanted to make sure that you saw the steps that we would take to at least configure our side of the VPN connection. Please click "OK". Conclusion At this time, this is the end of the specific configurations that we will be covering within this lab. Please feel free to review the components of "Security Director" that we have not covered in this article. Page 151

152 When done, please proceed to the next article where we discuss why Juniper for your physical and virtual infrastructure. #JuniperLab Page 152

153 Why Juniper for Your Physical and Virtual Infrastructure Now that you have finalized the introduction of Juniper's Junos Space, by reviewing the Network Management Platform, Virtual Director, and Security Director, we just wanted to reiterate the importance and ease of the product. We believe in virtualization as much as you do but the infrastructure isn't always all virtualized. Simply put, if you can manage your physical and virtual infrastructure from one interface, why would you not use Juniper in your data center? With Junos Space, you benefit from : Network-wide visibility and control Quick scaling of operations and services Rapid deployment of switching, routing, and security infrastructure Total management of Juniper devices Cross-Vendor event and performance management Network intelligence for extending core platform capabilities Fast problem identification and resolution SDK and APIs for customization and integration Reduced OpEx Hot-pluggable/multi-tenant applications Application fabric Software image management Configuration templates Configuration file management For companies that want to extract value from their network and deliver on solutions that truly work for their business, Junos Space is the platform of choice. You can create and deploy custom management applications using our programmable interface. Junos Space improves network agility by providing a SDK toolkit and APIs both at the platform and application level for a complete customized solution so you can meet the specific needs of your business or internal procedures. Junos Space SDK includes the following components : Development tools : Junos Space Eclipse plug-in that allows wizard-based creation of different types of Junos Space applications, code generation, REST Explorer, automated build, deployment of applications for test and debug purposes, control of device simulations on device simulator, and other tools. REST Web Services Interfaces : Interfaces to the core capabilities of the Junos Space Platform, which are a part of the Junos Space network Management platform. Device and Environment Simulators : Device and element simulators providing the ability to test applications against virtual Juniper devices. Page 153

154 Performance, Analytics, Security, and Profiling tools : While the Junos Space SDK does not ship performance, analytics, security, or profiling tools, it is compatible with the most popular tools available today, such as VisualVM, JBoss Tools, etc. It is also important to know that Juniper has the following products in virtual format : WebApp Secure SA Series SSL VPN Firefly Perimeter Firefly Host Secure Analytics DDoS Secure Junos Space Security Director Virtual Director Network Director Log Director Contrail ( SDN ) Next Module The next module in this lab covers Juniper DDoS Secure. We hope that you will continue the lab to experience this awesome virtualized security product. If you are on twitter don't forget to tweet your thoughts or her at PewPew@juniper.net she would love to know them. #JuniperLab #PewPew Page 154

155 Module 3 - Juniper DDoS Secure (45 min) Page 155

156 Introduction to Juniper DDoS Secure DDoS flood attacks are a major problem for online businesses. Juniper DDoS Secure can nullify these problems by continually monitoring and logging all in- and out-bound Web traffic. DDoS Secure uses its CHARM algorithm to learn which IP addresses can be trusted, and is able to respond intelligently and in real time by dropping suspect or noncompliant packets as soon as the optimum performance from critical resources begins to degrade. This heuristic and granular approach to DDoS mitigation guarantees availability for legitimate users while blocking bad traffic, even under the most extreme attack conditions. This truly is my favorite part about DDoS. Traditionally, a DDoS outage occurs when resources are unable to handle the volume of connection requests at a particular point in time. This might be through an induced malicious attack using a Botnet for some financial, ideological, or political motive, or the result of a legitimate flash-crowd effect during peak traffic periods. To the end user, there is no real difference at best they experience degraded response times; at worst, it is a disruption in the resource s availability resulting in an outage with serious business impact. Adding more horsepower to the server or increasing bandwidth connectivity can provide some insurance against a volumetric DDoS attack, but they are ultimately in-effective against today s new breed of sophisticated DDoS threats. Simply throttling all traffic or blacklisting particular groups of IP addresses is also not a lasting solution, particularly as these measures can impact legitimate users. DDoS Secure software is different. Its innovative heuristic technology continually monitors and logs all inbound and outbound network traffic. Using its unique CHARM algorithm DDoS Secure learns which clients pose a risk through their use of available resources, and then intelligently responds in real time by disrupting an attack as soon as performance of critical resources begins to degrade. DDoS Secure is available in Virtual and Hardware appliance version. Key Features of DDoS Secure Dynamic and self-learning Effective against latest application layer, stealth, attack vectors Ultra-low latency Up to 40Gb/s throughput capacity Fully IPv6 compliant Plug & Play, simple to install and configure Fully automated for the fastest response and the lowest cost of ownership Bi-directional traffic analysis and inspection Fail-safe and clustering options SSL Inspection enables protection of HTTP and HTTPS applications Page 156

157 DDoS Secure Heuristic Mitigation in Action The grey normal Internet traffic flows through the DDoS Secure device, while the software analyses the type, origin, flow, data rate, sequencing, style and protocol being utilized by all inbound and outbound traffic. The analysis is heuristic in nature and adjusts over time but is applied in real time with minimal latency. The red DDoS attack traffic show the DDoS Secure appliance uses complex data analysis techniques to detect attacks and take the defensive measures and drop the traffic. Traffic Analysis This diagram illustrates how all inbound traffic that is identified as normal ( good CHARM score ) passes through the appliance without any change. All inbound traffic that is identified as malicious ( bad CHARM score ) is discarded if the protected resource cannot handle the load. There are no IP addresses to configure on the appliance's Internet traffic interfaces, and the appliance may be installed without changing the network configuration of any existing equipment. However, an IP address is required for the secure control connection to the management PC. The management PC requires a browser that supports HTML frames, JavaScript, and the HTTPS protocol, or, alternatively, an SSH client. The management PC is used to initially configure the appliance and then to report on the traffic statistics. During an attack, the appliance uses its built-in heuristic analysis to identify the most likely attackers within a few microseconds of the beginning of an attack. The longer the appliance analyzes the traffic, the better the heuristic analysis. Attacks are tracked on a per-incident basis for easy reporting and analysis. Page 157

158 Lets continue on to the next chapter where we investigate the Juniper DDoS Secure Users Interface ( UI ). #JuniperLab Page 158

159 Introduction to Juniper DDoS Secure UI Juniper DDoS Secure is a fully automatic DDoS protection system used for websites and web-connected e-commerce site. DDoS protects all TCP/IP protocols. In this article we will cover the user interface ( UI ) of the DDoS Secure appliance. There is so much data to cover regarding this appliance but since we are in a lab scenario, we will not be able to cover everything. We did want to make sure that you had time to review everything that is at your fingertips with this amazing product. Launching Internet Explorer Double Click the "Internet Explorer" icon on the Control Center desktop. New Tab Click on the box on the URL bar in order to bring up a new tab. Page 159

160 Launching DDoS Secure Click the "DDoS Secure Login" shortcut on the tool bar. Page 160

161 Accept Certificate You will more than likely get the above certificate error, click "Continue to this website (not recommended)"... yeah yeah I know it is not recommended but please do it anyway :) Page 161

162 Click "Login" Button Click the "Login" button in the middle of the page please. Page 162

163 Log into DDoS Secure To log into DDoS Secure, use the following credentials Username: user Password: password Web Interface Layout Above is a layout for the statistical display part of the user interface. Each individual segment of the page is divided in to categories. Options on the left pane are : Configuration/Logs - used to access the configuration and logs window. Summary Dashboard - used to display the summary dashboard. Menu Buttons - on the left pane of the page. Options on the center pane are : Display Output Configuration Input Options on the right pane are : Operational Mode Protected Info Defense Status - when an item in defense status turns from black to red, then DDoS secure is actively defending this situation. Page 163

164 Additional Status Options on the top center pane : Page Specific Action View Filters - the view filter button is available from any page within the statistical display section of DDoS Secure. Any value entered into the filter will be set until the filter is cleared, even when accessing another page within the DDoS secure statistical display section. Summary Dashboard Your login takes you directly to the real time dashboard for DDoS secure. On the top is the "Traffic Monitor" section. In the middle are "Load Status" and "Attack Status" graphs. Note that there is no traffic and attacks at this time but we will simulating two attacks in the future articles. The bottom row has "Good Traffic", "Bad Traffic", and "Protected Performance". You more than likely will see "Good Traffic" change over time. Page 164

165 The descriptions of the sections: Traffic Monitor Displays the average speed of data processed, both inbound and outbound, for the appliance, as well as the most active portals. Load Status Displays how busy the DDoS Secure appliance engine is. Attack Status Displays how aggressively the DDoS Secure appliance is dropping traffic to defend the appropriate resources. Good Traffic Displays the distribution of where good traffic is coming from. Bad Traffic Displays distribution of where bad traffic is coming from. Protected Performance Displays how busy a protected IP address is from an aggregated CHARM perspective, and what the average traffic to and from the IP address is. Page 165

166 Traffic Monitor The traffic monitor pane shows the peak traffic usage ( inbound and outbound ) over the selected period. Note that the default is 24 hours. Highlighting Traffic If you select the top "Appliance inbound" you will see it highlighted in the graph. Feel free to do this to the other three options available in the "Traffic Monitor" screen. Note that your "Traffic Monitor" pane may look different than the one shown above. Page 166

167 Changing Time As previously specified, you can change the time frame for your "Traffic Monitor" pane. In the top right, above the graph is a tab that allow you to change the time. Click the arrow to the right of "Last 24 Hours" to see the options. Page 167

168 Changing Viewing Note that you can also changing what appliances/portals/ip are shown on the "Traffic Monitor" page as well by clicking the arrow to the right of "Viewing: global" on the top right. Protected Performance View the bottom right corner and you will see the "Protected_ App" and "Unprotected_App" portals. These portals we will be using in our testing in subsequent. You can see that the "Protected_App" is in defending mode and "Unprotected_App" is in logging mode. This reports on how busy a protected IP address is from an aggregated CHARM perspective, and what the average traffic to and from the IP is. The DDoS Secure supports different components in one of two operational modes: Defending - if DDoS Secure appliance detects an undesirable packet, it logs the issue, and the packet is dropped. Logging - if DDoS Secure appliance detects an undesirable packet, it logs the issue, and the packet is passed. Examples of different components are: Overall Protection - logging or defending Portal Operation - logging or defending Protected IP Address Operation - logging or defending White-listed Client IP Address - logging Black-listed Client IP Address - defending Page 168

169 If an activity uses components that contain a combination of defending and logging, the resultant operational mode will be logging. Thus, for a black-listed client IP address and an overall operation of defending, a portal operation of logging, and a protected IP address operation of defending, the client IP address is not dropped. Page 169

170 Left Taskbar The left taskbar shows the menu buttons. These menu buttons gives you the more detailed information of the traffic that is through the DDoS Secure. Feel free to select them individually for review but note that because we have limited traffic ( at this time only Juniper's Junos Space is on the network ), the information is limited. We will be looking at some of these menus in other articles. Configuration/Logs Please click the "Configuration/Logs" tab. Page 170

171 This pop out screen provides you with administrative tasks as well as additional data for the configuration. Second Tab Please click the tab listed "Admin " that has popped up because you selected "Configuration/Logs". Log File The log file is the first screen that pops up showing everything that is occurring the the virtual appliance. Information like logins ( GUI ) and Info messages are shown. Page 171

172 Configure Portals Please click the "Configure Portals" option in the left pane menu. Portals - Defending / Logging As you will see from this screen, this is where I set up the configuration for the two portals to be put into defending and logging mode. The "Protected_app" will be defended and the "Unprotected_App" will be in logging mode. Page 172

173 Configure Interfaces Please select "Configure Interfaces" from the left menu pane. Network Modes As you will see in the screen on the left, under the "Internet/Protected Global Definitions", there are multiple ways to configure the DDoS Secure appliance. In our case we have it setup as an L3 ( Router ) because this scenario works best for the vpod. Note that the configurations for L2 ( Bridge ) and L2/L3 ( Split Network ) can also be configured. As an FYI, DDoS Secure uses "Internet" and "Protected" to differentiate the side of the attackers ( Internet ) and the side of the applications ( Protected ). Shutdown Although we do NOT want you shutting down the DDoS Secure appliance, please note that this is where you would do it. Note that this option is available in the bottom of the left menu pane. Page 173

174 This concludes a quick look at the DDOS Secure User Interface. Please proceed to the configuration of the testing environment article. #JuniperLab Page 174

175 Configuration of Testing Environment In this lab, we will be simulating a low and slow DDoS attack. Low and Slow attacks use as you can imagine "Slow" traffic, making it appear more notmal to an organization. The often go undetected because the do not violate any specific protocol, they do not match any specific signature. The end users will see low reaction to the calls to the systems creating incredible performance impact. vsphere Tab Proceed back to the first tab in the Internet Explorer browser. vsphere Web Client login Log into the VMware vsphere Web Client with the following credentials User name : root Password : VMware1! Click "Login" Page 175

176 Home Click the "Home" button in the top blue bar. VMs and Templates Click the "VMs and Templates" icon in the Inventories pane. Page 176

177 Expand Datacenter Click the arrow to the right of "Datacenter Site A". VM's We Will Be Using In our scenario we will be using the vm's highlighted. Protected and Unprotected Applications In our simulation we will have a "Protected Application" ( 2 Protected Application ) and an "Unprotected Application" ( 2 Unprotected Application ). These applications are on the Protected side of the DDoS Secure. Page 177

178 Remember when we were in the DDoS Secure Dashboard and the "Protected_App" was identified as Defending and "Unprotected_App" was identified as Logging. As you can imagine the Protected Application will be protected by the Juniper DDoS Secure virtual edition appliance and the Unprotected Application will not. Note that these two virtual machines are exactly the same. They are simulated webservers with databases. Page 178

179 Attacker "Attacker 42" will simulate a low and slow attack. Please note that this is a Linux box with customized scripts for their various attacks. This virtual machine is on the Internet side of the DDoS Secure. Attacker 42 has two interfaces specifically for the simulation. Page 179

180 Windows Box The "base-w7-01a" box will be used to show the impact of the attack. Page 180

181 DDoS Secure Virtual Edition Lastly our "DDoS Secure virtual edition" virtual application will send inline between the attackers and portals, collecting the data and doing it's thing. Let us see it in action. Please proceed to the next article where we will simulate a low and slow attack and show how Juniper DDoS Secure protects the protected site. #JuniperLab Page 181

182 Low and Slow Attack As mentioned previously a low and slow DDoS often become unnoticed by conventional tools. In this low and slow DDoS attack simulation, we will show you how Juniper's DDoS Secure can easily "catch" the data and protect the "Protected Application". Applicationlayer attacks, often referred to as low and slow ( to describe the attacker s goal of staying under threshold detection systems ), have exposed weaknesses in netflow and threshold based detection techniques. RUDY ( R-U-Dead- Yet ) and Slow Loris are two types of application-layer attacks that target the HTTP protocol. The attacker seeks to launch a multitude of requests that are difficult to serve back to the requester, depleting application resources and quickly bringing the website down. vsphere Web Client Make sure you are still in the "vsphere Web Client" tab within Internet Explorer. Launch Windows Console Select "Open Console" for the "base-w7-01a" virtual machine. Note that it will pop up in the next tab. Logging into Windows VM Use password : VMware1! Page 182

183 click " -> " button to the right of the password for the vmware account for the windows vm. Launch Firefox Double click the "Mozilla Firefox" icon on the desktop. Page 183

184 Launch Protected App Please select the "Protected App" shortcut in the menu bar. Protected App Notice the image in the Protected App is the Juniper Networks image. Firebug You will see that we have added the additional tool Firebug into Firefox. This tool is used to show how long it takes for the website to make it's calls once under attack. Notice the time while the site is running cleanly. In this case, it is 421 ms ( note that your time may be different ). Page 184

185 New Tab Please click the " + " symbol in order to bring up a second tab. Launch Unprotected App Please click the "Unprotected App" shortcut on the menu of Firefox. Page 185

186 Unprotected App Notice that the image in Unprotected App site is tomato cart ( we wanted to differentiate between them in case you got confused... I did at times : ) ) Firebug is also available on the bottom of the screen. Feel free to look at the time to load the unprotected site. Back to vsphere Web Client Please proceed back to the "vsphere Web Client" tab in Internet Explorer. Page 186

187 Launch Attacker 42 Please "Open Console" of "Attacker 42" by right clicking on "Attacker 42" virtual machine. Log into Attacker 42 Please log into the Attacker 42 with the following credentials Attacker login : root Password : Juniper1! Ping Protected App At the prompt, type ping Page 187

188 This is the IP address of the Protected Application. Exit Console Select < Ctrl + Alt > to escape the window, please keep the ping going. Proceed to DDoS Secure Please click on the DDoS Secure tab in Internet Explorer. Page 188

189 Select ICMP Info Please select "ICMP Info" on the left column. ICMP Info As you can see the Attacker 42 vm is pinging the Protected Application and the Juniper DDoS Secure appliance can see it. Back to Attacker 42 Please proceed back to the "Attacker 42" tab in Internet Explorer. Page 189

190 Stop Ping Stop the ping by entering < Ctrl + C > in the console. Start Attack at the command prompt, type sh slow_query_attack.sh Leave Attacker 42 As the message show, please hit < Ctrl + alt > to release the cursor. Page 190

191 DDoS Secure Dashboard Please proceed to the DDoS Secure tab in Internet Explorer. Traffic Numbers You will see the numbers increase on the right hand side of the dashboard. Remember this is a low and slow attack and it will take some time for the attack to show and for the site to be protected and it will take time for the sites to recover. It is a cool simulation so give it time please. Page 191

192 Proceed to URL Info Please proceed to the "URL Info" option in the left pane. URL Info You can see the top two lines show the Unprotected App and the Protected App. This is a low and slow attack but you will see the number increasing. At this time, you will see the pending numbers are approximately the same. Did you want me to remind you that it is low and wait for it... slow... attack. Pending Numbers After some time, you will see the pending numbers start to have a huge differentiation!!! Right now the unprotected app has 236 requests pending and the protected app has 53 requests pending. Note that your numbers will be different. Page 192

193 Clearly the Juniper DDoS is protecting the protected app!!! But wait, we are not done... Proceed to Windows VM Please proceed to the "base-w7-01a" tab in Internet Explorer. Page 193

194 Reload Protected App In Firefox ( 1 ) Reload the Protected App website by selecting the circle arrow. ( 2 ) You will notice that it launches in a specific amount of time. In this case, it is 46 ms. Unprotected App Please click the first tab to go the Unprotected App. Page 194

195 Reload Unprotected App ( 1 ) reload the Unprotected Application site by click the circle arrow ( 2 ) Notice the time it takes to load the site. In this case, 14.59s Note that the longer you wait for the attack to progress, the longer the response time will be. For instance, we have seen this take 200 s or even time out. There is a big difference between 46 ms and sec. Juniper DDoS Secure protected our Protected App from the low and slow DDoS Attack. Cool huh? I told you!!! Final Thoughts So what we just saw is a low and slow attack from our "Attacker 42" virtual machine against two seb servers. We saw the Juniper DDoS Secure automatically saw the attack Page 195