
IMPLEMENTATION GUIDE

Copyright © 2009, Juniper Networks, Inc. 1

APPLICATION AND IDENTITY-BASED SECURITY POLICIES IN THE CLOUD READY DATA CENTER

Although Juniper Networks has attempted to provide accurate information in this guide, Juniper Networks does not warrant or guarantee the accuracy of the information provided herein. Third party product descriptions and related technical details provided in this document are for information purposes only and such products are not supported by Juniper Networks. All information provided in this guide is provided “as is”, with all faults, and without warranty of any kind, either expressed or implied or statutory. Juniper Networks and its suppliers hereby disclaim all warranties related to this guide and the information contained herein, whether expressed or implied of statutory including, without limitation, those of merchantability, fitness for a particular purpose and noninfringement, or arising from a course of dealing, usage, or trade practice.


IMPLEMENTATION GUIDE - Application and Identity-Based Security Policies in the Cloud ready Data Center

Table of Contents

• Introduction
• Scope
• Target Audience
• Implementation
• Application Fluency
• Identity-Based Protection
• Unified Management and Monitoring
• Features and Configuration Guidelines
• Application Volume Tracking
• Enable AVT
• View Predefined AVT Reports
• Application-Based Policy
• Create Application-Based Policies from the APE Rulebase
• Create Application-Based Policies from the Profiler
• Application Rate-Limiting Feature
• Identity-Based Policy
• Configure User Role-Based Policies
• STRM Series AVT Reports
• Application Volume Tracking Custom Report
• Summary
• Appendix A—Graphical Representation of Reports
• Top 10 Applications by Volume
• Top 10 Application Categories by Volume
• Top 5 Applications by Volume over Time (last hour)
• Top 5 Application Categories by Volume over Time (last hour)
• Top 5 Source by Volume over Time (last hour)
• Top 5 Destinations by Volume over Time (last hour)
• About Juniper Networks


Table of Figures

• Figure 1: Application and user visibility with enforcement
• Figure 2: Typical campus, branch office, data center network configuration with Juniper devices
• Figure 3: Enabling AVT
• Figure 4: AVT reports
• Figure 5: Create application-based policies from APE rulebase
• Figure 6: Create application-based policies from the Profiler
• Figure 7: Select the appropriate IPS policy screen
• Figure 8: Select multiple applications
• Figure 9: Create flexibility in the policy construct
• Figure 10: Identity-based policy
• Figure 11: Configure user role-based policies
• Figure 12: Select the IC Series device and the user roles that will be used in the policy screen
• Figure 13: User-based policy for UAC demo contractor role
• Figure 14: Configure the AVT DSM in the STRM Series
• Figure 15: AVT custom report
• Figure 16: STRM Series AVT report, example #1
• Figure 17: STRM Series AVT report, example #2
• Figure 18: Top 10 applications by volume
• Figure 19: Top 10 application categories by volume
• Figure 20: Top 5 applications by volume over time (last hour)
• Figure 21: Top 5 application categories by volume over time (last hour)
• Figure 22: Top 5 source by volume over time (last hour)
• Figure 23: Top 5 destinations by volume over time (last hour)


Introduction

Organizations are enabling their data centers to be “cloud ready” to take advantage of the efficiency and elasticity of cloud computing. More than ever, both public and private sector organizations are relying heavily on data center infrastructure to store their operating and intellectual data, track business transactions, and comply with regulatory mandates. The emergence of new applications that use technologies such as virtualization, Web 2.0, and service-oriented architecture (SOA) allows organizations to communicate, collaborate, and operate their data centers with far better efficiency. Extending these and other corporate applications to the cloud offers the further benefit of greater business agility, making the cloud an attractive option for most organizations.

However, many modern applications also employ advanced features like non-standard or dynamic ports and encryption, while others function with commonly trusted services such as Web, Domain Name System (DNS), or email—allowing these applications and trusted services to unintentionally bypass traditional network security measures. Although there is business value in authorizing access to these applications and services within the data center, they can introduce a host of risks that include the loss of intellectual property, compliance failure, data leakage, and new threat propagation vectors. Moreover, well-organized and financially motivated cyber criminals are increasingly viewing cloud data centers as their most attractive exploit targets. Traditional network security measures of defining policies based on ports and protocols are no longer sufficient to address the security requirements of these modern, cloud-enabled data centers.

Many enterprise back-office applications, for example customer relationship management (CRM), supply chain management (SCM), or enterprise resource planning (ERP), employ SOA mashup architectures or Web 2.0 technologies, allowing for the seamless integration of data to improve overall business processes. These applications are perfect examples of the collaborative nature of this architecture in delivering a quality end user experience, while also demonstrating the inherent weakness of traditional security measures that are based on policing ports and protocols. Organizations need greater visibility and control over their network resources, binding applications to user identities to better gauge what applications are running across their networks, which users are using them, and how best to mitigate risks.

Figure 1: Application and user visibility with enforcement

IT and security managers are advised to revisit their policy and enforcement design approaches, best practices, and technologies in order to meet these requirements for the cloud-ready data center. Some of the key attributes to consider while designing security solutions for a cloud environment are:

• Application fluency—accurately identifying applications and supporting policy definitions based on them
• Identity-based protection—creating identity-based policies and supporting enforcement based on user roles
• Unified management and monitoring—enabling a network security environment that is easy to provision, configure, and manage through a single management system, as well as collecting, analyzing, monitoring, and correlating log and flow data from the data center infrastructure to identify and escalate threats automatically.

Figure 1 (diagram content): discrete data analysis of IP address, size, port, and protocol; business analysis of application (SAP), data, and user (Joe); deep packet intelligence answering “What application? What user? User location? User device?”


Scope

This paper highlights the evolution of Juniper Networks data center security solutions to incorporate application and identity-based policies and enforcement, and it emphasizes best practices for centralized management and integration among additional Juniper Networks devices.

This paper also describes how enterprise data center customers can create an application and identity-aware security policy enforcement solution by implementing products such as Juniper Networks® STRM Series Security Threat Response Managers, Juniper Networks Unified Access Control, and Juniper Networks IDP Series Intrusion Detection and Prevention Appliances, combined with Network and Security Manager to manage the solution. This document assumes that the reader has a basic understanding of these products.

NOTE: This implementation guide does not cover basic setup details for any Juniper Networks product or solution highlighted. Please refer to the specific product user guides for installation and configuration instructions.

Target Audience

This guide is intended for the following network and security professionals:

• Enterprise security architects
• Security engineers
• Network architects

Design Considerations

This section covers the key design considerations for application and identity-based security policy enforcement, which is an integral part of Juniper Networks Data Center Infrastructure Solutions. For further details regarding these solutions, refer to the Data Center Security Solutions Brochure.

Most branch offices and campuses connect directly to headquarters through a private WAN link, a VPN over the Internet, or a VPN over a private WAN link. In addition, as more and more branch offices connect directly to the Internet to leverage fast and inexpensive broadband connections, they demand a new set of security features that can protect them from internal threats. Note that most employees (workers) who access their corporate data center via the Internet are concentrated within the branch and campus environment.

Figure 2: Typical campus, branch office, data center network configuration with Juniper devices

Figure 2 (diagram content): sites shown are a remote user, HQ/campus, branch office, NOC, data center, and the Internet; devices shown are SRX Series, NSMxpress, STRM Series, M Series, ISG Series, SA Series, IC Series, AAA identity store, IDP Series, SRX5000 line, and EX4200. Products: UAC, IDP Series, EX4200, SRX Series, M Series, STRM Series, NSM.


Figure 2 depicts a sample reference network showing Juniper Networks security devices such as:

• Juniper Networks EX Series Ethernet Switches
• Juniper Networks IC Series Unified Access Control Appliances
• Juniper Networks IDP Series Intrusion Detection and Prevention Appliances
• Juniper Networks ISG Series Integrated Security Gateways
• Juniper Networks Network and Security Manager
• Juniper Networks Odyssey Access Client
• Juniper Networks SRX Series Services Gateways
• Juniper Networks STRM Series Security Threat Response Managers

Figure 2 above illustrates the need for application and identity-based policies and enforcement in the data center. (See Table 1 for requirements and recommended devices.) This sample reference network consists of a small data center that connects to the Internet, a large campus location, and a branch location.

As illustrated in Figure 2, Juniper Networks ISG Series Integrated Security Gateways provide firewall protection at the network perimeter. IDP Series Intrusion Detection and Prevention Appliances and Unified Access Control sit behind the ISG Series gateways. EX Series Ethernet Switches sit behind the IDP Series, connecting to the rest of the LAN. The standalone IDP Series appliance is configured in transparent mode in this solution, as it will act as the enforcement point for our application and identity policies.

In transparent mode, the IDP Series is in the path of network traffic. You connect the device traffic interfaces to network devices such as firewalls or switches. The virtual router receives traffic from the input port of a traffic interface pair. For Layer 3 traffic, IDP Series appliances inspect and process it according to your security policy rules, taking action against threats and forwarding safe traffic through the output port of the traffic interface pair. For Layer 2 connections, administrators can choose to drop them or pass them through the device without inspection. You do not need to configure other network devices to be aware of the IDP Series appliance.

Management products that connect to the management subnet to monitor and manage the various devices include Juniper Networks STRM Series Security Threat Response Managers and Juniper Networks Network and Security Manager.

Figure 2 also demonstrates the process by which a user within the branch office, using a laptop, attempts to log onto the corporate network via the Internet. The user attempts to access applications that reside in the data center and is required to log in through the IC Series via Juniper Networks Odyssey Access Client (OAC). However, prior to gaining full access to the desired applications, the user’s security posture is validated against corporate security policies via the Host Checker, which is built into the OAC.

With the IC Series’ internal RADIUS server, you can provision 802.1X authentication for endpoints. Layer 2 authentication and enforcement controls network access policies at the edge of the network using an 802.1X-enabled switch or access point such as an EX Series switch. An IDP Series device provides application-based policy enforcement, while the IC Series UAC appliance provides authentication. A user whose credentials do not meet the corporation’s required security criteria (as shown in Figure 2) is denied access. In cases where an authenticated user violates the Acceptable Use Policy (AUP), the IDP Series in the data center can act as a policy violation detection and policy enforcement point, while reporting all activity in real time to STRM Series devices.

Juniper Networks SSG Series Secure Services Gateways and SRX Series devices can also provide Unified Access Control enforcement (dynamic access control policies based on user identity and endpoint integrity) by validating user identity, endpoint identity, and network location, thereby enabling administrators to enforce an access control policy on a heterogeneous switch and wireless infrastructure. The enterprise denies users access to the network until their user credentials and endpoint integrity status have been validated.

NOTE: This document focuses on application and identity-based policy definitions and enforcement that can be performed using IDP Series standalone appliances running IDP Series software version 5.0 or later.

Table 1 lists the requirements and recommended devices that define application and identity-based protection in today’s data center. To effectively and efficiently monitor and control threats originating from trusted LAN users, the enterprise needs to provide preventative and proactive security features such as authorized secure LAN access, traffic inspection, and coordinated threat control (CTC) functioning throughout the entire distributed enterprise network. Traffic originating from the Internet that is destined for the data center must be inspected for threats as well. In addition, allowing LAN access devices to integrate with a centralized security management system that provides visibility and control, such as the STRM Series and Network and Security Manager, is crucial to successfully mitigating insider threats. The following sections cover STRM Series Security Threat Response Managers in detail.

Table 1: Requirements and Recommended Devices

Requirement: Authorized LAN access
Recommended devices:
• EX Series Ethernet Switches
• SRX Series Services Gateways
• IC Series Unified Access Control Appliances

Requirement: Application and identity-based policy and enforcement, traffic inspection for threat prevention and detection, and CTC
Recommended devices:
• IDP Series
• IC Series Unified Access Control Appliances

Requirement: Centralized security management, visibility, and control
Recommended devices:
• NSM
• STRM Series

Implementation

Juniper’s data center security solution comprises these major components:

• Application fluency
• Identity-based protection
• Unified management and monitoring

Application Fluency

Data center security solutions are based on application categorization and customer application security enhancements. The traditional method of defining port numbers no longer captures the basic security characteristics of an application. What’s required is a new breed of security policy definitions and enforcement tools that can fluently identify application instances, application transactions, and application actions without relying on TCP/IP header information. The ability to identify an application based on its internal characteristics is absolutely critical; without this ability, it is not possible to provide the security protection that regulations dictate and business processes demand. Adopting these new security technologies will make it much easier to define technical security policies in compliance with business processes by identifying the methods and actions allowed within certain application instances—a much more precise and surgical approach than generically implementing broad controls that impact all applications. Additionally, such solutions provide visibility into the application infrastructure, making it possible to determine application usage profiles and other valuable application-level information.

Identity-Based Protection

Aligning user identification with access to applications has become a critical component when defining access policies for critical data center resources. Security enforcement has evolved to a more identity-centric application protection methodology that bases access decisions on user roles and current state.

Unified Management and Monitoring

Data center infrastructure security solution components should integrate with an enterprise’s centralized security management solution to streamline policy management and reduce the potential for errors. A critical requirement of any security solution that spans the entire enterprise is that it must provide a network-wide perspective of all security events occurring across all locations at any point in time. Moreover, all aspects of the solution should be managed centrally, and events/logs from multiple devices in the path of traffic (switches, routers, firewalls, intrusion prevention systems) should be managed and correlated to gain a realistic perspective of security attacks. Further, saving the events/logs for forensic analysis is also a critical requirement.

• Network and Security Manager provides a centralized configuration management and policy deployment capability. NSM can be used to collect logs from security devices and forward them to the STRM Series.
• STRM Series Security Threat Response Managers integrate and correlate logs from all network and security devices for centralized monitoring and reporting.
• Events can be correlated in real time, thus detecting fraudulent user activity early in the process.
• Based on the event and flow information, patterns can be generated to form baselines, and alarms can be triggered based on anomalies and deviations.
• Profiling can be conducted.


Features and Configuration Guidelines

Juniper’s data center security solutions are a set of dynamic controls which, through cooperation and policy, enable data center operators to offer more services while maintaining a high assurance level that services are protected and available.

Application Volume Tracking

The application identification feature enables the intrusion prevention system (IPS) engine to detect applications running on standard or nonstandard ports. Port-independent application identification enhances both security and manageability by eliminating manual and comprehensive configuration of application-to-port mappings for the service objects used in the rulebase and application policy enforcement (APE) rules.

The application identification feature uses application signatures provided by the Juniper Security Center team (J-Security Center) to identify the session application. J-Security Center continually updates signatures and develops new ones as necessary. When the application identification feature identifies a new application, it caches the result (the destination address, port, protocol, and service) to reduce the processing required for subsequent sessions.

When the IPS engine processes security policy rules, it examines the session beginning with the first packet to determine a match. To match a service or application, the IPS engine first tries to match the session against the application identification cache to determine the application. If the session does not match the application identification cache, the IPS engine processes the session against the application signatures to determine the application. If the IPS engine is still unable to determine the application, it uses the standard application protocol and port.

Application volume tracking (AVT) is now supported by NSM to provide application usage per user. AVT uses application identification and the Profiler to collect application statistics aggregated at 15-minute and 1-hour intervals. The AVT database stores up to four sets of each interval at a time (four 15-minute intervals and four 1-hour intervals).
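As an added illustration (not Juniper's code or the IDP Series implementation), the following Python sketch models the three-step lookup order described above (cache, then signatures, then standard protocol and port) together with the AVT aggregation into 15-minute and 1-hour sets that retain four sets each. The port table, signatures, session records, addresses and user names are constructed stand-ins; the port-mismatch flag is an added check that highlights an application identified on a port that normally carries a different, trusted service.

```python
from collections import OrderedDict, defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Last-resort "standard application protocol and port" table (constructed for
# this example; not the J-Security Center signature set).
STANDARD_PORTS = {("tcp", 80): "HTTP", ("tcp", 443): "TLS",
                  ("tcp", 22): "SSH", ("udp", 53): "DNS"}

# Stand-ins for application signatures: predicates over the first payload bytes
# of a session (constructed; real signatures are far richer than this).
SIGNATURES: List[Tuple[str, Callable[[bytes], bool]]] = [
    ("SSH", lambda p: p.startswith(b"SSH-")),
    ("HTTP", lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT")),
    ("TLS", lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03),
]


@dataclass
class Session:
    ts: int          # epoch seconds of the first packet
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes   # first payload bytes seen by the engine
    nbytes: int      # bytes carried by the whole session
    user: str        # identity supplied by the IC Series / UAC (constructed)


@dataclass
class Verdict:
    app: str
    method: str           # "cache", "signature" or "port"
    port_mismatch: bool   # application differs from what the port normally carries


class AppIdentifier:
    """Cache, then signatures, then standard port: the order the guide describes."""
    def __init__(self) -> None:
        # Keyed by destination address, port, protocol and service object.
        self.cache: Dict[Tuple[str, int, str, str], str] = {}
        self.stats = {"cache": 0, "signature": 0, "port": 0}

    def identify(self, s: Session) -> Verdict:
        service = STANDARD_PORTS.get((s.proto, s.dport), "unknown")
        key = (s.dst, s.dport, s.proto, service)
        if key in self.cache:
            self.stats["cache"] += 1
            app = self.cache[key]
            return Verdict(app, "cache", service != "unknown" and app != service)
        for app, matches in SIGNATURES:
            if matches(s.payload):
                self.cache[key] = app    # only positive identifications are cached
                self.stats["signature"] += 1
                return Verdict(app, "signature", service != "unknown" and app != service)
        self.stats["port"] += 1          # nothing matched: fall back to the port's service
        return Verdict(service, "port", False)


class VolumeTracker:
    """AVT-style aggregation of bytes per (application, user) into 15-minute and
    1-hour sets, retaining only the four most recent sets of each interval.
    Assumes sessions are recorded in time order."""
    INTERVALS = {"15min": 15 * 60, "1hour": 60 * 60}
    KEEP = 4

    def __init__(self) -> None:
        self.sets: Dict[str, OrderedDict] = {name: OrderedDict() for name in self.INTERVALS}

    def record(self, s: Session, app: str) -> None:
        for name, secs in self.INTERVALS.items():
            start = s.ts - s.ts % secs
            table = self.sets[name]
            table.setdefault(start, defaultdict(int))[(app, s.user)] += s.nbytes
            while len(table) > self.KEEP:
                table.popitem(last=False)    # drop the oldest interval set

    def top_apps(self, interval: str, n: int = 10) -> List[Tuple[str, int]]:
        # Top-N applications by volume over the retained sets, like the AVT reports.
        totals: Dict[str, int] = defaultdict(int)
        for counts in self.sets[interval].values():
            for (app, _user), nbytes in counts.items():
                totals[app] += nbytes
        return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def run_demo() -> Tuple[Dict[str, int], List[Tuple[str, int]], List[Verdict]]:
    """Constructed sessions: TLS on 443 twice, SSH carried over 443, opaque bytes on 80."""
    sessions = [
        Session(0, "10.1.1.5", "10.2.2.10", "tcp", 443, b"\x16\x03\x01\x00\xa5", 5000, "alice"),
        Session(60, "10.1.1.6", "10.2.2.10", "tcp", 443, b"\x16\x03\x01\x00\xa5", 3000, "bob"),
        Session(120, "10.1.1.7", "10.2.2.20", "tcp", 443, b"SSH-2.0-OpenSSH_8.9", 800, "carol"),
        Session(3700, "10.1.1.5", "10.2.2.30", "tcp", 80, b"\x00\x01\x02\x03", 1200, "alice"),
    ]
    ident, avt, verdicts = AppIdentifier(), VolumeTracker(), []
    for s in sessions:
        verdict = ident.identify(s)
        avt.record(s, verdict.app)
        verdicts.append(verdict)
    return ident.stats, avt.top_apps("1hour"), verdicts
```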

Enable AVT

Application volume tracking reports can be used to understand network performance and to gain insight into the types of applications and servers that experience heavy demands. This kind of information is critical for network planners and security administrators when they want to create network usage and security policies for the enterprise. Apart from these predefined reports, NSM provides the flexibility to build custom reports with the AVT data that is collected on the NSM from IDP Series devices.

To enable AVT:

1. Add and import the standalone IDP Series into the NSM server.
2. After configuring an initial IPS policy, enable IPS profiling and AVT.
3. Update the IDP Series device with these configuration changes.

NOTE: AVT is enabled by default.

Figure 3 shows an example of AVT enabled.


Figure 3: Enabling AVT

View Predefined AVT Reports

To view predefined reports:

1. In the NSM navigation tree, select Investigate > Report Manager.
2. Expand one of the following report nodes related to IPS events:
   • Deep inspection (DI)/IPS reports
   • Profiler
   • AVT
3. Click the name of the report to display its contents.

Figure 4 shows an example of the AVT report screen. Table 2 lists and describes all six predefined reports. Appendix A provides graphical representations of all six predefined reports.

Figure 4: AVT reports


Table 2: Six Predefined AVT Reports

Report: Top 10 Applications by Volume
Description: The 10 applications with the highest volume in bytes in the past 24 hours.

Report: Top 10 Application Categories by Volume
Description: The 10 application categories with the highest volume in bytes in the past 24 hours.

Report: Top 5 Applications by Volume over Time (last hour)
Description: The five applications with the highest volume in bytes in the past hour.

Report: Top 5 Application Categories by Volume over Time (last hour)
Description: The five application categories with the highest volume in bytes in the past hour.

Report: Top 5 Source by Volume over Time (last hour)
Description: The five source IP addresses with the highest volume in bytes in the past hour.

Report: Top 5 Destinations by Volume over Time (last hour)
Description: The five destination IP addresses with the highest volume in bytes in the past hour.

Application-Based Policy

Application policy enforcement (APE) is a new rulebase integrated into the IDP Series platform where an

administrator can specify policies targeted specifically at applications. One can define various options, such as

dropping the connection, rate limiting, or Differentiated Services (DiffServ) marking for the application itself.

Administrators can also combine application characteristics and signatures to accurately identify application traffic.

The APE rulebase leverages the application identification feature (described earlier in this document) that allows

you to manage network traffic based on application. APE rules match source-destination-application criteria.

NOTE: APE rules do not use attack objects.

You can configure rule actions to meet application policy enforcement objectives. For example, to use an IDP Series

appliance such as an application firewall, you can specify drop or close actions. With this type of rule in place,

matching traffic is terminated at the IDP Series.

To set a limit on available bandwidth for disfavored applications or limit the use of certain applications by specific

users, you can specify a rate-limiting threshold. When the threshold is reached, the IDP Series starts dropping

matching traffic.

To support deployments that require network devices to implement quality-of-service (QoS) guarantees, you

can specify a DiffServ marker action. The IPS engine applies the DiffServ code point (DSCP) marker to matching

applications or user roles.

Any traffic not terminated by APE rules can be inspected subsequently by the IPS rulebase and other rulebases.

From a network and security operations perspective, APE rulebase features and components should allow data

center operators to write policies and rules based on applications. In addition, operators should not be required to

know application-to-port correlations; they should not be forced to scan a wide range of ports and traffic; and they

should not be required to take on steep learning curves (the functionality should be transparent to administrators).

There are two ways to create the APE rulebase—an administrator can directly create these policies from the APE

rulebase or from the Profiler.

Create Application-Based Policies from the APE Rulebase

To create application-based policies from the APE rulebase:

1. Navigate to the IPS policy and select the APE rulebase tab.

2. Right-click and create a new APE rulebase.


Figure 5: Create application-based policies from APE rulebase

Create Application-Based Policies from the Profiler

Often security and network engineers prefer to understand their current network usage before they create security

policies in their network. Favoring this preference, the ability to create policies via the Application Profiler is

extremely convenient.

To create application-based policies from the Profiler:

1. In the NSM navigation tree, go to Investigate -> Security Monitor -> Profiler -> Application Profiler tab.

2. In the data, right-click and select the row that is of interest to you, based on the source IP, the destination IP, or the

application.

Figure 6: Create application-based policies from the Profiler

3. Select the specific IPS policy that you want to add to this new APE rule.


Figure 7: Select the appropriate IPS policy screen

As shown in Figure 8 you have the flexibility of selecting multiple applications from the drop down menu located at

the bottom of the New Application Rules window.

Figure 8: Select multiple applications

Also, in the policy construct there is flexibility in taking a variety of actions, such as closing the client connection or

server connection, rate-limiting, or setting the DSCP marking on particular policy matches. This flexibility is a handy

tool for network and security administrators.


Figure 9: APE rule base with configurable actions

As an example, Figure 9 shows how to enforce a corporate network usage policy by leveraging the APE rulebase on

the IDP Series.

• Rule 1 allows connections for FTP and HTTP from data center to WAN edge security zones.

• Rule 2 rate-limits the Yahoo Messenger application at 1 Mbps/2 Mbps (client-to-server and server-to-client)

from the inside zone to the outside zone.

• Rule 3 drops all peer-to-peer and file sharing applications.

• Rule 4 allows DNS from any zone to the DMZ zone.

• Rule 5, as the default, denies all other traffic.

Application Rate-Limiting Feature

Application rate limiting enables you to rate-limit traffic for a particular application. You can configure different

rate-limit values for client-to-server and server-to-client traffic. Application rate-limiting rules are configured in

the APE rulebase. This action is particularly useful in an academic setting, where a university's reputation depends

on treating its users even-handedly. Enforcing rate limiting can allow access to most applications in university

dormitories while throttling some applications, such as P2P, by degrading the end user experience. This strategy

makes better use of available bandwidth by reserving more of it for critical applications such as downloading

curricula and tests, without adding more bandwidth.

Identity-Based Policy

IDP Series standalone platforms running 5.0 or later can communicate with IC Series devices and get information on

various roles, users mapped to a particular role, and their IP addresses. This information, combined with the ability to

identify applications in a port agnostic way, offers an extremely powerful and intuitive method for configuring policies.

Administrators can simply configure policies on the basis of “who is allowed what applications” without specifying

IP addresses or ports. Role-based policies can be configured in both the APE rulebase as well as the IPS rulebase.


Figure 10: Identity-based policy

You can leverage the role-based policy feature and the APE rulebase to enforce your company’s new policy.

Configure User Role-Based Policies

To configure user role-based policies:

1. Deploy a UAC solution for user access to your corporate network. Refer to the Unified Access Control (UAC) 3.1

documentation and the Unified Access Control Deployment Scenarios Guide, Release 3.1, for the implementation details.

2. Use the IC Series administration console to map different users to various roles.

3. Configure communication between the IC Series and IDP Series so that you can use the IPS role-based policy

feature, i.e., add the standalone IDP Series as an enforcer in the UAC solution.

Figure 11: Configure user role-based policies

Figure 11 shows the workflow in which an IDP Series acts as a UAC enforcer.

[Figure 11 diagram labels: Campus, Data Center, IC Series UAC Appliance, IDP Series]

1. After selecting the IC Configuration tab, open the UAC Navigation tree.

2. Under the Infranet Enforcers, add the IDP Series serial number and enter the administrator credentials.

Figure 12: Select the IC Series device and the user roles that will be used in the policy screen

Role-based policies are created by adding “user roles” to the APE rules.

1. To add user role information to the policy, right-click the user role. You are prompted to select the IC Series device

that will be used to acquire role information.

2. After selecting the appropriate IC Series device, you can select the user roles that you want to apply to that

particular rule.

As shown in Figure 13, we have taken the APE rulebase policies that were previously configured in the

application-based policy section and applied user role information to the first rule, which allows HTTP and FTP from

the lab zone to the data center, but only for users that belong to the user group "UAC Demo Contractor." As you can

see, the identity information subscribed from the IC Series device can be used to define identity-based policies at a

very granular level.
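The ordered first-match rulebase of Figure 9, with the role condition of Figure 13 on rule 1, as an added example; this is not Juniper or NSM code, and the zone names (rule 1 follows the lab-to-data-center description above), application and category labels, IP addresses and the role-to-IP table are all constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed IC Series style table: user role -> IP addresses currently mapped to it
ROLE_IPS = {"UAC Demo Contractor": {"10.1.1.10", "10.1.1.11"}}

@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    app: str        # application as identified by application identification
    category: str   # constructed category names, e.g. "P2P", "Web", "Messaging"

@dataclass
class Rule:
    name: str
    src_zone: str                 # "any" matches every zone
    dst_zone: str
    action: str                   # allow, drop, rate-limit or dscp
    apps: set = field(default_factory=set)        # {"any"} matches all applications
    categories: set = field(default_factory=set)  # match on application category instead
    roles: Optional[set] = None   # None: no identity condition on this rule
    kbps_c2s: int = 0             # rate-limit thresholds, client-to-server and
    kbps_s2c: int = 0             # server-to-client, in kbps

# Ordered APE rulebase modelled on Figure 9; rule 1 carries the role condition of Figure 13
RULES = [
    Rule("rule1", "lab", "data-center", "allow", apps={"HTTP", "FTP"},
         roles={"UAC Demo Contractor"}),
    Rule("rule2", "inside", "outside", "rate-limit", apps={"Yahoo-Messenger"},
         kbps_c2s=1000, kbps_s2c=2000),
    Rule("rule3", "any", "any", "drop", categories={"P2P", "File-Sharing"}),
    Rule("rule4", "any", "dmz", "allow", apps={"DNS"}),
    Rule("rule5", "any", "any", "drop", apps={"any"}),   # explicit default deny
]

def evaluate(flow: Flow, rules=RULES, role_ips=ROLE_IPS) -> Optional[Rule]:
    """First matching rule wins, as in the ordered rulebase. A rule that carries
    roles matches only when the flow's source IP is mapped to one of those roles."""
    for rule in rules:
        if rule.src_zone not in ("any", flow.src_zone) or rule.dst_zone not in ("any", flow.dst_zone):
            continue
        if not ("any" in rule.apps or flow.app in rule.apps or flow.category in rule.categories):
            continue
        if rule.roles is not None and not any(flow.src_ip in role_ips.get(r, ()) for r in rule.roles):
            continue  # zone and application match, but the user is not in a permitted role
        return rule
    return None  # nothing matched; unreachable with rule 5 present, kept for partial rulebases
```

A contractor IP and a non-contractor IP sending the same HTTP flow from lab to data-center land on rule 1 and rule 5 respectively, which is the effect of adding the role to the rule.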

Figure 13: User-based policy for UAC demo contractor role


STRM Series AVT Reports

STRM Series Security Threat Response Managers (2009.1 and later) can extract AVT records from the NSM Profiler

Database (profilerDb). When AVT is integrated with the UAC solution, this integration provides a means to report

application usage on a per-user basis. This technique is extremely useful for network planners, as it allows them to

understand network usage by the various user groups that also use data center infrastructure.
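The aggregation behind the Table 2 reports and the per-user view described above, as an added example that is not NSM or STRM code; the AVT-style records, IP addresses, role names and the report time window are constructed, and no assumption is made about the real profilerDb schema.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed AVT-style records: (timestamp, src_ip, dst_ip, application, category, bytes)
AVT_RECORDS = [
    (datetime(2009, 10, 1, 9, 5), "10.1.1.10", "10.2.0.5", "HTTP", "Web", 5_000_000),
    (datetime(2009, 10, 1, 9, 20), "10.1.1.11", "10.2.0.5", "FTP", "File-Transfer", 9_000_000),
    (datetime(2009, 10, 1, 9, 40), "10.1.2.50", "172.16.0.9", "BitTorrent", "P2P", 12_000_000),
    (datetime(2009, 10, 1, 9, 45), "10.1.1.10", "10.2.0.7", "HTTP", "Web", 2_000_000),
    (datetime(2009, 9, 30, 8, 0), "10.1.2.50", "10.2.0.5", "HTTP", "Web", 40_000_000),  # older than 24 h
]
# Constructed IC Series role-to-IP mapping, as subscribed from the UAC solution
ROLE_IPS = {"UAC Demo Contractor": {"10.1.1.10", "10.1.1.11"}, "Employee": {"10.1.2.50"}}

NOW = datetime(2009, 10, 1, 10, 0)   # report time, constructed
DAY, HOUR = timedelta(hours=24), timedelta(hours=1)
FIELD = {"source": 1, "destination": 2, "application": 3, "category": 4}

def top_by_volume(records, key, n, window, now):
    """Top-n values of `key` by bytes within the last `window`, like the Table 2 reports."""
    since = now - window
    totals = Counter()
    for rec in records:
        if since <= rec[0] <= now:
            totals[rec[FIELD[key]]] += rec[5]
    return totals.most_common(n)

def usage_by_role(records, role_ips, window, now):
    """Bytes per (role, application) in the window, like the per-user STRM view.
    Source IPs that the IC Series has not mapped to a role are reported as 'unmapped'."""
    ip_to_role = {ip: role for role, ips in role_ips.items() for ip in ips}
    since = now - window
    totals = Counter()
    for ts, src, _dst, app, _cat, nbytes in records:
        if since <= ts <= now:
            totals[(ip_to_role.get(src, "unmapped"), app)] += nbytes
    return dict(totals)
```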

For the AVT reporting to function properly, STRM Series devices should have the appropriate device-specific module

(DSM) installed to parse the AVT data that is being sent from NSM. Figure 14 depicts how an administrator can

verify the existence of the AVT DSM in STRM Series devices. For detailed steps on how to integrate the STRM Series

and NSM for AVT reports, please refer to the STRM Series Security Threat Response Managers site.

Figure 14: Configure the AVT DSM in the STRM Series

Application Volume Tracking Custom Report

Figure 15: AVT custom report


The following figures are examples of AVT reports via the STRM Series.

Figure 16: STRM Series AVT report, example #1

In Figure 16, you can see a snapshot of an AVT report in the STRM Series, along with all of the applications that are

identified by the application identification functionality.

Figure 17: STRM Series AVT report, example #2

In Figure 17, you can see the six source IP addresses that are contributing to the small and midsize business (SMB) data.

Summary

Organizations rely heavily on data center resources to manage and operate their businesses. Extending these

resources to the cloud can bring about significant economic and organizational benefits, but it can also expose a

business to a host of risks and threats unless security policies and practices are modernized to accommodate the

“cloud ready” data center. Traditional network security approaches based on defining policies around ports and

protocols are no longer sufficient in delivering the level of visibility and control over network resources required

by today’s enterprises. Juniper Networks data center security solutions overcome these traditional limitations

by incorporating application fluency and identity-based protection with unified management and network-wide

monitoring, enabling the data center to become “cloud ready”.


Appendix A—Graphical Representation of Reports

The following screens represent the six predefined reports by category.

Top 10 Applications by Volume

Figure 18: Top 10 applications by volume

Top 10 Application Categories by Volume

Figure 19: Top 10 application categories by volume


Top 5 Applications by Volume over Time (last hour)

Figure 20: Top 5 applications by volume over time (last hour)

Top 5 Application Categories by Volume over Time (last hour)

Figure 21: Top 5 application categories by volume over time (last hour)


Top 5 Source by Volume over Time (last hour)

Figure 22: Top 5 source by volume over time (last hour)

Top 5 Destinations by Volume over Time (last hour)

Figure 23: Top 5 destinations by volume over time (last hour)


8010052-001-EN Oct 2009

Copyright 2009 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

EMEA Headquarters

Juniper Networks Ireland

Airside Business Park

Swords, County Dublin, Ireland

Phone: 35.31.8903.600

EMEA Sales: 00800.4586.4737

Fax: 35.31.8903.601

APAC Headquarters

Juniper Networks (Hong Kong)

26/F, Cityplaza One

1111 King’s Road

Taikoo Shing, Hong Kong

Phone: 852.2332.3636

Fax: 852.2574.7803

Corporate and Sales Headquarters

Juniper Networks, Inc.

1194 North Mathilda Avenue

Sunnyvale, CA 94089 USA

Phone: 888.JUNIPER (888.586.4737)

or 408.745.2000

Fax: 408.745.2100

www.juniper.net

To purchase Juniper Networks solutions,

please contact your Juniper Networks

representative at 1-866-298-6428 or

authorized reseller.


About Juniper Networks

Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network

infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and

applications over a single network. This fuels high-performance businesses. Additional information can be found at

www.juniper.net.