Identity Aware Firewall

SUMMARY This topic gives an overview of identity awareness in the SRX Series firewall and of its authentication table component.

Overview of Identity Awareness via Firewall

What is an identity, and why is it important?

Identity is a foundational requirement for securing access to any network, application, device, or user.

User identity (credentials, group information, IP address) and device information, collected from various sources, are fundamental to securing your network resources. Security Operations Centre (SOC) and Network Operations Centre (NOC) teams can use identity parameters to configure security policies that grant authenticated users the right level of access.

This helps your organization mitigate major security threats by securing access to your resources (network components, applications) based on user names, roles, and groups rather than on IP addresses alone.

Benefits of Identity Aware Firewall

  • Adds an additional layer of security.

  • Helps identify the source (user or device) of the network traffic.

  • Gives you visibility into which users and devices generate alerts and alarms and which are exposed to security incidents.

  • Optimizes the user experience by giving users streamlined access to the appropriate resources without compromising network and application security.

How is identity implemented at the Juniper SRX firewall level?

All SRX Series firewalls (including vSRX Virtual Firewall and cSRX Container Firewall) and NFX Series devices obtain user information from identity sources such as Active Directory, JIMS, Aruba ClearPass, and Unified Access Control (UAC). Once the network administrator has configured the device to receive data from an identity source, the SRX Series firewall can create, manage, and refine firewall rules that are based on user identity rather than on IP address: it queries the identity source (for example, Juniper Identity Management Service), obtains the user identity information, and then enforces the matching security policy decision to permit or deny access to protected corporate resources and the Internet.

Figure 1 depicts the flow of the identity source process, which is implemented by multiple system components. Each component of the process has its own security infrastructure in which the authorization policies governing access to protected resources are defined administratively. The following tables describe the roles of these components and how they communicate with one another.

Table 1: Identity Implementation at Juniper SRX firewall level

Deployment mode: Active Directory as Identity Source
  Identity source: Active Directory
  Details: Simple configuration; no identity manager outside the SRX Series firewall is required.

Deployment mode: Juniper Identity Management Service (JIMS) as Identity Manager
  Identity source: Active Directory, Microsoft Azure, Okta, third-party syslog generators (all via JIMS)
  Details: Higher scalability and deployment flexibility.
    • Active Directory: JIMS collects the user, device, and group information from the domain on behalf of the SRX Series firewall.
    • Microsoft Azure: the SRX Series firewall can support user identities configured in Azure.
    • Okta: the SRX Series firewall can support user identities configured in Okta, using JIMS.
    • Third-party syslog generator: JIMS can gather syslog messages generated by various third-party sources to obtain user information.

Deployment mode: Aruba ClearPass as Identity Source
  Identity source: Aruba ClearPass
  Details: The SRX Series firewall obtains user information from Aruba ClearPass.

Deployment mode: UAC as Identity Source
  Identity source: Unified Access Control (UAC)
  Details: The SRX Series firewall obtains user information configured on UAC.

Deployment mode: SRX firewall users
  Identity source: Firewall users (firewall authentication)
  Details: The user information is configured for firewall authentication and can be maintained on the local device or on an external server such as an LDAP or RADIUS server.
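As an added example (not configuration from the original page or from Juniper documentation), the Active Directory as Identity Source mode from Table 1 expressed as Junos set commands, together with a security policy that matches on source-identity. The domain example.com, the 192.0.2.x addresses, the read-only account srx-reader, the zone names and the group name Engineering are placeholders. The statement names are the integrated user firewall hierarchy as I know it; confirm them with ? on your release. Lines beginning with ## are commentary for the reader, not commands.

```junos
## Added example, not Juniper's own configuration. Placeholders: example.com,
## 192.0.2.10/11, srx-reader, zones trust/untrust, group Engineering.

## 1. Domain, service account and the domain controllers whose security event
##    logs are read for logon events (the source of IP-to-user mappings).
set services user-identification active-directory-access domain example.com user srx-reader
set services user-identification active-directory-access domain example.com user password "<service-account-password>"
set services user-identification active-directory-access domain example.com domain-controller dc1 address 192.0.2.10
set services user-identification active-directory-access domain example.com domain-controller dc2 address 192.0.2.11

## 2. IP-to-user mapping via domain PC probing (WMI) and user-to-group mapping
##    via LDAP against the same domain.
set services user-identification active-directory-access domain example.com ip-user-mapping discovery-method wmi
set services user-identification active-directory-access domain example.com user-group-mapping ldap base "DC=example,DC=com"
set services user-identification active-directory-access domain example.com user-group-mapping ldap address 192.0.2.10

## 3. Identity-based policy: source-identity is matched in addition to the
##    address and application terms, so this permit applies only to members of
##    the Engineering group as recorded in the authentication table.
set security policies from-zone trust to-zone untrust policy engineering-internet match source-address any
set security policies from-zone trust to-zone untrust policy engineering-internet match destination-address any
set security policies from-zone trust to-zone untrust policy engineering-internet match application junos-https
set security policies from-zone trust to-zone untrust policy engineering-internet match source-identity "example.com\Engineering"
set security policies from-zone trust to-zone untrust policy engineering-internet then permit
set security policies from-zone trust to-zone untrust policy engineering-internet then log session-init

## 4. Traffic from a source address with no authentication-table entry matches
##    the unknown-user keyword. Deny and log it explicitly so that gaps in
##    identity collection are visible instead of being silently permitted.
set security policies from-zone trust to-zone untrust policy deny-unknown match source-address any
set security policies from-zone trust to-zone untrust policy deny-unknown match destination-address any
set security policies from-zone trust to-zone untrust policy deny-unknown match application any
set security policies from-zone trust to-zone untrust policy deny-unknown match source-identity unknown-user
set security policies from-zone trust to-zone untrust policy deny-unknown then deny
set security policies from-zone trust to-zone untrust policy deny-unknown then log session-init
```

Use a dedicated account that has only the rights needed to read the domain controllers' security event logs, query LDAP and run WMI probes, not a domain administrator; the credential is stored on the firewall and is exposed to every host the firewall probes. Keep the unknown-user deny after the identity-based permits, since policies are evaluated in order, and review its log hits: a sudden burst of unknown-user matches usually means event-log collection or probing has stalled rather than that users have disappeared.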

Role of Identity Source and Identity Manager

Identity Source

An identity source manages user or device information and roles, and maintains user events (such as logons and logoffs).

Identity Manager

Juniper Identity Management Service (JIMS) is an advanced user identity management system.

JIMS connects and communicates with the various identity sources shown in Figure 1 on behalf of the SRX Series firewall.

Table 2: Description of Identity Aware Firewall Components

Deployment mode: Active Directory as Identity Source

Description: Active Directory as Identity Source gathers user and group information for authentication by reading domain controller event logs, probing domain PCs, and querying Lightweight Directory Access Protocol (LDAP) services within the configured Windows domain.

Benefits of deployment:
  • Centralized Management: Centralizes user and group management within an organization, simplifying administration.
  • Effective Authentication: Verifies user and computer identities, enhancing network security.
  • Policy Enforcement: Allows administrators to enforce security policies using Group Policy Objects (GPOs).
  • Dependencies: Relies on Active Directory infrastructure, which might not be preferred by all organizations.

Deployment mode: Juniper Identity Management Service (JIMS)

Description: Juniper Identity Management Service (JIMS) is a standalone Windows service application that collects and maintains a large database of user, device, and group information from identity source domains or syslog sources. For more information, see JIMS with SRX Series Firewall.

Benefits of deployment:
  • Efficient Management: Simplifies the end-user experience by automating the correlation between usernames, devices, and IP addresses.
  • Load Reduction: Reduces load on the identity source by acting as middleware between the identity source and the firewalls.
  • Access Control: Allows policy control based on group memberships, enhancing security and access restrictions.
  • Dependencies: Relies on a standalone Windows service, potentially adding a point of failure or a dependency on the Windows environment.

Deployment mode: Aruba ClearPass as Identity Source

Description: SRX Series firewalls, NFX Series devices, and Aruba ClearPass collaborate to protect your network resources by enforcing security at the user identity level, based on usernames or on the groups that users belong to, and by controlling user access to the Internet.

Benefits of deployment:
  • Policy Management: Facilitates policy management for onboarding new devices and controlling access based on roles and device types.
  • Granular Access Control: Enables granting access levels based on user roles, enhancing security and compliance.
  • Dependencies: Requires integration with Aruba ClearPass, which involves additional configuration and setup.

Deployment mode: Unified Access Control (UAC) as Identity Source

Description: Unified Access Control (UAC) uses IC Series UAC Appliances, Infranet Enforcers, and Infranet agents to protect your network by ensuring that only valid users can access resources. An IC Series appliance is a policy decision point in the network that uses authentication information and policy rules to determine whether to grant access to individual resources on the network.

Benefits of deployment:
  • Simplified Configuration: User information, groups, and policy rules are created in a central location.
  • Enforced Security: Ensures that only valid users can access network resources, through IP-based policies.
  • Dependencies: Requires the deployment of IC Series UAC Appliances, Infranet Enforcers, and Infranet agents, potentially adding complexity to the network.

Choosing Between Identity Aware Firewall Components

Customers typically choose between identity aware firewall components based on their specific organizational needs, existing infrastructure, and security requirements:

Source of Identity

The SRX Series firewall needs to connect to one of the identity sources, or to the identity manager, described in Table 1.

Scaling

For the deployments with higher scaling requirements, Juniper Identity Management Service is recommended.

Users should evaluate their specific needs, consider the complexity of integration and maintenance, and choose the identity aware firewall component that aligns best with their organizational goals and security requirements.

Authentication Table

SUMMARY This topic describes the authentication table: how it is implemented and managed, and the states its entries can be in.

What is Authentication Table

The authentication table contains the IP address-to-username and group mapping information that serves as the authentication source for identity-aware security policies.

How the Authentication Table is implemented

The user and group mapping information in the authentication table is built from user identity information obtained from the identity source. When Juniper Identity Management Service is deployed, the SRX Series firewall populates the authentication table by querying JIMS, either with an IP query (a lookup of a single address) or with a batch query (a periodic pull of many entries).

The table is generated on the Routing Engine of the SRX Series firewall or NFX device, which then pushes it to the Packet Forwarding Engine. Security policies use the information in the table to identify the user behind the traffic and to apply access control to traffic passing through the firewall.

The priority option specifies the sequence in which the user information tables are checked when more than one authentication source is configured. The lowest value means the highest priority: for example, giving the Active Directory authentication source the lowest value means that it is searched first.
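For the JIMS deployment mode described in Table 2 and the IP-query, batch-query and priority points above, an added example (not from the original page or from Juniper documentation) of the SRX side of the JIMS connection and of the authentication-source priorities, in Junos set format. The addresses, client-id, secret and timer values are placeholders; the client-id and client-secret must match what is defined on the JIMS server. The statement names are the identity-management hierarchy as I know it; verify them with ? on your release. Lines beginning with ## are commentary, not commands.

```junos
## Added example, not Juniper's own configuration. Placeholders: 192.0.2.20/21,
## srx-campus, the secret and the priority values.

## Primary and secondary JIMS servers. client-id/client-secret are the
## credentials the SRX presents to the JIMS query API over HTTPS.
set services user-identification identity-management connection primary address 192.0.2.20
set services user-identification identity-management connection primary client-id srx-campus
set services user-identification identity-management connection primary client-secret "<shared-secret>"
set services user-identification identity-management connection secondary address 192.0.2.21
set services user-identification identity-management connection secondary client-id srx-campus
set services user-identification identity-management connection secondary client-secret "<shared-secret>"
set services user-identification identity-management connection connect-method https
set services user-identification identity-management connection port 443

## Batch query: periodic pulls that populate the table in bulk
## (items per pull and interval in seconds).
set services user-identification identity-management batch-query items-per-batch 200
set services user-identification identity-management batch-query query-interval 5

## IP query: lookup of a single source address when traffic arrives with no
## entry in the table; query-delay-time (seconds) gives the batch query a
## chance to deliver the entry first, limiting per-flow queries to JIMS.
set services user-identification identity-management ip-query query-delay-time 15

## Entry lifetimes (minutes) for JIMS-sourced entries.
set services user-identification identity-management authentication-entry-timeout 60
set services user-identification identity-management invalid-authentication-entry-timeout 60

## Priority: the lowest value is searched first. Here the JIMS-fed table is
## consulted before the firewall-authentication table, so a user who was
## also prompted by captive-portal firewall authentication is still matched
## on the JIMS identity when both exist.
set services user-identification authentication-source identity-management priority 110
set services user-identification authentication-source firewall-authentication priority 150
```

Treat the client-secret like any other service credential: rotate it when staff with access to the JIMS configuration change, and use a separate client-id per firewall cluster so that a compromised firewall can be revoked on the JIMS side without affecting the others. The priority values only decide which table answers first; if the identity for an address is wrong, fix the source rather than reordering the tables.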

State Information for Identity Source Authentication Table Entries

Identity Source authentication table entries can be in one of four states:

Initial

Specifies that IP address-to-user mapping information was obtained by reading domain controller event logs and an entry was added to the authentication table. Entries in this state are changed to valid when the table is pushed from the Routing Engine to the Packet Forwarding Engine.

Valid

Specifies that a valid entry was obtained by reading domain controller event logs or that a valid response was received from a domain PC probe and the user is a valid domain user.

Invalid

Specifies that an invalid response was received from a domain PC probe and the user is an invalid domain user.

Pending

Specifies that a probe event generated an entry in the authentication table, but no probe response has been received from the domain PC. If a probe response is not received within 90 seconds, the entry is deleted from the table.

How Authentication Tables are managed

Windows domain environments change constantly as users log in to and out of the network and as network administrators modify user group information. The identity source tracks changes in the Windows domain and updates periodically; the authentication table is updated accordingly, so that it reflects the current group information for all listed users.

Additionally, a probe function is provided to address changes that occur between reads of the event logs, and the case where event log information is lost. An on-demand probe is triggered when client traffic arrives at the firewall but the source IP address of that client cannot be found in the table. At any point, manual probing is also available to probe a specific IP address.

See Domain PC Probing.

Identity Source Authentication Table Device Support

Table 3 lists the Identity Source authentication table limits per device; support depends on the Junos OS release in your installation.

Table 3: Identity Source Authentication Table Device Support

Columns: Identity Source authentication table entries, domains, controllers.

  • SRX300, SRX320: 500 entries, 1 domain, 5 controllers
  • SRX340, SRX345, SRX380: 1000 entries, 1 domain, 5 controllers
  • SRX1500, SRX1600, SRX2300: 20,000 entries, 2 domains, 10 controllers
  • SRX4000 line: 50,000 entries, 2 domains, 10 controllers
  • SRX5000 line: 100,000 entries (users without JIMS) or 256,000 entries (users with JIMS), 2 domains, 10 controllers
  • vSRX Virtual Firewall (2 vCPUs and 4 GB vRAM, 5 vCPUs and 8 GB vRAM): 5000 entries, 2 domains, 10 controllers
  • vSRX Virtual Firewall (9 vCPUs and 16 GB vRAM, 17 vCPUs and 32 GB vRAM): 10,000 entries, 2 domains, 10 controllers
  • NFX150: 500 entries, 1 domain, 5 controllers

Timeout

When a user is no longer active, a timer is started for that user's entry in the authentication table. When the timer expires, the user's entry is removed from the table. Entries in the table remain active as long as there are sessions associated with the entry.

We recommend that you disable timeouts when you disable on-demand probing, in order to prevent someone from accessing the Internet without logging in again.
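For the probe behaviour described under How Authentication Tables are managed and the timeout rule above, an added example (not from the original page or from Juniper documentation) of the relevant Active Directory access settings together with the operational commands used to check entry states and trigger a manual probe. The values are placeholders; authentication-entry-timeout is in minutes and 0 disables it, wmi-timeout is in seconds. The request ... ip-user-probe form is the manual probe command as I recall it; confirm it with ? on your release. Lines beginning with ## are commentary, not commands.

```junos
## Added example, not Juniper's own configuration. Placeholders: the timer
## values, example.com and 192.0.2.100.

## --- Configuration mode: probing enabled (the default), with explicit timers.
## Minutes before an inactive user's entry is removed (the timer described above).
set services user-identification active-directory-access authentication-entry-timeout 30
## Minutes an Invalid entry (failed domain PC probe) is kept before removal.
set services user-identification active-directory-access invalid-authentication-entry-timeout 30
## Seconds to wait for a WMI probe response from the domain PC.
set services user-identification active-directory-access wmi-timeout 20

## --- Configuration mode: the alternative the page recommends. If on-demand
## probing is turned off, also disable the entry timeout (0), because nothing
## would re-learn an address whose entry has expired. Apply these two lines
## instead of the authentication-entry-timeout 30 line above.
set services user-identification active-directory-access no-on-demand-probe
set services user-identification active-directory-access authentication-entry-timeout 0

## --- Operational mode: verify collection and inspect entry states.
## Domain controller connectivity (event-log reading depends on it).
show services user-identification active-directory-access domain-controller status
## Whole table; each entry shows its State (Initial, Valid, Invalid, Pending).
show services user-identification active-directory-access active-directory-authentication-table all
## One address, for example before and after a manual probe.
show services user-identification active-directory-access active-directory-authentication-table ip-address 192.0.2.100
## Manual probe of one address (syntax as I recall it; confirm on your release).
request services user-identification active-directory-access ip-user-probe address 192.0.2.100 domain example.com
```

When on-demand probing is left enabled, note that any host that sends traffic through the firewall with no table entry causes the firewall to open a WMI connection to it using the configured domain account; a rogue host on the inside can therefore provoke probes at will. Keep probes restricted to the managed domain PC address ranges where possible, and read a rising count of Pending and Invalid entries as a signal that probing is being blocked (host firewall, WMI disabled) or abused.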