Log In
Or create an account ->
Imperial Library
Home
About
News
Upload
Forum
Help
Login/SignUp
Index
Junos Security
A Note Regarding Supplemental Files
Foreword
Preface
This Book’s Assumptions About You
What’s In This Book?
Juniper Networks Technical Certification Program (JNTCP)
Topology for This Book
Conventions Used in This Book
Using Code Examples
We’d Like to Hear from You/How to Contact Us/Comments and Questions
Safari® Books Online
About the Tech Reviewers
Acknowledgments
From Rob Cameron
From Tim Eberhard
From Patricio Giecco
From Glen Gibson
From James Quinn
From Brad Woodberg
1. Introduction to the SRX
Evolving into the SRX
ScreenOS to Junos
Inherited ScreenOS features
Device management
The SRX Series Platform
Built for Services
Deployment Solutions
Small Branch
Medium Branch
Large Branch
Data Center
Data Center Edge
Data Center Services Tier
Service Provider
Mobile Carriers
Cloud Networks
The Junos Enterprise Services Reference Network
SRX Series Product Lines
Branch SRX Series
Branch-Specific Features
SRX100
SRX200
Interface modules for the SRX200 line
SRX600
Interface modules for the SRX600 line
AX411
CX111
Branch SRX Series Hardware Overview
Licensing
Branch Summary
Data Center SRX Series
Data Center SRX-Specific Features
SPC
NPU
Data Center SRX Series Session Setup
Data Center SRX Series Hardware Overview
SRX3000
IOC modules
SRX5000
IOC modules
Summary
Chapter Review Questions
Chapter Review Answers
2. What Makes Junos So Special?
OS Basics
FreeBSD
Process Separation
Development Model
Adding New Features
Data Plane
Junos Is Junos Except When It’s Junos
Coming from Other Products
ScreenOS
IOS and PIX OS
Check Point
Summary
Chapter Review Questions
Chapter Review Answers
3. Hands-On Junos
Introduction
Driving the Command Line
Operational Mode
Variable Length Output
Passing Through the Pipe
Seeking Immediate Help
Configuration Mode
Commit Model
Restarting Processes
Junos Automation
Junos Configuration Essentials
System Settings
Interfaces
Switching (Branch)
Zones
Summary
Chapter Review Questions
Chapter Review Answers
4. Security Policy
Security Policy Overview
SRX Policy Processing
Viewing SRX Policy Tables
Viewing Policy Statistics
Viewing Session Flows
Policy Structure
Security Zones
Service Configuration
Blocking Unwanted Traffic
Policy Logging
Troubleshooting Security Policy and Traffic Flows
Troubleshooting Sample
Troubleshooting Output
Turning Off Traceoptions
Application Layer Gateway Services
How to Configure an ALG
Policy Schedulers
One-Time Schedulers
Web and Proxy Authentication
Web Authentication
Pass-Through Authentication
Case Study 4-1
Case Study 4-2
Converters and Scripts
Summary
Chapter Review Questions
Chapter Review Answers
5. Network Address Translation
How the SRX Processes NAT
Source NAT
Interface NAT
Implementing a source NAT rule-set
Viewing interface NAT in the session table
Viewing traffic flow logs for interface NAT
Operational commands for interface NAT
Tracing interface NAT flows
Address Pools
Implementing a source NAT address pool
Viewing pool NAT in the session table
Viewing traffic flow logs for pool NAT
Operational commands for pool NAT
Tracing pool NAT flows
Removing PAT
Implementing source NAT without PAT
Viewing source NAT without PAT
Proxy ARP
Implementing proxy ARP
Viewing proxy ARP in action
Persistent NAT
Implementing persistent NAT
Viewing persistent NAT in action
Case Study 5-1: ISP Redundancy via PAT
Implementing redundant ISP PAT
Conclusion
Destination NAT
Implementing Destination NAT
Viewing Destination NAT
Tracing Destination NAT Flows
Case Study 5-2: Virtual IP NAT
Implementing VIP NAT
Static NAT
Case Study 5-3: Double NAT
Summary
Chapter Review Questions
Chapter Review Answers
6. IPsec VPN
VPN Architecture Overview
Site-to-Site IPsec VPNs
Hub and Spoke IPsec VPNs
Full Mesh VPNs
Multipoint VPNs
Remote Access VPNs
IPsec VPN Concepts Overview
IPsec Encryption Algorithms
IPsec Authentication Algorithms
IKE Version 1 Overview
IKE Phase 1
IKE Phase 2
IPSec VPN Protocol
IPsec VPN Mode
IPsec Manual Keys
Phase 1 IKE Negotiations
IKE Authentication
Preshared key authentication
Certificate authentication
IKE Identities
Phase 1 IKE Negotiation Modes
Main mode
Aggressive mode
Phase 2 IKE Negotiations
Perfect Forward Secrecy
Quick Mode
Proxy ID Negotiation
Flow Processing and IPsec VPNs
SRX VPN Types
Policy-Based VPNs
Route-Based VPNs
Numbered versus unnumbered st0 interfaces
Point-to-point versus point-to-multipoint VPNs
Special point-to-multipoint attributes
Point-to-multipoint NHTB
Other SRX VPN Components
Dead Peer Detection
VPN Monitoring
XAuth
NAT Traversal
Anti-Replay Protection
Fragmentation
Differentiated Services Code Point
IKE Key Lifetimes
Network Time Protocol
Certificate Validation
Simple Certificate Enrollment Protocol
Group VPN
Dynamic VPN
Selecting the Appropriate VPN Configuration
IPsec VPN Configuration
Configuring NTP
Certificate Preconfiguration Tasks
Phase 1 IKE Configuration
Configuring Phase 1 proposals
Configuration for Remote-Office1 proposal with preshared keys
Configuration for Remote-Office1 proposal with certificates
Configuring Phase 1 policies
Configuring Phase 1 IKE policy with preshared key, Main mode
Configuring Phase 1 IKE policy with preshared key, Aggressive mode
Configuring Phase 1 IKE policy with certificates
Configuring Phase 1 gateways
Configuring an IKE gateway with static IP address and DPD
Configuring dynamic gateways and remote access clients
Configuring an IKE gateway with a dynamic IP address
Configuring an IKE remote access client
Phase 2 IKE Configuration
Configuring Phase 2 proposals
Configuring a Phase 2 proposal for remote offices and client connections
Configuring Phase 2 IPsec policy
Configuring an IPsec policy defining the Phase 2 proposal
Configuring common IPsec VPN components
Configuring a common site-to-site VPN component
Configuring policy-based VPNs
Configuring a policy-based VPN for the East Branch to the Central site VPN
Configuring route-based VPNs
Configuring Manual Key IPsec VPNs
Configuring a manual key IPsec VPN
Dynamic VPN
VPN Verification and Troubleshooting
Useful VPN Commands
show security ike security-associations
show security ipsec security-associations
show security ipsec statistics
VPN Tracing and Debugging
VPN troubleshooting process
Configuring and analyzing VPN tracing
Troubleshooting a site-to-site VPN
Troubleshooting a remote access VPN
Case Studies
Case Study 6-1: Site-to-Site VPN
Case Study 6-2: Remote Access VPN
Summary
Chapter Review Questions
Chapter Review Answers
7. High-Performance Attack Mitigation
Network Protection Tools Overview
Firewall Filters
Screens
Security Policy
IPS and AppDoS
Protecting Against Network Reconnaissance
Firewall Filtering
Screening
Port Scan Screening
Summary
Protecting Against Basic IP Attacks
Basic IP Protections
Basic ICMP Protections
Basic TCP Protections
Basic Denial-of-Service Screens
Advanced Denial-of-Service and Distributed Denial-of-Service Protection
ICMP Floods
UDP Floods
SYN/TCP Floods
SYN Cookies
SYN-ACK-ACK Proxies
Session Limitation
AppDoS
Application Protection
SIP
MGCP
SCCP
Protecting the SRX
Summary
Chapter Review Questions
Chapter Review Answers
8. Intrusion Prevention
The Need for IPS
How Does IPS Work?
Licensing
IPS and antivirus
What is the difference between full IPS and deep inspection/IPS lite?
Is it IDP or IPS?
False positives and false negatives in IPS
Management IPS functionality on the SRX
Stages of a system compromise
IPS Packet Processing on the SRX
Packet processing path
Direction-specific detection
SRX IPS modes
SRX deployment options
Attack Object Types
Application contexts
Predefined attack objects and groups
Custom attack objects and groups
Severities
Signature performance impacts
IPS Policy Components
Rulebases
Match criteria
Then actions
IPS actions
Notification actions
Packet logging
IP actions
Targets and timeouts
Terminate Match
Security Packages
Attack database
Attack object updates versus full updates
Application objects
Detector engines
Policy templates
Scheduling updates
Sensor Attributes
Logging sensor attributes
Application identification attributes
Flow attributes
Reassembler attributes
IPS attributes
Global attributes
Detector attributes
SSL inspection attributes
SSL Inspection
SSL decryption/inspection overview
Alternatives to SSL decryption and inspection
AppDDoS Protection
AppDDoS profiles
Custom Attack Groups and Objects
Static attack groups
Dynamic attack groups
Custom attack objects
Configuring IPS Features on the SRX
Getting Started with IPS on the SRX
Getting started example
Configuring automatic updates
Useful IPS files
Configuring static and dynamic attack groups
Creating a custom attack object
Creating, activating, and referencing IPS
Exempt rulebase
AppDDoS protection
SSL decryption
Configuring IPS modes
Deploying and Tuning IPS
First Steps to Deploying IPS
Building the Policy
Testing Your Policy
Actual Deployment
Day-to-Day IPS Management
Troubleshooting IPS
Checking IPS Status
Checking Security Package Version
IPS Attack Table
Application Statistics
IPS Counters
IP Action Table
AppDDoS Useful Commands
Troubleshooting the Commit/Compilation Process
Case Study 8-1
Summary
Chapter Review Questions
Chapter Review Answers
9. Unified Threat Management
What Is UTM?
Application Proxy
Web Filtering
Configuring web filtering using SurfControl
Configuring web filtering using Websense redirect
Creating custom category lists
Using local classification only
Antivirus
Kaspersky full antivirus
Juniper Express antivirus
Sophos in-the-cloud antivirus
Antivirus trickling
Whitelists
Notifications
Viewing the UTM Logs
Controlling What to Do When Things Go Wrong
Content Filtering
Filtering FTP traffic
Filtering HTTP traffic
Antispam
UTM Monitoring
Licensing
Tracing UTM Sessions
Case Study 9-1: Small Branch Office
Security Policies
UTM Policies and Profiles
Summary
Chapter Review Questions
Chapter Review Answers
10. High Availability
Understanding High Availability in the SRX
Chassis Cluster
The Control Plane
The Data Plane
Junos High Availability Concepts
Cluster ID
Node ID
Redundancy groups
Interfaces
Deployment Concepts
Active/passive
Active/active
Mixed mode
Six pack
Configuration
Differences from Standalone
Activating JSRPD (Juniper Services Redundancy Protocol)
Managing Cluster Members
Configuring the Control Ports
Configuring the Fabric Links
Node-Specific Information
Configuring Heartbeat Timers
Redundancy Groups
Configuring Interfaces
Integrating Dynamic Routing
Upgrading the Cluster
Fault Monitoring
Interface Monitoring
IP Monitoring
Manual Failover
Hardware Monitoring
Route engine
Switch control board
Switch fabric board
Services Processing Card
Network Processing Card
Interface card
Control link
Data link
Control link and data link failure
Power supplies
Software Monitoring
Preserving the Control Plane
Using Junos Automation
Troubleshooting the Cluster
First Steps
Checking Interfaces
Verifying the Data Plane
Core Dumps
The Dreaded Priority Zero
When All Else Fails
Summary
Chapter Review Questions
Chapter Review Answers
11. Routing
How the SRX “Routes” IP Packets
Forwarding Tables
IP Routing
Asymmetric Routing
Address Resolution Protocol (ARP)
Static Routing
Creating a Static Route
Verifying a Static Route
Dynamic Routing
Configuring OSPF Routing
Troubleshooting OSPF adjacencies
OSPF security zone configuration
Case Study 11-1: Securing OSPF Adjacencies
Case Study 11-2: Redundant Paths and Routing Metrics
Growing OSPF Networks
IS-IS
Configuring IS-IS
Verifying IS-IS
Configuring BFD
Configuring RIP
Verifying RIP
Routing Policy
Case Study 11-3: Equal Cost Multipath (ECMP)
Internet Peering
Configuring BGP Peerings
BGP Routing Tables
Case Study 11-4: Internet Redundancy
Routing Instances
Configuring Routing Instances
Filter-Based Forwarding
Configuring Filter-Based Forwarding
Case Study 11-5: Dynamic Traffic Engineering
Summary
Chapter Review Questions
Chapter Review Answers
12. Transparent Mode
Transparent Mode Overview
Why Use Transparent Mode?
Segmenting a Layer 2 domain
Complex routing environments
Separation of duties
Existing transparent mode infrastructure
MAC Address Learning
Transparent Mode and Bridge Loops, Spanning Tree Protocol
Transparent Mode Limitations
Transparent Mode Components
Interfaces, family bridge, and bridge domains in transparent mode
Interface Modes in Transparent Mode
Bridge Domains
IRB Interfaces
Transparent Mode Zones
Transparent Mode Security Policy
Transparent Mode Specific Options
QoS in Transparent Mode
VLAN Rewriting
High Availability with Transparent Mode
Spanning Tree Protocol in transparent mode Layer 2 deployments
Transparent Mode Flow Process
Slow-path packet SPU packet processing
Fast-path SPU processing
Session teardown
Configuring Transparent Mode
Configuring Transparent Mode Basics
Configuring Integrated Routing and Bridging
Configuring Transparent Mode Security Zones
Configuring Transparent Mode Security Policies
Configuring Bridging Options
Configuring Transparent Mode QoS
Configuring VLAN Rewriting
Transparent Mode Commands and Troubleshooting
The show bridge domain Command
The show bridge mac-table Command
The show l2-learning global-information Command
The show l2-learning global-mac-count Command
The show l2-learning interface Command
Transparent Mode Troubleshooting Steps
Case Study 12-1
Summary
Chapter Review Questions
Chapter Review Answers
13. SRX Management
The Management Infrastructure
Operational Mode
Configuration Mode
J-Web
NSM and Junos Space
NETCONF
Scripting and Automation
Commit Scripts
Hello World, commit script edition
Adding and enabling commit scripts
Special tags for MGD
Using a script to enforce some condition
Missing security zone binding
Creating a Configuration Template
Transient versus persistent changes
Configuration templates part II
Operational Scripts
Event Scripts
Keeping Your Scripts Up-to-Date
Case Studies
Case Study 13-1: Displaying the Interface and Zone Information
Case Study 13-2: Zone Groups
Case Study 13-3: Showing the Security Policies in a Compact Format
Case Study 13-4: Track-IP Functionality to Trigger a Cluster Failover
Case Study 13-5: Track-IP Using RPM Probes
Case Study 13-6: Top Talkers
Case Study 13-7: Destination NAT on Interfaces with Dynamic IP Addresses
Case Study 13-8: High-End SRX Monitor
Summary
Chapter Review Questions
Chapter Review Answers
Index
About the Authors
Colophon
Copyright
← Prev
Back
Next →
← Prev
Back
Next →