
JNCIS-SEC Study Guide


Worldwide Education Services


1194 North Mathilda Avenue Sunnyvale, CA 94089 USA

408-745-2000

www.juniper.net


This document is produced by Juniper Networks, Inc.

This document or any part thereof may not be reproduced or transmitted in any form under penalty of law, without the prior written permission of Juniper Networks Education Services.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

JNCIS-SEC Study Guide. Copyright © 2010, Juniper Networks, Inc. All rights reserved. Printed in USA. The information in this document is current as of the date listed above.

The information in this document has been carefully verified and is believed to be accurate for software Release 10.1R1.8. Juniper Networks assumes no responsibilities for any inaccuracies that may appear in this document. In no event will Juniper Networks be liable for direct, indirect, special, exemplary, incidental or consequential damages resulting from any defect or omission in this document, even if advised of the possibility of such damages.

Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

YEAR 2000 NOTICE

Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

SOFTWARE LICENSE

The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should consult the software license for further details.

Contents

Chapter 1: Introduction to Junos Security Platforms
Chapter 2: Zones
Chapter 3: Security Policies
Chapter 4: Firewall User Authentication
Chapter 5: SCREEN Options
Chapter 6: Network Address Translation
Chapter 7: IPsec VPNs
Chapter 8: Introduction to Intrusion Detection and Prevention
Chapter 9: High Availability Clustering

Overview

Welcome to the JNCIS-SEC Study Guide. The purpose of this guide is to help you prepare for your JN0-331 exam and achieve your JNCIS-SEC credential. The contents of this document are based on the Junos for Security Platforms course. This study guide covers the configuration, operation, and implementation of SRX Series Services Gateways in a typical network environment. Key topics within this study guide include security technologies such as security zones, security policies, intrusion detection and prevention (IDP), Network Address Translation (NAT), and high availability clusters, as well as details pertaining to basic implementation, configuration, and management.

Agenda

Chapter 1: Introduction to Junos Security Platforms
Chapter 2: Zones
Chapter 3: Security Policies
Chapter 4: Firewall User Authentication
Chapter 5: SCREEN Options
Chapter 6: Network Address Translation
Chapter 7: IPsec VPNs
Chapter 8: Introduction to Intrusion Detection and Prevention
Chapter 9: High Availability Clustering

Document Conventions

CLI and GUI Text

Frequently throughout this study guide, we refer to text that appears in a command-line interface (CLI) or a graphical user interface (GUI). To make the language of these documents easier to read, we distinguish GUI and CLI text from chapter text according to the following table.

Style: Franklin Gothic
Description: Normal text.
Usage Example: Most of what you read in the Student Guide.

Style: Courier New
Description: Console text (screen captures, noncommand-related syntax) and GUI text elements (menu names, text field entry).
Usage Example:
  commit complete
  Exiting configuration mode
  Select File > Open, and then click Configuration.conf in the Filename text box.

Input Text Versus Output Text

You will also frequently see cases where you must enter input text yourself. Often this will be shown in the context of where you must enter it. We use bold style to distinguish text that is input versus text that is simply displayed.

Style: Normal CLI / Normal GUI
Description: No distinguishing variant.
Usage Example:
  Physical interface:fxp0, Enabled
  View configuration history by clicking Configuration > History.

Style: CLI Input / GUI Input
Description: Text that you must enter.
Usage Example:
  lab@San_Jose> show route
  Select File > Save, and enter config.ini in the Filename field.

Defined and Undefined Syntax Variables

Finally, this study guide distinguishes between regular text and syntax variables, and it also distinguishes between syntax variables where the value is already assigned (defined variables) and syntax variables where you must assign the value (undefined variables). Note that these styles can be combined with the input style as well.

Style: CLI Variable / GUI Variable
Description: Text where the variable value is already assigned.
Usage Example:
  policy my-peers
  Click on my-peers in the dialog.

Style: CLI Undefined / GUI Undefined
Description: Text where the variable's value is at the user's discretion, and text where the variable's value might differ from the value the user must input.
Usage Example:
  Type set policy policy-name.
  ping 10.0.x.y
  Select File > Save, and enter filename in the Filename field.

Additional Information

Education Services Offerings

You can obtain information on the latest Education Services offerings, course dates, and class locations from the World Wide Web by pointing your Web browser to:

http://www.juniper.net/training/education/.

About This Publication

The JNCIS-SEC Study Guide was developed and tested using software Release 10.1R1.8. Previous and later versions of software might behave differently so you should always consult the documentation and release notes for the version of code you are running before reporting errors.

This document is written and maintained by the Juniper Networks Education Services development team. Please send questions and suggestions for improvement to training@juniper.net.

Technical Publications

You can print technical manuals and release notes directly from the Internet in a variety of formats:

Go to http://www.juniper.net/techpubs/.

Locate the specific software or hardware release and title you need, and choose the format in which you want to view or print the document.

Documentation sets and CDs are available through your local Juniper Networks sales office or account representative.

Juniper Networks Support

For technical support, contact Juniper Networks at http://www.juniper.net/customers/support/, or at 1-888-314-JTAC (within the United States) or 408-745-2121 (from outside the United States).


Chapter 1: Introduction to Junos Security Platforms

This Chapter Discusses:

Traditional routing and security implementations;

Current trends in internetworking;

SRX Series Services Gateways;

The Junos operating system for the SRX Series; and

Physical and logical packet flow through SRX Series devices.

Built to Forward Packets

The primary responsibility of a router is to forward packets using Layer 3 IP addresses found in an IP packet header. To forward packets, the router must have a path determination mechanism. This mechanism could be statically assigned routes, routing protocols, or policy-based routing.

Packet Processing Is Stateless

Traditionally, routers process packets in a stateless fashion. Routers do not keep track of bidirectional sessions; they forward each packet individually based on the packet header.

Separate Broadcast Domains and Provide WAN Connectivity

Routers were originally used to separate broadcast domains. With the introduction of advanced switching technologies and the birth of virtual LAN (VLAN) standards, broadcast domains can also be separated using switches. That capability, however, does not address inter-VLAN connectivity, which still necessitates the use of routers for forwarding traffic between VLANs. Furthermore, routers provide WAN connectivity at the network edge.


Layer 3 Packet Forwarding


The graphic illustrates the transmission of packets from host 10.1.1.10 to host 10.3.3.10. Routers perform Layer 3 packet forwarding using routing table entries. Routers build routing tables based on the results of dynamic routing protocols (for example, RIP, OSPF, IS-IS, and BGP), statically entered routes, or both of these methods. Note that routers forward packets based on the longest prefix match. For example, on the graphic, Router A selects interface ge-0/0/2 to send traffic to destination 10.3.3.10 because 10.3.3.10/32 is a longer prefix match than 10.3.3.0/24. If entry 10.3.3.10/32 does not exist in the routing table, the router selects interface ge-0/0/0 as the next hop for the same packet flow.
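Router A's longest-prefix-match decision from the graphic, as an added example that is not part of the study guide: a small routing table holding the two routes the text names (10.3.3.0/24 via ge-0/0/0 and 10.3.3.10/32 via ge-0/0/2) and resolving the destination 10.3.3.10 before and after the /32 entry is removed. The table and lookup logic are a constructed illustration, not a Junos API.

```python
"""Longest-prefix-match route selection, modelled on Router A in the graphic.

Added example (not from the study guide or the Junos OS).  The two routes
and interface names come from the text; everything else is constructed.
"""
import ipaddress
from typing import List, Optional, Tuple


class RoutingTable:
    """Routes keyed by prefix; lookup returns the most specific match."""

    def __init__(self) -> None:
        self._routes: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add(self, prefix: str, interface: str) -> None:
        self._routes.append((ipaddress.ip_network(prefix, strict=True), interface))
        # Keep the longest prefixes first so the first hit is the winner.
        self._routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def remove(self, prefix: str) -> None:
        net = ipaddress.ip_network(prefix, strict=True)
        self._routes = [r for r in self._routes if r[0] != net]

    def lookup(self, dst: str) -> Optional[str]:
        """Return the egress interface for the longest matching prefix, or None."""
        addr = ipaddress.ip_address(dst)
        for net, iface in self._routes:
            if addr in net:
                return iface
        return None  # no route at all: a stateless router simply drops the packet


def router_a() -> RoutingTable:
    """The two routes Router A holds in the graphic (constructed table)."""
    rt = RoutingTable()
    rt.add("10.3.3.0/24", "ge-0/0/0")
    rt.add("10.3.3.10/32", "ge-0/0/2")
    return rt


if __name__ == "__main__":
    rt = router_a()
    print("10.3.3.10 ->", rt.lookup("10.3.3.10"))  # ge-0/0/2: the /32 is the longer match
    print("10.3.3.20 ->", rt.lookup("10.3.3.20"))  # ge-0/0/0: only the /24 covers it
    rt.remove("10.3.3.10/32")
    print("10.3.3.10 ->", rt.lookup("10.3.3.10"))  # ge-0/0/0 once the /32 is gone
```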

Promiscuous Behavior of a Traditional Router


A traditional router is a promiscuous device that performs stateless packet processing. It is promiscuous because once it is configured, it immediately forwards all traffic by default (provided, of course, that some combination of static and dynamic routing is configured). Typically, a router operates only at Layer 3 and does not recognize any security threats in higher-layer protocols. Furthermore, a traditional router operates per packet, which adds to its fundamentally insecure nature, because it cannot detect malformed sessions. The network and the router itself are immediately vulnerable to all security threats.

Typical Treatment of Security

Other than implementing standard access control using IP header information, most routers are not equipped to secure a network. Traditionally, a full security solution involves adding a separate firewall device.

Typical Router Positioning


Enterprise customer premise applications are served by the J Series family of service routers and, in the case of larger enterprises, M Series routers. Enterprise data center applications can also be served by M Series routers. Internet service provider (ISP) networks can be served by M Series, MX Series, or T Series routers. J Series, M Series, MX Series and T Series routers support the rich routing and class-of-service (CoS) features needed by networks, and maintain value, stability, and predictably high performance.

Adding Security to the Network

Standalone routers do not provide adequate security to enterprise networks and data centers. As networks expand, network applications continue to diversify and expand, and as new methods of remote communications such as telecommuting increase, the need for added security becomes apparent. Typically, a standalone firewall is added to the network, increasing costs and maintenance.

Requirements for Firewall Devices

A firewall device must be capable of the following:

Stateful packet processing based on contents of IP and higher-level packet information, which includes TCP/UDP and the Application Layer;

Network Address Translation (NAT) and Port Address Translation (PAT), achieving private-to-public translations and vice versa; and

Establishing virtual private networks (VPNs) compounded with authentication and encryption.

Additional Services

The growth in network security has resulted in additional services provided by standalone firewalls such as Secure Sockets Layer (SSL) network access, intrusion detection and prevention (IDP), application-level gateway (ALG) processing, and more.


Firewall: Stateful Packet Processing


Because the main job of a firewall is to protect networks and devices, fundamental firewall intelligence consists of the ability to make packet processing decisions based on IP packet header information, including its upper layers.

Stateful packet processing involves the creation of a unidirectional flow, which consists of six elements of information—source IP address, destination IP address, source port number, destination port number, protocol number, and a session token. The session token is derived from a combination of a routing instance and a zone. The outgoing flow initiates a session table entry and the expected return flow for that packet. Both outgoing and incoming flows comprise the session and are entered into the session table. The session table enables bidirectional communication without any additional configurational steps for return traffic.

Firewall: NAT and PAT


When a security device resides at the edge of a network, it must be able to replace private, nonroutable addresses with public addresses before traffic is sent to the public network. Translation can consist of replacing the IP address, port numbers, or both, depending on the configuration. Note that NAT can be used on both source and destination addresses, and PAT can be used on both source and destination ports.

Firewall: Virtual Private Networks


You can use a firewall to build VPNs using the public network as an access medium between two private sites. As such, the firewall must be able to perform the following:

Encapsulate the original traffic in a packet that can be transported over the public network;

Encrypt the original packet so that it cannot be easily decoded if it is intercepted on the public network; and

Authenticate the originating device as a member of the VPN—not a random device operating on the public network.

Firewall Positioning


The graphic illustrates a typical enterprise deployment of firewall devices. Small office and home offices or retail storefronts use branch firewall devices to provide secured access to the Internet, as well as an IP Security (IPsec) VPN tunnel back to a central site.


The enterprise firewall device at the central site provides VPN termination and firewall protection between internal zones as well as from the Internet, and it might also provide other security services such as IDP, Web filtering, and antispam services.

Current Trends

As boundaries of networks are becoming less clear, so are the requirements of network edge devices. More and more enterprises are interconnecting themselves through an ISP’s virtual cloud by using IP. The Internet has created possibilities and opportunities for businesses and markets, and it has erased the concept of distance. With the Internet, however, came network vulnerabilities. Traditionally, routers have been positioned on the edge of an enterprise network and provided very basic network security such as stateless firewall filters. Network administrators became used to relying on separate firewall devices positioned within enterprise DMZs. The consolidation of these functions at the network edge improves costs, reduces management overhead, and increases operational simplicity.

A New Perspective


The graphic illustrates how a device with strong routing and firewall features can be positioned at network boundaries. Remote offices can deploy SRX Series branch platforms running the Junos OS to provide both routing and security features.

The SRX Series Services Gateway at the enterprise headquarters in this example also provides routing and security in a high-density, modular chassis. The Dynamic Services Architecture allows SRX Series Services Gateways to leverage new services with appropriate processing capabilities without sacrificing overall system performance. SRX Series Services Gateways are next-generation systems designed to meet the network and security requirements for the enterprise and service provider infrastructure, and facilitate data center consolidation, rapid managed services deployments, and security services aggregation.

SRX Series High-End Systems


The Juniper Networks SRX Series Services Gateways for the high end are next-generation services gateways based on a revolutionary architecture that provides market-leading scalability and service integration. These devices are ideally suited for large enterprise and service provider networks:

Securing large enterprise data centers;

Securing service provider and collocated data centers;

Aggregating departmental or segmented security solutions; and

Securing managed services and core service provider infrastructure.

Based on the Dynamic Services Architecture, the SRX Series provides unrivaled scalability. Each services gateway can support almost linear scalability with each additional Services Processing Card (SPC), enabling a fully equipped SRX5800 to support more than 120 Gbps of firewall throughput. The SPCs are designed to support a wide range of services enabling future support of new capabilities without the need for service-specific hardware. Using SPCs on all services ensures that no resources are idle, based on specific services being used, maximizing the utilization of equipped hardware.

The scalability and flexibility of the SRX5000 and SRX3000 lines of services gateways are supported by equally robust interfaces. The SRX Series high-end line employs a modular approach to interfaces where the gateway can be equipped with a flexible number of input/output cards (IOCs).

With the IOCs sharing the same interface slot as the SPCs, you can configure the gateway to support the ideal balance of processing, input, and output. Hence, you can tailor each deployment of the SRX Series to specific network requirements. With this flexibility, you can configure the SRX5800 to support more than 400 gigabit ports, with choices of Gigabit Ethernet or 10-Gigabit Ethernet.

The feature integration on the SRX Series is enabled by the Junos OS. By combining the routing heritage of the Junos OS and the security heritage of ScreenOS, the SRX Series is equipped with a robust list of features that include firewall, intrusion detection and prevention (IDP), denial of service (DoS), Network Address Translation (NAT), and quality of service (QoS).


SRX Series High-End System Components

The SRX Series line of high end systems includes the following integral components:

Input/output card (IOC): To provide the most flexible solution, the SRX Series employs the same modular architecture for SPCs and IOCs. With the flexibility to install an IOC or an SPC on a given slot, the SRX Series can be equipped to support an ideal balance between interfaces and processing capabilities.

Network Processing Card (NPC): To ensure maximum processing performance and flexibility, the SRX3000 line utilizes NPCs to distribute inbound and outbound traffic to the appropriate SPCs and IOCs, to apply QoS, and to enforce DoS and distributed DoS (DDoS) protections. In the SRX5000 line, the NPC is integrated into the IOC. Note that a minimum of one NPC must be installed in platforms in the SRX3000 line to ensure proper functionality.

Services Processing Card (SPC): SPCs are designed to process all available services on the gateway. Without the need for dedicated hardware for specific services or capabilities, no instances exist in which a piece of hardware is taxed to the limit while other hardware is sitting idle. All the processing capabilities of the SPCs are designed to process all configured services on the gateway. Note that a minimum of one SPC must be installed in an SRX Series high-end system to ensure proper functionality.

Switch Control Board (SCB): The SCB monitors and controls system functions and provides the interconnections to all the IOCs within a chassis through the switch fabrics integrated into the SCB. At least one SCB is required for the system to function. Two or three SCBs increase capacity or provide redundancy, depending on the specific platform.

Routing Engine (RE): The RE is an Intel-based PC platform that runs the Junos OS. Software processes that run on the RE maintain the routing tables, manage the routing protocols, control some chassis components, and provide the interface for system management and user access to the device.

For more information on specific SRX Series high-end system models and hardware, visit the Juniper Networks Web site for technical publications at http://www.juniper.net/techpubs.

Physical Packet Flow for High-End Security Platforms


The graphic illustrates physical packet flow through a high-end security platform running the Junos OS. The packet flow coverage includes the SRX5000 and the SRX3000 line of products.


Physical packet flow through a high-end security platform proceeds through the following sequence of steps:

1. A packet enters the security platform through the IOC. (Step 1.5: Oversubscription control applies at the IOC.)

2. The packet traverses the switch fabric from the IOC to the NPC. (In the SRX5000 line of products, the NPC integrates with the IOC.) The NPC performs a flow lookup. If the packet belongs to an existing flow, the NPC forwards the packet to the SPC associated with the packet's session. If the flow does not currently exist, the NPC installs a new session for the flow and assigns the flow to an SPC for processing. The NPC also performs CoS, policing, and shaping.

3. The packet traverses the switch fabric to its associated SPC, where security processing and forwarding or routing occurs.

4. The packet traverses the switch fabric back to an NPC where additional packet processing such as shaping and CoS occurs.

5. The packet traverses the switch fabric to the IOC associated with the egress interface and travels to the attached physical medium.

SRX Series Branch Devices


Juniper Networks SRX Series Services Gateways for the branch provide essential capabilities that connect, secure, and manage workforce locations sized from handfuls to hundreds of users. By consolidating fast, highly available switching, routing, security, and applications capabilities in a single device, enterprises can economically deliver new services, safe connectivity, and a satisfying end user experience.

SRX Series for the branch operates with the Junos OS, the proven operating system used by core Internet routers in all of the top 100 service providers around the world. The rigorously tested carrier-class routing features of IP version 4 (IPv4)/IP version 6 (IPv6), OSPF, BGP, and multicast have been proven in over 10 years of worldwide deployments.

SRX Series Services Gateways for the branch provide perimeter security, content security, access control, and network-wide threat visibility and control. Best-in-class firewall and VPN technologies secure the perimeter with minimal configuration and consistent performance. By using zones and policies, even new network administrators can configure and deploy an SRX Series branch device quickly and securely. Policy-based VPNs support more complex security architectures that require dynamic addressing and split tunneling. For content security, SRX Series for the branch offers a complete suite of Unified Threat Management (UTM) services consisting of intrusion prevention system (IPS), antivirus, antispam, Web filtering, and data loss prevention through content filtering to protect your network from the latest content-borne threats.


Select models feature Content Security Accelerator for high-performance IPS and antivirus performance. Junos security platforms for the branch integrate with other Juniper Networks security products to deliver enterprise-wide unified access control and adaptive threat management. These capabilities give security professionals powerful tools in the fight against cybercrime and data loss.

Branch Platform System Components

The SRX Series line of Junos security platforms includes the following integral components:

Multi-core processing unit: The processing unit uses multiple hardware threads to provide data plane services including security services and control plane services to the branch device. The SRX branch line of platforms utilizes a system-on-a-chip (SOC) multi-core processor that provides the control and data plane functions as well as additional services such as Ethernet controller technology and a cryptographic engine.

Physical Interface Modules (PIMs): The SRX Series line of branch and enterprise devices provides various media interfaces known as PIMs. The media support includes 10/100 Ethernet, 10/100/1000 Ethernet, Gigabit Ethernet, T1/E1, T3/E3, ISDN, serial, ADSL, and G.SHDSL interfaces, depending on the model. Some SRX Series branch models also contain an ExpressCard slot for use with a 3G wireless card to serve as a backup for primary interfaces. Select models contain Power over Ethernet (PoE) enabled ports.

Services and Routing Engine (SRE): The SRE, a field replaceable unit in the SRX650, houses the processing unit and provides processing power for security services; routing protocol processes; and other software processes that control the services gateway interfaces, some of the chassis components, system management, and user access to the device.

For more information on specific Junos security platform branch models and hardware, visit the Juniper Networks Web site for technical publications at http://www.juniper.net/techpubs.

Physical Packet Flow for Branch Security Platforms


In SRX Series branch gateways, control and data plane separation is maintained using multiple threads on multiple cores within the processor. One hardware core is used for control plane functions. Packets ingress the device through built-in ports or PIM ports and pass to an Ethernet switch, which acts as the switch fabric for the device. In SRX Series branch devices, local switching occurs at the switch so that the CPU or the NPU is not taxed with switched traffic. As a result, security services such as security policy and IDP are not available for locally switched traffic. The switch performs CoS classification and traffic policing. It then passes non-locally switched packets to the processor, where security services, routing lookup, and forwarding lookup are performed. SRX branch devices then send egress packets to the appropriate egress port by means of the switch.


Depending on the device type, the CPU might perform hardware acceleration and cryptographic acceleration. Some branch devices are equipped with a separate regular expression (REGEX) content processor to provide hardware-based pattern matching for IDP and antivirus acceleration.

Junos Security Platforms Versus a Traditional Router


The traditional router and a Junos security platform have completely different starting points with respect to security and traffic flow.

The traditional router begins by forwarding all traffic. Thus, the network is vulnerable to all threats. You add security policies to reduce vulnerability until you reach the ideal configuration. Because the traditional router begins as completely promiscuous and it requires that you add security policies, a greater chance exists that the network will remain vulnerable to some threats.

An SRX Series Services Gateway running the Junos OS begins by forwarding no traffic. The network is secure but not functional. You add rules to allow traffic until you reach the ideal configuration. Because a Junos security platform begins by forwarding no traffic and because you must add rules, a greater likelihood exists that the network will restrict undesirable traffic.

The Junos OS for Security Platforms Merges Routing and Security

The new features of the Junos OS for security platforms bring new core security capabilities to the Junos OS. Because the forwarding algorithm is session-based, security features are tightly integrated into the forwarding plane, improving security performance. Session-based forwarding and stateful firewall features derive from Juniper Networks ScreenOS software.

Junos security platforms incorporate ALG functionality, IPsec VPNs, and screen protection in a flowd module within the Junos OS. Juniper Networks world-class IDP technology is also fully integrated into the Junos OS for security platforms. We discuss these features later in this material.

Junos Elements

SRX Series Services Gateways use the Junos OS as their base operating system. As such, these devices deploy all the industry-proven processes of the Junos OS, such as the routing process, management process, device control process, and others. Another building element of the Junos OS for security platforms is session-based forwarding, thereby resulting in a strong suite of security features.


Packet-Based Junos Forwarding

The Junos OS basic control plane, routing protocol process implementation, per-packet stateless filters, policers, and CoS functions are all packet based. Furthermore, other nonsecurity-related features, such as all interface encapsulations and de-encapsulations, use the industry-proven Junos OS. You can configure SRX Series Services Gateways using either the CLI or J-Web—the Junos OS-based graphical user interface (GUI).

Session-Based Forwarding

The Junos OS for security platforms leverages ScreenOS software’s security features as well as its flow-based nature. The first packet entering the device follows a series of path and policy determination schemes. The Junos OS caches the session information, the creation of which is triggered by the first packet of the flow. The cached session is used by subsequent packets of that same flow and the reverse flow of that session. Using the flow module, which is integrated into the forwarding path, the hardware performs data-plane packet forwarding. Because the Junos OS for security platforms is security-based, all IPv4 packets entering the services gateway on an interface associate with an incoming zone. Likewise, all IPv4 packets exiting the device on an interface associate with an outgoing zone. The Junos OS for security platforms adds a bundle of high-security features to the regular features of a router, including stateful firewall, VPNs, NAT, ALGs, and IDP.

Control Plane

The control plane on a Junos security platform is implemented using the Routing Engine. The control plane consists of the Junos kernel, various processes, chassis management, user interface, routing protocols and some security features. Many of the security features resemble ScreenOS features, including the network security process, the VPN process, the authentication process, and Dynamic Host Configuration Protocol (DHCP). For its control plane, the Junos OS for security platforms deploys these features along with well-known, traditional Junos features.

Data Plane

The data plane on Junos security platforms, implemented on IOCs, NPCs, and SPCs for high-end devices and on CPU cores and PIMs for branch devices, consists of Junos OS packet-handling modules compounded with a flow engine and session management like that of the ScreenOS software. Intelligent packet processing ensures that one single thread exists for packet flow processing associated with a single flow. Real-time processes enable the Junos OS to perform session-based packet forwarding.

Logical Packet Flow Details


Security platforms running the Junos OS handle an incoming packet as follows:

  • 1. The software applies stateless policing filters and CoS classification to the packet at the ingress.

  • 2. If the packet does not drop, the software performs a session lookup to determine whether the packet belongs to an existing session. The Junos OS matches on six elements of traffic information for this determination—source IP address, destination IP address, source port number, destination port number, protocol number, and a session token.

  • 3. If the packet does not match an existing session, the software creates a new session for it. This process is referred to as the first-packet path. If the packet matches a session, the software performs fast-path processing.

The first packet of a flow is subject to first-packet-path processing. The software takes the following steps during first-packet-path processing:

  • 1. Based on the protocol used and its session layer (TCP or UDP), the software starts a session timer. For TCP sessions, the default timeout is 30 minutes. For UDP sessions, the default timeout is 1 minute. These values are the defaults, and you can change them.

  • 2. The software applies firewall SCREEN options.

  • 3. If destination NAT is used, the software performs address allocation.

  • 4. Next, the software performs the route lookup. If a route exists for the destination prefix, the software takes the next step. Otherwise, it drops the packet.

  • 5. The software determines the packet’s incoming zone by the interface through which it arrives. The software also determines the packet’s outgoing zone by the forwarding lookup.

  • 6. Based on incoming and outgoing zones, the corresponding security policy is determined and a security policy lookup takes place. The software checks the packet against defined policies to determine how to treat the packet.

  • 7. If source NAT is used, the software performs address allocation.

  • 8. The software sets up the ALG service vector.


  • 9. The software creates and installs the session. Furthermore, the software caches the decisions made for the first packet into a flow table, which subsequent packets of that flow use.

  • 10. The packet now enters the fast-path processing.

Subsequent packets of a flow are all subject to fast-path processing. The software takes the following steps during fast-path processing:

  • 1. The software applies firewall SCREEN options.

  • 2. The software performs TCP checks.

  • 3. The software applies NAT.

  • 4. The software applies an ALG.

  • 5. The software applies packet forwarding features, which include the following:

    • a. Stateless packet filters;

    • b. Traffic shaping by packet; and

    • c. Packet encapsulation and transmission.

Session Maintenance

When a packet enters the system and does not match any existing sessions, the Junos OS creates a new session based on routing and security policy information. Once this new session is created, the software puts it into a session hash table for further packet matching and processing. Depending on the protocol and service (TCP or UDP), the session is programmed with a default timeout. The default TCP timeout is 30 minutes and the UDP default timeout is 1 minute.

Session Cleanup

If no traffic matches the session during the service timeout, the Junos OS ages out the session and frees it to a common resource pool for a later reuse.

Session Run-Time Changes Propagation

The flow module is responsible for propagating any run-time changes that happen during the lifetime of the session. This propagation allows new packets that match the session to forward using up-to-date information. Routing run-time changes always propagate into the session. Security policy run-time changes might propagate into the session in progress, based on the corresponding security policy configuration.

Packet Flow Example: Part 1


We now apply the described decision process to a specific example. As the graphic shows, Host-B at 10.1.20.5 wants to initiate an HTTP session with the Web server at 200.5.5.5. The traffic passes through an SRX Series Services Gateway and is therefore subject to the decision process.

Packet Flow Example: Part 2


The graphic shows the packet as received by the SRX Series Services Gateway on interface ge-0/0/1. Following the flowchart, you can track the progress of the packet through the services gateway:

  • 1. Based on a lookup in the session table, the Junos OS determines that this session is not an existing session.

  • 2. A forwarding-table lookup determines how the software reaches the destination network.

  • 3. Now that the forwarding lookup is complete, the software can determine the ingress and egress zones required for security policy evaluation.


Packet Flow Example: Part 3


The following is a continuation of the list from the previous page:

  • 4. The packet is from host 10.1.20.5 and is an HTTP packet. This packet matches the policy statement on the graphic. The action for this particular type of traffic is to permit it.

  • 5. The SRX Series Services Gateway adds the flow information to the session table. At the same time, a return flow is automatically created and is also added to the session table.

  • 6. The SRX Series Services Gateway then forwards the packet out interface ge-1/0/0 (as determined by the destination lookup). The Junos OS allows traffic in both directions for this particular session to pass without any subsequent policy evaluation.
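To make the first-packet-path and fast-path steps above and the Host-B to Web-server walkthrough concrete, here is a small Python model of the flow module. It is an added example, not Junos code: the six session-key elements, the default timeouts and the order of the first-path steps are the guide's, while the Packet and FlowModule classes, the use of a single routing context as the session token, the route, zone and policy tables, and the interface names ge-0/0/1 and ge-1/0/0 used for the sample are constructed here.

```python
"""Model of the SRX session lookup, first-packet path and fast path (added
example, not Junos code).  Assumptions: one routing instance, so a constant
session token; routes, zones, policies and hosts are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TCP, UDP = 6, 17
# default session timeouts from the guide: 30 minutes for TCP, 1 minute for UDP
DEFAULT_TIMEOUT = {TCP: 30 * 60, UDP: 60}
NULL_ZONE = "Null"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    in_iface: str


@dataclass
class Session:
    egress: dict       # flow key -> egress interface, one entry per direction
    timeout: int       # seconds of inactivity before the session ages out
    last_seen: float


class FlowModule:
    def __init__(self, routes, zones, policies, token=0):
        # routes: (prefix, egress interface); zones: interface -> zone name;
        # policies: (from-zone, to-zone, src prefix, dst prefix, dport, action)
        self.routes = [(ip_network(p), i) for p, i in routes]
        self.zones = zones
        self.policies = policies
        self.token = token          # assumption: one routing instance, one token
        self.table = {}             # session hash table: key -> Session

    def key_of(self, p):
        """The six elements the Junos OS matches on."""
        return (p.src, p.dst, p.sport, p.dport, p.proto, self.token)

    def route_lookup(self, dst):
        """Longest-prefix match; None means no route, so the packet is dropped."""
        addr = ip_address(dst)
        matches = [(n, i) for n, i in self.routes if addr in n]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def policy_lookup(self, p, from_zone, to_zone):
        """First matching policy in the from-zone/to-zone context wins."""
        for fz, tz, src, dst, dport, action in self.policies:
            if ((fz, tz) == (from_zone, to_zone)
                    and ip_address(p.src) in ip_network(src)
                    and ip_address(p.dst) in ip_network(dst)
                    and dport in (p.dport, "any")):
                return action
        return "deny"               # implicit system-default policy

    def process(self, p, now):
        """Return (path, outcome): path is 'fast-path', 'first-path' or 'drop'."""
        key = self.key_of(p)
        sess = self.table.get(key)
        if sess is not None:
            if now - sess.last_seen > sess.timeout:
                # session cleanup: no traffic within the timeout, age it out
                for k in sess.egress:
                    self.table.pop(k, None)
            else:
                sess.last_seen = now
                return ("fast-path", sess.egress[key])
        # first-packet path: route lookup, zones, policy, then session install
        out_iface = self.route_lookup(p.dst)
        if out_iface is None:
            return ("drop", "no route")
        from_zone = self.zones.get(p.in_iface, NULL_ZONE)   # zone from ingress interface
        to_zone = self.zones.get(out_iface, NULL_ZONE)      # zone from forwarding lookup
        if NULL_ZONE in (from_zone, to_zone):
            return ("drop", "null zone")
        action = self.policy_lookup(p, from_zone, to_zone)
        if action != "permit":
            return ("drop", "policy " + action)
        reverse_key = (p.dst, p.src, p.dport, p.sport, p.proto, self.token)
        sess = Session({key: out_iface, reverse_key: p.in_iface},
                       DEFAULT_TIMEOUT.get(p.proto, 60), now)
        self.table[key] = sess          # forward flow
        self.table[reverse_key] = sess  # return flow, created at the same time
        return ("first-path", out_iface)


def build_example():
    """Constructed topology for the Host-B (10.1.20.5) to Web-server (200.5.5.5) example."""
    routes = [("10.1.20.0/24", "ge-0/0/1"), ("200.5.5.0/24", "ge-1/0/0")]
    zones = {"ge-0/0/1": "trust", "ge-1/0/0": "untrust"}
    policies = [("trust", "untrust", "10.1.20.0/24", "200.5.5.0/24", 80, "permit")]
    return FlowModule(routes, zones, policies)


if __name__ == "__main__":
    fm = build_example()
    syn = Packet("10.1.20.5", "200.5.5.5", 40000, 80, TCP, "ge-0/0/1")
    print(fm.process(syn, 0.0))
    print(fm.process(Packet("200.5.5.5", "10.1.20.5", 80, 40000, TCP, "ge-1/0/0"), 1.0))
    print(fm.process(syn, 1.0 + 31 * 60))
```

Running the block shows the three outcomes: the first HTTP packet takes the first-packet path and installs both flows, the reply is fast-pathed on the reverse key without any policy lookup, and a packet arriving more than 30 minutes after the last one finds the session aged out and repeats the first-packet path.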

Review Questions


Answers

1. Traditionally, routers process packets on a per-packet basis.

2. Traditionally, firewalls process packets based on stateful flows.

3. Junos OS for security platforms uses session-based packet forwarding and by default does not allow traffic to pass, whereas the traditional Junos OS uses packet-based forwarding and by default allows all traffic to pass.

4. The first packet of a new session is subject to first-path packet processing.


Chapter 2: Zones

This Chapter Discusses:

• Zones and their purpose;

• Types of zones;

• Application of zones;

• Configuring zones; and

• Monitoring zones.

Zone Definition


A zone is a collection of one or more network segments sharing identical security requirements. To group network segments within a zone, you must assign logical interfaces from the device to a zone.

Traffic Regulation Through a Junos Security Platform

Zones enable network security segregation. Security policies are applied between zones to regulate traffic through the security platform running the Junos operating system. By default, all network interfaces belong to the system-defined Null Zone. All traffic to or from the Null Zone is dropped. Special interfaces, including the fxp0 management Ethernet interface present in some SRX Series platforms, chassis cluster fabric interfaces, and internal system em0 interfaces, cannot be assigned to a zone.


Review: Packet Flow


Recall the packet flow through a Junos security platform. Specifically, once the packet enters a flow module, the device examines it to determine whether it belongs to an already established session. Recall that the Junos OS matches on six elements of traffic information to identify a session—source IP address, destination IP address, source port number, destination port number, protocol number, and a session token.

This material focuses on defining, configuring, and monitoring zones.

Zones and Interfaces

You can assign one or more logical interfaces to a zone. You can also assign one or more logical interfaces to a routing instance. You cannot assign a logical interface to multiple zones or multiple routing instances. You must also ensure that all of a zone’s logical interfaces are in a single routing instance. Violating any of these restrictions results in a configuration error as shown in the following examples:

[edit]
user@host# commit check
[edit security zones security-zone trust]
  'interfaces ge-0/0/2.0'
    Interface ge-0/0/2.0 already assigned to another zone
error: configuration check-out failed

[edit]
lab@host# commit check
[edit routing-instances A interface]
  'ge-0/0/0.0'
    RT Instance: Interface ge-0/0/0.0 already configured under instance B
[edit routing-instances B]
  'interface'
    Interface ge-0/0/0.0 is in more than one routing instance (latest A)
error: dcd_config_read fails to set parsing options
error: configuration check-out failed

[edit]
user@host# commit check
[edit security zones security-zone untrust]
  'interfaces ge-0/0/2.0'
    Interface ge-0/0/2.0 must be in the same routing instance as other interfaces in the zone
error: configuration check-out failed

One exception to the rule exists when all interfaces are assigned to one zone using the interface all configuration option. In this case, interfaces can belong to multiple routing instances.
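To see the three commit-check failures above as rules, here is a small Python validator. It is an added example, not Junos code: the error texts are paraphrased from the transcript, while the input layout (zone name to interface list, routing-instance name to interface list), the treatment of interfaces that appear in no routing instance as belonging to the master instance, and the sample interface names are constructed assumptions.

```python
"""Commit-check style validation of the interface/zone/routing-instance rules
(added model, not Junos code).  Assumption: an interface listed in no routing
instance belongs to the master instance."""

MASTER = "master"


def interface_instance(instances, ifc):
    """Return the routing instance owning an interface (master if unassigned)."""
    for inst, ifaces in instances.items():
        if ifc in ifaces:
            return inst
    return MASTER


def check_zone_config(zones, instances):
    """zones: zone name -> list of logical interfaces (or ["all"]);
    instances: routing-instance name -> list of logical interfaces.
    Returns the errors a commit check would raise; an empty list means clean."""
    errors = []

    # Rule 1: a logical interface belongs to at most one zone.
    owner_zone = {}
    for zone, ifaces in zones.items():
        for ifc in ifaces:
            if ifc == "all":
                continue
            if ifc in owner_zone:
                errors.append(f"[edit security zones security-zone {zone}] "
                              f"Interface {ifc} already assigned to another zone")
            else:
                owner_zone[ifc] = zone

    # Rule 2: a logical interface belongs to at most one routing instance.
    owner_inst = {}
    for inst, ifaces in instances.items():
        for ifc in ifaces:
            if ifc in owner_inst:
                errors.append(f"[edit routing-instances {inst}] Interface {ifc} "
                              f"is in more than one routing instance")
            else:
                owner_inst[ifc] = inst

    # Rule 3: all interfaces of a zone sit in one routing instance, unless the
    # zone was populated with 'interfaces all', the exception the text notes.
    for zone, ifaces in zones.items():
        if "all" in ifaces:
            continue
        reference = None
        for ifc in ifaces:
            inst = interface_instance(instances, ifc)
            if reference is None:
                reference = inst
            elif inst != reference:
                errors.append(f"[edit security zones security-zone {zone}] "
                              f"Interface {ifc} must be in the same routing "
                              f"instance as other interfaces in the zone")
    return errors


if __name__ == "__main__":
    # constructed configuration that trips rule 1 and rule 2 at once
    for err in check_zone_config({"trust": ["ge-0/0/1.0", "ge-0/0/2.0"],
                                  "untrust": ["ge-0/0/2.0"]},
                                 {"A": ["ge-0/0/0.0"], "B": ["ge-0/0/0.0"]}):
        print(err)
```

The third rule is the one that is easy to violate by accident when a zone is built up interface by interface across routing instances; the validator reports the first interface whose instance differs from the zone's first interface, which is also where the real commit check stops.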

Interfaces, Zones, and Routing Instances


The graphic summarizes logical relationships between interfaces, zones, and routing instances.

Logical interfaces are connections to specific subnets. Zones are logical groupings of logical interfaces with a common security requirement, and a logical interface can belong to only one zone. Zone configuration can be as simple as a two-zone setup, where all interfaces connected to internal networks are in one zone, and all interfaces connected to the external world are in a different zone. A more complicated configuration might divide interfaces based on internal department or function in addition to external and demilitarized zone (DMZ) connections.

A physical device can be broken up into multiple routing instances. A routing instance is a logical routing construct within a platform running the Junos OS. Each routing instance maintains its own routing table and forwarding table. A routing instance can contain one or more zones, which cannot be shared with other routing instances.

Zone Types


The zones within the Junos OS can be subdivided into two categories—user-defined and system-defined. You can configure user-defined zones, but you cannot configure system-defined zones. You can subdivide the user-defined category into security and functional zones. We cover user-defined and system-defined zones in detail on the next few pages.

Security Zones

Security zones are a collection of one or more network segments requiring regulation of inbound and outbound traffic through the use of policies. Security zones apply to transit traffic as well as traffic destined to any interfaces belonging to the security zone. You need one or more security policies to regulate intrazone and interzone traffic. Note that the Junos OS does not have any default security zones, and you cannot share a security zone between routing instances.

Functional Zones

Functional zones are special-purpose zones that cannot be specified in security policies. Note that transit traffic does not use functional zones. While the fxp0 management Ethernet interface is out-of-band by default, the Management Zone allows you to give other network interfaces the same behavior of isolating management traffic from transit traffic.

Null Zone

Currently there is only one system-defined zone, the Null Zone. By default, an interface belongs to the Null Zone. You cannot configure the Null Zone. When you delete an interface from a zone, the software assigns it back to the Null Zone. The Junos OS rejects all traffic to and from interfaces belonging to the Null Zone.

Branch Platforms


Junos security platforms for the branch ship from the factory with a template configuration that includes security zones. SRX Series high-end platforms do not contain zones in the factory-default template configuration and, therefore, you must configure required zones manually.

Factory-Default Configuration

In branch devices’ factory-default configuration, two security zones are defined—trust and untrust. In the template configuration, vlan.0 belongs to the trust zone. In addition, the factory-default configuration file has a security policy permitting all transit traffic within the trust zone and from the trust zone to the untrust zone. The security policy prohibits any traffic from the untrust zone to the trust zone. We discuss security policy in further detail in subsequent material. The zone names trust and untrust have no system-defined meaning. Like any zones defined in the configuration, you can modify or delete them. You can revert a Junos platform to its factory-default configuration by entering the load factory-default command from the top of the configuration hierarchy.


Zone Configuration Procedure

Zone configuration involves the following steps:

• Define a security or a functional zone;

• Add logical interfaces to the zone; and

• Optionally, identify some combination of system services and protocols allowed into the device through the interfaces belonging to the zone. If you omit this step, all traffic entering through the zone’s interfaces destined for the device is blocked.

Configuration Mode


To define a zone you must enter configuration mode, as illustrated on the graphic.

Defining a Zone Type

Once you enter the configuration mode, you can define a zone type. Recall that you can configure only two types of zones—functional, which is used for device management only (no transit traffic is permitted), and security. You define zones under the security configuration stanza. Note that user-defined zone names are case sensitive and can contain any standard characters, like any other variable name in the Junos OS.

Functional Zone Specifics

The following are two important configuration characteristics of the functional zone:

  • 1. You can define only one type of functional zone—management; and

  • 2. The functional zone does not have a user-defined name.

Adding Logical Interfaces to the Zone

Now you are ready to add logical interfaces to the zone. The graphic illustrates two variations. The first example illustrates adding interface ge-0/0/1.0 to the security zone, called HR, and the second example illustrates adding interface ge-0/0/1.100 to the functional management zone. If you omit the specification of the logical unit of the interface, the Junos OS assumes unit 0. Also, you can assign all interfaces to a zone by using the keyword all. Should you choose to assign all interfaces to a zone, you will not be able to assign any interfaces to a different zone.

Specifying Types of Traffic Permitted into the Device: Part 1

Without explicit configuration, traffic destined for a Junos security platform is not permitted. You can specify types of traffic allowed into the device using the host-inbound-traffic configuration option under a specific zone or under an interface configured in a zone. By default, all outbound traffic originating from the device is always allowed.


Specifying Types of Traffic Permitted into the Device: Part 2

When specifying types of traffic permitted into a Junos security platform, you use some combination of system-services and protocols configuration options. The Junos OS provides you with the ability to refer to all system services and protocols and respective ports with the help of the all keyword. To open all ports for all services, use the any-service keyword. In addition, you can isolate any exceptions to the referred list of protocols or system services with the help of the except keyword. The examples on the following pages illustrate the use of this keyword.

You can specify any of the following system services:

[edit security zones]
user@host# set security-zone HR host-inbound-traffic system-services ?
Possible completions:
  all                  All system services
  any-service          Enable services on entire port range
  dns                  DNS and DNS-proxy service
  finger               Finger service
  ftp                  FTP
  http                 Web management service using HTTP
  https                Web management service using HTTP secured by SSL
  ident-reset          Send back TCP RST to IDENT request for port 113
  ike                  Internet Key Exchange
  lsping               Label Switched Path ping service
  netconf              NETCONF service
  ntp                  Network Time Protocol service
  ping                 Internet Control Message Protocol echo requests
  reverse-ssh          Reverse SSH service
  reverse-telnet       Reverse telnet service
  rlogin               Rlogin service
  rpm                  Real-time performance monitoring
  rsh                  Rsh service
  sip                  Enable Session Initiation Protocol service
  snmp                 Simple Network Management Protocol service
  snmp-trap            Simple Network Management Protocol traps
  ssh                  SSH service
  telnet               Telnet service
  tftp                 TFTP
  traceroute           Traceroute service
  xnm-clear-text       JUNOScript API for unencrypted traffic over TCP
  xnm-ssl              JUNOScript API service over SSL

You can specify any of the following protocols:

[edit security zones]
user@host# set security-zone HR host-inbound-traffic protocols ?
Possible completions:
  all                  All protocols
  bfd                  Bidirectional Forwarding Detection
  bgp                  Border Gateway Protocol
  dvmrp                Distance Vector Multicast Routing Protocol
  igmp                 Internet Group Management Protocol
  ldp                  Label Distribution Protocol
  msdp                 Multicast Source Discovery Protocol
  nhrp                 Next Hop Resolution Protocol
  ospf                 Open Shortest Path First
  pgm                  Pragmatic General Multicast
  pim                  Protocol Independent Multicast
  rip                  Routing Information Protocol
  router-discovery     Router Discovery
  rsvp                 Resource Reservation Protocol
  sap                  Session Announcement Protocol
  vrrp                 Virtual Router Redundancy Protocol

Specifying Types of Traffic Permitted into the Device: Part 3

You can specify allowed traffic either at the zone level of configuration or the interface level within a zone. As with any configuration in the Junos OS, the precedence rule of more specific configuration applies here as well. In other words, interface-level configuration (as it is more specific) overrides the zone-level configuration. In the examples on the graphic, only HTTP system services are allowed into interface ge-0/0/1, which is part of the HR Zone. All other interfaces associated with the HR Zone can accept all system services.
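The following Python model ties together the zone configuration procedure, the all, any-service and except keywords, and the precedence rule just stated. It is an added example, not Junos code: the HostInbound and SecurityZone classes, the HR zone layout (telnet carved out of all at zone level, ge-0/0/1.0 narrowed to HTTP, ge-0/0/2.0 inheriting), and the assumption that an interface-level host-inbound-traffic stanza replaces the zone-level one entirely for that interface are this model's; the set-command syntax it renders is the one shown in the CLI excerpts above.

```python
"""Model of host-inbound-traffic resolution for traffic destined to the device
(added example, not Junos code).  Assumption: an interface-level stanza
replaces the zone-level stanza entirely for that interface."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HostInbound:
    """One host-inbound-traffic stanza (zone level or interface level)."""
    system_services: List[str] = field(default_factory=list)
    system_services_except: List[str] = field(default_factory=list)
    protocols: List[str] = field(default_factory=list)
    protocols_except: List[str] = field(default_factory=list)


@dataclass
class SecurityZone:
    name: str
    host_inbound: Optional[HostInbound] = None
    # logical interface -> its own stanza, or None to inherit the zone's
    interfaces: Dict[str, Optional[HostInbound]] = field(default_factory=dict)


def _permitted(allowed, excepted, name, allow_any_service):
    if name in excepted:            # 'except' carves a hole out of 'all'
        return False
    if name in allowed or "all" in allowed:
        return True
    # any-service opens the whole port range, so every service name passes
    return allow_any_service and "any-service" in allowed


def host_inbound_allowed(zone, iface, kind, name):
    """kind is 'system-services' or 'protocols'; True if traffic of that
    kind and name may enter the device through iface."""
    if iface not in zone.interfaces:
        return False                # not in this zone: the Null Zone drops it
    stanza = zone.interfaces[iface]
    if stanza is None:
        stanza = zone.host_inbound  # nothing more specific: inherit the zone's
    if stanza is None:
        return False                # no host-inbound-traffic at all: blocked
    if kind == "system-services":
        return _permitted(stanza.system_services, stanza.system_services_except, name, True)
    if kind == "protocols":
        return _permitted(stanza.protocols, stanza.protocols_except, name, False)
    raise ValueError(f"unknown kind {kind!r}")


def _stanza_commands(prefix, stanza):
    cmds = []
    for kw, allowed, excepted in (
            ("system-services", stanza.system_services, stanza.system_services_except),
            ("protocols", stanza.protocols, stanza.protocols_except)):
        cmds += [f"{prefix} host-inbound-traffic {kw} {n}" for n in allowed]
        cmds += [f"{prefix} host-inbound-traffic {kw} {n} except" for n in excepted]
    return cmds


def to_set_commands(zone):
    """Render the zone as Junos set commands, following the syntax shown above."""
    base = f"set security zones security-zone {zone.name}"
    cmds = []
    if zone.host_inbound is not None:
        cmds += _stanza_commands(base, zone.host_inbound)
    for ifc, stanza in zone.interfaces.items():
        cmds.append(f"{base} interfaces {ifc}")
        if stanza is not None:
            cmds += _stanza_commands(f"{base} interfaces {ifc}", stanza)
    return cmds


def build_example():
    """Constructed HR zone: every service except telnet, plus OSPF, at zone
    level; ge-0/0/1.0 narrowed to HTTP only, ge-0/0/2.0 inheriting."""
    return SecurityZone(
        name="HR",
        host_inbound=HostInbound(system_services=["all"],
                                 system_services_except=["telnet"],
                                 protocols=["ospf"]),
        interfaces={"ge-0/0/1.0": HostInbound(system_services=["http"]),
                    "ge-0/0/2.0": None},
    )


if __name__ == "__main__":
    print("\n".join(to_set_commands(build_example())))
```

Note what the override costs: because the interface-level stanza on ge-0/0/1.0 replaces the zone-level one, OSPF is no longer accepted on that interface either, even though it says nothing about protocols. When narrowing one interface, restate every service and protocol it still needs.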

Check Your Knowledge: Part 1


The graphic shows an example of zone configuration. What types of traffic are allowed into the specified zone and interfaces?

Check Your Knowledge: Part 2


The graphic shows another example of zone configuration. What types of traffic are allowed into the specified zone and interfaces?


Check Your Knowledge: Part 3


The graphic shows the third example in this series. What does this configuration do?

Monitoring Zones


The graphic illustrates the show security zones command, which is useful for zone monitoring. The command provides information on the zone type and name along with the number and names of interfaces bound to the zone.

Monitoring Traffic Permitted into Interfaces: Part 1


Using the show interfaces interface-name extensive command enables you to view zone specifics. The command displays information on permitted protocols and system services allowed into the device through the corresponding interfaces. In addition, the command provides information on flow statistics through the interface.

Monitoring Traffic Permitted Into Interfaces: Part 2


The graphic provides the continuation of the output from the previous page.

Review Questions

Answers

1. A zone is a collection of one or more network segments sharing identical security requirements.

2. Overall, there are two types of zones in the Junos OS—user-defined and system-defined zones. User-defined zones include security and functional zones, both of which you can configure. The Null Zone is a system-defined zone that you cannot configure. The security zone facilitates transit packets and packets to the device itself. The functional zone facilitates only management traffic. The Null Zone is a placeholder for interfaces that do not belong to any zone. All interfaces belonging to the Null Zone drop all packets.

3. To configure a zone, you must perform the following steps: (1) Define a security zone or a functional zone; (2) Add logical interfaces to the zone; and (3) Optionally, add services and protocols that must be permitted into the device.

4. You can specify traffic types to be allowed into a Junos security platform using the host-inbound-traffic statement.


Chapter 3: Security Policies

This Chapter Discusses:

• Security policy functionality;

• Components of a security policy;

• Verification and monitoring of security policies; and

• Configuring a security policy.

What Is a Security Policy?


A security policy is a set of statements that controls traffic from a specified source to a specified destination using a specified service. If a packet arrives that matches those specifications, the SRX Series device performs the action specified in the policy.

Network security policies are highly valuable for secure network functionality. Network security policies outline all network resources within a business and the required security level for each resource. The Junos operating system provides a set of tools to implement a network security policy within your organization. Security policies enforce a set of rules for transit traffic, identifying which traffic can pass through the firewall and the actions taken on the traffic as it passes through the firewall.


Review: Packet Flow


The graphic reviews packet flow through the flow module of a Junos security platform.

When the device examines the first packet of a flow, based on incoming and outgoing zones, it determines the corresponding security policy, and it performs a security policy lookup. The system checks the packet against defined policies to determine how to treat the packet.

In this material, we focus on the security policies portion of the Junos OS.

Transit Traffic Examination


The Junos OS for security platforms always examines transit traffic by using security policies. As illustrated on the graphic, should no match exist in the security policy, the default security policy applies to the packet. We highlight the default security policy in a subsequent graphic.

host-inbound-traffic Examination


If the destination of traffic is the device’s incoming interface, security policies are not applicable. The only examination that takes place is the list of services and protocols allowed into that interface using the host-inbound-traffic statement within a zone definition.

The Junos OS examines security policies if the traffic destination is any interface other than the incoming interface. This process is true regardless of whether the incoming interface and the destination interface are in the same zone (intrazone traffic) or in different zones (interzone traffic).

The flowchart on the graphic illustrates the order of packet examination. When the device receives traffic destined to itself, it first examines whether the destination of the traffic is the incoming interface. If so, it skips the policy examination. Otherwise, the corresponding security policies evaluate the traffic. If no policy match exists for the traffic, the default policy action applies. We discuss the default security policy next. If traffic matches a security policy that permits it, the device then examines the list of services and protocols allowed into the destination interface within the corresponding zone, and applies the corresponding action.


System-Default Security Policy


By default, the Junos OS denies all traffic through an SRX Series device. In fact, an implicit default security policy exists that denies all packets. You can change this behavior by configuring a standard security policy that permits certain types of traffic, or by configuring the default policy to permit all traffic as shown in the following screen capture.

[edit security policies]
user@host# set default-policy permit-all

[edit security policies]
user@host#

Factory-Default Security Policies

The factory-default template configuration file in branch security platforms has three preconfigured security policies (not to be confused with the system-default security policy discussed in the previous paragraph):

  • 1. Trust-to-trust zone policy: Permits all intrazone traffic within the trust zone;

  • 2. Trust-to-untrust zone policy: Permits all traffic from the trust zone to the untrust zone; and

  • 3. Untrust-to-trust zone policy: Denies all traffic from the untrust zone to the trust zone.

Security Policy Conceptual Example


We now examine an example of a packet flow through a Junos security platform.

The device’s interfaces are separated into three security zones—private, external, and public. The business requirement calls for an SSH application to be allowed from Host B, located in the private zone, to Host D, located in the external zone. To meet the requirement, we created the security policy illustrated on the graphic.

The following is the sequence of events that takes place:

  • 1. Host B initiates the SSH session to Host D.

  • 2. The Junos security device receives traffic and examines it using its security policy from the private zone to the external zone. The security policy permits that traffic.

  • 3. The Host B-to-Host D flow triggers the creation of the reverse flow from Host D to Host B. The graphic identifies the contents of this newly formed session. It consists of two flows—source to destination and destination to source.

  • 4. Host D sends the return traffic, from Host D to Host B. The device, using a pre-created session, permits the return traffic through to Host B.

Policy Ordering


Because policies execute in the order of their appearance in the configuration file, you should be aware of the following:

• Policy order is important.

• New policies go to the end of the policy list.

• You can change the order of policies in the configuration file using the Junos insert command.

• The last policy is the default policy, which has the default action of denying all traffic.


Editing Security Configurations

Like any other Junos configuration stanza, you can delete, deactivate, activate, insert, annotate, and copy security policies.

Security Policy Contexts

When defining a policy, you must associate it with a source zone, or incoming zone—named the from-zone. Also, you must define a destination zone, or an outgoing zone—named the to-zone. Within a direction of source and destination zones, you can define more than one policy, referred to as an ordered set of policies, which the Junos OS executes in the order of their configuration.

Recall that a zone is a collection of multiple logical interfaces with identical security requirements. The Junos OS always checks all transit traffic—intrazone and interzone—through the use of security policies.

Security Policy Components

Within the defined context title, each policy is labeled with a user-defined name. Under the user-defined name is a list of matching criteria and specified actions, similar to a Junos routing policy. One major difference is that each security policy must contain a matching source address, destination address, and application. Actions for traffic matching the specified criteria include permit, deny, reject, log, or count.

The Junos OS also uses policy to invoke the use of Intrusion Detection and Prevention (IDP) policies, the Unified Threat Management (UTM) feature for branch devices, and firewall authentication.

Policy Match Criteria

Each of the defined policies must include the following matching criteria:

• Source addresses: This criterion can be in the form of address sets or individual addresses. You can group individual addresses into address sets.

• Destination addresses: This criterion can be in the form of address sets or individual addresses. You can group individual addresses into address sets.

• Applications or application sets: This criterion can be user-defined or system-defined. The Junos OS supports system-crafted default applications and application sets, referred to using the format junos-application, where application is the name of the actual application. You can also define your own applications.

You must specify all matching components. If you omit any of these components, the Junos OS will not allow you to commit the configuration.

Creating Address Book Entries


The graphic illustrates the syntax that you must use when creating address book entries. An address book within a zone can consist of individual addresses or address sets. An address set is a set of one or more addresses defined within an address book. Address sets are useful when you must refer to a group of addresses more than once. If the matching criteria needs no specific address, no address book entry is necessary. In this case, you can specify the configuration option any as the source or destination address in a security policy.

Defining Custom Applications


The Junos OS has many built-in applications, such as junos-rsh, junos-sip, junos-bgp, and so forth. You can customize the list of predefined applications (thus expanding the overall list), which gives you the capability to support complex applications.

user@host> top show groups junos-defaults | match application | match junos
application junos-ftp {
application junos-tftp {
application junos-rtsp {
application junos-netbios-session {
application junos-ssh {
application junos-telnet {
...

To configure a custom application, define the application name and associate it with a protocol and ports. Use the application-protocol configuration option to associate the custom application with an application-level gateway (ALG). A user-configured application has a timeout value associated with it. The Junos OS applies the timeout value to the created session. Once the timeout expires, the software clears the session from the session table. You can modify the timeout value for a specific application. Note that the new timeout value applies only to new sessions—not to existing ones.

Creating Policy Match Entries


You enter all policies under the from-zone...to-zone stanza for that particular traffic direction. The from-zone...to-zone stanza associates the policies under it with a source zone and a destination zone. Under a specific zone direction, each security policy contains a name, match criteria, and an action. This example focuses on match criteria. The system executes all policies in the order of their appearance within a configuration file.

Basic Policy Actions

Each policy has a list of basic and advanced actions associated with it. The basic actions are the following:

• permit: Allows traffic flow;

• deny: Results in a silent packet drop; and

• reject: Results in a packet drop and the sending of an Internet Control Message Protocol (ICMP) unreachable message for UDP traffic and a TCP reset (RST) message for TCP traffic.

Log and Count Traffic

For each of these actions, you can configure the Junos OS to log and count traffic as well. To view counters, use the show security policies detail operational mode command.

Advanced Permit Settings

Among the policy actions mentioned in the previous section, the following advanced permit settings exist:

• Firewall authentication;

• IPsec VPN tunnel;

• IDP; and

• UTM features.


Firewall authentication enables you to restrict and permit users accessing protected resources that could be located in different zones. The Junos OS offers two methods of firewall authentication:

• Pass-through: Firewall users that are using FTP, Telnet, or the Hypertext Transfer Protocol (HTTP) to access protected resources across the device are authenticated through a username and password. The Junos security platform intercepts the session and then performs user authentication.

• Web authentication: Firewall users use HTTP or HTTP over Secure Sockets Layer (HTTPS) to access an IP address of the Junos security device, instead of the protected resource. The device acts as a proxy, authenticating the user with a username and password and caching the information.

We discuss firewall authentication in more detail in “Firewall User Authentication.”

If a policy associates with a preconfigured IPsec VPN tunnel, the tunnel creation occurs dynamically upon the receipt of the first packet that matches such a policy. The policy-based IPsec VPN can be one of two types—IKE or manual. We discuss IPsec VPNs in more detail in “IPsec VPNs.”

A policy can associate with an IDP policy. IDP policies inspect traffic and enforce various attack detection and prevention techniques. We discuss IDP in more detail in “Introduction to IDP”.

In branch devices only, a policy can also associate traffic with UTM features such as antivirus, content filtering, and Web filtering.

Policy Components Summary


The following is a summary of the policy components:

• A security policy is positioned within the from-zone and the to-zone direction of traffic within the configuration;

• Each policy has a set of matching conditions;

• Each policy has a set of actions that the system performs upon success of all matching conditions;

• Many security policies within the same direction of the flow can exist; and

• Policy order is important, because policies execute in the order of their appearance in the configuration file.


Control Plane Logging


The Junos OS logs control plane events either locally or to an external syslog device. Locally stored logs are stored on the Routing Engine under the /var/log directory; you can view them by using the show log log-name operational mode command. To configure logs to be sent to an external syslog server, use the host configuration option. The example on the graphic shows the control plane logging statements present in a factory-default configuration.

Branch Device Data Plane Logging


Data plane logging in Junos security platforms for the branch can be stored locally or on an external system log (syslog) server. Use the session-close and session-init configuration options within a security policy to log the start and close of sessions matching a policy. We suggest using only session-close on production devices. Logging both session-close and session-init will cause high CPU utilization on some SRX Series devices for the branch.

The graphic illustrates a sample log file configuration for branch devices. Logs are stored locally in the /var/log directory when designated with a filename. To send logs to an external device, use the host IP address configuration option.


The default facility and severity for data plane session logging is user info. To enable a Network and Security Manager (NSM) device to retrieve logs, name the log file default-log-messages, as shown on the graphic, and include the structured-data configuration option.

High-End SRX Series Data Plane Logging


Data plane logging in high-end SRX Series devices can go to an external syslog device. The Junos OS supports limited local data plane logging because of the high volume of session handling that a high-end SRX Series device supports. The graphic illustrates the configuration of data plane logging for high-end SRX Series devices.

Currently, the Junos OS supports one stream of logging traffic. Supported collection devices include UNIX syslogd-based servers and the Juniper Networks Series Security Threat Response Manager (STRM).

Logging Sessions in Security Policy


Use the session-close and session-init configuration options to log the start and close of sessions matching a policy. The graphic illustrates the configuration of the policy log action.


Collecting Security Policy Statistics

Use the count security policy action to collect statistics and make them available using operational show commands. The count security policy action is not necessary to enable statistics collection in security policy logs. Logs containing session-close messages contain statistics by default.

Operational Monitoring Commands


Various show commands are available for monitoring the application of security policy. The show security policies command allows you to view details about an applied policy such as the policy index number, policy matching conditions, and policy actions. Use the detail command option to view statistics associated with policy counters.

The show security flow session command displays active sessions on the device and each session’s associated security policy. Note that this command output is categorized per Services Processing Unit (SPU) application-specific integrated circuit (ASIC). The following output is from a services gateway containing two services processing cards (SPCs) and therefore, four total SPUs. Only one session is active on the services gateway:

user@host> show security flow session
0 sessions displayed

0 sessions displayed

0 sessions displayed

Session ID: 210000935, Policy name: permit-ftp/5, Timeout: 1768
  In: 10.100.0.2/50054 --> 10.200.1.2/21;tcp, If: ge-1/2/1.10
  Out: 10.200.1.2/21 --> 10.100.0.2/50054;tcp, If: ge-1/0/1.40
1 sessions displayed

Tracing Security Policy


The configuration shown on the graphic enables the tracing of security policy evaluation and sessions on a Junos security platform. Use the packet-filter configuration option to log only details concerning selected sessions. Note that because of the architectural design of Juniper Networks security and routing platforms, you can enable reasonably detailed tracing in a production network without negative impact on overall performance or packet forwarding. However, it is good practice to deactivate traceoptions when you are not troubleshooting the device, to reduce the impact on system resources.

Policy Scheduling


A policy scheduler is a method for scheduling a policy execution for a specified duration or a set of durations. A policy scheduler is optional. A scheduler supports system time updates either through manual configuration or through the Network Time Protocol (NTP) by synchronizing itself with the time changes.


Rules for Scheduling

The following rules apply to policy scheduling:

• An individual policy can have only one scheduler applied;

• Multiple policies can use the same scheduler; and

• A scheduler must be referenced in a policy to become active. Without a defined scheduler within a policy, the policy is always active.

Security Policy Scheduler Components

A security policy scheduler provides you with the flexibility to identify the start date and time and stop date and time for policy enforcement. In particular, the scheduler components include the following:

• Slot schedule: This component consists of the start date and time and the stop date and time of policy enforcement; and

• Daily schedule: This component consists of the start time, the stop time, the all-day option, and the exclude option.

Policy Scheduler Details


A policy scheduler turns on recurrently or once at the specified time. Recall that a policy scheduler activates and deactivates a policy according to the scheduled time, which you configure. Once you create the scheduler, you must apply it to a policy. The default behavior of a policy is to execute at all times.


Optionally Applying the policy-rematch Statement


The default behavior of the Junos OS is to not disturb sessions in progress when you make configuration changes to security policies. For example, you can modify an address field or the actions of a policy used for session examination. By default, because the session was pre-established, it continues to operate without interruption. You can change that default behavior by enabling the policy-rematch statement. Once you enable the statement, every configuration change to a policy is reflected in the sessions in progress. Configuration changes to source addresses, destination addresses, and applications cause policy re-evaluation as the system performs a new policy lookup. If the newly matched policy is not the policy referred to by the session, the session clears. If an IPsec VPN change occurs, the Junos security platform clears the session.

The following list explains the actions that the Junos OS performs on impacted sessions in progress based on whether the policy-rematch flag is enabled or disabled.

When the policy-rematch flag is enabled:

• The software inserts a policy: no impact;

• The software modifies the action field of a policy from permit to either deny or reject: all existing sessions are dropped; and

• The software modifies some combination of the source address, destination address, and application fields: the Junos OS re-evaluates the policy lookup.

When the policy-rematch flag is disabled (default behavior):

• The software inserts a policy: no impact;

• The software modifies the action field of a policy from permit to either deny or reject: all existing sessions continue; and

• The software modifies some combination of the source address, destination address, and application fields: all existing sessions continue unchanged.

Note that irrespective of the value of the policy-rematch flag, deletion of a policy causes the device to drop all impacted existing sessions.


Case Study: Creating Policies


The next series of graphics presents an example and the configurations for a setup in which two zones exist—HR and Public. The private PCs A and B, located in the HR Zone, must communicate with Server C in the Public Zone using a custom application set. Traffic from the rest of the 10.1.0.0/16 network is restricted, and the restricted traffic is logged and counted.

Case Study: Entering Host Addresses into the HR Zone


The graphic presents the configuration that adds host addresses belonging to zone HR. The hosts include PC_A and PC_B, whose addresses are 10.1.10.5 and 10.1.20.5 respectively. The rest of the 10.1.0.0/16 subnet is also defined, named all-10-1 in the address book. In addition, the PC_A and PC_B addresses are grouped into an address set named HR_PCs.


Case Study: Entering Host Addresses into the Public Zone


The graphic presents the configuration that adds host addresses belonging to the Public Zone. The Public Zone has Server_C, whose address is 1.1.70.250. The rest of the 1.1.7.0/24 subnet is also defined, named all-1-1-70 in the address book. In addition, an address set, named address-Public, consists of the Server_C address for now.

Case Study: Adding New Applications


The graphic presents the configuration of a new application, HR-telnet, for the HR Zone. In the configuration, source-port is an optional setting for an application. The configuration shows that the new application is added under the applications stanza. In addition, the new application set, named HR-Public-applications, consists of two predefined applications, junos-ftp and junos-ike, and the newly defined HR-telnet application.


Case Study: Creating Policy Entries: Part 1


We must now define the policies from the HR Zone to the Public Zone. We must define two policies. The purpose of the first one, named HR-to-Public on the graphic, is to permit traffic from the HR Zone to the Public Zone, provided that its source address belongs to the address set HR_PCs, its destination address belongs to the address set address-Public, and its application is part of HR-Public-applications. Matching traffic is logged and counted.

Case Study: Creating Policy Entries: Part 2


The graphic shows the definition of the next policy for the same direction—from the HR Zone to the Public Zone. This policy denies, logs, and counts packets only when all of the following conditions are met:

• The source address of the packet must be all-10-1;

• The destination address must be all-1-1-70; and

• The application must be junos-ftp.


If a packet matches neither of the previous policies, HR-to-Public and otherHR-to-Public, the default security policy examines it, and the device drops it.

Case Study: Optionally Creating a Scheduler


We now create a scheduler named schedulerHR. Its purpose is to activate policy HR-to-Public on a daily basis, from 9:00 am until 5:00 pm, excluding weekends (Saturday and Sunday). Because HR-to-Public is the only policy that permits some traffic, application of the scheduler results in the Junos security device blocking all traffic completely on a daily basis after 5:00 pm and on weekends.

Case Study: Optionally Applying a Scheduler


The graphic shows the application of the previously defined scheduler schedulerHR to the HR-to-Public policy.
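To make the case study's lookup behavior concrete, here is an added example (not code from the study guide or from the Junos OS): a small Python model of ordered security-policy lookup that replays the case study's address books, applications, the two HR-to-Public policies and schedulerHR, and also applies the policy-rematch rules described earlier in this chapter to an existing session. The class and function names, the packet values, the timestamps and the session ID are constructed, and the scheduler is modelled as a simple weekday and hour check.

```python
import ipaddress
from dataclasses import dataclass, replace
from datetime import datetime

# Per-zone address books and address sets, with prefixes as printed in the case study.
ADDRESS_BOOK = {
    "HR": {"PC_A": "10.1.10.5/32", "PC_B": "10.1.20.5/32", "all-10-1": "10.1.0.0/16"},
    "Public": {"Server_C": "1.1.70.250/32", "all-1-1-70": "1.1.7.0/24"},
}
ADDRESS_SETS = {"HR_PCs": ["PC_A", "PC_B"], "address-Public": ["Server_C"]}
# Applications as (protocol, destination-port range); HR-telnet is the custom one.
APPLICATIONS = {"junos-ftp": ("tcp", (21, 21)), "junos-ike": ("udp", (500, 500)),
                "HR-telnet": ("tcp", (23, 23))}
APPLICATION_SETS = {"HR-Public-applications": ["junos-ftp", "junos-ike", "HR-telnet"]}

def scheduler_hr(when):
    """schedulerHR: active daily 09:00-17:00, Saturday and Sunday excluded."""
    return when.weekday() < 5 and 9 <= when.hour < 17

@dataclass
class Policy:
    name: str
    source: str            # address or address-set name, or "any"
    destination: str
    application: str       # application or application-set name
    action: str            # permit | deny | reject
    scheduler: object = None   # callable(datetime) -> bool; None means always active

# Ordered policy list for the from-zone HR to-zone Public context; order matters.
CASE_STUDY_POLICIES = [
    Policy("HR-to-Public", "HR_PCs", "address-Public", "HR-Public-applications",
           "permit", scheduler_hr),
    Policy("otherHR-to-Public", "all-10-1", "all-1-1-70", "junos-ftp", "deny"),
]

def addr_matches(name, zone, ip):
    if name == "any":
        return True
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(ADDRESS_BOOK[zone][n])
               for n in ADDRESS_SETS.get(name, [name]))

def app_matches(name, proto, dport):
    for app in APPLICATION_SETS.get(name, [name]):
        p, (lo, hi) = APPLICATIONS[app]
        if p == proto and lo <= dport <= hi:
            return True
    return False

def lookup(policies, pkt, when, from_zone="HR", to_zone="Public"):
    """First-match lookup in configuration order. A policy whose scheduler is
    inactive is skipped; no match falls through to the default policy (deny)."""
    for pol in policies:
        if pol.scheduler is not None and not pol.scheduler(when):
            continue
        if (addr_matches(pol.source, from_zone, pkt["src"])
                and addr_matches(pol.destination, to_zone, pkt["dst"])
                and app_matches(pol.application, pkt["proto"], pkt["dport"])):
            return pol.name, pol.action
    return "default-policy", "deny"

def with_action(policies, name, action):
    """Copy of the ordered policy list with one policy's action changed."""
    return [replace(p, action=action) if p.name == name else p for p in policies]

@dataclass
class Session:
    sid: int
    policy: str   # policy that created the session
    pkt: dict     # forward-flow key of the session

def after_policy_change(sessions, policies, when, policy_rematch, deleted=None):
    """Sessions surviving a policy change. Deleting a policy always drops its
    sessions. With policy-rematch enabled, each session is looked up again and
    cleared unless it still lands on its own policy with permit; with it
    disabled (the default), existing sessions continue unchanged."""
    kept = []
    for s in sessions:
        if s.policy == deleted:
            continue
        if policy_rematch:
            name, action = lookup(policies, s.pkt, when)
            if name != s.policy or action != "permit":
                continue
        kept.append(s)
    return kept

# Constructed packets, times (2010-06-15 is a Tuesday) and a session for the checks.
PKT_PC_A_TELNET = {"src": "10.1.10.5", "dst": "1.1.70.250", "proto": "tcp", "dport": 23}
PKT_OTHER_FTP = {"src": "10.1.30.7", "dst": "1.1.7.10", "proto": "tcp", "dport": 21}
PKT_OTHER_SSH = {"src": "10.1.30.7", "dst": "1.1.7.10", "proto": "tcp", "dport": 22}
TUESDAY_10AM = datetime(2010, 6, 15, 10, 0)
TUESDAY_6PM = datetime(2010, 6, 15, 18, 0)
SATURDAY_10AM = datetime(2010, 6, 19, 10, 0)
SESSIONS = [Session(210000935, "HR-to-Public", PKT_PC_A_TELNET)]
```

Calling lookup(CASE_STUDY_POLICIES, PKT_PC_A_TELNET, TUESDAY_6PM) shows the scheduler effect described above: with HR-to-Public inactive, PC_A's Telnet session falls through to the default policy and is denied.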


Check Your Knowledge


What are the answers to the questions posed on the graphic?

Case Study: Monitoring Security Policies: Part 1


The graphic shows the output of the show security policies detail command for one of the policies in the case study. We removed some content for brevity.

Case Study: Monitoring Security Policies: Part 2


The graphic shows an example of the data plane log output resulting from live FTP traffic transiting the case study’s security policy. We captured the output on an external UNIX syslogd-enabled server.

Review Questions


Answers

1. The basic components of a policy are: (1) policy name; (2) source zone and destination zone; (3) matching conditions, consisting of one or many source addresses or sets, one or many destination addresses or sets, one or many applications or sets; and (4) actions.

2. The default action for every policy set is to deny traffic.

3. The policy scheduler enables the user to dynamically activate or deactivate a security policy. If you deactivate a policy, and no other matches are found, the default security policy examines the packet.

4. You can reorder policies using the Junos insert command.


Chapter 4: Firewall User Authentication

This Chapter Discusses:

• The purpose of firewall user authentication;

• Implementing pass-through authentication;

• Implementing Web authentication;

• Using client groups; and

• Monitoring firewall user authentication.

The Purpose of Firewall User Authentication


Firewall user authentication provides another layer of protection in the network on top of security zones, policies, and screens. With firewall authentication, you can restrict or permit users individually or in groups. Users attempting to access a network resource receive a prompt from the Junos operating system for a username and password even if a security policy is in place permitting the traffic.

Users can be authenticated using a local password database or using an external password database. The Junos OS supports RADIUS, Lightweight Directory Access Protocol (LDAP), or SecurID authentication servers.

The example on the graphic illustrates a user (Host A) attempting to access a network resource belonging to the Public Zone. With firewall user authentication configured, the user must first authenticate with the Junos security platform before accessing the resource. In this example, the device can query an external authentication server to determine the authentication result. The security policy must also allow traffic flow. Once the user receives authentication, subsequent sessions from the same source IP address bypass firewall user authentication. This behavior is especially important when considering the usage of firewall user authentication for a network that might have source-based Network Address Translation (NAT) employed.

Pass-Through Authentication

Two types of firewall user authentication are available—pass-through or Web authentication. Pass-through authentication must first be triggered by Telnet, FTP, and Hypertext Transfer Protocol (HTTP) traffic. In this type of firewall authentication, the user initiates a session to a remote network device or resource. If traffic matches the security policy configured for pass-through authentication, the SRX Series Services Gateway intercepts the session. The user receives a prompt for a username and password. If the authentication is successful, subsequent traffic from the same source IP address is automatically allowed to pass through the device, provided it matches the applied security policy.

Web Authentication

Web authentication is valid for all types of traffic. With Web authentication configured, users must first directly access the Junos security platform using HTTP. The user enters the address or hostname of the device into a Web browser and then receives a prompt for a username and password. If authentication is successful, the user can then access the restricted resource directly. Subsequent traffic from the same source IP address is automatically allowed access to the restricted resource, as long as security policy allows for it.

Local Authentication


The Junos OS supports local authentication on the Junos security platform itself as well as RADIUS, LDAP, and SecurID external authentication servers. The local password database supports authentication and authorization.

RADIUS Authentication

The Junos OS supports Juniper Networks' Steel-Belted Radius for authentication as well as authorization. The Junos security platform acts as a RADIUS client, and communication uses UDP. RADIUS uses a shared secret key to encrypt user information during the exchange.

LDAP Authentication

An LDAP server is another form of external authentication server. When using an LDAP server, the Junos OS supports authentication only (not authorization). The Junos OS is compatible with LDAP Version 3 and Microsoft Windows Active Directory.

SecurID Authentication


An RSA SecurID server can be used for external authentication. This method allows users to enter either static or dynamic passwords as credentials. A dynamic password is a combination of a user’s PIN and a randomly generated token that is valid for a short period of time. The Junos OS supports SecurID servers for authentication only and does not support the SecurID challenge feature.

Pass-Through Authentication


The graphic illustrates the process used for pass-through firewall authentication. A user attempts to connect directly to a remote network resource using either Telnet, HTTP, or FTP. The Junos security platform intercepts the first packet and stores it in memory. The device prompts the end user for a username and password. If authentication is successful, a configurable banner displays to the user, and the original buffered packet travels to its destination. The Junos OS allows subsequent traffic from the same source IP address until the user is idle for 10 minutes. At this point, authentication must be performed again for further traffic to pass through the device. The default idle timeout of 10 minutes is configurable as shown:

[edit access profile profile-name]
user@host# set session-options client-idle-timeout ?
Possible completions:
  <client-idle-timeout>  Time in minutes of idleness after which access is denied
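As an added illustration (not code from the study guide or from the Junos OS), the following Python model shows how firewall authentication state keyed by source IP address behaves with a sliding idle timeout: the 10-minute default, the re-prompt after idleness, and why every host sharing a source-NAT address is covered by one user's login. The class, the client list, the address and the timeline are all constructed.

```python
from datetime import datetime, timedelta

DEFAULT_IDLE_TIMEOUT = timedelta(minutes=10)       # client-idle-timeout default
LOCAL_CLIENTS = {"alice": "constructed-password"}  # stands in for access-profile clients


class FirewallAuthTable:
    """Authenticated source addresses with the time of their last traffic."""

    def __init__(self, idle_timeout=DEFAULT_IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.entries = {}   # src_ip -> (username, last_seen)

    def authenticate(self, src_ip, username, password, now):
        """One pass-through or Web login attempt; success caches the source IP."""
        if LOCAL_CLIENTS.get(username) != password:
            return False
        self.entries[src_ip] = (username, now)
        return True

    def permit(self, src_ip, now):
        """Whether a new session from src_ip bypasses authentication. Traffic
        refreshes the idle timer; silence longer than the timeout removes the
        entry, so the next session is prompted for credentials again. The key
        is the source IP only, which is why hosts behind the same source-NAT
        address all inherit one user's authentication."""
        entry = self.entries.get(src_ip)
        if entry is None:
            return False
        user, last_seen = entry
        if now - last_seen > self.idle_timeout:
            del self.entries[src_ip]
            return False
        self.entries[src_ip] = (user, now)
        return True


# Constructed timeline: login at T0, traffic at T0+9 min, then nothing until T0+20 min.
T0 = datetime(2010, 6, 15, 9, 0)
T_PLUS_9MIN = T0 + timedelta(minutes=9)
T_PLUS_20MIN = T0 + timedelta(minutes=20)
```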


Creating an Access Profile


The graphic provides an example of a basic access profile. This example shows the configuration of a user-defined profile name. One or more clients are configured within the profile, representing end users. The client-name represents the username. The password is entered in plain-text format but displays in encrypted form when you view the configuration.

Associating the Access Profile with an Authentication Type


Once an access profile has been defined, it must be associated with pass-through firewall authentication. The graphic shows a basic example of this configuration. The Junos OS also allows you to set a customized banner that will display to the end user. The Junos OS can display an initial login banner, a successful authentication banner, and a failed authentication banner when configuring pass-through authentication.

Apply Pass-Through Authentication as Policy Action


Enable pass-through and Web authentication using security policies. To be subject to firewall user authentication, traffic must align with the policy’s matching conditions and have an extended action of permit, specifying the type of firewall authentication to use. The graphic shows an example of applying pass-through firewall authentication to a security policy.

Web Authentication


The graphic illustrates the process used for Web firewall authentication. A user that requires access to a remote network resource must first access the Junos security platform directly using a Web browser. The device prompts the end user for a username and password. If authentication is successful, a configurable banner displays and the user gains permission to access the remote resource. The Junos OS allows subsequent traffic from the same source IP address until the user is idle for 10 minutes. At this point, authentication must be performed again for further traffic to pass through the device. The default idle timeout of 10 minutes is configurable as shown here:

[edit access profile profile-name]
user@host# set session-options client-idle-timeout ?
Possible completions:
  <client-idle-timeout>  Time in minutes of idleness after which access is denied

Enabling the HTTP Process


To use Web authentication, the SRX Series device must initiate the httpd process. The graphic highlights the required configuration to enable this system process for the device. The highlighted configuration allows HTTP access for Web management using the J-Web user interface and also allows for the use of Web authentication. You can also configure this feature to restrict access to an individual interface or a group of interfaces. The security zone containing the interface to be used for Web authentication (or for the J-Web user interface) must allow HTTP traffic as host inbound traffic.

Enabling Interface for Web Authentication


The interface that users access for Web authentication must be enabled for authentication. The graphic illustrates a sample configuration for enabling Web authentication on the ge-0/0/0 interface. We recommend using a secondary IP address as the Web authentication address. The Web authentication address must be in the same subnet as the primary interface address. Use the preferred configuration option to ensure that traffic sourced from this interface continues to use the primary address as its source address.

Creating an Access Profile


Web authentication can use the same profile as pass-through authentication. The example on the graphic shows the configuration of a user-defined profile name. One or more clients are configured within the profile representing end users. The client-name represents the username. The user enters the password in plain-text format but it displays in encrypted form when you view the configuration.

Associating the Access Profile with an Authentication Type


The access profile must associate with Web authentication using the same configuration structure as pass-through authentication. The graphic shows a basic example of this configuration. The Junos OS also allows you to set a customized banner that will display to the end user. Web authentication supports a customized banner for successful authentication only.

Applying Web Authentication as Policy Action


Pass-through and Web authentication are enabled using security policies. To be subject to firewall user authentication, traffic must align with the policy’s matching conditions and have an extended action of permit, specifying the type of firewall authentication to use. The graphic shows an example of applying Web firewall authentication to a security policy.


A Cleaner Method of Web Authentication


Directly accessing the device through a browser before gaining access to a remote resource is burdensome. To alleviate this burden, the Junos OS allows Web redirection. The graphic illustrates the configuration of Web redirection. With Web redirection enabled, the device responds to the user device with an HTTP redirect message, which tells the user device to use HTTP to access the Junos security platform at a particular address. The Junos OS uses the address of the interface on which the initial user request was received. You must enable Web authentication for this interface and for the system itself, just as you would for standard Web authentication.

Using Client Groups


A client group is a list of groups associated with a client. Client groups allow for easier management of multiple firewall users. Security policy references client groups in the same manner in which it references individual clients. The graphic shows a simple conceptual example of using client groups to manage multiple users. The next two graphics utilize this example for illustrating the configuration of client groups.

Adding Client Groups to a User


The graphic provides an example configuration of three users associated with various groups. A list of groups (contained in square brackets in the example configuration) represents a client group. Groups are not configured anywhere else, so using the Tab key for command completion helps ensure that you do not inadvertently create extra groups through a misspelled name.

Configuring a Policy to Use Client Groups


Once client groups have been organized, groups can be referenced in a security policy with firewall authentication. Groups can be used in place of individual clients. The graphic illustrates the use of a client group in a security policy. In this example, Group-A from the previous graphic is subject to pass-through authentication.


Which Users Have Telnet Access to the Engineering Resource?

In the referenced example configuration, firewall authentication is enabled and the security policy specifies only client group Group-A. Client group Group-A associates with user1 and user2. Therefore, user1 and user2 have access to the engineering remote network resource (if they authenticate successfully).

What if All Three Users Use the Same Source IP Address?

Firewall user authentication is based on the source IP address. As we discussed earlier in this material, once firewall authentication is successful, subsequent sessions from the same source IP address are not subject to further authentication within the idle timeout period. In this example, if user1 or user2 were to authenticate first, user3 would also be able to access the remote engineering resource.

Default Client Groups


The Junos OS allows the configuration of a default client group to serve as a catch-all for all users within an access profile. This setup allows ease of management by categorizing users in access profiles. If a user or client does not associate with a client group and a default client group exists, the user associates with the default client group. The client group can consist of one or more groups.

Adding Servers to the Access Profile


You configure external authentication server details within an access profile. The Junos OS supports only one external authentication server for access profiles, but you can use it in conjunction with the local password database. You must specify an authentication order if you plan to use an external server. The Junos security platform will try to authenticate with the first method listed. If the configuration does not list the password database in the authentication order and the listed method of external authentication is unreachable, the Junos OS still consults the local password database. However, if the listed external authentication method fails, the Junos OS does not consult the local password database, denying user access.
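The pieces described above (httpd, the Web authentication interface address, the access profile with client groups and a default client group, the authentication order, the profile-to-type association, and a policy using client-match and Web redirection) fit together as follows. This is an added example, not configuration from the study guide; the interface ge-0/0/0, the 10.10.10.0/24 and 10.0.0.5 addresses, the names FW-AUTH, Group-A/B/C and eng-server, and all secrets are placeholders.

```junos
# Added example, not from the study guide. Comment lines are for the reader only;
# strip them before pasting with "load set terminal".
# httpd is required for Web authentication (and J-Web); restrict it to the user-facing interface
set system services web-management http interface ge-0/0/0.0
# the preferred primary address keeps sourcing the device's own traffic;
# a secondary address in the same subnet answers Web authentication
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24 preferred
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.2/24 web-authentication http
# access profile: RADIUS is tried first; the local password database is consulted
# only if RADIUS is unreachable (a RADIUS reject denies the user outright)
set access profile FW-AUTH authentication-order [ radius password ]
set access profile FW-AUTH radius-server 10.0.0.5 secret "radius-shared-secret"
set access profile FW-AUTH client user1 firewall-user password "user1-secret"
set access profile FW-AUTH client user1 client-group [ Group-A Group-B ]
set access profile FW-AUTH client user2 firewall-user password "user2-secret"
set access profile FW-AUTH client user2 client-group [ Group-A ]
# user3 has no client-group, so it falls into the default client group Group-C
set access profile FW-AUTH client user3 firewall-user password "user3-secret"
set access profile FW-AUTH session-options client-group [ Group-C ]
set access profile FW-AUTH session-options client-idle-timeout 10
# associate the profile with both authentication types; Web authentication supports a success banner only
set access firewall-authentication pass-through default-profile FW-AUTH
set access firewall-authentication web-authentication default-profile FW-AUTH
set access firewall-authentication web-authentication banner success "Authenticated - you may now reach the remote resource"
# the zone must accept HTTP as host-inbound traffic on the Web authentication interface
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone untrust address-book address eng-server 192.168.50.10/32
# policy: only Group-A members (user1, user2) may pass after authenticating;
# HTTP users are redirected to the Web authentication page instead of the remote resource
set security policies from-zone trust to-zone untrust policy eng-access match source-address any
set security policies from-zone trust to-zone untrust policy eng-access match destination-address eng-server
set security policies from-zone trust to-zone untrust policy eng-access match application [ junos-telnet junos-http ]
set security policies from-zone trust to-zone untrust policy eng-access then permit firewall-authentication pass-through client-match Group-A
set security policies from-zone trust to-zone untrust policy eng-access then permit firewall-authentication pass-through web-redirect
```

Because the resulting authentication entry is keyed by source IP address, any host behind the same address (user3 in the text's example) passes the policy once user1 or user2 has authenticated, for as long as the idle timer has not expired.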

Viewing the Authentication Table


The example on the graphic illustrates how to view the current authentication table. This table contains a list of users and their associated access profiles. It shows the source IP address, source and destination security zones, the authentication result, and the current age of the idle timer. You can also sort the authentication table by source IP address or user ID by issuing the command with the address or identifier command options as shown in the following output:

user@host> show security firewall-authentication users ?
Possible completions:
  <[Enter]>            Execute this command
  address              Locate authentication entry by ip address
  identifier           Locate authentication entry by id

Viewing Authentication Table History


The graphic shows how to view a historical authentication table. This table keeps a record of firewall authentication attempts in brief form, including date and time stamps. This command also supports the use of the address and identifier command options.

Review Questions


Answers

1. The Junos OS supports RADIUS, LDAP, and SecurID external authentication servers.

2. In pass-through authentication, the user attempts to access the remote network resource directly, and the Junos security platform intercepts the session to perform firewall authentication, while buffering the session. The buffered session is released as long as authentication is successful. In Web authentication, the user must first access an IP address belonging to the Junos security device using a Web browser; the authentication is performed using this HTTP session. The user can then proceed to access the remote network resource as long as authentication is successful. FTP, Telnet, and HTTP traffic trigger pass-through authentication, while an HTTP session must trigger Web authentication.

3. A client group is a list of groups associated with a client. Groups can be used in security policies in place of individual clients for ease of management.

4. Use the show security firewall-authentication history command to view a history of firewall authentication attempts.


Chapter 5: SCREEN Options

This Chapter Discusses:

• SCREEN options and their meanings;

• Various types of attacks prevented by SCREEN options;

• SCREEN options advantages;

• Configuration of SCREEN options; and

• Applying and monitoring SCREEN options.

Networks Are Under Attack


Although basic network security issues have changed very little over the past decade, the network security landscape has changed dramatically. Today’s IT professionals must still protect the confidentiality of corporate information, prevent unauthorized access, and defend the network against attacks. They also face new challenges as their networks become more complex and dynamic. The following list examines some of these issues:

• Ubiquitous Internet access: The growing availability of Internet access has made every home, office, and business partner a potential entry point for an attack. The corporate network is vulnerable to attacks that hackers can deliberately launch and from remote users logging onto the corporate network and unknowingly hiding an attack within their sessions. The trend of working at home and using a work PC for personal use increases the possibility of dangerous and annoying attacks such as spyware, phishing, and spam.

• Internal attacks: While stopping external attacks remains a constant challenge, the attacks that originate from inside the network by employees are equally challenging. Internal attacks can range from unauthorized server or resource access to a disgruntled employee destroying or stealing proprietary information.

• Regulatory compliance: As new national and industry regulations emerge, security is a continual emphasis. Whether the requirement is to encrypt all data or simply to protect it from unauthorized access, complying with these new regulations complicates matters for you as a security administrator.

• Changing levels of trust: Remote employees, business partners, customers, and suppliers might have different levels of access to corporate resources. You must take appropriate measures to protect the corporate network at all these levels. While the number of applications to which remote users have access through the demilitarized zone (DMZ) increases, companies are simultaneously trying to reduce costs by minimizing the application instances between internal and external users. This approach makes it necessary for security policies to accommodate application use by both groups.

Points of Vulnerability Equal Points of Control


The key to striking a balance between tight network security and the network access required by employees, business partners, and customers is a layered security solution. A layered security solution gives you a complete set of tools you can deploy to achieve end-to-end security from the remote site to the data center. If one layer fails, the next layer stops the attack, limits the damage that might occur, or does both.

Layered security allows you to apply the appropriate level of resource protection to the various network entry locations based upon your different security, performance, and management requirements. The following are vulnerable points in the network:

• Remote access occurs when a user connects to the corporate network through a public or private connection. The key security goal to pursue with remote access is the protection of content and user identity as they traverse the network.

• Site-to-site communications, both employee and nonemployee, are the interactions between two offices of any type or any size. The site-to-site security layers must protect resources at both sites from external threats such as session hijacking, U-turn attacks, and Trojan or worm attacks launched from a trusted PC that has been compromised. Internal attacks are increasingly common and can include unauthorized server access, improper use of bandwidth, and planting of spyware.

• The network perimeter represents the point at which external traffic gains initial access to the network, as well as the point through which internal traffic traverses the Internet. With the diversity of traffic that the perimeter represents, the security solution must protect against the widest range of attacks using an assortment of security layers that can include a VPN, denial of service (DoS) protection, a firewall, antivirus scanning, an intrusion detection service (IDS), and possibly antispam scanning.

• At the heart of an enterprise is the network data center (or network core) where the applications and data that drive day-to-day business reside. Financial, human resources, and manufacturing applications with supporting data represent the company crown jewels and, if compromised, can sink even the most stable enterprise. The core network security layers must protect these business-critical resources by preventing unauthorized user access, containing internal attacks launched by disgruntled employees, and protecting against application-level attacks.

In conjunction with applying layered security to the network core, IT departments are increasingly deploying security internally on LANs to prevent unauthorized user access to network resources, to encrypt and decrypt communications, and to contain damage that might occur if an attack succeeds.

Attack Detection System: SCREEN Options

The most obvious element of the Junos operating system for security platforms is basic access control using security policies. These policies define who and what has access to the network. The Junos OS uses stateful inspection to protect the network from malicious content. With stateful inspection, Junos security platforms collect data such as source and destination IP addresses, source and destination port numbers, and packet sequence numbers from TCP and UDP pseudosessions. The device then maintains this data in state tables for future use in analyzing traffic.

Through the deployment of custom security zones, you can use the Junos OS not only to protect the perimeter of your network, but also to provide segmentation of your internal infrastructure. Used internally, SRX Series Services Gateways provide additional layers of access control to protect against the organization's sprawling definition of authorized user.

Using SCREEN options, Junos security platforms can protect against more than 30 different internal and external attacks, including SYN flood attacks, UDP flood attacks, and port scan attacks. DoS attack protection leverages stateful inspection to look for and then allow or deny all connection attempts that require crossing an interface on their way to and from the intended destination.

When applied, SCREEN options pertain to traffic at its entry point. The Junos OS applies SCREEN checks to traffic prior to the security policy processing, thereby resulting in less resource utilization.


Review: Packet Flow


Before discussing SCREEN options, we revisit packet flow through a Junos security platform. Note that SCREEN processing occurs before any packet processing, which results in fewer resources used and better protection of the Junos security platform itself.

Stages of an Attack

To understand SCREEN option configuration, we must first discuss the stages of network attacks and the types of network attacks. A network attack consists of three major stages. In the first stage, the attacker performs reconnaissance on the target network. This reconnaissance might consist of many different kinds of network probes. In this information-gathering phase, the attacker works to gather information about the target network, any open ports, and the operating systems in use.

In the second stage, the attacker launches an attack at the target network. To protect themselves, attackers must also conceal the origin point of the attack and attempt to remove any evidence that an attack took place.

Depending on the type of attack, a third phase can occur. After infiltrating a trusted machine, the attacker can use that machine as a point of origin for further invasion of the network. Traffic now appears to originate from the trusted system, which might not be subject to the same security scans as an outside system.


IP Address Sweep

Attackers can better plan their attack when they first know the layout of the targeted network, possible entry points, and constitution of their victims.

An address sweep occurs when one source IP address sends Internet Control Message Protocol (ICMP) packets to different hosts. The purpose of this scheme is to send traffic to various hosts in hope that one replies, thus revealing an address to target.

Port Scanning

A port scan occurs when one source IP address sends IP packets containing TCP SYN segments to different ports at the same destination IP address. The purpose of this scheme is to scan services in hope that one port will respond, thus identifying a service to target.

IP Options


RFC 791, “Internet Protocol,” specifies a set of options to provide special routing controls, diagnostic tools, and security. RFC 791 states that these options are “unnecessary for the most common communications” and, in reality, they rarely appear in IP packet headers. When they do appear, they are frequently being put to illegitimate use.

OS Probes

An attacker might try to probe the targeted host to learn its operating system. Because TCP standards do not dictate how to respond to anomalous traffic, different operating systems respond differently to anomalies. The response to the anomaly gives the attacker information about the type of operating system running on a given host.

Evasion Techniques

Whether gathering information or launching an attack, the attacker generally tries to avoid detection. Although some IP address and port scans are blatant and easily detectable, more advanced attackers use a variety of means to conceal their activity.

Forms of Denial of Service Attacks


The intent of a DoS attack is to overwhelm the targeted victim with a tremendous amount of fake traffic so that the victim becomes so preoccupied processing fake traffic that it is unable to process legitimate traffic. In the case of a router or firewall device, the goal of a DoS attack is to fill up the device session table so that no new sessions can be established. An attacker can also launch a network DoS or a DoS targeting various operating systems.

This material explains each of the attacks and the ability of the Junos OS to handle these attacks.


Types of Attacks: Suspicious Packets


Attackers can craft packets to perform reconnaissance or launch DoS attacks. Sometimes the intent of a crafted packet is unclear, but its crafted nature suggests that it is being put to an insidious use.

SCREEN Options—Best Practices


Prior to analyzing Junos SCREEN options in detail, we discuss best practice suggestions for SCREEN option use.

You should understand the applications and their behavior within your network before you begin implementing features that might have an impact on legitimate traffic. Furthermore, you must understand the traffic patterns traversing your network. To determine appropriate thresholds for limit-based SCREEN functions, you must first know what is typical of your network. For example, if you want to enable SYN flood protection, you must first determine what constitutes an acceptable number of connection requests. This determination requires a period of observation and analysis to establish a baseline for typical traffic flows. You must also consider the maximum number of concurrent sessions required to fill up the session table of the particular Junos security platform you are using. To see the maximum number of sessions that your session table supports, use the CLI command show security flow session summary. Remember the output of this command reports statistics for each Services Processing Unit (SPU) separately.

You can use the alarm-without-drop statement, as illustrated on the graphic, to gather the traffic going to and through your Junos security platform. The gathered information might help you to better understand your network’s vulnerabilities. Typically, you want to deploy SCREEN options only in vulnerable zones.

IP Address Sweep and TCP Port Scan: The Attack

An address sweep occurs when one source IP address sends a predefined number of ICMP packets to various hosts within a predefined interval of time. The purpose of this attack is to send ICMP packets, which are typically echo requests, to various hosts, hoping that at least one host replies. Once attackers receive a reply, they uncover an address, which becomes a target.

Port scanning occurs when one source IP address sends IP packets containing TCP SYN segments to a predefined number of different ports at the same destination IP address within a predefined time interval. This attack attempts to scan the available services hoping that at least one port responds, thereby identifying an attack target.

IP Address Sweep and TCP Port Scan: The Defense

The Junos OS internally logs the number of ICMP echo request packets from one remote source. You can set up a threshold interval, ranging from 1,000 to 1,000,000, measured in microseconds for those ICMP packets. The default threshold value is 5000. By using the default settings, if a remote host sends ICMP echo request traffic to 10 addresses in 0.005 seconds (5000 microseconds), the Junos security platform flags that remote host as an address sweep attacker. The flagging process results in the denial of all further ICMP echo requests from that host for the remainder of the configured threshold time period.

For TCP port scanning protection, the Junos OS internally logs the number of different ports scanned from one remote source. The configured threshold value is in microseconds, ranging from 1,000 to 1,000,000. The default threshold value is 5000 microseconds. The Junos OS flags the traffic as an attack when 10 ports are scanned within the threshold value. Once port scanning detection triggers, the Junos OS silently drops all further packets from the remote source for the remainder of the configured threshold time period.

IP Address Sweep and Port Scanning—SCREEN Options


The graphic illustrates an IP address sweep or port scanning attack. During an IP address sweep attack, the attacker, using one source IP address, sends ICMP packets to different hosts in hopes that at least one host replies, thereby uncovering an address to target.

During a port scanning attack, the attacker, using one source IP address, sends IP packets containing TCP SYN segments to a defined number of different ports at the same destination IP address within a defined interval. The attacker hopes that at least one port responds, thereby uncovering a service to target.

To block IP address sweeps or TCP port scans originating in a particular security zone, you must perform the configuration illustrated on the graphic. Note that this configuration only defines the SCREEN option—it does not activate it. To activate the SCREEN option, you must apply it within a security zone. We address this topic later in the material.

IP Options: The Attack

RFC 791 specifies a set of options within an IP packet, providing special routing controls, diagnostic tools, and security. Within an IP packet header, these options come after the destination address field. Although the original intent for these options was to enhance network functionality, most common communications do not require them. As the Internet expanded and continues to expand, attackers have started abusing the options field of a packet, causing problems to networks and network devices. An attacker can abuse the record route, timestamp, security, and stream ID fields.


IP Options: The Defense

To compensate for the vulnerability that these IP options fields create, the Junos OS tracks packets that have any of these option fields used, flags them as a network reconnaissance attack, and records the event. You can view the events in the SCREEN counters list for the ingress interface.

IP Options—SCREEN Options


The graphic illustrates an IP packet header, highlighting the options field. An attacker can misuse bits within the options field to cause problems with networks. You can define SCREEN options to detect the IP options that an attacker can use. These IP options fields include record route, timestamp, security, and stream ID. The Junos OS flags an event in which a device configured with the appropriate SCREEN options receives a packet with any of these IP options. The Junos OS marks the event as a network reconnaissance attack and records the associated ingress interface.

The graphic illustrates the syntax for this SCREEN option definition. You can configure each of the options independently. Note that this configuration only defines the SCREEN options—it does not activate them. To activate the SCREEN options, you must apply them within a security zone. We address this topic later in the material.

Operating System Probes: The Attack

Prior to launching an exploit, an attacker might probe the targeted host, trying to learn its operating system. Various operating systems react to TCP anomalies in different ways. With that knowledge, an attacker can decide which further attack might inflict more damage to the device, the network, or both.

Operating System Probes: The Defense

The Junos OS configured with the appropriate SCREEN options blocks operating system probes by detecting any of the following invalid TCP flag settings:

• Both SYN and FIN flags set;

• FIN flag set and ACK flag not set; or

• No flags set.

TCP traffic matching any of these criteria is immediately, and silently, dropped.

Operating System Probes—SCREEN Options


The graphic illustrates the TCP header, highlighting the SYN and FIN flags, which an attacker might use to launch the attack. The graphic also illustrates the configuration of SCREEN options designed to block these probes. You configure each statement independently as follows:

• To detect the condition when both SYN and FIN flags are set, use the syn-fin configuration option;

• To detect the condition when the FIN flag is set and the ACK flag is not set, use the fin-no-ack configuration option; and

• To detect the condition when no flags are set, use the tcp-no-flag configuration option.

Note that this configuration only defines the SCREEN options—it does not activate them. To activate the SCREEN options, you must apply them within a security zone. We address this topic later.

IP Spoofing: The Attack

IP address spoofing is one of the earliest and most well known attacks. An attacker simply inserts a fake source address into the packet header source address field in an attempt to make the packet appear as if it is coming from a trusted source.

IP Spoofing: The Defense

The Junos OS provides IP address spoofing detection with the help of forwarding table entries. The Junos OS compares the source IP address of an incoming packet with the closest prefix match found in its forwarding table. If the interface associated with that prefix is different from the ingress interface of the packet, the software concludes that the packet has a spoofed source IP address and discards it. Once it detects IP spoofing, the Junos OS silently drops all spoofed packets.


IP Spoofing Detection—SCREEN Option


The graphic illustrates an IP spoofing attack in which the attacker uses an IP address belonging to the range of IP addresses within the private zone. The Junos OS compares the source IP address 168.10.10.1 of the incoming packet with the closest match prefix found in its forwarding table, which is 168.10.10/24. It then detects that the interface associated with prefix 168.10.10/24 is different from the ingress interface of the packet, which is ge-1/0/0. The software concludes that the packet has a spoofed source IP address and discards it.

To set up the Junos IP spoofing SCREEN option, you must perform the configuration shown on the graphic. Note that this configuration only defines the SCREEN option—it does not activate it. To activate the SCREEN option, you must apply it within a security zone. We address this topic later.
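The SCREEN definitions covered so far (address sweep, port scan, IP options, OS probe flag checks and IP spoofing) can live in one ids-option profile, which does nothing until a zone references it. This is an added example, not configuration from the study guide; the profile name untrust-screen and the zone name untrust are placeholders, and the thresholds are the defaults the text cites.

```junos
# Added example, not from the study guide. Comment lines are for the reader only;
# strip them before pasting with "load set terminal".
# observation mode while baselining: count and log matches without dropping traffic
set security screen ids-option untrust-screen alarm-without-drop
# 10 destination hosts (ICMP) or 10 destination ports (TCP SYN) from one source
# within the threshold interval, in microseconds (5000 is the default)
set security screen ids-option untrust-screen icmp ip-sweep threshold 5000
set security screen ids-option untrust-screen tcp port-scan threshold 5000
# IP header options that rarely appear in legitimate traffic
set security screen ids-option untrust-screen ip record-route-option
set security screen ids-option untrust-screen ip timestamp-option
set security screen ids-option untrust-screen ip security-option
set security screen ids-option untrust-screen ip stream-option
# invalid TCP flag combinations used for operating system probes
set security screen ids-option untrust-screen tcp syn-fin
set security screen ids-option untrust-screen tcp fin-no-ack
set security screen ids-option untrust-screen tcp tcp-no-flag
# source address checked against the forwarding table: wrong ingress interface means spoofed
set security screen ids-option untrust-screen ip spoofing
# defining the ids-option alone does not activate it; binding it to a zone does
set security zones security-zone untrust screen untrust-screen
```

After traffic has crossed the zone, show security screen statistics zone untrust lists the per-check counters; once the thresholds match the baseline you observed, delete alarm-without-drop so the checks actually drop offending packets.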

IP Source Router Options: The Attack

Source routing allows users to specify the packet’s desired path when traversing a network. This feature provides additional aid to users during network troubleshooting.