VMware Hands-on Labs - HOL-PRT-1472


Lab Overview - HOL-PRT-1472 - Juniper Virtual Security Lab Overview

Lab Overview


So you have decided to incorporate a cloud and/or virtualization into your business, utilizing it for bursting, development, testing, or even using it for production applications. Have you built security into your virtual data center? Are you concerned about the DDoS attacks on your production applications? What about the ability to implement network based AV, VPN, NAT, IPS, and routing into your virtual data center, establishing a secure and operable software defined datacenter that is able to expand and maintain security throughout it's entire lifecycle. What about having a DDoS appliance in a virtual format for ease of deployment for any tenant? Building these technologies on the experience and confidence of Juniper Networks allows a solution that truly understands the functions and needs of networking and security for your true software defined datacenter. Only Juniper can understand security from a network standpoint because we are truly a network and security company. This lab will show you just a touch of our virtual security capabilities for your Enterprise or Service Provider environment. Understand that we have a full suite of virtualized security and network products and tools that allow you to manage your physical and virtual data center.


 

Making Sure VMs are Running

Before starting with the lab, lets make sure that all of your virtual machines are up and running.

 

 

Launch Internet Explorer

 

From the Control Center desktop, please double click the Internet Explorer icon.

 

 

Log In To vSphere Web Client

 

The login page for VMware vSphere Web Client will automatically launch. Please enter in the following credentials:

User name: root

Password: VMware1!

and click " Login "

 

 

Home Tab

 

Click the " Home " button.

 

 

VMs and Templates

 

Click the " VMs and Templates " icon.

 

 

Expand Datacenter Site A

 

Click the arrow to the left of " Datacenter Site A " so that we can verify that the VMs are running.

 

 

List of VMs

 

As you can see, the " DDoS Secure Virtual edition " is not running. This may not be the case with your lab. Your lab may have all the VM's running ( see note below ) or other VMs not running. This is why we are checking.

NOTE : Attacker 32 does NOT need to be started

 

 

Starting VMs

 

If any of the VMs are not running ( with the exception of Attacker 32 ), please right click on the VM and select " Power On "

 

 

Proceed With Lab

 

Once you have verified that all the VMs ( with the exception of Attacker 32.. have I mentioned that already :) ), please proceed with the first Module.

Thank you!!!

 

Module 1 - Juniper Junos Space 101 (15 min)

Introduction to Space


Juniper Junos Space is a comprehensive Network Management Solution that simplifies and automates management of Juniper's switching, routing, and security devices. Junos Space consists of a network management platform for deep element and fault-management, configuration, accounting, performance, and security ( FCAPS ). FCAPS Network Management framework is created by ISO. FCAPS categorizes the working objectives of network management into five levels of management, plug-n-play management applications for reducing costs and provisioning new services quickly, and a programmable SDK for network customization. With each of these components working cohesively, Junos Space offers a unified network management and orchestration solution to help you more efficiently manage your network. In this lab, we will be covering the Virtual Director and Security Director applications. There are other applications available for Junos Space, such as Network Director but as indicated, we will not review at this time.

Two of my favorite parts of the Junos Space Appliance is that it is available in a hardware and virtual appliance format. This gives you incredible flexibility in your data center and we are all for that. My second favorite part is that both versions support multiple nodes and this in turn provides the scalability and availability that your managed network requires as you add more devices, services, and users. You see, Junos Space manages BOTH virtual and physical components in your data center, but more of that later.

Let's delve in to the Junos Space GUI.


 

Launch Firefox

 

On the Control Center box (the box you are logged in to) double click on the Mozilla Firefox image on the desktop.

 

 

Launch Junos Space

 

Once Firefox is launched, Junos Space should be the homepage, but in case it is not, click on the "Junos Space Login" shortcut in the tool bar of the browser.

 

 

Accepting Website's Security Certificate

 

Note this is the Certificate message from Internet Explorer, it requires an acknowledgement but because we are using Firefox for this lab, we did not get one.

In case you are seeing a certificate error, please accept it ( although in my testing, I did not but you never know :) ).

 

 

Logging into Junos Space

 

You will now see the Junos Space login.

To log into Juniper Junos Space, use the following login

Username: super

Password: VMware1!

When you have entered the credentials, please click "Log In".

 

 

Network Management Platform - Dashboard

 

Once you first log in to Junos Space, you will see the main dashboard for the product. When you select any applications ( Security Director, Virtual Director ) in the box above the task tree, a dashboard displays graphical data above devices, jobs, users, administration, and so on.

The dashboard provides a snapshot of the current status of objects managed and operations performed within a Junos Space application. The Network Management Platform dashboard ( as shown above ) displays the system health of your network and the percentage of jobs run successfully and in progress.

The Network Management Platform dashboard contains gadgets ( graphs and charts ) that display statistics that provide a quick view of system health. They include a gauge for overall system condition and graphs that display the fabric load and active users history.

 

 

Move the Gadgets

 

Feel free to move and resize the gadgets.

If you click on the blue bar of each of the gadgets, you will see the cursor changes form into an X, this means that it can be moved within the dashboard. Try it out!

All dashboard gadgets are visible for all users and are updated in real time.

 

 

Saving and Printing

 

If you right click on the "Job Information" gadget you will see that the images can be saved and/or printed.

 

 

More Detailed Information

 

Still within the "Job Information" gadget, if you double click on the Green "Success" section, it will bring you to greater detail such as the one shown above.

 

 

Job Management

 

When you click the green circle you were automatically taken to the listing of jobs. Now thankful all my jobs are successful but you can imagine that jobs do fail for various reasons and they would show up here as well.

 

 

Global Search

 

Junos Space has this great Global Search capability. You can see that the search bar is always available no matter what screen you are on. You can use the feature to quickly locate any object within Junos Space. Junos Space allows you to perform a full-text search operation for objects within the system. You can do searches on object categories such as device name, Juniper platform ( Junos OS, Junos ES, etc ), OS version, serial number, IP of physical and logical interface, name of physical and logical interface, MAC address, software, and many many more. The global search operation supports query expressions. You can search for phrases and multiple terms. The default operator for multiple terms is the OR operator.  

 

 

Applications for Space

 

In this implementation of Space we have two additional applications installed. By clicking on the down arrow as described in the picture above, you can see what is available. We will not go into these applications at this time but we wanted you to see a quick viewing. In this lab configuration we have installed Virtual Director and Security Director. Service Now is part of the "default" Network Management Platform. Service Now is an automated troubleshooting capability that accelerates problem resolution by allowing you to open cases with Juniper Technical Support ( JTAC ) and include all related logs and diagnostics. Junos Space Service Now also reduces the time to integrate new Juniper products or releases into the network by using customized scripts installed on the Junos devices. Troubleshooting expertise is integrated into the products and therefore outage time is reduced.  It also helps to lower the learning curve for operations personnel that are new to Juniper products.

No need to click any of the applications now, just click the arrow again.

 

 

Task Group (Workspaces)

 

Within each application ( in this case, Network Management Platform ) are the Task Groups or also sometimes referred to as Workspaces. These task groups are part of the task tree that is on the left side of the display. It is the navigation center for Junos Space. Note that you can collapse the task tree by clicking on the Double Left arrows but we will not do this at this time. These arrows are highlighted in the above image.

Let's look at the Network Management Platform Task Groups.

 

 

Devices Task Group Expansion

 

Click the " + " to the left of the "Devices" Task Group.   

 

 

Devices Task Group

 

As you can see there many options and Sub Task Groups available under "Devices". Let us spend some time in these options.

 

 

Devices "Dashboard"

 

By clicking the "Devices" Task Group, you will get a dashboard on the right.

A screen shot of the Devices Dashboard is above. Once again, these gadgets can be moved and you drill down into them for greater detail. There are three options "Device Count by Platform", "Device Status", and "Device Count by OS". We have not deployed any devices at this time and therefore the gadgets have no data.  

 

 

Options and Sub Task Groups

 

I have already expanded the additional Sub Task Groups in the image provided.

I will admit that the data is not fun to look at at this time because there are no devices but like I said previously, feel free to click through all the options and see the data that is available.

For instance, I love the "secure console" option available from the "Devices" Task Group.

 

 

Device Templates Expansion

 

Click the " + " to the left of the "Device Templates" Task Group.

 

 

Device Templates

 

There are two options available under this Task Group, please select "definitions".

 

 

Definitions

 

Here you will see the default device templates that are provided with Junos Space Network Management. As you can see, they list the majority of the types of device families available from Juniper. Note that these are for the hardware devices that Junos Space supports.

 

 

Select Default Syslog Config_Junos

 

If you can please select the "Default Syslog_Config_JUNOS" Device Template and select the the pencil icon.

 

 

Available Configuration Expansion

 

Click the " + " to the left of the "Configuration" folder in "Available Configuration".

 

 

Configuration

 

You will see that the template gives you a layout of the various options available. This will provide ease in your configurations of the devices that you can deploy through Junos Space.

 

 

CLI Configlets

 

This Task Group allows you to easily apply a configuration to a device. Configlets are configuration tools by Junos OS that enables you to apply configuration onto the device by reducing configuration complexity. Configlet is a configuration template which is transformed to CLI configuration string before being applied to a device. The dynamic elements (strings) in configuration templates are defined using template variable. These variables act as an input to the process of transformation, to construct CLI configuration string. These variables can contain anything: it can be the interface name, device name, description text or any such dynamic values.

 

 

Images and Scripts

 

Junos Space facilitates management of devices running Junos OS (Juniper Operating System) by enabling you download a device image from Juniper's Software download site to your local file system. You can then upload the device images and deploy these device images onto a device or onto multiple devices of the same device family simultaneously. After you upload a device image you can stage a device image on a device, verify the checksum, and deploy the staged image whenever required. You can also schedule the staging, deployment, and validation of device images.

You can also use Junos OS Scripts for configuration and diagnostic automation tools in order to deploy, verify, enable, disable, remove, and execute scripts that have been deployed to the devices.

 

 

Reports

 

The Reports Task Group is for... you guessed it... Reports. You can generate customized reports for managing the resources on your network. You can use the reports to gather data related to the device inventory details, job execution details, and audit trails. You first create a report definition to specify what information to retrieve from the Junos Space inventory database. You then use this report definition to generate, export, and print the reports. Junos Space does provide some pre-defined categories to create report definitions. We will not be creating reports in this lab but feel free to speak with a Juniper Sales Rep for more information.

 

 

Network Monitoring

 

With the Network Monitoring task group, you can assess the performance of your network, not only at a point in time but also over a period of time.

Click the "Network Monitoring" Task Group to see the dashboard.

 

 

Network Monitoring Dashboard

 

As you can see that the " Network Management " Dashboard gives you a view into the "Nodes with Outages", "Availability over the past 24 hours",  "Notification", "Resource Graphs", "KSC Reports", and "Quick Search". This dashboard provides great insight into your organization and quick searches against Node ID, Node Label like, TCP/IP address, Providing services ( ICMP or SNMP ).

 

 

Network Monitoring Expansion

 

Click on the " + " arrow to the left of the "Network Monitoring" Task Group.

 

 

Network Monitoring Task Group

 

By expanding the "Network Monitoring" Task Group, you can see that there are many additional options. Feel free to review the screens associated with the additional Sub Task Groups.

 

 

Configuration Files

 

You can maintain copies of device configuration files are either running, candidate, or backup configuration files. This assists with device configuration recovery and maintaining consistency across multiple devices.

 

 

Jobs

 

The "Jobs" Task Group ironically monitors the progress of ongoing jobs. Crazy, I know! ( Note that the "Jobs" Task Group should already be open ).

Once again we have an amazing dashboard with drill down capability. There are three default gadgets available on the dashboard. Feel free to once again move them within the screen and to drill down into the various details.

 

 

Users

 

This surprisingly is where you add, mange, and delete users. I know... crazy place to put this right? Just Joshing....

The Users Task group is where you can add you users and to assign roles to the users.

 

 

Audit Logs

 

In the Audit Logs task group you can view and filter system audit logs including those for user login and logout, tracking device management tasks, and displaying services that were provisioned on devices.

Click on the "Audit Logs" Task Group.

 

 

Audit Logs Task Group

 

The dashboard on the "Audit Logs" shows all statistics available from the audit log.

Click on the blue section of the statistics.

 

 

Login Data

 

In this case, I have only logged in as "super" but you can imagine that if there were other logins, these would show up as well.

Please select the "IP Addresses" as identified in the image.

 

 

IP Address Data

 

Here you see the IP addresses from which I have been accessing Junos Space.

 

 

Administration

 

And lastly, Administration allows you to add network nodes, back up databases, manage the licenses and applications, or even troubleshoot. As you can see the administrative tasks are accomplished through this Task Group.

This concludes our introduction to Juniper's Junos Space. Our next chapter will go into detail of the Virtual Director application.

#JuniperLab

#PewPew

 

Introduction to Virtual Director


Junos Space Virtual Director is dedicated to provisioning, bootstrapping, monitoring, and lifecycle management of a variety of Juniper Virtual Appliances and related virtual security solutions. Virtual DIrector can be used to deploy, manage, and monitor instances of Firefly Perimeter ( more detail later ), which provides security and networking services at the perimeter in a virtualized private or public cloud environment. Virtual Director also registers each instance of Firefly Perimeter with the Junos Space Platform to allow other Junos Space applications, such as the Security Director application, to configure security policies.


 

Virtual Director Topology

 

This above diagram shows where Virtual Director and Space sit in your virtual environment. As you can see, Virtual Director is used to support many of Juniper's virtual appliances. Security Director is used to manage many of Juniper's physical hardware devices.

 Juniper's Junos Space ties directly into VMware's vCenter Server.

 

 

Loading Virtual Director

 

Virtual Director has already been installed into the Junos Space Network Management Platform. In order to launch the application, select the down arrow to the right of "Network Management Platform" and select "Virtual Director".

 

 

Virtual Director Dashboard

 

Just like the dashboard in the "Network Management Platform", the "Virtual Director" "Dashboard" gives you a synopsis of environment. At this time, this is a clean install. We will populate this information in later articles in this lab.

Take a note at how the "Summary" and "Deployment Alerts" looks at this time. As we do more activity in this lab, this information will change. Feel free to come back to the dashboard at any time.

 

 

Deployment Alerts

 

Like I stated, this is a fresh installation and currently none of the deployments have failed, because we have not even tried. We will deploy later!  This information shows on the bottom of the "Virtual Director" "Dashboard". Personally, I think It is nice to have this information for your data center in that single pane.  

 

 

Design Task Group Expansion

 

Expand the "Design" Task Group. You will see there are three Sub Task Groups. Let us check them out.

 

 

Design Task Group

 

The "Design Task Group" has three Sub Task Groups

Let's look at these individually.

 

 

Virtualization Providers

 

( 1 ) Please click on the "Virtualization Providers" Sub Task Group. We do not have any at this time so let's connect one. We will only be connecting one but as you can tell, there can be multiple "virtualization providers" added to the system allowing you to manage different systems or tenants.

( 2 ) Please click on the green " + " circle.

 

 

Defining Virtualization Provider

 

When the popup for "Define Virtualization Provider" appears, please provide the following information :

Name : VMworld 2014 HoL

Network Address : 192.168.110.22

Administration Account Username : root

Password : VMware1!

VIrtualization Provider Type : [default]

Connection : [default]

and then click "Done".

 

 

New Virtualization Provider

 

Once the connection is made, you will now see the new virtualization provider that you created is added.

This connection is needed in order to deploy our Firefly Perimeter devices into our virtual data center for all types of customers.

 

 

VM Image Files

 

Please click on "VM Image Files".

 

 

Adding VM Image Files

 

You will see that we currently do not have any VM image files in the system at this time, but it is incredibly simple to add additional files into Virtual Director.

Please select the green " + " symbol.

 

 

Load OVA

 

The "Load OVA" screen will pop up.

Please click the "Browse" box.

 

 

Downloads Directory

 

Please make sure that you are in the "Downloads" directory if you are already not in this directory.

 

 

Selecting OVA

 

The downloads folder appears.

Please select the "junos-vsrx-12.1X46-D10.2-domestic.ova" image file.

 

 

Click Open

 

Now that you have selected the image, please click "Open" in the bottom right corner.

 

 

Upload OVA

 

Once back at the "Load OVA" screen, click the "Upload" button.

 

 

Please Wait

 

While your file uploads :).

 

 

Success

 

#PewPew, the file has been uploaded.

Please click the "OK" button.

 

 

Updated VM Image Files

 

You will now see your image in the "VM Image Files" screen.

We will use this image for building our template and deploying the device.

 

 

Virtual Device Templates

 

The "Virtual Device Templates" Sub Task Group allows you to see your previously created templates for deployment as well as to create new templates. Of course, we have not created one but we will be doing this in the next article.

 

 

Manage Task Group Expansion

 

Click on the " + " symbol to the left of the "Manage" Task Group.

 

 

Manage Task Group

 

The "Manage" Task Group has two sub Task Groups. Feel free to review them but as you can imagine, they are empty :).

 

 

Monitor Devices Task Group Expansion

 

Click on the " + " symbol to the left of the "Monitor Devices" Task Group.

 

 

VM Connection Status

 

Please click the "VM Connection Status" option.

 

 

Unmanaged Devices

 

As you can see, there is a Firefly Perimeter device listed. This Firefly Perimeter was deployed previously into the Juniper vPod.

I needed to make sure you had some items to review :).

 

 

Moving Columns

 

Notice that you can highlight a column and move it to your desired location on the bar for ease of management and viewing. Feel free to move a column to a new location by clicking on the column heading and dragging it to its new place.

 

 

Expanding Columns

 

Feel free to expand the columns to get greater detail. In this case, I have moved the IP Address column wider. When you click on the line in between the columns, the movement symbol will appear.

 

 

Search Capabilities

 

You can imagine how many devices can appear in the screen. At times it may be going off the screen so the ability to search by "VM Name", "VM Status", "IP Address", and "Device Host Name" is in the top bar. Pretty handy huh?

 

 

Deployment Status Task Group

 

The "Deployment Status" Task group gives you a recap of all the request IDs that have occurred. For instance, you would see the request id for the power on and power off of the Firefly Perimeter Virtual Machines. It provides a summary of the succeeded and failed tasks.

 

 

Application Settings Task Group

 

And the last Task Group within "Virtual Director"...

Click on "Application Settings". You will notice on the right the "Alert Settings" option comes up. This allows to set up email addresses for the alerts to be emailed to.

And this closes out the Task Groups for the "Virtual Director" application within Junos Space. Let's look at how the Firefly Perimeters are managed next... so off to the next article in this module where we go into detail of Security Director.

#JuniperLab

 

Introduction to Security Director


Security Director is a Junos Space application that is a quick and easy approach you can use to design your network security. With Security Director, you can create IPsec VPNs, firewall policies, NAT policies, and IPS configurations and push them to your security devices. These configurations use objects such as addresses, services, NAT pools, application signatures, policy profiles, VPN profiles, template definitions, and templates. These objects can be shared across multiple security configurations. You can create these objects prior to creating security configurations.

Firewall policy, NAT policy, and IPS policy can be created and managed in a Tabular view. You can easily add new rules to the policies and choose to override policy-inherited settings by customizing the settings at a per-rule level. After you have added the rules to the policy, you can reorder these rules based on priority or group these rules for easy identification and modify them at a later time. A unified user interface approach for firewall, NAT, and IPS policies helps you reduce the learning time required to create different security configurations.

You can periodically download the latest version of application signatures and IPS signatures from a URL provided by Juniper Networks. You can install these signatures on Juniper security devices. You can then use application signatures and IPS signatures when creating firewall policy configurations. Security Director also lets you create your own customized signature sets. All application firewall and IPS configurations are pushed to the devices when the firewall policy in which they are used is pushed to the devices.

When you finish creating and verifying your security configurations, you can publish these configurations and keep them ready to be pushed to the security devices. Security Director helps you push all the security configurations to the devices all at once by providing a single interface that is intuitive.

Pretty Cool Huh?


 

Launching Security Director

 

From the Applications left column,

( 1 ) Select the down arrow to the right of "Virtual Director" ( the last application we were in )

( 2 )  and select "Security Director"

 

 

Security Director Dashboard

 

Here is a screen shot for the Task Groups that are available in the "Security Director" application. We will go into greater detail into these Task Groups after we do once last check on the dashboard.

 

 

Security Director Dashboard Cont'd

 

From the "Security Director" dashboard you have the ability to

 

 

Firewall Policy Task Group Expansion

 

Click on the " +  " symbol to the left of the "Firewall Policy" Task Group.

 

 

Firewall Policy Task Group

 

( 1 ) Click the "Firewall Policy" Task Group.

On the screen to the right, you will see two sections.

Policies ( 2 ) will show firewall rules that have been previously created.  

The right pane ( 3 ) of the firewall policy Inventory Landing Page ( ILP ) divides the set of rules into two rule bases. All zone-based rules are grouped under Zone and the SRX Series All Devices rules are grouped under Global.

Security Director provides you with five types of firewall policies

 

 

Firewall Policy Sub Task Groups

 

As you can see, the "Firewall Policy" Task Group is where you can

We have not created any policies yet but will in the subsequent articles.

 

 

IP Policy Task Group Expansion

 

Please click the " + " symbol to the left of the "IPS Policy" Task Group.

 

 

Sub Task Group Expansion

 

Please click the " + " symbol to the left of the "IPS Signature" Sub Task Group and

please click the " + " symbol to the left of the "IPS Signature-Set" Sub Task Group.

 

 

IPS Policy Task Group

 

IPS ( Intrusion Prevention ) is available as part of the overall functionality of the hardware devices. In future releases of Firefly Perimeter, this capability is included but again, Junos Space is a tool for both hardware and software versions of Junos OS products.

You can use the IPS Policy Task Group to download and install the AppSecure signature database to security devices. You can automate the download and install process by scheduling the download and install tasks and configure there tasks to recur at specific time intervals. This ensures that your signature database to up-to-date.

You can view the predefined IPS policy templates and create customized IPS policy-sets in this Task Group. You can also enable IPS Configuration is a firewall policy and provisions IPS related configuration with firewall policy.

 

 

NAT Policy Task Group Expansion

 

Click on the " + " symbol to the left of the "NAT Policy" Task Group.

 

 

NAT Policy Task Group

 

Network Address Translation ( NAT ) is a form of network masquerading where you can hide devices between the zones or interfaces. A trust zone is a segment of the network where security measures are applied. It is usually assigned to the internal LAN. An untrust zone is the Internet. NAT modifies the IP address of the packets moving between the trust and untrust zones.

Junos Space Security Director supports three types of NAT ( IPv6 is supported ):

 

 

VPN Policy Task Group Expansion

 

Click on the " + " symbol to the left of the "VPN" Task Group.

 

 

VPN Policy Task Group

 

You can create site-to-site, hub-and-spoke, and full-mesh VPNs in the Task Group. If you want to use a customer VPN profile, you must configure a VPN profile before creating a VPN.

You can configure the following parameters for an IPsec VPN

You can also customize endpoint-specific settings like VPN Name, IKE ID, and profile for each tunnel.

After the VPN configuration is saved, you can provision this VPN on the security devices.

In Security Director, route-based VPNs support OSPF and RIP routing along with static routing.

Security Director supports dynamic routing in VPN addressing. Security Director simplifies VPN address management by enabling the administrator to export static routes to a remote site over a tunnel, allowing the static route networks to participate in the VPN.

 

 

Listing of VPNs

 

If we had VPNs configured, you would see them in the left pane of the Tabular view.

 

 

Object Builder Task Group Expansion

 

Click on the " + " symbol to the left of the "Object Builder" Task Group.

 

 

Object Builder Task Group

 

You can use the Object Builder Task Group in Security Director to create objects used by firewall policies, VPNs, and NAT policies. These objects are stored in the Junos Space database. You can reuse these objects with multiple security policies, VPNs, and NAT policies. This approach makes the design of services more structured and avoids the need to create the objects during the service design.

You can use the Object Builder Task Group to create, modify, clone, and delete the following objects:

 

 

Devices Task Group Expansion

 

Click on the " + " symbol to the left of the "Devices" Task Group.

 

 

Devices Task Group

 

The "Devices" Task Group lists the devices that have been discovered by Junos Space. This Task Group gives you greater flexibility into the view of your virtual datacenter and your physical data center. Remember, this tool is for both virtual AND physical devices. It is a one stop shop. Pretty awesome huh?

 

 

Jobs Task Group

 

The "Jobs" Task Group gives you a full listing of the all the jobs transitioned through or for Junos Space.

Please click on "Jobs" in order to bring the dashboard up.

 

 

Jobs Task Group Dashboard

 

Once again a dashboard is available to give us visibility in to the system.

Please double click on the "Add Application" job type.

 

 

Job Management

 

You can see the "Job Type" of "Add Application" is listed. This shows the install of the Security Director and Virtual Director application.

 

 

Security Director Devices Task Group

 

The "Security Director Devices" Task Group allows you to update the devices with firewall policies, NAT policies, and VPN Configurations.

 

 

Downloads Task Group

 

The "Downloads" Task Group allows you to download AppFirewall and IPS Signatures.

While you are on this screen please click the " + " symbol to the left of "Downloads".

 

 

Downloads Task Group Dashboard

 

This particular dashboard provides you with a full listing of all of the AppFirewall and IPS Signature downloads. It is a great way of keeping track of all the updates that you have received and implemented within the system and the products.

 

 

Signature Database

 

Please click on the "Signature Database" Sub Task Group.

 

 

Signature Database Dashboard

 

The Signature Database page appears. You can see the active databases there were downloaded earlier. At any time, Security Director will have only one active signature database.

You can see on the top of this screen there is an IPS Signature that can be installed on the system.

 

 

Install Configuration

 

Please select the "Install Configuration" Sub Task Group.

 

 

Install Configuration Dashboard

 

We do not have Juniper SRX devices in the netwrok so we can not install the configuration at this time but you can see how the installation would occur from this screen, either at the present time or to be scheduled at a later time. You have the control to determine when this would be done.

FYI, SRX Series Services Gateways are high-performance network security solutions for enterprises and service providers that pack high port density, advanced security, and flexible connectivity into easily managed platforms.

SRX Series Services Gateways deliver next-generation firewall protection with application awareness, intrusion prevention system (IPS), and extensive user role-based control options, plus best-in-class unified threat management (UTM) to protect and control your business assets. Next-generation firewalls are able to perform full packet inspection and can apply security policies based on Layer 7 information. This means that you can create security policies based on the application running across your network, the user who is receiving or sending network traffic, or the content that is traveling across your network to protect your environment against threats, manage the way your network bandwidth is allocated, and control who has access to what.

SRX Series gateways come in a broad range of models from all-in-one security and networking appliances optimized for the enterprise edge to highly scalable, high-performance chassis solutions optimized for service providers and large data centers. All solutions can be centrally managed using Junos Space Security Director, and additional security services are easily added to existing SRX Series platforms for a cost-effective solution.

 

 

Download Configuration

 

Select "Download Configuration" from the left hand bar.

 

 

Download Configuration Information

 

On this screen, you have the ability to download additional signature files that will be used with you virtual and hardware appliances.

So as I described earlier, if you wanted to update the signatures in your SRX devices, this would be accomplished here.

I am also happy to note that Firefly Perimeter x47 will include UTM and IPS capabilities and in turn, Security Director would be used to update the devices as well.

 

 

Audit Logs

 

Select the "Audit Logs" Task Group.

 

 

Audit Logs Dashboard

 

You will see the dashboard on the right hand side of the page. Feel free to drill down into the various tasks for greater detail.

Please note that your image may look different with regard to the tasks that were implemented in the system.

This concludes the introduction to Security Director. Please proceed on to the next module where you will learn more about Firefly Perimeters advanced security services and network capabilities.

#JuniperLab

 

Module 2 - Managing Your Physical and Virtual Infrastructure with Juniper Junos Space (45 min)

Use Cases for Juniper Junos Space and Firefly Perimeter


For Service Providers ( SP ), the network is the money-maker. SP’s look to their network to create innovative services that solve business problems and demonstrate the added value they can bring to their customers. These services must always be available to ensure end- subscriber satisfaction, and new services need to be offered frequently as demands and technology change in order to obtain additional revenue streams.

For Enterprises, the network is both a strategic and critical corporate asset, where costs have to be controlled. Explosive demand for smart devices, social media applications, and mobility-based services has placed unprecedented pressure on network operators who must provide a compelling experience to increasingly demanding, tech savvy consumers. The unrelenting expectations of highly secure and always-on connectivity and service, coupled with the growing use of cloud environments, make the network increasingly complex to manage and secure.

Juniper addresses these network challenges with Junos Space to help Service Providers and Enteprise customers maximize their network value and scale solutions, all while reducing complexity. Junos Space is a critical component of Juniper’s SDN strategy as it provides a centralized management plane for a single source of truth and a common management platform for managing and creating applications to meet your specific needs.


 

Virtualization Use Case

 

As we will see in the following articles, Firefly Perimeter is the virtualized appliance with advanced security and networking features based on Junos OS.

In addition to its advanced security services and network capabilities, Firefly Perimeter also empowers network and security administrators to quickly provision and scale firewall protection to meet dynamic demand using Junos Space Virtual Director. When combined with Junos Space Security Director, administrators can significantly improve security policy configuration, management, and visibility of their virtual and non-virtual environments.

Firefly Perimeter provides:

 

 

Firefly Perimeter for Managed Security Service Providers (MSSP)

Firefly Perimeter enables Managed Security Service Providers ( MSSP ) to launch and activate new services more quickly by decoupling security services from customer premises ( CPE ) hardware. With Firefly Perimeter, MSSPs can migrate from the monolithic architecture and design limitations of a physical firewall to diversified virtual firewall implementations.

They can decentralize fault domains by deploying Firefly Perimeter VMs instead of dedicating a physical firewall to each tenant/customer or sharing one physical firewall across multiple tenants, reaping better returns on their investment. This reduces capital expenditure while aligning the billing with the actual usage.

Additionally, having a firewall in a VM mapped to a single customer allows MSSPs to customize policies and perform maintenance, which only impacts that single customer instead of the traditional approach where numerous customers sharing the same physical firewall are all impacted. Firefly Perimeter enables MSSPs to offer value-added security services such as managed firewall, MPLS, VPN, clean pipe, and secure VM hosting, with a deployment model that lowers time to revenue.

 

 

Clustering for Firefly Perimeter

 

And one of the coolest things that Firefly Perimeter supports is clustering.

Firefly Perimeter provides mission-critical reliability, supporting chassis clustering for both active/active as well as active/
passive modes. This support provides full stateful failover for
 any connections being processed. In addition, it is possible for 
the cluster members to span hypervisors. When Firefly Perimeter VMs are configured in a cluster, the VM synchronizes connection/session state and flow information, IPsec security associations, NAT traffic, address book information, configuration changes, and more. As a result, not only is the session preserved during failover but security is kept intact. In an unstable network, Firefly Perimeter also mitigates link flapping.

 

 

Physical Use Case

 

Like Junos Space works with virtual appliances, such as Firefly Perimeter, it also works with the physical devices available from Juniper. Having the capability to manage both your physical and virtual data centers both as an Enterprise or as a Service Provider. It is all about ease and greater functionality on the tools provided to you. Saving time means saving money and Juniper's Junos Space does just that. What we will be covering in this lab is just the tip of the iceberg.

 

Deploying Firefly Perimeter


As discussed earlier, Firefly Perimeter is an amazing virtualized security and networking tool that every Enterprise or Service Provider should have within their virtualized data center. There are many reasons why that is the case, the technology of course is one of the reasons but when you add the ease of deployment, configuration, and the automation capabilities, you begin to understand the possibilites of your virtual data center, the growth and the future you can have.


 

Log In To Juniper Junos Space

 

In case you have been logged out, log back in to Junos Space with the following credentials:

Username : super

Password : VMware1!

Click "Log In".

 

 

Virtual Director

 

No matter what application is available when you log in, make sure you end up at "Virtual Director". To do this,

( 1 ) Click the down arrow for the applications

( 2 ) Select "Virtual Director"

 

 

Design Task Group Expansion

 

Please click the " + " symbol to the left of the "Design" Task Group.

 

 

Virtual Device Templates

 

Select "Virtual Device Templates".

 

 

Adding New Template

 

Click the green " + " circle in the dashboard.

 

 

Create Template Wizard

 

Fill in the following information in to the wizard.

Template Name : Firefly Perimeter

VM Image File : ( Click the down arrow ) Select the OVF file that we have already brought in to the system - "junos-vsrx-12.1x46-D10.2-domestic,ovf".

 

 

Additional Information

 

Once the image is selected, the Product Type and Version are already loaded.

Click "Next".

 

 

Virtualization Host

 

For "Virtualization Host" click the down arrow and select the pre-loaded IP address ( 192.168.110. 2 ).

 

 

Data Center

 

For "Data Center" click the down arrow and select the pre-loaded Data Center ( Datacenter Site A ).

 

 

Cluster / Host

 

For "Cluster/Host" click the down arrow and select the pre-loaded Data Center ( Cluster Site A ).

 

 

Resource Pool

 

For "Resource Pool" click the down arrow and select the pre-loaded Resource Pool ( None ).

 

 

Data Store

 

( 1 ) For "Data Store" click the down arrow  

( 2 ) select "ds-site-a-nfs1"

( 3 ) Once completed, select "Next".

 

 

Virtual Machine Configuration

 

In this screen, fill in the following information

Virtual Machine Name : Firefly_Perimeter

Keep the "Edit network mapping" as the default

Click "Next".

 

 

Device Boot Up Configuration

 

Fill out this screen with the following information

Create Root Password : VMware1!

Confirm Password : VMware1!

Hostname Pattern : Click the down arrow and select the " # ".

 

 

Additional Device Boot Up Configuration

 

Continue with the configuration of the "Device boot up configuration"

IP Assignment : [default]

Default Gateway : 192.168.120.1

Starting IP/Subnet : 192.168.120.70/24

Click "Next".

 

 

Final Review - General Information

 

Please review the information listed under "General Information".

If changes need to be made, select "Previous" to edit. If it looks correct, please proceed to the next step.

 

 

Final Review - Virtual Machine Host Configuration Expansion

 

Click the " + " symbol to the right of "Virtual machine host configuration".

 

 

Final Review - Virtual Machine Host Configuration

 

Review the configuration information for the "Virtual machine host configuration". Again, if changes need to be made, select "Previous" to edit. If it looks correct, please proceed to the next step.

 

 

Final Review - Virtual Machine Configuration Expansion

 

Click the " + " symbol to the right of "Virtual machine configuration".

 

 

Final Review - Virtual Machine Configuration

 

Review the configuration information for "Virtual Machine Configuration". If changes need to be made, select "Previous" to edit.

If it looks correct, please proceed to the next step.

 

 

Final Review - Device Boot Up Configuration Expansion

 

Click the " + " symbol to the right of "Device boot up configuration".

 

 

Final Review - Device Boot Up Configuration

 

( 1 ) Review the "Device boot up configuration" data

( 2 ) When you feel the information is correct, click " Submit "

If it is not correct, guess what... click "Previous".

 

 

Added Virtual Device Template

 

You will now see the template listed in the dashboard for "Virtual Device Templates".

 

 

Deploying Template

 

( 1 ) Click the Firefly Perimeter template

( 2 ) Click the down arrow to the right of "Actions"

( 3 ) Select the "Deploy Template" option.

 

 

Number of Virtual Machines to Deploy

 

( 1 ) On the bottom of the "Deploy Virtual Machine" pop up, keep the default of " 1 " for the "Number of Virtual Machines to Deploy"

( 2 ) Click "Deploy".

 

 

Status

 

A pop-up with the "Status" ID will appear

Click the "OK" button.

 

 

vSphere Web Client Tab

 

You should already have a vSphere Web Client tab available in the Firefox browser.

If not, use the shortcut in the menu.

 

 

vSphere Web Client Login

 

Use the following credentials to log in to the vSphere Web Client

User name : root

Password : VMware1!

 

 

Home Button

 

Click the "Home" button on the top menu bar.

 

 

VMs and Templates

 

Click on "VMs and Templates" in the Inventories section.

 

 

Datacenter Site A Expansion

 

Select the arrow to the left of the "Datacenter Site A".

 

 

Firefly_Perimeter1

 

And there it is, our Firefly Perimeter that we configured and deployed.. Yay!! Now wasn't that simple!!!

Imagine how easy it is to deploy these Firefly Perimeter virtual machines for multiple tenants in your Enterprise or Service Providers.

This concludes this article, please proceed to the next article which will cover Virtual Director in greater detail.

#JuniperLab

 

Virtual Director - Greater Detail


We have already spent some time talking about Virtual Director, but now that we have deployed a Firefly Perimeter, lets look at the application with greater detail.


 

Junos Space Tab

 

In Internet Explorer, click the first tab which should be Junos Space.

If this tab is not available, use the shortcut in the menu bar.

 

 

Virtual Director Application

 

Make sure the "Virtual Director" application is loaded.

PS... if you are logged out of the system, the account information is

Username : super

Password : VMware1!

 

 

Virtual Director Dashboard

 

Please select the "Dashboard" in Virtual Director.

You will see on the right hand the "Number of Deployed Devices" and "Number of Virtual Director Templates" now has been increased.

 

 

Deployed Devices Menu

 

Please click on the "Manage" > "Deployed Devices" option in the left menu.

 

 

Deployed Devices

 

You can now see the Firefly Perimeter that we have deployed.

 

 

Actions Available

 

( 1 ) Please click on the Firefly Perimeter device

( 2 ) Select the arrow to the right of "Actions"

You will see the you can "PowerOff Device(s)", "PowerOn Device(s)", "Reset Device(s)".

Yes, if you have other devices, you could power off/on multiple devices at once. You have the ability to control the device from Junos Space. Please note that this does not take control away from the controls you have through the vSphere client, it just allows you to manage everything from one location.

 

 

VM Connection Status

 

Please select "VM Connection Status" under the "Monitor Devices" Task Group.

 

 

Virtual Machines

 

You will now see that both virtual machines are listed.

Remember that a Firefly Perimeter was deployed already.

 

 

Virtual Director vs Security Director

I just wanted to make it clear that once a virtual machine, like Firefly Perimeter, is brought into Virtual Director you have controls over it but the configurations will be done through Security Director. No matter what form the security device is in ( hardware vs. virtual ) security policies will be done through Security Director. This concludes this article. Let us now proceed to the next article which covers Security Director in greater detail.

#JuniperLab

 

Security Director - Greater Detail


In this part of the lab, we will go into greater detail and provide more hands on capability for Security Director now that we have deployed a Firefly Perimeter virtual machine from Virtual Director.


 

Launching Security Director

 

Click the arrow to the right of "Virtual Director" and select "Security Director".

 

 

Firewall Policy

 

Expand the "Firewall Policy" Task Group.

 

 

Creating the Global Policy

 

Click "Create Policy" Sub Task Group.

 

 

Name

 

Set up the following configurations:

(1) Type : [default]

(2) Name : HoL Policy

(3) Description : Creating firewall policy for VMworld

(4) Check Manage Zone Policy [default] - used to manage zone-based firewall rules

(5) Policy Priority : Medium [default]

(6) Precedence Value : keep default (value should be less the number of existing policies of the same priority. The number of existing policies are displayed as part of the Precedence field. For example, if the system has 4 policies with Low priority, 5 policies with Medium priority, and 3 policies with High priority, you can set the precedence as follows:

(7) Profile : All Logging Enabled

Note that we created a Group vs. Device policy. In this case, since we have only one device, it may have been more appropriate but it is nice to see that you can create policies for many devices ... even if we don't have them in this simulation.

 

 

Create Policy

 

( 1 ) Select the "corp_fw1.juniper.net" listing under "Available"

( 2 ) Click the " -> " in the middle to move the selection to the  "Selected" side

( 3 ) Click "Create".

 

 

Back to Firewall Policy

 

Just make sure that you are back on the "Firewall Policy" Task Group.

 

 

Policies

 

Under "HoL Policy" select the "corp_fw1.juniper.net".

On the right you will see where the rules are implemented.

 

 

Lock to Edit

 

Click the Lock symbol in the top bar so that policy can be edited ( we do want to make sure that others are not editing the policy at the same time ).

 

 

Create Device Rule

 

Click "Create Device Rule".

 

 

Going Green

 

Initially the rule will do green and change to white ( this is normal ).

 

 

Rule Name

 

Click on "Device Zone - 1" in order to get the option to change the name.

 

 

Change the Name

 

Change the rule name to "FW-HoL", and click "OK".

 

 

Source Trust Zone

 

A trust zone is a segment of the network where security measures are applied. It is usually assigned to the internal LAN. An untrust zone is the Internet.

By default, the Source zone is set to trust. The zones that appear in the list are dependent on the type of security policy that you choose to add rules to. When adding a rule for a group policy, all the zones present on all devices are available for selection.

In this case we will keep "trust".

 

 

Source IP Address

 

Click the "Any" option under the Source Address. You will see the ability to Include or Negate IPv4 and/or IPv6 Addresses.

At this time, we will keep the default of "Any".

 

 

Destination Untrust Zone

 

Next is the opportunity to change the "Destination Trust Zone". If you click on "untrust" you once again see the options.

Let us keep the default of "untrust".

 

 

Destination Address

 

We will keep the default of "Any" for the Destination Address.

 

 

Service Options

 

If you click the "Any" option for Service you will see the Available services that we will take actions against. Feel free to move the bar up and down to see all the services that are available.

At this time, we will keep to "Any".

 

 

Action

 

You may need to move the screen to the right to see all the options.

As you see the default of "Deny", IPS is  "Not applicable" because we are denying the traffic, but please change the "Action" option to "Permit". To do this,

click on the "Action" to see the options and select "Permit".

Understand that as stated in previous modules, the IPS rules are published as part of the Firewall rules.

 

 

Permit Action

 

Now that we have changed the "Action" to "Permit", IPS is now Off. Note that in the Firefly Perimeter x 47 release, IPS wil be incorporated. Just think about the capability to have IPS embedded capabilities in virtual machine.

 

 

Additional Actions

 

As you can see, there are additional options, including "Tunnel". By clicking on "Tunnel" you will see that there is the ability to implement a VPN tunnel.

 

 

AppFw

 

Next, click on the "AppFw" section.

 

 

AppFW - Disabled

 

Initially when you click on AppFW the capability is disabled.

Please click on "White List" to see the options.

Note that there is also the capability to select "Black List" as well.

This is one of my favorite parts of this configuration, that you can easily specify "White List" or "Black List".

 

 

AppFW Enabled

 

( 1 ) Feel free to scroll the 36 pages or just the one :) of the Pre-defined Apps

( 2 ) Note that there are other options of "Pre-defined Group", "Customer Apps", or "Custom Group"

( 3) You can also search if need be.

( 4 ) Click "Cancel".

 

 

Validate

 

Please click "Validate" on the bottom of the screen.

 

 

No Validation Errors

 

You will see a pop up stating there are no Validation errors.

 

 

Save

 

Click "Save" please.

 

 

Publish Policy

 

Select the "Publish Policy" under the "Firewall Policy" Task Group.

 

 

Selecting Firewall Policy

 

Select the firewall policy that we just created.

 

 

Select Next

 

Please unselect the "Include IPS Policy" and Select "Next" on the bottom of the screen.

 

 

Affected Devices

 

Select the name of our firewall policy under "Affected Devices".

 

 

Select Publish

 

Select "Publish" on the bottom of the page.

 

 

Job Id

 

A "Publish Information" Job ID will appear.

Click  "OK".

 

 

Jobs Management

 

Please select "Job Management" under the "Job" Task Group.

 

 

Success

 

View the Job Id that was provided and the successful publishing to the number of devices.  YAY!!!

 

 

IPS Policy

 

As indicated, at this time of developing the lab, Firefly Perimeter does not support IPS and therefore we can not develop a policy. We could develop policies for other Juniper products like SRX but we are currently not using one in this lab. Firefly Perimeter will support IPS in the x47 version and at that time, you will use Junos Space to create that policy.

 

 

NAT Configuration Information

Junos Space Security Director provides you with a workflow where you can create and apply NAT policies on devices in a network.

Security Director views each logical system as an other security devices and takes ownership of the security configuration of the logical systems. In Security Director, each logical system is managed as a unique security devices.

 

 

NAT Policy

 

Please select "Create NAT Policy" under the "NAT Policy" Task Group.

 

 

Device NAT Policy

 

On the right side, a window will pop up will appear, at this time, we will create a "Device" rule

( 1 ) Select Device

( 2 ) Name : NAT_VMworld_2014

( 3 ) Description : NAT Policy for VMworld 2014

( 4 ) Click the down arrow next to Device and select "corp_fw1.juniper.net".

 

 

Select Create

 

On the bottom of the screen, click "Create".

 

 

Lock to Edit - NAT

 

You will automatically go to the creating page.

Click the "lock" symbol in order to lock the policy.

 

 

Create Source Rule

 

Click "Create Source Rule".

 

 

Renaming Device

 

Select "Device-1" and change the name to "NAT_2014"

 

 

Ingress Zones

 

You will see the same Trust Zones appears that we had available in the Firewall portion.

 

 

Interface Zones

 

At this time, we will be choosing the interfaces as the Zones. Please note that the Firefly Perimeter ( like all virtual machines ) can have up to 10 interfaces. This is eth0 interface.

Please select "ge-0/0/0.0" and click the arrow to bring it to the selected side.

Select "Ok".

 

 

Egress Zones

 

( 1 ) Please click the "Egress Zones" in order to see our options

( 2 ) Click "Interface"

( 3 ) Select "ge-0/0/0.0"

( 4 ) Select the " -> " to move to selected

( 5 ) Click "Ok".

 

 

Translated Packet Source

 

Click the "No Translation" under "Translated Packet Source" in order to get the pop-up.

Please select the down arrow to get out options.

 

 

Translated Type

 

Select "Pool" as our "Translation Type".

 

 

New Source Pool

 

Please click the green " + " circle to the right of "Source Pool" in order to create a new source pool for NAT.

 

 

Create Source NAT Pool

 

Please fill in the following information

Name : Source_NAT_2014

Description : Source NAT policy for VMworld 2014

We have no "Pool Address" so lets create one through this step.

Please click the green " + " circle to the right of "Pool Address".

Note that you can create the pool through the  Object Builder Task Group".

 

 

Create Address Object

 

Let's create the Address Object Type. Please fill in the following information

Object Type : Address

Name : VMworld_2014

Type: ( Click the down arrow ) Range

 

 

NOTE

 

You may get an "Inactivity Timeout" so please make sure you click "Yes".

 

 

Address Object Information

 

Please fill in the following information

Object Type : Address

Name : VMworld_2014

Description : Addresses for VMworld 2014

Type: Range

Start IP : 192.168.120.200

End IP : 192.168.120.250

Click "Create".

 

 

Advanced Prpoerties

 

Click the arrow next to "Translation".

Select "Port/Range".

 

 

Advanced Properties Cont'd

 

Select the arrow next to "Address Pooling" and select "Paired".

Select the arrow next to "Port" and select "Any".

Click "Create".

 

 

Click OK

 

As you can see our configuration has been added.

Please click "Ok".

 

 

Validate

 

Please click "Validate".

 

 

No Validation Errors

 

You will see the "Information" screen on the right pop up showing that there are no Validation errors.

 

 

Click Save

 

Click  "Save".

 

 

Object Builder Expansion

 

Please click the " + " symbol to the left of "Object Builder" Task Group.

 

 

Addresses

 

Please select the "Addresses" Sub Task Group.

 

 

Object Builder > Addresses

 

Note that we previously walked through these steps on the specific actions BUT we can create them before hand. As you can see our VMworld_2014 Addresses are listed. For planning purposes, you can easily create all your addresses before you start to create your policies.

 

 

NAT Pools

 

Please select "NAT Pools" Sub Task Group.

 

 

Object Builder > NAT Pools

 

Once again, you have the opportunity to create your NAT pools for the tenants before you build your NAT policy. Creating them in individual pieces will assist with management of your pools.

 

 

VPN Expansion

 

Please click the " + " symbol to the left of the "VPN" Task Group.

 

 

Create VPN

 

Please select the "Create VPN" sub Task Group.

 

 

Route Based VPN

 

Please fill in the following information

Name : VPN_VMworld_2014

Description : VPN for the VMworld 2014

Tunnel Mode: Route Based

Notice the type of Route Based VPNs available:

We will be keeping the default, "Site to Site" at this time.

 

 

Route Based VPN Profiles

 

Please click the down arrow to the right for "VPN Profile"

Notice the types that are available

At this time, we will keep the default of "MainModeProfile".

 

 

Route Based VPN Profiles Cont'd

 

The "Preshared Key" is the last option for the VPN configuration. Note that you can either have the key auto-generated or set up manually.

 

 

Policy Based VPN Profiles

 

Change the "Tunnel Mode" to "Policy Based" in order to see these options.

Notice the "Type" is still "Site to Site" and the "VPN Profile" is still "Aggressive Mode Profile", "MainModeProfile", "RSAProfile".

Please keep the default, "MainModeProfile".

 

 

Policy Based VPN Profiles Cont'd

 

Once again, we have the option to auto-generate or manually add the "Preshared Key".

 

 

Next

 

Please select "Next" at the bottom of the page.

 

 

VPN Wizard

 

Under the available side, please select "corp_fw1.juniper.net" and click "Add as Endpoint" in order to move it to the selected side.

 

 

Next

 

Please click "Next" on the bottom of the screen.

 

 

More Than One

 

Sorry but this is just a vPod and not set up in a real world scenario. Since we do not have another endpoint, we can not continue on with configuration.

I wanted to make sure that you saw the steps that we would take to at least configure our side of the VPN connection.

Please click "OK".

 

 

Conclusion

At this time, this is the end of the specific configurations that we will be covering within this lab.

Please feel free to review the components of "Security Director" that we have not covered in this article.

When done, please proceed to the next article where we discuss why Juniper for your physical and virtual infrastructure.

#JuniperLab

 

Why Juniper for Your Physical and Virtual Infrastructure


Now that you have finalized the introduction of Juniper's Junos Space, by reviewing the Network Management Platform, Virtual Director, and Security Director, we just wanted to reiterate the importance and ease of the product. We believe in virtualization as much as you do but the infrastructure isn't always all virtualized. Simply put, if you can manage your physical and virtual infrastructure from one interface, why would you not use Juniper in your data center?

With Junos Space, you benefit from :

For companies that want to extract value from their network
 and deliver on solutions that truly work for their business, Junos Space is the platform of choice. You can create and deploy custom management applications using our programmable interface. Junos Space improves network agility by providing a SDK toolkit and APIs both at the platform and application level for a complete customized solution so you can meet the specific needs of your business or internal procedures.

Junos Space SDK includes the following components :

It is also important to know that Juniper has the following products in virtual format :


 

Next Module

The next module in this lab covers Juniper DDoS Secure. We hope that you will continue the lab to experience this awesome virtualized security product. If you are on twitter don't forget to tweet your thoughts to @banksek or email her at PewPew@juniper.net she would love to know them.

#JuniperLab

#PewPew

 

Module 3 - Juniper DDoS Secure (45 min)

Introduction to Juniper DDoS Secure


DDoS flood attacks are a major problem for online businesses. Juniper DDoS Secure can nullify these problems by continually monitoring and logging all in- and out-bound Web traffic.

DDoS Secure uses its CHARM algorithm to learn which IP addresses can be trusted, and is able to respond intelligently and in real time by dropping suspect or noncompliant packets as soon as the optimum performance from critical resources begins to degrade.

This heuristic and granular approach to DDoS mitigation guarantees availability for legitimate users while blocking bad traffic, even under the most extreme attack conditions. This truly is my favorite part about DDoS. Traditionally, a DDoS outage occurs when resources are unable to handle the volume
 of connection requests at a particular point in time. This might be through an induced malicious attack using a Botnet for some financial, ideological, or political motive, or the result of a legitimate “flash-crowd” effect during peak traffic periods. To the end user, there is no real difference—at best they experience degraded response times; at worst, it is a disruption in the resource’s availability resulting in an outage with serious business impact.

Adding more horsepower to the server or increasing bandwidth connectivity can provide some insurance against a volumetric DDoS attack, but they are ultimately in-effective against today’s new breed of sophisticated DDoS threats. Simply throttling all traffic or blacklisting particular groups of IP addresses is also not a lasting solution, particularly as these measures can impact legitimate users.

DDoS Secure software is different. Its innovative heuristic technology continually monitors and logs all inbound and outbound network traffic. Using its unique CHARM algorithm DDoS Secure learns which clients pose a risk through their use of available resources, and then intelligently responds in real time by disrupting an attack as soon as performance of critical resources begins to degrade.

DDoS Secure is available in Virtual and Hardware appliance version.

Key Features of DDoS Secure


 

DDoS Secure Heuristic Mitigation in Action

 

The grey normal Internet traffic flows through the DDoS Secure device, while the software analyses the type, origin, flow, data rate, sequencing, style and protocol being utilized by all inbound and outbound traffic. The analysis is heuristic in nature and adjusts over time but is applied in real time with minimal latency.

The red DDoS attack traffic show the DDoS Secure appliance uses complex data analysis techniques to detect attacks and take the defensive measures and drop the traffic.

 

 

Traffic Analysis

 

This diagram illustrates how all inbound traffic that is identified as normal ( good CHARM score ) passes through the appliance without any change. All inbound traffic that is identified as malicious ( bad CHARM score ) is discarded if the protected resource cannot handle the load. There are no IP addresses to configure on the appliance's Internet traffic interfaces, and the appliance may be installed without changing the network configuration of any existing equipment. However, an IP address is required for the secure control connection to the management PC. The management PC requires a browser that supports HTML frames, JavaScript, and the HTTPS protocol, or, alternatively, an SSH client. The management PC is used to initially configure the appliance and then to report on the traffic statistics. During an attack, the appliance uses its built-in heuristic analysis to identify the most likely attackers within a few microseconds of the beginning of an attack. The longer the appliance analyzes the traffic, the better the heuristic analysis. Attacks are tracked on a per-incident basis for easy reporting and analysis.

Lets continue on to the next chapter where we investigate the Juniper DDoS Secure Users Interface ( UI ).

#JuniperLab

 

Introduction to Juniper DDoS Secure UI


Juniper DDoS Secure is a fully automatic DDoS protection system used for websites and web-connected e-commerce site. DDoS protects all TCP/IP protocols. In this article we will cover the user interface ( UI ) of the DDoS Secure appliance. There is so much data to cover regarding this appliance but since we are in a lab scenario, we will not be able to cover everything. We did want to make sure that you had time to review everything that is at your fingertips with this amazing product.


 

Launching Internet Explorer

 

Double Click the "Internet Explorer" icon on the Control Center desktop.

 

 

New Tab

 

Click on the box on the URL bar in order to bring up a new tab.

 

 

Launching DDoS Secure

 

Click the "DDoS Secure Login" shortcut on the tool bar.

 

 

Accept Certificate

 

You will more than likely get the above certificate error, click "Continue to this website (not recommended)"... yeah yeah I know it is not recommended but please do it anyway :)

 

 

Click "Login" Button

 

Click the "Login" button in the middle of the page please.

 

 

Log into DDoS Secure

 

To log into DDoS Secure, use the following credentials

Username: user

Password: password

 

 

Web Interface Layout

 

Above is a layout for the statistical display part of the user interface. Each individual segment of the page is divided in to categories.

Options on the left pane are :

Options on the center pane are :

Options on the right pane are :

Options on the top center pane :

 

 

Summary Dashboard

 

Your login takes you directly to the real time dashboard for DDoS secure.

On the top is the "Traffic Monitor" section.

In the middle are "Load Status" and "Attack Status" graphs. Note that there is no traffic and attacks at this time but we will simulating two attacks in the future articles.

The bottom row has "Good Traffic", "Bad Traffic", and "Protected Performance". You more than likely will see "Good Traffic" change over time.

The descriptions of the sections:

 

 

Traffic Monitor

 

The traffic monitor pane shows the peak traffic usage ( inbound and outbound ) over the selected period. Note that the default is 24 hours.

 

 

Highlighting Traffic

 

If you select the top "Appliance 192.168.120.11 inbound" you will see it highlighted in the graph. Feel free to do this to the other three options available in the "Traffic Monitor" screen. Note that your "Traffic Monitor" pane may look different than the one shown above.

 

 

Changing Time

 

As previously specified, you can change the time frame for your "Traffic Monitor" pane. In the top right, above the graph is a tab that allow you to change the time. Click the arrow to the right of "Last 24 Hours" to see the options.

 

 

Changing Viewing

 

Note that you can also changing what appliances/portals/IP are shown on the "Traffic Monitor" page as well by clicking the arrow to the right of "Viewing: global" on the top right.

 

 

Protected Performance

 

View the bottom right corner and you will see the "Protected_ App" and "Unprotected_App" portals. These portals we will be using in our testing in subsequent. You can see that the "Protected_App" is in defending mode and "Unprotected_App" is in logging mode. This reports on how busy a protected IP address is from an aggregated CHARM perspective, and what the average traffic to and from the IP is.

The DDoS Secure supports different components in one of two operational modes:

Examples of different components are:

If an activity uses components that contain a combination of defending and logging, the resultant operational mode will be logging. Thus, for a black-listed client IP address and an overall operation of defending, a portal operation of logging, and a protected IP address operation of defending, the client IP address is not dropped.

 

 

Left Taskbar

 

The left taskbar shows the menu buttons. These menu buttons gives you the more detailed information of the traffic that is through the DDoS Secure. Feel free to select them individually for review but note that because we have limited traffic ( at this time only Juniper's Junos Space is on the network ), the information is limited. We will be looking at some of these menus in other articles.

 

 

Configuration/Logs

 

Please click the "Configuration/Logs" tab.

This pop out screen provides you with administrative tasks as well as additional data for the configuration.

 

 

Second Tab

 

Please click the tab listed "Admin 192.168.120.11" that has popped up because you selected "Configuration/Logs".

 

 

Log File

 

The log file is the first screen that pops up showing everything that is occurring the the virtual appliance. Information like logins ( GUI ) and Info messages are shown.

 

 

Configure Portals

 

Please click the "Configure Portals" option in the left pane menu.

 

 

Portals - Defending / Logging

 

As you will see from this screen, this is where I set up the configuration for the two portals to be put into defending and logging mode. The "Protected_app" will be defended and the "Unprotected_App" will be in logging mode.

 

 

Configure Interfaces

 

Please select "Configure Interfaces" from the left menu pane.

 

 

Network Modes

 

As you will see in the screen on the left, under the "Internet/Protected Global Definitions", there are multiple ways to configure the DDoS Secure appliance. In our case we have it setup as an L3 ( Router ) because this scenario works best for the vPod. Note that the configurations for L2 ( Bridge ) and L2/L3 ( Split Network ) can also be configured.

As an FYI, DDoS Secure uses "Internet" and "Protected" to differentiate the side of the attackers ( Internet ) and the side of the applications ( Protected ).

 

 

Shutdown

 

Although we do NOT want you shutting down the DDoS Secure appliance, please note that this is where you would do it.

Note that this option is available in the bottom of the left menu pane.

This concludes a quick look at the DDOS Secure User Interface. Please proceed to the configuration of the testing environment article.

#JuniperLab

 

Configuration of Testing Environment


In this lab, we will be simulating a low and slow DDoS attack.

Low and Slow attacks use as you can imagine "Slow" traffic, making it appear more notmal to an organization. The often go undetected because the do not violate any specific protocol, they do not match any specific signature. The end users will see low reaction to the calls to the systems creating incredible performance impact.


 

vSphere Tab

 

Proceed back to the first tab in the Internet Explorer browser.

 

 

vSphere Web Client login

 

Log into the VMware vSphere Web Client with the following credentials

User name : root

Password : VMware1!

Click "Login"

 

 

Home

 

Click the "Home" button in the top blue bar.

 

 

VMs and Templates

 

Click the "VMs and Templates" icon in the Inventories pane.

 

 

Expand Datacenter

 

Click the arrow to the right of "Datacenter Site A".

 

 

VM's We Will Be Using

 

In our scenario we will be using the vm's highlighted.

 

 

Protected and Unprotected Applications

 

In our simulation we will have a "Protected Application" ( 2 Protected Application ) and an "Unprotected Application" ( 2 Unprotected Application ). These applications are on the Protected side of the DDoS Secure.

Remember when we were in the DDoS Secure Dashboard and the "Protected_App" was identified as Defending and "Unprotected_App" was identified as Logging. As you can imagine the Protected Application will be protected by the Juniper DDoS Secure virtual edition appliance and the Unprotected Application will not.

Note that these two virtual machines are exactly the same. They are simulated webservers with databases.

 

 

Attacker

 

"Attacker 42" will simulate a low and slow attack.

Please note that this is a Linux box with customized scripts for their various attacks. This virtual machine is on the Internet side of the DDoS Secure.

Attacker 42 has two interfaces specifically for the simulation.

 

 

Windows Box

 

The "base-w7-01a" box will be used to show the impact of the attack.

 

 

DDoS Secure Virtual Edition

 

Lastly our "DDoS Secure virtual edition" virtual application will send inline between the attackers and portals, collecting the data and doing it's thing.

Let us see it in action. Please proceed to the next article where we will simulate a low and slow attack and show how Juniper DDoS Secure protects the protected site.

#JuniperLab

 

Low and Slow Attack


As mentioned previously a low and slow DDoS often become unnoticed by conventional tools. In this low and slow DDoS attack simulation, we will show you how Juniper's DDoS Secure can easily "catch" the data and protect the "Protected Application". Application-layer attacks, often referred to as “low and slow” ( to describe the attacker’s goal of staying under threshold detection systems ), have exposed weaknesses in netflow and threshold based detection techniques. RUDY ( R-U-Dead- Yet ) and Slow Loris are two types of application-layer attacks that target the HTTP protocol. The attacker seeks to launch a multitude of requests that are difficult to serve back to the requester, depleting application resources and quickly bringing the website down.


 

vSphere Web Client

 

Make sure you are still in the "vSphere Web Client" tab within Internet Explorer.

 

 

Launch Windows Console

 

Select "Open Console" for the "base-w7-01a" virtual machine.

Note that it will pop up in the next tab.

 

 

Logging into Windows VM

 

Use

password : VMware1!

click " -> " button to the right of the password

for the vmware account for the windows vm.

 

 

Launch Firefox

 

Double click the "Mozilla Firefox" icon on the desktop.

 

 

Launch Protected App

 

Please select the "Protected App" shortcut in the menu bar.

 

 

Protected App

 

Notice the image in the Protected App is the Juniper Networks image.

 

 

Firebug

 

You will see that we have added the additional tool Firebug into Firefox. This tool is used to show how long it takes for the website to make it's calls once under attack.

Notice the time while the site is running cleanly. In this case, it is 421 ms ( note that your time may be different ).

 

 

New Tab

 

Please click the " + " symbol in order to bring up a second tab.

 

 

Launch Unprotected App

 

Please click the "Unprotected App" shortcut on the menu of Firefox.

 

 

Unprotected App

 

Notice that the image in Unprotected App site is tomato cart ( we wanted to differentiate between them in case you got confused... I did at times : ) )

Firebug is also available on the bottom of the screen. Feel free to look at the time to load the unprotected site.

 

 

Back to vSphere Web Client

 

Please proceed back to the "vSphere Web Client" tab in Internet Explorer.

 

 

Launch Attacker 42

 

Please "Open Console" of "Attacker 42" by right clicking on "Attacker 42" virtual machine.

 

 

Log into Attacker 42

 

Please log into the Attacker 42 with the following credentials

Attacker login : root

Password : Juniper1!

 

 

Ping Protected App

 

At the prompt, type

ping 192.168.130.77

This is the IP address of the Protected Application.

 

 

Exit Console

 

Select < Ctrl + Alt > to escape the window, please keep the ping going.

 

 

Proceed to DDoS Secure

 

Please click on the DDoS Secure tab in Internet Explorer.

 

 

Select ICMP Info

 

Please select "ICMP Info" on the left column.

 

 

ICMP Info

 

As you can see the Attacker 42 vm is pinging the Protected Application and the Juniper DDoS Secure appliance can see it.

 

 

Back to Attacker 42

 

Please proceed back to the "Attacker 42" tab in Internet Explorer.

 

 

Stop Ping

 

Stop the ping by entering < Ctrl + C > in the console.

 

 

Start Attack

 

at the command prompt, type

sh slow_query_attack.sh

 

 

Leave Attacker 42

 

As the message show, please hit < Ctrl + alt > to release the cursor.

 

 

DDoS Secure Dashboard

 

Please proceed to the DDoS Secure tab in Internet Explorer.

 

 

Traffic Numbers

 

You will see the numbers increase on the right hand side of the dashboard. Remember this is a low and slow attack and it will take some time for the attack to show and for the site to be protected and it will take time for the sites to recover. It is a cool simulation so give it time please.

 

 

Proceed to URL Info

 

Please proceed to the "URL Info" option in the left pane.

 

 

URL Info

 

You can see the top two lines show the Unprotected App and the Protected App.

This is a low and slow attack but you will see the number increasing. At this time, you will see the pending numbers are approximately the same. Did you want me to remind you that it is low and wait for it... slow... attack.

 

 

Pending Numbers

 

After some time, you will see the pending numbers start to have a huge differentiation !!!

Right now the unprotected app has 236 requests pending and the protected app has 53 requests pending. Note that your numbers will be different.

Clearly the Juniper DDoS is protecting the protected app!!! But wait, we are not done...

 

 

Proceed to Windows VM

 

Please proceed to the "base-w7-01a" tab in Internet Explorer.

 

 

Reload Protected App

 

In Firefox

( 1 ) Reload the Protected App website by selecting the circle arrow.

( 2 ) You will notice that it launches in a specific amount of time. In this case, it is 46 ms.

 

 

Unprotected App

 

Please click the first tab to go the Unprotected App.

 

 

Reload Unprotected App

 

( 1 ) reload the Unprotected Application site by click the circle arrow

( 2 ) Notice the time it takes to load the site. In this case, 14.59s

Note that the longer you wait for the attack to progress, the longer the response time will be. For instance, we have seen this take 200 s or even time out.

There is a big difference between 46 ms and 14.59 sec.

Juniper DDoS Secure protected our Protected App from the low and slow DDoS Attack.

Cool huh? I told you!!!

 

 

Final Thoughts

 

So what we just saw is a low and slow attack from our "Attacker 42" virtual machine against two seb servers. We saw the Juniper DDoS Secure automatically saw the attack and protected the "Protected App" from the attack so that no impact was made to the end users. No configuration was needed on your part for this use case, DDoS Secure did it automatically!!

Please provide to the final article in this module, "Why Juniper DDoS Secure".

#JuniperLab

 

Why Juniper DDoS Secure


I thought it was important to follow up regarding the Juniper DDoS Secure product. When I think about the capabilities inherit to the product such as CHARM, it is hard to ignore why you should not be using DDoS. The first distributed denial of service (DDoS) attack occurred in 2000 and was used to take out Amazon, eBay, and a host of other e-commerce sites. The weapon used was a volumetric flood attack, and the attackers used a rudimentary botnet of multiple computers to flood the network with high volume traffic that brought the e-commerce sites down, causing an estimated $1.7 billion in collective damages.

Since then, DDoS attacks have evolved from being a blunt weapon, using high volume attacks to bring down Web servers, to highly sophisticated application-level attacks designed to zero in on strategic business resources. 2012 saw a series of attacks against the banking industry, some politically motivated and high profile, while others involved financial theft and fraud. The e-commerce sectors were subject to attack as well following the real world trends of  major shopping holidays respectively.

2012 saw a sharp increase in Layer 7 DDoS attacks. What makes L7 attacks so stealthy is the fact that they
 masquerade as legitimate traffic to carry out the attack. A Layer 7 or application-layer, attack exploits inherent flaws
 and vulnerabilities in application software rather than using brute force to achieve desired results. The majority of application-layer attacks target well-known applications such as HTTP, HTTPS, domain name system ( DNS ), and VoIP ( Session Initiation Protocol or SIP ). Much like volumetric attacks, L7 attacks require very little investment by attackers. It is more than possible to bring down major websites with a laptop and as few as 40 to 60 of the same request per second ( aka PPS, or packets per second ). To give this some context, volumetric attacks will range from the low hundreds of thousands PPS to millions of PPS. Their appearance of legitimacy ( adhering to protocol rules, with normal and complete TCP connections ) is what makes L7 attacks benign in appearance and exceedingly difficult to detect and mitigate.

What is at stake is costly service outages that can result in lost business and defection of end customers, along with sometimes irreparable damage to brand and reputation. In the financial services industry, more likely than not it also involves theft of sensitive data and financial fraud. In the education and healthcare sectors, a primary concern is access to student information, electronic medical records, and theft of sensitive data that could result in huge lawsuits and terrible outcomes for individuals who have their information stolen. A loss of availability for airline ticketing sites or e-commerce sites, large or small, could result in a loss of revenue and credibility. Inevitably, a DDoS attack is accompanied by financial losses that can be hard to recover from.

Junipers' DDoS Secure’s innovative design uses a “ closed loop ” process to look at the full cycle of the packet coming in, the resource it is destined for, the resource’s ability to return the request in a timely manner, and finally the request being served back to the requester. DDoS Secure is self-learning and requires no tuning or thresholds to be set. It monitors how the application responds and learns from each encounter. This innovative heuristics-based approach enables the technology to determine both what normal traffic looks like and what normal responses from an application look like. As new attacks occur, DDoS Secure updates the algorithm to 
include the characteristics of the new attack, creating a highly intelligent DDoS defense system that incorporates dynamic updates and removes confusion from attacks that may be occurring as the system learns the limitations of the application environment. In the case of a DNS amplification attack, DDoS Secure applies intelligence about the behavior of the DNS resource to shut down the attack before it can overwhelm and bring down the DNS server. DDoS Secure’s intelligence filters out repetitive requests to a DNS system for the same information, thereby averting a DNS amplification attack and protecting the unsuspecting target from rogue requests impacting its availability.

In other words... the question becomes Why NOT Juniper DDoS Secure!!!


 

End of Lab

We wanted to thank you personally for taking the Juniper lab at the VMworld 2014 Hands-on Lab.

If you have a twitter account, please tweet to @banksek or email her at PewPew@juniper.net and let her know your thought.

Have a great day!!

#JuniperLab

#PewPew

 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-PRT-1472

Version: 20150226-113657