Creating a Policy Enforcer Connector for Public and Private Clouds
Before You Begin
For an Amazon Web Services (AWS) connector:
Create an access key for your AWS account. The access key ID and the secret access key generated with it are the credentials the connector uses; they are not your Amazon account username and password. See Managing Access Keys for Your AWS Account.
Create a Virtual Private Cloud (VPC) in the required region. See Getting Started With Amazon VPC.
Instantiate the vSRX instance in the required VPC and set a tag on it, for example with the tag key AWS_SDSN_VSRX. The tag identifier configured in Policy Enforcer must match this tag key on the vSRX instance in AWS; Policy Enforcer uses the tag to find the vSRX, and only VPCs that contain a tagged vSRX are managed.
Create a security group in AWS. It is required when you create a threat prevention policy for the AWS connector, and it is the group used for a workload in the VPC when that host is found to be infected.
Deploy workloads in the required VPC and set resource tags on them. The connector later maps these tags to Security Director metadata, which is what next generation firewall rules match on.
For a Microsoft Azure connector:
Get started with Microsoft Azure. See Getting Started With Microsoft Azure.
Obtain the tenant ID for your Azure account, and the ID of the subscription that contains the virtual networks to be managed. See Managing Access Keys for Your Microsoft Azure Account.
Configure the connectors for the public and private clouds as follows.
To configure threat remediation or next generation firewall for a public or private cloud, you install and register the corresponding plug-in with Policy Enforcer by creating a connector. Complete the connector fields as follows:
| Field | Description |
|---|---|
| General | |
| Name | Enter a unique string that begins with an alphanumeric character and may include underscores; no spaces; 63 characters maximum. |
| Description | Enter a description of up to 1024 characters. Make it as useful as possible for all administrators. |
| Connector Type | Select Amazon Web Services, Contrail, or Microsoft Azure to connect that cloud to your secure fabric and create policies for its network. |
| IP Address/URL | IP address (IPv4 or IPv6) or URL of the AWS, Contrail, or Microsoft Azure endpoint. For AWS the field is fixed to www.aws.amazon.com, the endpoint through which all VPCs are reached; for Microsoft Azure it is fixed to management.azure.com, the endpoint through which all virtual networks are reached. Neither can be edited. For Contrail, enter the IP address or URL of the Contrail system. |
| Port | Fixed to 443 for AWS and Microsoft Azure; you cannot edit it. For Contrail, enter 8081. |
| Username | For AWS, enter the access key ID generated for your Amazon account; this is not your Amazon account username. For Contrail and Microsoft Azure, enter the username for the selected connector type. |
| Password | For AWS, enter the secret access key generated together with the access key ID; this is not your Amazon account password. For Contrail and Microsoft Azure, enter the password for the selected connector type. |
| Subscription ID (Microsoft Azure only) | Enter the Azure subscription ID. Subscriptions exist per tenant, and a tenant can have more than one. |
| Tenant ID (Microsoft Azure only) | Enter the Microsoft Azure tenant ID. |
| Network Details | For every connector type, Security Director suggests a default Secure Fabric site name for each discovered network, in the format <connector name>_<network name>_site, where the network name is the VPC, virtual network, or project name. Click the site name to edit it; the edit list also shows existing Secure Fabric sites that have no switches or connectors assigned, and you can assign one of those to the connector instead. If the edited name already belongs to a site with a connector or a switch, an alert is shown and the name reverts to its previous value. For each network you must enable Threat Remediation, Next Generation Firewall, or both: a connector instance cannot be created without at least one, and moving to the next page without enabling one produces an error asking you to do so. Hover over a network name and click the Detailed View icon for details; see Viewing VPC or Projects Details. Note: search works on VPC and project names, not on site names. |
| Connector Type: AWS Virtual Private Clouds | The virtual networks under the AWS account, called virtual private clouds (VPCs), are discovered. Only VPCs that contain a deployed vSRX instance are managed. VPCs are region specific: select a region from the Region list to see its VPCs. By default the VPCs of the first available region are listed. |
| Connector Type: Microsoft Azure Virtual Networks | The virtual networks under the Microsoft Azure account are discovered, per subscription within the tenant. A tenant can have more than one subscription, and a subscription can contain one or more virtual networks. |
| Connector Type: Contrail Project | The tenants (projects) determined from the Contrail connector are listed. |
| Subnets | Subnet information is read from the respective system. For AWS and Microsoft Azure the listed subnets are the availability zones; for Contrail they are virtual networks. If Threat Remediation is enabled, you can create Policy Enforcement Groups from one or more of these subnets. Subnets for AWS, Microsoft Azure, and Contrail are allocated within the tenant IP Address Management (IPAM) scheme. |
| Configuration | |
| Metadata | Lists the resource tag names and values read from the projects or VPCs. This appears only if Next Generation Firewall is enabled. For AWS and Microsoft Azure, tag values are fetched for all endpoints and mapped to Security Director metadata names. For each tag name, Security Director checks whether metadata with the same name already exists; if so, the tag is mapped to it automatically, otherwise a new metadata name identical to the tag name is suggested. You can edit the suggested name in the Generated MetaData Name column, but you cannot use any of Security Director's predefined metadata names; if you do, an error asks you to choose a different name. Select Map for each tag you want mapped to the generated metadata when the connector instance is created; if Map is not selected for a tag, the project or VPC is created without that tag, so with several tags on a project you choose which ones to carry over. Mapping tags to metadata is what lets you write next generation firewall source and destination rules as metadata expressions: Policy Enforcer resolves each expression to the matching VM instances in AWS, Microsoft Azure, or Contrail and pushes their IP addresses as a dynamic address group to the enforcement points in the tenant's vSRX instances. |
| Configuration Value | Provide any additional information this connector requires. For example, a ForeScout CounterACT connector requires a WebAPI username and password; for other connector types, any additional parameters are listed in this column. The parameters required for AWS and Microsoft Azure, and those required for Contrail, are listed here. After successful completion, the subnets are mapped to that connector instance. |
For AWS, Microsoft Azure, and Contrail connectors, the site association is done on the Connectors page itself.
When a connector is added to a site, Policy Enforcer discovers the vSRX instances associated with the connector and assigns them to the site. Hover over the connector name to see the corresponding vSRX and its IP address as a tooltip.
If the mode on the PE Setting page is Juniper Connected Security with ATP Cloud, you must create an ATP Cloud realm and assign the sites associated with the VPC or project to that realm. Otherwise the vSRX instances in the VPC or project do not download the dynamic address group objects, that is, the lists of workloads in the VPC or project that match a policy metadata expression, so metadata-based rules do not take effect.
Threat Remediation Workflow
When you create an AWS, Microsoft Azure, or Contrail connector with the Threat Remediation option, a site is created on the Secure Fabric page.
Perform the following actions for threat remediation:
Select Configure > Threat Prevention > ATP Cloud Realms.
Select the Secure Fabric sites associated with the VPCs, virtual networks, or projects that were added, add them to a Juniper ATP Cloud realm, and enroll the vSRX devices in Juniper ATP Cloud by clicking Add Devices in the list view after the realm is created.
Select Configure > Shared Objects > Policy Enforcement Groups.
Click the add icon to create a new policy enforcement group. The subnets discovered in the VPC or virtual network are listed; select the required ones and create the group. Associate this policy enforcement group with the threat prevention policy.
Select Configure > Threat Prevention > Policies.
Click the add icon to create a new threat prevention policy, including profiles for one or more threat types. When a host in the corresponding VPC or virtual network becomes infected, the security group you selected during connector configuration is used for that host.
Next Generation Firewall Workflow
Creating an AWS, Microsoft Azure, or Contrail connector with the Next Generation Firewall option enables Layer 7 firewall policy for that VPC or virtual network. Perform the following actions to use it:
Select Configure > Firewall Policy.
Select the policy for which you want to define rules and click Add Rule.
The Create Rules page appears.
In the General tab, enter the name and description of the rule.
In the Source tab, click Select for the Address(es) field to select the source address.
The Source Address page appears.
In the Address Selection field, click the By Metadata Filter option.
In the Metadata Provider field, select PE as the provider from the list.
The Metadata Filter field lists all metadata generated during connector configuration. Use it to build the required metadata expression, for example Application = Web and Tier = App.
The Matched Addresses field lists the addresses of the workloads whose tags match the expression; these are used as the source address. A unique dynamic address group (DAG) is created for every metadata expression.
Click OK and complete the other parameters for the rule.
Publish and update the configuration immediately, or schedule it for later.
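The following is an added illustration, written for this page and not Juniper code, of the data flow the Before You Begin, Network Details, Configuration, and Next Generation Firewall sections describe: VPC discovery by the vSRX tag key, mapping of workload resource tags to Security Director metadata (including rejection of a predefined name), resolution of a metadata expression such as Application = Web and Tier = App to a dynamic address group, and lookup of the security group used for an infected host. The tag key AWS_SDSN_VSRX and the example expression come from the page; the inventory, IP addresses, tag values, the RESERVED_METADATA set, and the DAG naming scheme are constructed assumptions for the example and do not reflect the product's internals.

```python
"""Model of how a cloud connector's inventory is turned into policy objects.

Added illustration, not Juniper code. Only AWS_SDSN_VSRX and the example
expression come from the documentation; everything else is constructed.
"""
from dataclasses import dataclass
import hashlib
import re

VSRX_TAG_KEY = "AWS_SDSN_VSRX"  # tag key set on the vSRX instance (from the page)

# Constructed stand-in for the product's list of predefined metadata names
# (the page does not reproduce the real list); used to show the rejection path.
RESERVED_METADATA = {"ASSUMED_RESERVED_NAME"}


@dataclass
class Instance:
    instance_id: str
    vpc_id: str
    private_ip: str
    tags: dict


# Constructed inventory, loosely shaped like EC2 DescribeInstances output.
INVENTORY = [
    Instance("i-0aaa", "vpc-east", "10.0.1.10", {VSRX_TAG_KEY: "fw1"}),
    Instance("i-0bbb", "vpc-east", "10.0.2.21", {"Application": "Web", "Tier": "App"}),
    Instance("i-0ccc", "vpc-east", "10.0.2.22", {"Application": "Web", "Tier": "Web"}),
    Instance("i-0ddd", "vpc-east", "10.0.3.5", {"Application": "Web", "Tier": "App"}),
    Instance("i-0eee", "vpc-west", "10.1.0.7", {"Application": "Web", "Tier": "App"}),
]


def managed_vpcs(instances):
    """Only VPCs that contain a vSRX instance (found by its tag key) are managed."""
    return sorted({i.vpc_id for i in instances if VSRX_TAG_KEY in i.tags})


def workloads(instances, vpc_id):
    """Workloads of a VPC: everything in it except the vSRX itself."""
    return [i for i in instances if i.vpc_id == vpc_id and VSRX_TAG_KEY not in i.tags]


def map_tags_to_metadata(instances, existing_metadata, reserved=RESERVED_METADATA):
    """For every resource tag key on the workloads, reuse existing metadata of the
    same name or suggest new metadata named after the tag; reserved names are
    rejected. Returns {tag_key: (metadata_name, "existing" | "new")}."""
    keys = {k for i in instances for k in i.tags if k != VSRX_TAG_KEY}
    mapping = {}
    for key in sorted(keys):
        if key in reserved:
            raise ValueError(f"{key!r} is a predefined metadata name; choose another")
        mapping[key] = (key, "existing" if key in existing_metadata else "new")
    return mapping


_TERM = re.compile(r"^\s*(\w+)\s*=\s*(\w+)\s*$")


def _parse(expression):
    """Parse 'A = x and B = y or C = z' into an OR-list of AND-groups."""
    groups = []
    for disjunct in re.split(r"\s+or\s+", expression, flags=re.IGNORECASE):
        terms = []
        for term in re.split(r"\s+and\s+", disjunct, flags=re.IGNORECASE):
            m = _TERM.match(term)
            if not m:
                raise ValueError(f"bad metadata term: {term!r}")
            terms.append((m.group(1), m.group(2)))
        groups.append(terms)
    return groups


def matches(instance, expression, mapping):
    """Evaluate a metadata expression against one workload's resource tags."""
    meta_to_tag = {meta: tag for tag, (meta, _) in mapping.items()}
    for terms in _parse(expression):
        if all(instance.tags.get(meta_to_tag.get(meta, meta)) == value
               for meta, value in terms):
            return True
    return False


def resolve_dag(instances, vpc_id, expression, mapping):
    """Build the dynamic address group for one expression in one VPC: a name
    derived from the expression (assumed scheme) plus the matching workload IPs."""
    ips = sorted(i.private_ip for i in workloads(instances, vpc_id)
                 if matches(i, expression, mapping))
    digest = hashlib.sha256(expression.lower().encode()).hexdigest()[:8]
    return {"name": f"DAG_{digest}", "addresses": ips}


def quarantine_target(instances, vpc_id, infected_ip, security_group):
    """Threat remediation: the security group chosen at connector creation is the
    one used for the infected workload in that VPC; None if the IP is unknown."""
    for w in workloads(instances, vpc_id):
        if w.private_ip == infected_ip:
            return {"instance": w.instance_id, "security_group": security_group}
    return None


if __name__ == "__main__":
    vpcs = managed_vpcs(INVENTORY)  # vpc-west has no vSRX and is not managed
    mapping = map_tags_to_metadata(INVENTORY, existing_metadata={"Application"})
    dag = resolve_dag(INVENTORY, "vpc-east", "Application = Web and Tier = App", mapping)
    print(vpcs, mapping, dag, sep="\n")
```

Running the module prints the single managed VPC, the tag-to-metadata mapping (Application reused, Tier newly suggested), and a DAG containing only the two vpc-east workloads tagged Application=Web and Tier=App; the Tier=Web host and the workload in the unmanaged VPC are excluded, which is the behaviour a practitioner should verify in Matched Addresses before publishing a rule.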