Vous êtes sur la page 1sur 29

Implementation Guide

Secure Network Access Across


the Distributed Enterprise

Adaptive Threat Management Solutions for Insider Threat Mitigation

Although Juniper Networks has attempted to provide accurate information in this guide, Juniper Networks does not warrant or guarantee the accuracy of the information provided
herein. Third party product descriptions and related technical details provided in this document are for information purposes only and such products are not supported by Juniper
Networks. All information provided in this guide is provided “as is”, with all faults, and without warranty of any kind, either expressed or implied or statutory. Juniper Networks
and its suppliers hereby disclaim all warranties related to this guide and the information contained herein, whether expressed or implied of statutory including, without limitation,
those of merchantability, fitness for a particular purpose and noninfringement, or arising from a course of dealing, usage, or trade practice.

Copyright © 2010, Juniper Networks, Inc.


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

Table of Contents
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Scope. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Target Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Design Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Requirements and Recommended Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Juniper’s Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Major Components of the Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
IC Series Unified Access Control Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
EX Series Ethernet Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Intrusion Prevention System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
STRM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Network and Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Challenges and Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Traffic Inspection and Coordinated Threat Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Centralized Security Management, Visibility, and Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Network and Security Devices Generating Events/Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Secure Threat Response Manager Operational Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Monitoring the Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Enterprise Security State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Enterprise Vulnerability State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Most Severe and Most Recent Offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Top Attackers and Targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Offense Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Implementation Guidelines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Coordinated Threat Control Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Create a Onetime Password on the IDP Series Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Configure a Route to the IC Series Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Configure the IDP Series Policies for Event Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Configure IDP Sensor on the IC Series Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Configure a Remediation Role for Restricted Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Configure the Sensor Event Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Enable the IDP Series and IC Series Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Network and Security Device Integration with STRM Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Configure J-Flow on the STRM Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Configure NSM Log Export to the STRM Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Configure IC Series Device for Log Forwarding to the STRM Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Send Flow Records to STRM Series from Junos OS Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Troubleshoot STRM Series Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Troubleshooting Coordinated Threat Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

2 Copyright © 2010, Juniper Networks, Inc.


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

Connectivity Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Policies and Roles Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Failure of Logs to Appear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Loss of Signal or Signaling Event Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Appendix A: Layer 2 Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Configure 802.1X on Each Port of the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Configure for Guest VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Enable 802.1X Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Use UAC Manager in Network and Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Enable 802.1X via Network and Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Appendix B: Overlay Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Junos OS Enforcer—SRX Series Services Gateway as an UAC Enforcement Point . . . . . . . . . . . . . . . . . . . . . . . . . 28
About Juniper Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Table of Figures
Figure 1: Verizon data breach statistics, 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Figure 2: Architecture overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Figure 3: Coordinated threat control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Figure 4: Example of STRM Series dashboard view. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Figure 5: Example of offense investigation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Figure 6: Event analysis window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Figure 7: Configure IC Series routing table entry. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Figure 8: NSM console configuration policies display. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Figure 9: New Sensor screen display. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Figure 10: Event Option—any IDP signal screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Figure 11: STRM Series sensor devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Figure 12: Protocol configuration parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Figure 13: Editing a sensor device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Figure 14: Configuring IC Series UAC Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Figure 15: Flow surce configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Figure 16: Device log action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Figure 17: IC Series UAC Appliances device syslog configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Figure 18: Defining the RADIUS server screen. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Figure 19: Screen for configuring 802.1X on each port of the switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Figure 20: Screen for configuring a guest VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Figure 21: Screen enabling 802.1X authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Figure 22: Sample EX Series 802.1X commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Figure 23: Screen used to select ports to enable .1X on device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Copyright © 2010, Juniper Networks, Inc. 3


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

Introduction
The increased velocity of business has forced corporations to face security challenges that years ago were not even
considered. In today’s competitive markets, the desire to be closer to the customer and hire employees to work
outside of headquarters are two major factors for the increase in the number of branch offices worldwide. Because
branch office workers need access to the same set of applications as do headquarters and campus employees, there
is an increased demand on applications and network performance, and most importantly, a greater demand for
enterprise-wide, distributed security.
One of the biggest challenges involves a security issue that has taken center stage and threatens the very existence
of the enterprise. In 2008, the “outside-in” attacks have been eclipsed by the insider threat, both in terms of the
sheer number of incidents and also the associated dollar figure for damage that can result from this type of breach.
The average dollar figure for damage due to an insider attack has grown by over 108 percent in just 12 months (Feb.
2009). Therefore, more than ever, security policies and measures must be enhanced to mitigate insider threats.
Regardless of the motivation behind an employee committing the “insider threat,” the results can be devastating to
the organization, to the shareholders, and to an individual if their credentials are involved in the breach. Attacks occur
quickly and are usually over within hours to days. Unfortunately, the detection of an attack has historically not been
as fast, often taking weeks or even months to detect. This is particularly challenging because the breach has been
committed and the breached data is long gone before the breach is ever discovered and acted upon by the organization.

Years Minutes
Months 0% Minutes Years 0% Hours
7% 11% 2% 3%
Days
14%
Weeks
18%

Weeks
18%

Hours
36%

Days Months
28% 63%

POINT OF ENTRY COPROMISE


TO COMPROMISE TO DISCOVERY
Source: Verizon Business “2008 Data Breach Investigations Report”
Figure 1: Verizon data breach statistics, 2008

Today’s enterprise security is typically designed around a strong perimeter protecting the enterprise from external
attacks. However, enterprises usually overlook the seriousness of internal attacks with minimal, if any protection.
Because these internal attacks are generated from within the trusted walls of the distributed enterprise, it is
no surprise that reputable businesses do not want to advertise these internal breaches to the outside world. A
company’s reputation is at stake. Therefore, most security breaches that news organizations are privy to are external
attacks and not internal ones.

Scope
This paper specifically highlights one of the most important aspects of Juniper Networks® Adaptive Threat
Management Solutions—insider threat protection—and emphasizes implementation around centralized
management and integration among Juniper Networks devices. This paper also explains how enterprise customers
can mitigate insider threats by implementing such products as Juniper Networks SRX Series Services Gateways,
Juniper Networks EX Series Ethernet Switches, Juniper Networks Unified Access Control, Juniper Networks IDP
Series Intrusion Detection and Prevention Appliances, Juniper Networks STRM Series Security Threat Response
Managers, and Juniper Networks Network and Security Manager.

4 Copyright © 2010, Juniper Networks, Inc.


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

Target Audience
• Network security architects
• Security engineers

Design Considerations
This section covers the key design considerations for mitigating insider threats, which is an integral part of Juniper
Networks Adaptive Threat Management Solutions. For further details regarding these solutions, refer to the Adaptive
Threat Management Reference Architecture document.
Most branch offices and campuses connect directly to headquarters through either a private WAN link or through a
VPN over the Internet, or they choose to deploy VPN over a private WAN link. In addition, as more and more branch
offices connect directly to the Internet to leverage fast and inexpensive broadband connections, they demand a
new set of security features that can protect them from internal threats. Note that most employees (workers) who
access their corporate network via the Internet are concentrated within the branch and campus environment. This
is the point at which a corporation must enforce stringent corporate security policies to its trusted users. However,
these trusted users also pose serious threats to their own corporate network due to file sharing, video streaming,
attachments, and so on.
Figure 2 depicts a sample reference network showing Juniper Networks security and access control devices such as:
• Juniper Networks ISG Series Integrated Security Gateways
• SRX Series Services Gateways
• Juniper Networks SSG Series Secure Services Gateways
• EX Series Ethernet Switches
• Juniper Networks IC Series Unified Access Control Appliances
• IDP Series Intrusion Detection and Prevention Appliances
• STRM Series Security Threat Response Managers
• Network and Security Manager
All of these security and access control devices address insider threat mitigation. See Table 1 for requirements and
recommended devices. This sample reference network consists of a small data center that connects to the Internet,
a large campus location, and a branch location.
As illustrated in the figure, a Juniper Networks ISG Series Integrated Security Gateway acts as the firewall protecting
the network perimeter. The IDP Series Intrusion Detection and Prevention Appliance and IC Series Unified Access
Control Appliance sit behind the ISG Series Integrated Security Gateway. The EX Series Ethernet switches sit behind the
IDP Series connecting to the rest of the LAN network. The management tools that connect to the network to monitor
and manage the various devices include the STRM Series and Juniper Networks Network and Security Manager (NSM).
Figure 2 illustrates a process in which a user within the branch office, using his laptop, attempts to log on to his
corporate network via the Internet. The user attempts to access applications that reside in the data center and is
required to log in through the IC Series Unified Access Control Appliances via the UAC Agent (or using UAC’s agentless
mode). However, prior to gaining full access to the desired applications, the user’s security posture is validated against
corporate security policies via the Host Checker, which is built into the UAC Agent (and agentless mode).
The IC Series UAC Appliances, acting as a RADIUS server, perform 802.1X authentication and authorization for
endpoints, using their robust AAA capabilities to interoperate with the organization’s existing AAA appliances and
backend data stores and databases. Layer 2 authentication and enforcement is used to control network access
policies at the edge of the network via an 802.1X-enabled switch or access point such as an EX Series switch,
enabling administrators to enforce an access control policy on a heterogeneous switch and wireless infrastructure.
SRX Series Secure Services Gateways for the branch provide Unified Access Control enforcement by applying
dynamic access control policies at Layer 3 based on user identity, endpoint integrity, and location.
The access control policies are provisioned by the IC Series, which validates user identity, endpoint identity, and
network location, and determines appropriate resource access for the end user. UAC denies users access to the
network until their user credentials and endpoint integrity status have been validated. A user who does not meet
security criteria (as shown in Figure 1) is denied access because his credentials are not valid, or his endpoint health
does not meet the corporation’s required security criteria.

Copyright © 2010, Juniper Networks, Inc. 5


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

REMOTE USER

BRANCH OFFICE CAMPUS

INTERNET EX4200
line
SSG Series/ SRX5600
SRX Series

M Series DATA CENTER


NOC
NSMXpress

ISG Series SA Series

IDP Series IC Series

STRM Series

Figure 2: Architecture overview

Requirements and Recommended Devices


Table 1 lists the requirements and recommended devices that define insider threat protection. To effectively
and efficiently monitor and control threats originating from trusted LAN users, the enterprise needs to provide
preventative and proactive security features such as authorized secure LAN access, traffic inspection, and
coordinated threat control that function throughout the entire distributed enterprise network. In addition, allowing
LAN access devices to integrate with a centralized security management system that provides visibility and control,
such as the STRM Series and NSM, is crucial to the successful mitigation of insider threats. The STRM Series is
explained in detail in the following sections.

Table 1: Requirements and Recommended Devices


REQUIREMENTS RECOMMENDED DEVICES
Authorized LAN access • EX Series Ethernet Switches
• SRX Series Services Gateways
• SSG Series Secure Services Gateways
• IC Series Unified Access Control Appliances
Traffic inspection and coordinated threat control • IDP Series Intrusion Detection and Prevention
Appliances
Centralized security management, visibility, and control • Network and Security Manager
• STRM Series Security Threat Response Managers

6 Copyright © 2010, Juniper Networks, Inc.


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

Juniper’s Solution
Today’s networks need to effectively handle unmanaged devices and branch/guest users attempting network
access, as well as address support for unmanaged devices and a session-specific access control policy for each
user. Juniper Networks Unified Access Control combines user identity and device security state information with
network location to create a unique, session-specific access control policy for each user that is enforced throughout
the network. UAC can be applied at Layer 2 using any vendor’s 802.1X-enabled wireless access points and switches,
including EX Series Ethernet Switches, or at Layer 3 using any Juniper Networks firewall (such as the SSG Series,
SRX Series, or ISG Series gateways), or a combination of both.
Unified Access Control enables businesses to establish and enforce policies that grant users differentiated network
access based on their roles. For instance, full-time employees may have unrestricted access, while partners and
contractors may be able to reach designated servers, and guests may have limited-bandwidth Internet access.
Individual devices can also be scrutinized to ensure compliance with security standards. For example, if a laptop
does not contain the latest antivirus software, the user may be directed to a quarantine VLAN and given the option
to update the computer’s security software or be denied access altogether. The UAC solution delivers rich policy
enforcement capabilities that extend to the network edge. Securing intranet application and resource traffic is vital to
protecting your network from insider threats. Coordinated Threat Control, which integrates an IDP Series appliance
into the UAC solution, adds application security to detect internal threats generated from branch and campus users
who are authenticated through UAC, and works with UAC to identity the threat—enabling a focused, surgical access
control response to mitigate the threat of the specific offending user or device.

Major Components of the Solution


The following comprise additional solution components and how they are implemented.
• UAC (for policy management and enforcement—see Table 2)
• IDP Series Intrusion Detection and Prevention Appliances (for threat detection and prevention)
• STRM Series Security Threat Response Managers (for monitoring)
• Network and Security Manager (for management)
As listed in Table 2, UAC deployment uses the following major components to secure a network and ensure that only
qualified, legitimate end users can access protected resources.

Table 2: UAC Major Components and Description


MAJOR COMPONENTS DESCRIPTION
IC Series Unified Access The appliance is the policy decision point in the network. Centralized policy
Control Appliances management engine is optimized for LAN access control. The appliance uses
authentication information, endpoint posture, and location, combined with policy
rules to determine whether or not to provide access to specific resources on the
network. You can deploy one or more ICs in your network.
UAC enforcement points These are policy enforcement points in the network. For Layer 2 policy
enforcement, UAC works with any vendor’s standards-compliant 802.1X-enabled
wired or wireless switching infrastructure, including the EX Series Ethernet
Switches. Layer 3-7 enforcement is delivered through any Juniper Networks
firewall/VPN platform, including the ISG Series, SSG Series, and SRX Series.
The UAC enforcement points receive policies from UAC and apply those policies
to control endpoint access to resources. You deploy the UAC enforcement points
at the edge (switches/access points) or in front of the servers and resources
that you want to protect (firewalls).
UAC agent or agentless mode The UAC Agent is a client-side component that runs directly on network
endpoints (such as users’ computers) It provides access to the network both
at Layer 2 via 802.1X, as well as acting as a lightweight agent at Layer 3. The
UAC Agent collects user and device credentials, and it assesses the security
state of an endpoint device. Network access control can also be provisioned in
UAC agentless mode for circumstances where downloads of software are not
practical, such as guest access.

Copyright © 2010, Juniper Networks, Inc. 7


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

IC Series Unified Access Control Appliances


Juniper Networks IC Series UAC Appliances are the standards-based, hardened, centralized, highly scalable policy
engine in the UAC solution. They also serve as the interface to existing AAA infrastructure. The IC Series pushes the
UAC Agent (or via UAC agentless mode) to gather user credentials, endpoint security state, and location. After user
credentials are validated and device security state established, the IC Series dynamically implements the appropriate
access policy for each user per session—pushing that policy to enforcement points such as the EX Series switches,
other IEEE 802.1X–compatible switches and wireless access points, and Juniper Networks firewalls throughout the
network. The standards-based IC Series adopts the Trusted Network Connect (TNC) standard specification, Interface
for Metadata Access Point (IF-MAP)—it can serve as a MAP server, gathering session and security metadata from
third-party network devices and appliances, and using the collected data when determining user and device access
policies and rights.

EX Series Ethernet Switches


EX Series switches are designed to address unique business requirements and create a secure, reliable network that
is ideal for today’s converged network deployments. The latest UAC enforcement points are the EX Series Ethernet
Switches. These include EX3200 line of fixed-configuration Ethernet switches and EX4200 Switches with Virtual
Chassis technology. Both the EX3200 line and the EX4200 line deliver scalable, high-performance Layer 2/Layer 3
Ethernet connectivity solutions in the data center, campus, and branch office environments. The EX Series switches
serve as enforcement points within the UAC environment, using the 802.1X standard to perform port-level access
control and Layer 2 through Layer 4 policy enforcement.

Firewalls
Juniper Networks firewalls—including the SRX Series Services Gateways, ISG Series Integrated Security Gateways,
and SSG Series Secure Services Gateways—deliver high-performance network security to protect all types of
enterprises and networks from unauthorized access as well as from network and application-level attacks. The
enforcement of Juniper’s firewall capabilities can be dynamically changed according to user, role, location, and
endpoint information. SRX Series for the branch and the SSG Series support a complete set of optional unified threat
management (UTM) features such as intrusion prevention system (IPS), antivirus (anti-spyware, anti-phishing, anti-
adware), anti-spam, and Web filtering to protect against a wide range of content-borne threats such as:
• Worms and viruses
• Trojans, spyware. adware, and keyloggers
• Malware
• Phishing attacks
• Day zero threats
The SRX Series for the branch and SSG Series platforms, together with Juniper Networks Unified Access Control,
can apply these UTM features on a per-user/per-session basis to unify the application of access and security policies
for comprehensive network access and threat control.

Intrusion Prevention System


Juniper Networks IDP Series Intrusion Detection and Prevention Appliances provide inline protection against
current and emerging threats at both the application and network layers. The IDP Series resides in your network and
monitors traffic from endpoints that are authenticated and authorized by UAC. You can position the IDP Series inline,
or you can configure the IDP Series in sniffer mode.
The IDP Series protects against attacks from user to application (some forms of protection depend on the specific
configuration), and detects and blocks the following:
• Most network worms based on software vulnerabilities
• Non-file-based trojans
• Application exploits
• Zero-day attacks via anomaly detection

8 Copyright © 2010, Juniper Networks, Inc.


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

STRM
Juniper Networks STRM Series Security Threat Response Managers are a network security management platform
that provides situational awareness and compliance support through the combination of flow-based network
knowledge, security event correlation, and asset-based vulnerability assessment.
STRM Series appliances are designed to respond to the right threats at the right time through effective analysis
of networks, events, and audit log files. The STRM Series has the ability to identify environmental anomalies in
the network, an attack path, and the source of a threat. The STRM Series provides network remediation for threat
responses across all security products.
STRM Series appliances use two drivers, Security Information Management (SIM) and Security Event Management
(SEM), for security analysis of external and internal threats. SIM provides reporting and analysis of data from
host systems, applications, and security devices to support security policy compliance management, internal
threat management, and regulatory compliance initiatives. SEM improves security incident response capabilities
by processing data from security devices and network devices, helping network administrators provide effective
responses to external and internal threats.

Network and Security Manager


Juniper Networks Network and Security Manager provides centralized management of Juniper Networks firewall/
IPsec VPN and IDP Series devices.
NMS’s architecture is composed of a device server, a GUI server, and a UI. To maintain flexibility and performance,
the device driver handles all device interaction and log storage, while all configuration information is placed on
the GUI server. Both device and GUI components can reside on the same server where cost and/or simplicity are
the primary requirements, or reside on separate servers where performance and deployment flexibility are more
important. Independent of the chosen deployment of the device and GUI servers, the UI provides a single point of
access for the administrator to all of the information and capabilities of the system.
Juniper Networks NSM Central Manager can manage up to 10 regional NSM servers and solves scalability problems
by allowing for management of up to 6,000 routers, 3,000 switches, 6,000 firewall/VPN devices, or 2,000 firewall/
VPN devices with 100 IDP Series appliances per regional server. Juniper Networks NSMXpress manages up to 100
routers, 150 switches, and 500 firewall/VPN devices. Together, these provide an overall solution to scale for large
enterprise and service provider environments.

Challenges and Solutions


Table 3 lists and defines access control solutions.

Table 3: Access Control Solutions


CHALLENGES ACCESS CONTROL SOLUTIONS
Network and content Protection from unauthorized users, malware, applications, and devices
protection significantly reduces the costs associated with viruses, trojans, and malware
by automating assessment and remediation of both managed and unmanaged
endpoint devices and by limiting network resource access to job-related activities.
Secure guest access Benefits include saving on CapEx, avoiding additional OpEx, and creating a
convenience for network guests by allowing them network access without
adding risk to your network environment. Guests can include partners,
contractors, customers, and others. Each group receives appropriate,
authorized, and differentiated role-based network access.
Compliance User and application visibility and control are enabled—plus the capability to
report on user access associated with network traffic, and the ability to ensure
that only authorized users can access specific network segments, applications,
and data—as well as to ensure adherence to a security policy baseline,in order
to comply with a broad range of regulations and standards.
Application and role access Corporate productivity and competitiveness are increased while managing risk by
supporting employees, outsource workers, contractors, and partners by allowing
only job-required, role-based, network, and application resource access.

Copyright © 2010, Juniper Networks, Inc. 9


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

CHALLENGES ACCESS CONTROL SOLUTIONS


Comprehensive visibility Network-wide visibility and monitoring of users and devices attempting network
and control and application access enable enterprises to know when a user accesses the
network, whether the user is compliant, what application the user used, and
when the user used the application—all information that is required to meet
compliance and standards requirements.
Identity-based QoS Differentiated application priorities are provided in accordance with users’
corporate responsibilities. For example, limit guest bandwidth and offer higher
priority to real-time applications on any switch port to which a user connects.
Alarm IT and stop applications that use more than normal bandwidth, such as
IP phones and softphones violating normal use patterns, which could be an
early warning of a spoofed network device.
Mitigating insider threats Fraudulent activities originating from the trusted users in the distributed
enterprise environment can be identified and mitigated in real time.

Traffic Inspection and Coordinated Threat Control


Continuous traffic inspection allows a network administrator to identify attacks, such as those infecting critical
resources or inserting worms or harmful traffic into the network. Integrating various security and network devices (to
take preventive action when a threat is identified) is critical in preventing any attack from succeeding. This also allows
you to provision the security device either manually or automatically to respond to any potential future threats.
• The traffic from authenticated LAN users of network resources is inspected using the IDP Series. IDP Series
Intrusion Detection and Prevention Appliances use multiple methods to identify malicious traffic. The IDP Series
can be installed in sniffer mode to detect the attacks or in inline mode not only to detect but also to prevent
attacks. Network administrators can use the system in sniffer mode for fine-tuning the security policy and then
deploy it in inline mode to prevent threats.
• IDP Series devices provide a coordinated threat control mechanism by communicating with IC Series UAC
Appliances using adaptive threat messages when any threat is detected from trusted LAN users. The IC Series
can be configured to take adaptive action, such as quarantine the user or drop a connection, in order to restrict
user access to resources and proactively defend the network from any potential threat. This adaptive action
is enforced either on the access device (802.1X-enabled switch or access point, including EX Series switches)
or the overlay enforcement device (ISG Series/SSG Series/SRX Series firewall). Figure 3 illustrates Juniper’s
coordinated threat control mechanism. You can secure remote access using coordinated threat control with
Juniper’s secure access appliance.

CAMPUS HQ
WIRED/WIRELESS
IC Series DATA CENTER
Application

IDP Series

INTERNET
EX Series
Wireless L2
Access Switch
Point

User

Figure 3: Coordinated threat control

10 Copyright © 2010, Juniper Networks, Inc.


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

Centralized Security Management, Visibility, and Control


Network access control (NAC) solution components should integrate with the enterprise’s centralized security
management solution. A critical requirement of any security solution that spans the entire enterprise is that it must
provide a network-wide perspective of all security events occurring across all locations at any time. Moreover, all
aspects of the solution should be managed centrally, and events/logs from multiple devices in the path of traffic
(switches, routers, firewalls, intrusion prevention systems), should be managed and correlated to gain a realistic
perspective of security attacks. Further, saving the events/logs for forensic analysis is also a critical requirement.
• Juniper Networks Network and Security Manager provides a centralized configuration management and
policy deployment capability. NSM can be used to collect logs from security devices and forward them to the
STRM Series.
• Juniper Networks STRM Series Security Threat Response Managers integrate and correlate logs from all
network and security devices for centralized monitoring and reporting.
• Events can be correlated in real time, thus detecting fraudulent user activity early in the process.
• Based on the event and flow information, patterns can be generated to form baselines, and alarms can be
triggered based on anomalies and deviations.
• Profiling can be conducted.

Network and Security Devices Generating Events/Logs


Table 4 lists the network and security devices that generate/trigger events and logs. This table also provides
a summary of how the STRM Series integrates and correlates events and traffic log information to provide a
comprehensive report of network threats and vulnerabilities. For a visual perspective of STRM Series capabilities,
see the screen graphics that illustrate the STRM Series dashboard. This dashboard view allows a network
administrator to easily see the current health of the network and in particular, provides periodic reports for baseline
and trend analysis.

Table 4: Network and Security Devices, Logs, and Results


NETWORK AND SECURITY DEVICES LOG FORWARDING TYPES RESULTS
IC Series UAC Appliances WebTrends Enhanced Log File Username, login time, mapped
(WELF) logs role, role change due to adaptive
threat management.
ISG Series, SSG Series, SRX Series, Logs are forwarded to the STRM These logs provide information
IDP Series Series via NSM. Forwarding logs about malicious traffic, threats
via NSM reduces CPU utilization like exploits, worms, viruses,
on security devices. reconnaissance attacks, and
Types of events/logs to report: unauthorized access attempts.
• Screen alarm log
• Traffic log
• Deep Inspection alarm log
EX Series, Juniper Networks J Series • sFlow Provides traffic details for
Services Routers, Juniper Networks M • J-Flow correlation with network attack
Series Multiservice Edge Routers • Event logs and threat status.

Secure Threat Response Manager Operational Guidelines


STRM Series Security Threat Response Managers have a rich graphical user interface that provides a snapshot
of the day-to-day operations giving insight into the current health of the network. The integration of remote
access protection, an essential component of Juniper Networks Adaptive Threat Management Solutions, provides
centralized control for automated day-to-day operations. Explained and illustrated in the following sections are some
of the most important operational tasks that a network administrator should perform to ensure security across his
or her enterprise network.

Copyright © 2010, Juniper Networks, Inc. 11


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

Monitoring the Dashboard


The dashboard allows you to monitor your overall network behavior, security and vulnerability posture, top targeted
assets, top attackers, and worst and most recent security offenses—all from one window. Figure 4 is a snapshot of
the STRM Series dashboard.

Figure 4: Example of STRM Series dashboard view

Enterprise Security State


The Enterprise Security State represents your network’s current security posture. The security state is formulated
from monitoring the security data from flows, external events, and security data to create a single metric that reveals
the security health of your network.

Enterprise Vulnerability State


The Enterprise Vulnerability State represents the network’s current vulnerability posture. The vulnerability
state is formulated from monitoring all vulnerability data across the entire network to create a single “current
vulnerability” metric.

Most Severe and Most Recent Offenses


The most recent and severe offenses are identified and classed with a magnitude bar to inform you of the importance
of the offense. Point your mouse to the IP address to view detailed information for the particular IP address.

Top Attackers and Targets


The Attackers and Targets option displays the top five attackers or top five local targets. Each target is identified with
a magnitude bar to inform you of the importance of the target. Point your mouse to the IP address to view detailed
information for a particular IP address.

Offense Investigation
The STRM Series enables an administrator to investigate potential threats and attacks by allowing you to save an
attack report and then perform a quarantine/analysis investigation.
The STRM Series allows you to investigate any reported offense with necessary data from all security devices for
forensic analysis. Following are the two steps for offense investigation.

12 Copyright © 2010, Juniper Networks, Inc.


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

From the most Recent Offenses or from the Offense Manager tab, double-click the offense to access a more detailed
report. The following is a sample of the offense report (Offense 3) for reference. The offense report provides a
summary of such information as attacker source, attacker location, attack target, magnitude of the attack, and
primary events. Figure 5 shows an example of offense investigation.

Figure 5: Example of offense investigation

The report also provides drill-down capability for forensic analysis of the offense. For further analysis, click the
Events icon and open an event detail screen to analyze relevant events reported from all security devices. You can
further customize the search using different filters and time intervals. Figure 6 shows an example of event analysis.

Figure 6: Event analysis window

Copyright © 2010, Juniper Networks, Inc. 13


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

Implementation Guidelines
This section enables solution implementation by describing device configuration of all associated network
components and then showing readers how to verify operation of the solution. This section specifically focuses on
coordinated threat control configuration and troubleshooting practices. See Appendix A for configuration instructions
for providing Layer 2 enforcement using the EX Series Ethernet Switches; see Appendix B for configuration steps for
the IC Series and SRX Series in order to create overlay enforcement.

Coordinated Threat Control Configuration


This section covers configuring the IDP Series and IC Series devices. Configuration is broken down into the following
major steps:
• Create a onetime password
• Create a route to the IC Series device
• Configure the IDP policies for event logging
• Configure IDP sensor on the IC Series device
• Configure a remediation role for restricted access
• Configure the sensor event policy
• Enable the IDP Series and IC Series connection

Create a Onetime Password on the IDP Series Device


The following steps help you to create a onetime password on the IDP Series device:
1. Launch the IDP Application Configuration Manager (ACM) and in the ACM menu. Choose Reconfigure
Management Server and IDP Instant Virtual Extranet (IVE) Communication.
2. To generate a onetime password, check the Reset IVE OTP? check box and click Next Step.
The new IVE OTP displays at the top of the Final Configuration page and will be activated once the administrator
confirms and applies the changes. For details, refer to the Intrusion Detection and Prevention Administration Guide
Version 4.2r2/4.1r3 at https://softserv.juniper.net/download/4.2---05292008/IDP/

Configure a Route to the IC Series Device


The connection from the IDP Series to the IC Series device uses port 7103 and the inside address of the IC Series
device. Configure a route to the IC Series inside address. The port configuration is within the IC Series configuration.
See Figure 7.

14 Copyright © 2010, Juniper Networks, Inc.


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

Figure 7: Configure IC Series routing table entry

Configure the IDP Series Policies for Event Logging


As an example, Figure 8 shows configuration policies, their level of severity, and the logging that displays on the
Network and Security Manager console.

Figure 8: NSM console configuration policies display

Copyright © 2010, Juniper Networks, Inc. 15


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

Configure IDP Sensor on the IC Series Device


To configure the sensor on the IC Series UAC Appliances, do the following:
1. Select Configure>Sensors.
2. Insert the onetime password (configured in Step 1) into the IC Series configuration. In addition, configure the
name and IP address of the IDP Series device. The port used for communication is 7103. This will have to be
opened in firewalls that are in the path of the IC Series to IDP Series communication.
3. Configure the addresses or address range that the remote clients will use and the address of the IC Series
device. These addresses are the only addresses that the IDP Series device will use to send a signal to the IC
Series device once an attack is triggered by an IDP Series policy.
The severity filter determines a threshold of the signal’s severity that will be sent to the IC Series device. If medium
severity is configured, then all attacks of medium severity and higher are communicated to the IC Series device. You
can set the severity level to high, medium, or low. Figure 9 shows an example of a New Sensor screen.

Figure 9: New Sensor screen display

Configure a Remediation Role for Restricted Access


Other than the usable “roles” that have resources assigned to them, create an additional “role” on the IC Series
device that has no resources assigned to it. This will be the “remediation role” to which the IDP Series device triggers
the IC Series device to switch when it signals to the IC Series device that an attack has occurred. As shown in Figure
10, once triggered, the IC Series device changes the current user and its original role to the remediation. You can
accomplish this by selecting the Replace user’s role with this one option, as shown in Figure 10.

16 Copyright © 2010, Juniper Networks, Inc.


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

Configure the Sensor Event Policy


When performing this task, refer to Figure 10.
1. The Event option can be configured to switch or quarantine roles based on a specific sensor signal or event.
Juniper Networks recommends that administrators use the default any event and an appropriate severity filter
at least in the initial setup, as shown in the following figure.

Figure 10: Event Option—any IDP signal screen

2. Initially configure the count to 1. This invokes the role switching with one event. This can be modified once a
base has been configured and coordinated threat control has been operating for a period of time.
3. Configure the signal to replace the role for this session only. This assumes that the quarantine action will be
caught and investigated. If the event indeed occurred, the enterprise network has been protected. If the event
was benign and becomes a simple matter of educating the user, then this configuration will not prevent the user
from trying to access the network in the future.
4. Apply the rule to all appropriate roles (typically all roles).

Enable the IDP Series and IC Series Connection


After completing IC Series and the IDP Series configurations, return to the IC Series Sensor Configuration screen
and enable the IDP Series and IC Series device connection.

Copyright © 2010, Juniper Networks, Inc. 17


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

Network and Security Device Integration with STRM Series


Another important task is to integrate events and flow information with the STRM Series for centralized monitoring
and reporting. Following are the major steps to attain integration.
• Adding sensor devices on the STRM Series
• Adding flow sources on the STRM Series
• Configuring NSM for log forwarding to the STRM Series
• Configuring IC Series device for log forwarding to the STRM Series
• Configuring Juniper Networks Junos® operating system for sending flow records to the STRM Series
Add Sensor Devices on the STRM Series
1. At the Administration Console, select CONFIG>SIM Configuration>Sensor Device.
2. Click Add. The following screen displays.

Figure 11: STRM Series sensor devices

Figure 12 illustrates a Network and Security Manager sample configuration. NSM is a predefined Device Support
Module (DSM), which means that the STRM Series will recognize the log formats that are sent.

Note: NSM is also given a credibility of 5. This number is a confidence level used to refine and consolidate the log
messages from all devices and sensors. The default is 5; the range is 1 through 10.

Figure 12: Protocol configuration parameters

Click Configure>SIM Configuration>Protocol Configuration to display the Network and Security Manager
configuration window. This configuration defines ports and the IP addresses that the STRM Series expects as source
addresses for this sensor’s log events (see Figure 13). The IP address matches the additional configuration under
sensors.
Figure 13 illustrates a Network and Security Manager sensor configuration example. The Sensor Device Type—
Network and Security Manager is predefined. The Credibility factor ranges from 1 to 10.

18 Copyright © 2010, Juniper Networks, Inc.


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

Figure 13: Editing a sensor device

The IC Series sensor configuration is similar to the NSM configuration. When adding a device from the Sensor menu,
there is a predefined IC Series appliance. Its protocol and thus its fields are prescribed by the syslog specification.
Log events have a credibility of 5.

Figure 14: Configuring IC Series UAC Appliances

Copyright © 2010, Juniper Networks, Inc. 19


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

Configure J-Flow on the STRM Series


You can configure flow collectors (J-Flow) from the Administrator Console. The configurations for Juniper Networks
routers display on two configuration screens. The flow sources are used to designate that this flow collector is
J-Flow, and shows the interface on which the STRM Series depends on to get flow reports and the UDP port that is
used in the messages.
Basically, Flow Source defines the flow type. In Juniper Networks Adaptive Threat Management Solutions, J-Flow
generated from Juniper Networks routers is being used. Flow Source Alias cross-references an IP address to the
Flow Source. Figure 15 illustrates a flow source configuration screen example.

Figure 15: Flow surce configuration

Configure NSM Log Export to the STRM Series


From the Action Manager, select the NSM configuration. Configure the address of the syslog server (STRM Series)
and the logging facility desired. Device log action defines the attack on a granular level and the severity that is
reported in syslog.

Figure 16: Device log action

20 Copyright © 2010, Juniper Networks, Inc.


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

Configure IC Series Device for Log Forwarding to the STRM Series


To access the IC Series device’s syslog configuration, do the following:
1. Select Log>Monitoring>Events>Settings.
The syslog server configuration is located at the bottom of the screen, as shown in Figure 17. The configurable
parameters include the IP address of the STRM Series, the syslog facility setting, and the filter that allows the user
to set customizable messages.

Figure 17: IC Series UAC Appliances device syslog configuration

Send Flow Records to STRM Series from Junos OS Routers


The Junos OS configuration for J-Flow is as follows:

forwarding-options {
sampling {
input {
family inet {
rate 1;
run-length 1;
}
}
output {
cflowd 1.4.39.11 {
port 9995;
source-address 1.4.39.1;
version 5;

services {
flow-monitoring;

Troubleshoot STRM Series Connection


Similar to coordinated threat control, STRM Series connectivity is one of the primary reasons for errors. The
following tools—ping, traceroute, tcpdump and packet analyzing—are available for troubleshooting connectivity.

root@STRM /# tcpdump –s 0 –i <interface> host <dsm_ip> -w <filename>

Copyright © 2010, Juniper Networks, Inc. 21


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

The second critical reason for errors is the variance in ports used by various devices. Most devices use syslog
(514/tcp/udp). Naturally the ports and flows between the sensors and flow collectors must be opened by firewalls.
Confirm this in the firewall policies.

Troubleshooting Coordinated Threat Control


The majority of problems that occur while configuring CTS typically fall into three categories:
• Connectivity
• Policies and roles mapping
• Failure of logs to appear

Connectivity Issues
There are many tools for connectivity problems as one would expect from any sophisticated networking device—
pinging, traceroute, and packet tracing (using ethereal freeware on PCs and laptops, using tcpdump on IC Series and
IDP Series devices). All of these are available in one command form or another on Juniper Networks devices.

user@host> show services unified-access-control status


Host Address Port Interface State
dev106vm26 10.64.11.106 11123 ge-0/0/0.0 connected
dev107vm26 10.64.11.106 11123 ge-0/0/0.0 closed

The previous command displays the status of the connection between the SRX Series and the IC Series device, as
well as statistics to help debug connections to the IC Series device.

Policies and Roles Mapping


Initially, when a new role or resource access policy is defined on the UAC enforcement point, these commands will
be useful to understand which role has access to which resource and to verify that the Junos OS enforcer is actually
receiving the appropriate access policies for the roles defined.

root@J4350-C> show services unified-access-control authentication-table


Id Source IP Username Age Role identifier
15 10.16.2.9 localbob 0 0000000001.000005.0
Total: 1

The previous command displays a summary of the authentication table entries configured from the IC Series
appliance. Authentication tables store mappings between Junos OS traffic flows and UAC roles. The IC Series uses
the roles specified in the mappings to help determine the UAC policies to apply to the Junos OS flows.
The following command displays a summary of all UAC policies defined in the IC Series for this enforcer.

root@J4350-C> show services unified-access-control policies in detail.


Identifier: 1
Resource: 172.16.104.0/24:*
Action: allow
Apply: selected
Role identifier Role name
0000000001.000005.0 Users
Identifier: 2
Resource: *:*
Action: deny
Apply: all
Total: 2

22 Copyright © 2010, Juniper Networks, Inc.


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

The following command displays a summary of the authentication table entries configured from the IC Series
appliance. Authentication tables store mappings between Junos OS traffic flows and UAC roles.

user@host> show services unified-access-control authentication-table detail


Identifier: 1
authentication-table Source IP: 10.16.2.9
detail Username: localbob
Age: 0
Role identifier Role name
0000000001.000005.0 Users

Failure of Logs to Appear


Logs may not appear for several reasons due to the coordinated threat control mechanism malfunctioning. One may
find that the IDP Series device has not signaled as expected, or that it signaled but the IC Series device either did not
receive the signal or it did not switch users.

Loss of Signal or Signaling Event Steps


1. Confirm the connectivity between the IDP Series and IC Series devices (see the previous paragraph for tools).
2. With the Network and Security Manager, confirm that the attacks are configured in the IDP Series policies. Make
sure that the policy or policies contain the attacks that the enterprise wants to monitor.
3. Confirm that logging is enabled on the IDP Series policy. It is the trigger for the IDP Series to the IC Series
signaling.
4. Confirm that the proper addresses are configured on the IDP Series device. See the first IC Series configuring a
new sensor where “Addresses to be monitored” addresses are configured. The IDP Series will only signal on the
addresses that are configured in this screen (Configuration>Sensors).
Check the configured severity level (Configuration>Sensor>Sensor Events). Make certain that the severity level
encompasses the severity of the signal that is configured in the policy.

Summary
To effectively protect today’s enterprise, network administrators, IT managers, and network security specialists
must have insight into the multiple types and levels of evolving threats that impact the integral elements of
their networks—including perimeter, critical resources, and remote access. Juniper Networks Adaptive Threat
Management Solutions are dynamic and high-performance security solutions that adapt to changing risks. By
leveraging a cooperative system of tightly integrated security products, these solutions provide network-wide
visibility and control that adapt and secure the network against constantly evolving threats. By providing centralized
security management and enterprise-wide visibility and control with multi-layered security, these industry-leading
security solutions enable network administrators to protect their perimeter, critical resources, and remote access
by users and devices to prevent threats from compromising their organization’s revenue, reputation, and intellectual
property.
Insider threat protection is a critical part of Juniper Networks Adaptive Threat Management Solutions—enabling
enterprises to solve major security issues such as securing and authorizing LAN access, inspecting malicious traffic,
and protecting the enterprise from insider attacks. This solution leverages features built into Juniper Networks
products such as L3-7 access control and UTM on firewalls, intrusion prevention, and coordinated threat control
capabilities of the UAC solution and IDP Series, in addition to the centralized security management capabilities of
NSM and the STRM Series—all working together to provide network-wide protection. The implementation steps
described in this paper provide a highly adaptive solution that enables network and security administrators to truly
implement high-performance, comprehensive threat protection across their distributed enterprise.

Copyright © 2010, Juniper Networks, Inc. 23


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

Appendix A: Layer 2 Enforcement


This section provides configuration instructions for providing Layer 2 enforcement using EX Series Ethernet Switches.
Juniper Networks Unified Access Control in combination with EX Series Ethernet Switches delivers a comprehensive
802.1X standards-based network access control solution that:
• Provides rich policy enforcement capabilities to protect the network from unauthenticated access, attacks, and
security breaches
• Uses the 802.1X standard to enforce port-level admission control
• Provides Layer 2-4 policy enforcement for more granular entitlement and network admission control
• Enforces user-based QoS policies that enable data, voice, and video traffic to be prioritized
• Mirrors user traffic to a central location for logging, monitoring, or threat detection by IPS products such as the
IDP Series platforms
• Works with IDP Series platforms to isolate, identify, and report threats down to the user or device level, applying
a suitable policy action against threatening users and/or devices (coordinated threat control)
• Delivers the benefits of a single vendor, including easier deployment and centralized support
To provide Layer 2 enforcement, you need to perform the following on the EX Series switches:
• Define the RADIUS server
• Configure 802.1X on each port of the switch
• Configure for guest VLAN
• Enable 802.1X authentication.
The following graphics represent screens displays from the Juniper Networks J-Web Software interface on the EX
Series switches.
• Define the RADIUS Server
Figure 18 illustrates how to define the RADIUS server.

Figure 18: Defining the RADIUS server screen

24 Copyright © 2010, Juniper Networks, Inc.


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

Configure 802.1X on Each Port of the Switch


Figure 19 illustrates how to configure 802.1X on each port on the switch.

Figure 19: Screen for configuring 802.1X on each port of the switch

Configure for Guest VLAN


Figure 20 illustrates how to configure a guest VLAN.

Figure 20: Screen for configuring a guest VLAN

Copyright © 2010, Juniper Networks, Inc. 25


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

Enable 802.1X Authentication


Figure 21 illustrates how to enable 802.1X authentication.

Figure 21: Screen enabling 802.1X authentication

Examples
Figure 21 illustrates a graphical example of EX 802.1X commands.

Figure 22: Sample EX Series 802.1X commands

26 Copyright © 2010, Juniper Networks, Inc.


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

Use UAC Manager in Network and Security Manager


The UAC Manager is a top-level module on the NSM Configure panel. The UAC Manager enables you to create and
view associations between IC Series UAC Appliances and UAC enforcement points in a network. You can choose
between IC Series views and enforcement point views. The IC Series view provides a list of enforcement points
associated with the IC Series and their location groups. You can associate or disassociate enforcement points from
a particular IC Series appliance. The Enforcement Point view provides a list of associated IC Series appliances and
their port details. You can use this feature to resolve configuration conflicts, and to enable or disable 802.1X ports on
enforcement points.

Figure 23: Screen used to select ports to enable .1X on device

Enable 802.1X via Network and Security Manager


With NSM you can do the following:
• Manage the Juniper enforcement point (EX Series switches and/or any Juniper firewall platform) and IDP Series
Intrusion Detection and Prevention Appliances
• Administer the complete Unified Access Control solution from a single management interface.
For example, the above figure shows the UAC Manager screen display in the NSM configure section.
To enable .1X ports on the enforcement points, perform the following steps:
1. In the NSM navigation tree, select UAC Manager > Enforcement Point. The Enforcement Point workspace
appears. The IC Series associated with an enforcement point and the .1X ports enabled for the enforcement
point display in the workspace.
2. Select the EX Series switch in which you need to enable .1X ports.
3. Click the Enable .1X on Port(s) button.
The Select ports to enable .1X dialog box displays a list of ports on which .1X can be enabled.
4. Select one or more ports from the list, and select one of the following supplicant modes:
-- Single secure—A single dedicated host is authenticated.
-- Multiple—Multiple hosts are individually authenticated.
-- Single—Only the first host is authenticated. All remaining hosts use the same authentication made by the
first host.

Copyright © 2010, Juniper Networks, Inc. 27


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

5. Select Enable re-authentication to allow re-authentication in case of authentication failures.


6. Specify the action to be taken in case of authentication failure:
-- Deny access—Denies access to the client.
-- Move to VLAN—Moves the client to VLANs available in the switch.
7. Select Run Update Device task to apply the device configuration.
8. Select Run Summarize Delta Config task to view the difference in the configuration.
9. Click OK to enable the .1X ports on the enforcement points.

Appendix B: Overlay Enforcement


This section covers the configuration of the IC Series and SRX Series in order to create overlay enforcement.

Junos OS Enforcer—SRX Series Services Gateway as an UAC Enforcement Point


An SRX Series services gateway can act as a UAC enforcement point in a UAC solution. Specifically, it acts as a Layer
3-4 enforcement point, controlling access by using IP-based policies pushed down from the UAC. When deployed as
part of a UAC solution, an SRX Series device is called a Junos OS Enforcer.
The infranet-controller, as listed in the following lines of code, refers to the IC Series Unified Access Control appliance.
To configure an SRX Series device to act as a Junos OS Enforcer, do the following:
Define the IC Series to which the SRX Series should connect:
1. Specify the IC Series host name.

edit services unified-access-control infranet-controller hostname

2. Specify the IC Series IP address.

edit services unified-access-control infranet-controller hostname address


ip-address

Specify the Junos OS interface to which the IC Series device should connect.

edit services unified-access-control infranet-controller hostname interface interface-name.

3. Specify the password that the SRX Series device should use to initiate secure communications with the
IC Series device.

edit services unified-access-control infranet-controller hostname password password

The following shows the complete syntax.

Syntax infranet-controller hostname {


address ip-address;
port port-number;
interface interface-name;
password password;
ca-profile ca-profile;
server-certificate-subject subject;
}
Hierarchy Level [edit services unified-access-control ]
Release Information Statement introduced in Release 9.4 of Junos OS

28 Copyright © 2010, Juniper Networks, Inc.


IMPLEMENTATION GUIDE - Secure Network Access Across the Distributed Enterprise

About Juniper Networks


Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network
infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and
applications over a single network. This fuels high-performance businesses. Additional information can be found at
www.juniper.net.

Corporate and Sales Headquarters APAC Headquarters EMEA Headquarters To purchase Juniper Networks solutions,
Juniper Networks, Inc. Juniper Networks (Hong Kong) Juniper Networks Ireland please contact your Juniper Networks
1194 North Mathilda Avenue 26/F, Cityplaza One Airside Business Park representative at 1-866-298-6428 or
Sunnyvale, CA 94089 USA 1111 King’s Road Swords, County Dublin, Ireland
authorized reseller.
Phone: 888.JUNIPER (888.586.4737) Taikoo Shing, Hong Kong Phone: 35.31.8903.600
or 408.745.2000 Phone: 852.2332.3636 EMEA Sales: 00800.4586.4737
Fax: 408.745.2100 Fax: 852.2574.7803 Fax: 35.31.8903.601
www.juniper.net

Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos,
NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries.
All other trademarks, service marks, registered marks, or registered service marks are the property of their respective
owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves
the right to change, modify, transfer, or otherwise revise this publication without notice.

8010031-002-EN Oct 2010 Printed on recycled paper

29