Juniper Connected Security Solution Using Third-Party Devices and Aruba ClearPass Policy Manager
Modified: 2019-05-09
Copyright © 2019, Juniper Networks, Inc.
Juniper Networks, Inc., 1133 Innovation Way, Sunnyvale, California 94089 USA, 408-745-2000, www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Juniper Connected Security Solution Using Third-Party Devices and Aruba ClearPass Policy Manager. Copyright © 2019 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
Chapter 1 Network Configuration Example - Juniper Connected Security Using Third-Party Devices and Aruba ClearPass Policy Manager . . . 5
About This Network Configuration Example . . . 5
Use Case Overview . . . 6
Coping with a Changing Threat Landscape . . . 6
Securing the Network with Juniper Connected Security Building Blocks . . . 6
Technical Overview . . . 8
Juniper Connected Security Workflow for Infected Host Detection and Tracking with Third-Party Switches . . . 8
Example: Configuring Juniper Connected Security Using Third-Party Switches and Aruba ClearPass Policy Manager . . . 10
Appendix: SRX Series Device and Cisco Catalyst Switch Configurations . . . 58
SRX1500 Configuration . . . 59
Cisco Catalyst 6509 Switch Configuration . . . 62
CHAPTER 1
Network Configuration Example - Juniper Connected Security Using Third-Party Devices and Aruba ClearPass Policy Manager
• About This Network Configuration Example on page 5
• Use Case Overview on page 6
• Technical Overview on page 8
• Example: Configuring Juniper Connected Security Using Third-Party Switches and Aruba ClearPass Policy Manager on page 10
• Appendix: SRX Series Device and Cisco Catalyst Switch Configurations on page 58
About This Network Configuration Example
This network configuration example (NCE) provides an overview and a step-by-step
example for configuring and deploying Juniper Networks’ connected security solution
using third-party switches and wireless access controllers with Aruba ClearPass Policy
Manager (CPPM) and 802.1X integration.
This NCE defines Juniper Connected Security deployment for an enterprise and illustrates
how Juniper Connected Security secures your network.
The instructions in this NCE describe configuration scenarios for traffic blocking, infected
host tracking, and monitoring using Policy Enforcer, Sky Advanced Threat Prevention
(ATP), and Security Director. The instructions also describe how to configure the Aruba
ClearPass Connector, a Windows 7 supplicant, SRX Series devices (acting as firewalls),
and the Cisco Catalyst WS-C6509 switch.
This document is intended for security and IT engineers, as well as network architects
and system administrators.
Related Documentation
• Use Case Overview on page 6
• Technical Overview on page 8
Use Case Overview
• Coping with a Changing Threat Landscape on page 6
• Securing the Network with Juniper Connected Security Building Blocks on page 6
Coping with a Changing Threat Landscape
Coping with today’s broad and evolving threat landscape requires threat intelligence and
immediate threat enforcement, as well as a method of providing a simpler policy
mechanism across multivendor security environments.
The paradigm is changing from traditional perimeter security defenses to end-to-end
security solutions that can deliver comprehensive yet coordinated protection by:
• Integrating and deploying advanced security features to protect systems and data
from spyware, viruses, malicious code, denial-of-service attacks, and so on.
• Enabling every part of the network to be both a detection and enforcement point, to
respond to suspicious activity anywhere in the network, which is the most effective
way to deal with threats and intruders.
• Closing the gap between threat intelligence and enforcement, because threat
intelligence loses most of its value if it is distributed too slowly, or if it does not reach
all of an enterprise’s enforcement points.
• Using policy automation to adapt and enforce policy in real time, improving both
compliance and business agility.
• Centralizing the security policy engine so that it can determine trust levels between
network segments by collecting real-time threat information and creating a unified
security policy, with distributed new policies implemented in real time from a central
location.
• Providing the centralized management capabilities critical for regulatory compliance,
reducing costs, and streamlining operations.
Securing the Network with Juniper Connected Security Building Blocks
The Juniper Connected Security solution provides end-to-end network visibility, allowing
enterprises to secure their entire network, both physical and virtual.
Juniper Connected Security solution is comprised of the following components:
• Threat detection engine—Cloud-based Sky ATP detects known and unknown malware.
Known threats are detected by consolidating threat feed information from a variety
of sources—command and control (C&C) servers, GeoIP, and information acquired
from in-house log servers.
Unknown threats are identified using methods such as sandboxing, machine learning,
and threat deception.
• Centralized policy management—Junos Space Security Director, which also manages
SRX Series devices, provides a management interface for the Juniper Connected
Security solution called Policy Enforcer. Policy Enforcer communicates with Juniper
devices and third-party devices across the network, globally enforcing security policies
and consolidating threat intelligence from different sources. With monitoring
capabilities, it can also act as a sensor, providing visibility for intra- and inter-network
communications.
• Expansive policy enforcement—In a multivendor enterprise, Juniper Connected Security
enforces security across Juniper devices, cloud-based solutions, and third-party devices.
By communicating with all enforcement points, Juniper Connected Security can quickly
block or quarantine threats, preventing the spread of bi-lateral attacks within the
network.
• User intent-based policies—Juniper Connected Security supports the creation of policies
according to logical business structures, such as: users, user groups, geographical
locations, sites, tenants, applications, or threat risks. This allows network devices
(switches, routers, firewalls, and other security devices) to share information, resources,
and when threats are detected, remediation actions within the network.
The Juniper Connected Security solution provides the following benefits:
• Provides dynamic, automated threat remediation—Juniper Connected Security
accurately detects known and unknown threats and delivers the ability to rapidly block
or quarantine threats to prevent north-south or east-west threat propagation.
• Extends security to each layer of the network—Juniper Connected Security uses an
inside-out security model because it leverages any network element as an enforcement
point and then dynamically enforces security policy with software-defined segmentation
designed to provide robust security.
• Works within a multivendor ecosystem—Juniper Connected Security adopts an open,
multivendor ecosystem to detect and enforce security across Juniper products and
solutions. Juniper Connected Security integrates third-party capabilities, enabling users
to leverage existing, trusted threat feed sources to provide consistent, automated
defense across diverse environments. An open architecture and suite of APIs enable
you to select your preferred threat intelligence information sources and remediate
across a multivendor network infrastructure.
The Juniper Connected Security solution also enforces threat prevention policies on
third-party devices by integrating with 802.1X network access control (NAC) solutions
such as Cisco Identity Services Engine (ISE), Aruba ClearPass, and ForeScout
CounterACT. This provides a collaborative and comprehensive approach toward
complete network security.
• Provides centralized policy and security management—Juniper Connected Security
communicates with network elements and security products to globally enforce security
policies and enables security policy administration through a single pane of glass. This
reduces administrative overhead and facilitates a faster, more manageable approach
to security as the network grows.
Related Documentation
• Technical Overview on page 8
• Example: Configuring Juniper Connected Security Using Third-Party Switches and Aruba ClearPass Policy Manager on page 10
• Juniper Connected Security Solution for Juniper Networks Devices
Technical Overview
This section provides an overview of how the Juniper Connected Security building blocks
work together to provide a comprehensive security solution for your enterprise. Threats
are detected more quickly by leveraging threat intelligence from multiple sources
(including third-party feeds). Network security can adapt dynamically to real-time threat
information so that security policies are enforced consistently.
In the Juniper Connected Security solution, Policy Enforcer orchestrates threat remediation
workflows based on threats detected by Juniper’s Sky ATP solution or custom threat
feeds, and enforces these policies on firewalls, in particular, SRX Series devices, and
switches such as EX Series and QFX Series devices. The Juniper Connected Security
solution also supports 802.1X-enabled third-party switches. Any switch that adheres to
RADIUS IETF attributes and supports RADIUS Change of Authorization (CoA) messages
is supported by Policy Enforcer for threat remediation.
Juniper Connected Security alters the security breach landscape considerably when a
Juniper-secured network is attacked. Consider the following use cases:
• A user tries to download a file that contains known malware. In this case, the download
is blocked by the SRX Series device, and the endpoint is not infected.
• A user tries to download a file that contains unknown malware. In this case, the
download to the endpoint succeeds. However, once Sky ATP identifies the malware,
the infected endpoint is quarantined or blocked by the local access switch. This action
prevents malware from propagating to other endpoints on the network.
Juniper Connected Security Workflow for Infected Host Detection and Tracking with Third-Party Switches
Let’s take a look at a typical enterprise with clients, endpoints, access switches, and
wireless access points. When an endpoint becomes compromised, it becomes a threat
to other hosts within the network. It is important to control the infected host to ensure
the problem doesn’t spread.
Figure 1 on page 9 shows an example of how Policy Enforcer quarantines infected hosts,
when the host is connected to a third-party switch.
Figure 1: Automated Threat Remediation on Third-Party Switches
[Figure: an endpoint on a third-party access switch (EX Series/QFX Series or third-party switches behind an aggregation layer), the SRX Series firewall, a RADIUS access server, Sky ATP, and Policy Enforcer (Policy Controller, Connector Framework, Connector API, Feed Collector, Cloud Feed Server, Remote Feed Server, and Third-Party Switch Connector). The callouts 1 to 8 correspond to the workflow steps listed below.]
In this example, the endpoint is connected to a third-party switch. The switch has 802.1X
authentication enabled. The switch authenticates 802.1X requests through a RADIUS
server.
1. The endpoint authenticates to the network through 802.1X or through MAC-based
authentication and downloads a file from the Internet.
2. The perimeter firewall (SRX Series device) scans the file and, based on user-defined
policies, sends the file to Sky ATP for analysis.
3. Sky ATP detects that the file contains malware, identifies the endpoint as an infected
host, and notifies the SRX Series device and Policy Enforcer.
4. Policy Enforcer downloads the infected host feed and enforces the threat prevention
policy using the third-party connector.
5. The connector uses an API to gather information about the endpoint (MAC address
as well as switch port it is connected to) from the RADIUS server. The connector then
uses the API to update the endpoint’s status on the RADIUS server from “healthy” to
“block” (or “quarantine”).
6. The RADIUS server enforces the appropriate profile and initiates CoA messages to
the switch to terminate the session of the infected host.
7. The switch enforces the CoA instructions and blocks the infected host.
8. Policy Enforcer communicates the infected host’s details back to Sky ATP.
When the session of the authenticated endpoint is terminated, the endpoint attempts
to re-connect. Based on the enforcement policy configured on the RADIUS server, the
endpoint status changes to blocked state, or it can be assigned to a quarantine VLAN.
Once the threat has been mitigated, the host’s status in Policy Enforcer changes from
blocked to allowed, the threat level lowers to 0, and the endpoint can connect to the
network again.
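Step 6 above is a RADIUS Change of Authorization exchange (RFC 5176): the RADIUS server sends a Disconnect-Request for the infected host and must validate the switch's Disconnect-ACK or Disconnect-NAK before treating the session as terminated. The following Python model of that exchange is an added example, not code from this document, Juniper, Aruba or Cisco; the user name, endpoint MAC and switch port come from the topology in this example, while the switch address, RADIUS identifier and shared secret are assumed values.

```python
"""RADIUS Disconnect-Request / Disconnect-ACK exchange (RFC 5176) as used in
step 6 of the infected host workflow. Constructed example for illustration;
not Juniper, Aruba or Cisco code."""
import hashlib
import hmac
import socket
import struct

# Packet codes (RFC 5176) and the attribute types used below (RFC 2865 / RFC 5176).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, NAS_PORT_ID, ERROR_CAUSE = 1, 4, 31, 87, 101
HEADER = struct.Struct("!BBH")  # code, identifier, length; the 16-byte authenticator follows


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; values may be str or bytes."""
    out = b""
    for atype, value in attrs:
        if isinstance(value, str):
            value = value.encode()
        if not 0 < len(value) <= 253:
            raise ValueError("attribute %d has invalid length %d" % (atype, len(value)))
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or undersized attributes."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 3 or pos + alen > len(data):
            raise ValueError("bad length %d for attribute %d" % (alen, atype))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_disconnect_request(identifier, attrs, secret):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attrs + Secret)."""
    body = encode_attrs(attrs)
    header = HEADER.pack(DISCONNECT_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def build_response(code, request, attrs, secret):
    """The switch's reply; its authenticator binds the reply to the request it answers."""
    body = encode_attrs(attrs)
    header = HEADER.pack(code, request[1], 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attrs + Secret)
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(request, response, secret):
    """Return (code, attrs) if `response` is an authentic ACK/NAK for `request`; a wrong
    identifier, a length field that disagrees with the datagram, or a bad authenticator
    (wrong secret or tampered bytes) raises ValueError."""
    if len(response) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = HEADER.unpack(response[:4])
    if length != len(response):
        raise ValueError("length field %d != datagram size %d" % (length, len(response)))
    if ident != request[1]:
        raise ValueError("identifier does not match the outstanding request")
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        raise ValueError("unexpected code %d" % code)
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator")
    return code, decode_attrs(response[20:])


def is_authentic(request, response, secret):
    try:
        verify_response(request, response, secret)
        return True
    except ValueError:
        return False


def example_exchange(secret=b"constructed-shared-secret"):
    """Disconnect the Finance endpoint of this example. User name, MAC and port are
    taken from the document; the switch address and the secret are assumed."""
    request = build_disconnect_request(7, [
        (USER_NAME, "ccl"),
        (CALLING_STATION_ID, "00:50:56:a8:1c:ca"),
        (NAS_IP_ADDRESS, socket.inet_aton("10.13.107.168")),  # assumed switch address
        (NAS_PORT_ID, "GigabitEthernet1/48"),
    ], secret)
    # Session found and terminated: Disconnect-ACK without attributes.
    ack = build_response(DISCONNECT_ACK, request, [], secret)
    # Session not found: Disconnect-NAK with Error-Cause 503 (Session Context Not Found).
    nak = build_response(DISCONNECT_NAK, request, [(ERROR_CAUSE, struct.pack("!I", 503))], secret)
    return request, ack, nak
```

Calling example_exchange() returns the request and both possible replies; verify_response() on either reply is the check the RADIUS server performs before reporting the host as blocked.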
Related Documentation
• Use Case Overview on page 6
• Example: Configuring Juniper Connected Security Using Third-Party Switches and Aruba ClearPass Policy Manager on page 10
• Policy Enforcer
Example: Configuring Juniper Connected Security Using Third-Party Switches and Aruba ClearPass Policy Manager
This configuration example provides step-by-step instructions to configure the Juniper
Connected Security solution and help simplify security policy creation, threat detection,
and policy enforcement across the network. This example includes a Cisco Catalyst
WS-C6509 switch as the third-party device, and uses Aruba ClearPass Policy Manager
for policy enforcement.
Requirements
This example uses the following hardware and software components:
• SRX1500 running Junos OS Release 15.1X49-D80 or later
• Cisco Catalyst WS-C6509, 12.2(33)SXI14
• Aruba ClearPass Policy Manager, 6.6.0.81015
• VMware ESXi server, and vSphere client
• Sky Advanced Threat Prevention (ATP)
• Junos Space Network Management Platform, Release 17.1 or later
• Junos Space Security Director, Release 17.1R1 or later
• Log Collector, Release 17.1R1 or later
• Policy Enforcer, Release 17.1R1 or later
• Policy Enforcer Patch for Security Director, Release 17.1R2
• VM running Windows 7 with dual NICs
For a list of supported devices, please refer to the Policy Enforcer Release Notes.
NOTE: We recommend using the latest versions of Cisco IOS ED and MD releases for Cisco switches, which support 802.1X, RADIUS CoA, RADIUS Accounting, and DHCP snooping features.
Overview and Topology
Figure 2 on page 11 shows the lab setup used for this network configuration example.
Figure 2: Juniper Connected Security Topology Using a Third-Party Switch and Aruba ClearPass Policy Manager
[Figure: lab topology. A Win7 client (802.1X-enabled, 192.168.11.13, MAC 00:50:56:a8:1c:ca) sits in VLAN14-Finance on Cisco C6509 switch port GigabitEthernet1/48; the switch also shows port GigabitEthernet1/47, VLAN13, VLAN14-Finance, and VLAN10-Quarantine. The SRX1500 firewall connects to the switch over ge-0/0/0 (VLAN12), ge-0/0/1, and ge-0/0/2, with irb.14 192.168.11.1 (DHCP server, .10-.20), irb.12 192.168.10.1 (logging interface), and irb.13 192.168.231.1, and reaches the Internet and Sky ATP. Lab management network 10.13.107.x: Junos Space Network Management 10.13.107.161 and Security Director UI 10.13.107.162, Log Collector 10.13.107.163 (management) and 192.168.10.4 (logs), Policy Enforcer 10.13.107.164, HP/Aruba ClearPass Policy Manager 10.13.107.167; the addresses 10.13.107.186 and 10.13.107.168 also appear on the switch/firewall side of the figure.]
In this example, the endpoint is placed in the VLAN14-Finance group on the Cisco C6509
switch. The switch has 802.1X authentication enabled on Gigabit Ethernet interface 1/48,
and Aruba CPPM configured as its RADIUS server. The SRX device is configured with an
IRB interface that acts as the gateway for the endpoint.
The endpoint authenticates to the network using 802.1X. It becomes infected, and when
it tries to contact a C&C server, Sky ATP detects the infected endpoint. Policy Enforcer
downloads the infected host feed, and then enforces the infected host policy by advising
Aruba CPPM to block (or quarantine) the endpoint. Aruba CPPM sends a RADIUS Change
of Authorization (CoA) message to the switch, telling it to terminate the session by
blocking the endpoint or quarantining it to VLAN 10.
Implementation Overview
The following installation, configuration, and verification steps are required to
implement this example:
• Install and configure Junos Space and Security Director
• Install and configure the SRX Series device and Cisco Catalyst switch
• Download, deploy, and configure the Policy Enforcer virtual machine
• Connect Policy Enforcer to Security Director
• Obtain a Sky ATP license and create a Sky ATP cloud Web portal account
• Install the root CA on the Sky ATP-supported SRX Series devices
• Download, deploy, and configure the Aruba ClearPass Policy Manager (CPPM) virtual
machine
• Configure the Policy Enforcer connector for third-party switches
• Configure the Windows 7 supplicant
• Configure Sky ATP with Juniper Connected Security
• Verify the enrollment of devices on Sky ATP
• Verify Juniper Connected Security functionality once the enrollment is successful
Install and Configure Junos Space and Security Director
Install Junos Space, Security Director, and Log Collector
Step-by-Step Procedure
To install Junos Space, Security Director, and Log Collector:
1. Download the Junos Space Network Management Platform image from
https://www.juniper.net/support/downloads/?p=space#sw.
2. Install Junos Space using the instructions at Junos Space Software, Release 17.1.
3. Install Junos Security Director using the instructions at Junos Space Security Director,
Release 17.1.
4. Install Log Collector using the instructions at Setting Up Security Director Log Collector.
Configure Networking
Step-by-Step Procedure
To configure networking for Junos Space and its components, perform the following
tasks:
1. Configure relevant routes, netmask, gateway, DNS, and NTP so that all components
except Log Collector can connect to the Internet.
2. Ensure all components are configured with the same time zone.
3. Ensure that SSH is enabled.
4. Ensure that Security Director can connect to the Sky ATP cloud server, Policy
Enforcer, and all devices.
Install the Required DMI Schemas on Security Director
Step-by-Step Procedure
Download and install the matching Junos OS schemas to manage SRX Series devices.
To download and install the correct schemas, perform the following task:
1. Install the DMI schemas for Junos OS Releases 15.1X49-D80 using the instructions
at Adding Missing DMI Schemas or Updating Outdated DMI Schemas in Junos Space
Network Management Platform
2. After the schemas are installed, set them as the default schema for each relevant
platform.
Install and Configure the SRX Series Device and Cisco Catalyst Switch
Configure SRX Series Device
Step-by-Step Procedure
Configure the SRX device(s) per your requirements. See “Appendix: SRX Series Device
and Cisco Catalyst Switch Configurations” on page 58 for details.
NOTE: For this example, configure the SRX device to act as a DHCP server for hosts in VLAN 14 (JNPR FINANCE VLAN).
Configure Cisco Catalyst Switch
Step-by-Step Procedure
Configure the switch per your requirements. See “Appendix: SRX Series Device and Cisco
Catalyst Switch Configurations” on page 58 for details.
Configure Networking
Step-by-Step Procedure
To configure basic networking on the devices, perform the following tasks:
1. Configure the necessary routing and DNS settings to enable Internet access, both
in-band and out-of-band.
2. Ensure the SRX Series device has connectivity to Junos Space, Policy Enforcer, and
the Sky ATP cloud server.
Device Discovery in Junos Space
Step-by-Step Procedure
To add the SRX device to the Junos Space Network Management platform, perform the
following tasks:
1. In Junos Space, discover and import the SRX Series device.
2. In Security Director, assign, publish, and update any existing firewall policies to
ensure Security Director and the SRX device are in sync.
Download, Deploy, and Configure the Policy Enforcer Virtual Machine
Step-by-Step Procedure
To deploy and configure the Policy Enforcer virtual machine, perform the following tasks:
1. Download the Policy Enforcer virtual machine image from
https://www.juniper.net/support/downloads/?p=sdpe to the management station
where the vSphere client is installed.
2. On the vSphere client, select File > Deploy OVF Template from the menu bar.
3. Click Browse to locate the OVA file that was downloaded.
4. Click Next and follow the instructions in the installation wizard.
5. Once the installation is complete, log in to the virtual machine using the following
credentials:
• User Name: root
• Password: abc123
6. Configure the network settings, NTP information, and customer information, and
complete the wizard.
NOTE: For more detailed instructions, see Deploying and Configuring the
Policy Enforcer Virtual Machine.
Install Policy Enforcer Patch
Step-by-Step Procedure
If you are using Policy Enforcer Release 17.1R2, you must install a software patch to
address some ClearPass issues.
NOTE: This patch is not needed for Release 17.1R1.
This patch is not needed for Release 17.2 and higher.
To install the Policy Enforcer patch:
1. Download the Policy-Enforcer-16.2R1-Patch.sh file from
https://www.juniper.net/support/downloads/?p=sdpe#sw and put it in the /tmp
folder of the Junos Space Network Management Platform server.
2. Log in to the Junos Space CLI using an SSH or console connection, and change
directory to the /tmp folder.
3. Change the permissions of the Policy-Enforcer-16.2R1-Patch.sh file so that anyone
can read, write, and execute the file using the following command:
chmod 777 Policy-Enforcer-16.2R1-Patch.sh
4. Execute the installation script using the following command:
sh Policy-Enforcer-16.2R1-Patch.sh
It might take a few minutes for the script to complete.
Connect Policy Enforcer to Security Director
Step-by-Step Procedure
You must identify the Policy Enforcer virtual machine in Security Director so that they
can communicate with each other. To do so, follow these steps:
1. Log in to Security Director and select Administration > PE Settings.
2. Enter the IP address of the Policy Enforcer virtual machine and the root password,
and click OK.
3. Select Threat Prevention Type as Sky ATP with PE.
NOTE: Do not run the wizard/guided setup at this point.
Obtain a Sky ATP License and Create a Sky ATP Cloud Web Portal Account
Step-by-Step Procedure
To obtain a Sky ATP license and create a Sky ATP cloud Web portal account, follow
these steps:
1. Sky ATP has three service levels: free, basic, and premium. The free license provides
limited functionality and is included with the base software. To obtain and install
a Sky ATP basic or premium license, see Managing the Sky Advanced Threat Prevention
License.
For more details on Sky ATP service levels and license types, see Sky Advanced
Threat Prevention License Types.
2. Create a Sky ATP cloud Web portal account by clicking https://sky.junipersecurity.net
and filling in the required information.
Install the Root CA on the Sky ATP-Supported SRX Series Devices
NOTE: This section is required only if you are enabling HTTPS inspection as part of a malware profile/threat prevention policy.
Generate Root CA Certificate Using Junos OS CLI or OpenSSL on a Linux Device
Step-by-Step Procedure
NOTE: Use only one of these options.
To generate a root CA certificate using the Junos OS CLI on the SRX Series device:
1. Generate a PKI public/private key pair for a local digital certificate.
user@host> request security pki generate-key-pair certificate-id ssl-inspect-ca size 2048 type rsa
2. Using the key pair, define a self-signed certificate by providing FQDN and other
details.
user@host> request security pki local-certificate generate-self-signed certificate-id ssl-inspect-ca domain-name domain-name subject subject email email-id add-ca-constraint
OR
Step-by-Step Procedure
To generate a root CA certificate using the OpenSSL on a Linux device:
1. Generate a PKI public/private key pair for a local digital certificate.
% openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout ssl-inspect-ca.key -out ssl-inspect-ca.crt
2. Copy the key pair onto the SRX Series device.
3. On the SRX Series device, import the key pair.
user@host> request security pki local-certificate load key ssl-inspect-ca.key filename ssl-inspect-ca.crt certificate-id ssl-inspect-ca
4. Apply the loaded certificate as root-ca in the SSL proxy profile.
user@host> set services ssl proxy profile ssl-inspect-profile root-ca ssl-inspect-ca
Configure a CA Profile Group
Step-by-Step Procedure
To configure a CA profile group:
1. Create the CA profile.
user@host# set security pki ca-profile ssl-inspect-ca ca-identity ssl-inspect-ca
user@host# commit
2. Junos OS provides a default list of trusted CA certificates that you can load on your
system using the default command option.
user@host> request security pki ca-certificate ca-profile-group load ca-group-name All-Trusted-CA-Def filename default
Do you want to load this CA certificate ? [yes,no] (no) yes
Loading 155 certificates for group 'All-Trusted-CA-Def'.
All-Trusted-CA-Def_1: Loading done.
All-Trusted-CA-Def_2: Loading done.
All-Trusted-CA-Def_3: Loading done.
All-Trusted-CA-Def_4: Loading done.
All-Trusted-CA-Def_5: Loading done.
...
3. Verify that the All-Trusted-CA-Def certificates are loaded.
user@host> show security pki ca-certificate brief
...
Certificate identifier: All-Trusted-CA-Def_1
...
Import Root CA Certificate into a Browser
Step-by-Step Procedure
To export the root CA certificate:
1. On the SRX Series device, export the certificate to a .pem file.
user@host> request security pki local-certificate export certificate-id ssl-inspect-ca type pem filename /var/tmp/ssl-inspect-ca.pem
2. Transfer the .pem file to your Windows client.
NOTE: If you are using the Linux device with OpenSSL, the certificate is already available on the device and no action is required.
Step-by-Step Procedure
To import the certificate into a browser:
1. On the Windows client, instruct the browser to trust the CA root certificate.
Internet Explorer (version 8.0):
• From the Tools menu, choose Internet Options.
• On the Content tab, click Certificates.
• Select the Trusted Root Certification Authorities tab, and click Import.
• In the Certificate Import wizard, navigate to the required root CA certificate and
select it.
Firefox (version 39.0):
• From the Tools menu, choose Options.
• From the Advanced menu, select the Certificates tab and click View Certificate.
• In the Certificate Manager window, select the Authorities tab and click Import.
• Navigate to the required root CA certificate and select it.
Google Chrome (version 45.0):
• From the Settings menu, choose Show Advanced Settings.
• From the Advanced menu, select the Certificates tab and click View Certificate.
• Under HTTPS/SSL, click Manage Certificates.
• In the Certificate window, select Trusted Root Certification Authorities and click
Import.
• In the Certificate Import Wizard, navigate to the required root CA certificate and
select it.
For more details, see Configuring SSL Proxy.
OR
Step-by-Step Procedure
1. On the Linux device, import the certificate into the browser using the following
commands:
% sudo cp ssl-inspect-ca.crt /usr/local/share/ca-certificates/ssl-inspect-ca.crt
% sudo update-ca-certificates
Download, Deploy, and Configure the Aruba ClearPass Policy Manager (CPPM) Virtual Machine
Step-by-Step Procedure
Before you install Aruba CPPM version 6.6.0.81015 on a VMware ESXi server, complete
the following tasks:
1. Download and deploy the CPPM OVF file on an ESX(i) host.
2. Obtain a license key from an HP/Aruba representative.
3. CPPM requires a minimum of 80 GB free disk space to operate; ensure enough disk
space is available. If possible, also add an additional 16 GB of VMmemory.
To install Aruba CPPM version 6.6.0.81015 on a VMware ESXi server:
1. Power on the VM and follow the instructions on the console.
2. Log in with the following credentials:
• User Name: appadmin
• Password: eTIPS123
3. Configure the network and system settings.
NOTE: The RADIUS configuration on the Cisco switch will be pointing to the IP address of the CPPM management port. Ensure that the devices can reach each other.
4. Use a browser to connect to the CPPM management IP address: https://CPPM_MGT_IP.
5. Click ClearPass Policy Manager and enter the license key, agree to the terms and
conditions, and click Add License.
6. Log in to the system using user name admin and password eTIPS123.
7. Go to Administration > Server Manager > Server Configuration, and select the CPPM
server.
8. Select the Enable Insight and Enable as Insight Master check boxes, and click Save.
9. On the Service Parameters tab, select service RADIUS Server. Then select TRUE for
Log Accounting Interim-Update Packets, and click Save.
10. Go to Configuration > Network > Devices and add the third-party switch details.
11. Go to Configuration > Identity > Local Users and create a new user, as follows:
• User Name: ccl
• Password: ccl123
• Role: Employee
• Enable User: Yes (check the box)
• Attribute: Department; Value: Finance
12. Go to Administration > Dictionaries > Attributes, and add a new attribute sdsnEpStatus.
Enter the details as shown below.
13. Go to Configuration > Enforcement > Profiles, and create three enforcement profiles,
as follows:
a. Quarantine VLAN
• Name: JNPR SDSN Quarantine
• Type: RADIUS
• Action: Accept
• RADIUS Attributes: as shown below; use VLAN ID 10
b. Terminate Session
• Name: JNPR SDSN Terminate Session
• Type: RADIUS_CoA
• Action: Disconnect
• On the Attributes tab, select the IETF - Terminate-Session-IETF template.
c. Finance VLAN
• Name: JNPR FINANCE VLAN
• Type: RADIUS
• Action: Accept
• RADIUS Attributes: as shown below; use VLAN ID 14
14. Go to Configuration > Enforcement > Policies, and create an enforcement policy, as
follows:
• Name: JNPR 802.1x Policy
• Enforcement Type: RADIUS
• Default Profile: Allow Access Profile
• Add Conditions as shown below.
15. Go to Configuration > Services, and create a new service, as follows:
• Name: JNPR 802.1X Wired Access Service
• Type: 802.1X Wired
• Add other details as shown below.
16. At this point, enable the Windows Supplicant for 802.1X authentication on the endpoint.
Complete the tasks in the “Configure the Windows 7 Supplicant” on page 31 section,
then return here and continue to the next step.
NOTE:
• Ensure that a DHCP server is available to hosts in VLAN 14 (JNPR FINANCE VLAN). In this example, the SRX1500 device acts as a DHCP server.
17. With the endpoint authenticated, open a new tab on the same browser to connect to the
CPPM Management IP address: https://CPPM-management-ip-address, and click
ClearPass Guest.
18. Go to Administration > API Services > API Clients, and create an API client using the
details shown below.
NOTE: Take note of the Client ID and Client Secret values, as you will need
these when configuring the Policy Enforcer connector.
Configure the Policy Enforcer Connector for Third-Party Switches
Step-by-Step Procedure
Configure the Policy Enforcer connector.
1. Log in to Security Director and go to Administration > Policy Enforcer > Connectors,
and create a new connector, as follows:
• Connector for: Third Party Switch
• Name: ArubaCPPM
• Identify Server Type: HP ClearPass
• IP Address: CPPM management IP (10.13.107.167 in this example)
• Port: 443 (default)
• Client ID: Client ID created while setting up the HP ClearPass API client (sdsnclient
in this example)
• Client Secret: Client Secret string created while setting up the HP ClearPass API
client
A blue loading/wait circle indicates that creation of the connector is in progress.
Configure the Windows 7 Supplicant
Step-by-Step Procedure
Configure the Windows 7 Supplicant.
1. In the Services panel, ensure that the Wired AutoConfig service is started.
2. On the Network Connections page, select the LAN connection and enable 802.1X
PEAP authentication, as shown below.
3. Click Settings and clear the Validate server certificate check box, if set.
4. Configure the user credentials settings. Clear the Automatically use my Windows
logon name and password check box, as the user is configured locally in CPPM.
5. Back on the Authentication tab, select Additional Settings.
6. Click Replace credentials and enter the user ID and password of the local user that
was added in CPPM (ccl/ccl123 in this example).
7. On the Cisco switch, verify that the endpoint (which is attached to interface
GigabitEthernet1/48) is identified and assigned to the correct VLAN (VLAN14-Finance
in this example).
8. In Aruba CPPM, navigate to Guest > Active Sessions and verify that the endpoint’s session
information appears.
Configure Juniper Connected Security with Sky ATP and Policy Enforcer
Step-by-Step Procedure
The tasks required to configure Juniper Connected Security include:
• Configure a secure fabric
• Define a site and add endpoints to it (switches and firewalls)
• Configure policy enforcement groups
• Create a threat prevention policy
• Apply the threat prevention policy to policy enforcement groups
When using Policy Enforcer for threat prevention with Sky ATP, Guided Setup is the most
efficient way to complete the initial configuration, as follows:
1. In Security Director, go to Configure > Guided Setup > Sky ATP with PE.
2. Click Start Setup and follow the wizard.
3. Create a secure fabric site and add the SRX device and Aruba CPPM as enforcement
points.
4. Create a policy enforcement group. Select Location from the drop-down menu and
add the site configured above.
NOTE: In Release 17.1R1, only the Location type is supported.
5. Add the Sky ATP realm by providing the relevant details from your Sky ATP account.
See “Obtain a Sky ATP License and Create a Sky ATP Cloud Web Portal Account”
on page 16.
6. Verify that the Sky ATP realm has been added.
The value 1 should appear in the Perimeter Firewall in Sites column, indicating that
Sky ATP has detected the SRX Series device.
NOTE: If the realm addition is not successful, it is likely due to a connectivity issue with Security Director’s access to the Internet. Ensure all devices/components can reach the Internet and each other.
7. Create a threat prevention policy.
8. Add a profile for HTTP file downloads.
Click Change and select the profile to indicate which file types need to be scanned
for threats. In the Device Profile area, expand the Realm, and select the desired
profile (default_profile, in this example).
9. Assign the threat prevention policy to the policy enforcement group by clicking
Assign to Groups.
10. Select the policy enforcement group, and click OK.
11. The system performs a rule analysis, and prepares device configurations that include
the threat prevention policies.
12. Once the analysis is complete, instruct the system to push the updated policy to
the SRX device by clicking the Update button.
13. When the push is complete, the Job State will show Success.
NOTE: If the update fails, try the following steps:
• Click OK, then click Finish to complete the Guided Setup.
• Go to Devices > Security Devices and re-synchronize the SRX device.
• Go to Configure > Threat Prevention > Policies, click View Analysis, and
push the update again.
TIP: For further troubleshooting, go to Monitor > Job Management.
14. To see the configuration that was pushed to the SRX device, click View in the
Configuration column.
15. Click OK, and click Finish to complete the Guided Setup.
Verification
• Verify Sky ATP Device Enrollment on SRX Device on page 48
• Verify Sky ATP Device Enrollment in Sky ATP on page 48
• Verify Sky ATP Device Enrollment in Security Director on page 49
• Test Juniper Connected Security Functionality - Blocking Infected Endpoint on page 49
• Test Juniper Connected Security Functionality - Quarantining Infected Endpoint on page 54
Verify Sky ATP Device Enrollment on SRX Device
Purpose Verify that the SRX Series device is connected to, and enrolled with, the Sky ATP cloud
server.
Action On the SRX device, verify that a connection is established with Sky ATP.
user@host> show services advanced-anti-malware status
Server connection status:
    Server hostname: srxapi.us-west-2.sky.junipersecurity.net
    Server port: 443
    Control Plane:
        Connection time: 2017-08-15 17:43:36 EDT
        Connection status: Connected
    Service Plane:
        fpc0
            Connection active number: 4
            Connection retry statistics: 1210
Meaning The output displays the Connection status as Connected. The Server hostname field
displays the Sky ATP cloud server hostname.
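The verification above is read by eye; the following added example (not part of the Juniper document) parses the same command output into fields and applies the checks the Meaning paragraph describes. SAMPLE_STATUS is constructed from the fields shown above, laid out one per line as the SRX prints them, and the host suffix .sky.junipersecurity.net is assumed from the hostname quoted in the output.

```python
"""Parse and check 'show services advanced-anti-malware status' output.

Added example, not part of the Juniper document. The sample output is
constructed from the fields the verification step shows.
"""

# Constructed sample of the command output quoted in the verification step.
SAMPLE_STATUS = """\
Server connection status:
    Server hostname: srxapi.us-west-2.sky.junipersecurity.net
    Server port: 443
    Control Plane:
        Connection time: 2017-08-15 17:43:36 EDT
        Connection status: Connected
    Service Plane:
        fpc0
            Connection active number: 4
            Connection retry statistics: 1210
"""

# Assumption: the realm-specific API host (srxapi.<region>...) ends with this.
EXPECTED_HOST_SUFFIX = ".sky.junipersecurity.net"


def parse_aamw_status(text):
    """Return {'server': {...}, 'control_plane': {...}, 'service_plane': {pic: {...}}}.

    Keys are the printed field names lower-cased with spaces replaced by '_'.
    """
    result = {"server": {}, "control_plane": {}, "service_plane": {}}
    section = "server"
    pic = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            # Section headers: 'Control Plane:' and 'Service Plane:'; the
            # top-level 'Server connection status:' keeps us in 'server'.
            name = line[:-1].lower()
            if name == "control plane":
                section = "control_plane"
            elif name == "service plane":
                section = "service_plane"
            pic = None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            # A bare token under Service Plane names the PIC, e.g. 'fpc0'.
            if section == "service_plane":
                pic = line
                result["service_plane"].setdefault(pic, {})
            continue
        key = key.strip().lower().replace(" ", "_")
        value = value.strip()
        if section == "service_plane":
            if pic is not None:
                result["service_plane"][pic][key] = value
        else:
            result[section][key] = value
    return result


def enrollment_findings(status, expected_suffix=EXPECTED_HOST_SUFFIX):
    """List what is wrong with the parsed status; an empty list means enrolled."""
    findings = []
    host = status["server"].get("server_hostname", "")
    if not host.endswith(expected_suffix):
        findings.append(f"unexpected Sky ATP server hostname {host!r}")
    if status["server"].get("server_port") != "443":
        findings.append("server port is not 443")
    if status["control_plane"].get("connection_status") != "Connected":
        findings.append("control plane is not Connected")
    active = 0
    for pic, fields in status["service_plane"].items():
        try:
            active += int(fields.get("connection_active_number", "0"))
        except ValueError:
            findings.append(f"{pic}: unreadable active connection count")
    if active == 0:
        findings.append("no active service-plane connections to Sky ATP")
    return findings


def enrollment_ok(text):
    """True when the raw command output shows a working Sky ATP connection."""
    return not enrollment_findings(parse_aamw_status(text))


if __name__ == "__main__":
    for line in enrollment_findings(parse_aamw_status(SAMPLE_STATUS)) or ["enrolled"]:
        print(line)
```

Feed the function the captured output of the command on your own SRX; a non-empty findings list names the field that does not match the expected state.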
Verify Sky ATP Device Enrollment in Sky ATP
Purpose Verify that the SRX device and Policy Enforcer are enrolled with Sky ATP.
Action In Sky ATP, navigate to the Enrolled Devices page and verify that both elements have
been added.
Meaning The Host field displays entries for Policy Enforcer and the SRX device. You can click the
serial number for more details.
Verify Sky ATP Device Enrollment in Security Director
Purpose Verify that the SRX Series device is enrolled with Sky ATP in Security Director.
Action In Security Director, navigate to Devices > Secure Fabric.
Meaning The Enforcement Points field shows the SRX device, and the SKYATP Enroll Status field
shows the Sky ATP realm name and a green check mark, confirming the device is enrolled
with the Sky ATP realm.
Test Juniper Connected Security Functionality - Blocking Infected Endpoint
Purpose With the Juniper Connected Security solution configured, verify how it detects and reacts
to problems.
In the following scenario, the endpoint (192.168.11.13) on the LAN simulates a threat by
contacting a C&C server on the Internet. This event is determined to exceed the threat
prevention policy’s threat score threshold, and as a result the endpoint is blocked.
Before simulating the attack, confirm the following steps:
• In Security Director, go to Policy Enforcer > Threat Prevention Policy and verify that the
C&C server and infected host profile actions are set to Drop connection silently.
• On the Cisco switch, confirm that the endpoint (192.168.11.13) is assigned to VLAN 14
(VLAN14-Finance).
• Confirm, using continuous pings, that the endpoint can reach another host on the LAN
(192.168.11.1, the default gateway) and the Internet (8.8.8.8).
• In Aruba CPPM, go to Monitoring > Live Monitoring > Access Tracker, and confirm that
the endpoint appears and is associated to the appropriate service. Note that the
enforcement profile is currently JNPR FINANCE VLAN.
Action In this scenario, the endpoint contacts (pings) the C&C server (in this example, a server
upstream from the SRX device with IP address 1.1.1.3).
The Juniper Connected Security solution elements then detect and react to the situation:
• Sky ATP analyzes the traffic; it exceeds the threat prevention policy’s threat score
threshold.
• Policy Enforcer communicates with CPPM, which sends RADIUS CoA messages to the
Cisco switch to terminate the endpoint's session.
• The SRX blocks the endpoint’s access to the Internet.
• The Cisco switch blocks the endpoint’s access to other points on the LAN.
On the Cisco switch, the console shows the RADIUS CoA disconnect message.
The switch’s show vlan output shows that the endpoint is no longer part of
VLAN14-Finance.
In Aruba CPPM, on the Monitoring > Live Monitoring > Access Tracker page, the endpoint’s
enforcement profile is now JNPR SDSN Terminate Session. This profile sent the disconnect
messages to the Cisco switch.
On the SRX device, the endpoint is identified as an infected host. The output shows that
the Sky ATP infected host feed containing the endpoint’s IP address has been successfully
downloaded, resulting in the SRX device taking an action to block Internet access for the
infected host.
In the Sky ATP portal, on the Monitor > Hosts page, the endpoint is identified as a
compromised host and has a status of Blocked.
Clicking on the endpoint’s IP address opens the Hosts page, which shows more details
about the endpoint.
Test Juniper Connected Security Functionality - Quarantining Infected Endpoint
Purpose The following scenario is similar to the blocking scenario above, however this time when
the endpoint’s contact with the C&C server is determined to exceed the threat prevention
policy’s threat score threshold, the endpoint is assigned to a quarantine VLAN.
Before simulating the attack, perform or confirm the following steps:
• If you performed the endpoint blocking test above, release the infected host in either
the Sky ATP cloud portal or Security Director (Monitor > Threat Prevention > Host).
Ensure that LAN and Internet access are restored for the endpoint.
• In Security Director, go to Policy Enforcer > Threat Prevention Policy and edit the policy.
Change the infected host profile action to Quarantine and add the VLAN name VLAN10.
• On the Cisco switch, confirm that the endpoint (192.168.11.13) is assigned to VLAN 14
(VLAN14-Finance).
• Confirm that the endpoint can reach another host on the LAN (192.168.11.1) and the
Internet (8.8.8.8).
• In Aruba CPPM, go to Monitoring > Live Monitoring > Access Tracker and confirm that
the endpoint is associated to the JNPR FINANCE VLAN enforcement profile.
Action Once again, the endpoint contacts (pings) the C&C server (1.1.1.3).
The Juniper Connected Security solution elements again detect and react to the situation:
• Sky ATP analyzes the traffic; it exceeds the threat prevention policy’s threat score
threshold.
• Policy Enforcer communicates with CPPM, which sends RADIUS CoA messages to the
Cisco switch to terminate the endpoint's session.
• The SRX blocks the endpoint’s access to the Internet.
• The Cisco switch blocks the endpoint’s access to other points on the LAN.
On the Cisco switch, the console shows the RADIUS CoA disconnect message. In addition,
the console shows the endpoint re-authenticating and being assigned to the quarantine
VLAN (10).
The switch’s show vlan output confirms that the endpoint is now assigned to
VLAN10-Quarantine.
In Aruba CPPM, on the Monitoring > Live Monitoring > Access Tracker page, the endpoint’s
enforcement profile is now JNPR SDSN Quarantine. This profile sent the VLAN
re-assignment messages to the Cisco switch.
On the SRX device, the endpoint is identified as an infected host and the device has
blocked Internet access for the infected host.
Related Documentation
• Use Case Overview on page 6
• Technical Overview on page 8
• Appendix: SRX Series Device and Cisco Catalyst Switch Configurations on page 58
Appendix: SRX Series Device and Cisco Catalyst Switch Configurations
Configuration files for the devices used to build this configuration example are provided
below.
NOTE: The following configurations are captured from a lab environment, and are provided for reference only. Actual configurations may vary based on the specific requirements of your environment.
SRX1500 Configuration
The following sample shows the configuration for the SRX1500 device used in this
configuration example.
set version 15.1X49-D80.4
set system host-name SRX1500-WF
set system time-zone America/New_York
set system root-authentication encrypted-password "$ABC123"
set system name-server 8.8.8.8
set system services ssh max-sessions-per-connection 32
set system services telnet
set system services xnm-clear-text
set system services netconf ssh
set system services dhcp-local-server group wan-dhcp2 interface irb.14
set system syslog user * any emergency
set system syslog host 192.168.10.4 structured-data
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file default-log-messages any info
set system syslog file default-log-messages match "(requested 'commit' operation)|(requested 'commit synchronize' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES"
set system syslog file default-log-messages structured-data
set system max-configurations-on-flash 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server 203.0.113.1
set services application-identification
set services ssl initiation profile aamw-ssl trusted-ca aamw-secintel-ca
set services ssl initiation profile aamw-ssl trusted-ca aamw-cloud-ca
set services ssl initiation profile aamw-ssl client-certificate aamw-srx-cert
set services ssl initiation profile aamw-ssl actions crl disable
set services security-intelligence url https://10.13.107.164:443/api/v1/manifest.xml
set services security-intelligence authentication auth-token RL520JGQ1DJQQI0ZZN2DALB0I0DP7HCL
set services security-intelligence profile TP_CC category CC
set services security-intelligence profile TP_CC rule Rule-1 match threat-level 1
set services security-intelligence profile TP_CC rule Rule-1 match threat-level 2
set services security-intelligence profile TP_CC rule Rule-1 then action permit
set services security-intelligence profile TP_CC rule Rule-1 then log
set services security-intelligence profile TP_CC rule Rule-2 match threat-level 3
set services security-intelligence profile TP_CC rule Rule-2 match threat-level 4
set services security-intelligence profile TP_CC rule Rule-2 then action permit
set services security-intelligence profile TP_CC rule Rule-2 then log
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 5
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 6
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 7
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 8
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 9
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 10
set services security-intelligence profile TP_CC rule Rule-3 then action block drop
set services security-intelligence profile TP_CC rule Rule-3 then log
set services security-intelligence profile TP_Infected-Hosts category Infected-Hosts
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 match threat-level 1
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 match threat-level 2
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 match threat-level 3
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 match threat-level 4
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 match threat-level 5
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 match threat-level 6
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 then action permit
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 then log
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 match threat-level 7
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 match threat-level 8
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 match threat-level 9
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 match threat-level 10
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 then action block drop
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 then log
set services security-intelligence policy TP CC TP_CC
set services security-intelligence policy TP Infected-Hosts TP_Infected-Hosts
set services advanced-anti-malware connection url https://srxapi.us-west-2.sky.junipersecurity.net
set services advanced-anti-malware connection authentication tls-profile aamw-ssl
set services advanced-anti-malware policy TP http inspection-profile default_profile
set services advanced-anti-malware policy TP http action block
set services advanced-anti-malware policy TP http notification log
set services advanced-anti-malware policy TP verdict-threshold 5
set services advanced-anti-malware policy TP fallback-options action permit
set services advanced-anti-malware policy TP fallback-options notification log
set services advanced-anti-malware policy TP default-notification log
set services advanced-anti-malware policy TP whitelist-notification log
set services advanced-anti-malware policy TP blacklist-notification log
set security log mode stream
set security log format sd-syslog
set security log source-address 192.168.10.1
set security log stream TRAFFIC category all
set security log stream TRAFFIC host 192.168.10.4
set security log stream TRAFFIC host port 514
set security pki ca-profile aamw-ca ca-identity deviceCA
set security pki ca-profile aamw-ca enrollment url http://ca.junipersecurity.net:8080/ejbca/publicweb/apply/scep/SRX/pkiclient.exe
set security pki ca-profile aamw-ca revocation-check disable
set security pki ca-profile aamw-ca revocation-check crl url http://va.junipersecurity.net/ca/deviceCA.crl
set security pki ca-profile aamw-secintel-ca ca-identity JUNIPER
set security pki ca-profile aamw-secintel-ca revocation-check crl url http://va.junipersecurity.net/ca/current.crl
set security pki ca-profile aamw-cloud-ca ca-identity JUNIPER_CLOUD
set security pki ca-profile aamw-cloud-ca revocation-check crl url http://va.junipersecurity.net/ca/cloudCA.crl
set security policies global policy PolicyEnforcer-Rule1-1 match source-address any
set security policies global policy PolicyEnforcer-Rule1-1 match destination-address any
set security policies global policy PolicyEnforcer-Rule1-1 match application any
set security policies global policy PolicyEnforcer-Rule1-1 then permit application-services security-intelligence-policy TP
set security policies global policy PolicyEnforcer-Rule1-1 then permit application-services advanced-anti-malware-policy TP
set security policies global policy GlobalPermit match source-address any
set security policies global policy GlobalPermit match destination-address any
set security policies global policy GlobalPermit match application any
set security policies global policy GlobalPermit match from-zone any
set security policies global policy GlobalPermit match to-zone any
set security policies global policy GlobalPermit then permit
set security policies global policy GlobalPermit then log session-init
set security policies global policy GlobalPermit then log session-close
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.14
set security zones security-zone trust interfaces irb.12
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces irb.13
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members VLAN12
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members VLAN14
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members VLAN13
set interfaces fxp0 unit 0 family inet address 10.13.107.186/23
set interfaces irb unit 12 family inet address 192.168.10.1/24
set interfaces irb unit 13 family inet address 192.168.231.1/24
set interfaces irb unit 14 family inet address 192.168.11.1/24
set snmp trap-group space targets 10.13.107.162
set routing-options static route 172.28.0.0/16 next-hop 10.13.106.1
set routing-options static route 10.13.0.0/16 next-hop 10.13.106.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.231.10
set routing-options static route 172.29.0.0/16 next-hop 10.13.106.1
set routing-options static route 172.30.76.0/23 next-hop 10.13.106.1
set routing-options static route 10.163.69.44/30 next-hop 10.13.106.1
set protocols l2-learning global-mode switching
set access address-assignment pool wan-2 family inet network 192.168.11.1/24
set access address-assignment pool wan-2 family inet range wan-2-range low 192.168.11.10
set access address-assignment pool wan-2 family inet range wan-2-range high 192.168.11.20
set access address-assignment pool wan-2 family inet dhcp-attributes maximum-lease-time 86400
set access address-assignment pool wan-2 family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool wan-2 family inet dhcp-attributes router 192.168.11.1
set vlans VLAN12 vlan-id 12
set vlans VLAN12 l3-interface irb.12
set vlans VLAN13 vlan-id 13
set vlans VLAN13 l3-interface irb.13
set vlans VLAN14 vlan-id 14
set vlans VLAN14 l3-interface irb.14
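The security-intelligence part of the SRX1500 configuration is what turns the Sky ATP C&C and infected-host feeds into block actions, so it is worth checking mechanically before running the tests in this example. The following added example (not part of the Juniper document) parses set-style statements into per-profile threat-level tables and verifies the properties the appendix configuration has: every level 1-10 handled by exactly one rule, blocking from the thresholds used here (CC from level 5, Infected-Hosts from level 7), block rules logged, and policy TP applied by a global security policy. SAMPLE_CONFIG is a constructed subset of the appendix; the helper names and BLOCK_FROM thresholds are this example's own.

```python
"""Check the SRX security-intelligence (Sky ATP feed) configuration.

Added example, not part of the Juniper document. SAMPLE_CONFIG is a
constructed subset of the appendix configuration.
"""
import re
from collections import defaultdict


def _level_lines(profile, rule, levels):
    # Expand the repetitive 'match threat-level N' statements for the sample.
    return [f"set services security-intelligence profile {profile} rule {rule} "
            f"match threat-level {n}" for n in levels]


def _rule_lines(profile, rule, action):
    # 'then action ...' and 'then log' for one rule, as in the appendix.
    prefix = f"set services security-intelligence profile {profile} rule {rule} then "
    return [prefix + f"action {action}", prefix + "log"]


SAMPLE_CONFIG = "\n".join(
    ["set services security-intelligence profile TP_CC category CC"]
    + _level_lines("TP_CC", "Rule-1", [1, 2]) + _rule_lines("TP_CC", "Rule-1", "permit")
    + _level_lines("TP_CC", "Rule-2", [3, 4]) + _rule_lines("TP_CC", "Rule-2", "permit")
    + _level_lines("TP_CC", "Rule-3", range(5, 11)) + _rule_lines("TP_CC", "Rule-3", "block drop")
    + ["set services security-intelligence profile TP_Infected-Hosts category Infected-Hosts"]
    + _level_lines("TP_Infected-Hosts", "Rule-1", range(1, 7))
    + _rule_lines("TP_Infected-Hosts", "Rule-1", "permit")
    + _level_lines("TP_Infected-Hosts", "Rule-2", range(7, 11))
    + _rule_lines("TP_Infected-Hosts", "Rule-2", "block drop")
    + ["set services security-intelligence policy TP CC TP_CC",
       "set services security-intelligence policy TP Infected-Hosts TP_Infected-Hosts",
       "set security policies global policy PolicyEnforcer-Rule1-1 then permit "
       "application-services security-intelligence-policy TP"]
)

# Lowest threat level each feed category blocks in the appendix (assumed thresholds).
BLOCK_FROM = {"CC": 5, "Infected-Hosts": 7}

PROFILE_RE = re.compile(r"^set services security-intelligence profile (\S+) (.+)$")
POLICY_RE = re.compile(r"^set services security-intelligence policy (\S+) (\S+) (\S+)$")
APPLY_RE = re.compile(r"^set security policies global policy (\S+) then permit "
                      r"application-services security-intelligence-policy (\S+)$")


def parse_secintel(config):
    """Return (profiles, policies, applied) from 'set' statements.

    profiles: name -> {'category': str, 'rules': {rule: {'levels', 'action', 'log'}}}
    policies: policy -> {category: profile}
    applied:  global security policy -> security-intelligence policy it permits
    """
    profiles = defaultdict(lambda: {"category": None, "rules": defaultdict(
        lambda: {"levels": set(), "action": None, "log": False})})
    policies = defaultdict(dict)
    applied = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = PROFILE_RE.match(line)
        if m:
            name, words = m.group(1), m.group(2).split()
            if words[0] == "category":
                profiles[name]["category"] = words[1]
            elif words[0] == "rule":
                rule = profiles[name]["rules"][words[1]]
                if words[2:4] == ["match", "threat-level"]:
                    rule["levels"].add(int(words[4]))
                elif words[2:4] == ["then", "action"]:
                    rule["action"] = " ".join(words[4:])  # 'permit' or 'block drop'
                elif words[2:] == ["then", "log"]:
                    rule["log"] = True
            continue
        m = POLICY_RE.match(line)
        if m:
            policy, category, profile = m.groups()
            policies[policy][category] = profile
            continue
        m = APPLY_RE.match(line)
        if m:
            applied[m.group(1)] = m.group(2)
    return profiles, policies, applied


def threat_level_actions(profile):
    """Map each threat level to the action of the rule matching it
    ('ambiguous' when two rules claim the same level)."""
    actions = {}
    for rule in profile["rules"].values():
        for level in rule["levels"]:
            actions[level] = "ambiguous" if level in actions else rule["action"]
    return actions


def check_secintel(config, policy="TP", block_from=BLOCK_FROM):
    """Findings for the feed configuration; an empty list means it matches the
    appendix: levels 1-10 handled once, blocked from the threshold, block rules
    logged, and the policy applied by a global security policy."""
    profiles, policies, applied = parse_secintel(config)
    findings = []
    if policy not in applied.values():
        findings.append(f"policy {policy} is not applied by any global security policy")
    for category, threshold in block_from.items():
        profile_name = policies.get(policy, {}).get(category)
        if profile_name is None or profile_name not in profiles:
            findings.append(f"policy {policy} has no profile for category {category}")
            continue
        profile = profiles[profile_name]
        if profile["category"] != category:
            findings.append(f"{profile_name}: category is {profile['category']}, not {category}")
        actions = threat_level_actions(profile)
        for level in range(1, 11):
            action = actions.get(level)
            if action is None:
                findings.append(f"{profile_name}: threat level {level} matches no rule")
            elif level >= threshold and action != "block drop":
                findings.append(f"{profile_name}: level {level} is {action!r}, expected 'block drop'")
        for rule_name, rule in profile["rules"].items():
            if (rule["action"] or "").startswith("block") and not rule["log"]:
                findings.append(f"{profile_name}/{rule_name}: blocks without logging")
    return findings
```

Run check_secintel over the output of show configuration | display set from your own SRX; the findings name the profile and threat level that deviate from the reference configuration.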
Cisco Catalyst 6509 Switch Configuration
The following sample shows the configuration for the Cisco Catalyst 6509 switch used
in this configuration example.
HIAGATE#show runn
Building configuration...

Current configuration : 14664 bytes
!
! Last configuration change at 20:44:49 UTC Fri Aug 18 2017 by cisco
! NVRAM config last updated at 20:33:43 UTC Fri Aug 18 2017 by cisco
!
upgrade fpd auto
version 12.2
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service counters max age 10
!
hostname HIAGATE
!
boot-start-marker
boot system flash disk0:s72033-advipservicesk9_wan-vz.122-33.SXI14.bin
boot-end-marker
!
logging buffered informational
!
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa server radius dynamic-author
 client 10.13.107.167 server-key cisco123
 port 3799
 auth-type all
!
aaa session-id common
!
no ip domain-lookup
ip domain-name hiagate-sdsn.com
!
ip dhcp snooping
no ip bootp server
ip ssh version 2
ip scp server enable
ip device tracking
!
dot1x system-auth-control
!
vlan 10
 name VLAN10-Quarantine
!
vlan 14
 name VLAN14-Finance
!
interface GigabitEthernet1/47
 description SRX1500
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 14
 switchport mode trunk
!
interface GigabitEthernet1/48
 description ESXiServer
 switchport
 switchport mode access
 speed 1000
 duplex full
 authentication host-mode multi-host
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 10
 dot1x max-req 3
 dot1x max-reauth-req 10
 spanning-tree portfast edge
!
interface Vlan1
 ip address 10.13.107.168 255.255.254.0
!
ip route 0.0.0.0 0.0.0.0 10.13.106.1
!
radius-server attribute 8 include-in-access-req
radius-server host 10.13.107.167 auth-port 1812 acct-port 1813 key cisco123
radius-server vsa send accounting
radius-server vsa send authentication
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 transport input ssh
line vty 5 15
!
exception core-file
ntp authentication-key 1 md5 123310191B1B0916 7
ntp trusted-key 1
ntp source Loopback0
ntp master 1
!
end
HIAGATE#
Related Documentation
• Technical Overview on page 8
• Example: Configuring Juniper Connected Security Using Third-Party Switches and
Aruba ClearPass Policy Manager on page 10