Juniper SPACE SECURITY DESIGN User manual

Type
User manual
DATASHEET
Product Description
Juniper Networks® Junos® Space Security Design is a state-of-the-art, scalable enterprise
solution designed to automate the visualization, configuration, and deployment of the
security architecture of a multi-domain network.
Large-scale network security implementations often increase operational complexity
and cause configuration errors, leading to heightened security risk. The critical
elements of a network security deployment, such as topology visualization, business policy
management, VPN implementation, and the provisioning, distribution, and application
of required configurations, require a holistic, smart, and automated design approach.
Grappling with compliance requirements and the need to reduce administrative costs,
IT departments can translate business policies easily and quickly into the network
infrastructure with minimal manual intervention using Security Design. Benefiting from
a platform-wide consistent visual interface, Security Design features a sophisticated yet
simple web-based design environment.
JUNOS SPACE SECURITY DESIGN
Product Overview
In properly designed networks, security is
an integral attribute of the system. When
security is treated as an afterthought, or
developed independent of the overall
design requirements, it is often costly,
inflexible, and risky.
Enterprises are mostly driven by
time-to-market pressures and often
deploy systems before achieving
appropriate levels of quality and
security. Consequences can impact
overall deployment schedules, increase
complexity, and even delay profitability.
Junos Space Security Design helps
integrate a secure network design
workflow into your branch deployment
solution. The result is faster time
to market, reduced security risk,
centralized, consistent configuration of
the network, and overall lower cost of
maintenance.
[Diagram labels: London, San Francisco, Branch, HQ, SRX240, SRX3400, Internet; services marked allowed or denied: HTTPS, MS-SQL, RADIUS, HTTP, TELNET, SSH, SNMP; Security Design running on Junos Space]
Figure 1: Typical topology for headquarters to branch security
Security Design provides an innovative method to model
network security between network domains by providing security
architects with a solution that is easy to use and easy to deploy.
The application automates security design through a familiar
web-based interface with design and deployment workflows, and
facilitates rapid deployment of thousands of security devices to
branch locations securely and efficiently.
Unlike solutions that require highly skilled onsite network
security architects at each branch location, multi-domain
security architecture can be designed once in the corporate
office, then distributed and applied to each branch network via
several convenient and secure methods. Using Security Design,
IT departments can automate the translation of business policy
requirements into the network infrastructure, reducing the
complexity while increasing consistency and reliability.
Junos Space
Security Design is a software application that is built on the Junos
Space network application platform, and it leverages all Junos
Space platform capabilities. The premise of Security Design is
to provide the security architect with an environment in which
it is easy to design, configure and deploy required security rules.
It provides sophisticated, end-to-end visibility to the network
topology, drag-and-drop policy associations between network
resources, wizards to configure and provision VPN and device
configurations, and convenient and secure deployment options.
Junos Space is underpinned by a programmable application
environment, a powerful runtime environment, and a Web 2.0 GUI.
Figure 2: Security Design is an application on Junos Space platform
Architecture and Key Components
Security Design represents several innovations, including topology-based
policy definition to model security devices once and have
the configuration ready to push to thousands of devices, policy
abstraction to create a logical security topology, and patent-pending
security domains to allow common security restrictions to
be applied to a grouping of distributed network resources. These
innovations are embodied in the following components:
• Object builder, to create applications, domains, and addresses.
• Security whiteboard, to design the network security topology,
establish policies, and create VPN configurations.
• Rapid deployment, to specify branch settings, and create and
distribute the configuration profiles.
Features and Benefits
Security whiteboard and object builder are the two workspaces
included to facilitate the architecture design and the device
configurations. Functionality to trace and control the progress is
provided by the job management feature of Security Design.
Figure 3: Security whiteboard and network topology
Security Whiteboard
Security whiteboard consists of three sub-functions—security
topology, security policy, and IPsec VPN configurations. Using
topology view of the whiteboard the user can create and manage
network objects of a targeted network domain. Each object allows
the user to view its specific properties and thus make further
adjustments. When specific topology information is not available,
the architect can simply import the new topology from a comma-
separated values (CSV) file that can be created using other design
tools. The objects within the security whiteboard workspace include
applications, security domains, and addresses that can be created
and managed using the object builder feature of Security Design.
Security policies that control the traffic between security domains
are applied to the topology using GUI tools provided in the
workspace. For example, the user can simply establish a policy
association between two security domains by dragging a line
from the toolset. Then, the details of the policy and the traffic
rules are created graphically in a dialog box related to this policy
association. In the next step, the architect decides whether to
provision the security policy immediately or schedule it for a later
date to finally complete policy implementation between the
required security domains.
Figure 4: Creating a policy using security whiteboard
IPsec VPN is the last of the security whiteboard functions. It
enables configuration of thousands of VPNs in hub-and-spoke, full
mesh, or site-to-site topologies, and the monitoring and
troubleshooting of these tunnels.
A sophisticated VPN configuration wizard simplifies an otherwise
complex VPN setup, reducing it to a few simple steps:
1. Define VPN properties such as name, VPN type, profile, and the
tunnel IP subnet.
2. Specify the endpoints of the tunnel on the topology diagram.
3. Provision the VPN configuration to the network resources.
Object Builder
Object builder is a multi-tenant workspace that contains standard
network objects and enables the addition of new devices. Similar
to the security whiteboard workspace, network resources such as
applications, security domains, and addresses are displayed
graphically. A set of predefined, common applications such as
FTP, telnet, SSH, SMTP, netbios-session, and many others are
shipped with Security Design. If a new application is needed, the
user can conveniently provide the details using object builder, and
it will simply add the application to the Junos Space database.
Figure 5: Adding devices using object builder
Rapid Deployment
Junos Space provides a rapid deployment workflow that is common
to all Junos Space applications. Similar to the other workspaces
in Security Design, rapid deployment follows a familiar convention
to present an overview of the devices that are maintained in Junos
Space, available to deploy, and can be added to the topology as
required. Introduction of new devices to the network infrastructure,
including the required security policy configuration, is as simple as
creating a configuration file, known as a configlet, and applying it to the
network device in the branch location.
Central management and simple provisioning capabilities of rapid
deployment enable network operators to deploy and provision
new devices with minimal manual intervention.
Features and Benefits
Table 1: Junos Space Security Design features and benefits
FEATURE: BENEFIT

Web-based Interface:
Junos Space applications are web-based and provide a simple to use but sophisticated browser interface with familiar design tools.
Users can focus on their task, better apply their knowledge, interact within a familiar environment, and challenge their creativity as they design. The consistent interface among applications, whether it is a Juniper or a third-party application, lets users accomplish tasks with greater productivity.

Application within the Junos Space family:
As a member of the Junos Space family, Security Design provides the user with a common Web interface that accesses an expanded Junos Space feature set.
Rapid deployment is an example of a feature shared among all Junos Space applications.

Granular device configuration:
Anywhere in the workflow, each object provides a rich set of property information that is either gathered from the Junos Platform or created as a part of the design process.
• In-depth property information helps the architect make accurate design decisions.

Policy life cycle management:
• Provides orchestration of policy design, configuration, and granular visibility of policies.
The policy abstraction layer, which handles thousands of devices, provides the operator with efficient ways to optimize policies, clean up unused rules, and design and enforce policy compliance mandates.
Eliminates rule-by-rule policy definitions by means of the abstraction layer, and promotes accuracy, simplicity, and faster time to deployment.

IPsec VPN configuration wizard:
The IPsec VPN wizard, a component of the whiteboard, helps the user design and provision otherwise complex VPN configurations easily.
• Enables configuration of thousands of VPNs in hub spoke, full mesh, or site-site topologies.
• Provides monitoring and troubleshooting of these VPN tunnels.
1000332-001-EN Sept 2010
Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos,
NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other
countries. All other trademarks, service marks, registered marks, or registered service marks are the property of
their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper
Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
FEATURE: BENEFIT

Network topology visualization:
Calculates the path between endpoints and determines which policy enforcement point will be impacted.
• Allows the user to design the security policy and let the system intelligently establish which device gets affected.

Job management:
Tasks such as VPN deployment or policy application can be provisioned either immediately or at a scheduled date and time.
• Provides the flexibility of deciding when to deploy a particular function and monitoring its progress.
• Facilitates additional control over the readiness and deployment schedule.

Rapid deployment wizard:
Facilitates network device management; for example, when a new device is introduced to the network, it must be configured and the required security policies applied.
Using this wizard, accessed from within the Security Design workspace, the required configuration file can be created and distributed to the branch location conveniently.
Application of configuration does not require an onsite security architect and, when applied, the device is simply commissioned to the network with a preset configuration.
Accelerates the deployment of a network device with controlled configuration settings.
• Greatly reduces or eliminates the risk of security configuration errors.
Specifications
Client Browser Support
Supported browsers include Firefox 3.0, Internet Explorer 7.0, and
above.
VMware Version
Junos Space works with VMware vSphere 4.0 and above.
Juniper Platforms
Security Design runs on Juniper Networks devices running
Junos OS 9.0 and later releases.
Junos Space Appliance
Security Design runs on the Junos Space appliance.
Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services
and support, which are designed to accelerate, extend, and
optimize your high-performance network. Our services allow
you to bring revenue-generating capabilities online faster so
you can realize bigger productivity gains and faster rollouts of
new business models and ventures. At the same time, Juniper
Networks ensures operational excellence by optimizing your
network to maintain required levels of performance, reliability, and
availability. For more details, please visit www.juniper.net/us/en/products-services.
Ordering Information
When ordering Junos Space Security Design, two items are
required: the Junos Space platform (physical or a virtual appliance
for VMWare environment) and a Junos Space Security Design
application license. The SKUs are as follows:

MODEL NUMBER: DESCRIPTION
SPC1500-A-BSE: Junos Space JA1500 Appliance
SPC-VA-BSE: Junos Space Virtual Appliance for VMWare environment
SPC-SECDGN-FWVPN: Add Junos Space Security Design application - software license

For further information on Junos Space Platform please refer to:
www.juniper.net/us/en/products-services/software/junos-platform/junos-space/platform.
About Juniper Networks
Juniper Networks, Inc. is the leader in high-performance
networking. Juniper offers a high-performance network
infrastructure that creates a responsive and trusted environment
for accelerating the deployment of services and applications
over a single network. This fuels high-performance businesses.
Additional information can be found at www.juniper.net.