
Solution Brief

BUILDING A JUNIPER CONNECTED SECURITY NETWORK FOR HEALTHCARE
Detect, adapt, and enforce security policies faster with network-wide visibility, orchestration, and control

Challenge
Enable digital transformation at healthcare firms by eliminating threats coming from both inside and out.

Solution
The Juniper Connected Security solution, which includes SRX Series Services Gateways for branch and data center, vSRX virtual firewall, Spotlight Secure cloud service, Sky Advanced Threat Prevention, and Junos Space Security Director, provides an open, scalable way to block threats at every step of the cyber kill chain.

Benefits
• Expand threat visibility and enforcement capabilities across the entire network infrastructure
• Provide flexibility and agility in responding to threats
• Reduce time between threat detection and enforcement
• Simplify management with a platform for creation, deployment, and replication of common security policies across a healthcare enterprise

The digital economy is transforming the healthcare market sector. The required pace of innovation is accelerating, patients have higher expectations than ever, and new competitors are emerging from nontraditional markets. At the same time, the healthcare market has long been a favorite target of cyberattackers, and despite firms' best efforts, cybersecurity threats are rising and attacks are more successful than ever. Healthcare firms need a more effective, adaptable approach to detecting and stopping cyberthreats.

The Challenge
Traditionally, network security has meant a strong perimeter defense. Firewalls sat at the boundary of the network, checking everything coming inside, while everything on the inside of the network was trusted. That is no longer enough. Advanced threats can bypass traditional perimeter security defenses, enter the trusted network, and move about undetected. Employees', contractors', and patients' mobile devices can be infected when used on public or home networks, and that malware can be inadvertently unleashed inside the corporate network. The risk grows further with the rise of the Healthcare Internet of Things. In the data center, virtualization and cloud have brought new agility, but security technologies have failed to keep pace with evolving threats. As a result, threats can persist unseen inside the network, giving criminals time to carefully plan the theft of high-value information, take medical intellectual property, commit fraud, destroy brand image, and disrupt revenue opportunities.

Employees and contractors rely on regional and facility networks to access enterprise applications and other resources to do their jobs. Patients count on websites and mobile apps to interact with their caregivers, insurance companies, and other healthcare providers. Attackers commonly target facility resources and mobile devices because these systems have access to business-critical applications, but it can be very difficult for security administrators to control and monitor today's highly distributed environments for suspicious activity. Security teams need greater visibility into business applications, whether they are in the data center or in the cloud. Data privacy is critical to maintaining competitive advantage and regulatory compliance, but data sent to and from data centers over service provider networks or the public Internet is at great risk of eavesdropping unless it is appropriately encrypted.


Data center networks are also prime targets for attackers, as they run the core operations for healthcare firms and are home to the organization's most valuable information and applications. In addition to data theft and destruction, a denial-of-service (DoS) attack can overwhelm the data center network and prevent workers and patients from accessing critical resources and personal healthcare information. A DoS attack can be just as damaging to business viability as the exfiltration of high-value data.

To thrive, security professionals can no longer view internal networks as trusted and external networks as untrusted. In today's cybersecurity threat landscape, all network traffic must be viewed as untrusted.

Juniper Networks Connected Security
The Juniper Networks Connected Security solution creates a holistic security ecosystem that enables healthcare firms to react in near real time to current and evolving intelligence to protect against unknown threats. Juniper Connected Security delivers a zero trust model for information security.

[Figure 1 (diagram): Juniper Connected Security Network Delivers Zero Trust Security Model. A secure network perimeter separates Outside (Untrusted) from Internal (Untrusted); both sides are treated as untrusted. Labels: Simplified Security Policy, Block Lateral Threat Propagation, Comprehensive Visibility.]

Figure 1: Juniper Connected Security is based on a zero trust security model.

[Figure 2 (diagram): Juniper Connected Security Network: Policy, Detection, and Enforcement. Dynamic and adaptive policy engines with cloud-based threat defense drive policy, detection, and enforcement across the enterprise network (campus and facility, data center, private cloud, public cloud). Bottom-up and top-down approach:
• Leverage the entire network and ecosystem for threat intelligence and detection
• Utilize any point of the network as a point of enforcement
• Dynamically execute policy across all network elements, including third-party devices]

Figure 2: Juniper Connected Security simplifies creating security policies, detecting threats, and enforcing policies.


With Juniper Connected Security, healthcare firms can make the shift from the traditional, siloed approach to security prevalent in healthcare today to viewing the network as a single enforcement domain. Network policy, detection, and enforcement become more adaptable, and firms can stop threats with greater accuracy. Security administrators can create and manage policies that are tightly aligned with business policies, rather than micromanaging security for different VLANs and security zones.

Juniper Connected Security Networks
Policy        Create and centrally manage security through a user intent-based system
Detection     Unify and rate intelligence from multiple sources
Enforcement   Enforce policy in near real time across the network, and adapt to network changes

[Figure 3 (diagram): The Internet connects Facility A, Facility B, Facility C, and the Data Center; each site is fronted by an SRX Series gateway applying firewall policy, with users on the internal LAN behind it.

Facility: Connectivity
• The facility is concerned with providing connectivity as well as security to client devices in the enterprise.
• Attackers commonly target facility resources because the attack landscape is larger, resources are less segmented, and they have access to valuable systems.]

Figure 3: Secure network services architecture supports healthcare branches.

[Figure 4 (diagram): Juniper Connected Security Protecting a Branch. Components: Internet; Branch SRX Series Cluster; Core/Distribution; Access switches; Third Party Feeds; Sky ATP; Juniper Connected Security Policy Engine; SRX Policy and Feeds; Threat Detection Feeds; Switch ACLs; End Point Security Partner Solutions.
Policy
• Policy defined in the Policy Engine, for example: "Infected Hosts with Threat_Level > 8 should be quarantined"
Detection
• Sky Infected Host feed, built from third-party detection (e.g., Attivo, Vectra) and SRX Series data sent to Sky ATP
Enforcement
• Access and aggregation switches quarantine the infected host
• Remediation of the infection]

Figure 4: Juniper Connected Security makes it easier to protect facilities with consistent security policies, threat detection, and enforcement.
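The branch policy in Figure 4, "Infected Hosts with Threat_Level > 8 should be quarantined", maps onto the security-intelligence hierarchy of Junos. The configuration below is an added example written for this page; it is not from the brief or from Juniper's own documentation. It assumes the SRX is already enrolled with Sky ATP (the enrollment script from the portal configures the feed URL and TLS profile), that branch user traffic crosses the zone pair trust to untrust, and that the names ih-profile, ih-rule, ih-policy, and quarantine-infected are placeholders. Comment lines are annotations.

```junos
# Added example (not from the brief): Sky ATP infected-host enforcement on a
# branch SRX. Assumes the device is already enrolled with Sky ATP, which
# supplies the feed URL and TLS profile under [services security-intelligence].

# Profile for the Infected-Hosts feed. The figure's rule is "Threat_Level > 8",
# so only levels 9 and 10 are dropped. Levels 8 and below fall through to the
# default rule, which permits but still logs the hit so the host can be
# investigated before it is cut off.
set services security-intelligence profile ih-profile category Infected-Hosts
set services security-intelligence profile ih-profile rule ih-rule match threat-level [ 9 10 ]
set services security-intelligence profile ih-profile rule ih-rule then action block drop
set services security-intelligence profile ih-profile rule ih-rule then log
set services security-intelligence profile ih-profile default-rule then action permit
set services security-intelligence profile ih-profile default-rule then log

# Bind the profile to a SecIntel policy, then attach that policy to the
# firewall rule carrying branch-user traffic toward the Internet.
set services security-intelligence policy ih-policy Infected-Hosts ih-profile
set security policies from-zone trust to-zone untrust policy quarantine-infected match source-address any
set security policies from-zone trust to-zone untrust policy quarantine-infected match destination-address any
set security policies from-zone trust to-zone untrust policy quarantine-infected match application any
set security policies from-zone trust to-zone untrust policy quarantine-infected then permit application-services security-intelligence-policy ih-policy
set security policies from-zone trust to-zone untrust policy quarantine-infected then log session-init

# Verification (operational mode): confirm the feed is loaded, then list the
# internal hosts currently flagged and their threat levels.
# > show services security-intelligence category summary
# > show security dynamic-address category-name Infected-Hosts
```

Two things to check before relying on this. First, the SRX can only drop traffic that crosses it; traffic between two hosts on the same branch VLAN never reaches the firewall, which is why the figure puts the quarantine on the access and aggregation switches (that step is pushed by Security Director and is outside this fragment). Second, the feed entries update on the SRX without a commit, so a host that is cleaned and released in the Sky ATP portal stops being dropped at the next feed refresh, not the next change window.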


With the Juniper Connected Security approach, threats can be detected faster, even as they evolve, by leveraging threat intelligence from multiple sources (including third-party feeds) and tapping into the power of the cloud. Network security can adapt dynamically to real-time threat information so that security policies are enforced consistently, even in a nationwide healthcare enterprise. The building blocks of a Juniper Connected Security network include advanced firewalls for the facility and data center, threat intelligence, orchestration, and cloud-based protection.

Securing Facility Networks in Healthcare
Juniper Networks® SRX Series Services Gateways for the facility combine next-generation firewall and unified threat management (UTM) services with routing and switching in a single, high-performance, cost-effective network device. SRX Series gateways provide network connectivity to regional or branch locations using standards-based routing protocols. A small facility SRX Series gateway also provides switching to connect a small number of endpoints, while a large SRX Series gateway can provide WAN connectivity and switching for a regional office or campus.

SRX Series gateways also support full, standards-based IPsec encryption to ensure the secure transport of business data across networks that are not managed, controlled, or secured by the firm's security administrators, whether the organization uses a shared service provider network or the public Internet.

[Figure 5 (diagram): Border router, WAN routers and a perimeter firewall in front of a DMZ switch and the internal network. Physical security: switching and a physical firewall on the physical network. Virtual security: on each physical server, virtualization software (e.g., VMware) hosts a virtual switch and VMs (Bus App 1, SAP, WWW) for business applications and an online banking database, with a vSRX firewall per application and a DMZ.]

Figure 5: Micro-segmentation allows zoning and segmentation created by SRX Series gateways (both virtual and physical).

[Figure 6 (diagram): Data Center Micro-Segmentation. Components: Internet; Perimeter SRX Series Cluster; DMZ VLAN (IT Web, Fin Web); Internal SRX Series Cluster; MZ VLAN (IT App, Fin App); DB VLAN (IT DB, Fin DB); a vSRX in each VLAN; switch ACLs; an SDN controller that provisions the vSRX in the service chain; Third Party Feeds; Sky ATP; Juniper Connected Security Policy Engine; vSRX Policy; Threat Feeds; Security Groups: IT Apps, Fin Apps.
Policy
• Policy defined in the Policy Engine, for example: "IT Applications cannot access Finance Applications even if they share the same VLAN"
• "Traffic in and out of Infected Applications should be logged"
Detection
• Sky detection applies to the infected-applications scenario (the second policy above)
Enforcement
• VM-related traffic controls enforced in the vSRX
• Physical-to-physical traffic controls in access/aggregation switches]

Figure 6: Juniper simplifies extending security to every segment in the data center using micro-segmentation.
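The first policy in Figure 6, "IT Applications cannot access Finance Applications even if they share the same VLAN", cannot be expressed with VLAN-based zoning; on a vSRX it becomes an intra-zone policy between address sets that group workloads by role. The configuration below is an added example written for this page, not from the brief or from Juniper's documentation. It assumes the SDN controller in the figure steers both groups' traffic through a vSRX whose single zone is dc-apps, that the workloads sit in 10.20.10.0/24, and that every object name is a placeholder. Comment lines are annotations.

```junos
# Added example (not from the brief): same-VLAN micro-segmentation on a vSRX.
# Assumes the service chain delivers IT and Finance VM traffic to zone dc-apps.

# Group workloads by role, not by VLAN. Adding a VM means adding an address to
# a set; the policies that reference the set do not change.
set security address-book global address it-web 10.20.10.11/32
set security address-book global address it-app 10.20.10.12/32
set security address-book global address it-db 10.20.10.13/32
set security address-book global address fin-web 10.20.10.21/32
set security address-book global address fin-app 10.20.10.22/32
set security address-book global address fin-db 10.20.10.23/32
set security address-book global address-set it-apps address it-web
set security address-book global address-set it-apps address it-app
set security address-book global address-set it-apps address it-db
set security address-book global address-set fin-apps address fin-web
set security address-book global address-set fin-apps address fin-app
set security address-book global address-set fin-apps address fin-db

# Intra-zone policies are evaluated top-down and the implicit default is deny.
# The explicit deny comes first so it is logged rather than silently dropped;
# the permits log session start and end, which satisfies the figure's
# "log traffic in and out" requirement for any application later flagged.
set security policies from-zone dc-apps to-zone dc-apps policy deny-it-to-fin match source-address it-apps
set security policies from-zone dc-apps to-zone dc-apps policy deny-it-to-fin match destination-address fin-apps
set security policies from-zone dc-apps to-zone dc-apps policy deny-it-to-fin match application any
set security policies from-zone dc-apps to-zone dc-apps policy deny-it-to-fin then deny
set security policies from-zone dc-apps to-zone dc-apps policy deny-it-to-fin then log session-init
set security policies from-zone dc-apps to-zone dc-apps policy fin-tiers match source-address fin-apps
set security policies from-zone dc-apps to-zone dc-apps policy fin-tiers match destination-address fin-apps
set security policies from-zone dc-apps to-zone dc-apps policy fin-tiers match application junos-https
set security policies from-zone dc-apps to-zone dc-apps policy fin-tiers match application junos-mysql
set security policies from-zone dc-apps to-zone dc-apps policy fin-tiers then permit
set security policies from-zone dc-apps to-zone dc-apps policy fin-tiers then log session-init session-close
set security policies from-zone dc-apps to-zone dc-apps policy it-tiers match source-address it-apps
set security policies from-zone dc-apps to-zone dc-apps policy it-tiers match destination-address it-apps
set security policies from-zone dc-apps to-zone dc-apps policy it-tiers match application junos-https
set security policies from-zone dc-apps to-zone dc-apps policy it-tiers match application junos-mysql
set security policies from-zone dc-apps to-zone dc-apps policy it-tiers then permit
set security policies from-zone dc-apps to-zone dc-apps policy it-tiers then log session-init session-close

# Verification (operational mode): ask the firewall which policy a given flow
# would hit. IT app -> Finance app on 443 should report deny-it-to-fin.
# > show security match-policies from-zone dc-apps to-zone dc-apps source-ip 10.20.10.12 destination-ip 10.20.10.22 source-port 40000 destination-port 443 protocol tcp
# > show security policies from-zone dc-apps to-zone dc-apps
```

The policy only isolates what the firewall sees. If two VMs on the same VLAN can reach each other directly on the virtual switch, the vSRX never gets the packets and the rule is decorative; the check is to confirm on the controller that the service chain is in the forwarding path for both groups, and that the physical-to-physical controls the figure places on the access and aggregation switches cover the hosts that are not VMs.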


Securing Data Center Networks in Healthcare Through Micro-Segmentation
Healthcare firms of all sizes can defend their data centers with Juniper's portfolio of enterprise security solutions. SRX Series Services Gateways are a next-generation, anti-threat firewall with advanced, integrated threat intelligence, delivered on the industry's most scalable and resilient platform.

SRX Series gateways set new benchmarks with 100GbE interfaces, and also provide connectivity options for 1GbE, 10GbE, and 40GbE. Express Path technology enables up to 2 Tbps performance for the data center with less than 7 microseconds of throughput latency. All SRX Series gateways can encrypt and decrypt traffic across shared and public WANs using IPsec VPN, and can simultaneously support thousands of VPN tunnels. In cloud and virtual environments, the vSRX virtual firewall can be deployed to provide east-west separation for traffic to meet requirements of micro-perimeterization and micro-segmentation, addressing today's virtual workloads. The vSRX is the industry's fastest virtual security platform, providing scalable, secure protection for data centers and cloud. This level of advanced security is extended to Docker containers with the Juniper Networks cSRX container firewall, which brings greater agility and elasticity to virtual infrastructure. The cSRX has a microservices architecture that makes deployment throughout the network easier without compromising performance.

Unified Security Enforcement on a Common Platform
SRX Series security capabilities are consistent whether the SRX Series device is deployed as an appliance, a scalable chassis, or virtually, and whether it is protecting traditional physical architectures or virtual and cloud applications. Policies are enforced consistently to meet the needs of any healthcare organization of any shape or size.

Separation of Control and Data Planes
High volumes of traffic and processor overutilization can cause a firewall to become unmanageable and block user access to business resources if the firewall is designed with shared control and data planes. Juniper Networks Junos® operating system, the foundational operating system of the SRX Series gateway, is designed with the separation of control and data plane. When under a DoS attack, the SRX Series firewall provides strict policing protection of the control plane so that administrators can maintain management connectivity with the platform, while screens and additional mechanisms can be put into place to minimize the impact that a DoS attack might have on the data plane.

Next-Generation Firewall Services and Application Inspection
SRX Series gateways provide security enforcement and deep inspection across all network layers and applications. Users can be permitted or prohibited from accessing specific business applications and Web applications, regardless of the network ports and protocols that are used to transmit the applications. Deep inspection can be applied via intrusion prevention policies for any traffic that is allowed to pass through the SRX Series, so security administrators can ensure that the desired traffic running across an organization's network is legitimate and is not being manipulated as an attack vector.

Application- and user-based firewall policies can be combined to ensure that specific users within a healthcare organization's network can only access the specific business applications that they are authorized to access. Antivirus, content filtering, and antispam enforcement can be layered on top of these policies to round out the full spectrum of application-based services that can be applied to network traffic running through the firewall.

Enhanced Threat Intelligence and Spotlight Secure
To enhance traffic visibility and provide an additional layer of protection against advanced persistent threats, SRX Series gateways support IP address blocking via geo-IP and command-and-control botnet feeds. This additional threat intelligence is delivered via the Juniper Networks Spotlight Secure cloud service, and is updated constantly to ensure that the threat data employed in the firewalls is accurate and fresh.

IP address threat data is applied within security policies quickly and without requiring a commit of the configuration. This means that new threat data within firewall policies can be applied in less than 60 seconds after being updated within the Spotlight Secure cloud service. A healthcare organization can also automatically enforce and block IP addresses on SRX Series firewalls from threat data that is created internally, or with data from a third-party threat feed. All of this threat data can be delivered and enforced on SRX Series firewalls within 60 seconds.

Juniper Sky Advanced Threat Prevention
As malware attacks evolve and grow more insidious, conventional anti-malware products have difficulty defending against them. A good example of this is the recent increase in ransomware attacking the healthcare market's data. These attacks cripple the ability to do business by encrypting critical data and offering to decrypt the data for a fee (ransom).


Juniper Sky Advanced Threat Prevention is designed to keep the network free of these types of zero-day attacks and other unknown threats by delivering cloud-based protection, scanning ingress and egress traffic for malware and indicators of compromise. Juniper Sky ATP, which employs a pipeline of technologies in the cloud to identify varying levels of risk, provides a higher degree of accuracy in threat protection. It integrates with SRX Series gateways to deliver deep inspection, inline malware blocking, and actionable reporting.

Juniper Sky ATP's identification technology uses a variety of techniques to quickly identify a threat and prevent an impending attack. These methods include:
• Rapid cache lookups to identify known files
• Dynamic analysis that involves unique deception techniques applied in a sandbox to trick malware into activating and self-identifying
Additionally, machine-learning algorithms let Juniper Sky Advanced Threat Prevention adapt to and identify new malware in an ever-changing threat landscape.

Centralized and Orchestrated Policy Enforcement with Security Director
In today's complex environment, if management solutions are slow, unintuitive, or restricted in their level of granularity and control, network security management can become overly time-consuming and prone to error.

Junos Space Security Director provides centralized and orchestrated security policy management through an intuitive, web-based interface that offers enforcement across the emerging and traditional risk vectors that healthcare organizations face every day. As an application on the Juniper Networks Junos Space platform, Security Director provides extensive security scale, granular policy control, and policy breadth across the network for every SRX Series physical and virtual device. Security administrators can use Security Director to quickly manage all phases of the security policy life cycle for stateful firewall, threat intelligence from Spotlight Secure, unified threat management (UTM), intrusion prevention system (IPS), application-based firewall, IPsec VPN, and Network Address Translation (NAT).

Summary: Stop Threats Faster with Juniper Security Solutions
A Juniper Connected Security network can help security administrators in healthcare organizations stop threats faster and more accurately. It can also help them gain greater control over the applications and traffic on their regional, facility office, and data center networks while protecting business assets and patient health information against increasingly sophisticated and successful cyberthreats.

SRX Series Services Gateways deliver next-generation firewall protection with application awareness, IPS, and user role-based control options, plus best-in-class UTM to help protect and control healthcare business assets. Healthcare firms can choose from a broad range of models: from all-in-one security and networking appliances, to highly scalable, high-performance chassis options, to virtual and cloud-based enforcement platforms. Juniper's security intelligence for SRX Series gateways is designed to respond to a rapidly changing threat landscape, and as an open security intelligence solution, it is extensible based on business needs. Spotlight Secure delivers actionable security intelligence that can be used in policy immediately. Juniper Sky Advanced Threat Prevention integrates with SRX Series firewalls for detection and enforcement, and provides dynamic, automated protection against known malware and advanced zero-day threats, resulting in near-real-time threat response. Administrators can centrally manage all SRX Series gateways using Junos Space Security Director, and other security services are easily added to existing SRX Series platforms for a cost-effective and easily managed solution.

Next Steps
To bring the power of a Juniper Connected Security network to your firm, contact your Juniper representative, or go to https://www.juniper.net/us/en/solutions/security/.
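The feed-driven IP blocking described under Enhanced Threat Intelligence and Spotlight Secure (geo-IP, command-and-control feeds, and an internally created blocklist applied without a commit) and the inline file scanning described under Juniper Sky Advanced Threat Prevention both attach to an ordinary SRX security policy as application services. The configuration below is one added example covering both sections; it is written for this page, not taken from the brief or from Juniper's documentation. It assumes the SRX is enrolled with the Juniper cloud threat service (the portal's enrollment script sets the feed URL and TLS profile) and licensed for the cloud feeds, that an internal feed server at 10.0.0.5 serves a plain text file with one IP, prefix, or range per line, and that zone and object names are placeholders. Comment lines are annotations.

```junos
# Added example (not from the brief): IP-reputation enforcement and inline file
# scanning on an SRX. Feed host, zones and object names are placeholders.

# 1. Internally curated blocklist. The SRX polls the file every 30 seconds and
#    the dynamic address updates in place; only the policy that references it
#    is ever committed, which is what "enforced without a commit" means here.
set security dynamic-address feed-server internal-ti hostname 10.0.0.5
set security dynamic-address feed-server internal-ti feed-name soc-blocklist path soc-blocklist.txt
set security dynamic-address feed-server internal-ti feed-name soc-blocklist update-interval 30
set security dynamic-address feed-server internal-ti feed-name soc-blocklist hold-interval 300
set security dynamic-address address-name soc-blocklist profile feed-name soc-blocklist

# 2. Geo-IP object from the cloud feed (ISO country codes). Countries the
#    organisation has no patients, partners or vendors in.
set security dynamic-address address-name blocked-countries profile category GeoIP property country string KP
set security dynamic-address address-name blocked-countries profile category GeoIP property country string IR

# 3. Command-and-control feed with a threat-level threshold; low-confidence
#    hits are permitted but logged rather than dropped.
set services security-intelligence profile cc-profile category CC
set services security-intelligence profile cc-profile rule cc-rule match threat-level [ 8 9 10 ]
set services security-intelligence profile cc-profile rule cc-rule then action block drop
set services security-intelligence profile cc-profile rule cc-rule then log
set services security-intelligence profile cc-profile default-rule then action permit
set services security-intelligence profile cc-profile default-rule then log
set services security-intelligence policy ti-policy CC cc-profile

# 4. Sky ATP file scanning over HTTP: the file hash is checked against the
#    cloud cache first, unknown files go to the sandbox, and verdicts of 7 or
#    higher (scale 1-10) are blocked. fallback-options decides what happens
#    when the cloud is unreachable: "permit" fails open, which a clinic that
#    cannot lose Internet access usually wants, but it must be logged.
set services advanced-anti-malware policy aamw-policy http inspection-profile default_profile
set services advanced-anti-malware policy aamw-policy http action block
set services advanced-anti-malware policy aamw-policy http notification log
set services advanced-anti-malware policy aamw-policy verdict-threshold 7
set services advanced-anti-malware policy aamw-policy fallback-options action permit
set services advanced-anti-malware policy aamw-policy fallback-options notification log
set services advanced-anti-malware policy aamw-policy default-notification log

# 5. Wire it to the zone pair. Inbound: drop listed sources first. Outbound:
#    permit user traffic with the C&C and file checks attached.
set security policies from-zone untrust to-zone trust policy drop-bad-sources match source-address soc-blocklist
set security policies from-zone untrust to-zone trust policy drop-bad-sources match source-address blocked-countries
set security policies from-zone untrust to-zone trust policy drop-bad-sources match destination-address any
set security policies from-zone untrust to-zone trust policy drop-bad-sources match application any
set security policies from-zone untrust to-zone trust policy drop-bad-sources then deny
set security policies from-zone untrust to-zone trust policy drop-bad-sources then log session-init
set security policies from-zone trust to-zone untrust policy user-egress match source-address any
set security policies from-zone trust to-zone untrust policy user-egress match destination-address any
set security policies from-zone trust to-zone untrust policy user-egress match application any
set security policies from-zone trust to-zone untrust policy user-egress then permit application-services security-intelligence-policy ti-policy
set security policies from-zone trust to-zone untrust policy user-egress then permit application-services advanced-anti-malware-policy aamw-policy
set security policies from-zone trust to-zone untrust policy user-egress then log session-init

# Verification (operational mode): feed freshness and current contents.
# > show security dynamic-address summary
# > show security dynamic-address address-name soc-blocklist
# > show services security-intelligence category summary
# > show services advanced-anti-malware statistics
```

Two caveats a practitioner will want. The file inspection above only sees plaintext HTTP; scanning downloads over HTTPS requires SSL forward proxy on the SRX, with the matching certificate rollout to clinical endpoints, and without it most ransomware droppers pass untouched. And a geo-IP deny on the inbound zone pair also blocks legitimate patients and cloud services that happen to egress from those countries, so start with the internal blocklist and the C&C feed, review the logs, and widen the country list only with evidence.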


About Juniper Networks


Juniper Networks brings simplicity to networking with
products, solutions and services that connect the world.
Through engineering innovation, we remove the constraints
and complexities of networking in the cloud era to solve the
toughest challenges our customers and partners face daily. At
Juniper Networks, we believe that the network is a resource for
sharing knowledge and human advancement that changes the
world. We are committed to imagining groundbreaking ways to
deliver automated, scalable and secure networks to move at the
speed of business.

Corporate and Sales Headquarters
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or +1.408.745.2000
Fax: +1.408.745.2100
www.juniper.net

APAC and EMEA Headquarters
Juniper Networks International B.V.
Boeing Avenue 240
1119 PZ Schiphol-Rijk
Amsterdam, The Netherlands
Phone: +31.0.207.125.700
Fax: +31.0.207.125.701

Copyright 2019 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the
United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks
assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

3510597-002-EN Mar 2019
