MIGRATING IPS SECURITY POLICY TO JUNIPER NETWORKS SRX SERIES SERVICES GATEWAYS




APPLICATION NOTE

Migrating Advanced Security Policies to SRX Series Services Gateways

Copyright 2009, Juniper Networks, Inc.

Table of Contents

Introduction
  Deployment
  Feature Parity
  Multi-Method Detection
  Logging
Scope
Description and Deployment Scenario
  Security Policy Migration
  Standalone IDP Series to SRX Series
    Sensor Settings
    Migrating Policy
  ISG Series to SRX Series
About Juniper Networks

Introduction

This application note provides a brief overview of the basic considerations when moving from standalone Juniper Networks IDP Series Intrusion Detection and Protection Appliances, or Juniper Networks ISG Series Integrated Security Gateways with the IDP security module, to the SRX Series Services Gateways.

Deployment

SRX Series Services Gateways can be deployed in inline mode only. In other words, the SRX Series cannot be configured in sniffer or transparent mode (as the standalone IDP Series can), nor in inline tap mode (as the ISG Series with IDP can). Because the SRX Series always sits in the forwarding path, every policy action it takes affects production traffic directly.

Feature Parity

Feature parity between the standalone IDP Series and the Juniper Networks JUNOS Software-based SRX Series platforms will occur in the near future. Ultimately, feature parity is a goal that will be achieved over time, giving customers greater flexibility and allowing them to choose the solution that best fits their overall business and network security needs. It is recommended that feature availability and requirements be verified before weighing device capabilities and deployment options.

Multi-Method Detection

SRX Series devices deploy two rulebases: the main IDP rulebase and the exempt rulebase. In addition, the SRX Series uses security zones, which are based on technology available on ScreenOS-based security devices, and provides detailed screen protection as an alternative to some of the basic detection methods and rulebases of the standalone IDP Series.

Logging

Logging on an SRX Series gateway must be configured to send records for security events via syslog to a preconfigured syslog server, such as a Juniper Networks STRM Series Security Threat Response Manager.

Scope

Although an SRX Series IDP policy can be configured entirely from within Juniper Networks J-Web Software, this document focuses primarily on command-line interface (CLI) and Juniper Networks Network and Security Manager (NSM) configuration steps, with the intention of providing an easy transition and learning path both for system engineers new to the IDP Series and for those already familiar with managing standalone IDP Series and ISG Series with IDP solutions. That said, brief J-Web configuration steps are also provided at the end of this document.

Description and Deployment Scenario

Security Policy Migration

This document assumes that the SRX Series gateway has been configured according to the following network diagram, with all the required interfaces, security zones, and other needed configuration settings in place.

Figure 1: SRX Series Deployment Example (diagram labels: GUI 192.168.1.240; NSM 192.168.1.139; SYSLOG 192.168.2.212; SRX Series with fxp0 192.168.1.211, ge-0/0/7 192.168.2.211, ge-0/0/2 33.3.3.1 in zone abc-trust, and ge-0/0/3 44.4.4.1 in zone abc-untrust)

Here is an example of a basic SRX Series configuration:

set security log format syslog
set security log source-address 192.168.2.211
set security log stream jet severity debug
set security log stream jet host 192.168.2.212
set interfaces ge-0/0/2 unit 0 family inet address 33.3.3.1/24
set interfaces ge-0/0/3 unit 0 family inet address 44.4.4.1/24
set interfaces ge-0/0/7 unit 0 family inet address 192.168.2.1/24
set interfaces fxp0 unit 0 family inet address 192.168.1.221/24
set system services ssh root-login allow
set system services outbound-ssh client nsm device-id EEC4B8
set system services outbound-ssh client nsm secret $9$iqfz9CuIhrp0IcrlXxbs24aUF39
set system services outbound-ssh client nsm services netconf
set system services outbound-ssh client nsm 192.168.1.139 port 7804
set security policies default-policy deny-all
set security idp traceoptions file size 100m
set security idp traceoptions flag all
set security idp traceoptions level all
set security zones security-zone abc-trust interfaces ge-0/0/2.0
set security zones security-zone abc-untrust interfaces ge-0/0/3.0

Standalone IDP Series to SRX Series

Because standalone IDP Series devices are typically deployed in either sniffer or transparent mode, additional considerations with regard to the network design must be made. These involve:

- Network interfaces configuration
- Security zones configuration

In addition, there are considerations with regard to additional security features, such as:

- Denial of service (DoS)/flood protection
- Traffic anomaly detection or screens (as well as some of the detection methods which may have yet to be implemented as part of the current JUNOS release)

Finally, security policy settings and, more specifically, the configured actions have to be closely analyzed, because a new device has the potential to impact production network traffic flows as a result of its participation in Layer 3 processing.

Sensor Settings

On both standalone IDP Series and SRX Series devices, there are a number of sensor configuration settings which can be used to fine-tune IDP behavior; they can be accessed from the CLI and from Network and Security Manager. If any of these settings have been changed from their default values or need to be further modified, this must be done manually: there is no automated process to export and import these settings.

Note: In order to update sensor configuration settings on the SRX Series from NSM, the SRX Series device needs to be configured in In-Device policy management mode.

Migrating Policy

Following is a simple DMZ-based IDP Series security policy as it runs on a standalone IDP device. Porting this policy to the SRX Series device involves the following steps:

1. Make sure the SRX Series device is in Central Management Policy Mode.

2. Add and configure the firewall rulebase:
   - Configure source and destination zones
   - Configure Install On
   - Enable IDP
   - Rename the policy so that it reflects the new platform, for easier management

3. Change Install On in the IDP policy and edit rules if needed.

4. Assign the policy.

5. Update the device.

6. If the update fails due to an inventory mismatch between the device and the associated information in the NSM database (such as in the following Job Information example): .... then reconcile the Inventory: .... and update again.

7. The device update should resemble the following:

mxb@perth# show security idp idp-policy SRX_DMZ | display set
set security idp idp-policy SRX_DMZ rulebase-ips rule 1 match source-address any
set security idp idp-policy SRX_DMZ rulebase-ips rule 1 match destination-address any
set security idp idp-policy SRX_DMZ rulebase-ips rule 1 match attacks predefined-attack-groups IP - Major
set security idp idp-policy SRX_DMZ rulebase-ips rule 1 match attacks predefined-attack-groups IP - Critical
set security idp idp-policy SRX_DMZ rulebase-ips rule 1 match attacks predefined-attack-groups TCP - Critical
set security idp idp-policy SRX_DMZ rulebase-ips rule 1 match attacks predefined-attack-groups TCP - Major
set security idp idp-policy SRX_DMZ rulebase-ips rule 1 then action drop-packet
set security idp idp-policy SRX_DMZ rulebase-ips rule 1 then notification log-attacks alert
set security idp idp-policy SRX_DMZ rulebase-ips rule 2 match source-address any
set security idp idp-policy SRX_DMZ rulebase-ips rule 2 match destination-address any
set security idp idp-policy SRX_DMZ rulebase-ips rule 2 match attacks predefined-attack-groups DNS - Critical
set security idp idp-policy SRX_DMZ rulebase-ips rule 2 match attacks predefined-attack-groups DNS - Major
set security idp idp-policy SRX_DMZ rulebase-ips rule 2 then action drop-connection
set security idp idp-policy SRX_DMZ rulebase-ips rule 2 then notification log-attacks alert
set security idp idp-policy SRX_DMZ rulebase-ips rule 3 match source-address any
set security idp idp-policy SRX_DMZ rulebase-ips rule 3 match destination-address any
set security idp idp-policy SRX_DMZ rulebase-ips rule 3 match attacks predefined-attack-groups FINGER - Minor
set security idp idp-policy SRX_DMZ rulebase-ips rule 3 match attacks predefined-attack-groups FTP - Minor
set security idp idp-policy SRX_DMZ rulebase-ips rule 3 match attacks predefined-attack-groups GOPHER - Minor
set security idp idp-policy SRX_DMZ rulebase-ips rule 3 match attacks predefined-attack-groups HTTP - Minor
set security idp idp-policy SRX_DMZ rulebase-ips rule 3 match attacks predefined-attack-groups IMAP - Minor
set security idp idp-policy SRX_DMZ rulebase-ips rule 3 match attacks predefined-attack-groups NNTP - Minor
set security idp idp-policy SRX_DMZ rulebase-ips rule 3 match attacks predefined-attack-groups POP3 - Minor
set security idp idp-policy SRX_DMZ rulebase-ips rule 3 match attacks predefined-attack-groups SHELLCODE - Minor
set security idp idp-policy SRX_DMZ rulebase-ips rule 3 match attacks predefined-attack-groups SMTP - Minor
set security idp idp-policy SRX_DMZ rulebase-ips rule 3 match attacks predefined-attack-groups SSH - Minor
set security idp idp-policy SRX_DMZ rulebase-ips rule 3 then action no-action
set security idp idp-policy SRX_DMZ rulebase-ips rule 3 then notification log-attacks

ISG Series to SRX Series

If the ISG Series with IDP is not configured in transparent (L2) mode and the network design is not going to change, the migration process is very straightforward. All considerations described in the previous sections have already been addressed on the ISG Series and have been in use for some length of time, providing greater confidence that the security policy will not impact production. The steps involved in migrating the policy do not differ from the standalone IDP Series migration process, except that there is no need to additionally create a firewall policy, and probably no need to redesign the surrounding network and addressing or the required DoS and flood protection. Even in the most demanding migration scenario, ISG Series migration involves only a subset of the standalone IDP Series migration steps.

A more demanding scenario arises when the ISG Series has been configured in transparent (L2) mode. This process is more involved than in L3 mode, because breaking the broadcast domains can cause some concerns and warrants additional care when configuring the policy and its responses. However, just as with the standalone IDP Series, provided that the networking configuration is done properly, security policy rules (responses to specific events) can be enabled and changed selectively.
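Because the SRX Series is always inline, the note's advice to analyze configured actions closely and to enable responses selectively is easiest to follow when the migrated policy is generated and reviewed as text before it is pushed. The following Python script is an added example (not part of this application note or of any Juniper tool): it renders rules described the way the SRX_DMZ policy above is (attack groups, action, logging) into the same set commands that "display set" prints, rejects actions outside the three used here, and can produce a staged copy with every blocking action downgraded to no-action so that a first update only logs. The IdpRule class, its field names and the shortened rule 3 group list are constructed for the example.

```python
"""Render a migrated IDP policy as Junos 'set' commands (added example)."""
from dataclasses import dataclass, replace
from typing import List

# Actions used by the note's rulebase-ips sample output.
ALLOWED_ACTIONS = {"no-action", "drop-packet", "drop-connection"}

@dataclass
class IdpRule:
    number: int
    attack_groups: List[str]   # predefined attack group names, e.g. "IP - Major"
    action: str                # one of ALLOWED_ACTIONS
    log: bool = True           # emit 'then notification log-attacks'
    alert: bool = False        # append the 'alert' flag to the log line
    source: str = "any"
    destination: str = "any"

def render_rule(policy: str, rule: IdpRule) -> List[str]:
    """Set commands for one rule, in the order 'display set' prints them."""
    if rule.action not in ALLOWED_ACTIONS:
        raise ValueError(f"rule {rule.number}: unsupported action {rule.action!r}")
    prefix = f"set security idp idp-policy {policy} rulebase-ips rule {rule.number}"
    lines = [f"{prefix} match source-address {rule.source}",
             f"{prefix} match destination-address {rule.destination}"]
    lines += [f"{prefix} match attacks predefined-attack-groups {g}"
              for g in rule.attack_groups]
    lines.append(f"{prefix} then action {rule.action}")
    if rule.log:
        lines.append(f"{prefix} then notification log-attacks"
                     + (" alert" if rule.alert else ""))
    return lines

def render_policy(policy: str, rules: List[IdpRule]) -> List[str]:
    """Set commands for the whole policy, rule by rule."""
    return [line for r in rules for line in render_rule(policy, r)]

def staged(rules: List[IdpRule]) -> List[IdpRule]:
    """Copy of the rules with every blocking action downgraded to no-action,
    so a first push to the inline SRX only logs what it would have dropped."""
    return [replace(r, action="no-action") for r in rules]

# The note's SRX_DMZ policy, transcribed from its 'display set' output
# (rule 3's attack group list is shortened here).
SRX_DMZ = [
    IdpRule(1, ["IP - Major", "IP - Critical", "TCP - Critical", "TCP - Major"],
            "drop-packet", alert=True),
    IdpRule(2, ["DNS - Critical", "DNS - Major"], "drop-connection", alert=True),
    IdpRule(3, ["FINGER - Minor", "FTP - Minor", "HTTP - Minor"], "no-action"),
]

if __name__ == "__main__":
    print("\n".join(render_policy("SRX_DMZ", SRX_DMZ)))
```

Diffing the script's output against the device's own "show security idp idp-policy SRX_DMZ | display set" after the update gives a quick check that NSM pushed exactly the rules that were reviewed.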

About Juniper Networks

Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at www.juniper.net.

Corporate and Sales Headquarters: Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA. Phone: 888.JUNIPER (888.586.4737) or 408.745.2000. Fax: 408.745.2100.

APAC Headquarters: Juniper Networks (Hong Kong), 26/F, Cityplaza One, 1111 King's Road, Taikoo Shing, Hong Kong. Phone: 852.2332.3636. Fax: 852.2574.7803.

EMEA Headquarters: Juniper Networks Ireland, Airside Business Park, Swords, County Dublin, Ireland. Phone: 35.31.8903.600. Fax: 35.31.8903.601.

To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or an authorized reseller.

Copyright 2009 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

3500147-001-EN Mar 2009. Printed on recycled paper.