Lab Overview - HOL-PRT-1472 - Juniper Virtual Security Lab Overview
So you have decided to incorporate a cloud and/or virtualization into your business, utilizing it for bursting, development, testing, or even production applications. Have you built security into your virtual data center? Are you concerned about DDoS attacks on your production applications? What about the ability to implement network-based AV, VPN, NAT, IPS, and routing in your virtual data center, establishing a secure and operable software-defined data center that is able to expand and maintain security throughout its entire lifecycle? What about having a DDoS appliance in a virtual format for ease of deployment to any tenant? Building these technologies on the experience and confidence of Juniper Networks allows a solution that truly understands the functions and needs of networking and security for your software-defined data center. Only Juniper can understand security from a network standpoint because we are truly a network and security company. This lab will show you just a touch of our virtual security capabilities for your Enterprise or Service Provider environment. Understand that we have a full suite of virtualized security and network products and tools that allow you to manage your physical and virtual data center.
Before starting with the lab, let's make sure that all of your virtual machines are up and running.
From the Control Center desktop, please double click the Internet Explorer icon.
The login page for VMware vSphere Web Client will automatically launch. Please enter the following credentials:
User name: root
and click "Login".
Click the "Home" button.
Click the "VMs and Templates" icon.
Click the arrow to the left of "Datacenter Site A" so that we can verify that the VMs are running.
As you can see, the "DDoS Secure Virtual edition" VM is not running. This may not be the case with your lab. Your lab may have all the VMs running (see note below) or other VMs not running. This is why we are checking.
NOTE: Attacker 32 does NOT need to be started.
If any of the VMs are not running (with the exception of Attacker 32), please right click on the VM and select "Power On".
Once you have verified that all the VMs are running (with the exception of Attacker 32... have I mentioned that already? :) ), please proceed with the first Module.
Module 1 - Juniper Junos Space 101 (15 min)
Juniper Junos Space is a comprehensive Network Management Solution that simplifies and automates management of Juniper's switching, routing, and security devices. Junos Space consists of a network management platform for deep element and FCAPS management (fault, configuration, accounting, performance, and security; the FCAPS Network Management framework was created by ISO and categorizes the working objectives of network management into these five levels of management), plug-and-play management applications for reducing costs and provisioning new services quickly, and a programmable SDK for network customization. With each of these components working cohesively, Junos Space offers a unified network management and orchestration solution to help you more efficiently manage your network. In this lab, we will be covering the Virtual Director and Security Director applications. There are other applications available for Junos Space, such as Network Director, but as indicated, we will not review them at this time.
Two of my favorite parts of the Junos Space Appliance: first, it is available in both a hardware and a virtual appliance format. This gives you incredible flexibility in your data center and we are all for that. My second favorite part is that both versions support multiple nodes, and this in turn provides the scalability and availability that your managed network requires as you add more devices, services, and users. You see, Junos Space manages BOTH virtual and physical components in your data center, but more on that later.
Let's delve in to the Junos Space GUI.
On the Control Center box (the box you are logged in to), double click on the Mozilla Firefox icon on the desktop.
Once Firefox is launched, Junos Space should be the homepage, but in case it is not, click on the "Junos Space Login" shortcut in the toolbar of the browser.
Note that this is the certificate message from Internet Explorer; it requires an acknowledgement, but because we are using Firefox for this lab, we did not get one.
In case you are seeing a certificate error, please accept it (although in my testing, I did not, but you never know :) ).
You will now see the Junos Space login.
To log into Juniper Junos Space, use the following login
When you have entered the credentials, please click "Log In".
Once you first log in to Junos Space, you will see the main dashboard for the product. When you select any application (Security Director, Virtual Director) in the box above the task tree, a dashboard displays graphical data about devices, jobs, users, administration, and so on.
The dashboard provides a snapshot of the current status of objects managed and operations performed within a Junos Space application. The Network Management Platform dashboard ( as shown above ) displays the system health of your network and the percentage of jobs run successfully and in progress.
The Network Management Platform dashboard contains gadgets ( graphs and charts ) that display statistics that provide a quick view of system health. They include a gauge for overall system condition and graphs that display the fabric load and active users history.
Feel free to move and resize the gadgets.
If you click on the blue bar of each of the gadgets, you will see the cursor change into an X; this means that the gadget can be moved within the dashboard. Try it out!
All dashboard gadgets are visible for all users and are updated in real time.
If you right click on the "Job Information" gadget you will see that the images can be saved and/or printed.
Still within the "Job Information" gadget, if you double click on the Green "Success" section, it will bring you to greater detail such as the one shown above.
When you clicked the green circle you were automatically taken to the listing of jobs. Thankfully all my jobs were successful, but you can imagine that jobs do fail for various reasons and they would show up here as well.
Junos Space has this great Global Search capability. You can see that the search bar is always available no matter what screen you are on. You can use this feature to quickly locate any object within Junos Space. Junos Space allows you to perform a full-text search for objects within the system. You can search on object categories such as device name, Juniper platform (Junos OS, Junos ES, etc.), OS version, serial number, IP of physical and logical interface, name of physical and logical interface, MAC address, software, and many more. The global search operation supports query expressions. You can search for phrases and multiple terms. The default operator for multiple terms is the OR operator.
In this implementation of Space we have two additional applications installed. By clicking on the down arrow as described in the picture above, you can see what is available. We will not go into these applications at this time, but we wanted you to have a quick look. In this lab configuration we have installed Virtual Director and Security Director. Service Now is part of the "default" Network Management Platform. Service Now is an automated troubleshooting capability that accelerates problem resolution by allowing you to open cases with Juniper Technical Support (JTAC) and include all related logs and diagnostics. Junos Space Service Now also reduces the time to integrate new Juniper products or releases into the network by using customized scripts installed on the Junos devices. Troubleshooting expertise is integrated into the products and therefore outage time is reduced. It also helps to lower the learning curve for operations personnel who are new to Juniper products.
No need to click any of the applications now, just click the arrow again.
Within each application (in this case, Network Management Platform) are the Task Groups, sometimes also referred to as Workspaces. These Task Groups are part of the task tree on the left side of the display. It is the navigation center for Junos Space. Note that you can collapse the task tree by clicking on the double left arrows, but we will not do this at this time. These arrows are highlighted in the above image.
Let's look at the Network Management Platform Task Groups.
Click the " + " to the left of the "Devices" Task Group.
As you can see, there are many options and Sub Task Groups available under "Devices". Let us spend some time in these options.
By clicking the "Devices" Task Group, you will get a dashboard on the right.
A screen shot of the Devices Dashboard is above. Once again, these gadgets can be moved and you can drill down into them for greater detail. There are three gadgets: "Device Count by Platform", "Device Status", and "Device Count by OS". We have not deployed any devices at this time and therefore the gadgets have no data.
I have already expanded the additional Sub Task Groups in the image provided.
I will admit that the data is not fun to look at at this time because there are no devices but like I said previously, feel free to click through all the options and see the data that is available.
For instance, I love the "secure console" option available from the "Devices" Task Group.
Click the " + " to the left of the "Device Templates" Task Group.
There are two options available under this Task Group, please select "definitions".
Here you will see the default device templates that are provided with Junos Space Network Management. As you can see, they list the majority of the types of device families available from Juniper. Note that these are for the hardware devices that Junos Space supports.
Please select the "Default Syslog_Config_JUNOS" Device Template and select the pencil icon.
Click the " + " to the left of the "Configuration" folder in "Available Configuration".
You will see that the template gives you a layout of the various options available. This will provide ease in your configurations of the devices that you can deploy through Junos Space.
This Task Group allows you to easily apply a configuration to a device. Configlets are configuration tools for Junos OS that enable you to apply configuration to a device while reducing configuration complexity. A configlet is a configuration template that is transformed into a CLI configuration string before being applied to a device. The dynamic elements (strings) in configuration templates are defined using template variables. These variables act as input to the transformation process that constructs the CLI configuration string. A variable can contain anything: an interface name, a device name, description text, or any similar dynamic value.
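To make the configlet transformation concrete, here is an added Python illustration (not Junos Space's own code or template format) that renders a syslog configlet, in the spirit of the Syslog_Config_JUNOS template seen earlier, into Junos CLI `set` statements for several devices. The `$name` variable syntax, the template text and the device values are constructed assumptions; the check that every value is a single CLI token is there so that a variable value cannot smuggle an extra statement into the configuration pushed to a device.

```python
import re
from typing import Dict, List

# Constructed configlet in the style the text describes: a Junos syslog
# configuration whose dynamic parts are template variables. The "$name"
# variable syntax and this template text are assumptions for the
# illustration, not the format of Junos Space's own configlets.
SYSLOG_CONFIGLET = """\
set system syslog host $syslog_host any $severity
set system syslog host $syslog_host source-address $source_ip
set system syslog host $syslog_host port $syslog_port
set system syslog file messages any notice
"""

# A variable reference: "$" followed by an identifier.
VAR_PATTERN = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

# A value must render as a single CLI token: no whitespace, quotes or
# newlines, so a value can never inject an additional "set ..." statement
# into the configuration string that gets applied to the device.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._:/-]+")


def template_variables(template: str) -> List[str]:
    """Distinct variable names used by the template, in first-seen order."""
    seen: List[str] = []
    for name in VAR_PATTERN.findall(template):
        if name not in seen:
            seen.append(name)
    return seen


def check_values(template: str, values: Dict[str, str]) -> List[str]:
    """Problems that would make rendering incomplete or unsafe (empty = OK)."""
    problems: List[str] = []
    for name in template_variables(template):
        if name not in values:
            problems.append(f"missing value for ${name}")
        elif not SAFE_VALUE.fullmatch(values[name]):
            problems.append(f"unsafe value for ${name}: {values[name]!r}")
    return problems


def render_configlet(template: str, values: Dict[str, str]) -> str:
    """Transform the template into the CLI configuration string for one device."""
    problems = check_values(template, values)
    if problems:
        # Refuse to produce a half-formed or tampered configuration.
        raise ValueError("; ".join(problems))
    return VAR_PATTERN.sub(lambda m: values[m.group(1)], template)


def render_for_devices(template: str,
                       per_device: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Render one configlet for several devices of the same family at once."""
    return {device: render_configlet(template, vals)
            for device, vals in per_device.items()}


if __name__ == "__main__":
    # Constructed per-device values for two hypothetical devices.
    fleet = {
        "srx-branch-1": {"syslog_host": "10.0.0.5", "severity": "info",
                         "source_ip": "10.0.1.1", "syslog_port": "514"},
        "srx-branch-2": {"syslog_host": "10.0.0.5", "severity": "warning",
                         "source_ip": "10.0.2.1", "syslog_port": "514"},
    }
    for device, config in render_for_devices(SYSLOG_CONFIGLET, fleet).items():
        print(f"# {device}\n{config}")
```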
Junos Space facilitates management of devices running Junos OS (Juniper's operating system) by enabling you to download a device image from Juniper's software download site to your local file system. You can then upload the device images and deploy them onto a device, or onto multiple devices of the same device family simultaneously. After you upload a device image you can stage it on a device, verify the checksum, and deploy the staged image whenever required. You can also schedule the staging, deployment, and validation of device images.
You can also use Junos OS Scripts for configuration and diagnostic automation tools in order to deploy, verify, enable, disable, remove, and execute scripts that have been deployed to the devices.
The Reports Task Group is for... you guessed it... Reports. You can generate customized reports for managing the resources on your network. You can use the reports to gather data related to the device inventory details, job execution details, and audit trails. You first create a report definition to specify what information to retrieve from the Junos Space inventory database. You then use this report definition to generate, export, and print the reports. Junos Space does provide some pre-defined categories to create report definitions. We will not be creating reports in this lab but feel free to speak with a Juniper Sales Rep for more information.
With the Network Monitoring task group, you can assess the performance of your network, not only at a point in time but also over a period of time.
Click the "Network Monitoring" Task Group to see the dashboard.
As you can see, the "Network Management" dashboard gives you a view into "Nodes with Outages", "Availability over the past 24 hours", "Notification", "Resource Graphs", "KSC Reports", and "Quick Search". This dashboard provides great insight into your organization, and quick searches against Node ID, "Node Label like", TCP/IP address, and provided services (ICMP or SNMP).
Click on the " + " arrow to the left of the "Network Monitoring" Task Group.
By expanding the "Network Monitoring" Task Group, you can see that there are many additional options. Feel free to review the screens associated with the additional Sub Task Groups.
You can maintain copies of device configuration files, whether running, candidate, or backup configurations. This assists with device configuration recovery and with maintaining consistency across multiple devices.
The "Jobs" Task Group ironically monitors the progress of ongoing jobs. Crazy, I know! (Note that the "Jobs" Task Group should already be open.)
Once again we have an amazing dashboard with drill down capability. There are three default gadgets available on the dashboard. Feel free to once again move them within the screen and to drill down into the various details.
This, surprisingly, is where you add, manage, and delete users. I know... crazy place to put this, right? Just joshing....
The Users Task Group is where you can add your users and assign roles to them.
In the Audit Logs task group you can view and filter system audit logs including those for user login and logout, tracking device management tasks, and displaying services that were provisioned on devices.
Click on the "Audit Logs" Task Group.
The dashboard on the "Audit Logs" shows all statistics available from the audit log.
Click on the blue section of the statistics.
In this case, I have only logged in as "super" but you can imagine that if there were other logins, these would show up as well.
Please select the "IP Addresses" as identified in the image.
Here you see the IP addresses from which I have been accessing Junos Space.
And lastly, Administration allows you to add network nodes, back up databases, manage the licenses and applications, or even troubleshoot. As you can see the administrative tasks are accomplished through this Task Group.
This concludes our introduction to Juniper's Junos Space. Our next chapter will go into detail of the Virtual Director application.
Junos Space Virtual Director is dedicated to provisioning, bootstrapping, monitoring, and lifecycle management of a variety of Juniper Virtual Appliances and related virtual security solutions. Virtual Director can be used to deploy, manage, and monitor instances of Firefly Perimeter (more detail later), which provides security and networking services at the perimeter in a virtualized private or public cloud environment. Virtual Director also registers each instance of Firefly Perimeter with the Junos Space Platform to allow other Junos Space applications, such as the Security Director application, to configure security policies.
The diagram above shows where Virtual Director and Space sit in your virtual environment. As you can see, Virtual Director is used to support many of Juniper's virtual appliances. Security Director is used to manage many of Juniper's physical hardware devices.
Juniper's Junos Space ties directly into VMware's vCenter Server.
Virtual Director has already been installed into the Junos Space Network Management Platform. In order to launch the application, select the down arrow to the right of "Network Management Platform" and select "Virtual Director".
Just like the dashboard in the "Network Management Platform", the "Virtual Director" "Dashboard" gives you a synopsis of the environment. At this time, this is a clean install. We will populate this information in later articles in this lab.
Take note of how the "Summary" and "Deployment Alerts" look at this time. As we do more activity in this lab, this information will change. Feel free to come back to the dashboard at any time.
Like I stated, this is a fresh installation and currently none of the deployments have failed, because we have not even tried. We will deploy later! This information shows at the bottom of the "Virtual Director" "Dashboard". Personally, I think it is nice to have this information for your data center in that single pane.
Expand the "Design" Task Group. You will see there are three Sub Task Groups. Let us check them out.
The "Design Task Group" has three Sub Task Groups
Let's look at these individually.
( 1 ) Please click on the "Virtualization Providers" Sub Task Group. We do not have any at this time so let's connect one. We will only be connecting one but as you can tell, there can be multiple "virtualization providers" added to the system allowing you to manage different systems or tenants.
( 2 ) Please click on the green " + " circle.
When the popup for "Define Virtualization Provider" appears, please provide the following information :
Name : VMworld 2014 HoL
Network Address : 192.168.110.22
Administration Account Username : root
Password : VMware1!
Virtualization Provider Type : [default]
Connection : [default]
and then click "Done".
Once the connection is made, you will now see the new virtualization provider that you created is added.
This connection is needed in order to deploy our Firefly Perimeter devices into our virtual data center for all types of customers.
Please click on "VM Image Files".
You will see that we currently do not have any VM image files in the system at this time, but it is incredibly simple to add additional files into Virtual Director.
Please select the green " + " symbol.
The "Load OVA" screen will pop up.
Please click the "Browse" box.
Please make sure that you are in the "Downloads" directory if you are not already in this directory.
The downloads folder appears.
Please select the "junos-vsrx-12.1X46-D10.2-domestic.ova" image file.
Now that you have selected the image, please click "Open" in the bottom right corner.
Once back at the "Load OVA" screen, click the "Upload" button.
While your file uploads :).
#PewPew, the file has been uploaded.
Please click the "OK" button.
You will now see your image in the "VM Image Files" screen.
We will use this image for building our template and deploying the device.
The "Virtual Device Templates" Sub Task Group allows you to see your previously created templates for deployment as well as to create new templates. Of course, we have not created one but we will be doing this in the next article.
Click on the " + " symbol to the left of the "Manage" Task Group.
The "Manage" Task Group has two Sub Task Groups. Feel free to review them, but as you can imagine, they are empty :).
Click on the " + " symbol to the left of the "Monitor Devices" Task Group.
Please click the "VM Connection Status" option.
As you can see, there is a Firefly Perimeter device listed. This Firefly Perimeter was deployed previously into the Juniper vPod.
I needed to make sure you had some items to review :).
Notice that you can highlight a column and move it to your desired location on the bar for ease of management and viewing. Feel free to move a column to a new location by clicking on the column heading and dragging it to its new place.
Feel free to expand the columns to get greater detail. In this case, I have widened the IP Address column. When you hover over the line in between the columns, the resize symbol will appear.
You can imagine how many devices can appear in the screen. At times it may be going off the screen so the ability to search by "VM Name", "VM Status", "IP Address", and "Device Host Name" is in the top bar. Pretty handy huh?
The "Deployment Status" Task group gives you a recap of all the request IDs that have occurred. For instance, you would see the request id for the power on and power off of the Firefly Perimeter Virtual Machines. It provides a summary of the succeeded and failed tasks.
And the last Task Group within "Virtual Director"...
Click on "Application Settings". You will notice on the right that the "Alert Settings" option comes up. This allows you to set up the email addresses to which alerts are emailed.
And this closes out the Task Groups for the "Virtual Director" application within Junos Space. Let's look at how the Firefly Perimeters are managed next... so off to the next article in this module where we go into detail of Security Director.
Security Director is a Junos Space application that is a quick and easy approach you can use to design your network security. With Security Director, you can create IPsec VPNs, firewall policies, NAT policies, and IPS configurations and push them to your security devices. These configurations use objects such as addresses, services, NAT pools, application signatures, policy profiles, VPN profiles, template definitions, and templates. These objects can be shared across multiple security configurations. You can create these objects prior to creating security configurations.
Firewall policy, NAT policy, and IPS policy can be created and managed in a Tabular view. You can easily add new rules to the policies and choose to override policy-inherited settings by customizing the settings at a per-rule level. After you have added the rules to the policy, you can reorder these rules based on priority or group these rules for easy identification and modify them at a later time. A unified user interface approach for firewall, NAT, and IPS policies helps you reduce the learning time required to create different security configurations.
You can periodically download the latest version of application signatures and IPS signatures from a URL provided by Juniper Networks. You can install these signatures on Juniper security devices. You can then use application signatures and IPS signatures when creating firewall policy configurations. Security Director also lets you create your own customized signature sets. All application firewall and IPS configurations are pushed to the devices when the firewall policy in which they are used is pushed to the devices.
When you finish creating and verifying your security configurations, you can publish these configurations and keep them ready to be pushed to the security devices. Security Director helps you push all the security configurations to the devices all at once by providing a single interface that is intuitive.
Pretty Cool Huh?
From the Applications left column,
( 1 ) Select the down arrow to the right of "Virtual Director" ( the last application we were in )
( 2 ) and select "Security Director"
Here is a screen shot of the Task Groups that are available in the "Security Director" application. We will go into greater detail on these Task Groups after we do one last check on the dashboard.
From the "Security Director" dashboard you have the ability to
Click on the " + " symbol to the left of the "Firewall Policy" Task Group.
( 1 ) Click the "Firewall Policy" Task Group.
On the screen to the right, you will see two sections.
Policies ( 2 ) will show firewall rules that have been previously created.
The right pane ( 3 ) of the firewall policy Inventory Landing Page ( ILP ) divides the set of rules into two rule bases. All zone-based rules are grouped under Zone and the SRX Series All Devices rules are grouped under Global.
Security Director provides you with five types of firewall policies
As you can see, the "Firewall Policy" Task Group is where you can
We have not created any policies yet but will in the subsequent articles.
Please click the " + " symbol to the left of the "IPS Policy" Task Group.
Please click the " + " symbol to the left of the "IPS Signature" Sub Task Group and
please click the " + " symbol to the left of the "IPS Signature-Set" Sub Task Group.
IPS (Intrusion Prevention System) is available as part of the overall functionality of the hardware devices. In future releases of Firefly Perimeter this capability will be included, but again, Junos Space is a tool for both hardware and software versions of Junos OS products.
You can use the IPS Policy Task Group to download and install the AppSecure signature database to security devices. You can automate the download and install process by scheduling the download and install tasks and configuring these tasks to recur at specific time intervals. This ensures that your signature database is up to date.
You can view the predefined IPS policy templates and create customized IPS policy-sets in this Task Group. You can also enable IPS configuration in a firewall policy, which provisions the IPS-related configuration along with the firewall policy.
Click on the " + " symbol to the left of the "NAT Policy" Task Group.
Network Address Translation (NAT) is a form of network masquerading where you can hide devices between the zones or interfaces. A trust zone is a segment of the network where security measures are applied. It is usually assigned to the internal LAN. An untrust zone is typically the Internet-facing side. NAT modifies the IP addresses of the packets moving between the trust and untrust zones.
Junos Space Security Director supports three types of NAT ( IPv6 is supported ):
Click on the " + " symbol to the left of the "VPN" Task Group.
You can create site-to-site, hub-and-spoke, and full-mesh VPNs in this Task Group. If you want to use a custom VPN profile, you must configure the VPN profile before creating the VPN.
You can configure the following parameters for an IPsec VPN
You can also customize endpoint-specific settings like VPN Name, IKE ID, and profile for each tunnel.
After the VPN configuration is saved, you can provision this VPN on the security devices.
In Security Director, route-based VPNs support OSPF and RIP routing along with static routing.
Security Director supports dynamic routing in VPN addressing. Security Director simplifies VPN address management by enabling the administrator to export static routes to a remote site over a tunnel, allowing the static route networks to participate in the VPN.
If we had VPNs configured, you would see them in the left pane of the Tabular view.
Click on the " + " symbol to the left of the "Object Builder" Task Group.
You can use the Object Builder Task Group in Security Director to create objects used by firewall policies, VPNs, and NAT policies. These objects are stored in the Junos Space database. You can reuse these objects with multiple security policies, VPNs, and NAT policies. This approach makes the design of services more structured and avoids the need to create the objects during the service design.
You can use the Object Builder Task Group to create, modify, clone, and delete the following objects:
Click on the " + " symbol to the left of the "Devices" Task Group.
The "Devices" Task Group lists the devices that have been discovered by Junos Space. This Task Group gives you greater flexibility into the view of your virtual datacenter and your physical data center. Remember, this tool is for both virtual AND physical devices. It is a one stop shop. Pretty awesome huh?
The "Jobs" Task Group gives you a full listing of all the jobs run through or for Junos Space.
Please click on "Jobs" in order to bring the dashboard up.
Once again a dashboard is available to give us visibility in to the system.
Please double click on the "Add Application" job type.
You can see the "Job Type" of "Add Application" is listed. This shows the install of the Security Director and Virtual Director applications.
The "Security Director Devices" Task Group allows you to update the devices with firewall policies, NAT policies, and VPN Configurations.
The "Downloads" Task Group allows you to download AppFirewall and IPS Signatures.
While you are on this screen please click the " + " symbol to the left of "Downloads".
This particular dashboard provides you with a full listing of all of the AppFirewall and IPS Signature downloads. It is a great way of keeping track of all the updates that you have received and implemented within the system and the products.
Please click on the "Signature Database" Sub Task Group.
The Signature Database page appears. You can see the signature databases that were downloaded earlier. At any time, Security Director will have only one active signature database.
You can see on the top of this screen there is an IPS Signature that can be installed on the system.
Please select the "Install Configuration" Sub Task Group.
We do not have Juniper SRX devices in the network, so we cannot install the configuration at this time, but you can see how the installation would occur from this screen, either immediately or scheduled for a later time. You have the control to determine when this would be done.
FYI, SRX Series Services Gateways are high-performance network security solutions for enterprises and service providers that pack high port density, advanced security, and flexible connectivity into easily managed platforms.
SRX Series Services Gateways deliver next-generation firewall protection with application awareness, intrusion prevention system (IPS), and extensive user role-based control options, plus best-in-class unified threat management (UTM) to protect and control your business assets. Next-generation firewalls are able to perform full packet inspection and can apply security policies based on Layer 7 information. This means that you can create security policies based on the application running across your network, the user who is receiving or sending network traffic, or the content that is traveling across your network to protect your environment against threats, manage the way your network bandwidth is allocated, and control who has access to what.
SRX Series gateways come in a broad range of models from all-in-one security and networking appliances optimized for the enterprise edge to highly scalable, high-performance chassis solutions optimized for service providers and large data centers. All solutions can be centrally managed using Junos Space Security Director, and additional security services are easily added to existing SRX Series platforms for a cost-effective solution.
Select "Download Configuration" from the left hand bar.
On this screen, you have the ability to download additional signature files that will be used with your virtual and hardware appliances.
So as I described earlier, if you wanted to update the signatures in your SRX devices, this would be accomplished here.
I am also happy to note that Firefly Perimeter x47 will include UTM and IPS capabilities and in turn, Security Director would be used to update the devices as well.
Select the "Audit Logs" Task Group.
You will see the dashboard on the right hand side of the page. Feel free to drill down into the various tasks for greater detail.
Please note that your image may look different with regard to the tasks that were implemented in the system.
This concludes the introduction to Security Director. Please proceed on to the next module where you will learn more about Firefly Perimeter's advanced security services and network capabilities.
Module 2 - Managing Your Physical and Virtual Infrastructure with Juniper Junos Space (45 min)
For Service Providers (SPs), the network is the money-maker. SPs look to their network to create innovative services that solve business problems and demonstrate the added value they can bring to their customers. These services must always be available to ensure end-subscriber satisfaction, and new services need to be offered frequently as demands and technology change in order to obtain additional revenue streams.
For Enterprises, the network is both a strategic and critical corporate asset, where costs have to be controlled. Explosive demand for smart devices, social media applications, and mobility-based services has placed unprecedented pressure on network operators who must provide a compelling experience to increasingly demanding, tech savvy consumers. The unrelenting expectations of highly secure and always-on connectivity and service, coupled with the growing use of cloud environments, make the network increasingly complex to manage and secure.
Juniper addresses these network challenges with Junos Space to help Service Providers and Enterprise customers maximize their network value and scale solutions, all while reducing complexity. Junos Space is a critical component of Juniper's SDN strategy as it provides a centralized management plane for a single source of truth and a common management platform for managing and creating applications to meet your specific needs.
As we will see in the following articles, Firefly Perimeter is the virtualized appliance with advanced security and networking features based on Junos OS.
In addition to its advanced security services and network capabilities, Firefly Perimeter also empowers network and security administrators to quickly provision and scale firewall protection to meet dynamic demand using Junos Space Virtual Director. When combined with Junos Space Security Director, administrators can significantly improve security policy configuration, management, and visibility of their virtual and non-virtual environments.
Firefly Perimeter provides:
Firefly Perimeter enables Managed Security Service Providers ( MSSP ) to launch and activate new services more quickly by decoupling security services from customer premises equipment ( CPE ). With Firefly Perimeter, MSSPs can migrate from the monolithic architecture and design limitations of a physical firewall to diversified virtual firewall implementations.
They can decentralize fault domains by deploying Firefly Perimeter VMs instead of dedicating a physical firewall to each tenant/customer or sharing one physical firewall across multiple tenants, reaping better returns on their investment. This reduces capital expenditure while aligning the billing with the actual usage.
Additionally, having a firewall in a VM mapped to a single customer allows MSSPs to customize policies and perform maintenance, which only impacts that single customer instead of the traditional approach where numerous customers sharing the same physical firewall are all impacted. Firefly Perimeter enables MSSPs to offer value-added security services such as managed firewall, MPLS, VPN, clean pipe, and secure VM hosting, with a deployment model that lowers time to revenue.
And one of the coolest things that Firefly Perimeter supports is clustering.
Firefly Perimeter provides mission-critical reliability, supporting chassis clustering in both active/active and active/passive modes, with full stateful failover for the connections being processed. Cluster members can also span hypervisors. When Firefly Perimeter VMs are configured in a cluster, they synchronize connection/session state and flow information, IPsec security associations, NAT state, address book information, configuration changes, and more. As a result, not only is the session preserved during failover but security is kept intact. In an unstable network, Firefly Perimeter also mitigates link flapping.
Just as Junos Space works with virtual appliances such as Firefly Perimeter, it also works with Juniper's physical devices, giving both Enterprises and Service Providers the capability to manage their physical and virtual data centers from one set of tools. Saving time means saving money, and Junos Space does just that. What we cover in this lab is just the tip of the iceberg.
As discussed earlier, Firefly Perimeter is a virtualized security and networking tool that every Enterprise or Service Provider should have within its virtualized data center. The technology itself is one reason, but when you add the ease of deployment, configuration, and the automation capabilities, you begin to understand the possibilities of your virtual data center and the growth it can support.
In case you have been logged out, log back in to Junos Space with the following credentials:
Username : super
Password : VMware1!
Click "Log In".
No matter what application is available when you log in, make sure you end up at "Virtual Director". To do this,
( 1 ) Click the down arrow for the applications
( 2 ) Select "Virtual Director"
Please click the " + " symbol to the left of the "Design" Task Group.
Select "Virtual Device Templates".
Click the green " + " circle in the dashboard.
Fill in the following information in to the wizard.
Template Name : Firefly Perimeter
VM Image File : ( Click the down arrow ) Select the OVF file that we have already brought in to the system - "junos-vsrx-12.1x46-D10.2-domestic.ovf".
Once the image is selected, the Product Type and Version are already loaded.
For "Virtualization Host" click the down arrow and select the pre-loaded IP address ( 192.168.110.2 ).
For "Data Center" click the down arrow and select the pre-loaded Data Center ( Datacenter Site A ).
For "Cluster/Host" click the down arrow and select the pre-loaded Cluster ( Cluster Site A ).
For "Resource Pool" click the down arrow and select the pre-loaded Resource Pool ( None ).
( 1 ) For "Data Store" click the down arrow
( 2 ) select "ds-site-a-nfs1"
( 3 ) Once completed, select "Next".
In this screen, fill in the following information
Virtual Machine Name : Firefly_Perimeter
Keep the "Edit network mapping" as the default
Fill out this screen with the following information
Create Root Password : VMware1!
Confirm Password : VMware1!
Hostname Pattern : Click the down arrow and select the " # ".
Continue with the configuration of the "Device boot up configuration"
IP Assignment : [default]
Default Gateway : 192.168.120.1
Starting IP/Subnet : 192.168.120.70/24
Please review the information listed under "General Information".
If changes need to be made, select "Previous" to edit. If it looks correct, please proceed to the next step.
Click the " + " symbol to the right of "Virtual machine host configuration".
Review the configuration information for the "Virtual machine host configuration". Again, if changes need to be made, select "Previous" to edit. If it looks correct, please proceed to the next step.
Click the " + " symbol to the right of "Virtual machine configuration".
Review the configuration information for "Virtual Machine Configuration". If changes need to be made, select "Previous" to edit.
If it looks correct, please proceed to the next step.
Click the " + " symbol to the right of "Device boot up configuration".
( 1 ) Review the "Device boot up configuration" data
( 2 ) When you feel the information is correct, click " Submit "
If it is not correct, guess what... click "Previous".
You will now see the template listed in the dashboard for "Virtual Device Templates".
( 1 ) Click the Firefly Perimeter template
( 2 ) Click the down arrow to the right of "Actions"
( 3 ) Select the "Deploy Template" option.
( 1 ) On the bottom of the "Deploy Virtual Machine" pop up, keep the default of " 1 " for the "Number of Virtual Machines to Deploy"
( 2 ) Click "Deploy".
A pop-up with the "Status" ID will appear
Click the "OK" button.
You should already have a vSphere Web Client tab available in the Internet Explorer browser.
If not, use the shortcut in the menu.
Use the following credentials to log in to the vSphere Web Client
User name : root
Password : VMware1!
Click the "Home" button on the top menu bar.
Click on "VMs and Templates" in the Inventories section.
Select the arrow to the left of the "Datacenter Site A".
And there it is, the Firefly Perimeter that we configured and deployed. Yay!! Now wasn't that simple!
Imagine how easy it is to deploy these Firefly Perimeter virtual machines for multiple tenants in your Enterprise or Service Provider environment.
This concludes this article, please proceed to the next article which will cover Virtual Director in greater detail.
We have already spent some time talking about Virtual Director, but now that we have deployed a Firefly Perimeter, lets look at the application with greater detail.
In Internet Explorer, click the first tab which should be Junos Space.
If this tab is not available, use the shortcut in the menu bar.
Make sure the "Virtual Director" application is loaded.
PS... if you are logged out of the system, the account information is
Username : super
Password : VMware1!
Please select the "Dashboard" in Virtual Director.
You will see on the right-hand side that the "Number of Deployed Devices" and "Number of Virtual Director Templates" have now increased.
Please click on the "Manage" > "Deployed Devices" option in the left menu.
You can now see the Firefly Perimeter that we have deployed.
( 1 ) Please click on the Firefly Perimeter device
( 2 ) Select the arrow to the right of "Actions"
You will see that you can "PowerOff Device(s)", "PowerOn Device(s)", and "Reset Device(s)".
Yes, if you have other devices, you could power off/on multiple devices at once. You have the ability to control the device from Junos Space. Please note that this does not take control away from the controls you have through the vSphere client, it just allows you to manage everything from one location.
Please select "VM Connection Status" under the "Monitor Devices" Task Group.
You will now see that both virtual machines are listed.
Remember that a Firefly Perimeter was deployed already.
I just wanted to make it clear that once a virtual machine, like Firefly Perimeter, is brought into Virtual Director you have controls over it but the configurations will be done through Security Director. No matter what form the security device is in ( hardware vs. virtual ) security policies will be done through Security Director. This concludes this article. Let us now proceed to the next article which covers Security Director in greater detail.
In this part of the lab, we will go into greater detail and provide more hands on capability for Security Director now that we have deployed a Firefly Perimeter virtual machine from Virtual Director.
Click the arrow to the right of "Virtual Director" and select "Security Director".
Expand the "Firewall Policy" Task Group.
Click "Create Policy" Sub Task Group.
Set up the following configurations:
(1) Type : [default]
(2) Name : HoL Policy
(3) Description : Creating firewall policy for VMworld
(4) Check Manage Zone Policy [default] - used to manage zone-based firewall rules
(5) Policy Priority : Medium [default]
(6) Precedence Value : keep default (the value should be less than the number of existing policies of the same priority. The number of existing policies is displayed as part of the Precedence field. For example, if the system has 4 policies with Low priority, 5 policies with Medium priority, and 3 policies with High priority, you can set the precedence as follows:
(7) Profile : All Logging Enabled
Note that we created a Group policy rather than a Device policy. Since we have only one device, a Device policy might have been more appropriate, but it is nice to see that you can create one policy for many devices ... even if we don't have them in this simulation.
( 1 ) Select the "corp_fw1.juniper.net" listing under "Available"
( 2 ) Click the " -> " in the middle to move the selection to the "Selected" side
( 3 ) Click "Create".
Just make sure that you are back on the "Firewall Policy" Task Group.
Under "HoL Policy" select the "corp_fw1.juniper.net".
On the right you will see where the rules are implemented.
Click the Lock symbol in the top bar so that policy can be edited ( we do want to make sure that others are not editing the policy at the same time ).
Click "Create Device Rule".
Initially the rule will be green and then change to white ( this is normal ).
Click on "Device Zone - 1" in order to get the option to change the name.
Change the rule name to "FW-HoL", and click "OK".
A security zone is a set of interfaces treated as one trust boundary for policy purposes; a rule is always evaluated in the context of its source zone and destination zone pair. The trust zone is usually assigned to the internal LAN, and the untrust zone to the interface facing the Internet.
By default, the Source zone is set to trust. The zones that appear in the list are dependent on the type of security policy that you choose to add rules to. When adding a rule for a group policy, all the zones present on all devices are available for selection.
In this case we will keep "trust".
Click the "Any" option under the Source Address. You will see the ability to Include or Negate IPv4 and/or IPv6 Addresses.
At this time, we will keep the default of "Any".
Next is the opportunity to change the "Destination Trust Zone". If you click on "untrust" you once again see the options.
Let us keep the default of "untrust".
We will keep the default of "Any" for the Destination Address.
If you click the "Any" option for Service you will see the Available services that we will take actions against. Feel free to move the bar up and down to see all the services that are available.
At this time, we will keep to "Any".
You may need to move the screen to the right to see all the options.
With the default "Action" of "Deny", IPS shows "Not applicable" because denied traffic is never inspected. Please change the "Action" option to "Permit". To do this,
click on the "Action" to see the options and select "Permit".
Understand that as stated in previous modules, the IPS rules are published as part of the Firewall rules.
Now that we have changed the "Action" to "Permit", IPS shows "Off". Note that in the Firefly Perimeter x47 release, IPS will be incorporated, giving you IPS capability embedded in a virtual machine.
As you can see, there are additional options, including "Tunnel". By clicking on "Tunnel" you will see that there is the ability to implement a VPN tunnel.
Next, click on the "AppFw" section.
Initially when you click on AppFW the capability is disabled.
Please click on "White List" to see the options.
Note that there is also the capability to select "Black List" as well.
This is one of my favorite parts of this configuration, that you can easily specify "White List" or "Black List".
( 1 ) Feel free to scroll through the 36 pages of Pre-defined Apps, or just the first one :)
( 2 ) Note that there are also "Pre-defined Group", "Custom Apps", and "Custom Group" options
( 3) You can also search if need be.
( 4 ) Click "Cancel".
Please click "Validate" on the bottom of the screen.
You will see a pop up stating there are no Validation errors.
Click "Save" please.
Select the "Publish Policy" under the "Firewall Policy" Task Group.
Select the firewall policy that we just created.
Please unselect the "Include IPS Policy" and Select "Next" on the bottom of the screen.
Select the name of our firewall policy under "Affected Devices".
Select "Publish" on the bottom of the page.
A "Publish Information" Job ID will appear.
Please select "Job Management" under the "Job" Task Group.
View the Job Id that was provided and the successful publishing to the number of devices. YAY!!!
As indicated, at the time of developing this lab, Firefly Perimeter does not support IPS and therefore we cannot develop an IPS policy for it. We could develop policies for other Juniper products like the SRX, but we are not using one in this lab. Firefly Perimeter will support IPS in the x47 version, and at that time you will use Junos Space to create that policy.
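The rule we just published is easy to click through but its semantics are worth making explicit. The following is an added example, not Junos code and not what Security Director publishes to the device: a small model of zone-based policy evaluation showing that a rule applies to one (from-zone, to-zone) context, that rules in that context are matched in order on source, destination and service, that the first match decides, and that traffic matching no rule hits the implicit default deny. The flows, the "block-telnet" rule and the addresses are constructed for the example.

```python
"""Illustrative model of zone-based firewall policy evaluation.

Added example, not Junos code and not Security Director output. The rule
FW-HoL below mirrors the one built in the lab (trust -> untrust, any/any/any,
permit, logged); the block-telnet rule and all flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    src: str = "any"       # CIDR or "any"
    dst: str = "any"       # CIDR or "any"
    service: str = "any"   # e.g. "tcp/443" or "any"
    action: str = "deny"   # "permit" or "deny"
    log: bool = False      # the "All Logging Enabled" profile sets this


@dataclass
class Flow:
    from_zone: str
    to_zone: str
    src_ip: str
    dst_ip: str
    service: str


def _addr_match(pattern: str, ip: str) -> bool:
    return pattern == "any" or ip_address(ip) in ip_network(pattern, strict=False)


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str, bool]:
    """Return (action, matched rule name, logged). First match wins; with no
    match the implicit default policy denies and, by default, does not log."""
    for r in rules:
        if (r.from_zone, r.to_zone) != (flow.from_zone, flow.to_zone):
            continue
        if not (_addr_match(r.src, flow.src_ip) and _addr_match(r.dst, flow.dst_ip)):
            continue
        if r.service not in ("any", flow.service):
            continue
        return r.action, r.name, r.log
    return "deny", "default-deny", False


# The rule created in the steps above: trust -> untrust, any/any/any, permit, logged.
FW_HOL = Rule("FW-HoL", "trust", "untrust", action="permit", log=True)
HOL_POLICY = [FW_HOL]

# Ordering matters: a narrower deny only takes effect if it sits above FW-HoL.
BLOCK_TELNET = Rule("block-telnet", "trust", "untrust", service="tcp/23", log=True)
ORDERED = [BLOCK_TELNET, FW_HOL]
MISORDERED = [FW_HOL, BLOCK_TELNET]

# Constructed flows (RFC 5737 documentation addresses on the untrust side).
OUTBOUND_HTTPS = Flow("trust", "untrust", "192.168.120.50", "203.0.113.10", "tcp/443")
OUTBOUND_TELNET = Flow("trust", "untrust", "192.168.120.50", "203.0.113.10", "tcp/23")
INBOUND_SSH = Flow("untrust", "trust", "203.0.113.10", "192.168.120.50", "tcp/22")

if __name__ == "__main__":
    print(evaluate(HOL_POLICY, OUTBOUND_HTTPS))   # ('permit', 'FW-HoL', True)
    print(evaluate(HOL_POLICY, INBOUND_SSH))      # ('deny', 'default-deny', False)
    print(evaluate(ORDERED, OUTBOUND_TELNET))     # ('deny', 'block-telnet', True)
    print(evaluate(MISORDERED, OUTBOUND_TELNET))  # ('permit', 'FW-HoL', True)
```

The last two calls are the point: an any/any permit at the top of the trust to untrust context silently shadows every more specific rule placed beneath it, which is why the rule order in the Security Director grid deserves a look before you publish.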
Junos Space Security Director provides you with a workflow where you can create and apply NAT policies on devices in a network.
Security Director treats each logical system as another security device and takes ownership of the security configuration of the logical systems. In Security Director, each logical system is managed as a unique security device.
Please select "Create NAT Policy" under the "NAT Policy" Task Group.
On the right side, a window will pop up. At this time, we will create a "Device" rule.
( 1 ) Select Device
( 2 ) Name : NAT_VMworld_2014
( 3 ) Description : NAT Policy for VMworld 2014
( 4 ) Click the down arrow next to Device and select "corp_fw1.juniper.net".
On the bottom of the screen, click "Create".
You will automatically go to the creating page.
Click the "lock" symbol in order to lock the policy.
Click "Create Source Rule".
Select "Device-1" and change the name to "NAT_2014"
You will see the same Trust Zones appears that we had available in the Firewall portion.
At this time, we will be choosing interfaces rather than zones. Firefly Perimeter supports up to 10 virtual interfaces on vSphere; ge-0/0/0.0 is its first traffic interface ( the management interface, fxp0, is separate ).
Please select "ge-0/0/0.0" and click the arrow to bring it to the selected side.
( 1 ) Please click the "Egress Zones" in order to see our options
( 2 ) Click "Interface"
( 3 ) Select "ge-0/0/0.0"
( 4 ) Select the " -> " to move to selected
( 5 ) Click "Ok".
Click the "No Translation" under "Translated Packet Source" in order to get the pop-up.
Please select the down arrow to see our options.
Select "Pool" as our "Translation Type".
Please click the green " + " circle to the right of "Source Pool" in order to create a new source pool for NAT.
Please fill in the following information
Name : Source_NAT_2014
Description : Source NAT policy for VMworld 2014
We have no "Pool Address" so lets create one through this step.
Please click the green " + " circle to the right of "Pool Address".
Note that you can create the pool through the Object Builder Task Group".
Let's create the Address Object Type. Please fill in the following information
Object Type : Address
Name : VMworld_2014
Type: ( Click the down arrow ) Range
You may get an "Inactivity Timeout" so please make sure you click "Yes".
Please fill in the following information
Object Type : Address
Name : VMworld_2014
Description : Addresses for VMworld 2014
Start IP : 192.168.120.200
End IP : 192.168.120.250
Click the arrow next to "Translation".
Select the arrow next to "Address Pooling" and select "Paired".
Select the arrow next to "Port" and select "Any".
As you can see our configuration has been added.
Please click "Ok".
Please click "Validate".
You will see the "Information" screen on the right pop up showing that there are no Validation errors.
Please click the " + " symbol to the left of "Object Builder" Task Group.
Please select the "Addresses" Sub Task Group.
Note that we previously walked through these steps on the specific actions BUT we can create them before hand. As you can see our VMworld_2014 Addresses are listed. For planning purposes, you can easily create all your addresses before you start to create your policies.
Please select "NAT Pools" Sub Task Group.
Once again, you have the opportunity to create your NAT pools for the tenants before you build your NAT policy. Creating them in individual pieces will assist with management of your pools.
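The "Paired" address pooling chosen above is the setting worth understanding before you hand a pool to a tenant. The following is an added example, not the SRX data plane and not anything Security Director publishes: a model of source NAT over the pool created above (192.168.120.200 to 192.168.120.250, port any) that shows what paired pooling guarantees, what unpaired pooling does instead, and how a single address in the pool runs out of ports while the rest sit idle. The internal host addresses and the shortened port range are constructed for the example.

```python
"""Illustrative model of source NAT with a pool and "paired" address pooling.

Added example; not the SRX data plane and not Security Director output. With
paired pooling every internal host is tied to one pool address for all of its
sessions, so an external server sees that host as a single IP. Without it, a
host's sessions spread across the pool. Internal addresses and the small port
range in exhaustion_demo() are constructed.
"""
from ipaddress import ip_address
from typing import Dict, Tuple


class SourceNatPool:
    def __init__(self, start: str, end: str, paired: bool = True,
                 port_min: int = 1024, port_max: int = 65535) -> None:
        first, last = int(ip_address(start)), int(ip_address(end))
        self.addresses = [str(ip_address(n)) for n in range(first, last + 1)]
        self.paired = paired
        self.port_min, self.port_max = port_min, port_max
        self.pairing: Dict[str, str] = {}      # internal ip -> pool ip (paired mode)
        self.next_port: Dict[str, int] = {}    # pool ip -> next free port
        self.sessions: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self._rr = 0                           # round-robin cursor over the pool

    def _pick_address(self, src_ip: str) -> str:
        if self.paired and src_ip in self.pairing:
            return self.pairing[src_ip]
        addr = self.addresses[self._rr % len(self.addresses)]
        self._rr += 1
        if self.paired:
            self.pairing[src_ip] = addr
        return addr

    def translate(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Translate one new session and return (pool ip, pool port).
        Raises RuntimeError when the chosen pool address has no free port."""
        addr = self._pick_address(src_ip)
        port = self.next_port.get(addr, self.port_min)
        if port > self.port_max:
            raise RuntimeError(f"source NAT pool address {addr} exhausted")
        self.next_port[addr] = port + 1
        self.sessions[(src_ip, src_port)] = (addr, port)
        return addr, port


def paired_demo() -> Tuple[Tuple[str, int], Tuple[str, int], Tuple[str, int]]:
    pool = SourceNatPool("192.168.120.200", "192.168.120.250", paired=True)
    a1 = pool.translate("10.0.0.5", 40001)
    b1 = pool.translate("10.0.0.6", 40002)
    a2 = pool.translate("10.0.0.5", 40003)   # same host, so same pool address as a1
    return a1, b1, a2


def unpaired_demo() -> Tuple[Tuple[str, int], Tuple[str, int]]:
    pool = SourceNatPool("192.168.120.200", "192.168.120.250", paired=False)
    return pool.translate("10.0.0.5", 40001), pool.translate("10.0.0.5", 40003)


def exhaustion_demo() -> str:
    # Two ports per address: the third session from the paired host cannot be
    # translated even though the other 50 pool addresses are completely idle.
    pool = SourceNatPool("192.168.120.200", "192.168.120.250",
                         paired=True, port_min=1024, port_max=1025)
    pool.translate("10.0.0.5", 1)
    pool.translate("10.0.0.5", 2)
    try:
        pool.translate("10.0.0.5", 3)
    except RuntimeError as exc:
        return str(exc)
    return "no exhaustion"


if __name__ == "__main__":
    print(paired_demo())      # (('192.168.120.200', 1024), ('192.168.120.201', 1024), ('192.168.120.200', 1025))
    print(unpaired_demo())    # (('192.168.120.200', 1024), ('192.168.120.201', 1024))
    print(exhaustion_demo())  # source NAT pool address 192.168.120.200 exhausted
```

Paired pooling is what keeps applications that bind a session to the client IP working through NAT, but it also means one busy internal host can exhaust its pool address while the pool as a whole looks nearly empty, so watch per-address port utilization, not just pool size.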
Please click the " + " symbol to the left of the "VPN" Task Group.
Please select the "Create VPN" sub Task Group.
Please fill in the following information
Name : VPN_VMworld_2014
Description : VPN for the VMworld 2014
Tunnel Mode: Route Based
Notice the type of Route Based VPNs available:
We will be keeping the default, "Site to Site" at this time.
Please click the down arrow to the right for "VPN Profile"
Notice the types that are available
At this time, we will keep the default of "MainModeProfile".
The "Preshared Key" is the last option for the VPN configuration. Note that you can either have the key auto-generated or set up manually.
Change the "Tunnel Mode" to "Policy Based" in order to see these options.
Notice the "Type" is still "Site to Site" and the "VPN Profile" is still "Aggressive Mode Profile", "MainModeProfile", "RSAProfile".
Please keep the default, "MainModeProfile".
Once again, we have the option to auto-generate or manually add the "Preshared Key".
Please select "Next" at the bottom of the page.
Under the available side, please select "corp_fw1.juniper.net" and click "Add as Endpoint" in order to move it to the selected side.
Please click "Next" on the bottom of the screen.
Sorry but this is just a vPod and not set up in a real world scenario. Since we do not have another endpoint, we can not continue on with configuration.
I wanted to make sure that you saw the steps that we would take to at least configure our side of the VPN connection.
Please click "OK".
At this time, this is the end of the specific configurations that we will be covering within this lab.
Please feel free to review the components of "Security Director" that we have not covered in this article.
When done, please proceed to the next article where we discuss why Juniper for your physical and virtual infrastructure.
Now that you have finalized the introduction of Juniper's Junos Space, by reviewing the Network Management Platform, Virtual Director, and Security Director, we just wanted to reiterate the importance and ease of the product. We believe in virtualization as much as you do but the infrastructure isn't always all virtualized. Simply put, if you can manage your physical and virtual infrastructure from one interface, why would you not use Juniper in your data center?
With Junos Space, you benefit from :
For companies that want to extract value from their network and deliver on solutions that truly work for their business, Junos Space is the platform of choice. You can create and deploy custom management applications using our programmable interface. Junos Space improves network agility by providing a SDK toolkit and APIs both at the platform and application level for a complete customized solution so you can meet the specific needs of your business or internal procedures.
Junos Space SDK includes the following components :
It is also important to know that Juniper has the following products in virtual format :
The next module in this lab covers Juniper DDoS Secure. We hope that you will continue the lab to experience this awesome virtualized security product. If you are on twitter don't forget to tweet your thoughts to @banksek or email her at PewPew@juniper.net she would love to know them.
Module 3 - Juniper DDoS Secure (45 min)
DDoS flood attacks are a major problem for online businesses. Juniper DDoS Secure can nullify these problems by continually monitoring and logging all in- and out-bound Web traffic.
DDoS Secure uses its CHARM algorithm to learn which IP addresses can be trusted, and is able to respond intelligently and in real time by dropping suspect or noncompliant packets as soon as the optimum performance from critical resources begins to degrade.
This heuristic and granular approach to DDoS mitigation guarantees availability for legitimate users while blocking bad traffic, even under the most extreme attack conditions. This is my favorite part of DDoS Secure. Traditionally, a DDoS outage occurs when resources are unable to handle the volume of connection requests at a particular point in time. This might be through an induced malicious attack using a botnet for some financial, ideological, or political motive, or the result of a legitimate "flash-crowd" effect during peak traffic periods. To the end user, there is no real difference: at best they experience degraded response times; at worst, it is a disruption in the resource's availability resulting in an outage with serious business impact.
Adding more horsepower to the server or increasing bandwidth connectivity can provide some insurance against a volumetric DDoS attack, but these measures are ultimately ineffective against today's new breed of sophisticated DDoS threats. Simply throttling all traffic or blacklisting particular groups of IP addresses is also not a lasting solution, particularly as these measures can impact legitimate users.
DDoS Secure software is different. Its innovative heuristic technology continually monitors and logs all inbound and outbound network traffic. Using its unique CHARM algorithm DDoS Secure learns which clients pose a risk through their use of available resources, and then intelligently responds in real time by disrupting an attack as soon as performance of critical resources begins to degrade.
DDoS Secure is available in Virtual and Hardware appliance version.
Key Features of DDoS Secure
The grey normal Internet traffic flows through the DDoS Secure device, while the software analyses the type, origin, flow, data rate, sequencing, style and protocol being utilized by all inbound and outbound traffic. The analysis is heuristic in nature and adjusts over time but is applied in real time with minimal latency.
The red DDoS attack traffic shows how the DDoS Secure appliance uses complex data analysis techniques to detect attacks, take defensive measures, and drop the traffic.
Let's continue on to the next chapter where we investigate the Juniper DDoS Secure User Interface ( UI ).
Juniper DDoS Secure is a fully automatic DDoS protection system used for websites and web-connected e-commerce sites. DDoS Secure protects all TCP/IP protocols. In this article we will cover the user interface ( UI ) of the DDoS Secure appliance. There is so much data to cover regarding this appliance, but since we are in a lab scenario we will not be able to cover everything. We did want to make sure that you had time to review everything that is at your fingertips with this product.
Double Click the "Internet Explorer" icon on the Control Center desktop.
Click on the box on the URL bar in order to bring up a new tab.
Click the "DDoS Secure Login" shortcut on the tool bar.
You will more than likely get the above certificate error. Click "Continue to this website (not recommended)"... yeah yeah I know it is not recommended but please do it anyway :) The lab appliance presents a self-signed certificate that the browser cannot verify; in a production deployment you would install a certificate issued by your own CA on the appliance rather than training administrators to click through this warning.
Click the "Login" button in the middle of the page please.
To log into DDoS Secure, use the following credentials
Above is a layout for the statistical display part of the user interface. Each individual segment of the page is divided in to categories.
Options on the left pane are :
Options on the center pane are :
Options on the right pane are :
Options on the top center pane :
Your login takes you directly to the real time dashboard for DDoS secure.
On the top is the "Traffic Monitor" section.
In the middle are the "Load Status" and "Attack Status" graphs. Note that there is no traffic and no attacks at this time, but we will be simulating two attacks in future articles.
The bottom row has "Good Traffic", "Bad Traffic", and "Protected Performance". You more than likely will see "Good Traffic" change over time.
The descriptions of the sections:
The traffic monitor pane shows the peak traffic usage ( inbound and outbound ) over the selected period. Note that the default is 24 hours.
If you select the top "Appliance 192.168.120.11 inbound" you will see it highlighted in the graph. Feel free to do this to the other three options available in the "Traffic Monitor" screen. Note that your "Traffic Monitor" pane may look different than the one shown above.
As previously specified, you can change the time frame for your "Traffic Monitor" pane. In the top right, above the graph is a tab that allow you to change the time. Click the arrow to the right of "Last 24 Hours" to see the options.
Note that you can also changing what appliances/portals/IP are shown on the "Traffic Monitor" page as well by clicking the arrow to the right of "Viewing: global" on the top right.
View the bottom right corner and you will see the "Protected_App" and "Unprotected_App" portals. We will be using these portals in our testing in subsequent articles. You can see that "Protected_App" is in defending mode and "Unprotected_App" is in logging mode. This pane reports how busy a protected IP address is from an aggregated CHARM perspective, and what the average traffic to and from the IP is.
The DDoS Secure supports different components in one of two operational modes:
Examples of different components are:
If an activity uses components with a combination of defending and logging, the resultant operational mode is logging. Thus, for a black-listed client IP address with an overall operation of defending, a portal operation of logging, and a protected IP address operation of defending, the client IP address is not dropped.
The left taskbar shows the menu buttons. These menu buttons give you more detailed information about the traffic that passes through the DDoS Secure. Feel free to select them individually for review, but note that because we have limited traffic ( at this time only Juniper's Junos Space is on the network ), the information is limited. We will be looking at some of these menus in other articles.
Please click the "Configuration/Logs" tab.
This pop out screen provides you with administrative tasks as well as additional data for the configuration.
Please click the tab listed "Admin 192.168.120.11" that has popped up because you selected "Configuration/Logs".
The log file is the first screen that pops up, showing everything that is occurring on the virtual appliance. Information like logins ( GUI ) and Info messages are shown.
Please click the "Configure Portals" option in the left pane menu.
As you will see from this screen, this is where I set up the configuration for the two portals to be put into defending and logging mode. The "Protected_app" will be defended and the "Unprotected_App" will be in logging mode.
Please select "Configure Interfaces" from the left menu pane.
As you will see in the screen on the left, under the "Internet/Protected Global Definitions", there are multiple ways to configure the DDoS Secure appliance. In our case we have it setup as an L3 ( Router ) because this scenario works best for the vPod. Note that the configurations for L2 ( Bridge ) and L2/L3 ( Split Network ) can also be configured.
As an FYI, DDoS Secure uses "Internet" and "Protected" to differentiate the side of the attackers ( Internet ) and the side of the applications ( Protected ).
Although we do NOT want you shutting down the DDoS Secure appliance, please note that this is where you would do it.
Note that this option is available in the bottom of the left menu pane.
This concludes a quick look at the DDOS Secure User Interface. Please proceed to the configuration of the testing environment article.
In this lab, we will be simulating a low and slow DDoS attack.
Low and slow attacks use, as the name suggests, slow traffic that looks normal to the target organization. They often go undetected because they do not violate any specific protocol and do not match any specific signature. End users simply see the system respond slowly to their requests, which is the real performance impact.
Proceed back to the first tab in the Internet Explorer browser.
Log into the VMware vSphere Web Client with the following credentials
User name : root
Password : VMware1!
Click the "Home" button in the top blue bar.
Click the "VMs and Templates" icon in the Inventories pane.
Click the arrow to the right of "Datacenter Site A".
In our scenario we will be using the vm's highlighted.
In our simulation we will have a "Protected Application" ( 2 Protected Application ) and an "Unprotected Application" ( 2 Unprotected Application ). These applications are on the Protected side of the DDoS Secure.
Remember when we were in the DDoS Secure Dashboard and the "Protected_App" was identified as Defending and "Unprotected_App" was identified as Logging. As you can imagine the Protected Application will be protected by the Juniper DDoS Secure virtual edition appliance and the Unprotected Application will not.
Note that these two virtual machines are exactly the same. They are simulated webservers with databases.
"Attacker 42" will simulate a low and slow attack.
Please note that this is a Linux box with customized scripts for their various attacks. This virtual machine is on the Internet side of the DDoS Secure.
Attacker 42 has two interfaces specifically for the simulation.
The "base-w7-01a" box will be used to show the impact of the attack.
Lastly, our "DDoS Secure virtual edition" virtual application will sit inline between the attacker and the portals, collecting the data and doing its thing.
Let us see it in action. Please proceed to the next article where we will simulate a low and slow attack and show how Juniper DDoS Secure protects the protected site.
As mentioned previously, a low and slow DDoS often goes unnoticed by conventional tools. In this low and slow DDoS attack simulation, we will show you how Juniper's DDoS Secure can easily "catch" the attack and protect the "Protected Application". Application-layer attacks, often referred to as "low and slow" ( describing the attacker's goal of staying under threshold detection systems ), have exposed weaknesses in netflow and threshold based detection techniques. RUDY ( R-U-Dead-Yet ) and Slow Loris are two types of application-layer attacks that target the HTTP protocol. The attacker launches a multitude of requests that are difficult for the server to complete, depleting application resources and quickly bringing the website down.
Make sure you are still in the "vSphere Web Client" tab within Internet Explorer.
Select "Open Console" for the "base-w7-01a" virtual machine.
Note that it will pop up in the next tab.
Password : VMware1!
Click the " -> " button to the right of the password to log in to the vmware account on the Windows VM.
Double click the "Mozilla Firefox" icon on the desktop.
Please select the "Protected App" shortcut in the menu bar.
Notice the image in the Protected App is the Juniper Networks image.
You will see that we have added the additional tool Firebug into Firefox. This tool is used to show how long it takes for the website to make its calls once under attack.
Notice the time while the site is running cleanly. In this case, it is 421 ms ( note that your time may be different ).
Please click the " + " symbol in order to bring up a second tab.
Please click the "Unprotected App" shortcut on the menu of Firefox.
Notice that the image on the Unprotected App site is the tomato cart ( we wanted to differentiate between them in case you got confused... I did at times : ) )
Firebug is also available on the bottom of the screen. Feel free to look at the time to load the unprotected site.
Please proceed back to the "vSphere Web Client" tab in Internet Explorer.
Please "Open Console" of "Attacker 42" by right clicking on "Attacker 42" virtual machine.
Please log into Attacker 42 with the following credentials:
Attacker login : root
Password : Juniper1!
At the prompt, type
This is the IP address of the Protected Application.
Select < Ctrl + Alt > to escape the window, please keep the ping going.
Please click on the DDoS Secure tab in Internet Explorer.
Please select "ICMP Info" on the left column.
As you can see, the Attacker 42 VM is pinging the Protected Application and the Juniper DDoS Secure appliance can see it.
Please proceed back to the "Attacker 42" tab in Internet Explorer.
Stop the ping by entering < Ctrl + C > in the console.
At the command prompt, type
As the message shows, please hit < Ctrl + Alt > to release the cursor.
Please proceed to the DDoS Secure tab in Internet Explorer.
You will see the numbers increase on the right hand side of the dashboard. Remember, this is a low and slow attack: it will take some time for the attack to show and for the site to be protected, and it will take time for the sites to recover. It is a cool simulation, so give it time please.
Please proceed to the "URL Info" option in the left pane.
You can see the top two lines show the Unprotected App and the Protected App.
This is a low and slow attack, but you will see the number increasing. At this time, the pending numbers are approximately the same. Did you want me to remind you that it is a low and... wait for it... slow attack?
After some time, you will see the pending numbers start to have a huge differentiation !!!
Right now the unprotected app has 236 requests pending and the protected app has 53 requests pending. Note that your numbers will be different.
Clearly the Juniper DDoS is protecting the protected app!!! But wait, we are not done...
Please proceed to the "base-w7-01a" tab in Internet Explorer.
( 1 ) Reload the Protected App website by selecting the circle arrow.
( 2 ) You will notice that it launches in a specific amount of time. In this case, it is 46 ms.
Please click the first tab to go the Unprotected App.
( 1 ) Reload the Unprotected Application site by clicking the circle arrow.
( 2 ) Notice the time it takes to load the site. In this case, 14.59 s.
Note that the longer you wait for the attack to progress, the longer the response time will be. For instance, we have seen this take 200 s or even time out.
There is a big difference between 46 ms and 14.59 sec.
Juniper DDoS Secure protected our Protected App from the low and slow DDoS Attack.
Cool huh? I told you!!!
So what we just saw is a low and slow attack from our "Attacker 42" virtual machine against two web servers. Juniper DDoS Secure automatically detected the attack and protected the "Protected App" from it, so that end users saw no impact. No configuration was needed on your part for this use case; DDoS Secure did it automatically!!
Please proceed to the final article in this module, "Why Juniper DDoS Secure".
I thought it was important to follow up regarding the Juniper DDoS Secure product. When I think about the capabilities inherent in the product, such as CHARM, it is hard to argue against using DDoS Secure. The first distributed denial of service (DDoS) attack occurred in 2000 and was used to take out Amazon, eBay, and a host of other e-commerce sites. The weapon used was a volumetric flood attack, and the attackers used a rudimentary botnet of multiple computers to flood the network with high volume traffic that brought the e-commerce sites down, causing an estimated $1.7 billion in collective damages.
Since then, DDoS attacks have evolved from being a blunt weapon, using high volume attacks to bring down Web servers, to highly sophisticated application-level attacks designed to zero in on strategic business resources. 2012 saw a series of attacks against the banking industry, some politically motivated and high profile, while others involved financial theft and fraud. The e-commerce sector was subject to attack as well, with attacks following the real world calendar of major shopping holidays.
2012 saw a sharp increase in Layer 7 DDoS attacks. What makes L7 attacks so stealthy is the fact that they masquerade as legitimate traffic to carry out the attack. A Layer 7, or application-layer, attack exploits inherent flaws and vulnerabilities in application software rather than using brute force to achieve the desired result. The majority of application-layer attacks target well-known applications such as HTTP, HTTPS, domain name system ( DNS ), and VoIP ( Session Initiation Protocol or SIP ). Much like volumetric attacks, L7 attacks require very little investment by attackers. It is more than possible to bring down major websites with a laptop and as few as 40 to 60 of the same request per second ( aka PPS, or packets per second ). To give this some context, volumetric attacks range from the low hundreds of thousands of PPS to millions of PPS. Their appearance of legitimacy ( adhering to protocol rules, with normal and complete TCP connections ) is what makes L7 attacks benign in appearance and exceedingly difficult to detect and mitigate.
What is at stake is costly service outages that can result in lost business and defection of end customers, along with sometimes irreparable damage to brand and reputation. In the financial services industry, more likely than not it also involves theft of sensitive data and financial fraud. In the education and healthcare sectors, a primary concern is access to student information, electronic medical records, and theft of sensitive data that could result in huge lawsuits and terrible outcomes for individuals who have their information stolen. A loss of availability for airline ticketing sites or e-commerce sites, large or small, could result in a loss of revenue and credibility. Inevitably, a DDoS attack is accompanied by financial losses that can be hard to recover from.
Juniper's DDoS Secure's innovative design uses a "closed loop" process to look at the full cycle of the packet coming in, the resource it is destined for, the resource's ability to return the request in a timely manner, and finally the request being served back to the requester. DDoS Secure is self-learning and requires no tuning or thresholds to be set. It monitors how the application responds and learns from each encounter. This innovative heuristics-based approach enables the technology to determine both what normal traffic looks like and what normal responses from an application look like. As new attacks occur, DDoS Secure updates the algorithm to include the characteristics of the new attack, creating a highly intelligent DDoS defense system that incorporates dynamic updates and removes confusion from attacks that may be occurring as the system learns the limitations of the application environment. In the case of a DNS amplification attack, DDoS Secure applies intelligence about the behavior of the DNS resource to shut down the attack before it can overwhelm and bring down the DNS server. DDoS Secure's intelligence filters out repetitive requests to a DNS system for the same information, thereby averting a DNS amplification attack and protecting the unsuspecting target from rogue requests impacting its availability.
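To make the low and slow idea from the simulation and the self-learning "closed loop" idea above concrete, here is an added illustrative detector written for this write-up. It is not DDoS Secure or CHARM code: it learns a normal request lifetime from completed requests in a constructed request log, then flags clients whose requests sit pending far beyond that, the way the Unprotected App's pending count grew in the "URL Info" pane. The log format, IP addresses, URL and the factor/min_pending parameters are all assumptions of the example.

```python
from collections import defaultdict

# Constructed request log for this example (not captured from the lab):
# (timestamp_s, client_ip, url, event); "open" = request started,
# "done" = full response served back to the requester.
REQUEST_LOG = [
    (0.0, "10.0.0.5", "/protected/", "open"), (0.4, "10.0.0.5", "/protected/", "done"),
    (1.0, "10.0.0.6", "/protected/", "open"), (1.5, "10.0.0.6", "/protected/", "done"),
    (2.0, "10.0.0.5", "/protected/", "open"), (2.3, "10.0.0.5", "/protected/", "done"),
    # One client opens requests that never complete (the low and slow pattern).
    (3.0, "192.0.2.42", "/protected/", "open"),
    (3.1, "192.0.2.42", "/protected/", "open"),
    (3.2, "192.0.2.42", "/protected/", "open"),
    (4.0, "10.0.0.7", "/protected/", "open"), (4.6, "10.0.0.7", "/protected/", "done"),
]

def learn_normal_lifetime(log, alpha=0.3):
    """Exponentially weighted mean lifetime (s) of completed requests.
    Completed requests show what the application can actually serve; that
    is the baseline the detector learns instead of an operator threshold."""
    opened = defaultdict(list)          # (ip, url) -> open timestamps (FIFO)
    ewma = None
    for t, ip, url, ev in sorted(log):
        if ev == "open":
            opened[(ip, url)].append(t)
        elif opened[(ip, url)]:
            life = t - opened[(ip, url)].pop(0)
            ewma = life if ewma is None else alpha * life + (1 - alpha) * ewma
    return ewma

def pending_requests(log, now):
    """Requests opened but not completed by `now`: (ip, url) -> list of ages (s)."""
    opened = defaultdict(list)
    for t, ip, url, ev in sorted(log):
        if t > now:
            break
        if ev == "open":
            opened[(ip, url)].append(t)
        elif opened[(ip, url)]:
            opened[(ip, url)].pop(0)
    return {k: [now - t for t in v] for k, v in opened.items() if v}

def flag_slow_clients(log, now, factor=10.0, min_pending=2):
    """Clients holding >= min_pending requests open for longer than
    factor x the learned normal lifetime. Returns {ip: stale_request_count}."""
    limit = factor * learn_normal_lifetime(log)
    flagged = defaultdict(int)
    for (ip, url), ages in pending_requests(log, now).items():
        stale = sum(1 for age in ages if age > limit)
        if stale >= min_pending:
            flagged[ip] += stale
    return dict(flagged)
```

Nothing is flagged a couple of seconds into the log, but the same client stands out once its requests have been pending for tens of times the learned lifetime, which is why the lab tells you to give the simulation time.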
In other words... the question becomes Why NOT Juniper DDoS Secure!!!
We wanted to thank you personally for taking the Juniper lab at the VMworld 2014 Hands-on Lab.
If you have a twitter account, please tweet to @banksek or email her at PewPew@juniper.net and let her know your thoughts.
Have a great day!!
Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.
Lab SKU: HOL-PRT-1472