
Module 05: Securing the Network

Evolution of Network Security

In the past, networks had defined boundaries. All devices on the network were considered to be ‘managed’. Bring your own device (BYOD) was not considered an option.

Modern networks account for unmanaged devices and remote users accessing the network via a VPN. Virtual machines and USB sticks are two new attack vectors which are hard to combat.

Assessing Security in Network Design

In the high level process ‘assess, requirements, scope, data analysis’, security should be considered even in the ‘assess’ stage.

The requirements include a security plan, a security policy, buy-in from the users of the network, and training. The scope includes customer assets, and the customers accessing the network. The data analysis stage will include detail on the security requirements, and the security risks and tradeoffs.

Juniper-sponsored report: Efficacy of Emerging Network Security Technologies.

The Evolution of the Firewall

A traditional firewall protects the network at Layer 3, using static rules. It is not aware of sessions (Layer 5). A next generation firewall (NGFW) is aware of sessions and applications (Layers 5-7), but its rules are still static in nature. Customers are now demanding intelligent firewalls, which can implement the same rules as NGFWs, but whose rules are dynamic and evolve with evolving security threats.

Juniper Products

SRX Series Devices

Juniper SRX series devices combine traditional, NGFW and intelligence features.

Junos Space Security Director

Next generation network administration platform. Provides an overview of next generation networks to the administrator.

Junos Space Applications

Note that most of these features require additional licensing to operate.

Sky ATP

Juniper’s cloud service to inspect and report on malware. ATP uses sandboxing, machine learning and analysis to safely detect threats. ATP integrates with the SRX line of products to detect and prevent threats on the network.

ATP tricks the malware, running in the sandbox, into identifying itself and raising confidence in the identification. Actionable intelligence is pushed to the SRX devices so that customers can implement their own quarantine policies when infected clients are detected.

Policy Enforcer for Threat Remediation (Example)

For example, malware enters the network from an infected endpoint. The SRX forwards this malware to ATP. ATP delivers its verdict and communicates it to Policy Enforcer. Policy Enforcer applies configuration changes to block the infected device from the network, both at the SRX device and by MAC address at the local access switch. The end device is quarantined and unable to spread the malware further through the network.
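The remediation flow above, modelled as a small simulation (added here as an illustration; it is not Juniper's Policy Enforcer code and uses no Junos or Sky ATP API). The threat-score scale, the block threshold and the endpoint data are assumptions; the point is that a single verdict drives two enforcement points (IP block at the SRX, MAC block at the access switch) and that re-delivered verdicts do not generate duplicate changes.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample data: the infected endpoint as seen by the SRX (IP)
# and by the access switch (MAC). The MAC may be unknown, e.g. for a host
# behind a router the switch has no binding for.
@dataclass(frozen=True)
class Endpoint:
    ip: str
    mac: Optional[str]

# Constructed verdict: what the sandbox reports back for a forwarded sample.
@dataclass(frozen=True)
class Verdict:
    sample_hash: str   # placeholder hash of the forwarded file
    score: int         # assumed 0-10 threat score
    malicious: bool

Action = Tuple[str, str, str]  # (enforcement point, action, target)

@dataclass
class PolicyEnforcer:
    """Simulated Policy Enforcer: turns a verdict into quarantine actions."""
    block_threshold: int = 7           # assumed customer quarantine policy
    quarantined: Set[str] = field(default_factory=set)

    def remediate(self, endpoint: Endpoint, verdict: Verdict) -> List[Action]:
        actions: List[Action] = []
        # Only verdicts that are malicious AND above the policy threshold
        # trigger quarantine; low-confidence hits are left to the SRX policy.
        if not verdict.malicious or verdict.score < self.block_threshold:
            return actions
        # Idempotent: a second verdict for an already-quarantined host
        # must not push duplicate configuration changes.
        if endpoint.ip in self.quarantined:
            return actions
        # Enforcement point 1: the SRX blocks the infected host by IP.
        actions.append(("srx", "block-ip", endpoint.ip))
        # Enforcement point 2: the local access switch blocks by MAC,
        # so the host cannot reach peers on its own segment either.
        if endpoint.mac:
            actions.append(("switch", "block-mac", endpoint.mac))
        self.quarantined.add(endpoint.ip)
        return actions

if __name__ == "__main__":
    pe = PolicyEnforcer()
    host = Endpoint(ip="10.10.5.23", mac="00:11:22:33:44:55")
    print(pe.remediate(host, Verdict("<sample-hash>", score=9, malicious=True)))
```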

Juniper Networks Secure Analytics

A JSA device collects, manages and reports on logs. It detects new threats on the network. It delivers network security reports on a defined schedule.

The JSA can be deployed as an event collector or a flow collector. Collectors can be deployed either as physical devices or as VMs.