
    Overview

    Junos Space Security Director is one of the Junos Space management applications and helps organizations improve the reach, ease, and accuracy of security policy administration with a scalable, GUI-based management tool. It automates security provisioning through one centralized Web-based interface to help administrators manage all phases of the security policy life cycle more quickly and intuitively, from policy creation to remediation. Security Director provides the following management efficiencies:

    1. Scale security policy across multiple Juniper Networks SRX Series Services Gateways, or manage multiple logical system (LSYS) instances on a single SRX Series device.
    2. Centrally configure and manage application security (for example, AppSecure), firewall, VPN, IPS, and NAT security policy through one scalable management interface.
    3. Define and enforce policies for controlling usage of specific applications such as Facebook, instant messaging, and embedded social networking widgets through included AppFW management.
    4. Reuse security policies within Junos Space Security Director for improved security enforcement accuracy, consistency, and compliance.
    5. Build the infrastructure for further management innovation across the network through open and secure Junos Space Network Management Platform integration.

    When you finish creating and verifying your security configurations, you can publish these configurations and keep them ready to be pushed to the security devices. Security Director helps you deploy all the security configurations to the devices at once by providing a single, intuitive interface. You can select all security devices that you are using on the network and push all security configurations to these devices.

    The Security Director application is divided into seven workspaces, which include Object Builder, Firewall Policy, NAT Policy, VPN, Downloads, IPS Management, and Security Director Devices.

    • Object Builder—Workspace to create objects used for firewall policy, NAT policy, and VPN configurations.
    • Firewall Policy—Workspace to create and publish firewall policies on supported devices.
    • NAT Policy—Workspace to create and publish NAT policies on supported devices.
    • VPN—Workspace to create site-to-site, hub-and-spoke, and full-mesh IPsec VPNs.
    • Downloads—Workspace to download and install signatures.
    • IPS Management—Workspace to create and manage IPS signatures, signature sets, and IPS policies.
    • Security Director Devices—Workspace to update the configurations on the devices.

    Discovery and Basic Configuration Using Security Director

    Discovery is the process of finding a device and then synchronizing the device inventory and configuration with the Junos Space database. To use device discovery, Junos Space must be able to connect to the device.

    Note: When you initiate discovery on a device, Junos Space automatically enables SSH and the NETCONF protocol over SSH by pushing the following commands to the device:

    • set system services ssh protocol-version v2
    • set system services netconf ssh

    To discover network devices, Junos Space uses the SSH and SNMP protocols. Device authentication is handled through administrator login SSH v2 credentials and SNMP v1/v2c settings, which are part of the device discovery configuration. You can specify a single IP address, a DNS hostname, an IP range, or an IP subnet to discover devices on a network. During discovery, Junos Space connects to the physical device and retrieves the active configuration and the status information of the device. To connect with and configure devices, Junos Space uses Juniper Networks’ Device Management Interface (DMI), which is an extension to the NETCONF network configuration protocol. When discovery succeeds, Junos Space creates an object in the Junos Space database to represent the physical device and maintains a connection between the object and the physical device so their information is linked.

    Once you have added the device, you might get a mismatched DMI version (Figure 1). A DMI version mismatch requires that the DMI schema be updated to ensure that the management schema is compatible between Junos Space and the managed devices.

    Figure 1: DMI Mismatch


    Resolving DMI Mismatch

    To resolve DMI mismatch issues on Junos Space, navigate to the Network Management Platform, click DMI Schema under Administration, click Update Schema, and select either Archive or Repository. An Archive schema is one already installed on the network management platform. A Repository schema must be downloaded to the network management platform. Repository details (URL, authentication) must be provided as shown in Figure 2. To retrieve from the repository, provide your Juniper Networks customer or partner account username and password. Test the connection before saving it. The repository then lists the recommended schemas for your devices; installing them resolves the schema version mismatch.

    Figure 2: DMI Schema Repository Requires Authentication


    Once devices are discovered, navigate to the Security Director’s Device pane. Here, you can see the status of security devices on the network. To sync the device settings with Junos Space and Security Director, right-click a security device and click Update. This will import the configuration from the security device and sync the configuration with the Security Director database.

    Note: To create zones on Juniper Networks security devices, use the Network Management Platform. As of the current version of Security Director (13.1P1.14 as of test completion), zone creation is not supported within Security Director. This might be fixed in future versions of Security Director.

    The configuration of security devices appears in the directory hierarchy. Figure 3 shows the creation of security zones from within the Network Management Platform.

    Figure 3: Security Zone Creation


    Object Builder (Using Security Director)

    Use the Object Builder workspace in Security Director to create objects used by firewall, VPN, and NAT policies. These objects are stored in the Junos Space database. You can reuse these objects with multiple security policies, VPNs, and NAT policies across an entire device or network footprint. This approach makes the design of services more structured and avoids the need to create the objects during the service design. You can use the Object Builder workspace to create, modify, clone, and delete the following objects:

    • Addresses and address groups
    • Services and service groups
    • Application signatures
    • Extranet devices
    • NAT pools
    • Policy profiles
    • VPN profiles
    • Variables
    • Template and template definitions

    Figure 4 is an example of address object creation using Security Director. Custom services, NAT pools, devices, and so on can be created in a similar fashion. To create an object, follow these basic steps:

    1. Go to the Object Builder under Security Director.
    2. Go to Addresses.
    3. Click on the Plus sign to create a new address on the right side.
    4. Click on the Pen icon to modify an existing address.

    Figure 4: Address Object Creation


    Note: New address objects can also be created under Firewall Policy.

    Creating Firewall Policy Using Security Director

    Security Director provides you with the following types of firewall policies:

    • All Devices—Predefined firewall policy that is available with Security Director. You can add pre-rules and post-rules. When all the device policy configuration information is updated on the devices, the rules are updated in the following order:
      • All devices pre-rules
      • Group pre-rules
      • Device-specific rules
      • Group post-rules
      • All devices post-rules

      An All Devices policy enables rules to be enforced globally to all the devices managed by Security Director.

    • Group—Type of firewall policy that is shared with multiple devices. This type of policy is used when you want to update a specific firewall policy configuration to a large set of devices. You can create group pre-rules, group post-rules, and device rules for a group policy. When a group firewall policy is updated on the devices, the rules are updated in the following order:
      • Group pre-rules
      • Device-specific rules
      • Group post-rules
    • Device Policy—Type of firewall policy that is created per device. This type of policy is used when you want to push a unique firewall policy configuration per device. You can create device rules for a device firewall policy.
    • Device-Exception Policy—Type of firewall policy that is created when a device is removed from a group policy.
    • Global Policy—Global Policy Rules are enforced regardless of ingress or egress zones; they are enforced on any device transit. Any objects defined in the Global Policy Rules must be defined in the global address book.
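The rule-layer ordering described for All Devices and Group policies, modelled with first-match evaluation as an added example (not Security Director code; rule names, addresses and services are constructed). It shows why an All Devices pre-rule wins over a conflicting device rule and why a group post-rule cleanup can shadow the All Devices post-rules entirely.

```python
"""Effective firewall rule order for an All Devices / Group policy.

Added example, not Security Director code. It models the layering the page
describes (All Devices pre-rules, group pre-rules, device-specific rules,
group post-rules, All Devices post-rules) with first-match evaluation.
Rule names, addresses and services are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    name: str
    src: str       # CIDR the source address must fall in
    dst: str       # CIDR the destination address must fall in
    service: str   # e.g. "tcp/443", or "any"
    action: str    # "permit" or "deny"

@dataclass
class Policy:
    all_devices_pre: List[Rule] = field(default_factory=list)
    group_pre: List[Rule] = field(default_factory=list)
    device: List[Rule] = field(default_factory=list)
    group_post: List[Rule] = field(default_factory=list)
    all_devices_post: List[Rule] = field(default_factory=list)

def effective_rules(p: Policy) -> List[Rule]:
    """Concatenate the layers in the order Security Director updates them."""
    return (p.all_devices_pre + p.group_pre + p.device
            + p.group_post + p.all_devices_post)

def first_match(rules: List[Rule], src: str, dst: str, service: str) -> Optional[Rule]:
    """Return the earliest rule whose src/dst/service cover the flow, if any."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and r.service in ("any", service)):
            return r
    return None  # nothing matched: the device's default action applies

# Constructed sample: the device rule permits the whole LAN to reach the DMZ,
# but an All Devices pre-rule quarantining one subnet sits ahead of it, and the
# group post-rule cleanup means the All Devices post-rule is never reached.
SAMPLE = Policy(
    all_devices_pre=[Rule("quarantine-block", "10.1.5.0/24", "0.0.0.0/0", "any", "deny")],
    group_pre=[Rule("mgmt-ssh", "10.0.0.0/8", "10.9.0.0/24", "tcp/22", "permit")],
    device=[Rule("lan-to-dmz", "10.1.0.0/16", "10.9.0.0/24", "tcp/443", "permit")],
    group_post=[Rule("group-cleanup", "0.0.0.0/0", "0.0.0.0/0", "any", "deny")],
    all_devices_post=[Rule("global-cleanup", "0.0.0.0/0", "0.0.0.0/0", "any", "deny")],
)

def decide(src: str, dst: str, service: str) -> str:
    """Return 'rule-name:action' for a flow evaluated against SAMPLE."""
    r = first_match(effective_rules(SAMPLE), src, dst, service)
    return f"{r.name}:{r.action}" if r else "default"
```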

    The basic settings of a firewall policy are obtained from the policy profile in Security Director. The basic settings include log options, firewall authentication schemes, and traffic redirection options.

    All device pre-rules and post-rules are applicable to all security devices. Once pre-rules are published, these rules are applied to all managed security devices. Security Policy post-rules are published to the security device and can be used to overwrite device-specific post-rules already deployed on the security device.

    The general steps that must be followed to create a new security policy are:

    1. Under Firewall policy, click to create a new policy.
    2. Create the policy for a device or a group.
    3. Once the policy is created, assign the policy to the device.
    4. Click on Create.

    The new policy created is displayed in the right pane. An option is also included to save the policy and validate the configuration (ensure that the configuration does not contain errors). After policy creation, you need to publish or publish and update the policy to the security device.

    • Publish policy will push the policy to the Junos Space database. This will also validate the configuration.
    • Publish and update will push the policy to the security device. This is often preferred as a means of provisioning multiple devices during short maintenance windows as this feature publishes the device to the Junos Space database, validates that the configuration will have no errors, and then updates the managed security devices with the new configuration.

    Figure 5 shows an example of policy creation after importing a configuration from a managed security device. The steps that were followed in this example are:

    1. Navigate to the Firewall policy under Security Director.
    2. The right pane shows a list of policy names and all existing policies.
    3. Click on Lock to lock the policy. (Policy must be locked to edit.)
    4. Click on the plus (+) sign to add a new rule or the minus (-) sign to delete an existing rule. In this example, we are adding a new rule (Test-1). Click the + sign.

      Figure 5: New Rule Created (Test-1)

    5. While modifying the address, select an address from the existing address book or click on the plus (+) sign to add a new address.

      Figure 6: Add New Source Address to Rule

    6. Once you create the rule, use the up or down arrow to move the rules up or down.
    7. Click Save to save the configuration to the Security Director database.
    8. To verify the configuration, click Validate.

    Creating NAT Policy Using Security Director

    Network Address Translation (NAT) is a form of network masquerading that replaces private IP addresses (or addresses you wish to hide from public routing) with other addresses (most often a public, routable IP address). NAT can also be used to provide public access to private resources in the data center by translating a public IP (an incoming HTTP GET to a Web server, for instance) to a private IP address. In Junos OS security devices, NAT is largely zone-based. A trust zone is a segment of the network where security measures are applied (sometimes referred to as the “inside” of the network). It is usually assigned to the internal LAN. An untrust zone is most often facing the Internet (it can also face any insecure network such as a partner or customer). NAT modifies the IP addresses of the packets moving between these security zones.

    Junos Space Security Director supports three types of NAT:

    • Source NAT—Translates the source IP address of a packet leaving the trust zone (outbound traffic). It translates the traffic originating from the device in the trust zone. Using source NAT, an internal device can access the network by using the IP addresses specified in the NAT policy.
    • Destination NAT—Translates the destination IP address of a packet entering the trust zone (inbound traffic). It translates the traffic originating from a device outside the trust zone. Using destination NAT, an external device can send packets to a hidden internal device.
    • Static NAT—Always translates a private IP address to the same public IP address. It translates traffic from both sides of the network (both source and destination). For example, a Web server with a private IP address can access the Internet using a static, one-to-one address translation.

    Junos Space Security Director provides you with a workflow where you can create and apply NAT policies on devices in a network. To create a NAT policy:

    1. Select Security Director > NAT Policy.
    2. Click Create NAT Policy from the left pane. You can create a group policy or a device policy.
    3. To create a group policy, enter the name of the group policy, a description, and the assigned device for which policies have been configured.

    You can also search for the devices by entering the device name, device IP address, or device tag in the Search field in the Select Devices section. The above steps can also be used to create device NAT policies. The Validate button checks the NAT policies for errors. If any errors are found during validation, a red warning icon is shown for the policy or policies containing errors. In the case of NAT policies, incomplete rules and duplicate rule names are flagged as errors during validation. Note that an existing policy must be locked before any changes can be attempted. NAT policies can also be rearranged (moved up or down) using the arrow keys.
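The two validation errors the text names (incomplete rules and duplicate rule names), modelled in Python as an added example that is not Security Director's own code. The required fields per NAT type are an assumption drawn from the three NAT types described above, and the one-to-one consistency check for static NAT is an extra check added here; the sample policy is constructed.

```python
"""Validation checks for a Security Director NAT policy, modelled.

Added example, not Security Director code. The page states that Validate
flags incomplete rules and duplicate rule names; the required fields per NAT
type are an assumption, and the static NAT one-to-one check is an extra
check added here. All rule data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class NatRule:
    name: str
    kind: str                         # "source", "destination" or "static"
    from_zone: Optional[str] = None
    to_zone: Optional[str] = None
    match_src: Optional[str] = None   # original source address or prefix
    match_dst: Optional[str] = None   # original destination address or prefix
    translated: Optional[str] = None  # NAT pool or translated address

# Assumed minimum fields for a complete rule of each NAT type.
REQUIRED = {
    "source": ("from_zone", "to_zone", "match_src", "translated"),
    "destination": ("from_zone", "match_dst", "translated"),
    "static": ("from_zone", "match_dst", "translated"),
}

def validate_nat_policy(rules: List[NatRule]) -> List[str]:
    """Return error strings in rule order; an empty list means the policy validates."""
    errors: List[str] = []
    seen = set()
    static_by_private: Dict[str, str] = {}  # private address -> public address
    for r in rules:
        if r.name in seen:
            errors.append(f"{r.name}: duplicate rule name")
        seen.add(r.name)
        missing = [f for f in REQUIRED[r.kind] if not getattr(r, f)]
        if missing:
            errors.append(f"{r.name}: incomplete rule, missing {', '.join(missing)}")
        elif r.kind == "static":
            # Static NAT always maps a private address to the same public one.
            public = static_by_private.setdefault(r.translated, r.match_dst)
            if public != r.match_dst:
                errors.append(f"{r.name}: static NAT maps {r.translated} to "
                              f"{r.match_dst} but it is already mapped to {public}")
    return errors

# Constructed policy with three defects: a duplicate name, an incomplete
# source NAT rule, and a static rule that remaps an already-mapped address.
SAMPLE_POLICY = [
    NatRule("lan-out", "source", "trust", "untrust", match_src="10.1.0.0/16", translated="pool-egress"),
    NatRule("web-in", "destination", "untrust", match_dst="203.0.113.10", translated="10.1.9.10"),
    NatRule("web-in", "static", "untrust", match_dst="203.0.113.11", translated="10.1.9.11"),
    NatRule("dmz-out", "source", "dmz", "untrust"),
    NatRule("web-static2", "static", "untrust", match_dst="203.0.113.12", translated="10.1.9.11"),
]
```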

    Once you define a NAT policy, it must be published.

    To publish a NAT policy:

    1. Select Security Director > NAT Policy.
    2. Right-click the policy on the right side that you want to publish and click Assign devices.
    3. Select Schedule at a later time check box if you want to schedule and publish the configuration later.
    4. Click Next.
    5. To preview the configuration changes that will be pushed to the device, click View Configuration in XML format > XML configuration tab.
    6. Click Close.
    7. Click Publish if you want to only publish the configuration.
    8. Click Publish and Update if you want to publish and update the devices with the configuration.

    You can view any job under Jobs for the status. Figure 7 shows two NAT policies configured on the selected firewall.

    Figure 7: Example NAT Policies in Security Director


    Jobs Workspace in Security Director

    The Jobs workspace lets you monitor the status of all jobs that have been run in all Junos Space applications. A job is a user-initiated action that is performed on a Junos Space Network Management Platform object, such as a device, service, or customer. All scheduled jobs can be monitored.

    Typical jobs in Junos Space Network Management Platform include device discovery, deploying services, pre-staging devices, and performing functional and configuration audits. Jobs can be scheduled to occur immediately or in the future. For all jobs scheduled in Junos Space Network Management Platform, you can view job status from the Jobs workspace. Junos Space Network Management Platform maintains a history of job status for all scheduled jobs. When a job is scheduled from a workspace, Junos Space Network Management Platform assigns a job ID that serves to identify the job (along with the job type) in the Manage Jobs inventory page.

    You can perform the following tasks from the Jobs workspace:

    • View status of all scheduled, running, canceled, and completed jobs.
    • Retrieve details about the execution of a specific job.
    • View statistics about average execution times for jobs, types of jobs that are run, and success rate.
    • Cancel a scheduled job or in-progress job (when the job has stalled and is preventing other jobs from starting).
    • Archive old jobs and purge them from the Junos Space Network Management Platform database.

    Audit Logs in Security Director

    Audit logs provide a record of Junos Space Network Management Platform login history and user-initiated tasks that are performed from the user interface. From the Audit Logs workspace, you can monitor user login/logout activity over time, track device management tasks, view services that were provisioned on devices, and so forth. Junos Space Network Management Platform audit logging does not record non-user initiated activities, such as device-driven activities, and is not designed for debugging purposes. User-initiated changes made from the Junos Space CLI are logged but are not recorded in audit logs.

    Administrators can sort and filter on audit logs to determine which users performed what actions on what objects at what time. For example, an Audit Log administrator can use audit log filtering to track the user accounts that were added on a specific date, track configuration changes across a particular type of device, view services that were provisioned on specific devices, or monitor user login/logout activity over time. To use the audit log service to monitor user requests and track changes initiated by users, you must be assigned the Audit Log Administrator role.

    Over time, the Audit Log Administrator will archive a large volume of Junos Space Network Management Platform log entries. Such log entries might or might not be reviewed, but they must be retained for a period of time. The Archive Purge feature helps you manage your Junos Space Network Management Platform log volume, allowing you to archive log files and then purge those log files from the Junos Space Network Management Platform database. For each Archive Purge operation, the archived log files are saved in a single file, in CSV format. The audit logs can be saved to a local server (the server that functions as the active node in the Junos Space Network Management Platform fabric), or a remote network host or media. When you archive data to a local server, the archived log files are saved to the default directory /var/lib/mysql/archive.

    The Audit Logs Export feature enables you to download audit logs in CSV format so that you can view the audit logs in a separate application or save them on another machine for further use, without purging them from the system.

    Published: 2015-04-20