John Lusk, Juniper University Education Department

Jumpstart Juniper—Security


Fortify your network security with this Junos® operating system Jumpstart Juniper webinar.

High-performance, scalable, and intelligent network security solutions are a non-negotiable aspect of network management. Watch this installment of the Jumpstart Juniper series to gain valuable insight on Juniper Networks® SRX Series Firewalls, cloud-based advanced malware protection, and security management solutions.



You’ll learn

  • How to protect your network with Junos OS security solutions, including stateful packet flow, security policies, virtual SRX, and AppSecure

  • How to use Juniper Connected Security

  • About Juniper Advanced Threat Protection cloud concepts and implementation

Who is this for?

  • Security Professionals

  • Network Professionals

Host

John Lusk
Juniper University Education Department

Transcript

0:00 Even as wired and wireless devices sort the network edge, today's business-critical services require more

0:06 predictable, reliable and measurable networks. Users demand a seamless, personalized experience based on user

0:12 type and location. It's no longer enough to simply keep the network up and running; it's about ensuring a great

0:19 experience across the network for every user and network device, addressing problems before clients are even aware

0:25 of them. How is this accomplished? With an AI-driven enterprise, only from Juniper

0:30 Mist. Juniper Mist transforms the network experience and simplifies operations with artificial intelligence while

0:37 delivering on strategic initiatives with virtual Bluetooth location-based services and analytics. Now you can

0:44 report when users or devices are unhappy, or analyze traffic patterns through a retail store, alerting shoppers with

0:50 location-based special offers in real time. All network data is ingested into the Mist AI engine for continuous

0:57 learning and improvement, and Marvis, the virtual network assistant, is the Alexa for IT teams. Marvis helps keep the

1:04 network running seamlessly and simplifies troubleshooting with recommended or self-driving actions across the WLAN, LAN, WAN and security

1:12 domains. This is true AI-driven enterprise for wired and wireless networks. Juniper Mist

1:19 is leading a new era of IT that uses AI to save time and money, deliver unprecedented scale and provide

1:26 unparalleled user experiences. Let us know when you have 15 minutes to learn more.

1:33 Welcome to Jumpstart Juniper. In this session we're going to talk about security, and we're going to bring out

1:39 Juniper's Connected Security program that they started a few years back.

1:46 So let's go over some of the security challenges that we have today.

1:52 We all know that security is very important. We know that malware is

1:57 increasing. We know that it's harder and harder to keep everything secure. It's

2:04 getting faster to get into places and longer to find out that they got broken

2:10 into. We also have at least 10 security systems in place in any location, so it

2:19 used to be just a firewall, and then they would put an IDP on there, and now it's

2:26 just more and more devices getting put in, and we have to manage all of those.

2:32 So there's a lot of stuff going into the clouds now. We have to keep track of

2:37 what's in the cloud, what's not in the cloud, and that opens up our

2:44 attack threshold too. We have more places to attack, so we need to be

2:49 careful with that. And now all the malware, not all of it but most of it, is being encrypted, and in

2:56 the future it'll become more and more encrypted, so unencrypting and looking

3:01 at things that are encrypted takes more resources and takes more intelligence. And so as we move forward we need to

3:08 have a plan on how we're going to attack all these different challenges that we

3:13 have. It takes forever, it seems like, to

3:19 contain a breach. Here it says the average number of days just to detect that you've been broken into is 206 days,

3:27 and then once you know that you've been broken into it takes about another 55 days to contain that breach,

3:34 but those attackers only need once to get in to get what they need. Malware is

3:39 evolving. It used to be just that you'd go in and try to harass somebody

3:46 or try to be a nuisance, but now it's evolving to be

3:52 more elusive, right? It's being encrypted. We're trying to figure out where data is

3:58 going. It uses memory injection. They use all sorts of things to try to hide

4:04 itself and to not get caught by malware detectors.

4:10 So as this malware evolves we need to evolve with it, with more software and

4:16 more devices, to try to stop it at the sources.

4:22 Phishing. Phishing is probably the number one way of getting malware into your

4:27 network. Phishing is where you get an email sent to you and it looks like something

4:34 that you might work with, right? Phishing is a very pointed attack, and

4:40 that attack says, "Hey, I know this guy likes bike riding, so I'm gonna send him

4:46 emails from bicycle shops or from bicycle races or whatever," to make

4:54 it look like they are valid, legit emails that this person would like to

4:59 have. So we have to be very careful with that. There's a lot of attacks now that look

5:06 like the email comes from the CEO or some manager higher up in the company,

5:11 and so as soon as you get it you're like, "Oh, I better really look into that and figure out what's going on," and we don't take the time to stop and think, well,

5:18 would the CEO really be emailing me about this? Or should I really be worried

5:24 about this? Maybe this isn't even part of my job. Why am I getting this email? There's a lot of things there. So

5:30 one of the main things we can do with phishing is end-user training. There's

5:36 some programs out there, and a lot of good programs that watch for this.

5:42 Juniper ATP Cloud and on-premises devices also look for these

5:50 phishing links that go around, but one of the main things you need to do is you've

5:55 got to be smart when you try to open up the email.

6:02 APT, advanced persistent threat. Now what this means is that the attack can be

6:09 advanced, right? Usually it's a highly skilled group that is doing these attacks. Maybe it's an actual state, or

6:18 there's actual companies that are setting up, saying, "Hey look, we'll sell our services to try to break into places for people."

6:24 So we have this advanced attack that's coming in. When this attack comes in,

6:29 usually they're trying not to be noticed. They're trying to slip under the radar, get in and stay there as long as

6:37 possible. Maybe they're collecting data off your network. Maybe they're looking for something important. Maybe they're

6:44 trying to get ahead: they know something's coming up and they're trying to get in before you lock down a lot of security because you have something new

6:50 coming up. APT is a

6:55 new form of threat that has been coming out for a few years now, and we need to be ready for that and know that

7:02 maybe they're just sitting on our network. They're not actually pulling any data down because it's waiting and they're looking for something, but that

7:09 threat is there and we're vulnerable to it. One of the things we talked about is how we

7:16 have at least 10 security devices in an enterprise, on that second slide, and what

7:22 we really... it's too complex. It's trying to keep track of everything. A lot of these security devices don't

7:29 mesh together, don't talk to each other very well, and so what we have is we get these

7:36 silos of information, where we go, "Oh look, there's something going on here," but we can't tell all the other devices

7:42 about it. All right, well, why can't we? When one of the machines gets

7:48 a virus on it and we detect a virus, we should be able to say, "Hey, this virus,

7:53 where did it come from?" If we know where it came from, we should be able to tell the firewall to block this file from ever coming through the

8:00 firewall again. Things like that, right? They're all isolated, and all the devices

8:06 from different companies use different threat scores, right? So you go, "Oh well, this is a five and this is a two

8:12 thousand," and you're like, well, how does that correlate together? And so there's a lot of manual ties in security still

8:20 trying to come around and try to work together. Security used to be pretty easy, right? We

8:27 put up a perimeter and we'd guard the castle, and once you got inside, though,

8:32 you were trusted and it was easy to go. And this model doesn't really work

8:37 anymore at all. I don't know that anybody promotes this model now. We still want to have

8:44 that perimeter, right? Having that perimeter is very important, but we need to have more security down inside. To get

8:52 that security inside a little bit more, they came up with the defense-in-depth

8:57 model. This model is just a way an attack

9:02 happens, and so if we know how the attack happens we can kind of guess and move

9:08 ahead of where the attackers are at to block and stop an attack. So it's just a layered approach.

9:16 Some of these are not software or hardware; they're just teaching people to do the right things, like we need to do

9:22 our patch management, right? How many attacks have there been that there's already a patch for? They just

9:29 didn't patch their computers. So we need to be able to keep those in mind. So these are things that we need to be

9:35 aware of so that we can work with them to keep track of our networks and make them

9:40 a lot safer. We can take this defense-in-depth model and we can move it over

9:45 to the zero trust model and basically say, "Hey look, there's not a single machine in our entire network that we

9:52 trust." We're going to verify and look at every file on every stream that comes

9:58 through to make sure there's no malware, make sure there's nothing wrong in any of those streams.

10:04 And the last idea here is this multi-cloud model. This is where everybody is headed. We might have

10:12 some local information at our enterprise, but we're definitely

10:17 still going to have some cloud information. We're going to put stuff out in maybe even

10:22 multiple clouds, right? And we need to have security at each cloud and at our

10:28 home location that works together, that knows about each other, and can protect

10:35 our data no matter where it's at and where it's being accessed from. Users

10:40 want to access all their data from home, they want to access it on the road, they want to access it no matter where

10:46 they're at, and we need to keep that data safe and secure. And this multi-cloud model, this end-to-end, top-to-bottom

10:54 security, is what Juniper Connected Security is all about. All right, the next agenda item is

11:01 security basics. The Juniper Connected Security principles are very simple. They are: we

11:09 need to have a stronger security posture. We need to be able to safeguard. We need to have a better perimeter, better

11:16 security inside. The next one is we need to automate that security. We can't manually do this. We

11:23 can't have people manually going through logs trying to find things. It has to be automated. We have to have some type of a

11:30 process going on that's looking for threats, that's finding threats and stopping them in their tracks,

11:37 or we're going to be behind the curve and we're going to lose. We need to save the people to look for the real problems

11:43 that are coming up, and not the small, "every time there's something coming up" kind of problem.

11:50 We need to have comprehensive visibility. If we don't know a problem is even there, we're not going to do

11:56 anything about the problem, and that's where most of us are at, right? We saw that number, that 206 days to even

12:03 know that there's a problem. We need to be able to find those problems. We need a better way to look at all of the network

12:09 information floating around and be able to analyze it and find out where the threats are at.

12:15 We need to have best-in-class secure networking. We need devices, we need

12:21 software that will work no matter what kind of a situation we're going to put

12:26 them in. Are we doing a multi-cloud, or are we doing a data center? What are

12:32 we doing? We need to have the best options we can have right there. And it does need to be multi-cloud ready,

12:38 because at some point everybody's going to push some of their data off

12:44 into the cloud, and we need to be able to secure that data with the same policies that we secure our local data with.

12:50 And it needs to be open-platform ready. We can't lock vendors in with our

12:58 security solutions. We need to be open and say, "Hey look, we can come and augment that and help you out with that," so

13:05 when something new comes down the road in the future it needs to be able to slide in and be able to work with all

13:10 the other security equipment. We have to get rid of the silos, and this is what Juniper Connected Security is all about:

13:17 it's getting rid of those silos, keeping track of our data, and having a

13:22 single security policy overall, no matter if the data is local or if the data is

13:28 in a cloud somewhere. We need to keep track of all of those. One thing we need

13:33 to understand is that firewalls process traffic differently,

13:39 so we have this packet-based versus session-based processing. Now all Junos devices use packet-based

13:48 processing, even the firewall, but we can push that into what we call a

13:54 flow mode, or a flow-based process with sessions. So in packet-based processing

14:00 the packet comes in, we evaluate basically where we're going to send it, you know, which interface we're going to

14:06 go out, and we send it out and we don't worry about it. We can put ACLs on that, or firewall filters on that interface,

14:13 and say, "Hey look, we don't want traffic coming from certain IP addresses, certain types of traffic," and we can block that

14:20 traffic as it comes in or out an interface, but we don't keep track of it besides that.

14:25 Now on session-based processing, the first packet that comes in is going to

14:31 create a flow, and it'll actually create two flows. It'll create a flow that goes through the original direction, and

14:38 then it will create a flow ready for the return traffic to come back, and those two flows together create

14:45 what we call a session. And that first packet triggers the session, and then we'll let the

14:53 traffic come back and forth, and we're going to talk more about how that works as we go along. So packet mode processing:

15:00 here we see how we have the filters as it comes in. We have a policer

15:08 and we have an input filter, and then just before it leaves we have an output filter and then a shaper, and those

15:14 filters on the input or the output we can manipulate and drop traffic or do

15:21 other things with traffic. So anytime we're going to use this

15:27 packet-based processing we are not going to use the flow module, and we can even create firewall filters to tell it to

15:34 bypass the flow module for certain types of traffic. Anyway, the packet mode processing is

15:40 very common; it's what all the routers do. Here we see an example of stateless packet processing. In the first example

15:48 we have a packet going from a machine, 10.1.1.5, going to the machine 203.0.113.5,

15:58 and because it's stateless packet processing we're going to process each

16:03 packet as it comes through, and so that packet gets sent through based upon our firewall filter. But the next packet that

16:10 comes through, which is the return packet, so it's coming back from the

16:18 203.0.113.5 machine, coming back, the firewall filter doesn't allow that

16:24 packet to come back, so it gets dropped. And this is very different than the stateful packet processing that we've

16:31 talked about and we'll talk about more, which is, once in stateful, once we have one

16:38 direction allowed, it will allow the return traffic automatically.

16:43 In stateful security we have some features we need to go over. The first thing is it's a zone-based security

16:50 system, and in that zone-based security system interfaces belong to a zone, and

16:56 so when a packet comes in we're only going to look at the rules in the zone

17:01 that that interface is attached to, and so this helps us narrow down the

17:08 rules that are going to apply to the traffic that's coming in on that interface. Once it comes in we're going

17:13 to go ahead and look at the source and destination IP, the source and destination ports and the protocol, and

17:20 we're going to take all that information, the interface, the protocol and the source and destination information in

17:26 the header, and we're going to decide whether we're going to let this traffic through with the policy. And if we decide

17:33 to let it through we're going to go ahead and make a session and let the

17:39 traffic flow out, but we'll also make a session and bring the traffic back in, and so there's actually going to be two

17:45 flows, one going out and one coming back in, and so we don't have to worry about that traffic coming back in because that will

17:51 be taken care of automatically with our stateful firewall.

17:57 Stateful firewalls usually also have some advanced features that go along with it, and we have our UTM features, and

18:06 this includes anti-virus. It includes categorizing websites

18:12 and being able to block different categories of websites. We have IDP, and

18:17 this looks for patterns within the stream to see if they are detrimental to

18:23 our systems. We have AppSecure. AppSecure lets us look inside the

18:30 application and make sure the application is doing what it's supposed to do. SSL inspection lets us break open an SSL

18:38 encryption, look inside of it, and then put it all back together. User policies, and ATP, advanced threat

18:47 protection. And all of these features we'll talk about here as we go through

18:52 these, but these are some of the advanced features of the stateful security firewall.

18:58 So we saw how we did stateless packet processing, so let's look at how we do stateful packet processing.

19:05 Here we see we have a packet that comes in, and it comes in from the 10.1.1.5

19:10 machine there on the left, and it goes into the firewall, and it comes in on interface

19:17 ge-0/0/1, which is in the private zone, and so we're gonna go ahead and take all that

19:23 information and see if there's a session. We agree that we're going to create a session, so we're going to send this

19:29 traffic out and we're going to automatically create another flow as it comes back, and those two flows together

19:37 create a session that allows traffic to flow out and back in through that firewall. We don't have to worry about

19:43 the return traffic in stateful packet processing because it already gets taken care of automatically. So the logical

19:50 packet flow through our SRX firewall is diagrammed below here in this slide, and

19:58 this is a very important slide to know, especially when troubleshooting. If you know how this flow works you can find

20:04 out where your problem comes out a lot quicker. And so as we see, we have a packet that comes in on the left-hand

20:10 side there, and as that packet comes in it goes into a per-packet policer, then

20:16 it goes into a per-packet filter, that's those firewall filters we talked about, and then once we do that

20:23 we're going to push it up into the flow module, and the first thing in the flow module it's going to say, "Hey, does this

20:28 match a session?" And if it's the first packet it doesn't match a session, and so we're going to go

20:34 ahead and send it up to the first path. In the first path we go through and we analyze the packet and the header

20:40 and find out what it is. We run it through some screens really quick, and screens are just a quick way to find

20:47 problems within that packet itself. And then we go ahead and do the NATs,

20:52 static NAT and destination NAT, and then we go ahead and do a

20:59 route lookup, and then once we have a route lookup we know which interface we're going to leave out of, and so then

21:05 we can look at zones and find the zone that we're working from. So now we know the incoming interface, we know the

21:10 outgoing interface, so we know the incoming zone and we know the outgoing zone, and so now we can go ahead and look

21:16 at our security policy. So we look at a security policy in the context of our

21:22 zone, private to out to zone public in our last slide, or whatever the zones may be. We're going to look up a policy in

21:29 there, so once we look up a policy, that policy is either going to say, you know, permit it or drop it, and we'll do

21:37 that. Let's say we're going to permit it, so we keep going on, and then we're going to do either the reverse static

21:43 NAT or the source NAT. Then we're going to go ahead and look at our services and ALGs, and this is all the advanced things

21:51 that we can do to the packet as it goes through the firewall; it happens in this last stage here. And then once we do get

21:57 all that stuff figured out, what we're going to do is we're going to write this session down to the table, and we write

22:02 the session down to the table, and then we take that first packet that we just analyzed and we send it through

22:09 that table that we just set up. So again it's going to go through the screens, the TCP, the NAT, the services,

22:15 ALG, and go out. Now the next time the packet comes back from whatever machine

22:21 we talked to, as it comes back here, we are going to send it back through, and

22:27 when it comes it'll say, "Match session?" It'll say yes, and then it'll just go through the fast path. We already know

22:32 everything we're going to do with this packet: what the NAT translations would be, what type of screens we want to look at, what

22:39 options we need to work with, and it'll just set that up automatically for us and then send that through, and that's

22:45 what makes it so much quicker. We get a lot of information on the first path in

22:51 our logs when we're troubleshooting, but on the subsequent packets all we

22:56 basically get is information that the packet came through. We don't get all the details about the decisions that got

23:02 made, because the decisions aren't being made anymore; they're just being applied to the packets as they come through on anything

23:08 that matches the session that's created. So once we get that we go back to our

23:14 outgoing packet filter, and then we have a packet shaper, and then we send it out

23:19 onto the network. And so this is how our logical packet flow works. Again,

23:25 this is a very important diagram, and I would take time to make sure I understood this diagram as we go forward.

23:33 So let's take a look at a little example of how this packet flow works. So I've got a machine down here at 10.1.20.5,

23:41 and it wants to send a packet up to 203.0.113.5.

23:47 Now we see we're in the private zone on the left side, and on the right side we're in the external zone. We actually

23:53 have two zones, we have a public zone down below, but we're only really worried about the external zone at this point. And so we see we have our source address,

24:01 we have our destination address, we have a protocol that we're going to send it out on, and we see its destination

24:07 port is 443, so it should be HTTPS as the

24:12 protocol that we're going to send across. And then we have a source port, and the source port is basically just a random

24:19 port that's generated by the originating host, the 10.1.20.5, just to keep track of

24:26 all the conversations that it's going to have. And so don't worry too much about that source port number; it's a

24:32 randomly generated number from that host. So we have this information. So now what

24:37 do we do with this? So let's go ahead and see what we're going to do with that. So the first thing we're going to do is we say, do we have any stateless processing?

24:44 And we're going to say no, we don't have any stateless processing. And then we say, does this session exist, on

24:50 the number two there? No, we don't have a session. And so, do we have any screens? Let's say we do not have any screens.

24:58 And so at that point we're going to go through and do our destination NAT. We don't have any destination NAT. And then

25:05 we're going to look up a route table. So over here on the left we have our forwarding table, and we look up and say,

25:10 how do we get to this IP address? And oh, we do have an entry in our forwarding

25:15 table, and we're going to go out ge-0/0/0 to get to that destination address. And so

25:23 now we have the outgoing interface, so now we know the zone that that's going to be in.

25:31 Once we know the zone we can then go ahead and look up and find out if we

25:36 have any rules that apply to that. And here we have a rule that says, hey, if the

25:42 source address is 10.1.0.0/16, the destination address is any, meaning it

25:49 goes anywhere, and the application is HTTPS, we're going to permit that. So we

25:55 do have a rule that's going to allow that. So then what we're going to do is we're going to set up a flow that goes from

26:03 the internal side to the outside, to the external side, excuse me, and you see that there: the 10.1.20.5 going to

26:11 203.0.113.5. And then what we need to do is we need to have a return flow set

26:18 up, so we create that automatically, so you see that the source address is the

26:23 203.0.113.5, which is our external host, coming back to our internal host.

26:29 And so those two flows together equal a session, and so now when any other

26:35 packets come in we will go ahead and basically just say, yes, there is a

26:40 session, and we'll send the traffic through the fast path there. And so that is an overview of how the packet creates

26:48 a flow and makes a path through the firewall to communicate with servers on

26:54 the other side. All right, the next section is how to

27:00 access the Junos security device. There are many ways that we can work

27:06 with and configure and change and operate the SRX device. Two of the main

27:13 ways, though, are the Junos CLI and the J-Web. The Junos CLI is a text-based shell

27:20 command tool, and we can either get into that through what we call the console,

27:26 through a serial cable, or we can use some type of a protocol like Telnet or

27:32 SSH to get into the device. Here we see we have some information about each one

27:39 of those and how you would be able to work with that. When we work with

27:45 SSH or Telnet we have to tell the SRX to accept those

27:51 connections, since it's a security device; its main operation is to secure itself

27:58 and not to let anybody talk to it or be able to break into it, and so we have

28:03 to go in and actually set up information inside the device to allow us to communicate with that device.

28:10 On the J-Web it's the same way: we have to turn that on and allow that access.

28:16 But what the J-Web is, it's a graphical user interface through a web

28:21 browser, and it lets us use either HTTP or HTTPS to be able to configure, modify

28:29 and operate the SRX device. So to log into this device we're going

28:36 to go ahead and log in, especially for the first time, we've got to log in as root. Root is the only username that is

28:42 given by default to the Unix device, which is the Junos device, so

28:48 we're going to go ahead and log in as root. So if we see that we log in as root, when we log in there we see that we have

28:55 that percent sign after the prompt there, so we have root@router%, and

29:00 that percent sign lets us know that it is the shell prompt, and so what that

29:05 means is that we're in the Unix shell at this point, not inside Junos at this particular moment. And we can also see

29:13 that there's another way we can look at that. These are the two different

29:18 ways, depending on the version of code, to see that shell prompt: you're either going to have that percent sign or

29:25 you're going to have root@, and then a colon, tilde, and then a pound sign. We're

29:32 gonna go ahead, and with either one of those, if they pop up, what we need to do is we need to actually get into the Junos

29:40 command line structure, which is we type in cli to enter the Junos CLI, and then

29:47 when we get there we see that we have the greater-than sign at the end of the prompt, which shows that we are in the

29:54 Junos operating system. So a non-root user: once we have users

30:01 set up, a non-root user, when they log in, will go ahead and go straight into Junos,

30:08 but anytime the root user logs in they log straight into the Unix shell and

30:14 then would have to run the cli command to get into Junos.

30:21 the jweb login is very similar to any other login in a web page you go to the

30:28 IP address of the SRX and the J web will

30:34 come up and ask you to put in a username and password go ahead and put in that username and password click the login

30:41 the J web makes it nice because it is a graphical user interface it allows for

30:49 easy setup and maintenance of the SRX devices all that is required to access

30:54 the jweb is a web browser there's no additional software that you need to

31:00 have to be able to access apps so that makes that really nice uh the GUI provides access to some uh

31:08 Wizards to help you set up the device the right way and to follow along to get it started so a lot of times people who

31:16 are new to the SRX will use the J web uh because it's just a little bit more user

31:21 intuitive to figure out exactly what we need to do to get the device set up and make it work with the graphical user

31:28 interface we can go ahead and we can set up all of our security policies our vpns

31:33 our Nets anything that we might need to we can set up through that GUI we can

31:40 also get some real-time graphs and statistics and some reports and and some

31:45 of those don't come across as well in the text-based CLI as they do inside of

31:51 the GUI the GUI requires the configuration changes to be committed just like in the CLI so as we make

31:58 changes we can make some changes and then we got to go ahead and commit those so nothing goes live until we commit in

32:04 neither the CLI or the GUI the SRX comes with a default

32:10 configuration file this default configuration file helps you get up and

32:15 running for a a small location with this device and what this SRX configuration

32:23 file does is allow us to take one interface which is in the untrust zone and hook it out to an internet feed that

32:31 internet feed would need to have a DHCP service on it so that a IP address would

32:37 be sent down to the SRX so that it would function and then the other interfaces would all

32:44 be put into another VLAN and that VLAN also has a DHCP server built into the

32:50 SRX that feeds IP addresses out to all the devices hooked to it and in this way

32:55 you can hook up your SRX very quickly to be able to have internet access this way

33:02 it just helps facilitate your use with the SRX device having this default

33:08 configuration file the higher-end SRXs need to be fully configured because they don't have a

33:15 default configuration file when they come in this demonstration you will be shown

33:23 how to configure vSRX to provide additional J-Web access the vSRX will be

33:29 configured with a 192.168.1.1/24 address on the fxp0 port and the connecting

33:38 management device will have the same address with a .10 so they're on the same network

33:47 this demo starts on the management desktop where we see that it has the

33:52 192.168.1.10 address on the /24 network

33:58 they want the vSRX to be part of now while we can initially try to

34:03 connect using SSH there is a default rule in Junos that we cannot log in to

34:09 an SSH account with the root account you can only log in from the

34:15 console so if I try this ssh root@192.168.1.1

34:26 we see that we have no connectivity at all so if we try to go over now to the web

34:32 and access it so we'll go ahead and put the address in there

34:39 we'll see that we do not have access there either

34:46 so in order to fix this we'll have to get on the console onto the vSRX to do

34:52 some configuration this is the connection to the vSRX using the console we know it's a brand new

35:00 system because it says amnesiac keyword there meaning that it has never been

35:05 configured yet at this point we'll log in as root it's

35:10 the only valid login right now this drops us to the OS shell

35:15 and we put in some Linux commands if we want to from here we can type in CLI and get

35:23 into the Junos operational mode and we can go to configure to get into our configuration mode so we can start

35:29 making changes now let's look at the default configuration here using the show

35:34 command and this came with the device the way it boots up here we see that we have the system hierarchy

35:42 here we'll scroll down we see the services and we see SSH

35:47 and web management http so we should be able to SSH and HTTP to

35:55 the device but as you can see under HTTP we have interface fxp0.0 meaning that

36:03 we can only use web management on that interface the other thing to point out is SSH will

36:10 allow me to SSH from any non-root user account

36:16 but not through the root user I could configure that functionality if

36:21 I wanted to we scroll down and we see that there's a warning message here that the root

36:27 authentication needs to be set we can't commit without this mandatory statement to be included

36:33 and then we see in our security we see some screens options we see some policies here

36:40 from trust to trust, from zone trust to untrust

36:45 this allows traffic to pass but looking further down we see that we

36:51 have no interfaces into those zones nor have the interfaces been configured

36:59 so at this point looking at fxp0 here we don't even have an IP address on

37:04 there so we'll need to configure that so let's do set interfaces fxp0.0 family

37:10 inet address 192.168.1.1/24

37:16 now if this is new to you I'd recommend going to the Jumpstart Juniper Fundamentals course which will walk you

37:22 through some of this command line information on how to configure an interface on a Junos device

37:30 now the second thing we have to set is our password so we'll do set system root-authentication plain-text-password hit

37:37 enter type in our super secret password here and we can go ahead and do a commit check

37:44 just to make sure we have everything right and now it looks good so let's go ahead and do an actual commit here for

37:51 us we're now ready to test our configuration

37:57 returning to the management desktop we can refresh our screen and be presented

38:02 with the login page now so a login is root put in our password and click on the login button

38:10 and then we're presented with a basic settings screen because we know this is a

38:15 brand new configuration and it wants to help us walk us through this configuration to help us set it up

38:23 to get more information about this I recommend going back to the Jumpstart Juniper Fundamentals course video

38:30 we'll walk through this so now we'll go ahead and check the

38:36 connectivity back to SSH we go back and test that it looks like it's going to work but it won't let us in because the

38:44 root user cannot but any other user could log in with the SSH here at this

38:50 point in time our next agenda item is security policies

38:55 what is a security policy a security policy is just a collection of rules

39:02 that tell the SRX whether to allow traffic to pass through or to drop that

39:08 traffic and so as a packet comes in we need to have a rule that

39:13 gets applied to that to let this traffic through and so that's what a security policy does

39:20 so we have zone security policies and a zone security policy works in the context

39:26 of a zone now we talked a little bit about these that zone is a collection of

39:32 interfaces that have the same security needs and so what we want to do is we're

39:38 going to have a set of rules for each context of security zones so if we only

39:44 have two zones we're going to have traffic that flows from you know like let's say the untrust to the trust we

39:52 have another set of rules and that set of rules would be from the trust to the

39:57 untrust so you're going to have to make a set of rules for flow in both

40:03 directions and depending on if you want traffic to start from either direction to come through the firewall if you

40:10 don't want traffic to ever come from the untrust we'll never have any rules from there because if there's no rules in a

40:16 certain context the SRX will drop all packets that come in from that zone

40:23 so here we see an example down below with the security policies inside of the

40:30 J-Web and we have a security policy built in down here and if you look it

40:36 says it goes from the untrust zone to the trust Zone and it matches any

40:41 traffic it's any Source address any destination address in any service so

40:46 any port number going to any address coming from any address will match this

40:52 policy but then if you look over on the right there's a little red X there and

40:57 that little red X is saying we're going to drop the traffic and this is a

41:03 good rule to have on your untrust now if there's no rules inside of a zone

41:09 context the default is to drop all traffic but most people like to put a rule there just like you see here to

41:16 drop that traffic that comes across and then if you look down below you'll see that we have a CLI

41:23 configuration of that same thing and we'll use those set commands to set that

41:28 set from-zone untrust and we go through and create the rest of that but that is

41:35 our security Zone just to show you how it gets configured

41:40 so let's just kind of take a look at this real quick and see how this would work in this example

41:46 so here you see that we have a couple of devices in the private Zone we have a

41:53 device out in the external Zone and one in the public Zone

41:59 host B is going to initiate an SSH session over to host D out in the

42:04 external zone so the flow is going to be from zone B to zone D

42:10 there needs to be a security policy that permits this flow and so we're going to

42:16 add one there so basically we're going to say hey look we're going to put a security policy from the private Zone to

42:22 the external Zone if the source address is equal to host B and the destination

42:28 address is equal to host D and the application is SSH we're going to go

42:34 ahead and permit that traffic through our firewall so as that first packet comes through

42:41 our device it's going to find that rule and we're going to create a session we'll create two flows one flow going

42:48 from B to D and another flow going from D to B in our session table and then we

42:56 don't have to do any more calculations when that packet comes in will automatically work with that so now

43:03 since we have that reverse flow entered into our session table when that return

43:09 traffic comes from D the SRX will say does this match a session it'll say yes it does and now we can send traffic

43:16 both directions through our device another type of policy is the global

43:22 security policy a global security policy does not use a zone context it just uses

43:29 the source and destination addresses to decide whether it matches on traffic the

43:35 the global security policies run after the zone security policy so if a packet

43:41 comes in on a certain Zone and leaves on a certain Zone if there's rules inside

43:46 that zone context it's going to go through all of those if it gets to the bottom and it doesn't match anything instead of just being thrown away it now

43:54 comes over and runs in the global security policy section and this is a great place to

44:00 have like a cleanup rule where you're going to basically log all traffic that's dropped there and so now you

44:07 don't have to put a rule at the end of each context to do that you can just have one rule in your Global security

44:12 policies they can reduce the number of security contexts that you need to worry about

44:19 but they also can open up a few holes that you might not think about and we'll

44:24 go over an example here on the next slide but then here down below we have a J-Web

44:31 and a CLI version of the same policy where we're going to throw away

44:37 all the traffic that comes to the global security policies

44:44 so here in our example we have a few machines here we have a b c they're each

44:50 in a different zone A is in the HR zone B is in the engineering zone and C

44:55 is in the IT zone and what we want to do is we want to let them all have access out to the Internet so we're going to

45:01 make this global security policy rule that says if the source address equals host A

45:07 B or C and the destination address equals anything any then the application HTTPS will be

45:15 permitted through the firewall and this is all well and good and this does save having a rule for each

45:22 one of these zones to do the same exact thing but the one thing you want to just make sure of is that because of source

45:30 address A can now talk to B and C because they're part of destination

45:37 address any and so you need to be careful about how you build these rules

45:42 up because you might open up traffic flowing in a direction that you really didn't mean to when you have a global

45:49 security policy like that but they can be very useful in some instances

45:55 so there's a default security policy and normally that default security policy is

46:02 to deny all traffic and so as a firewall when you first turn it on and start to

46:07 run it what it wants to do is it wants to throw away anything that doesn't have a rule for which is what a firewall

46:14 wants to do it's a little different than a router a router wants to pass everything as it comes in and so there's

46:21 a little bit of difference there you can change this default action though if you do a set default-policy permit-all at

46:28 the CLI you can get it to then allow all traffic okay now just be very careful

46:35 with that that's not the default policy and if you do turn that on you could get

46:41 some people into trouble if they don't understand how the firewall is functioning at the time some models have

46:48 a security policy built in with the factory default template and this template is to have a trust to trust

46:54 Zone permit all so if you're in the trust Zone you're going back to the trust Zone we're going to allow that traffic to go through another one is if

47:02 we're going from the trust zone out to the untrust zone out to the internet usually then we're going to allow that

47:07 to go through and but if anything coming from the internet back to the trust Zone from the untrust to the trust Zone we're

47:13 going to deny that a good command to keep track of is the show security policies command you can see here we

47:21 have the default policy deny-all and that'll help us keep track of what our firewall is set to so we don't get

47:28 ourselves into some trouble there okay so security policies are mainly there to affect transit traffic this is traffic

47:35 that travels through our firewall and so we have different types of

47:40 policies we've talked about we have our Zone policies our Global policies and our default policy so as a packet comes

47:47 in we're going to say hey is there a match in the zone policies if

47:52 yes we're going to go ahead and execute that action and be done if we say no there is no rule inside of

48:00 the Zone context we're going to go down and see if there's a global policy if

48:05 there is a global policy we'll go ahead and execute that action and be done if there isn't a global policy there we're

48:12 going to go send it down to the default action so that's the way our security policies well let's just take a look at

48:19 our security policy components real quick we have our security policy

48:25 context which is a zone where we need to specify an incoming zone

48:31 and an outgoing Zone so we need to have those if we have a

48:36 global security policy we do not require that zone context no matter whether it is a zone security

48:43 policy or global security policy there are some components within that policy and the first thing is we're

48:51 going to need to give it a name and we should give it a name that describes what that policy is going to do allow

48:58 SSH allow HTTP what is that policy going to do we should give it a unique

49:04 name that clarifies that then we're going to have match criteria

49:09 we're going to match on the source address the destination address and the application at a bare minimum to be able

49:15 to identify the traffic when it comes in and then once we have a match we need to

49:22 have different action criteria and the action can be permit deny or reject

49:28 so let's talk about our security object The Zone the zone is a collection of

49:35 interfaces or network segments that have the same security requirements

49:41 let's say I have three different links out to three different ISPs I would put them in the same security zone there's

49:49 no reason to have a security zone for ISP A, one for ISP B and one for ISP C just

49:55 put them all in the same security Zone if you get too many zones there's so

50:01 many different contexts that you can have it is hard to keep track of all of them have enough security zones so that

50:08 you can differentiate your traffic the best way possible but don't go overboard

50:13 just to make a new zone so these zones they're the building blocks of our

50:18 security policies when we're going to look we're going to find our incoming interface and our

50:24 outgoing interface and from that we know which zones we know our incoming Zone and our outgoing Zone and then we're

50:30 going to go look in that context from Zone a to Zone B we're going to look for a rule inside of there if we don't have

50:37 an interface in a Zone it is automatically placed into a system

50:42 defined Zone called the null Zone and the null Zone does not allow any traffic to pass on

50:51 that interface there are some exceptions we do have an fxp0 interface on our devices

51:00 our cluster interfaces these do not need to be put into zones because they are

51:05 not part of the transit traffic that we would have

51:11 let's show you how to create a Zone the first thing we need to do is down at the bottom let's look at the CLI real quick

51:17 we can do set security zones security-zone public and that made the zone and

51:23 now we're going to go ahead and add an interface to it, ge-0/0/0.0 if we're on the J-Web we will go into

51:32 the zones and screens option under configuration and then we're going to go

51:38 ahead and name the Zone tell it what kind it is it's a security Zone

51:44 and then we'll pick the interface that we want to have in that zone or interfaces and select those we have some

51:51 other tabs across the top that talk about host inbound traffic now this host

51:57 inbound traffic is traffic that is destined to the routing engine of the

52:03 device that you're working on and so this is only for management purposes to

52:08 have these on here but we can go into each Zone and say look if traffic is

52:13 coming into the from the zone to our device to the SRX we're only going to

52:18 allow certain protocols to get through and send to the routing engine so you

52:24 could add SSH there and then SSH as it comes in on that zone can get through

52:30 and go to the routing engine but what if we don't want to have telnet get through

52:36 we can just make sure telnet is not in that list and telnet cannot even make it

52:41 in to try so we could turn telnet on under system services and it would work but

52:48 yeah we could block it at the zone so if anybody tries to telnet to the IP address of any of the interfaces in that

52:54 zone we're just going to drop that traffic so here we have our protocols

52:59 and our services that might need to be allowed into our routing engine

53:05 we can also put this on per interface so we can have certain protocols and

53:11 services allowed in on the Zone but then we can go one step further and each

53:17 interface in that zone we could also put a host inbound traffic for either

53:22 services or protocols to allow those in per interface and once we put them on an

53:28 interface then we ignore whatever's on the Zone if you have telnet on the zone and SSH on the interface all you're

53:36 going to be able to do is SSH because we're not going to allow we're not going to try and add those together it's only

53:41 whatever's on the interface is going to take precedence

53:46 all right so for these security policies we have to match certain traffic and so we have criteria that we

53:54 can configure in there to look for different types of traffic so here we have Source addresses we can have an

54:00 individual address a range of addresses or an address set destination address right the same thing we have

54:07 applications and what an application is it's the port we're going to open up we're going to open up Port 80 for HTTP

54:13 or 443 for https that is the port that's going to be open

54:18 and those three are required we need to have those three set up for sure but

54:24 there's also some new ones that we can add as the SRX has been evolving we

54:30 have dynamic applications and what this does is this goes into layer 7 and

54:36 actually verifies the application and you want this Dynamic application to look for those because what would happen

54:43 is people knew that Port 80 was open and they'd start to write all their code to

54:48 get their applications run on Port 80 because they knew that Port was open well maybe you want to make sure there's

54:55 only web traffic HTTP traffic flowing through port 80 that's where we'd use a

55:00 dynamic application and we'd say hey look we want to open up port 80 but we want to make sure it's

55:05 just HTTP flowing across port 80 and so then you can add that to

55:11 your dynamic applications for that there's also URL categories and we can

55:17 add that if we want to and then this is categories like sports or

55:23 gambling and we can say look we don't want these in our offices because people are spending too much time on

55:29 those and not performing the tasks they need to do it just helps you protect your resources and your time inside your

55:36 company so that's the match criteria that we can have the next thing is the policy actions

55:43 right once we've matched the traffic we've talked about it we need to have an action and so permit allows the

55:51 traffic to flow through the firewall deny silently drops the traffic right we throw it away and nobody knows what

55:57 happened to it but reject drops the traffic and then it'll send a message back to the sending

56:05 machine to say hey look I'm just letting you know I threw away your packet and so this is not used very much it's great

56:12 for troubleshooting if things are dropping you're not sure what's going on you can add a reject in to look at

56:19 things but usually you'll put the deny back once everything's working the way you want it to so nobody knows where

56:25 your firewalls are at for the most part you'll want to put deny as your action instead of reject optionally once you

56:32 permit or deny you can do other things like count log there's other options

56:37 that we can do once we have decided what we're going to do with that traffic we can also go and look at some of the

56:46 statistics graphically inside the J-Web of the dropped traffic or the traffic going through

56:52 then down on the bottom we just have some CLI of how you would have entered each one of those so we have the then

56:57 permit then deny then reject on our CLI

57:02 so inside the J-Web here we have our security policy components so we have

57:08 our Zone context right you see that says from trust to untrust there's one rule we named it rule one you would want to

57:16 name that rule something more specific and then we see we go from Zone trust to

57:22 untrust down inside just to make sure that the source address is any destination address is any

57:28 we're going to use any dynamic application and then our URL category is

57:34 none and so we're not going to look for any categories and our action is to permit because that's a little green

57:40 check box there and then we're going to log that traffic we're going to log once

57:46 there's the initial packet and we're going to log once we close the session for this conversation and again down

57:53 below we have basically just the CLI of the same thing that we have up there

57:58 inside the J-Web once we permit traffic to go through on a policy we can do

58:06 Advanced features on that here's a list of some of those one of them is a firewall authentication

58:13 now firewall authentication is like when you go to a hotel and they ask you

58:19 to put in your room number and a name or something just to verify that you are part of that hotel and not just

58:28 somebody trying to get onto their Wi-Fi system so the SRX will do that also another one

58:35 is SSL proxy if we're going to examine the data and be able to do different

58:41 things with it we've got to be able to get it out of the encrypted state most of the time and so the SRX

58:48 will do an SSL proxy to decrypt the traffic and then re-encrypt the traffic

58:53 so that it can analyze it in the clear state ATP cloud

59:00 is where we can hook in and find zero day malware where we can find

59:07 feeds and different things to help us secure our networks from the threats

59:12 that are out there IDP we have our intrusion detection and

59:18 prevention this is a great option to help

59:23 evaluate patterns within the traffic to find out if there are

59:29 issues with the code coming in and then UTM UTM covers four different

59:35 options anti-spam antivirus web filtering and content filtering

59:42 another one of the objects we had was zones and now we have our addresses

59:49 the address is needed in our configuration we can't just put an IP

59:56 address in the policy we actually have to create an address object and then call that address object within the

1:00:03 policy itself and so here we see we have an address object it can be an IPv4 address it can

1:00:10 be an IPv6 address it can be represented by a DNS entry it can also have a prefix

1:00:19 or an IP range built into those and we'll take a look at that on the next slide here

1:00:25 but we have address objects and they can belong to either a zone or they can be a

1:00:32 global address object more and more everybody is starting to move their address objects into the global address

1:00:39 objects so we have one place where all the objects are held instead of holding

1:00:46 them inside the different zones it makes it a little bit easier to read and understand in the configuration and it

1:00:54 can be used by all the security policies and not just the ones in the zone

1:01:00 context it's being asked about so here are these address object types here we

1:01:05 have our single IPv4 or IPv6 address or we can do a prefix right you do a 10/8

1:01:13 or we have a wildcard address and the wildcard address is kind of handy if you've designed your network right

1:01:19 where we can say hey look we want to match on 192.168

1:01:25 and that we don't care what the third octet is but the fourth octet will be 12 and then you see the mask we put on

1:01:33 there is the 255.255.0.255 so anywhere that's zero we don't

1:01:39 care and wherever it's a 255 we do care and that's a bit wise match so you could

1:01:46 use different numbers than 0 and 255 depending on how you're going to design that

1:01:52 domain name address you can use the domain name instead of an IP address you

1:01:57 just have to make sure that the DNS server is configured within the SRX so

1:02:02 the SRX can go look that up and then address range and an address range is one with a lower address

1:02:09 and one with a higher address and we'll see some examples here so here's an IP address and here is a

1:02:19 wildcard address and then we have our domain name address and a range address

1:02:25 example

1:02:31 so the global address book it just is a place to put all of our

1:02:37 address objects and so here's just an example of how we could configure that up here we have our address and I'd give

1:02:46 it a name FTP server and then we give it the IP address that we're going with there

1:02:53 then we have another one address NMS and we have another /32 address on

1:02:58 that now again we could put a name and maybe put you know DMZ network

1:03:06 and have a /24 or /16 in

1:03:11 there as a prefix another object is our services now

1:03:16 services is the same thing as an application we call it services inside

1:03:21 the J-Web but in the CLI it's called applications and what this is is just

1:03:27 the port you're going to open up on the firewall to listen to or to send

1:03:33 traffic across so we can go ahead and we can create our

1:03:38 own or Junos has a whole bunch of predefined applications if you want to

1:03:43 find those they're built into the J-Web but if you want to find them on the CLI you can do show configuration groups

1:03:49 junos-defaults applications and it will give you an entire list of all the applications that you can use

1:03:56 automatically that are built into Junos I said we could create a custom application so here's how you would do

1:04:03 that in the J-Web you would just go ahead and hit that plus once you're in the custom applications you give it a

1:04:10 name you'd use an ALG if you want to select the protocol select the

1:04:15 destination port and then there's a few other additional settings but those are the main settings that you need if you

1:04:21 want to do that and then down below we have basically the same thing set up with a CLI there so you can see how that

1:04:29 works down there with the CLI an application set is a group of

1:04:35 applications and this is great in configuring and managing your firewalls

1:04:41 let's say we go ahead and we have some web servers and the web servers need to have HTTP, HTTPS

1:04:48 maybe they need SSH I don't know whatever applications

1:04:54 you might need for that you can just go ahead and you could make a web server

1:05:00 application and name it something like that and then you just add all those

1:05:06 applications to that and then whenever you build up a web server or need that

1:05:11 in there you just bring in put this one application in there but it holds the

1:05:17 three four five applications that you need for that just makes it a lot easier and a lot cleaner in your code as you're

1:05:25 configuring here we see we have a J-Web example and

1:05:30 then again down at the bottom we have a CLI example we want to take all these things we've

1:05:37 talked about and then we got to bring them together to actually make them work so to create a policy we need to define

1:05:43 the policy context which zone are we coming into and which zone are we going out to or are we going to make it a

1:05:49 global policy then we've got to give it a name again we want to make it a unique

1:05:56 name that is descriptive of what that policy is going to do and then we're going to Define our match

1:06:03 criteria we're going to do our source and destination addresses and any

1:06:08 application that we have or dynamic application that we have and then we

1:06:14 want to define the action are we going to permit that are we going to deny it

1:06:19 are we going to reject it do we have Advanced Services that we want to plug on yeah we want to permit this traffic

1:06:25 but we also want to put ATP Cloud onto that and run that and so we need to

1:06:32 make sure we have all of our ideas together on how that's going to work so let's just take a look at the CLI

1:06:39 here and we have a policy here so here we have our zone context zone-name to

1:06:45 zone-name right so that'd be like from trust to untrust from internal to external whatever

1:06:51 you call your zones next we have a policy name allow SSH allow HTTP

1:06:58 whatever that policy is going to be there for and then we have our match criteria here we have our source address

1:07:04 and then we have our address object address-name that has to be an address object that we already created

1:07:11 destination address again same thing we need to have a created object for that

1:07:17 and then an application in the application name and that also needs to be an object that'd be those

1:07:24 service objects or the application objects we then have our action that we need to

1:07:29 do here we're going to permit or deny that once we have gone through the context from the zone to Zone if we have

1:07:36 not matched we will go down to the global policy so here we're just showing you a global policy here too it also has

1:07:43 a name it has the match criteria and actions just the same as the zone to

1:07:50 Zone we just don't have the Zone context for the global policies the order that a policy runs in is

1:07:59 important if the very first policy that runs says source any

1:08:05 destination any application any it doesn't matter what comes after that we

1:08:10 matched on every packet that's going to come through there and do the action whether it's permit or deny we're never

1:08:16 going to get to the rest of them because we basically created a shadow over

1:08:22 that because we had our most open policy at the very beginning so you want to put

1:08:29 the policies that have the most specific criteria at the beginning

1:08:35 or up at the higher levels and then the ones with the more generic

1:08:41 match criteria should be listed lower in the list so remember that as you create

1:08:47 new rules they usually get created at the end of the list and so if you have a

1:08:53 block-everything any any deny at the end your policy is going to get added

1:08:59 underneath of that so then you'll have to move that and move it into the right place and so here's just some policies

1:09:06 examples down here that we have inside the J web we can go and click on

1:09:14 the policy that we're looking at and we can go hit the move and we can say hey move this and we can move it

1:09:22 um above a rule below a rule wherever we might want to move that but we can move

1:09:27 those rules around the CLI also allows us to move the rules

1:09:33 around using the insert command here we have uh at the very beginning we have

1:09:38 insert policy rule one before rule two and that will move the policy before

1:09:44 rule two we can also deactivate different rules and just turn them off

1:09:50 they're still there this this is used for troubleshooting quite a bit you're like hey what if I get rid of this rule

1:09:56 let's get rid of it and see what happens and then oh nope that's not what our problem is let's go ahead and turn that

1:10:01 one back on so then you'd say activate rule two and then we can go ahead and we can copy

1:10:07 rules so we can do copy policy rule one to put policy rule three and then now we

1:10:14 have a whole nother section it's exactly the same as policy once we need to go in and make the changes we want but maybe

1:10:20 there's only one difference between the two so it's easier just to copy it than to try to remake it from scratch and

1:10:26 then you can also rename uh the policies if you want so we say rename rule one to

1:10:32 two policy to rule three that does not usually come into effect unless you

1:10:38 number your rules like is here uh then you might want to rename your rules

1:10:43 A newer option on the SRX is a unified security policy. This unified security

1:10:50 policy just looks at security in those policies in a little bit different way.

1:10:55 They expand the match criteria that we can have on a policy. One of those

1:11:02 expansions is dynamic application, where we dig into layer 7 to verify the

1:11:09 application that's actually running through there, or even parts of an application that are running through

1:11:15 there. Another one is URL category; that would replace the UTM web filtering

1:11:21 piece, and these all become just part of the match criteria of our policies.

1:11:28 So what is application firewalling? Application firewalling allows us to

1:11:34 block traffic based upon the application. So let's say you work in an office and

1:11:42 they allow you to look at Reddit, but they don't want you to make comments on Reddit. You can go ahead and actually say,

1:11:49 hey, look, we're going to allow Reddit but we're not going to allow updates to Reddit, and so you can make policies

1:11:57 that go along those lines to block people from making posts on the

1:12:03 Reddit website. And so we can dig in and look at not just whether it's an

1:12:10 application, but what the application is doing, to allow us to

1:12:16 quickly and precisely control the different types of traffic going through

1:12:22 our firewall. This all happens with our AppID module as it goes through and identifies

1:12:29 the applications that go in there, and this is just more detailed information than you get from, hey, there's this port

1:12:37 that's open and it's supposed to be web traffic, and so that's what should be running across there.

1:12:43 Once we have that AppID, we can then use

1:12:50 app firewall to block that traffic. So how does that work?

1:12:55 Well, the first packet comes in, right, it's a SYN packet, and while it's sitting there

1:13:00 the firewall says, well, I don't know what type of application this is, so what we're going to do is we're going to

1:13:06 allow this packet through based upon just the port number that it came across,

1:13:12 and so we go, okay. And then the packet comes back and we look and we're like,

1:13:18 yeah, we're still not sure, it's still kind of setting up the conversation. And then finally a packet

1:13:23 comes through and we go, oh, I know what app that is now, and now we can go looking up the policy rules and see if

1:13:31 we have a policy for that application. And we do have a policy and it's not supposed to go through, so we go ahead

1:13:37 and close the session and stop the traffic from flowing through that.

1:13:42 Or we could have allowed the traffic to go through on that one and kept the

1:13:49 session going. So this is just a really great way to really dig down deep inside

1:13:55 of your traffic and find out what's going across your network. Unified

1:14:01 security policy evaluation is a little different, so we've got to make sure we

1:14:06 understand how they work. So before we had unified security policies, in

1:14:12 Junos OS 18.1 or earlier,

1:14:17 all the policies are processed sequentially: we did all the zone policies and then we did the global

1:14:24 policies, and we've talked about that in this course. But now on 18.2 or later,

1:14:29 it's still sequential but we have a few caveats that we need to talk about. One

1:14:36 of those is we're going to jump into the zone security policies first, just like we did before,

1:14:42 but now what we're going to do is we're going to run all the non-dynamic application rules first. It doesn't

1:14:50 matter which order they're in; we're going to run them first, in the order they're listed, and then we're going to

1:14:56 run all the dynamic application policies that are configured, in the order that

1:15:01 they're put in there. So on the next slide we'll see how that works. But then we jump into the global security

1:15:08 policies and we do the exact same thing. So let's see how that kind of works.

1:15:13 Here we have policies one, two, three, four, five and six, and you see that some of

1:15:19 them do not have a dynamic application, right, or they're set to none; that is the

1:15:25 same thing to the SRX firewall. So here we have our dynamic app equals none, no

1:15:31 dynamic app configured. Now on policy three we do have a dynamic app configured, and then policy four we have

1:15:38 a dynamic app configured, five we do not have one configured, and six we have one

1:15:44 set up for none. So now look over on the left-hand side there, the numbers in red; that's the

1:15:52 order we're going to evaluate the packet that comes in. This packet comes in, we're going to look at policy one: no, it

1:15:58 doesn't match. Policy two: no, it doesn't match. But we're not going to go to policy three, we're going to go to policy

1:16:04 five, because policy five is a non-dynamic application, and we're going to do all

1:16:11 the non-dynamic applications first, like we said on the last slide. So we do five, six, and then we jump back up and do

1:16:18 three, four. So we do all the non-dynamics in order and then all the dynamics in

1:16:24 order. And so this has caused a lot of headaches, because people want to put a dynamic policy right at the beginning to

1:16:31 try it out and see how it works, and they want to try and control it a little bit more, and that's fine, but you've got to make

1:16:37 sure you understand what's going on on your firewall. And then we

1:16:42 go over to the global security policies on the other side and do the exact same thing: we're going to run the

1:16:48 non-dynamic ones first and then the dynamic applications after that.

1:16:54 The default security policy action with our unified security policies: we need to take a couple of packets

1:17:02 to determine which application there is. We could actually have two policies that

1:17:08 match that traffic except for the dynamic application match. So going back to our example of

1:17:16 Reddit, we could have two different policies, one saying, hey, look, I want you

1:17:21 to match on Reddit, and one, I want you to match on posting to Reddit, and so you

1:17:26 could have two different actions based on those, but everything else is exactly the same except for that last dynamic

1:17:32 application. And then we have a pre-ID default policy,

1:17:38 which is, we're going to log this session. So if we start one up and

1:17:44 we're trying to figure out which application it is, we're still going to log that and say that that actually came in and happened. And then inside of that

1:17:52 default policy we can change the session timeout values for different types of

1:17:57 protocols, and that's just saying, hey, how long are we going to wait until we know

1:18:03 what kind of application this is before we shut it down and deny that

1:18:08 traffic. So these are the options that we have with our default security policy.

1:18:17 So we can change that pre-ID default policy to say, hey, how long are we

1:18:24 going to keep these going before we decide we're going to just throw the traffic away.

1:18:29 And so here you can see, inside the global options inside the J-Web, or down

1:18:34 in security policies, we have our pre-ID default policy. We can tell it what we want

1:18:40 to do: look, we want to go four seconds for ICMP,

1:18:48 and then we want to log that when it does go through there. And so if

1:18:54 we can't figure it out within those four seconds, then what we

1:18:59 want to do is we want to just drop that traffic and not have it go through. So just as an overview on our SRX

1:19:08 devices: they are a normal firewall but have a lot of additional services

1:19:15 that can run on them, and there are some here. We have the IPS, we have content

1:19:21 filtering, anti-virus, anti-spam, NAT, web filtering, application detection, SSL

1:19:28 decryption and encryption, malware protection, user firewalling, Advanced

1:19:34 Threat Prevention and IPsec VPNs. And then remember there's an SRX that can

1:19:40 scale to whatever need you might need it to scale to.

1:19:48 All right, we now have a security policy demo.

1:19:54 In this demo we're going to connect client 1 to client 2. Currently there is no

1:20:00 access between the two, and client 1 needs to be able to ping the SRX

1:20:06 gateway, and so we need to be able to ping 10.1.1.1.

1:20:14 Client 1 also needs full access to all the applications between client 1 and

1:20:19 client 2, except for SSH. So our goal is to configure this functionality on the

1:20:26 SRX. So let's get started. We're going to start our demo on client

1:20:31 1, where we're going to test reachability to client 2 and to

1:20:36 the SRX. So we ping client 2, 10.1.2.10;

1:20:42 we're not there. Ping 10.1.1.1; we can't ping the SRX.

1:20:49 So let's go over to the SRX and let's go ahead and look at interfaces.

1:20:57 We see that we have our interfaces and they're configured, right. We do a run show interfaces

1:21:04 to make sure they're up, and we see that that's up and working.

1:21:10 Let's look at two; it's also up and working, so that should be fine.

1:21:16 So now let's try and ping client 1 from the SRX and see if that works: run ping 10.1.1.10,

1:21:23 and we can't even ping that. So traffic is not coming in or out of the

1:21:31 port. So maybe we need to check to see if the interface is part of the zones.

1:21:38 So we'll go down to check the zones under security zones. We don't even have

1:21:43 any configuration there, so we're going to have to configure up the zones so those interfaces can get out of

1:21:50 the null zone. So now let's go ahead and do set security zones security-zone

1:21:58 trust interfaces ge-0/0/0.0.

1:22:05 Go ahead and add that. Since we're right here, let's go ahead and add the other interface, so set security zones security-

1:22:11 zone untrust interfaces ge-0/0/2.0.

1:22:16 Go ahead and commit that, and so now let's see if we can ping our device. Now we go ahead and try and ping client 1,

1:22:23 and it does ping. So that was our first problem.

1:22:29 So now let's see if our client can ping the SRX. So we'll go back to the client,

1:22:35 and the client still is not able to ping. So let's go back to the SRX,

1:22:41 and remember that we need to allow exception traffic through the different zones. We do that by adding host-inbound-

1:22:51 traffic to the zone, so that that zone

1:22:56 will allow certain types of traffic to come in to the routing engine.

1:23:01 And so we can go ahead and do set security zones

1:23:09 security-zone trust host-inbound-traffic.

1:23:17 Now, we could configure this at the zone level or the interface level, but we're just going to add it at the zone level, so we'll add system-services,

1:23:25 and we look to see what we have there. We have ping, and it's there, yep, so we're going to go ahead and add ping.

1:23:32 There are some other options there we could look at. Go ahead and commit that work, and then we'll go back and see

1:23:39 if we can reach that, and they can. All right, that's our first goal, all

1:23:46 done. Return back to the SRX when you need to.

1:23:51 The next goal is to provide full access between client 1

1:23:56 and client 2, only with the exception of SSH.

1:24:02 To do that we're going to need a policy, and that policy is going to require us to have zones, address books and

1:24:09 applications all configured so we can set up this policy.

1:24:14 So let's go ahead and take a look at our address books. So we'll do show security

1:24:20 address-book. We don't have any, so we'll do set security address-book,

1:24:26 and our first address book is going to need a name, so we're going to give it the name

1:24:32 of trust, since we're going to add it to that zone,

1:24:37 and we'll type address, and now we need to type an address in. We

1:24:44 need to give it a name; we could give it any name, but here we're going to give it the IP address,

1:24:49 so it'll match the underlying IP address. Now, it's just easy to understand

1:24:56 and to troubleshoot. You don't have to do it this way; you could give it any kind of name you might want, but it just gives

1:25:04 us an idea of what we could name it. Now that we have an address in there, what we want to do is we want to add

1:25:10 that trust address book to the trust zone, so we're going to use the word attach and attach that to the trust zone.

1:25:19 So now we need to create another address book for client 2, and we could put it under the untrust zone, but let's just see

1:25:25 how it would be under the global zone, so we can see how that works. So we type in gl, hit Tab, and it auto-completes because

1:25:32 it's a pre-built name; it's built into Junos, and it'll treat all addresses as

1:25:39 anywhere. So we're going to create it the same exact way: we type in address, we give it a name, we'll go ahead and just

1:25:45 type in client2; it has a name, and then the IP address

1:25:54 there. So we can do a show security address-book;

1:25:59 we see that we have our two address books. We have the trust address book and the global address book, and the trust

1:26:06 address book is attached to zone trust, but the global address book is not attached to any zone because it's global.

1:26:14 Now, applications are already set up, so we don't have to worry about those. Let's

1:26:19 go ahead and write our policy. We're going to go ahead and change our hierarchy into the security policies, so

1:26:25 we'll do edit security policies from-zone trust to-zone untrust, and then

1:26:32 we'll give the policy a name, client 2 full access; that'll be full access to

1:26:40 client 2. And now we're going to add our match

1:26:46 conditions: set match source-address, then a question mark. We see all the options that we have; we

1:26:54 have the 10.1 address that comes in, this came from the trust address book, but we

1:26:59 also have client2 showing up. Now, client2 is not in the trust zone, but since

1:27:07 we put it in the global address book, it appears in every zone. So you've got to be a little bit more

1:27:13 careful when you choose your address books, if you put everything into the global zone.

1:27:20 So we'll go ahead and add the 10.1 address. Destination-address will now be

1:27:27 client2. You see, the 10.1 doesn't show up, because it's looking into the untrust zone to find that,

1:27:35 but client2 shows up because it's still in the global zone. We'll go ahead and choose client2,

1:27:42 and our application, we go ahead and type that and we hit our question mark. We get a lot of options to

1:27:50 choose from. Now, we don't want to have to type all of them in, but there's one called any that is all the

1:27:56 applications, and that's what we want; that's the full access. Once that's done, we're going to go ahead

1:28:02 and set the action of permit,

1:28:08 and then we're going to show the work that I've done, and look, it looks good.

1:28:14 We'll go ahead and commit that, and let's see if our client can now

1:28:19 reach client 2.

1:28:24 Let's first check to see if we can ping client 2, and yep, we can ping client 2.

1:28:32 Can I SSH to client 2? That's supposed to be prohibited. We'll go ahead and type that in.

1:28:40 Yes, we can SSH to client 2.

1:28:46 So that's not good; we need to fix that problem, but we got the first thing done. So let's

1:28:52 go back over to the SRX and fix that. So we need to make a policy to block the

1:29:00 traffic on the SRX between the two clients. So we already have a policy giving

1:29:07 the full access; let's make a policy that rejects SSH. So we go up a level,

1:29:13 we'll say edit policy block SSH,

1:29:20 and now we need to set our match criteria, and we'll put those

1:29:26 basically the same. The source address is client 1, the 10.1 address,

1:29:33 and destination address will be the same, client2, and then our application

1:29:41 needs to specifically be that one application. I know all the built-in applications

1:29:47 start with junos-, so I want to use one of the pre-built applications.

1:29:52 There are a lot of them built into there, so I need to limit it down so I can find it. So I'm going to type in s to see what

1:30:00 type of variation it might be; I put the question mark on, I look for junos-

1:30:05 ssh. That's fine; we'll get out of there and finish that off and hit enter.

1:30:14 Then I'm going to set my action to deny so we can block that.

1:30:22 Then we go ahead and let's look at our work and make sure it looks like what we

1:30:28 want it to be. It looks correct; let's commit it. And now let's see if it blocks our SSH.

1:30:36 We try it and it still works; it did not block it.

1:30:42 So we can get back over to our SRX to see what happened there. So we're going

1:30:48 to come back up so we can see all the policies within this zone context.

1:30:53 Then we do a show, and we see, oh, we have our full access before our block SSH.

1:31:03 So that policy starts at the top and evaluates down,

1:31:09 and it stops when it finds the first match. It found the first match with the application any,

1:31:16 which includes SSH. So what we need to do is move the block SSH before the client 2 full access policy,

1:31:23 so we can do that using the insert command. So insert,

1:31:28 say insert policy block SSH before

1:31:34 policy client 2 full access.

1:31:40 So once I've done that, I can do show and see that they're in the right order.

1:31:46 So now it looks right; we'll go commit it. Now let's go back and check out how that

1:31:52 works. Now let's check to see if that works, and they cannot. So we've accomplished all of our goals.

1:31:58 Our next agenda item is Juniper Connected Security. Juniper Connected Security is a group of

1:32:07 products from Juniper Networks that provides end-to-end, top-to-bottom security protection across all of your

1:32:15 security needs, from your local cloud to your public cloud to hybrid clouds, so

1:32:23 that all your users, no matter where they're at, can be able to function and be able to get to the applications and

1:32:30 data that they need and have it secured from attacks from outside.

1:32:35 The new model moving forward is to have single panes of glass that can show and

1:32:43 thwart attacks anywhere within your ecosystem of applications, whether you're

1:32:50 hosting them or they're being hosted by an outside provider. There are a few

1:32:55 principles with Juniper Connected Security to help us understand where we're trying to go,

1:33:02 and one of those is stronger security posture: we want to be able to safeguard applications, users and infrastructure no

1:33:11 matter where they're located. We also want to be able to automate security. In automating security, there are

1:33:17 just becoming too many devices to do this by hand effectively; we need to use

1:33:23 tools to be able to get in and make changes and to modify things to secure

1:33:28 up our networks. Comprehensive visibility: we need to be able to see what's going

1:33:34 on. If we don't know there's an attack going on, how do we protect against it? So

1:33:39 we need to have that comprehensive visibility. Best-in-class secure networking, that is

1:33:45 that end-to-end, top-to-bottom, no matter where it's located, no matter what we have, we're going to have a solution to

1:33:52 safeguard and protect that infrastructure. Multi-cloud ready: we need to be able to

1:34:00 secure applications and data no matter how we design them, and that includes our

1:34:08 public clouds, our private clouds, our hybrid clouds; however we have our data and wherever it is, we need to secure

1:34:14 that. And we want to use an open platform: we want to complement your existing

1:34:20 security that you already have and come in and be able to help make it better.

1:34:25 The Juniper SRX Series firewall is the heart of Juniper Connected Security.

1:34:31 It can block traffic, it can allow traffic, it can collect data and

1:34:38 send it up to other systems for analysis, and to be able to work and to find

1:34:44 problems within that data. There are many different firewalls

1:34:49 available, depending upon the speed and the performance that you need out of these firewalls, and so there's

1:34:56 definitely one that would suit your needs. So the Next Generation Firewall makes

1:35:02 sure that we can dive in a little bit into layer 7 of those packets that are going in. We want to be able to know

1:35:09 what application is going on, whether we want that individual application to be

1:35:15 functioning on our network or not. We want to be able to block or allow those based upon the application.

1:35:23 We will also want to prioritize traffic based upon the application that's being sent across, and so we have AppQoS.

1:35:32 We also have SSL proxy. We need to be able to understand and see the data, so

1:35:37 we need to decrypt it and be able to analyze that data and make sure that it is safe for our users.

1:35:44 And then we have IPS that can block security threats that are known. We have

1:35:50 signatures that come out, and we have a whole department that builds signatures for our IPS to block known threats in

1:35:58 our network. Integrated user firewall is a very

1:36:03 important step in the Juniper Connected Security. This allows us to have security

1:36:09 based upon your username and who you are as you log into the network.

1:36:15 This allows us to have a set of rules, and depending on how you log in

1:36:21 and who you log in as, gives you access to the resources that you need and

1:36:26 blocks you from resources that you shouldn't have a need for. We see that down at the bottom we have the CEO

1:36:33 group and they don't have any apps that are blocked. The next group, sales, they have YouTube blocked and they have point-to-point

1:36:40 applications blocked. In

1:36:46 the finance group, they have the point-to-point applications blocked but they have YouTube that's allowed. So you

1:36:52 can see in each one of these instances that as we logged in and we were

1:36:58 associated with different groups within our structures of our security, the

1:37:05 firewall can understand those and either allow or deny us access to resources

1:37:10 based upon our user login. JIMS is a device that helps us hook to

1:37:17 Active Directory devices out there that will help bring the data into our SRX

1:37:23 devices. This allows us to hook to more domains and bigger domain structures to

1:37:30 help us secure our data by user, just like in the

1:37:36 integrated user firewall; it's just the next step in that evolution. Unified Threat Management services, or

1:37:44 UTM: there are four different packages inside of UTM. There's anti-malware,

1:37:51 anti-spam, content filtering and web filtering. The anti-malware protects against, you

1:37:58 know, spyware, Trojans, viruses, phishing, and so we can try to block some

1:38:04 of that. Anti-spam allows us to drop emails that could hold some malicious

1:38:11 code in them. Content filtering filters out files based upon the type they are; this is not

1:38:18 used too much anymore, but it is there if you'd want to use it. The last one is web filtering.

1:38:24 In web filtering we can block malicious URLs, but we can also block categories of

1:38:30 URLs to help with productivity in our companies.

1:38:35 Automation. Automation is a big step in the Juniper Connected Security. We need

1:38:42 to be able to act quickly to thwart the attacks that are out there. As you can see in this slide, Juniper has

1:38:49 built Junos upon a multi-layer structure for automation. We can use many

1:38:59 different types of automation to go in and help us configure and control and

1:39:05 gather information about our SRX devices and other Junos devices that we

1:39:12 might have on our networks. So here we can see at the very top we have Python scripts, we have Ansible, we

1:39:19 have the Salt automation package, we have Ruby scripts, we have the Puppet

1:39:25 automation package, the Chef automation package and other applications that can

1:39:31 help us automate our network needs. Another important part is Junos Space.

1:39:38 Junos Space is a collection of applications that help us control our

1:39:44 network. The one we're really interested in is Security Director. Security Director deploys end-to-end

1:39:52 security services on all of our network endpoints. It can control all of our SRXs, and that

1:40:00 allows us to have a consistent security theme across our entire enterprise, so we

1:40:08 don't accidentally leave a hole in a firewall somewhere, because we have it

1:40:13 all in one pane of glass that goes across and secures our entire network at one time.

1:40:21 Juniper Advanced Threat Prevention, ATP Cloud, is a very big component of Juniper

1:40:30 Connected Security. What this is, is it's a component that

1:40:35 lives out in the cloud that we can attach back to either an SRX or to

1:40:41 Policy Enforcer, which is a part of our Junos Space and Security Director,

1:40:47 and what this does is allows us to collect security feeds from the internet,

1:40:52 and it also lets us send information up to it so that it can try

1:40:59 to find out if there is malware within files that we send up to it.

1:41:05 And this helps us so that we can have zero-day prevention of new malware, and

1:41:12 allows us to block traffic and stop traffic from spreading. We can even have

1:41:18 Juniper ATP Cloud help block hosts on our network that get infected, so

1:41:27 once we know that we might have an infected host, we can go in and have

1:41:32 that blocked so no traffic from that host can travel through the internet.

1:41:38 If we go ahead with our Policy Enforcer, we can go a step further and we

1:41:45 can push security down to our EX and QFX switches to block traffic from an

1:41:51 infected host at the nearest entry point into our network. So on this slide we

1:41:56 have the Juniper ATP Cloud user interface, and you'll see that we have different

1:42:03 options in the back, and we picked the email attachments interface to take a look

1:42:10 at, and we selected one of those, and when we selected one of those we get information about that: which host it

1:42:17 belonged to, and we also see that there's this WannaCry virus found, and we

1:42:23 can see that we blocked it and we can see which hosts are infected with it in

1:42:28 our network. And so it just helps you as an administrator be able to drill down

1:42:34 and find vulnerabilities that might be in your network.

1:42:40 Policy Enforcer is an add-on to Security Director, and what this does, Policy

1:42:46 Enforcer allows us to look at layer 2 information on our network and manage

1:42:52 and keep track of that, and so we can take these layer 2 MAC addresses and map

1:42:57 them with the IP addresses, and in doing that we can push information down to our

1:43:03 EX Series and our QFX Series switches and other third-party devices

1:43:09 to block the hosts right at the switch port. And so we can put a filter right on

1:43:16 a switch port and say, look, we're not going to listen to this MAC address, and then that MAC address can't talk on

1:43:23 the network at all. So Policy Enforcer is a great add-on for Security Director to

1:43:29 keep the viruses or threats that you might have on your network isolated

1:43:34 where they're at. Another device that we have in our

1:43:40 Juniper Connected Security series is Juniper Advanced Threat Prevention On-

1:43:45 Premises. Now, this does a lot of the same things that the Juniper ATP Cloud does,

1:43:52 but this is an on-prem device, so you don't have to send any files off of your

1:43:57 network. It also allows us to work with third-party firewalls, so we can

1:44:03 basically add almost any firewall that's out there to this setup and have it controlled and make rules to help block

1:44:11 and shape traffic going through our network that could be infected. It does a lot of the same things: it has a

1:44:18 sandbox so it can find zero-day threats, it can get feeds

1:44:24 off of the network, so we can do a lot of the same things here. One of the

1:44:29 benefits is that it really looks for lateral propagation through your network too, to see if there are things going

1:44:36 across your network, inside your network, that we could block and stop.

1:44:42 Juniper Secure Analytics: if you don't know something's going wrong on your network, you're not going to look for it,

1:44:48 and Juniper Secure Analytics allows us to take feeds from every device on our

1:44:53 network and correlate them and make rules and actionable decisions upon that

1:44:59 information for our network. And so this is a great way to collect all your data and be able

1:45:07 to view it, understand the risks that are going on and see what's happening on your network. That was an overview of our

1:45:14 Juniper Connected Security. It basically comprises being a

1:45:21 little bit more intelligent and watching the different things on our network so that we can anticipate and that we can

1:45:29 stop threats, maybe even before they become threats on our network, and if

1:45:35 they do get on our network, be able to shut them down quickly and be able to alert people so that you can go and fix

1:45:42 the problems that are there. We now have an ATP Cloud demo.

1:45:48 All right, let's go ahead and log into our security realm on the ATP Cloud.

1:45:54 Once we get in here we'll see a dashboard that has interactive widgets to give us a lot of information about

1:46:00 what's going on, but what we want to talk about is the Monitoring section here.

1:46:05 We click on the Monitoring section; it automatically brings up the hosts, and in this section you'll see a bunch of hosts

1:46:12 there, and these hosts are devices that have incidents that have

1:46:19 happened to them. And so you have the host identifier at the beginning, which is just the IP address. You can get it to

1:46:26 make it the name if you want, but it normally comes in as the IP address unless you've added some things here. The threat

1:46:33 level is 10, and 10 is bad. We've got high, medium, low and none, and we see that

1:46:38 we're at threat level 10, which is the worst that it can be, and we see that at 10 it is blocked. It's

1:46:44 included in the infected host feed, meaning we're going to block all traffic from that. We see the last activity, we

1:46:50 see the C&C hits, the malware hits; that's all been malware here on this one. And we see the policy it's using is

1:46:57 the user-configured policy. The state of investigation is open on all of these,

1:47:02 and the source came from a detection from the SRX for this device.

1:47:09 So let's go back, and we can select a host and we can go ahead and look at the

1:47:16 investigation status. By default it goes into the open state, and we can change that state of

1:47:23 investigation under this menu here. We have "in progress" once we start to work

1:47:28 on it, and this helps us understand what we're doing and what we've accomplished, and we can then know, if other people are

1:47:36 there, that we have grabbed this one and they're working on it. We also have some other options here for resolved:

1:47:44 we have false positive, fixed and ignored, and this just helps us know

1:47:50 which one we are dealing with. Any of the resolved ones takes it off the

1:47:57 infected host feed and lets traffic move again. It just helps us know what is going on on our network over time as we

1:48:05 look at these. If we click on a host we can open up the

1:48:12 host workspace and we get information about that individual host and what's going on with it. We have this host

1:48:19 identifier, and it tells us the IP address right now, but if we have

1:48:24 different identification systems set up we can get a name from the host assigned

1:48:32 to that. We can then come down and see we have the MAC address; if we had Policy Enforcer

1:48:38 it would show that and show us our Layer 2 information. We have our host status; remember, it's high threat level and

1:48:45 it's blocked. We have our threat settings, it's still open, we've talked about that just a

1:48:50 little bit, and then we have our policy override for the host, so we can make and

1:48:56 change things there if we want to.

1:49:03 So then we scroll down, we have our threat settings, and on our threat settings we see over time how these

1:49:10 threats have come in. We see we have one hit there, another hit, another hit and another hit and another hit, and over

1:49:17 time the threat level went up on this device as we've done more work with this

1:49:23 malware. And because it's red, it shows that it's always been in the

1:49:29 infected host feed and blocked since that beginning, but you can come down and see the actual hits and the information

1:49:35 about each one of those hits for the malware. Let's go back to Monitor and

1:49:42 we'll click on the HTTP file downloads, and inside here we see all the files

1:49:47 that were downloaded and their threat level. We have some at 10, some at 1 here on this chart,

1:49:53 and we can look at each one of these files. We can click on a file and find out information about that file here, so

1:50:01 we'll click on one and we can see the threat level up here

1:50:06 at the top, we can see the top indicators, why it was threat level 10, and

1:50:12 we can see the prevalence, and there we can see it's high and that the unique users is 21. So 21 people have clicked

1:50:19 on this, and so we want to make sure we get on this really quick. We see

1:50:26 what is going on here, we see the general status, we can see some additional information about this file,

1:50:33 like the file name, what category it's in, what platform it infects, what

1:50:40 type of malware it is. We can also see the hashes that get

1:50:46 created from this, and then down below we see the HTTP downloads and each machine that's

1:50:52 downloaded it and which device reported the download. Here we have bsrx1 reported

1:50:58 all of them in our lab setup here, but we can go ahead and see all the hosts

1:51:04 that have downloaded this. And then up at the top there are some tabs; one's behavioral analysis, and this gives

1:51:11 us information about that file and the threat that it gives to us. It gives us a

1:51:18 lot of detail here, and so we can see in a little pie chart how the threats are broken up, and we can scroll down a

1:51:24 little bit here and we can see those, and we can see this very top one says it attempted to install new root

1:51:30 certificates to gain access. Well, that's pretty bad to do that, but it does have some other things that it did: it checks

1:51:37 the host file and opens it for reading, and so it's not as bad as the first one, so

1:51:42 it's a little less, and then the memory contains social media addresses, and then it reads itself. So it goes

1:51:51 through and shows you exactly what's going on with this malware, so that's a great thing. We also have network

1:51:57 activity, and we can see the contacted domains, we can see the IP addresses, and

1:52:03 we see DNS activity. And then we can also look at the behavioral details, and inside of here we

1:52:10 say, look what it did: it says it started, tried to run this exe file, it did the ini file, and it dropped a

1:52:17 couple of temp files, and then it started cmd for a command line. So

1:52:23 this is some bad stuff that it's doing, so it just kind of shows us what's going on there. We can also look at email

1:52:30 attachments; we don't have any here, but if email was going through and there's attachments. We can also look at SMB file

1:52:37 downloads, and we look at manual uploads, and these manual uploads let us upload a file and have it check it for us.

1:52:45 Well, we've reached the end of this course, and we're so happy that you've taken time out of your busy schedule to

1:52:53 be with us to learn more about Juniper Networks and the Junos operating system.

1:52:58 We sure hope that you have found this very useful. But you might be thinking, well, what's

1:53:04 next now that I'm done with this course? Attend another Jumpstart Juniper class. You can sign up at the URL on the screen.

1:53:12 We have six courses right now that cover Junos. Please watch for more Jumpstart

1:53:18 Juniper videos coming soon. Another fantastic resource is the Learning Portal at juniper.net.

1:53:25 There you'll find a lot of resources that can help you. One of those is Juniper Open

1:53:31 Learning. Juniper Open Learning is for certification and to help people get

1:53:37 started with their certifications. Juniper Open Learning has live seminars where you can ask experts questions

1:53:44 about the things you might need to know about the certifications. They also have some online videos that

1:53:51 you can watch that go over the certification information and help you

1:53:57 learn the things that you need to know. They also have practice tests; you can

1:54:02 receive vouchers if you pass those practice tests to receive a discount on

1:54:08 the test that you need to take to become Juniper certified. So make sure

1:54:13 you check out Juniper Open Learning. Another thing is the learning paths that you can find on the Learning Portal. The

1:54:19 learning paths help you decide which track is best for you: is it security, is it

1:54:25 service provider, enterprise? What things do you want to learn from Juniper

1:54:30 Networks? On the Learning Portal you'll also find all the on-demand courses from

1:54:37 the course development team from Juniper Networks. They have many courses for you

1:54:42 to take on the different technologies that Juniper Networks provides so that

1:54:47 you can learn and grow in the path that you want. There's also a list of class schedules

1:54:54 for scheduled classes that are led by an instructor. Last of all is the All Access

1:54:59 Pass. This All Access Pass allows you to take any course that Juniper has. This All

1:55:06 Access Pass is a yearly subscription for you so that you can take as many classes as

1:55:12 you'd like throughout the year. It's a single price, and it also comes with a

1:55:18 few perks, and one of those perks is that you can take an actual class from one of

1:55:24 the class schedules, so you can take the on-demand course and then you can actually take it from the

1:55:31 instructor, so that really helps you be able to find the path that you want to

1:55:36 take. Juniper Networks has created a certification path just for you.

1:55:42 This certification path will help you distinguish yourself amongst your colleagues, that you know how Juniper

1:55:50 Networks operates and how to design and maintain networks built by Juniper

1:55:57 Networks equipment. There's four levels within the certification path that you can take:

1:56:03 there's an associate level, a specialist level, a professional level and an expert level.

1:56:08 At each one of these levels you get to show how much you know about Juniper

1:56:14 Networks' operating system and devices. Each one of these certifications can run

1:56:21 within a different track. Juniper Networks has seven tracks that you can pick from to show your

1:56:29 proficiency in Juniper network devices and configurations.

1:56:34 These tracks are service provider routing and switching, enterprise routing

1:56:39 and switching, data center, Junos security, cloud, automation and DevOps, and data center,

1:56:45 WAN and security design. So there's a track for you to be able to

1:56:52 move forward and show that you are proficient with Juniper Networks devices.

1:56:59 Thank you again for attending our Jumpstart Juniper course today.
