
Benefits of Policy Enforcer

Most enterprise computer security revolves around creating a wall around the perimeter of an organization. See Figure 25.

Figure 25: Perimeter-Defined Security Model

With this perimeter-oriented security, networks are built on an inherently trusted model: applications or users connected to a network segment (for example, a VLAN) can fundamentally talk to each other, and network security solutions such as firewalls and Intrusion Prevention Systems (IPS) are deployed at the perimeter to provide security. Firewalls are often configured with every conceivable rule in an effort to prevent unknown malware, application attacks, and network attacks from penetrating the enterprise. This architecture assumes that “everything already inside the network is fundamentally trusted” and “everything outside the network is untrusted,” so the perimeter is where all security controls are deployed.

This architecture is consistent across data centers, campuses, and branch configurations. Unfortunately, it has flaws: it does not help in protecting against internal threats. Despite the popularity of firewalls, increasingly sophisticated applications and malware have found ways to circumvent perimeter defenses. Once inside the enterprise, these threats can spread easily; a single infected laptop or desktop can turn the enterprise network into a botnet army and a source of both internal and external attacks. Enterprises can protect against internal threats by deploying multiple layers of firewalls, but that requires careful planning because it is difficult to route all internal traffic through a separate layer of firewalls.

The resulting security framework becomes highly fragmented, because it depends on multiple administrators, multiple management systems, and a great deal of manual coordination among those administrators and systems.

In contrast, Policy Enforcer and Software-Defined Secure Networks (SDSN), shown in Figure 26, simplify network security by providing protection based on logical policies rather than on individual security devices. Policy Enforcer still provides perimeter security, but it no longer only protects the inside from the outside. The fact that somebody is connected to the internal network does not mean they get unrestricted access to it. This model is fundamentally more secure because even if one application on the network is compromised, the company can limit the spread of that infection or threat to other, potentially more critical, assets inside the network.

Figure 26: Policy Enforcer and Software-Defined Security Model


Policy Enforcer is a model in which information security is controlled and managed by security software. New devices are automatically covered by security policies, instead of having to be identified by IP address as in other models. Because the model is software-defined, environments can be moved without affecting the security policies and controls already in place. Other advantages include:

User Intent-Based Policy

Generally speaking, with rule-based policies, you manage clients based on IP addresses. There may be one rule or many rules, with the ordering being important as the first rule that matches defines the traffic flow.

Policy Enforcer uses user intent-based policies. With user intent-based policies, you manage clients based on business objectives or user and group profiles. The following are two examples of a user intent policy:

Using user intent-based policies allows network devices (switches, routers, firewalls, and other security devices) to share information and resources and, when threats are detected, to share remediation actions within the network.

Unlike rule-based policies, which can contain several rules, you can define only one set of parameters for each user intent-based policy defined on a device.
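The two policy models described above, as an added example that is not part of the original documentation and not Policy Enforcer's own code. The rule-based evaluator scans an ordered, address-based list and lets the first match decide, so reordering the list changes the outcome; the intent-based resolver keys its single parameter set on group membership, so a client that is re-addressed keeps the same entitlement. The rule lists, group memberships, the "deny overrides permit" resolution, and all addresses are constructed assumptions for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One entry of an ordered, address-based rule list."""
    src: str      # source prefix in CIDR notation
    dst: str      # destination prefix in CIDR notation
    action: str   # "permit" or "deny"


def first_match(rules, src_ip, dst_ip, default="deny"):
    """Rule-based evaluation: scan the list top to bottom and let the first
    rule whose prefixes contain both addresses decide; otherwise default."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst):
            return r.action
    return default


@dataclass(frozen=True)
class IntentPolicy:
    """One intent policy: a single parameter set keyed on group membership."""
    name: str
    src_group: str   # group of the client initiating the flow
    dst_group: str   # group of the destination, or "*" for any destination
    action: str      # "permit" or "deny"


def intent_decision(policies, groups, src_ip, dst_ip, default="deny"):
    """Intent-based evaluation: look up each endpoint's group, then apply the
    policies whose group pair matches. Assumption for this toy resolver (not
    Policy Enforcer semantics): a matching deny overrides a matching permit,
    and a client with no known profile gets the default."""
    src_group = groups.get(src_ip)
    dst_group = groups.get(dst_ip)
    if src_group is None:
        return default
    actions = {
        p.action for p in policies
        if p.src_group == src_group and p.dst_group in ("*", dst_group)
    }
    if "deny" in actions:
        return "deny"
    if "permit" in actions:
        return "permit"
    return default


# Constructed sample data (not from any real deployment).
RULES_BROAD_FIRST = [
    Rule("10.1.0.0/16", "10.2.0.0/16", "permit"),   # broad permit placed first ...
    Rule("10.1.5.0/24", "10.2.0.0/16", "deny"),     # ... shadows this narrower deny
]
RULES_NARROW_FIRST = list(reversed(RULES_BROAD_FIRST))

GROUPS = {
    "10.1.5.7": "quarantined-hosts",
    "10.1.9.3": "finance-users",
    "172.16.0.5": "finance-users",     # same user after moving to another subnet
    "10.2.0.10": "finance-servers",
}

INTENT_POLICIES = [
    IntentPolicy("finance-access", "finance-users", "finance-servers", "permit"),
    IntentPolicy("quarantine", "quarantined-hosts", "*", "deny"),
]


def compare(src_ip, dst_ip):
    """Return the decision of each model for one flow so they can be compared."""
    return {
        "rules_broad_first": first_match(RULES_BROAD_FIRST, src_ip, dst_ip),
        "rules_narrow_first": first_match(RULES_NARROW_FIRST, src_ip, dst_ip),
        "intent": intent_decision(INTENT_POLICIES, GROUPS, src_ip, dst_ip),
    }


if __name__ == "__main__":
    for flow in [("10.1.5.7", "10.2.0.10"),
                 ("10.1.9.3", "10.2.0.10"),
                 ("172.16.0.5", "10.2.0.10")]:
        print(flow, compare(*flow))
```

The first flow shows the ordering problem: the quarantined host is permitted when the broad rule sits first and denied when the narrow rule sits first, while the intent policy denies it regardless. The third flow shows the mobility point: the finance user who moved to 172.16.0.5 no longer matches any address rule and falls to the default deny, but keeps access under the group-keyed intent policy.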
