
Technical Overview

 

This section provides an overview of how the Juniper Connected Security building blocks work together to provide a comprehensive security solution for your enterprise. Threats are detected more quickly by leveraging threat intelligence from multiple sources (including third-party feeds). Network security can adapt dynamically to real-time threat information so that security policies are enforced consistently.

In the Juniper Connected Security solution, Policy Enforcer orchestrates threat remediation workflows based on threats detected by Juniper’s Sky ATP solution or custom threat feeds, and enforces these policies on firewalls, in particular, SRX Series devices, and switches such as EX Series and QFX Series devices. The Juniper Connected Security solution also supports 802.1X-enabled third-party switches. Any switch that adheres to RADIUS IETF attributes and supports RADIUS Change of Authorization (CoA) messages is supported by Policy Enforcer for threat remediation.

Juniper Connected Security alters the security breach landscape considerably when a Juniper-secured network is attacked. Consider the following use cases:

  • A user tries to download a file that contains known malware. In this case, the download is blocked by the SRX Series device, and the endpoint is not infected.

  • A user tries to download a file that contains unknown malware. In this case, the download to the endpoint succeeds. However, once Sky ATP identifies the malware, the infected endpoint is quarantined or blocked by the local access switch. This action prevents malware from propagating to other endpoints on the network.

Juniper Connected Security Workflow for Infected Host Detection and Tracking with Third-Party Switches

Let’s take a look at a typical enterprise with clients, endpoints, access switches, and wireless access points. When an endpoint becomes compromised, it becomes a threat to other hosts within the network. It is important to control the infected host to ensure the problem doesn’t spread.

Figure 1 shows an example of how Policy Enforcer quarantines an infected host that is connected to a third-party switch.

Figure 1: Automated Threat Remediation on Third-Party Switches

In this example, the endpoint is connected to a third-party switch. The switch has 802.1X authentication enabled. The switch authenticates 802.1X requests through a RADIUS server.

  1. The endpoint authenticates to the network through 802.1X or through MAC-based authentication and downloads a file from the Internet.

  2. The perimeter firewall (SRX Series device) scans the file and, based on user-defined policies, sends the file to Sky ATP for analysis.

  3. Sky ATP detects that the file contains malware, identifies the endpoint as an infected host, and notifies the SRX Series device and Policy Enforcer.

  4. Policy Enforcer downloads the infected host feed and enforces the threat prevention policy using the third-party connector.

  5. The connector uses an API to gather information about the endpoint (its MAC address and the switch port it is connected to) from the RADIUS server. The connector then uses the API to update the endpoint’s status on the RADIUS server from “healthy” to “block” (or “quarantine”).

  6. The RADIUS server enforces the appropriate profile and initiates CoA messages to the switch to terminate the session of the infected host.

  7. The switch enforces the CoA instructions and blocks the infected host.

  8. Policy Enforcer communicates the infected host’s details back to Sky ATP.

When the session of the authenticated endpoint is terminated, the endpoint attempts to reconnect. Based on the enforcement policy configured on the RADIUS server, the endpoint status changes to the blocked state, or the endpoint is assigned to a quarantine VLAN.
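Steps 5 and 6 of the workflow, and the block-or-quarantine outcome described in the preceding paragraph, come down to the RFC 5176 dynamic-authorization messages the RADIUS server sends to the switch. The following Python is an added example, not Juniper’s code and not Policy Enforcer’s connector API: it builds the Disconnect-Request that terminates the infected host’s session (the “block” case), the CoA-Request that moves the session to a quarantine VLAN using the IETF tunnel attributes (the “quarantine” case), and the Request/Response Authenticator checks that both the server and the switch should perform before acting on a message. The host record, port name, VLAN number and shared secret are constructed values; which session-identification attributes a particular switch requires, and the untagged (tag 0x00) form of the tunnel attributes, are assumptions to confirm against the switch’s documentation.

```python
"""RFC 5176 Disconnect-Request / CoA-Request construction and verification.

Constructed example: host record, port, VLAN and shared secret are made up.
"""
import hashlib
import hmac
import struct

# Packet codes from RFC 5176 (Dynamic Authorization Extensions to RADIUS)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# IETF attribute types (RFC 2865, RFC 2868, RFC 2869) and tunnel constants
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID, NAS_PORT_ID = 1, 31, 44, 87
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def encode_attribute(attr_type, value):
    """Type(1) Length(1) Value; Length counts the two header octets."""
    if isinstance(value, str):
        value = value.encode()
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(code, identifier, secret, attributes):
    """Request Authenticator = MD5(Code+ID+Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(encode_attribute(t, v) for t, v in attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def parse_packet(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]); reject malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, offset = [], 20
    while offset < length:
        # Bounds-check each TLV so a malformed length cannot walk past the buffer
        if offset + 2 > length or packet[offset + 1] < 2:
            raise ValueError("truncated or zero-length attribute")
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if offset + attr_len > length:
            raise ValueError("attribute runs past end of packet")
        attrs.append((attr_type, packet[offset + 2:offset + attr_len]))
        offset += attr_len
    return code, identifier, packet[4:20], attrs


def verify_request(packet, secret):
    """Switch side: recompute the Request Authenticator and compare in constant time."""
    _, _, authenticator, _ = parse_packet(packet)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def build_response(code, request, secret, attributes=()):
    """ACK/NAK: Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    _, identifier, request_auth, _ = parse_packet(request)
    body = b"".join(encode_attribute(t, v) for t, v in attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(response, request, secret):
    """Server side: accept only a response bound to our request ID, authenticator and secret."""
    _, identifier, authenticator, _ = parse_packet(response)
    _, req_id, request_auth, _ = parse_packet(request)
    if identifier != req_id:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def session_attributes(host):
    """Session-identification attributes the RADIUS server holds for the infected host."""
    return [(USER_NAME, host["user"]), (CALLING_STATION_ID, host["mac"]),
            (NAS_PORT_ID, host["port"]), (ACCT_SESSION_ID, host["session"])]


def disconnect_request(host, identifier, secret):
    """'Block' enforcement: terminate the infected host's session."""
    return build_request(DISCONNECT_REQUEST, identifier, secret, session_attributes(host))


def quarantine_vlan_request(host, vlan_id, identifier, secret):
    """'Quarantine' enforcement: CoA-Request reassigning the session to a quarantine VLAN.
    Tunnel attributes carry a leading tag octet (0x00 = untagged) before a 3-octet integer
    or a string (RFC 2868); this untagged form is an assumption to check per switch."""
    attrs = session_attributes(host) + [
        (TUNNEL_TYPE, b"\x00" + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]),
        (TUNNEL_MEDIUM_TYPE, b"\x00" + struct.pack("!I", TUNNEL_MEDIUM_802)[1:]),
        (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode()),
    ]
    return build_request(COA_REQUEST, identifier, secret, attrs)


# Constructed infected-host record, as the connector might assemble it from the RADIUS server
INFECTED_HOST = {"user": "host01", "mac": "00-11-22-33-44-55",
                 "port": "GigabitEthernet1/0/7", "session": "0000A1B2"}
SECRET = b"example-shared-secret"  # placeholder; a real secret belongs in a secret store

if __name__ == "__main__":
    req = disconnect_request(INFECTED_HOST, identifier=7, secret=SECRET)
    print("switch accepts Disconnect-Request:", verify_request(req, SECRET))
    ack = build_response(DISCONNECT_ACK, req, SECRET)
    print("server accepts Disconnect-ACK:", verify_response(ack, req, SECRET))
```

The two verification functions are the part a defender should insist on: a switch that acts on a Disconnect-Request without checking the Request Authenticator can have sessions torn down by anyone who can reach its CoA port, and a server that does not bind the ACK to its own request cannot tell a genuine acknowledgement from a replayed one. RFC 5176 also specifies Error-Cause (attribute 101) values in NAK responses, which a connector should log so that a failed remediation is visible rather than silently dropped.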

Once the threat has been mitigated, the host’s status in Policy Enforcer changes from blocked to allowed, the threat level lowers to 0, and the endpoint can connect to the network again.