Security Policy Overview

Juniper Security Director Cloud lets you create, modify, and delete security policies and associate devices with a security policy. A security policy enforces rules on traffic that passes through a device: traffic is permitted or denied according to the action defined in the matching security policy rule. A security policy rule controls transit traffic within a context that is derived from the endpoints defined in the rule. A rule-based security policy can combine transport-layer (Layer 4) and application-layer (Layer 7) security constructs in a single rule; which constructs apply, and in what sequence, is determined implicitly by the endpoints in the rule definition. A security rule consists of source and destination endpoints, IP addresses, user identity, URL categories, services, and applications.

Note:

If a device (CPE or next-generation security device) is running Junos OS Release 18.2R1 or later, its security policy acts as a unified security policy. In a unified security policy, a dynamic application can be used as a match condition alongside the existing match conditions, so a separate application security policy does not have to be configured on the device to allow or block traffic to an application.

A security policy provides the following features:

  • Permit, reject, deny, redirect, or tunnel traffic based on the application in use.
  • Identify not only HTTP but also any application running on top of it, so that policies can be enforced properly. For example, an application security rule could block HTTP traffic from Facebook but allow HTTP traffic from Microsoft Outlook.
  • Apply advanced security protection by specifying one or more of the following:
    • Intrusion prevention system (IPS) profile
    • Content security profile
    • SSL proxy profile

Rules are categorized as zone-based rules and global rules.

  • Zone-based rules are rules whose source and destination endpoints are zones. The parameters that you can define for zone-based rules are listed in Table 1.
  • Global rules give you the flexibility to act on traffic without any zone restriction. Table 1 also lists the parameters for global rules.

    Table 1: Parameters for Zone-based and Global rules

    Sources    Destinations    Applications/Services  Action    Advanced Security Options  Supported Options
    ---------  --------------  ---------------------  --------  -------------------------  -----------------
    Zone       Zone            Applications           Permit    IPS Profile                Schedules
    Addresses  Addresses       Services               Deny      Content Security Profile   Logging
    Identity   URL Categories                         Reject    SSL Proxy Profile          Rule Options
                                                      Redirect
                                                      Tunnel

Security Policy and Rule Order Overview

Security policies and rules are evaluated in the order in which they appear, and the first matching rule determines the action taken on the traffic. Keep the following in mind:

  • Security policies, and the rules within each security policy, are applied from top to bottom. For example, security policy P1 has two rules, Rule-a and Rule-b, and security policy P2 also has two rules, Rule-a and Rule-b. P1 has sequence number 1 and P2 has sequence number 2. After deployment, the security policies and rules are applied in the following sequence:

    1. P1 Rule-a

    2. P1 Rule-b

    3. P2 Rule-a

    4. P2 Rule-b

  • Newly created security policies and rules are added to the end of the list.

  • You can change the order of security policies and rules. See Reorder a Security Policy and Reorder a Security Policy Rule for details.

  • The last security policy in the policy list is the default policy, whose action is to deny all traffic. Any traffic that no rule above it matches is therefore dropped.

  • A security policy rule can mask another security policy rule. If an earlier rule matches every flow that a later rule would match, the later rule is never evaluated and the earlier rule's action is the one applied. A broad permit placed above a narrower deny therefore silently disables that deny. Review the rule order for masked rules whenever you add or reorder rules.
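To make the ordering and masking behaviour above concrete, here is an added example that is not Juniper code and not part of the original page: a small Python model of first-match evaluation over the P1/P2 policies described above, extended with the Layer 4 (service) and Layer 7 (dynamic application) match criteria from the overview. It walks policies in sequence order and rules top to bottom, falls through to the default deny, and reports rules that are masked by an earlier rule. The zone names, address ranges, service and application names (junos-http, junos:FACEBOOK-ACCESS, and so on) and the rule contents are constructed for the example, and the matcher is a simplification: it ignores how the device identifies an application part-way through a session.

```python
# Added example (not Juniper code): first-match evaluation of security policies and
# detection of masked rules. Zones, addresses, names and rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ("any",)  # wildcard for the address, service and application fields

@dataclass(frozen=True)
class Rule:
    policy: str
    name: str
    src_zone: str                  # "any" matches every zone
    dst_zone: str
    src_nets: Tuple[str, ...]      # CIDR strings, or ANY
    dst_nets: Tuple[str, ...]
    services: Tuple[str, ...]      # Layer 4 services, or ANY
    applications: Tuple[str, ...]  # Layer 7 dynamic applications, or ANY
    action: str                    # permit | deny | reject

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: str
    application: str

def _net_match(nets: Tuple[str, ...], ip: str) -> bool:
    return nets == ANY or any(ip_address(ip) in ip_network(n) for n in nets)

def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.src_zone in ("any", flow.src_zone)
            and rule.dst_zone in ("any", flow.dst_zone)
            and _net_match(rule.src_nets, flow.src_ip)
            and _net_match(rule.dst_nets, flow.dst_ip)
            and (rule.services == ANY or flow.service in rule.services)
            and (rule.applications == ANY or flow.application in rule.applications))

def evaluate(policies, flow: Flow) -> Tuple[str, Optional[str], str]:
    """Policies in sequence order, rules top to bottom; the first match decides.
    No match means the trailing default policy applies, and it denies."""
    for policy_name, rules in policies:
        for rule in rules:
            if matches(rule, flow):
                return policy_name, rule.name, rule.action
    return "default", None, "deny"

def _nets_cover(earlier: Tuple[str, ...], later: Tuple[str, ...]) -> bool:
    if earlier == ANY or later == ANY:
        return earlier == ANY
    return all(any(ip_network(l).version == ip_network(e).version
                   and ip_network(l).subnet_of(ip_network(e)) for e in earlier) for l in later)

def _set_covers(earlier: Tuple[str, ...], later: Tuple[str, ...]) -> bool:
    return earlier == ANY or (later != ANY and set(later) <= set(earlier))

def covers(earlier: Rule, later: Rule) -> bool:
    """True when every flow `later` could match is already taken by `earlier`,
    so `later` is never reached: it is masked."""
    return (earlier.src_zone in ("any", later.src_zone)
            and earlier.dst_zone in ("any", later.dst_zone)
            and _nets_cover(earlier.src_nets, later.src_nets)
            and _nets_cover(earlier.dst_nets, later.dst_nets)
            and _set_covers(earlier.services, later.services)
            and _set_covers(earlier.applications, later.applications))

def find_masked(policies) -> List[Tuple[str, str, bool]]:
    """(masked rule, masking rule, same action?) for each rule that can never fire."""
    flat = [rule for _, rules in policies for rule in rules]
    report = []
    for i, later in enumerate(flat):
        for earlier in flat[:i]:
            if covers(earlier, later):
                report.append((f"{later.policy}/{later.name}",
                               f"{earlier.policy}/{earlier.name}",
                               earlier.action == later.action))
                break  # report the first (topmost) rule that masks it
    return report

# Constructed policies: P1 has sequence number 1, P2 has sequence number 2.
P1 = [
    Rule("P1", "Rule-a", "trust", "untrust", ("10.0.0.0/8",), ANY, ("junos-http",), ANY, "permit"),
    Rule("P1", "Rule-b", "trust", "untrust", ANY, ANY, ANY, ("junos:FACEBOOK-ACCESS",), "deny"),
]
P2 = [
    # Meant to block HTTP from the guest subnet, but P1/Rule-a already permits it.
    Rule("P2", "Rule-a", "trust", "untrust", ("10.1.0.0/16",), ANY, ("junos-http",), ANY, "deny"),
    Rule("P2", "Rule-b", "dmz", "untrust", ANY, ANY, ("junos-dns-udp",), ANY, "permit"),
]
POLICIES = [("P1", P1), ("P2", P2)]

if __name__ == "__main__":
    fb = "junos:FACEBOOK-ACCESS"
    print(evaluate(POLICIES, Flow("trust", "untrust", "10.1.2.3", "203.0.113.10", "junos-http", fb)))  # P1/Rule-a permits first
    print(evaluate(POLICIES, Flow("trust", "untrust", "192.168.5.7", "203.0.113.10", "junos-http", fb)))  # P1/Rule-b denies
    print(evaluate(POLICIES, Flow("dmz", "untrust", "172.16.0.9", "203.0.113.22", "junos-ssh", "junos:SSH")))  # default deny
    for masked, by, same in find_masked(POLICIES):
        print(f"{masked} is masked by {by}" + ("" if same else " (different action)"))
```

The Facebook flow from 10.1.2.3 is permitted by P1/Rule-a before P1/Rule-b or P2/Rule-a is ever consulted, which is the masking problem in miniature: the deny for the guest subnet in P2/Rule-a is reported as fully masked by a permit with a different action, and a Facebook flow is only denied when it comes from a source that P1/Rule-a does not cover. The same model shows the default deny, since the SSH flow matches no rule and falls through.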