Juniper Virtual Security Lab (HOL-PRT-1472) - VMware · 2016-05-05
Table of Contents

Lab Overview - HOL-PRT-1472 - Juniper Virtual Security Lab Overview ........ 2
    Lab Overview ........ 3
Module 1 - Juniper Junos Space 101 (15 min) ........ 9
    Introduction to Space ........ 10
    Introduction to Virtual Director ........ 36
    Introduction to Security Director ........ 54
Module 2 - Managing Your Physical and Virtual Infrastructure with Juniper Junos Space (45 min) ........ 75
    Use Cases for Juniper Junos Space and Firefly Perimeter ........ 76
    Deploying Firefly Perimeter ........ 80
    Virtual Director - Greater Detail ........ 106
    Security Director - Greater Detail ........ 111
    Why Juniper for Your Physical and Virtual Infrastructure ........ 153
Module 3 - Juniper DDoS Secure (45 min) ........ 155
    Introduction to Juniper DDoS Secure ........ 156
    Introduction to Juniper DDoS Secure UI ........ 159
    Configuration of Testing Environment ........ 175
    Low and Slow Attack ........ 182
    Why Juniper DDoS Secure ........ 197
HOL-PRT-1472 - Page 1
Lab Overview - HOL-PRT-1472 - Juniper Virtual Security Lab Overview
Lab Overview

So you have decided to incorporate a cloud and/or virtualization into your business, utilizing it for bursting, development, testing, or even for production applications. Have you built security into your virtual data center? Are you concerned about DDoS attacks on your production applications? What about the ability to implement network-based AV, VPN, NAT, IPS, and routing in your virtual data center, establishing a secure and operable software-defined data center that is able to expand and maintain security throughout its entire lifecycle? What about having a DDoS appliance in a virtual format for ease of deployment to any tenant? Building these technologies on the experience and confidence of Juniper Networks allows a solution that truly understands the functions and needs of networking and security for your true software-defined data center. Only Juniper can understand security from a network standpoint because we are truly a network and security company. This lab will show you just a touch of our virtual security capabilities for your Enterprise or Service Provider environment. Understand that we have a full suite of virtualized security and network products and tools that allow you to manage your physical and virtual data center.
Making Sure VMs are Running
Before starting with the lab, let's make sure that all of your virtual machines are up and running.
Launch Internet Explorer
From the Control Center desktop, please double click the Internet Explorer icon.
Log In To vSphere Web Client
The login page for VMware vSphere Web Client will launch automatically. Please enter the following credentials:
User name: root
Password: VMware1!
and click "Login".
Home Tab
Click the "Home" button.
VMs and Templates
Click the "VMs and Templates" icon.
Expand Datacenter Site A
Click the arrow to the left of "Datacenter Site A" so that we can verify that the VMs are running.
List of VMs
As you can see, the "DDoS Secure Virtual edition" is not running. This may not be the case with your lab. Your lab may have all the VMs running (see note below) or other VMs not running. This is why we are checking.
NOTE: Attacker 32 does NOT need to be started.
Starting VMs
If any of the VMs are not running (with the exception of Attacker 32), please right click on the VM and select "Power On".
Proceed With Lab
Once you have verified that all the VMs are running (with the exception of Attacker 32... have I mentioned that already? :) ), please proceed with the first Module.
Thank you!!!
Module 1 - Juniper Junos Space 101 (15 min)
Introduction to Space

Juniper Junos Space is a comprehensive Network Management Solution that simplifies and automates management of Juniper's switching, routing, and security devices. Junos Space consists of a network management platform for deep element and fault, configuration, accounting, performance, and security (FCAPS) management; plug-n-play management applications for reducing costs and provisioning new services quickly; and a programmable SDK for network customization. The FCAPS network management framework was created by ISO and categorizes the working objectives of network management into five levels of management. With each of these components working cohesively, Junos Space offers a unified network management and orchestration solution to help you more efficiently manage your network. In this lab, we will be covering the Virtual Director and Security Director applications. There are other applications available for Junos Space, such as Network Director, but as indicated, we will not review them at this time.
Two of my favorite parts of the Junos Space Appliance: first, it is available in both a hardware and a virtual appliance format. This gives you incredible flexibility in your data center, and we are all for that. My second favorite part is that both versions support multiple nodes, and this in turn provides the scalability and availability that your managed network requires as you add more devices, services, and users. You see, Junos Space manages BOTH virtual and physical components in your data center, but more on that later.
Let's delve in to the Junos Space GUI.
Launch Firefox
On the Control Center box (the box you are logged in to), double click on the Mozilla Firefox image on the desktop.
Launch Junos Space
Once Firefox is launched, Junos Space should be the homepage, but in case it is not, click on the "Junos Space Login" shortcut in the toolbar of the browser.
Accepting Website's Security Certificate
Note that this is the certificate message from Internet Explorer; it requires an acknowledgement, but because we are using Firefox for this lab, we did not get one.
In case you are seeing a certificate error, please accept it (although in my testing I did not, but you never know :) ).
Logging into Junos Space
You will now see the Junos Space login.
To log into Juniper Junos Space, use the following login credentials:
Username: super
Password: VMware1!
When you have entered the credentials, please click "Log In".
Network Management Platform - Dashboard
Once you first log in to Junos Space, you will see the main dashboard for the product. When you select any application (Security Director, Virtual Director) in the box above the task tree, a dashboard displays graphical data about devices, jobs, users, administration, and so on.
The dashboard provides a snapshot of the current status of objects managed and operations performed within a Junos Space application. The Network Management Platform dashboard (as shown above) displays the system health of your network and the percentage of jobs run successfully and in progress.
The Network Management Platform dashboard contains gadgets (graphs and charts) that display statistics that provide a quick view of system health. They include a gauge for overall system condition and graphs that display the fabric load and active users history.
Move the Gadgets
Feel free to move and resize the gadgets.
If you click on the blue bar of each of the gadgets, you will see the cursor change its form into an X; this means that the gadget can be moved within the dashboard. Try it out!
All dashboard gadgets are visible for all users and are updated in real time.
Saving and Printing
If you right click on the "Job Information" gadget, you will see that the images can be saved and/or printed.
More Detailed Information
Still within the "Job Information" gadget, if you double click on the green "Success" section, it will bring you to greater detail such as that shown above.
Job Management
When you clicked the green circle, you were automatically taken to the listing of jobs. Now, thankfully, all my jobs are successful, but you can imagine that jobs do fail for various reasons and they would show up here as well.
Global Search
Junos Space has this great Global Search capability. You can see that the search bar is always available no matter what screen you are on. You can use the feature to quickly locate any object within Junos Space. Junos Space allows you to perform a full-text search operation for objects within the system. You can do searches on object categories such as device name, Juniper platform (Junos OS, Junos ES, etc.), OS version, serial number, IP of physical and logical interface, name of physical and logical interface, MAC address, software, and many, many more. The global search operation supports query expressions. You can search for phrases and multiple terms. The default operator for multiple terms is the OR operator.
Applications for Space
In this implementation of Space we have two additional applications installed. By clicking on the down arrow as described in the picture above, you can see what is available. We will not go into these applications at this time, but we wanted you to see a quick view. In this lab configuration we have installed Virtual Director and Security Director. Service Now is part of the "default" Network Management Platform. Service Now is an automated troubleshooting capability that accelerates problem resolution by allowing you to open cases with Juniper Technical Support (JTAC) and include all related logs and diagnostics. Junos Space Service Now also reduces the time to integrate new Juniper products or releases into the network by using customized scripts installed on the Junos devices. Troubleshooting expertise is integrated into the products and therefore outage time is reduced. It also helps to lower the learning curve for operations personnel who are new to Juniper products.
No need to click any of the applications now, just click the arrow again.
Task Group (Workspaces)
Within each application (in this case, Network Management Platform) are the Task Groups, also sometimes referred to as Workspaces. These task groups are part of the task tree that is on the left side of the display. It is the navigation center for Junos Space. Note that you can collapse the task tree by clicking on the double left arrows, but we will not do this at this time. These arrows are highlighted in the above image.
Let's look at the Network Management Platform Task Groups.
Devices Task Group Expansion
Click the "+" to the left of the "Devices" Task Group.
Devices Task Group
As you can see, there are many options and Sub Task Groups available under "Devices". Let us spend some time in these options.
Devices "Dashboard"
By clicking the "Devices" Task Group, you will get a dashboard on the right.
A screen shot of the Devices Dashboard is above. Once again, these gadgets can be moved and you can drill down into them for greater detail. There are three gadgets: "Device Count by Platform", "Device Status", and "Device Count by OS". We have not deployed any devices at this time and therefore the gadgets have no data.
Options and Sub Task Groups
I have already expanded the additional Sub Task Groups in the image provided.
I will admit that the data is not fun to look at at this time because there are no devices, but like I said previously, feel free to click through all the options and see the data that is available.
For instance, I love the "secure console" option available from the "Devices" Task Group.
Device Templates Expansion
Click the "+" to the left of the "Device Templates" Task Group.
Device Templates
There are two options available under this Task Group; please select "definitions".
Definitions
Here you will see the default device templates that are provided with Junos Space Network Management. As you can see, they cover the majority of the device families available from Juniper. Note that these are for the hardware devices that Junos Space supports.
Select Default Syslog Config_Junos
Please select the "Default Syslog_Config_JUNOS" Device Template and select the pencil icon.
Available Configuration Expansion
Click the "+" to the left of the "Configuration" folder in "Available Configuration".
Configuration
You will see that the template gives you a layout of the various options available. This will provide ease in your configuration of the devices that you can deploy through Junos Space.
CLI Configlets
This Task Group allows you to easily apply a configuration to a device. Configlets are configuration tools provided by Junos OS that enable you to apply configuration to a device while reducing configuration complexity. A configlet is a configuration template which is transformed into a CLI configuration string before being applied to a device. The dynamic elements (strings) in configuration templates are defined using template variables. These variables act as input to the transformation process that constructs the CLI configuration string. These variables can contain anything: an interface name, a device name, description text, or any such dynamic value.
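To make that transformation concrete, here is an added example (my own illustration, not Junos Space code) that renders a configlet-style template into Junos CLI "set" statements. The "$name" placeholder style, the sample template and the variable values are assumptions constructed for this example; the point is that a template referencing an unsupplied variable, or a value that could smuggle extra statements into the CLI string, is rejected before anything reaches a device.

```python
import re
from typing import Dict, List

# Assumed placeholder syntax for this example: $name, e.g. $interface.
# (Constructed for illustration; not a statement about the exact syntax
# Junos Space configlets use.)
_VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

# Values may only contain characters that cannot start a new statement:
# no newlines, no ';', no '#', no quotes.
_SAFE_VALUE_RE = re.compile(r"[A-Za-z0-9._/:\- ]+")


def template_variables(template: str) -> List[str]:
    """Return the distinct template variables a configlet references, in order."""
    seen: List[str] = []
    for name in _VAR_RE.findall(template):
        if name not in seen:
            seen.append(name)
    return seen


def missing_variables(template: str, variables: Dict[str, str]) -> List[str]:
    """Variables the template needs but the caller did not supply."""
    return [v for v in template_variables(template) if v not in variables]


def value_is_safe(value: str) -> bool:
    """True if the value cannot break out of the statement it is substituted into."""
    return _SAFE_VALUE_RE.fullmatch(value) is not None


def render_configlet(template: str, variables: Dict[str, str]) -> str:
    """Transform a configlet template into a CLI configuration string.

    Every referenced variable must be supplied and every value must be safe;
    otherwise raise instead of silently producing a broken or altered config.
    """
    missing = missing_variables(template, variables)
    if missing:
        raise ValueError(f"configlet references unsupplied variables: {missing}")
    for name, value in variables.items():
        if not value_is_safe(value):
            raise ValueError(f"unsafe value for variable {name!r}: {value!r}")
    # Substitute against the original template only, so a value containing
    # '$something' is never expanded a second time.
    return _VAR_RE.sub(lambda m: variables[m.group(1)], template)


# Constructed sample configlet: a syslog host plus a description on one interface.
SYSLOG_CONFIGLET = """\
set system syslog host $syslog_host any info
set interfaces $interface description "$description"
"""

if __name__ == "__main__":
    print(render_configlet(SYSLOG_CONFIGLET, {
        "syslog_host": "10.0.0.5",
        "interface": "ge-0/0/1",
        "description": "uplink to core",
    }))
```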
Images and Scripts
Junos Space facilitates management of devices running Junos OS (Juniper's operating system) by enabling you to download a device image from Juniper's software download site to your local file system. You can then upload the device images and deploy them onto a device or onto multiple devices of the same device family simultaneously. After you upload a device image you can stage it on a device, verify the checksum, and deploy the staged image whenever required. You can also schedule the staging, deployment, and validation of device images.
You can also use Junos OS scripts as configuration and diagnostic automation tools, in order to deploy, verify, enable, disable, remove, and execute scripts that have been deployed to the devices.
Reports
The Reports Task Group is for... you guessed it... Reports. You can generate customized reports for managing the resources on your network. You can use the reports to gather data related to device inventory details, job execution details, and audit trails. You first create a report definition to specify what information to retrieve from the Junos Space inventory database. You then use this report definition to generate, export, and print the reports. Junos Space does provide some pre-defined categories to create report definitions. We will not be creating reports in this lab, but feel free to speak with a Juniper Sales Rep for more information.
Network Monitoring
With the Network Monitoring task group, you can assess the performance of your network, not only at a point in time but also over a period of time.
Click the "Network Monitoring" Task Group to see the dashboard.
Network Monitoring Dashboard
As you can see, the "Network Management" Dashboard gives you a view into "Nodes with Outages", "Availability over the past 24 hours", "Notification", "Resource Graphs", "KSC Reports", and "Quick Search". This dashboard provides great insight into your organization and quick searches against Node ID, Node Label like, TCP/IP address, and providing services (ICMP or SNMP).
Network Monitoring Expansion
Click on the "+" arrow to the left of the "Network Monitoring" Task Group.
Network Monitoring Task Group
By expanding the "Network Monitoring" Task Group, you can see that there are many additional options. Feel free to review the screens associated with the additional Sub Task Groups.
Configuration Files
You can maintain copies of device configuration files that are either running, candidate, or backup configuration files. This assists with device configuration recovery and maintaining consistency across multiple devices.
Jobs
The "Jobs" Task Group, ironically, monitors the progress of ongoing jobs. Crazy, I know! (Note that the "Jobs" Task Group should already be open.)
Once again we have an amazing dashboard with drill-down capability. There are three default gadgets available on the dashboard. Feel free to once again move them within the screen and to drill down into the various details.
Users
This, surprisingly, is where you add, manage, and delete users. I know... crazy place to put this, right? Just joshing....
The Users Task Group is where you can add your users and assign roles to the users.
Audit Logs
In the Audit Logs task group you can view and filter system audit logs, including those for user login and logout, tracking device management tasks, and displaying services that were provisioned on devices.
Click on the "Audit Logs" Task Group.
Audit Logs Task Group
The dashboard on the "Audit Logs" shows all statistics available from the audit log.
Click on the blue section of the statistics.
Login Data
In this case, I have only logged in as "super", but you can imagine that if there were other logins, these would show up as well.
Please select the "IP Addresses" as identified in the image.
IP Address Data
Here you see the IP addresses from which I have been accessing Junos Space.
Administration
And lastly, Administration allows you to add network nodes, back up databases, manage the licenses and applications, or even troubleshoot. As you can see, the administrative tasks are accomplished through this Task Group.
This concludes our introduction to Juniper's Junos Space. Our next chapter will go into detail on the Virtual Director application.
#JuniperLab
#PewPew
Introduction to Virtual Director

Junos Space Virtual Director is dedicated to provisioning, bootstrapping, monitoring, and lifecycle management of a variety of Juniper Virtual Appliances and related virtual security solutions. Virtual Director can be used to deploy, manage, and monitor instances of Firefly Perimeter (more detail later), which provides security and networking services at the perimeter in a virtualized private or public cloud environment. Virtual Director also registers each instance of Firefly Perimeter with the Junos Space Platform to allow other Junos Space applications, such as the Security Director application, to configure security policies.
Virtual Director Topology
The above diagram shows where Virtual Director and Space sit in your virtual environment. As you can see, Virtual Director is used to support many of Juniper's virtual appliances. Security Director is used to manage many of Juniper's physical hardware devices.
Juniper's Junos Space ties directly into VMware's vCenter Server.
Loading Virtual Director
Virtual Director has already been installed into the Junos Space Network Management Platform. In order to launch the application, select the down arrow to the right of "Network Management Platform" and select "Virtual Director".
Virtual Director Dashboard
Just like the dashboard in the "Network Management Platform", the "Virtual Director" "Dashboard" gives you a synopsis of the environment. At this time, this is a clean install. We will populate this information in later articles in this lab.
Take note of how the "Summary" and "Deployment Alerts" look at this time. As we do more activity in this lab, this information will change. Feel free to come back to the dashboard at any time.
Deployment Alerts
Like I stated, this is a fresh installation and currently none of the deployments have failed, because we have not even tried. We will deploy later! This information shows at the bottom of the "Virtual Director" "Dashboard". Personally, I think it is nice to have this information for your data center in that single pane.
Design Task Group Expansion
Expand the "Design" Task Group. You will see there are three Sub Task Groups. Let us check them out.
Design Task Group
The "Design Task Group" has three Sub Task Groups:
• Virtualization Providers
• VM Image Files
• Virtual Director Templates
Let's look at these individually.
Virtualization Providers
(1) Please click on the "Virtualization Providers" Sub Task Group. We do not have any at this time, so let's connect one. We will only be connecting one, but as you can tell, there can be multiple "virtualization providers" added to the system, allowing you to manage different systems or tenants.
(2) Please click on the green "+" circle.
Defining Virtualization Provider
When the popup for "Define Virtualization Provider" appears, please provide the following information:
Name: VMworld 2014 HoL
Network Address: 192.168.110.22
Administration Account Username: root
Password: VMware1!
Virtualization Provider Type: [default]
Connection: [default]
and then click "Done".
New Virtualization Provider
Once the connection is made, you will see that the new virtualization provider you created has been added.
This connection is needed in order to deploy our Firefly Perimeter devices into our virtual data center for all types of customers.
VM Image Files
Please click on "VM Image Files".
Adding VM Image Files
You will see that we currently do not have any VM image files in the system, but it is incredibly simple to add additional files into Virtual Director.
Please select the green "+" symbol.
Load OVA
The "Load OVA" screen will pop up.
Please click the "Browse" box.
Downloads Directory
Please make sure that you are in the "Downloads" directory if you are not already in this directory.
Selecting OVA
The downloads folder appears.
Please select the "junos-vsrx-12.1X46-D10.2-domestic.ova" image file.
Click Open
Now that you have selected the image, please click "Open" in the bottom right corner.
Upload OVA
Once back at the "Load OVA" screen, click the "Upload" button.
Please Wait
While your file uploads :).
Success
#PewPew, the file has been uploaded.
Please click the "OK" button.
Updated VM Image Files
You will now see your image in the "VM Image Files" screen.
We will use this image for building our template and deploying the device.
Virtual Device Templates
The "Virtual Device Templates" Sub Task Group allows you to see your previously created templates for deployment as well as to create new templates. Of course, we have not created one, but we will be doing this in the next article.
Manage Task Group Expansion
Click on the "+" symbol to the left of the "Manage" Task Group.
Manage Task Group
The "Manage" Task Group has two Sub Task Groups. Feel free to review them, but as you can imagine, they are empty :).
Monitor Devices Task Group Expansion
Click on the "+" symbol to the left of the "Monitor Devices" Task Group.
VM Connection Status
Please click the "VM Connection Status" option.
Unmanaged Devices
As you can see, there is a Firefly Perimeter device listed. This Firefly Perimeter was deployed previously into the Juniper vPod.
I needed to make sure you had some items to review :).
Moving Columns
Notice that you can highlight a column and move it to your desired location on the bar for ease of management and viewing. Feel free to move a column to a new location by clicking on the column heading and dragging it to its new place.
Expanding Columns
Feel free to expand the columns to get greater detail. In this case, I have made the IP Address column wider. When you click on the line in between the columns, the movement symbol will appear.
Search Capabilities
You can imagine how many devices can appear on the screen. At times the list may run off the screen, so the ability to search by "VM Name", "VM Status", "IP Address", and "Device Host Name" is in the top bar. Pretty handy, huh?
Deployment Status Task Group
The "Deployment Status" Task Group gives you a recap of all the request IDs that have occurred. For instance, you would see the request ID for the power on and power off of the Firefly Perimeter Virtual Machines. It provides a summary of the succeeded and failed tasks.
Application Settings Task Group
And the last Task Group within "Virtual Director"...
Click on "Application Settings". You will notice on the right that the "Alert Settings" option comes up. This allows you to set up email addresses for the alerts to be emailed to.
And this closes out the Task Groups for the "Virtual Director" application within Junos Space. Let's look at how the Firefly Perimeters are managed next... so off to the next article in this module, where we go into detail on Security Director.
#JuniperLab
Introduction to Security Director

Security Director is a Junos Space application that provides a quick and easy approach you can use to design your network security. With Security Director, you can create IPsec VPNs, firewall policies, NAT policies, and IPS configurations and push them to your security devices. These configurations use objects such as addresses, services, NAT pools, application signatures, policy profiles, VPN profiles, template definitions, and templates. These objects can be shared across multiple security configurations. You can create these objects prior to creating security configurations.
Firewall policy, NAT policy, and IPS policy can be created and managed in a tabular view. You can easily add new rules to the policies and choose to override policy-inherited settings by customizing the settings at a per-rule level. After you have added the rules to the policy, you can reorder these rules based on priority or group these rules for easy identification and modify them at a later time. A unified user interface approach for firewall, NAT, and IPS policies helps you reduce the learning time required to create different security configurations.
You can periodically download the latest version of application signatures and IPS signatures from a URL provided by Juniper Networks. You can install these signatures on Juniper security devices. You can then use application signatures and IPS signatures when creating firewall policy configurations. Security Director also lets you create your own customized signature sets. All application firewall and IPS configurations are pushed to the devices when the firewall policy in which they are used is pushed to the devices.
When you finish creating and verifying your security configurations, you can publish these configurations and keep them ready to be pushed to the security devices. Security Director helps you push all the security configurations to the devices all at once by providing a single interface that is intuitive.
Pretty Cool Huh?
Launching Security Director
From the Applications left column,
(1) Select the down arrow to the right of "Virtual Director" (the last application we were in)
(2) and select "Security Director".
Security Director Dashboard
Here is a screen shot of the Task Groups that are available in the "Security Director" application. We will go into greater detail on these Task Groups after we do one last check on the dashboard.
Security Director Dashboard Cont'd
From the "Security Director" dashboard you have the ability to:
• Create, manage, and publish firewall policies
• Create and manage IPS signatures, IPS signature sets, and IPS policies
• Create, manage, and publish NAT policies
• Create, manage, and publish VPNs
Firewall Policy Task Group Expansion
Click on the "+" symbol to the left of the "Firewall Policy" Task Group.
Firewall Policy Task Group
(1) Click the "Firewall Policy" Task Group.
On the screen to the right, you will see two sections.
Policies (2) will show firewall rules that have been previously created.
The right pane (3) of the firewall policy Inventory Landing Page (ILP) divides the set of rules into two rule bases. All zone-based rules are grouped under Zone and the SRX Series All Devices rules are grouped under Global.
Security Director provides you with five types of firewall policies:
• All devices: this policy enables rules to be enforced globally on all the devices managed by Security Director
• Group: this type of policy is used when you want to update a specific firewall policy configuration on a large set of devices
• Device: this type of policy is used when you want to push a unique firewall policy configuration per device
• Device - Exception Policy: this type of firewall policy is created when a device is removed from a group policy
• Global Policy: these rules are enforced regardless of ingress or egress zones; they are enforced on any device transit
Firewall Policy Sub Task Groups
As you can see, the "Firewall Policy" Task Group is where you can:
• Create Policy
• Publish Policy
• Prioritize Policies
• Manage Policy Locks
We have not created any policies yet but will in the subsequent articles.
IPS Policy Task Group Expansion
Please click the "+" symbol to the left of the "IPS Policy" Task Group.
Sub Task Group Expansion
Please click the "+" symbol to the left of the "IPS Signature" Sub Task Group, and then click the "+" symbol to the left of the "IPS Signature-Set" Sub Task Group.
IPS Policy Task Group
IPS (Intrusion Prevention System) is available as part of the overall functionality of the hardware devices. In future releases of Firefly Perimeter, this capability is included, but again, Junos Space is a tool for both hardware and software versions of Junos OS products.
You can use the IPS Policy Task Group to download and install the AppSecure signature database to security devices. You can automate the download and install process by scheduling the download and install tasks and configuring these tasks to recur at specific time intervals. This ensures that your signature database is up-to-date.
You can view the predefined IPS policy templates and create customized IPS policy sets in this Task Group. You can also enable IPS configuration in a firewall policy and provision IPS-related configuration along with the firewall policy.
NAT Policy Task Group Expansion
Click on the " + " symbol to the left of the "NAT Policy" Task Group.
NAT Policy Task Group
Network Address Translation ( NAT ) is a form of network masquerading where you can hide devices between the zones or interfaces. A trust zone is a segment of the network where security measures are applied. It is usually assigned to the internal LAN. An untrust zone is the Internet. NAT modifies the IP address of the packets moving between the trust and untrust zones.
Junos Space Security Director supports three types of NAT ( IPv6 is supported ):
• Source NAT - translates the source IP address of a packet leaving the trust zone ( outbound traffic ). It translates the traffic originating from the device in the trust zone. Using source NAT, an internal device can access the network by using the IP addresses specified in the NAT policy.
• Destination NAT - translates the destination IP address of a packet entering the trust zone ( inbound traffic ). It translates the traffic originating from a device outside the trust zone. Using destination NAT, an external device can send packets to a hidden internal device.
• Static NAT - always translates a private IP address to the same public IP address. It translates traffic from both sides of the network ( both source and destination ). For example, a webserver with a private IP address can access the Internet using a static, one-to-one address translation.
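To make the direction of each translation concrete, here is an added example, not part of the lab and not Security Director's own output, of the three NAT types in Junos OS configuration syntax, which is what Security Director ultimately pushes to an SRX or Firefly Perimeter device. The addresses ( 10.10.0.0/16, 10.10.1.80, 10.10.1.20, 203.0.113.10, 203.0.113.20 ), the interface ge-0/0/0.0 and all rule-set, rule and pool names are constructed placeholders:

```junos
/* Added example (constructed, not from the lab): the three NAT types
   in Junos OS syntax. All addresses and names are placeholders. */
security {
    nat {
        /* Source NAT: outbound, trust -> untrust. Internal hosts leave
           with the untrust interface's own address (interface NAT). */
        source {
            rule-set TRUST-TO-UNTRUST {
                from zone trust;
                to zone untrust;
                rule OUTBOUND {
                    match {
                        /* constructed internal range */
                        source-address 10.10.0.0/16;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        /* Destination NAT: inbound, untrust -> a hidden internal host.
           Only traffic to the published address and port is rewritten. */
        destination {
            pool WEB-INSIDE {
                /* constructed hidden web server */
                address 10.10.1.80/32 port 80;
            }
            rule-set UNTRUST-TO-TRUST {
                from zone untrust;
                rule PUBLISH-WEB {
                    match {
                        /* constructed public address */
                        destination-address 203.0.113.10/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat {
                            pool {
                                WEB-INSIDE;
                            }
                        }
                    }
                }
            }
        }
        /* Static NAT: one-to-one and bidirectional. 203.0.113.20 always
           maps to 10.10.1.20, for both inbound and outbound packets. */
        static {
            rule-set STATIC-MAP {
                from zone untrust;
                rule MAIL-SERVER {
                    match {
                        destination-address 203.0.113.20/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.10.1.20/32;
                            }
                        }
                    }
                }
            }
        }
        /* Let the device answer ARP for the public addresses it owns
           on behalf of the hidden hosts. */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    203.0.113.10/32;
                    203.0.113.20/32;
                }
            }
        }
    }
}
```

NAT on its own permits nothing: a firewall policy between the two zones still has to allow the traffic. Destination and static NAT are applied before the policy lookup, so the untrust-to-trust policy for the published web server matches on the internal address 10.10.1.80, not the public one; source NAT is applied after the policy lookup, so the trust-to-untrust policy sees the original internal source. Keep the destination rule's match narrow ( the published address and port ) rather than exposing the whole host.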
VPN Policy Task Group Expansion
Click on the " + " symbol to the left of the "VPN" Task Group.
VPN Policy Task Group
You can create site-to-site, hub-and-spoke, and full-mesh VPNs in this Task Group. If you want to use a custom VPN profile, you must configure a VPN profile before creating a VPN.
You can configure the following parameters for an IPsec VPN:
• Endpoints for a site-to-site VPN and full-mesh VPN
• Spokes and hubs for a hub-and-spoke VPN
• External Interface, Tunnel Zone, and Protected networks/zones for each device
• Routing settings
• VPN endpoint configuration
You can also customize endpoint-specific settings like VPN Name, IKE ID, and profile for each tunnel.
After the VPN configuration is saved, you can provision this VPN on the security devices.
In Security Director, route-based VPNs support OSPF and RIP routing along with static routing.
Security Director supports dynamic routing in VPN addressing. Security Director simplifies VPN address management by enabling the administrator to export static routes to a remote site over a tunnel, allowing the static route networks to participate in the VPN.
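As an added example, not from the lab and not Security Director's generated configuration, here is one end of a route-based site-to-site IPsec VPN in Junos OS syntax, showing where the parameters listed above land: the external interface, the tunnel interface and its zone, the protected networks via routing, and the IKE and IPsec proposals. The peer address 203.0.113.2, the remote network 10.20.0.0/16, the zone, object and rule names and the pre-shared key are constructed placeholders; the remote site needs the mirror-image configuration:

```junos
/* Added example (constructed, not from the lab): one end of a route-based
   site-to-site IPsec VPN. 203.0.113.2, 10.20.0.0/16, the names and the
   pre-shared key are placeholders. */
interfaces {
    /* Tunnel interface: traffic routed into st0.0 is encrypted. */
    st0 {
        unit 0 {
            family inet;
        }
    }
}
security {
    ike {
        proposal IKE-PROP-SITE-B {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy IKE-POL-SITE-B {
            mode main;
            proposals IKE-PROP-SITE-B;
            /* Placeholder: use a long random secret, one per peer. */
            pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-PSK";
        }
        /* "External Interface" and the remote endpoint from the wizard. */
        gateway GW-SITE-B {
            ike-policy IKE-POL-SITE-B;
            address 203.0.113.2;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal IPSEC-PROP-SITE-B {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
        }
        policy IPSEC-POL-SITE-B {
            perfect-forward-secrecy {
                keys group14;
            }
            proposals IPSEC-PROP-SITE-B;
        }
        /* Binding the VPN to st0.0 is what makes it route-based. */
        vpn VPN-SITE-B {
            bind-interface st0.0;
            ike {
                gateway GW-SITE-B;
                ipsec-policy IPSEC-POL-SITE-B;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        /* The external interface's zone must accept IKE (UDP 500/4500)
           or the tunnel never comes up. */
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                        }
                    }
                }
            }
        }
        /* "Tunnel Zone" from the wizard: st0.0 gets its own zone, so
           traffic crossing the tunnel is subject to policy like any other. */
        security-zone vpn {
            interfaces {
                st0.0;
            }
        }
    }
    policies {
        from-zone trust to-zone vpn {
            policy TO-SITE-B {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
routing-options {
    /* "Protected networks": a static route per remote network into the tunnel. */
    static {
        route 10.20.0.0/16 next-hop st0.0;
    }
}
```

The IKE ID that Security Director lets you set per endpoint corresponds to the gateway's local-identity and remote-identity settings; the example leaves them at their default ( the gateway IP address ), which only works when both peers have static addresses. A second policy from-zone vpn to-zone trust is needed for traffic initiated from the remote site, and both policies should be narrowed from any/any/any to the real protected networks and applications. The static route pointing at st0.0 is the model the passage describes; running OSPF or RIP across the tunnel is the dynamic alternative it mentions. Prefer the group14 / AES-256 / SHA-256 proposals shown over older 3DES / SHA-1 / group2 choices.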
Listing of VPNs
If we had VPNs configured, you would see them in the left pane of the Tabular view.
Object Builder Task Group Expansion
Click on the " + " symbol to the left of the "Object Builder" Task Group.
Object Builder Task Group
You can use the Object Builder Task Group in Security Director to create objects used by firewall policies, VPNs, and NAT policies. These objects are stored in the Junos Space database. You can reuse these objects with multiple security policies, VPNs, and NAT policies. This approach makes the design of services more structured and avoids the need to create the objects during the service design.
You can use the Object Builder Task Group to create, modify, clone, and delete the following objects:
• Address and address groups
• Services and service groups
• Application signatures
• Extranet Devices
• NAT pools
• Policy profiles
• VPN profiles
• Variables
• Template and template definitions
Devices Task Group Expansion
Click on the " + " symbol to the left of the "Devices" Task Group.
Devices Task Group
The "Devices" Task Group lists the devices that have been discovered by Junos Space. This Task Group gives you greater flexibility into the view of your virtual datacenter and your physical data center. Remember, this tool is for both virtual AND physical devices. It is a one stop shop. Pretty awesome huh?
Jobs Task Group
The "Jobs" Task Group gives you a full listing of all the jobs that have run through or for Junos Space.
Please click on "Jobs" in order to bring the dashboard up.
Jobs Task Group Dashboard
Once again a dashboard is available to give us visibility into the system.
Please double click on the "Add Application" job type.
Job Management
You can see the "Job Type" of "Add Application" is listed. This shows the install of the Security Director and Virtual Director applications.
Security Director Devices Task Group
The "Security Director Devices" Task Group allows you to update the devices with firewall policies, NAT policies, and VPN configurations.
Downloads Task Group
The "Downloads" Task Group allows you to download AppFirewall and IPS Signatures.
While you are on this screen please click the " + " symbol to the left of "Downloads".
Downloads Task Group Dashboard
This particular dashboard provides you with a full listing of all of the AppFirewall and IPS Signature downloads. It is a great way of keeping track of all the updates that you have received and implemented within the system and the products.
Signature Database
Please click on the "Signature Database" Sub Task Group.
Signature Database Dashboard
The Signature Database page appears. You can see the active databases that were downloaded earlier. At any time, Security Director will have only one active signature database.
You can see on the top of this screen there is an IPS Signature that can be installed on the system.
Install Configuration
Please select the "Install Configuration" Sub Task Group.
Install Configuration Dashboard
We do not have Juniper SRX devices in the network so we cannot install the configuration at this time, but you can see how the installation would occur from this screen, either at the present time or scheduled for a later time. You have the control to determine when this would be done.
FYI, SRX Series Services Gateways are high-performance network security solutions for enterprises and service providers that pack high port density, advanced security, and flexible connectivity into easily managed platforms.
SRX Series Services Gateways deliver next-generation firewall protection with application awareness, intrusion prevention system (IPS), and extensive user role-based control options, plus best-in-class unified threat management (UTM) to protect and control your business assets. Next-generation firewalls are able to perform full packet inspection and can apply security policies based on Layer 7 information. This means that you can create security policies based on the application running across your network, the user who is receiving or sending network traffic, or the content that is traveling across your network to protect your environment against threats, manage the way your network bandwidth is allocated, and control who has access to what.
SRX Series gateways come in a broad range of models from all-in-one security and networking appliances optimized for the enterprise edge to highly scalable, high-performance chassis solutions optimized for service providers and large data centers. All solutions can be centrally managed using Junos Space Security Director, and additional security services are easily added to existing SRX Series platforms for a cost-effective solution.
Download Configuration
Select "Download Configuration" from the left hand bar.
Download Configuration Information
On this screen, you have the ability to download additional signature files that will be used with your virtual and hardware appliances.
So as I described earlier, if you wanted to update the signatures in your SRX devices, this would be accomplished here.
I am also happy to note that Firefly Perimeter x47 will include UTM and IPS capabilities and in turn, Security Director would be used to update the devices as well.
Audit Logs
Select the "Audit Logs" Task Group.
Audit Logs Dashboard
You will see the dashboard on the right hand side of the page. Feel free to drill down into the various tasks for greater detail.
Please note that your image may look different with regard to the tasks that were implemented in the system.
This concludes the introduction to Security Director. Please proceed on to the next module where you will learn more about Firefly Perimeter's advanced security services and network capabilities.
#JuniperLab
Module 2 - Managing Your Physical and Virtual Infrastructure with Juniper Junos Space (45 min)
Use Cases for Juniper Junos Space and Firefly Perimeter
For Service Providers ( SP ), the network is the money-maker. SPs look to their network to create innovative services that solve business problems and demonstrate the added value they can bring to their customers. These services must always be available to ensure end-subscriber satisfaction, and new services need to be offered frequently as demands and technology change in order to obtain additional revenue streams.
For Enterprises, the network is both a strategic and critical corporate asset, where costs have to be controlled. Explosive demand for smart devices, social media applications, and mobility-based services has placed unprecedented pressure on network operators who must provide a compelling experience to increasingly demanding, tech savvy consumers. The unrelenting expectations of highly secure and always-on connectivity and service, coupled with the growing use of cloud environments, make the network increasingly complex to manage and secure.
Juniper addresses these network challenges with Junos Space to help Service Providers and Enterprise customers maximize their network value and scale solutions, all while reducing complexity. Junos Space is a critical component of Juniper’s SDN strategy as it provides a centralized management plane for a single source of truth and a common management platform for managing and creating applications to meet your specific needs.
Virtualization Use Case
As we will see in the following articles, Firefly Perimeter is the virtualized appliance with advanced security and networking features based on Junos OS.
In addition to its advanced security services and network capabilities, Firefly Perimeter also empowers network and security administrators to quickly provision and scale firewall protection to meet dynamic demand using Junos Space Virtual Director. When combined with Junos Space Security Director, administrators can significantly improve security policy configuration, management, and visibility of their virtual and non-virtual environments.
Firefly Perimeter provides:
• Stateful packet processing and application-layer gateway ( ALG ) features
• Rich connectivity features based on a powerful Junos OS foundation, including routing, NAT, and VPN
• Granular security between zones, creating boundaries between organizations, lines of business, and applications
Firefly Perimeter for Managed Security Service Providers ( MSSP )
Firefly Perimeter enables Managed Security Service Providers ( MSSP ) to launch and activate new services more quickly by decoupling security services from customer premises ( CPE ) hardware. With Firefly Perimeter, MSSPs can migrate from the monolithic architecture and design limitations of a physical firewall to diversified virtual firewall implementations.
They can decentralize fault domains by deploying Firefly Perimeter VMs instead of dedicating a physical firewall to each tenant/customer or sharing one physical firewall across multiple tenants, reaping better returns on their investment. This reduces capital expenditure while aligning the billing with the actual usage.
Additionally, having a firewall in a VM mapped to a single customer allows MSSPs to customize policies and perform maintenance, which only impacts that single customer instead of the traditional approach where numerous customers sharing the same physical firewall are all impacted. Firefly Perimeter enables MSSPs to offer value-added security services such as managed firewall, MPLS, VPN, clean pipe, and secure VM hosting, with a deployment model that lowers time to revenue.
Clustering for Firefly Perimeter
And one of the coolest things that Firefly Perimeter supports is clustering.
Firefly Perimeter provides mission-critical reliability, supporting chassis clustering for both active/active as well as active/passive modes. This support provides full stateful failover for any connections being processed. In addition, it is possible for the cluster members to span hypervisors. When Firefly Perimeter VMs are configured in a cluster, the VM synchronizes connection/session state and flow information, IPsec security associations, NAT traffic, address book information, configuration changes, and more. As a result, not only is the session preserved during failover but security is kept intact. In an unstable network, Firefly Perimeter also mitigates link flapping.
Physical Use Case
Just as Junos Space works with virtual appliances, such as Firefly Perimeter, it also works with the physical devices available from Juniper. This gives you the capability to manage both your physical and virtual data centers, whether as an Enterprise or as a Service Provider. It is all about ease and greater functionality in the tools provided to you. Saving time means saving money and Juniper's Junos Space does just that. What we will be covering in this lab is just the tip of the iceberg.
Deploying Firefly Perimeter
As discussed earlier, Firefly Perimeter is an amazing virtualized security and networking tool that every Enterprise or Service Provider should have within their virtualized data center. There are many reasons why that is the case; the technology of course is one of the reasons, but when you add the ease of deployment, configuration, and the automation capabilities, you begin to understand the possibilities of your virtual data center, the growth and the future you can have.
Log In To Juniper Junos Space
In case you have been logged out, log back in to Junos Space with the following credentials:
Username : super
Password : VMware1!
Click "Log In".
Virtual Director
No matter what application is available when you log in, make sure you end up at "Virtual Director". To do this,
( 1 ) Click the down arrow for the applications
( 2 ) Select "Virtual Director"
Design Task Group Expansion
Please click the " + " symbol to the left of the "Design" Task Group.
Virtual Device Templates
Select "Virtual Device Templates".
Adding New Template
Click the green " + " circle in the dashboard.
Create Template Wizard
Fill in the following information in to the wizard.
Template Name : Firefly Perimeter
VM Image File : ( Click the down arrow ) Select the OVF file that we have already brought in to the system - "junos-vsrx-12.1x46-D10.2-domestic.ovf".
Additional Information
Once the image is selected, the Product Type and Version are already loaded.
Click "Next".
Virtualization Host
For "Virtualization Host" click the down arrow and select the pre-loaded IP address ( 192.168.110.2 ).
Data Center
For "Data Center" click the down arrow and select the pre-loaded Data Center ( Datacenter Site A ).
Cluster / Host
For "Cluster/Host" click the down arrow and select the pre-loaded Cluster ( Cluster Site A ).
Resource Pool
For "Resource Pool" click the down arrow and select the pre-loaded Resource Pool ( None ).
Data Store
( 1 ) For "Data Store" click the down arrow
( 2 ) select "ds-site-a-nfs1"
( 3 ) Once completed, select "Next".
Virtual Machine Configuration
In this screen, fill in the following information
Virtual Machine Name : Firefly_Perimeter
Keep the "Edit network mapping" as the default
Click "Next".
Device Boot Up Configuration
Fill out this screen with the following information
Create Root Password : VMware1!
Confirm Password : VMware1!
Hostname Pattern : Click the down arrow and select the " # ".
Additional Device Boot Up Configuration
Continue with the configuration of the "Device boot up configuration"
IP Assignment : [default]
Default Gateway : 192.168.120.1
Starting IP/Subnet : 192.168.120.70/24
Click "Next".
Final Review - General Information
Please review the information listed under "General Information".
If changes need to be made, select "Previous" to edit. If it looks correct, please proceedto the next step.
Final Review - Virtual Machine Host Configuration Expansion
Click the " + " symbol to the right of "Virtual machine host configuration".
Final Review - Virtual Machine Host Configuration
Review the configuration information for the "Virtual machine host configuration". Again, if changes need to be made, select "Previous" to edit. If it looks correct, please proceed to the next step.
Final Review - Virtual Machine Configuration Expansion
Click the " + " symbol to the right of "Virtual machine configuration".
Final Review - Virtual Machine Configuration
Review the configuration information for "Virtual Machine Configuration". If changes need to be made, select "Previous" to edit.
If it looks correct, please proceed to the next step.
Final Review - Device Boot Up Configuration Expansion
Click the " + " symbol to the right of "Device boot up configuration".
Final Review - Device Boot Up Configuration
( 1 ) Review the "Device boot up configuration" data
( 2 ) When you feel the information is correct, click " Submit "
If it is not correct, guess what... click "Previous".
Added Virtual Device Template
You will now see the template listed in the dashboard for "Virtual Device Templates".
Deploying Template
( 1 ) Click the Firefly Perimeter template
( 2 ) Click the down arrow to the right of "Actions"
( 3 ) Select the "Deploy Template" option.
Number of Virtual Machines to Deploy
( 1 ) On the bottom of the "Deploy Virtual Machine" pop up, keep the default of " 1 " for the "Number of Virtual Machines to Deploy"
( 2 ) Click "Deploy".
Status
A pop-up with the "Status" ID will appear
Click the "OK" button.
vSphere Web Client Tab
You should already have a vSphere Web Client tab available in the Firefox browser.
If not, use the shortcut in the menu.
vSphere Web Client Login
Use the following credentials to log in to the vSphere Web Client
User name : root
Password : VMware1!
Home Button
Click the "Home" button on the top menu bar.
VMs and Templates
Click on "VMs and Templates" in the Inventories section.
Datacenter Site A Expansion
Select the arrow to the left of the "Datacenter Site A".
Firefly_Perimeter1
And there it is, our Firefly Perimeter that we configured and deployed. Yay!! Now wasn't that simple!!!
Imagine how easy it is to deploy these Firefly Perimeter virtual machines for multiple tenants in your Enterprise or Service Provider network.
This concludes this article; please proceed to the next article, which will cover Virtual Director in greater detail.
#JuniperLab
Virtual Director - Greater Detail
We have already spent some time talking about Virtual Director, but now that we have deployed a Firefly Perimeter, let's look at the application in greater detail.
Junos Space Tab
In Internet Explorer, click the first tab which should be Junos Space.
If this tab is not available, use the shortcut in the menu bar.
Virtual Director Application
Make sure the "Virtual Director" application is loaded.
PS... if you are logged out of the system, the account information is
Username : super
Password : VMware1!
Virtual Director Dashboard
Please select the "Dashboard" in Virtual Director.
You will see on the right hand side that the "Number of Deployed Devices" and "Number of Virtual Director Templates" have now increased.
Deployed Devices Menu
Please click on the "Manage" > "Deployed Devices" option in the left menu.
Deployed Devices
You can now see the Firefly Perimeter that we have deployed.
Actions Available
( 1 ) Please click on the Firefly Perimeter device
( 2 ) Select the arrow to the right of "Actions"
You will see that you can "PowerOff Device(s)", "PowerOn Device(s)", "Reset Device(s)".
Yes, if you have other devices, you could power off/on multiple devices at once. You have the ability to control the device from Junos Space. Please note that this does not take control away from the controls you have through the vSphere client, it just allows you to manage everything from one location.
VM Connection Status
Please select "VM Connection Status" under the "Monitor Devices" Task Group.
Virtual Machines
You will now see that both virtual machines are listed.
Remember that a Firefly Perimeter was deployed already.
Virtual Director vs Security Director
I just wanted to make it clear that once a virtual machine, like Firefly Perimeter, is brought into Virtual Director you have controls over it but the configurations will be done through Security Director. No matter what form the security device is in ( hardware vs. virtual ) security policies will be done through Security Director. This concludes this article. Let us now proceed to the next article which covers Security Director in greater detail.
#JuniperLab
Security Director - Greater Detail
In this part of the lab, we will go into greater detail and provide more hands-on capability for Security Director now that we have deployed a Firefly Perimeter virtual machine from Virtual Director.
Launching Security Director
Click the arrow to the right of "Virtual Director" and select "Security Director".
Firewall Policy
Expand the "Firewall Policy" Task Group.
Creating the Global Policy
Click "Create Policy" Sub Task Group.
Name
Set up the following configurations:
(1) Type : [default]
(2) Name : HoL Policy
(3) Description : Creating firewall policy for VMworld
(4) Check Manage Zone Policy [default] - used to manage zone-based firewall rules
(5) Policy Priority : Medium [default]
(6) Precedence Value : keep default ( the value should not exceed the number of existing policies of the same priority; the number of existing policies is displayed as part of the Precedence field. For example, if the system has 4 policies with Low priority, 5 policies with Medium priority, and 3 policies with High priority, you can set the precedence as follows:
• low priority policies - 1 through 4
• medium priority policies - 1 through 5
• high priority policies - 1 through 3 )
(7) Profile : All Logging Enabled
Note that we created a Group policy rather than a Device policy. In this case, since we have only one device, a Device policy may have been more appropriate, but it is nice to see that you can create policies for many devices ... even if we don't have them in this simulation.
Create Policy
( 1 ) Select the "corp_fw1.juniper.net" listing under "Available"
( 2 ) Click the " -> " in the middle to move the selection to the "Selected" side
( 3 ) Click "Create".
Back to Firewall Policy
Just make sure that you are back on the "Firewall Policy" Task Group.
Policies
Under "HoL Policy" select the "corp_fw1.juniper.net".
On the right you will see where the rules are implemented.
Lock to Edit
Click the Lock symbol in the top bar so that the policy can be edited ( we do want to make sure that others are not editing the policy at the same time ).
Create Device Rule
Click "Create Device Rule".
Going Green
Initially the rule will go green and then change to white ( this is normal ).
Rule Name
Click on "Device Zone - 1" in order to get the option to change the name.
Change the Name
Change the rule name to "FW-HoL", and click "OK".
Source Trust Zone
A trust zone is a segment of the network where security measures are applied. It is usually assigned to the internal LAN. An untrust zone is the Internet.
By default, the Source zone is set to trust. The zones that appear in the list are dependent on the type of security policy that you choose to add rules to. When adding a rule for a group policy, all the zones present on all devices are available for selection.
In this case we will keep "trust".
Source IP Address
Click the "Any" option under the Source Address. You will see the ability to Include or Negate IPv4 and/or IPv6 Addresses.
At this time, we will keep the default of "Any".
Destination Untrust Zone
Next is the opportunity to change the "Destination Trust Zone". If you click on "untrust" you once again see the options.
Let us keep the default of "untrust".
Destination Address
We will keep the default of "Any" for the Destination Address.
Service Options
If you click the "Any" option for Service you will see the Available services that we will take actions against. Feel free to move the bar up and down to see all the services that are available.
At this time, we will keep to "Any".
Action
You may need to move the screen to the right to see all the options.
As you see, with the default of "Deny", IPS is "Not applicable" because we are denying the traffic. Please change the "Action" option to "Permit". To do this, click on "Action" to see the options and select "Permit".
Understand that, as stated in previous modules, the IPS rules are published as part of the Firewall rules.
Permit Action
Now that we have changed the "Action" to "Permit", IPS is now Off. Note that in the Firefly Perimeter x47 release, IPS will be incorporated. Just think about the capability to have IPS capabilities embedded in a virtual machine.
Additional Actions
As you can see, there are additional options, including "Tunnel". By clicking on "Tunnel" you will see that there is the ability to implement a VPN tunnel.
AppFw
Next, click on the "AppFw" section.
AppFW - Disabled
Initially when you click on AppFW the capability is disabled.
Please click on "White List" to see the options.
Note that there is also the capability to select "Black List" as well.
This is one of my favorite parts of this configuration, that you can easily specify "White List" or "Black List".
AppFW Enabled
( 1 ) Feel free to scroll the 36 pages or just the one :) of the Pre-defined Apps
( 2 ) Note that there are other options of "Pre-defined Group", "Customer Apps", or "Custom Group"
( 3 ) You can also search if need be.
( 4 ) Click "Cancel".
Validate
Please click "Validate" on the bottom of the screen.
No Validation Errors
You will see a pop up stating there are no Validation errors.
Save
Click "Save" please.
Publish Policy
Select the "Publish Policy" under the "Firewall Policy" Task Group.
Selecting Firewall Policy
Select the firewall policy that we just created.
Select Next
Please unselect the "Include IPS Policy" and Select "Next" on the bottom of the screen.
Affected Devices
Select the name of our firewall policy under "Affected Devices".
Select Publish
Select "Publish" on the bottom of the page.
Job Id
A "Publish Information" Job ID will appear.
Click "OK".
Jobs Management
Please select "Job Management" under the "Job" Task Group.
Success
View the Job Id that was provided and the successful publishing to the number of devices. YAY!!!
IPS Policy
As indicated, at the time of developing the lab, Firefly Perimeter does not support IPS and therefore we cannot develop a policy. We could develop policies for other Juniper products like SRX but we are currently not using one in this lab. Firefly Perimeter will support IPS in the x47 version and at that time, you will use Junos Space to create that policy.
NAT Configuration Information
Junos Space Security Director provides you with a workflow where you can create and apply NAT policies on devices in a network.
Security Director views each logical system as another security device and takes ownership of the security configuration of the logical systems. In Security Director, each logical system is managed as a unique security device.
NAT Policy
Please select "Create NAT Policy" under the "NAT Policy" Task Group.
Device NAT Policy
On the right side, a window will pop up; at this time, we will create a "Device" rule:
( 1 ) Select Device
( 2 ) Name : NAT_VMworld_2014
( 3 ) Description : NAT Policy for VMworld 2014
( 4 ) Click the down arrow next to Device and select "corp_fw1.juniper.net".
Select Create
On the bottom of the screen, click "Create".
Lock to Edit - NAT
You will automatically be taken to the rule creation page.
Click the "lock" symbol in order to lock the policy.
Create Source Rule
Click "Create Source Rule".
Renaming Device
Select "Device-1" and change the name to "NAT_2014"
Ingress Zones
You will see that the same Trust Zones appear that we had available in the Firewall portion.
Interface Zones
At this time, we will be choosing the interfaces as the Zones. Please note that the Firefly Perimeter ( like all virtual machines ) can have up to 10 interfaces. This is the eth0 interface.
Please select "ge-0/0/0.0" and click the arrow to bring it to the selected side.
Select "Ok".
Egress Zones
( 1 ) Please click the "Egress Zones" in order to see our options
( 2 ) Click "Interface"
( 3 ) Select "ge-0/0/0.0"
( 4 ) Select the " -> " to move to selected
( 5 ) Click "Ok".
Translated Packet Source
Click the "No Translation" under "Translated Packet Source" in order to get the pop-up.
Please select the down arrow to see our options.
Translated Type
Select "Pool" as our "Translation Type".
New Source Pool
Please click the green " + " circle to the right of "Source Pool" in order to create a new source pool for NAT.
Create Source NAT Pool
Please fill in the following information
Name : Source_NAT_2014
Description : Source NAT policy for VMworld 2014
We have no "Pool Address" so let's create one through this step.
Please click the green " + " circle to the right of "Pool Address".
Note that you can also create the pool through the "Object Builder" Task Group.
Create Address Object
Let's create the Address Object Type. Please fill in the following information
Object Type : Address
Name : VMworld_2014
Type: ( Click the down arrow ) Range
NOTE
You may get an "Inactivity Timeout" so please make sure you click "Yes".
Address Object Information
Please fill in the following information:
Object Type : Address
Name : VMworld_2014
Description : Addresses for VMworld 2014
Type: Range
Start IP : 192.168.120.200
End IP : 192.168.120.250
Click "Create".
Advanced Properties
Click the arrow next to "Translation".
Select "Port/Range".
Advanced Properties Cont'd
Select the arrow next to "Address Pooling" and select "Paired".
Select the arrow next to "Port" and select "Any".
Click "Create".
Click OK
As you can see, our configuration has been added.
Please click "Ok".
Validate
Please click "Validate".
No Validation Errors
You will see the "Information" screen pop up on the right, showing that there are no Validation errors.
Click Save
Click "Save".
Object Builder Expansion
Please click the " + " symbol to the left of "Object Builder" Task Group.
Addresses
Please select the "Addresses" Sub Task Group.
Object Builder > Addresses
Note that we previously walked through these steps as part of the specific actions, BUT we can also create them beforehand. As you can see, our VMworld_2014 Addresses are listed. For planning purposes, you can easily create all your addresses before you start to create your policies.
NAT Pools
Please select "NAT Pools" Sub Task Group.
Object Builder > NAT Pools
Once again, you have the opportunity to create your NAT pools for the tenants before you build your NAT policy. Creating them as individual pieces will assist with the management of your pools.
VPN Expansion
Please click the " + " symbol to the left of the "VPN" Task Group.
Create VPN
Please select the "Create VPN" sub Task Group.
Route Based VPN
Please fill in the following information:
Name : VPN_VMworld_2014
Description : VPN for the VMworld 2014
Tunnel Mode: Route Based
Notice the type of Route Based VPNs available:
• Site to Site
• Full Mesh
• Hub and Spoke
We will be keeping the default, "Site to Site" at this time.
Route Based VPN Profiles
Please click the down arrow to the right of "VPN Profile".
Notice the types that are available:
• AggressiveModeProfile
• MainModeProfile
• RSAProfile
At this time, we will keep the default of "MainModeProfile".
Route Based VPN Profiles Cont'd
The "Preshared Key" is the last option for the VPN configuration. Note that you can either have the key auto-generated or set it up manually.
Policy Based VPN Profiles
Change the "Tunnel Mode" to "Policy Based" in order to see these options.
Notice the "Type" is still "Site to Site" and the "VPN Profile" choices are still "AggressiveModeProfile", "MainModeProfile" and "RSAProfile".
Please keep the default, "MainModeProfile".
Policy Based VPN Profiles Cont'd
Once again, we have the option to auto-generate or manually add the "Preshared Key".
Next
Please select "Next" at the bottom of the page.
VPN Wizard
Under the available side, please select "corp_fw1.juniper.net" and click "Add as Endpoint" in order to move it to the selected side.
Next
Please click "Next" on the bottom of the screen.
More Than One
Sorry, but this is just a vPod and not set up as a real-world scenario. Since we do not have another endpoint, we cannot continue with the configuration.
I wanted to make sure that you saw the steps we would take to at least configure our side of the VPN connection.
Please click "OK".
Conclusion
At this time, this is the end of the specific configurations that we will be covering within this lab.
Please feel free to review the components of "Security Director" that we have not covered in this article.
When done, please proceed to the next article, where we discuss why Juniper for your physical and virtual infrastructure.
#JuniperLab
Why Juniper for Your Physical and Virtual Infrastructure
Now that you have finished the introduction to Juniper's Junos Space by reviewing the Network Management Platform, Virtual Director, and Security Director, we just wanted to reiterate the importance and ease of the product. We believe in virtualization as much as you do, but the infrastructure isn't always all virtualized. Simply put, if you can manage your physical and virtual infrastructure from one interface, why would you not use Juniper in your data center?
With Junos Space, you benefit from :
• Network-wide visibility and control
• Quick scaling of operations and services
• Rapid deployment of switching, routing, and security infrastructure
• Total management of Juniper devices
• Cross-Vendor event and performance management
• Network intelligence for extending core platform capabilities
• Fast problem identification and resolution
• SDK and APIs for customization and integration
• Reduced OpEx
• Hot-pluggable/multi-tenant applications
• Application fabric
• Software image management
• Configuration templates
• Configuration file management
For companies that want to extract value from their network and deliver solutions that truly work for their business, Junos Space is the platform of choice. You can create and deploy custom management applications using our programmable interface. Junos Space improves network agility by providing an SDK toolkit and APIs at both the platform and application level for a completely customized solution, so you can meet the specific needs of your business or internal procedures.
Junos Space SDK includes the following components :
• Development tools : Junos Space Eclipse plug-in that allows wizard-based creation of different types of Junos Space applications, code generation, REST Explorer, automated build, deployment of applications for test and debug purposes, control of device simulations on the device simulator, and other tools.
• REST Web Services Interfaces : Interfaces to the core capabilities of the Junos Space Platform, which are a part of the Junos Space Network Management platform.
• Device and Environment Simulators : Device and element simulators providing the ability to test applications against virtual Juniper devices.
• Performance, Analytics, Security, and Profiling tools : While the Junos Space SDK does not ship performance, analytics, security, or profiling tools, it is compatible with the most popular tools available today, such as VisualVM, JBoss Tools, etc.
It is also important to know that Juniper has the following products in virtual format :
• WebApp Secure
• SA Series SSL VPN
• Firefly Perimeter
• Firefly Host
• Secure Analytics
• DDoS Secure
• Junos Space
• Security Director
• Virtual Director
• Network Director
• Log Director
• Contrail ( SDN )
Next Module
The next module in this lab covers Juniper DDoS Secure. We hope that you will continue the lab to experience this awesome virtualized security product. If you are on twitter, don't forget to tweet your thoughts to @banksek or email her at [email protected]. We would love to know them.
#JuniperLab
#PewPew
Module 3 - Juniper DDoS Secure (45 min)
Introduction to Juniper DDoS Secure
DDoS flood attacks are a major problem for online businesses. Juniper DDoS Secure can nullify these problems by continually monitoring and logging all inbound and outbound Web traffic.
DDoS Secure uses its CHARM algorithm to learn which IP addresses can be trusted, and is able to respond intelligently and in real time by dropping suspect or noncompliant packets as soon as the optimum performance of critical resources begins to degrade.
This heuristic and granular approach to DDoS mitigation guarantees availability for legitimate users while blocking bad traffic, even under the most extreme attack conditions. This truly is my favorite part about DDoS Secure. Traditionally, a DDoS outage occurs when resources are unable to handle the volume of connection requests at a particular point in time. This might be through an induced malicious attack using a botnet for some financial, ideological, or political motive, or the result of a legitimate “flash-crowd” effect during peak traffic periods. To the end user, there is no real difference: at best they experience degraded response times; at worst, it is a disruption in the resource’s availability resulting in an outage with serious business impact.
Adding more horsepower to the server or increasing bandwidth connectivity can provide some insurance against a volumetric DDoS attack, but they are ultimately ineffective against today’s new breed of sophisticated DDoS threats. Simply throttling all traffic or blacklisting particular groups of IP addresses is also not a lasting solution, particularly as these measures can impact legitimate users.
DDoS Secure software is different. Its innovative heuristic technology continually monitors and logs all inbound and outbound network traffic. Using its unique CHARM algorithm, DDoS Secure learns which clients pose a risk through their use of available resources, and then intelligently responds in real time by disrupting an attack as soon as the performance of critical resources begins to degrade.
DDoS Secure is available in Virtual and Hardware appliance versions.
Key Features of DDoS Secure
• Dynamic and self-learning
• Effective against latest application layer, stealth, attack vectors
• Ultra-low latency
• Up to 40Gb/s throughput capacity
• Fully IPv6 compliant
• Plug & Play, simple to install and configure
• Fully automated for the fastest response and the lowest cost of ownership
• Bi-directional traffic analysis and inspection
• Fail-safe and clustering options
• SSL Inspection enables protection of HTTP and HTTPS applications
DDoS Secure Heuristic Mitigation in Action
The grey normal Internet traffic flows through the DDoS Secure device, while the software analyses the type, origin, flow, data rate, sequencing, style and protocol being utilized by all inbound and outbound traffic. The analysis is heuristic in nature and adjusts over time, but is applied in real time with minimal latency.
The red DDoS attack traffic shows how the DDoS Secure appliance uses complex data analysis techniques to detect attacks, take defensive measures and drop the traffic.
Traffic Analysis
This diagram illustrates how all inbound traffic that is identified as normal ( good CHARM score ) passes through the appliance without any change. All inbound traffic that is identified as malicious ( bad CHARM score ) is discarded if the protected resource cannot handle the load. There are no IP addresses to configure on the appliance's Internet traffic interfaces, and the appliance may be installed without changing the network configuration of any existing equipment. However, an IP address is required for the secure control connection to the management PC. The management PC requires a browser that supports HTML frames, JavaScript, and the HTTPS protocol, or, alternatively, an SSH client. The management PC is used to initially configure the appliance and then to report on the traffic statistics. During an attack, the appliance uses its built-in heuristic analysis to identify the most likely attackers within a few microseconds of the beginning of an attack. The longer the appliance analyzes the traffic, the better the heuristic analysis. Attacks are tracked on a per-incident basis for easy reporting and analysis.
Let's continue on to the next chapter, where we investigate the Juniper DDoS Secure User Interface ( UI ).
#JuniperLab
Introduction to Juniper DDoS Secure UI
Juniper DDoS Secure is a fully automatic DDoS protection system used for websites and web-connected e-commerce sites. DDoS Secure protects all TCP/IP protocols. In this article we will cover the user interface ( UI ) of the DDoS Secure appliance. There is so much data to cover regarding this appliance, but since we are in a lab scenario, we will not be able to cover everything. We did want to make sure that you had time to review everything that is at your fingertips with this amazing product.
Launching Internet Explorer
Double Click the "Internet Explorer" icon on the Control Center desktop.
New Tab
Click on the box on the URL bar in order to bring up a new tab.
Launching DDoS Secure
Click the "DDoS Secure Login" shortcut on the tool bar.
Accept Certificate
You will more than likely get the above certificate error; click "Continue to this website (not recommended)"... yeah yeah, I know it is not recommended, but please do it anyway :)
Click "Login" Button
Click the "Login" button in the middle of the page please.
Log into DDoS Secure
To log into DDoS Secure, use the following credentials:
Username: user
Password: password
Web Interface Layout
Above is a layout of the statistical display part of the user interface. Each individual segment of the page is divided into categories.
Options on the left pane are :
• Configuration/Logs - used to access the configuration and logs window.
• Summary Dashboard - used to display the summary dashboard.
• Menu Buttons - on the left pane of the page.
Options on the center pane are :
• Display Output
• Configuration Input
Options on the right pane are :
• Operational Mode
• Protected Info
• Defense Status - when an item in defense status turns from black to red, then DDoS Secure is actively defending this situation.
• Additional Status
Options on the top center pane :
• Page Specific Action
• View Filters - the view filter button is available from any page within the statistical display section of DDoS Secure. Any value entered into the filter will be set until the filter is cleared, even when accessing another page within the DDoS Secure statistical display section.
Summary Dashboard
Your login takes you directly to the real-time dashboard for DDoS Secure.
On the top is the "Traffic Monitor" section.
In the middle are the "Load Status" and "Attack Status" graphs. Note that there is no traffic and no attacks at this time, but we will be simulating two attacks in the following articles.
The bottom row has "Good Traffic", "Bad Traffic", and "Protected Performance". You more than likely will see "Good Traffic" change over time.
The descriptions of the sections:
• Traffic Monitor - Displays the average speed of data processed, both inbound and outbound, for the appliance, as well as the most active portals.
• Load Status - Displays how busy the DDoS Secure appliance engine is.
• Attack Status - Displays how aggressively the DDoS Secure appliance is dropping traffic to defend the appropriate resources.
• Good Traffic - Displays the distribution of where good traffic is coming from.
• Bad Traffic - Displays the distribution of where bad traffic is coming from.
• Protected Performance - Displays how busy a protected IP address is from an aggregated CHARM perspective, and what the average traffic to and from the IP address is.
Traffic Monitor
The traffic monitor pane shows the peak traffic usage ( inbound and outbound ) over the selected period. Note that the default is 24 hours.
Highlighting Traffic
If you select the top "Appliance 192.168.120.11 inbound" entry, you will see it highlighted in the graph. Feel free to do this with the other three options available in the "Traffic Monitor" screen. Note that your "Traffic Monitor" pane may look different than the one shown above.
Changing Time
As previously specified, you can change the time frame for your "Traffic Monitor" pane. In the top right, above the graph, is a tab that allows you to change the time. Click the arrow to the right of "Last 24 Hours" to see the options.
Changing Viewing
Note that you can also change which appliances/portals/IPs are shown on the "Traffic Monitor" page by clicking the arrow to the right of "Viewing: global" in the top right.
Protected Performance
View the bottom right corner and you will see the "Protected_App" and "Unprotected_App" portals. These are the portals we will be using in our testing in subsequent articles. You can see that "Protected_App" is in defending mode and "Unprotected_App" is in logging mode. This pane reports on how busy a protected IP address is from an aggregated CHARM perspective, and what the average traffic to and from the IP is.
DDoS Secure supports different components in one of two operational modes:
• Defending - if the DDoS Secure appliance detects an undesirable packet, it logs the issue, and the packet is dropped.
• Logging - if the DDoS Secure appliance detects an undesirable packet, it logs the issue, and the packet is passed.
Examples of different components are:
• Overall Protection - logging or defending
• Portal Operation - logging or defending
• Protected IP Address Operation - logging or defending
• White-listed Client IP Address - logging
• Black-listed Client IP Address - defending
If an activity uses components that contain a combination of defending and logging, the resultant operational mode will be logging. Thus, for a black-listed client IP address with an overall operation of defending, a portal operation of logging, and a protected IP address operation of defending, the client IP address is not dropped.
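The mode-resolution rule above, written out as an added Python illustration (this is not vendor code; the component names, the "defending" default for unconfigured portals and IPs, and the two-portal lab setup are assumptions made for the example):

```python
"""
Effective operational mode of a DDoS Secure activity, as described in the lab:
every component on the packet's path (overall protection, portal, protected IP,
white-/black-listed client IP) is either 'defending' or 'logging', and a single
'logging' component makes the whole activity log-only.  Added example, not
Juniper code; component layout and defaults are assumptions.
"""
from dataclasses import dataclass, field

DEFENDING = "defending"
LOGGING = "logging"


def _check(mode: str) -> str:
    if mode not in (DEFENDING, LOGGING):
        raise ValueError(f"unknown operational mode: {mode!r}")
    return mode


@dataclass
class Appliance:
    overall: str = DEFENDING
    portals: dict = field(default_factory=dict)        # portal name -> mode
    protected_ips: dict = field(default_factory=dict)  # protected IP -> mode
    white_list: set = field(default_factory=set)       # client IPs, always logging
    black_list: set = field(default_factory=set)       # client IPs, always defending

    def components_for(self, client_ip: str, portal: str, protected_ip: str) -> dict:
        """Mode of every component involved in one activity (assumed default: defending)."""
        modes = {
            "overall": _check(self.overall),
            f"portal:{portal}": _check(self.portals.get(portal, DEFENDING)),
            f"protected_ip:{protected_ip}": _check(self.protected_ips.get(protected_ip, DEFENDING)),
        }
        if client_ip in self.white_list:
            modes[f"white_list:{client_ip}"] = LOGGING
        if client_ip in self.black_list:
            modes[f"black_list:{client_ip}"] = DEFENDING
        return modes

    def effective_mode(self, client_ip: str, portal: str, protected_ip: str) -> str:
        """Any logging component turns the whole activity into logging mode."""
        modes = self.components_for(client_ip, portal, protected_ip)
        return LOGGING if LOGGING in modes.values() else DEFENDING

    def action_for_undesirable_packet(self, client_ip: str, portal: str, protected_ip: str) -> str:
        """What happens to a packet DDoS Secure has judged undesirable."""
        mode = self.effective_mode(client_ip, portal, protected_ip)
        return "log-and-drop" if mode == DEFENDING else "log-and-pass"


def lab_appliance() -> Appliance:
    """The lab's setup: Protected_App defending, Unprotected_App logging (IPs constructed)."""
    return Appliance(
        overall=DEFENDING,
        portals={"Protected_App": DEFENDING, "Unprotected_App": LOGGING},
        protected_ips={"192.168.130.77": DEFENDING, "192.168.130.78": DEFENDING},
        black_list={"203.0.113.42"},   # constructed black-listed client
        white_list={"198.51.100.7"},   # constructed white-listed client
    )


if __name__ == "__main__":
    app = lab_appliance()
    # The case from the text: black-listed client, overall defending, portal logging,
    # protected IP defending -> logging, so the packet is not dropped.
    print(app.action_for_undesirable_packet("203.0.113.42", "Unprotected_App", "192.168.130.78"))
    # Same client against the defended portal -> every component defending -> dropped.
    print(app.action_for_undesirable_packet("203.0.113.42", "Protected_App", "192.168.130.77"))
```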
Left Taskbar
The left taskbar shows the menu buttons. These menu buttons give you more detailed information on the traffic that passes through DDoS Secure. Feel free to select them individually for review, but note that because we have limited traffic ( at this time only Juniper's Junos Space is on the network ), the information is limited. We will be looking at some of these menus in other articles.
Configuration/Logs
Please click the "Configuration/Logs" tab.
This pop-out screen provides you with administrative tasks as well as additional data for the configuration.
Second Tab
Please click the tab labeled "Admin 192.168.120.11" that has popped up because you selected "Configuration/Logs".
Log File
The log file is the first screen that pops up, showing everything that is occurring on the virtual appliance. Information like logins ( GUI ) and Info messages is shown.
Configure Portals
Please click the "Configure Portals" option in the left pane menu.
Portals - Defending / Logging
As you will see from this screen, this is where I set up the configuration for the two portals to be put into defending and logging mode. The "Protected_App" will be defended and the "Unprotected_App" will be in logging mode.
Configure Interfaces
Please select "Configure Interfaces" from the left menu pane.
Network Modes
As you will see in the screen on the left, under the "Internet/Protected Global Definitions", there are multiple ways to configure the DDoS Secure appliance. In our case we have it set up as an L3 ( Router ) because this scenario works best for the vPod. Note that the configurations for L2 ( Bridge ) and L2/L3 ( Split Network ) can also be used.
As an FYI, DDoS Secure uses "Internet" and "Protected" to differentiate the side of the attackers ( Internet ) from the side of the applications ( Protected ).
Shutdown
Although we do NOT want you shutting down the DDoS Secure appliance, please note that this is where you would do it.
Note that this option is available in the bottom of the left menu pane.
This concludes a quick look at the DDoS Secure User Interface. Please proceed to the configuration of the testing environment article.
#JuniperLab
Configuration of Testing Environment
In this lab, we will be simulating a low and slow DDoS attack.
Low and slow attacks use, as you can imagine, "slow" traffic, making it appear more normal to an organization. They often go undetected because they do not violate any specific protocol and do not match any specific signature. End users see slow responses to their calls to the systems, creating a severe performance impact.
vSphere Tab
Proceed back to the first tab in the Internet Explorer browser.
vSphere Web Client login
Log into the VMware vSphere Web Client with the following credentials:
User name : root
Password : VMware1!
Click "Login"
Home
Click the "Home" button in the top blue bar.
VMs and Templates
Click the "VMs and Templates" icon in the Inventories pane.
Expand Datacenter
Click the arrow to the right of "Datacenter Site A".
VM's We Will Be Using
In our scenario we will be using the VMs highlighted.
Protected and Unprotected Applications
In our simulation we will have a "Protected Application" ( 2 Protected Application ) and an "Unprotected Application" ( 2 Unprotected Application ). These applications are on the Protected side of the DDoS Secure.
Remember when we were in the DDoS Secure Dashboard, the "Protected_App" was identified as Defending and "Unprotected_App" was identified as Logging. As you can imagine, the Protected Application will be protected by the Juniper DDoS Secure virtual edition appliance and the Unprotected Application will not.
Note that these two virtual machines are exactly the same. They are simulated web servers with databases.
Attacker
"Attacker 42" will simulate a low and slow attack.
Please note that this is a Linux box with customized scripts for its various attacks. This virtual machine is on the Internet side of the DDoS Secure.
Attacker 42 has two interfaces specifically for the simulation.
Windows Box
The "base-w7-01a" box will be used to show the impact of the attack.
DDoS Secure Virtual Edition
Lastly, our "DDoS Secure virtual edition" virtual appliance sits inline between the attackers and the portals, collecting the data and doing its thing.
Let us see it in action. Please proceed to the next article, where we will simulate a low and slow attack and show how Juniper DDoS Secure protects the protected site.
#JuniperLab
Low and Slow Attack
As mentioned previously, a low and slow DDoS often goes unnoticed by conventional tools. In this low and slow DDoS attack simulation, we will show you how Juniper's DDoS Secure can easily "catch" the data and protect the "Protected Application". Application-layer attacks, often referred to as “low and slow” ( to describe the attacker’s goal of staying under threshold detection systems ), have exposed weaknesses in netflow and threshold-based detection techniques. RUDY ( R-U-Dead-Yet ) and Slowloris are two types of application-layer attacks that target the HTTP protocol. The attacker seeks to launch a multitude of requests that are difficult to serve back to the requester, depleting application resources and quickly bringing the website down.
vSphere Web Client
Make sure you are still in the "vSphere Web Client" tab within Internet Explorer.
Launch Windows Console
Select "Open Console" for the "base-w7-01a" virtual machine.
Note that it will pop up in the next tab.
Logging into Windows VM
Use
password : VMware1!
and click the " -> " button to the right of the password for the vmware account on the Windows VM.
Launch Firefox
Double click the "Mozilla Firefox" icon on the desktop.
Launch Protected App
Please select the "Protected App" shortcut in the menu bar.
Protected App
Notice the image in the Protected App is the Juniper Networks image.
Firebug
You will see that we have added the additional tool Firebug to Firefox. This tool is used to show how long it takes for the website to make its calls once under attack.
Notice the time while the site is running cleanly. In this case, it is 421 ms ( note that your time may be different ).
New Tab
Please click the " + " symbol in order to bring up a second tab.
Launch Unprotected App
Please click the "Unprotected App" shortcut on the menu of Firefox.
Unprotected App
Notice that the image in the Unprotected App site is the tomato cart ( we wanted to differentiate between them in case you got confused... I did at times : ) ).
Firebug is also available at the bottom of the screen. Feel free to look at the time to load the unprotected site.
Back to vSphere Web Client
Please proceed back to the "vSphere Web Client" tab in Internet Explorer.
Launch Attacker 42
Please "Open Console" of "Attacker 42" by right-clicking on the "Attacker 42" virtual machine.
Log into Attacker 42
Please log into Attacker 42 with the following credentials:
Attacker login : root
Password : Juniper1!
Ping Protected App
At the prompt, type
ping 192.168.130.77
This is the IP address of the Protected Application.
Exit Console
Select < Ctrl + Alt > to escape the window; please keep the ping going.
Proceed to DDoS Secure
Please click on the DDoS Secure tab in Internet Explorer.
Select ICMP Info
Please select "ICMP Info" on the left column.
ICMP Info
As you can see, the Attacker 42 VM is pinging the Protected Application and the Juniper DDoS Secure appliance can see it.
Back to Attacker 42
Please proceed back to the "Attacker 42" tab in Internet Explorer.
Stop Ping
Stop the ping by entering < Ctrl + C > in the console.
Start Attack
At the command prompt, type
sh slow_query_attack.sh
Leave Attacker 42
As the message shows, please hit < Ctrl + Alt > to release the cursor.
DDoS Secure Dashboard
Please proceed to the DDoS Secure tab in Internet Explorer.
Traffic Numbers
You will see the numbers increase on the right-hand side of the dashboard. Remember this is a low and slow attack: it will take some time for the attack to show and for the site to be protected, and it will take time for the sites to recover. It is a cool simulation, so give it time please.
Proceed to URL Info
Please proceed to the "URL Info" option in the left pane.
URL Info
You can see the top two lines show the Unprotected App and the Protected App.
This is a low and slow attack, but you will see the numbers increasing. At this time, you will see the pending numbers are approximately the same. Did you want me to remind you that it is a low and... wait for it... slow... attack?
Pending Numbers
After some time, you will see the pending numbers start to have a huge differentiation!!!
Right now the unprotected app has 236 requests pending and the protected app has 53 requests pending. Note that your numbers will be different.
Clearly the Juniper DDoS is protecting the protected app!!! But wait, we are not done...
Proceed to Windows VM
Please proceed to the "base-w7-01a" tab in Internet Explorer.
Reload Protected App
In Firefox
( 1 ) Reload the Protected App website by selecting the circle arrow.
( 2 ) You will notice that it loads in a specific amount of time. In this case, it is 46 ms.
Unprotected App
Please click the first tab to go to the Unprotected App.
Reload Unprotected App
( 1 ) Reload the Unprotected Application site by clicking the circle arrow.
( 2 ) Notice the time it takes to load the site. In this case, 14.59 s.
Note that the longer you wait for the attack to progress, the longer the response time will be. For instance, we have seen this take 200 s or even time out.
There is a big difference between 46 ms and 14.59 s.
Juniper DDoS Secure protected our Protected App from the low and slow DDoS Attack.
Cool huh? I told you!!!
Final Thoughts
So what we just saw is a low and slow attack from our "Attacker 42" virtual machine against two web servers. We saw that Juniper DDoS Secure automatically detected the attack and protected the "Protected App" from it, so that no impact was made on the end users. No configuration was needed on your part for this use case; DDoS Secure did it automatically!!
Please proceed to the final article in this module, "Why Juniper DDoS Secure".
#JuniperLab
Why Juniper DDoS Secure
I thought it was important to follow up regarding the Juniper DDoS Secure product. When I think about the capabilities inherent to the product, such as CHARM, it is hard to find a reason why you should not be using DDoS Secure. The first distributed denial of service (DDoS) attack occurred in 2000 and was used to take out Amazon, eBay, and a host of other e-commerce sites. The weapon used was a volumetric flood attack, and the attackers used a rudimentary botnet of multiple computers to flood the network with high-volume traffic that brought the e-commerce sites down, causing an estimated $1.7 billion in collective damages.
Since then, DDoS attacks have evolved from being a blunt weapon, using high-volume attacks to bring down Web servers, to highly sophisticated application-level attacks designed to zero in on strategic business resources. 2012 saw a series of attacks against the banking industry, some politically motivated and high profile, while others involved financial theft and fraud. The e-commerce sector was subject to attack as well, following the real-world pattern of major shopping holidays.
2012 saw a sharp increase in Layer 7 DDoS attacks. What makes L7 attacks so stealthy is the fact that they masquerade as legitimate traffic to carry out the attack. A Layer 7, or application-layer, attack exploits inherent flaws and vulnerabilities in application software rather than using brute force to achieve the desired results. The majority of application-layer attacks target well-known applications such as HTTP, HTTPS, domain name system ( DNS ), and VoIP ( Session Initiation Protocol or SIP ). Much like volumetric attacks, L7 attacks require very little investment by attackers. It is more than possible to bring down major websites with a laptop and as few as 40 to 60 of the same request per second ( aka PPS, or packets per second ). To give this some context, volumetric attacks will range from the low hundreds of thousands of PPS to millions of PPS. Their appearance of legitimacy ( adhering to protocol rules, with normal and complete TCP connections ) is what makes L7 attacks benign in appearance and exceedingly difficult to detect and mitigate.
What is at stake is costly service outages that can result in lost business and defection of end customers, along with sometimes irreparable damage to brand and reputation. In the financial services industry, more likely than not it also involves theft of sensitive data and financial fraud. In the education and healthcare sectors, a primary concern is access to student information, electronic medical records, and theft of sensitive data that could result in huge lawsuits and terrible outcomes for individuals who have their information stolen. A loss of availability for airline ticketing sites or e-commerce sites, large or small, could result in a loss of revenue and credibility. Inevitably, a DDoS attack is accompanied by financial losses that can be hard to recover from.
Juniper DDoS Secure’s innovative design uses a “closed loop” process to look at the full cycle of the packet coming in, the resource it is destined for, the resource’s ability to return the request in a timely manner, and finally the request being served back to the requester. DDoS Secure is self-learning and requires no tuning or thresholds to be set. It monitors how the application responds and learns from each encounter. This innovative heuristics-based approach enables the technology to determine both what normal traffic looks like and what normal responses from an application look like. As new attacks occur, DDoS Secure updates the algorithm to include the characteristics of the new attack, creating a highly intelligent DDoS defense system that incorporates dynamic updates and removes confusion from attacks that may be occurring as the system learns the limitations of the application environment. In the case of a DNS amplification attack, DDoS Secure applies intelligence about the behavior of the DNS resource to shut down the attack before it can overwhelm and bring down the DNS server. DDoS Secure’s intelligence filters out repetitive requests to a DNS system for the same information, thereby averting a DNS amplification attack and protecting the unsuspecting target from rogue requests impacting its availability.
In other words... the question becomes: Why NOT Juniper DDoS Secure!!!
End of Lab
We wanted to thank you personally for taking the Juniper lab at the VMworld 2014 Hands-on Lab.
If you have a twitter account, please tweet to @banksek or email her at [email protected] and let her know your thoughts.
Have a great day!!
#JuniperLab
#PewPew
Conclusion
Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.
Lab SKU: HOL-PRT-1472
Version: 20150227-070315