Security Integration Management Using NSM Overview
True security integration occurs when you can control every security device on your network and see every security event in real-time from one location. In NSM, this location is the NSM GUI, a graphical user interface that contains a virtual representation of every security device on your network. The idea behind this virtual-physical abstraction is that you can access your entire network from one location—use this console to view your network, the devices running on it, the policies controlling access to it, and the traffic that is flowing through it.
The following sections describe the security integration management features of NSM.
You can create and manage device configurations for security devices or systems. NSM provides support for ScreenOS configuration commands, so you can retain complete control over your devices when using system-level management features like VPNs.
With NSM, you can use domains to segment your network functionally or geographically to define specific network areas that multiple administrators can manage easily.
A domain logically groups devices, their policies, and their access privileges. Use a single domain for small networks with a few security administrators, or use multiple domains for enterprise networks to separate large, geographically distant or functionally distinct systems, control administrative access to individual systems, or obfuscate systems for service provider deployments.
With multiple domains, you can create objects, policies, and templates in the global domain, and then create subdomains that automatically inherit these definitions from the global domain.
Control access to management with NSM—define strategic roles for your administrators, delegate management tasks, and enhance existing permission structures with new task-based functionality.
Use NSM to create a security environment that reflects your current offline administrator roles and responsibilities. Because management is centralized, it’s easy to configure multiple administrators for multiple domains. By specifying the exact tasks your NSM administrators can perform within a domain, you minimize the probability of errors and security violations, and enable a clear audit trail for every management event.
Initially, when you log in to NSM as the super administrator, you have full access to all functionality within the global domain. From the global domain, you can add the following NSM administrators, configure their roles, and specify the subdomains to which they have access:
Activities and Roles—An activity is a predefined task performed in the NSM system, and a role is a collection of activities that defines an administrative function. Use activities to create custom roles for your NSM administrators.
Administrators—An administrator is a user of NSM or IDP; each administrator has a specific level of permissions. Create multiple administrators with specific roles to control access to the devices in each domain.
Default Roles—Use the predefined roles System Administrator, Read-Only System Administrator, Domain Administrator, Read-Only Domain Administrator, IDP Administrator, or Read-Only IDP Administrator to quickly create permissions for your administrators.
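The domain, activity and role model described above, as an added example that is not part of the original page or of the NSM product code. It assumes constructed domain names, a constructed address object, and two of the default role names from the text with an assumed set of activities behind each; it shows that global-domain objects are inherited downward only, that an administrator's role is scoped per domain, and that every authorization decision is recorded for an audit trail.

```python
# Added illustration of the NSM domain/role model; not Juniper code.
# Domain names, object names and activity names are constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Domain:
    name: str
    parent: Optional["Domain"] = None
    objects: dict = field(default_factory=dict)   # objects defined in this domain only

    def resolve(self, obj_name):
        """Find an object here, then up the parent chain: a subdomain inherits
        global objects, but the global domain never sees subdomain objects."""
        d = self
        while d is not None:
            if obj_name in d.objects:
                return d.objects[obj_name]
            d = d.parent
        return None

# Assumed activity sets for two of the default roles named in the text.
ROLES = {
    "Domain Administrator": frozenset({"view_device", "edit_device", "edit_policy"}),
    "Read-Only Domain Administrator": frozenset({"view_device"}),
}

@dataclass
class Administrator:
    name: str
    grants: dict = field(default_factory=dict)   # domain name -> role name

AUDIT = []   # one record per management decision: (admin, domain, activity, result)

def authorize(admin, domain, activity):
    """Allow only if the admin holds a role in *this* domain whose activities
    include the requested one; deny (and still log) everything else."""
    role = admin.grants.get(domain.name)
    allowed = role is not None and activity in ROLES.get(role, frozenset())
    AUDIT.append((admin.name, domain.name, activity, "allow" if allowed else "deny"))
    return allowed

def build_example():
    """Constructed scenario: a global domain with one shared address object,
    two subdomains, and one admin with different roles in each subdomain."""
    glob = Domain("global", objects={"corp-dns": "10.0.0.53/32"})
    east = Domain("east", parent=glob, objects={"east-web": "10.1.0.10/32"})
    west = Domain("west", parent=glob)
    alice = Administrator("alice", grants={
        "east": "Domain Administrator",
        "west": "Read-Only Domain Administrator",
    })
    return glob, east, west, alice
```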
Centralized Device Configuration
No network is too large—because you manage your security devices from one location, you can use the following system management mechanisms to help you quickly and efficiently create or modify multiple device configurations at one time:
Templates—A template is a predefined device configuration that helps you reuse specific information. Create a device template that defines specific configuration values, and then apply that template to devices to quickly configure multiple devices at one time. For more flexibility, you can combine and apply multiple device templates to a single device configuration (63 maximum). In addition, you can make global-domain templates available for reference in subdomains.
Shared Objects—An object is an NSM definition that is valid in the global domain and all subdomains. Any object created in the global domain is a shared object that every subdomain automatically inherits. Global objects do not appear in a subdomain's Object Manager, but you can still select them when building a policy in that subdomain.
The global domain is a good location for security devices and systems that are used throughout your organization, address book entries for commonly used network components, or other frequently used objects. A subdomain, alternatively, enables you to separate firewalls, systems, and address objects from the global domain and other subdomains, creating a private area to which you can restrict access.
Grouping—A group is a collection of similar devices or objects. Use device groups and object groups to update multiple devices simultaneously, simplify rule creation and deployment, and enable group-specific reporting. You can even link groups using Group Expressions to create a custom group.
If you have existing security devices deployed on your network or are using a previous Juniper Networks management system, you can use the NSM migration tools to quickly import your existing security devices and their configurations, address books, service objects, policies, VPNs, and administrator privileges. As NSM imports your existing device configurations, it automatically creates your virtual network based on the configuration information.
You can import device configurations directly from your security device, or from your Juniper Networks Global PRO or Global PRO Express system. Import all your security devices at one time, or, if your network is large, import one domain at a time. When importing from Global PRO or Global PRO Express, NSM automatically transfers your existing domain structure.
For details on migrating from a previous management system, see the NSM Migration Guide.