Technical Overview

This section shows how the Juniper Connected Security building blocks work together to provide a comprehensive security solution for your enterprise.

Components of Juniper Connected Security Solution

Figure 1 shows a high-level workflow of how Policy Enforcer, Security Director, Sky Advanced Threat Prevention (Sky ATP), and Junos devices interact to provide a secure network deployment with Juniper Connected Security.

Figure 1: Juniper Connected Security Solution Components

EX Series switches deliver switching services in branch, campus, and data center networks. QFX Series switches are high-performance, low-latency, edge devices optimized for data center environments.

In the Juniper Connected Security solution, clients and endpoints running endpoint protection software connect to EX Series and QFX Series switches, which provide access security and control.

SRX Series Services Gateways provide security enforcement and deep inspection across all network layers and applications.

In the context of the Juniper Connected Security solution, SRX Series devices are deployed as perimeter firewalls connected to Sky ATP for anti-malware services.

Sky ATP identifies varying levels of risk, and provides a higher degree of accuracy in threat protection. It integrates with SRX Series gateways to deliver deep inspection, inline malware blocking, and actionable reporting.

Policy Enforcer uses information gathered and reported by Sky ATP to learn about the threats and rapidly respond to new threat conditions. With this information, Policy Enforcer can automatically update policies and deploy new enforcement to firewalls and switches, quarantining and tracking infected hosts to stop the progress of threats.

Policy Enforcer identifies an infected host by its IP and MAC address, allowing tracking and continued blocking of the host even if it moves to another switch or access point on the network.

With these components working together, threats are detected more quickly by leveraging threat intelligence from multiple sources (including third-party feeds). Network security can adapt dynamically to real-time threat information so that security policies are enforced consistently.

Juniper Connected Security Workflow Overview

The following examples provide a high-level workflow of how Juniper Connected Security components work together to detect and block an infected endpoint, track the infected endpoint, and automatically quarantine it or block it from accessing the Internet.

Infected Host Detection and Tracking

Let’s take a look at a typical enterprise with clients, endpoints, access switches, and wireless access points. When a client becomes compromised because of contact with an endpoint outside the corporate network, it becomes a threat to other hosts in the network. You must be able to control the infected host to ensure the problem doesn’t spread.

Figure 2 shows an infected host tracking workflow.

Figure 2: Juniper Connected Security Workflow - Detecting an Infected Endpoint

This scenario involves the following steps:

  1. A user (192.168.10.1) in Campus C connects to a site on the Internet and downloads a file.

  2. The file is scanned at the perimeter firewall (SRX Series device).

  3. Based on user-defined policies, the firewall sends the file to an anti-malware service (Sky ATP) for analysis.

  4. Sky ATP detects that the file contains malware, identifies 192.168.10.1 as an infected host, and notifies the SRX device and Policy Enforcer.

  5. The firewall blocks the file, preventing it from being downloaded.

  6. Policy Enforcer identifies the IP address and MAC address of the host that downloaded the file and pushes a security policy onto the firewalls, and firewall filters onto the switches, to prevent further threats.

  7. The infected endpoint, connected to an EX Series switch in Campus C, is quarantined.

The movement of infected endpoints and the resulting change in network IP addresses can easily evade security in perimeter-only protection architectures.

As the scenario continues, the infected host moves to a different location (Campus B) and receives a new IP address, as shown in Figure 3.

Figure 3: Tracking Infected Endpoint Movement

Policy Enforcer keeps track of infected host movement and informs Sky ATP of the new MAC address-to-IP address binding. When the infected host moves to its new location (in Campus B), Policy Enforcer recognizes the host as a continuing threat and blocks it from the network.
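As an added illustration (not Policy Enforcer's own code), the following Python models the MAC-keyed tracking described above: the host from Figure 2 is flagged at 192.168.10.1, later reappears in Campus B with a new address, and enforcement follows the MAC rather than the stale IP. The MAC address, the second IP address, and the device names are constructed sample values.

```python
"""Illustrative model of the MAC-based infected-host tracking described above.
This is added example code, not Policy Enforcer's own implementation."""
from dataclasses import dataclass, field

# Constructed sample values: the page gives only the first IP (192.168.10.1).
INFECTED_MAC = "00:11:22:33:44:55"
FIRST_IP, SECOND_IP = "192.168.10.1", "192.168.20.7"


@dataclass
class InfectedHostTracker:
    """Tracks infected hosts by MAC so enforcement survives IP changes."""
    ip_of: dict = field(default_factory=dict)      # MAC -> current IP
    switch_of: dict = field(default_factory=dict)  # MAC -> access switch

    def enforcement_for(self, mac):
        """A policy for the firewall (by IP) and a filter for the switch (by MAC)."""
        return [("srx-firewall", "block-policy", self.ip_of[mac]),
                (self.switch_of[mac], "block-filter", mac)]

    def flag_infected(self, ip, mac, switch):
        """Steps 4-7: Sky ATP flags the host; Policy Enforcer records both
        identifiers and pushes enforcement to the firewall and access switch."""
        self.ip_of[mac], self.switch_of[mac] = ip, switch
        return self.enforcement_for(mac)

    def host_moved(self, mac, new_ip, new_switch):
        """Figure 3: the host reappears elsewhere with a new IP. The MAC-to-IP
        binding is updated, the stale IP policy is released (the old address
        may be reassigned to a clean host), and enforcement is pushed again."""
        if mac not in self.ip_of:
            return []  # not a known infected host; nothing to enforce
        stale_ip = self.ip_of[mac]
        self.ip_of[mac], self.switch_of[mac] = new_ip, new_switch
        return [("srx-firewall", "release-policy", stale_ip)] + self.enforcement_for(mac)

    def should_block(self, ip=None, mac=None):
        """True if traffic from this host is still subject to quarantine."""
        return mac in self.ip_of or ip in self.ip_of.values()


def run_scenario():
    """Walk through Figures 2 and 3; return the tracker and every pushed action."""
    tracker = InfectedHostTracker()
    actions = tracker.flag_infected(FIRST_IP, INFECTED_MAC, "ex-campus-c")
    actions += tracker.host_moved(INFECTED_MAC, SECOND_IP, "ex-campus-b")
    return tracker, actions
```

A perimeter-only design that blocked just 192.168.10.1 would neither catch the host at its new address nor release the old one; keying on the MAC does both.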

Protection from Botnet C&C Attacks

When a host on the network tries to initiate contact with a possible command and control (C&C) server on the Internet, the SRX Series device can work with Sky ATP, Security Director, and Policy Enforcer to intercept the traffic and perform an enforcement action based on real-time intelligence feed information that identifies the C&C server IP address and URL.

Figure 4 shows an example of how the Juniper Connected Security solution provides protection from botnet C&C attacks.

Figure 4: Protection from Botnet C&C Attack

This scenario involves the following steps:

  1. A user downloads a file from the Internet.

  2. The SRX Series device receives the downloaded file and checks its security profile to see whether any additional action must be performed. If required, it sends the file to Sky ATP for malware inspection.

  3. Sky ATP's inspection determines that the file is malware, and Sky ATP informs Policy Enforcer of the result.

  4. An enforcement policy is automatically deployed to the SRX device and EX/QFX switches.

  5. The infected endpoint is quarantined.