Juniper Networks delivers multiple high-performance next-generation firewalls that provide granular control and visibility from client to cloud. For a threat-aware network, both control and visibility are fundamental pieces. Juniper provides additional security to combat known and unknown threats:
• Application identification
• User identification
• Protection from network and application exploits
• Malware detection and prevention
• URL filtering, including blocking malicious web sites
• Encrypted traffic analysis
Constant shifts in application use, user behavior, and network infrastructure have created a threat landscape that continues to expose organizations to an increasing attack surface. Users need access to a growing number of applications hosted in the cloud and that operate across different devices. While seamless access to these applications is critical for the end user, security must also be taken into account. Access should not increase the organization’s risk.
Additional security is needed to combat these threats while maintaining user access to new applications on different devices. Juniper Networks® SRX Series Services Gateways deliver integrated next-generation firewall (NGFW) protection services with application awareness, user identity, and content inspection. In addition to NGFW capabilities, the SRX Series devices also offer intrusion prevention, SSL inspection, URL filtering, and unknown threat detection, providing a single security platform that addresses a wide range of security requirements from a common architecture.
Architecture and Key Components
The SRX Series NGFW services architecture includes several key components that provide a powerful platform to protect enterprises and MSPs from constant cyber attacks.
User Identification and Access Control: User Firewall
User identity is a core requirement of next-generation firewalls that enables administrators to create security policies that reflect business needs rather than network requirements. This flexibility creates a powerful mechanism for defining, managing, and refining security policies by creating firewall rules based on user identity rather than IP address. Through Juniper’s User Firewall feature, an SRX Series device can associate network traffic with a specific user through integration with directory services such as Active Directory. Policies can be defined to allow application use based on individual users or user groups, enabling more powerful but much simpler security controls. Through User Firewall, security policies can be expressed in terms of groups, allowing security policies to continue functioning as users are added or deleted from groups. In addition, User Firewall provides visibility into application usage at the user level rather than IP address, providing powerful insights into application traffic traversing the network. Security administrators can reduce the threat footprint by adjusting security policies to align application usage with security and business practices.
Application Identification and Control: AppSecure
Applications are no longer tied to traditional port-based communications. New applications are designed to dynamically change ports and protocols. Some are designed to tunnel through commonly used services, such as HTTP web traffic. For the user, this means applications can be used from anywhere, at any time. For the enterprise, it means defending against a constantly changing threat landscape that directly targets applications and passes through traditional network-layer protections.
Juniper NGFW services offer a powerful security platform that is well equipped to meet this challenge. At the core lies AppSecure, which offers robust visibility and control over applications on the network.
AppSecure instantly recognizes applications and surfaces the application name, description of the service, and inherent level of risk, regardless of port, protocol, or encryption method.
Offering deep application visibility and control, AppSecure provides the context that links application use to a user, regardless of location and device. Furthermore, AppSecure understands application behaviors and identifies vulnerabilities, enabling administrators to block risky applications before they can do any damage. AppSecure helps reduce an application’s threat footprint by allowing the definition of granular security policies, such as the level of deep packet inspection required and which users or groups are allowed access.
Exploit Protection: Intrusion Detection and Prevention (IDP)
Juniper’s intrusion prevention system (IPS) is tightly integrated with Juniper SRX to mitigate network and application exploits and protect against a wide range of attacks. Juniper IDP constantly monitors for new exploits against recently discovered vulnerabilities, keeping network protection up to date against the latest cyber attacks, and stopping them at the exploit stage before they gain a foothold inside the network. IDP signatures can be enabled in detection-only mode or inline to directly block malicious traffic.
Real-Time Protection: SecIntel
SecIntel provides verified threat intelligence to all points of connection across the network to block malicious traffic, enabling a threat-aware network. To help reduce risk, SecIntel can be deployed on the SRX to block malicious traffic originating from malicious IP addresses and domains, without the need for deep packet inspection. SecIntel’s threat feeds are automated and constantly updated. Additionally, these feeds are scrubbed and verified by Juniper Threat Labs to maintain high detection efficacy and reduce false positives. SecIntel can help reduce the load on the network, while making it more intelligent.
Block Known Threats: Network Anti-Malware
Malicious files, including ransomware and adware, continue to proliferate from multiple attack vectors. These threats compromise network endpoints and make them vulnerable to data theft, including credentials and personally identifiable information (PII). Detecting and blocking malware and unwanted files at the network level before they make it onto an endpoint is critical to safeguarding users, applications, and infrastructure against attacks. Anti-malware protection combines cloud-based file reputation intelligence and malware signatures with the SRX Series NGFW to deliver lightweight and fast security. The result is a highly effective perimeter defense against a multitude of known threats, which doesn’t slow down your users or your business.
Browsing Defense: Enhanced Web Filtering (EWF)
Users spend more than half of their time browsing the Internet and using web-based tools. It’s important that web traffic is both legitimate and safe. At the same time, certain web applications, such as online banking or healthcare, must remain private. EWF allows administrators to block unwanted URL categories, such as gambling and malware sites, and it enables selective decryption to keep business traffic safe from threats while users’ personal traffic can remain private. To reduce attacks, EWF contains more than 180 URL categories that can be used within security policies on the SRX.
Encrypted Protection: SSL Proxy
SSL has become the universal method for authenticating websites and encrypting traffic between Web clients and Web servers. However, because SSL content is encrypted, users can directly download malware onto their end clients. Since organizations have no visibility into SSL connections, they are blind to any threats that are transmitted over HTTPS into their corporate enterprise.
Juniper offers a powerful application-level SSL proxy that sits between client and server, intercepting encrypted traffic, terminating the session, and re-initiating the connection towards the end destination. It can be used as an SSL “forward” proxy that sits between users on the corporate LAN and their access to the Internet, protecting the end client. It also intercepts HTTPS traffic by acting as a gateway at the enterprise perimeter, where it terminates encrypted traffic before it enters the enterprise. At that point, unencrypted traffic is immediately inspected to determine compliance with security policy, as set by the security team. Traffic is then handled by proactive malware engines that will immediately block malware, thwarting any security breach.
For user privacy protection, the SSL Proxy can be configured with exemptions that prevent traffic between certain URLs from being decrypted. The exemptions can be set up based on user groups, URL categories, or custom categories.
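The following Junos configuration is an added illustration of the two features described above (User Firewall and the SSL forward proxy with decryption exemptions) working together in one security policy; it is not taken from this datasheet or from any Juniper documentation. It assumes that a CA certificate used to re-sign server certificates is already loaded in the PKI store under the certificate-id SSL-PROXY-CA, that Active Directory integration for User Firewall is already configured for the domain example.com, and that the subnet, zone names, policy names and AD group name are constructed values. The EWF URL category names used for the exemptions are assumptions and should be checked against the category list shipped with the release in use. Lines beginning with `##` are annotations, not commands.

```junos
## Assumed: CA certificate already loaded as SSL-PROXY-CA, and AD
## integration for User Firewall already configured for example.com.

## SSL forward proxy profile: re-sign server certificates with our CA,
## validate upstream servers against the platform CA bundle, and exempt
## privacy-sensitive categories (banking, healthcare) from decryption.
## Category names below are assumptions; verify them on your release.
set services ssl proxy profile SSL-FWD-PROXY root-ca SSL-PROXY-CA
set services ssl proxy profile SSL-FWD-PROXY trusted-ca all
set services ssl proxy profile SSL-FWD-PROXY exempted-url-categories Enhanced_Financial_Data_and_Services
set services ssl proxy profile SSL-FWD-PROXY exempted-url-categories Enhanced_Health_and_Medicine

## Zone address-book entry for the finance subnet (constructed value).
set security zones security-zone trust address-book address FINANCE-LAN 10.10.20.0/24

## Policy 1: members of the AD group "finance" (constructed group name)
## get HTTPS access that is decrypted and inspected by the proxy.
## The match is on user identity, so the rule keeps working as people
## join or leave the group without any change to the policy.
set security policies from-zone trust to-zone untrust policy FINANCE-WEB match source-address FINANCE-LAN
set security policies from-zone trust to-zone untrust policy FINANCE-WEB match destination-address any
set security policies from-zone trust to-zone untrust policy FINANCE-WEB match application junos-https
set security policies from-zone trust to-zone untrust policy FINANCE-WEB match source-identity "example.com\finance"
set security policies from-zone trust to-zone untrust policy FINANCE-WEB then permit application-services ssl-proxy profile-name SSL-FWD-PROXY
set security policies from-zone trust to-zone untrust policy FINANCE-WEB then log session-close

## Policy 2: any other authenticated user gets web access without
## decryption (the built-in "authenticated-user" identity matches any
## user the SRX has mapped to an IP address).
set security policies from-zone trust to-zone untrust policy AUTH-WEB match source-address any
set security policies from-zone trust to-zone untrust policy AUTH-WEB match destination-address any
set security policies from-zone trust to-zone untrust policy AUTH-WEB match application junos-http
set security policies from-zone trust to-zone untrust policy AUTH-WEB match application junos-https
set security policies from-zone trust to-zone untrust policy AUTH-WEB match source-identity authenticated-user
set security policies from-zone trust to-zone untrust policy AUTH-WEB then permit
set security policies from-zone trust to-zone untrust policy AUTH-WEB then log session-close

## Final rule: unmapped or unknown users are denied and the attempt is logged,
## so gaps in the identity mapping show up in the logs rather than silently passing.
set security policies from-zone trust to-zone untrust policy DENY-REST match source-address any
set security policies from-zone trust to-zone untrust policy DENY-REST match destination-address any
set security policies from-zone trust to-zone untrust policy DENY-REST match application any
set security policies from-zone trust to-zone untrust policy DENY-REST then deny
set security policies from-zone trust to-zone untrust policy DENY-REST then log session-init
```

Policy order matters: the SRX evaluates policies within a zone pair top to bottom, so the identity-specific decryption rule sits above the general permit, and the catch-all deny sits last. Clients must trust the SSL-PROXY-CA certificate for re-signed sessions to be accepted without browser warnings; the exempted categories are passed through without the proxy ever terminating the TLS session.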
Unknown Threats: Juniper Advanced Threat Prevention (ATP)
Juniper Advanced Threat Prevention (ATP) is Juniper’s threat intelligence hub and uses machine learning algorithms to provide complete advanced malware detection and prevention. ATP can detect threats in encrypted traffic without decrypting it, and it surfaces compromised devices. When integrated with SRX Series Services Gateways, Juniper ATP leverages a global threat database to deliver threat intelligence, dynamic malware analysis, encrypted traffic insights, and adaptive threat profiling. Juniper ATP is offered as a cloud-based service or as an on-prem appliance.
Juniper ATP protects against trojans, worms, ransomware, botnets, and IoT threats.
Features and Benefits
| Feature | Junos OS Version Required | Description | Benefits |
| --- | --- | --- | --- |
| Application identification | 15.1X49-D200 or higher | Provides a sophisticated classification engine that accurately identifies applications regardless of port or protocol, including applications known for using evasive techniques to avoid identification. | Provides more granular control by identifying unique applications rather than IP addresses to enforce corporate security policies to match your specific business requirements. |
| Application analysis | 15.1X49-D100 or higher | Provides detailed analysis of application volume and usage throughout the network based on bytes, packets, and sessions. | Enables tracking of application usage to identify high-risk applications and analyze traffic patterns to improve network management and control. |
| AppFirewall | 18.2R1 or higher for Unified Policy usage | Enables tracking of application usage to identify high-risk applications and analyze traffic patterns to improve network management and control. | Enhances security policy creation and enforcement based on applications and user roles rather than traditional port and protocol analysis. |
| AppQoS | 18.2R1 or higher for use within Unified Policy | Leverages Juniper’s rich QoS capabilities to prioritize applications based on customers’ business and bandwidth needs. | Allows users to prioritize traffic as well as limit and shape bandwidth based on application information and contexts for improved application and overall network performance. |
| Advanced Policy-Based Routing (APBR) | 15.1X49-D60 or higher | Classifies sessions based on applications and applies the configured rules to reroute the traffic. | Provides the ability to route traffic over different WAN links and assign higher priority to business-critical applications. |
| User Firewall | 12.1X47-D10 or higher | Integrates with directory services such as Active Directory to create firewall policies that are associated with specific users or groups to enforce security protection. | Enables more accurate and granular security policies through powerful but simplified security controls. |
| SSL Proxy | 15.1X49-D30 or higher | Sits between client and server, intercepting encrypted traffic, terminating the session, and re-initiating the connection towards the end destination, and can be used as an SSL “forward” proxy to protect the end client. | Prevents users from directly downloading malware hidden within encrypted traffic onto their end clients. |
| Intrusion Prevention System (IPS) | 15.1X49-D10 or higher | Offers comprehensive protection against a broad range of known security exploits in applications, databases, and operating systems. | Constantly monitors for new exploits against newly discovered vulnerabilities to ensure that network protection is up to date against the latest cyber attack methods. |
| Juniper Advanced Threat Prevention | 15.1X49-D80 or higher | Provides cloud-based service that performs sophisticated advanced malware detection through powerful machine learning algorithms to identify previously unseen security threats. | Accurately identifies unknown and never-before-seen malware that eludes conventional methods, ensuring complete protection. |
| Security Intelligence (SecIntel) | 15.1X49-D80 or higher | Generates threat feeds that include attacker IPs, C&C, GeoIP, infected hosts, and dynamic address groups. | Reduces risk by enabling Juniper switches, routers, and firewalls to identify and block potential threats. |
| Encrypted Traffic Insights | 20.2R1 or higher | Enables SRX Series firewalls to collect relevant SSL/TLS connection data, including certificates used, cipher suites negotiated, and connection behavior. This information is processed by Juniper ATP, which uses network behavioral analysis and machine learning to determine whether the connection is benign or malicious. Policies on SRX Series firewalls can be used to block encrypted traffic identified as malicious. | Restores visibility that was lost due to encryption without the heavy burden of full TLS/SSL decryption. |
| Adaptive Threat Profiling | 20.2R1 or higher | Allows organizations to leverage their existing infrastructure to create security intelligence feeds based on real-time events occurring on their network. These feeds, unique to each organization, can be configured based on security policies and utilized by other enforcement points on the network to detect threats and update their infrastructure in real time, blocking potential attacks. | Improves threat response times by taking real-time threat information and pushing it out to all points across the network. |
| | 15.1X49-D100 or higher (cloud-based); 18.4R1 or higher (on-box) | Protects against malware, viruses, phishing attacks, intrusions, spam, and other threats through antivirus, antispam, and Web and content filtering. | Implements real-time security defense that ensures businesses have up-to-date signatures that provide visibility into threats from all over the world. |
| | 15.1X49-D40 or higher | Provides web traffic categorizations that can be incorporated into application and security policy. | Prevents web-borne threats and unwanted browsing activity. |
| | 15.1X49-D60 or higher | Streamlines operations by centrally managing all NGFWs from a single pane of glass. | Simplifies complex security policy management and implementation through an easy-to-use GUI, saving time and increasing productivity. |
Junos Space Security Director
Juniper Networks® Junos® Space Security Director is the central manager for all SRX Series Services Gateways. It provides security policy management for all physical, logical, and virtual firewalls through an innovative, intuitive, and centralized web-based interface that offers enforcement across emerging and traditional threat vectors. It provides detailed visibility into application performance and reduces risk while enabling users to move quickly from “knowing” something is wrong to “doing” something to fix the problem.
Providing extensive scale, granular policy control, and policy breadth across the network, Security Director helps administrators manage all phases of the security policy lifecycle for stateful firewall and NGFW services through a centralized web-based interface. Security Director supports multiple types of environments and can be deployed on-premises or as-a-service.
Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability.
For more details, please visit https://www.juniper.net/us/en/products.html.
About Juniper Networks
At Juniper Networks, we are dedicated to dramatically simplifying network operations and driving superior experiences for end users. Our solutions deliver industry-leading insight, automation, security and AI to drive real business results. We believe that powering connections will bring us closer together while empowering us all to solve the world’s greatest challenges of well-being, sustainability and equality.
1000623 - 006 - EN APRIL 2021