Security Design provides an innovative method to model
network security between network domains by providing security
architects with a solution that is easy to use and easy to deploy.
The application automates security design through a familiar
web-based interface with design and deployment workflows, and
facilitates rapid deployment of thousands of security devices to
branch locations securely and efficiently.
Unlike solutions that require highly skilled onsite network
security architects at each branch location, multi-domain
security architecture can be designed once in the corporate
office, then distributed and applied to each branch network via
several convenient and secure methods. Using Security Design,
IT departments can automate the translation of business policy
requirements into the network infrastructure, reducing the
complexity while increasing consistency and reliability.
Junos Space
Security Design is a software application that is built on the Junos
Space network application platform, and it leverages all Junos
Space platform capabilities. The premise of Security Design is
to provide the security architect with an environment in which
it is easy to design, configure and deploy required security rules.
It provides sophisticated, end-to-end visibility to the network
topology, drag-and-drop policy associations between network
resources, wizards to configure and provision VPN and device
configurations, and convenient and secure deployment options.
Junos Space is underpinned by a programmable application
environment, a powerful runtime environment, and a Web 2.0 GUI.
Figure 2: Security Design is an application on the Junos Space platform
Architecture and Key Components
Security Design represents several innovations: topology-based
policy definition, so that security devices are modeled once and the
resulting configuration is ready to push to thousands of devices;
policy abstraction, to create a logical security topology; and
patent-pending security domains, which allow common security
restrictions to be applied to a grouping of distributed network
resources. These innovations are embodied in the following components:
• Object builder, to create applications, domains, and addresses.
• Security whiteboard, to design the network security topology,
establish policies, and create VPN configurations.
• Rapid deployment, to specify branch settings, and create and
distribute the configuration profiles.
Features and Benefits
The security whiteboard and the object builder are the two workspaces
provided for architecture design and device configuration. Progress
is tracked and controlled through the job management feature of
Security Design.
Figure 3: Security whiteboard and network topology
Security Whiteboard
The security whiteboard consists of three sub-functions: security
topology, security policy, and IPsec VPN configurations. Using the
topology view of the whiteboard, the user can create and manage
network objects of a targeted network domain. Each object allows
the user to view its specific properties and make further
adjustments. When specific topology information is not available,
the architect can simply import the new topology from a
comma-separated values (CSV) file created using other design
tools. The objects within the security whiteboard workspace include
applications, security domains, and addresses that can be created
and managed using the object builder feature of Security Design.
Security policies that control the traffic between security domains
are applied to the topology using GUI tools provided in the
workspace. For example, the user can simply establish a policy
association between two security domains by dragging a line
from the toolset. Then, the details of the policy and the traffic
rules are created graphically in a dialog box related to this policy
association. In the next step, the architect decides whether to
provision the security policy immediately or schedule it for a later
date to finally complete policy implementation between the
required security domains.
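To make the domain-level policy model concrete, the following added example (illustrative code, not Juniper's own implementation or data format) models the object-builder entities described above: addresses, applications, security domains and a policy association drawn between two domains. It then expands that single design into per-device rules for a given branch, so the same whiteboard design yields a distinct rule set for every branch once branch-specific addresses are supplied. All names, CIDRs and the branch-settings structure are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Application:            # object builder: an application is protocol + port
    name: str
    protocol: str
    port: int

@dataclass
class SecurityDomain:         # grouping of distributed network resources
    name: str
    addresses: dict = field(default_factory=dict)   # address name -> CIDR

@dataclass
class PolicyAssociation:      # the line dragged between two domains
    source: str
    destination: str
    rules: list               # ordered (Application, "permit" | "deny")

def compile_rules(domains, policies, branch):
    """Expand domain-level policies into concrete per-device rules.
    Domain membership is resolved from the design-time addresses plus
    the branch-specific addresses ('branch settings'), so one design
    produces a different, correct rule set for each branch device."""
    members = {}
    for d in domains.values():
        members[d.name] = dict(d.addresses)
        members[d.name].update(branch.get(d.name, {}))
    out = []
    for p in policies:
        if p.source not in members or p.destination not in members:
            raise ValueError(f"policy references unknown domain: {p}")
        for src in members[p.source].values():
            for dst in members[p.destination].values():
                for app, action in p.rules:          # first-match order
                    out.append((src, dst, app.protocol, app.port, action))
    return out

# Constructed sample design: one policy between the branch LAN and the HQ data center.
HTTPS = Application("https", "tcp", 443)
SSH = Application("ssh", "tcp", 22)
DOMAINS = {
    "HQ-DC": SecurityDomain("HQ-DC", {"erp": "10.0.10.0/24"}),
    "Branch-LAN": SecurityDomain("Branch-LAN"),   # members come from each branch
}
POLICIES = [PolicyAssociation("Branch-LAN", "HQ-DC", [(HTTPS, "permit"), (SSH, "deny")])]
BRANCH_A = {"Branch-LAN": {"lan": "192.168.7.0/24"}}   # constructed branch settings

if __name__ == "__main__":
    for rule in compile_rules(DOMAINS, POLICIES, BRANCH_A):
        print(rule)
```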