IMPLEMENTATION GUIDE
JUNIPER NETWORKS SRX SERIES SERVICES GATEWAYS / WEBSENSE V10000
SRX Series Configuration to Enable Security Solutions with TRITON
Although Juniper Networks has attempted to provide accurate information in this guide, Juniper Networks does not warrant or guarantee the accuracy of the information provided herein. Third party product descriptions and related technical details provided in this document are for information purposes only and such products are not supported by Juniper Networks. All information provided in this guide is provided “as is”, with all faults, and without warranty of any kind, either expressed or implied or statutory. Juniper Networks and its suppliers hereby disclaim all warranties related to this guide and the information contained herein, whether expressed or implied or statutory, including, without limitation, those of merchantability, fitness for a particular purpose and noninfringement, or arising from a course of dealing, usage, or trade practice.
Copyright © 2010, Juniper Networks, Inc. 1
IMPLEMENTATION GUIDE -Juniper Networks SRX Series Services Gateways/Websense V10000
Table of Contents
Introduction 3
Scope 3
Design Considerations 3
Protocol Operation 5
Implementation 5
  Implementation Tasks 6
  SRX Series Configuration Using Junos Automation 6
  SRX Series Configuration Step by Step 7
Summary 12
Appendixes 12
About Juniper Networks 12
Table of Figures
Figure 1: Reference network 3
Figure 2: User traffic allowed 4
Figure 3: User traffic blocked 4
Figure 4: Example implementation network 5
Introduction
A powerful new paradigm of Internet-enabled relationships is transforming businesses across the globe. Companies
that embrace “Web 2.0” technologies empower effective and lasting connections with employees, customers,
and partners. These are powerful tools that can create and sustain competitive advantage—but the underlying
technologies can also expose the business to complex and dynamic new risks. Juniper Networks® SRX Series Services
Gateways, combined with Websense’s V10000 Web Security Gateways, help companies enjoy the benefits of Web 2.0
solutions while mitigating the associated security challenges with power, speed, and flexibility.
Scope
This document is targeted at system engineers, network administrators, and other technical audiences interested in
designing and implementing Juniper Networks SRX Series Services Gateways with Websense TRITON V10000 Web
Security Gateway appliances.
Design Considerations
Figure 1 illustrates a common network design solution using the SRX Series and V10000 appliances. The SRX Series is responsible for redirecting specific traffic from the User LAN (for example, HTTP/HTTPS) to the V10000 appliances. The network administrator configures the TRITON V10000 appliances to provide multi-vector inbound and outbound real-time content inspection to protect against malware and sensitive data loss. The policy-based user interface increases user productivity by basing privileges on user or group identity in your corporate user directory. The V10000 proxies user traffic to the Internet. When the user traffic is unauthorized based on protocol or dynamic website policy, the user’s browser is redirected to the “Block Page” served by the V10000.
The enterprise network includes the SRX Series and the Websense TRITON V10000 appliances in the “management”
segment of the network, and the enterprise users are identified in the “User LAN” segment of the network. This
deployment architecture leverages the flexibility of the SRX Series to securely separate the user traffic from the
network administration of the SRX Series and the Websense security appliances.
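One way to express the SRX Series redirect described above, as an added example rather than the guide's own configuration (the guide's step-by-step SRX configuration is in its Implementation section): a Junos firewall filter steers only User LAN HTTP/HTTPS into a forwarding routing instance whose default route is the V10000 P1 port, while requests addressed to the C port are exempted so that block-page fetches are not themselves redirected. The interface names, the User LAN prefix 10.10.10.0/24, the P1 address 192.168.100.10 and the C port address 192.168.100.20 are assumed placeholder values.

```junos
# Assumed topology: User LAN on ge-0/0/1 (10.10.10.0/24); V10000 P1 port at
# 192.168.100.10 and C port at 192.168.100.20, both reachable via ge-0/0/2.

# Forwarding instance whose only route points at the V10000 P1 (proxy) port
set routing-instances websense-fbf instance-type forwarding
set routing-instances websense-fbf routing-options static route 0.0.0.0/0 next-hop 192.168.100.10

# Share interface routes with the forwarding instance so the next hop resolves
set routing-options interface-routes rib-group inet fbf-rib
set routing-options rib-groups fbf-rib import-rib [ inet.0 websense-fbf.inet.0 ]

# Filter: exempt block-page requests to the C port, redirect User LAN web
# traffic, and let everything else follow normal routing (and normal policy)
set firewall family inet filter redirect-web term block-page from destination-address 192.168.100.20/32
set firewall family inet filter redirect-web term block-page then accept
set firewall family inet filter redirect-web term web from source-address 10.10.10.0/24
set firewall family inet filter redirect-web term web from protocol tcp
set firewall family inet filter redirect-web term web from destination-port [ 80 443 ]
set firewall family inet filter redirect-web term web then routing-instance websense-fbf
set firewall family inet filter redirect-web term default then accept

# Apply the filter inbound on the User LAN interface only, so proxied flows
# arriving from the P1 port are never redirected back into the appliance
set interfaces ge-0/0/1 unit 0 family inet filter input redirect-web
```

On an SRX in flow mode the V10000-facing interface still needs a security zone and a security policy permitting the redirected flows, which this fragment omits.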
For the one-V10000-appliance solution, three physical ports are utilized: “C”, “P1,” and “N.” The “C” port of the appliance is the management port through which the administrator manages the appliance. The “C” port is also the destination for the “Block Page” redirection. The “P1” port is the proxy port of the V10000 that provides the real-time malware and dynamic website classification. The SRX Series connects the V10000 to both the user LAN and the Internet. The “N” port is used to provide application and Web protocol-specific blocking and bandwidth throttling. Over 120 Web protocols are recognized by protocol “fingerprint” (this permits the identification of applications such as Skype, BitTorrent, and Yahoo Chat). Malware “phone-home” communications are also recognized and denied access to the Internet. To implement this capability, a layer 2 switch is needed to mirror user traffic. When the P1 port allows user traffic, the V10000 establishes a new traffic flow (proxy) via the same P1 port. When traffic is not permitted, the V10000 issues a redirect message via the P1 port to the user browser. The user browser is redirected to a “Block Page” that is served by the V10000 at the C port. These two scenarios are illustrated in the following ladder diagrams.
Figure 1: Reference network (diagram elements: Internet, SRX Series, L2 switch, Websense V10000, User LAN, L2 switch)
Figure 2 illustrates the ladder diagram for user traffic allowed by the Websense V10000. The V10000 proxies the traffic
between the user and the Internet via the V10000 P1 port. The proxied traffic is indicated by the separate dark gray and
light gray traffic flows.
Figure 2: User traffic allowed (ladder diagram across the user, the SRX Series, the V10000 P1 port and the Internet: the user attempts to access a URL; the SRX Series redirects the traffic to the V10000; V10000 policy allows the traffic and establishes a new traffic flow (proxy) to the URL; the SRX Series routes the traffic to the URL and performs NAT if necessary; the V10000 proxies the end-to-end traffic flow to the target URL)
Figure 3 illustrates the ladder diagram for user traffic that is blocked and redirected by the V10000.
Figure 3: User traffic blocked (ladder diagram across the user, the SRX Series, the V10000 P1 and C ports and the Internet: the user attempts to access a URL; the SRX Series redirects the traffic to the V10000; on a policy violation the V10000 blocks the traffic and redirects the user's Web browser to the V10000 C port; the user sees the “blocked page” in the browser)