Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Enforce Policies and Configure Endpoint Security with Junos OS Enforcer

In a Unified Access Control (UAC) environment, after an SRX Series Firewall becomes Junos OS Enforcer, the SRX Series Firewall allows or denies traffic based on Junos OS security policy. Infranet agent runs on the endpoints to secure traffic by checking UAC Host Checker policies. Based on the Host Checker compliance results, Junos OS Enforcer allows or denies the endpoint access.

Understanding Junos OS Enforcer Policy Enforcement

Once the SRX Series Firewall has successfully established itself as the Junos OS Enforcer, it secures traffic as follows:

  1. First, the Junos OS Enforcer uses the appropriate Junos OS security policy to process the traffic. A security policy uses criteria such as the traffic’s source IP address or the time of day that the traffic was received to determine whether or not the traffic should be allowed to pass.

  2. Once it determines that the traffic may pass based on the Junos OS security policy, the Junos OS Enforcer maps the traffic flow to an authentication table entry. The Junos OS Enforcer uses the source IP address of the first packet in the flow to create the mapping.

    An authentication table entry contains the source IP address and user role(s) of a user who has already successfully established a UAC session. A user role identifies a group of users based on criteria such as type (for instance, “Engineering” or “Marketing”) or status (for instance, “Antivirus Running”). The Junos OS Enforcer determines whether to allow or deny the traffic to pass based on the authentication results stored in the appropriate authentication table entry.

    The IC Series UAC Appliance pushes authentication table entries to the Junos OS Enforcer when the devices first connect to one another and, as necessary, throughout the session. For example, the IC Series appliance might push updated authentication table entries to the Junos OS Enforcer when the user’s computer becomes noncompliant with endpoint security policies, when you change the configuration of a user’s role, or when you disable all user accounts on the IC Series appliance in response to a security problem such as a virus on the network.

    If the Junos OS Enforcer drops a packet because of a missing authentication table entry, the device sends a message to the IC Series appliance, which in turn may provision a new authentication table entry and send it to the Junos OS Enforcer. This process is called dynamic authentication table provisioning.

  3. Once it determines that the traffic may pass based on the authentication table entries, the Junos OS Enforcer maps the flow to a resource. The Junos OS Enforcer uses the destination IP address specified in the flow to create the mapping. Then the device uses that resource as well as the user role specified in the authentication table entry to map the flow to a resource access policy.

    A resource access policy specifies a particular resource to which you want to control access based on user role. For instance, you might create a resource access policy that allows only users who are members of the Engineering and Antivirus Running user roles access to the Engineering-Only server. Or you might create a resource access policy that allows members of the No Antivirus Running user role access to the Remediation server on which antivirus software is available for download.

    The IC Series appliance pushes resource access policies to the Junos OS Enforcer when the devices first connect to one another and when you modify your resource access policy configurations on the IC Series appliance.

    If the Junos OS Enforcer drops the packet because of a “deny” policy, the Junos OS Enforcer sends a message to the IC Series appliance, which in turn sends a message to the endpoint’s Odyssey Access Client (if available). (The IC Series appliance does not send “deny” messages to the agentless client.)

  4. Once it determines that the traffic may pass based on the resource access policies, the Junos OS Enforcer processes the traffic using the remaining application services defined in the Junos OS policy. The Junos OS Enforcer runs the remaining services in the following order: Intrusion Detection and Prevention (IDP), URL filtering, and Application Layer Gateways (ALGs).

Configuring Junos OS Enforcer Failover Options (CLI Procedure)

Before you begin:

  1. Enable UAC through the relevant Junos OS security policies.

  2. Configure the SRX Series Firewall as a Junos OS Enforcer. During the configuration, define a cluster of IC Series appliances to which the Junos OS Enforcer should connect. See Enabling UAC in a Junos OS Environment (CLI Procedure).

To configure IC Series UAC Appliance failover processing, you must configure the Junos OS Enforcer to connect to a cluster of IC Series appliances. The Junos OS Enforcer communicates with one of these IC Series appliances at a time and uses the others for failover processing.

To configure failover processing:

  1. Specify how often (in seconds) the Junos OS Enforcer should expect a heartbeat signal from the IC Series appliance indicating an active connection:

  2. Specify the interval (in seconds) at which the Junos OS Enforcer should consider the current connection timed out:

    Note:

    Any change in the Unified Access Control’s (UAC) contact interval and timeout values in the SRX Series Firewall will be effective only after the next reconnection of the SRX Series Firewall with the IC Series appliance.

  3. Specify how the Junos OS Enforcer should handle all current and subsequent traffic sessions when its connection to an IC Series appliance cluster times out:

Testing Junos OS Enforcer Policy Access Decisions Using Test-Only Mode (CLI Procedure)

Before you begin:

  1. Enable UAC through the relevant Junos OS security policies. See Enabling UAC in a Junos OS Environment (CLI Procedure)

  2. Configure the SRX Series Firewalls as a Junos OS Enforcer. See Configuring Communications Between the Junos OS Enforcer and the IC Series UAC Appliance (CLI Procedure).

  3. If you are connecting to a cluster of IC Series UAC Appliances, enable failover options. See Configuring Junos OS Enforcer Failover Options (CLI Procedure).

When configured in test-only mode, the SRX Series Firewall enables all UAC traffic to go through regardless of the UAC policy settings. The device logs the UAC policy’s access decisions without enforcing them so you can test the implementation without impeding traffic.

To activate or deactivate test-only mode, enter the following configuration statement:

Verifying Junos OS Enforcer Policy Enforcement

Displaying IC Series UAC Appliance Authentication Table Entries from the Junos OS Enforcer

Purpose

Display a summary of the authentication table entries configured from the IC Series UAC Appliance.

Action

Enter the show services unified-access-control authentication-table CLI command.

Displaying IC Series UAC Appliance Resource Access Policies from the Junos OS Enforcer

Purpose

Display a summary of UAC resource access policies configured from the IC Series UAC Appliance.

Action

Enter the show services unified-access-control policies CLI command.

Understanding Endpoint Security Using the Infranet Agent with the Junos OS Enforcer

An Infranet agent helps you secure traffic on your network starting with the endpoints that initiate communications as follows:

  1. The Infranet agent, which runs directly on the endpoint, checks that the endpoint is compliant with your Unified Access Control (UAC) Host Checker policies. You can use a wide variety of criteria within a UAC Host Checker policy to determine compliance. For example, you can configure the Host Checker policy to confirm that the endpoint is running antivirus software or a firewall or that the endpoint is not running specific types of malware or processes.

  2. The Infranet agent transmits the compliance information to the Junos OS Enforcer.

  3. The Junos OS Enforcer allows or denies the endpoint access to the resources on your network based on the Host Checker compliance results.

Because the Infranet agent runs directly on the endpoint, you can use the Infranet agent to check the endpoint for security compliance at any time. For instance, when a user tries to sign into the IC Series UAC Appliance, you can require the Infranet agent to send compliance results immediately—the user will not even see the sign-in page until the Infranet agent returns positive compliance results to the IC Series appliance. You can also configure the Infranet agent to check for compliance after the user signs in or periodically during the user session.

If the endpoints running the Infranet agent have appropriate access, they will automatically send their compliance results to the IC Series appliance, and the IC Series appliance will update the authentication table entries accordingly and push them to the Junos OS Enforcer. The Junos OS Enforcer supports connections with the Odyssey Access Client and “agentless” Infranet agents.

Configuring Endpoint Security Using the Infranet Agent with the Junos OS Enforcer

To integrate the Infranet agent into a Junos OS-UAC deployment, no special configuration is required on the Junos OS Enforcer. You simply need to create security policies enabling access to the appropriate endpoints as you would for any other Junos OS-UAC deployment.