Index
Junos Security

A Note Regarding Supplemental Files
Foreword
Preface
This Book’s Assumptions About You
What’s In This Book?
Juniper Networks Technical Certification Program (JNTCP)
Topology for This Book
Conventions Used in This Book
Using Code Examples
We’d Like to Hear from You/How to Contact Us/Comments and Questions
Safari® Books Online
About the Tech Reviewers
Acknowledgments
From Rob Cameron
From Tim Eberhard
From Patricio Giecco
From Glen Gibson
From James Quinn
From Brad Woodberg

1. Introduction to the SRX
Evolving into the SRX
ScreenOS to Junos
Inherited ScreenOS features
Device management
The SRX Series Platform
Built for Services
Deployment Solutions
Small Branch
Medium Branch
Large Branch
Data Center
Data Center Edge
Data Center Services Tier
Service Provider
Mobile Carriers
Cloud Networks
The Junos Enterprise Services Reference Network
SRX Series Product Lines
Branch SRX Series
Branch-Specific Features
SRX100
SRX200
Interface modules for the SRX200 line
SRX600
Interface modules for the SRX600 line
AX411
CX111
Branch SRX Series Hardware Overview
Licensing
Branch Summary
Data Center SRX Series
Data Center SRX-Specific Features
SPC
NPU
Data Center SRX Series Session Setup
Data Center SRX Series Hardware Overview
SRX3000
IOC modules
SRX5000
IOC modules
Summary
Chapter Review Questions
Chapter Review Answers

2. What Makes Junos So Special?
OS Basics
FreeBSD
Process Separation
Development Model
Adding New Features
Data Plane
Junos Is Junos Except When It’s Junos
Coming from Other Products
ScreenOS
IOS and PIX OS
Check Point
Summary
Chapter Review Questions
Chapter Review Answers

3. Hands-On Junos
Introduction
Driving the Command Line
Operational Mode
Variable Length Output
Passing Through the Pipe
Seeking Immediate Help
Configuration Mode
Commit Model
Restarting Processes
Junos Automation
Junos Configuration Essentials
System Settings
Interfaces
Switching (Branch)
Zones
Summary
Chapter Review Questions
Chapter Review Answers

4. Security Policy
Security Policy Overview
SRX Policy Processing
Viewing SRX Policy Tables
Viewing Policy Statistics
Viewing Session Flows
Policy Structure
Security Zones
Service Configuration
Blocking Unwanted Traffic
Policy Logging
Troubleshooting Security Policy and Traffic Flows
Troubleshooting
Sample Troubleshooting Output
Turning Off Traceoptions
Application Layer Gateway Services
How to Configure an ALG
Policy Schedulers
One-Time Schedulers
Web and Proxy Authentication
Web Authentication
Pass-Through Authentication
Case Study 4-1
Case Study 4-2
Converters and Scripts
Summary
Chapter Review Questions
Chapter Review Answers

5. Network Address Translation
How the SRX Processes NAT
Source NAT
Interface NAT
Implementing a source NAT rule-set
Viewing interface NAT in the session table
Viewing traffic flow logs for interface NAT
Operational commands for interface NAT
Tracing interface NAT flows
Address Pools
Implementing a source NAT address pool
Viewing pool NAT in the session table
Viewing traffic flow logs for pool NAT
Operational commands for pool NAT
Tracing pool NAT flows
Removing PAT
Implementing source NAT without PAT
Viewing source NAT without PAT
Proxy ARP
Implementing proxy ARP
Viewing proxy ARP in action
Persistent NAT
Implementing persistent NAT
Viewing persistent NAT in action
Case Study 5-1: ISP Redundancy via PAT
Implementing redundant ISP PAT
Conclusion
Destination NAT
Implementing Destination NAT
Viewing Destination NAT
Tracing Destination NAT Flows
Case Study 5-2: Virtual IP NAT
Implementing VIP NAT
Static NAT
Case Study 5-3: Double NAT
Summary
Chapter Review Questions
Chapter Review Answers

6. IPsec VPN
VPN Architecture Overview
Site-to-Site IPsec VPNs
Hub and Spoke IPsec VPNs
Full Mesh VPNs
Multipoint VPNs
Remote Access VPNs
IPsec VPN Concepts Overview
IPsec Encryption Algorithms
IPsec Authentication Algorithms
IKE Version 1 Overview
IKE Phase 1
IKE Phase 2
IPsec VPN Protocol
IPsec VPN Mode
IPsec Manual Keys
Phase 1 IKE Negotiations
IKE Authentication
Preshared key authentication
Certificate authentication
IKE Identities
Phase 1 IKE Negotiation Modes
Main mode
Aggressive mode
Phase 2 IKE Negotiations
Perfect Forward Secrecy
Quick Mode
Proxy ID Negotiation
Flow Processing and IPsec VPNs
SRX VPN Types
Policy-Based VPNs
Route-Based VPNs
Numbered versus unnumbered st0 interfaces
Point-to-point versus point-to-multipoint VPNs
Special point-to-multipoint attributes
Point-to-multipoint NHTB
Other SRX VPN Components
Dead Peer Detection
VPN Monitoring
XAuth
NAT Traversal
Anti-Replay Protection
Fragmentation
Differentiated Services Code Point
IKE Key Lifetimes
Network Time Protocol
Certificate Validation
Simple Certificate Enrollment Protocol
Group VPN
Dynamic VPN
Selecting the Appropriate VPN Configuration
IPsec VPN Configuration
Configuring NTP
Certificate Preconfiguration Tasks
Phase 1 IKE Configuration
Configuring Phase 1 proposals
Configuration for Remote-Office1 proposal with preshared keys
Configuration for Remote-Office1 proposal with certificates
Configuring Phase 1 policies
Configuring Phase 1 IKE policy with preshared key, Main mode
Configuring Phase 1 IKE policy with preshared key, Aggressive mode
Configuring Phase 1 IKE policy with certificates
Configuring Phase 1 gateways
Configuring an IKE gateway with static IP address and DPD
Configuring dynamic gateways and remote access clients
Configuring an IKE gateway with a dynamic IP address
Configuring an IKE remote access client
Phase 2 IKE Configuration
Configuring Phase 2 proposals
Configuring a Phase 2 proposal for remote offices and client connections
Configuring Phase 2 IPsec policy
Configuring an IPsec policy defining the Phase 2 proposal
Configuring common IPsec VPN components
Configuring a common site-to-site VPN component
Configuring policy-based VPNs
Configuring a policy-based VPN for the East Branch to the Central site VPN
Configuring route-based VPNs
Configuring Manual Key IPsec VPNs
Configuring a manual key IPsec VPN
Dynamic VPN
VPN Verification and Troubleshooting
Useful VPN Commands
show security ike security-associations
show security ipsec security-associations
show security ipsec statistics
VPN Tracing and Debugging
VPN troubleshooting process
Configuring and analyzing VPN tracing
Troubleshooting a site-to-site VPN
Troubleshooting a remote access VPN
Case Studies
Case Study 6-1: Site-to-Site VPN
Case Study 6-2: Remote Access VPN
Summary
Chapter Review Questions
Chapter Review Answers

7. High-Performance Attack Mitigation
Network Protection Tools Overview
Firewall Filters
Screens
Security Policy
IPS and AppDoS
Protecting Against Network Reconnaissance
Firewall Filtering
Screening
Port Scan Screening
Summary
Protecting Against Basic IP Attacks
Basic IP Protections
Basic ICMP Protections
Basic TCP Protections
Basic Denial-of-Service Screens
Advanced Denial-of-Service and Distributed Denial-of-Service Protection
ICMP Floods
UDP Floods
SYN/TCP Floods
SYN Cookies
SYN-ACK-ACK Proxies
Session Limitation
AppDoS
Application Protection
SIP
MGCP
SCCP
Protecting the SRX
Summary
Chapter Review Questions
Chapter Review Answers

8. Intrusion Prevention
The Need for IPS
How Does IPS Work?
Licensing
IPS and antivirus
What is the difference between full IPS and deep inspection/IPS lite?
Is it IDP or IPS?
False positives and false negatives in IPS
Management IPS functionality on the SRX
Stages of a system compromise
IPS Packet Processing on the SRX
Packet processing path
Direction-specific detection
SRX IPS modes
SRX deployment options
Attack Object Types
Application contexts
Predefined attack objects and groups
Custom attack objects and groups
Severities
Signature performance impacts
IPS Policy Components
Rulebases
Match criteria
Then actions
IPS actions
Notification actions
Packet logging
IP actions
Targets and timeouts
Terminate Match
Security Packages
Attack database
Attack object updates versus full updates
Application objects
Detector engines
Policy templates
Scheduling updates
Sensor Attributes
Logging sensor attributes
Application identification attributes
Flow attributes
Reassembler attributes
IPS attributes
Global attributes
Detector attributes
SSL inspection attributes
SSL Inspection
SSL decryption/inspection overview
Alternatives to SSL decryption and inspection
AppDDoS Protection
AppDDoS profiles
Custom Attack Groups and Objects
Static attack groups
Dynamic attack groups
Custom attack objects
Configuring IPS Features on the SRX
Getting Started with IPS on the SRX
Getting started example
Configuring automatic updates
Useful IPS files
Configuring static and dynamic attack groups
Creating a custom attack object
Creating, activating, and referencing IPS
Exempt rulebase
AppDDoS protection
SSL decryption
Configuring IPS modes
Deploying and Tuning IPS
First Steps to Deploying IPS
Building the Policy
Testing Your Policy
Actual Deployment
Day-to-Day IPS Management
Troubleshooting IPS
Checking IPS Status
Checking Security Package Version
IPS Attack Table
Application Statistics
IPS Counters
IP Action Table
AppDDoS Useful Commands
Troubleshooting the Commit/Compilation Process
Case Study 8-1
Summary
Chapter Review Questions
Chapter Review Answers

9. Unified Threat Management
What Is UTM?
Application Proxy
Web Filtering
Configuring web filtering using SurfControl
Configuring web filtering using Websense redirect
Creating custom category lists
Using local classification only
Antivirus
Kaspersky full antivirus
Juniper Express antivirus
Sophos in-the-cloud antivirus
Antivirus trickling
Whitelists
Notifications
Viewing the UTM Logs
Controlling What to Do When Things Go Wrong
Content Filtering
Filtering FTP traffic
Filtering HTTP traffic
Antispam
UTM Monitoring
Licensing
Tracing UTM Sessions
Case Study 9-1: Small Branch Office
Security Policies
UTM Policies and Profiles
Summary
Chapter Review Questions
Chapter Review Answers

10. High Availability
Understanding High Availability in the SRX
Chassis Cluster
The Control Plane
The Data Plane
Junos High Availability Concepts
Cluster ID
Node ID
Redundancy groups
Interfaces
Deployment Concepts
Active/passive
Active/active
Mixed mode
Six pack
Configuration
Differences from Standalone
Activating JSRPD (Juniper Services Redundancy Protocol)
Managing Cluster Members
Configuring the Control Ports
Configuring the Fabric Links
Node-Specific Information
Configuring Heartbeat Timers
Redundancy Groups
Configuring Interfaces
Integrating Dynamic Routing
Upgrading the Cluster
Fault Monitoring
Interface Monitoring
IP Monitoring
Manual Failover
Hardware Monitoring
Route engine
Switch control board
Switch fabric board
Services Processing Card
Network Processing Card
Interface card
Control link
Data link
Control link and data link failure
Power supplies
Software Monitoring
Preserving the Control Plane Using Junos Automation
Troubleshooting the Cluster
First Steps
Checking Interfaces
Verifying the Data Plane
Core Dumps
The Dreaded Priority Zero
When All Else Fails
Summary
Chapter Review Questions
Chapter Review Answers

11. Routing
How the SRX “Routes” IP Packets
Forwarding Tables
IP Routing
Asymmetric Routing
Address Resolution Protocol (ARP)
Static Routing
Creating a Static Route
Verifying a Static Route
Dynamic Routing
Configuring OSPF Routing
Troubleshooting OSPF adjacencies
OSPF security zone configuration
Case Study 11-1: Securing OSPF Adjacencies
Case Study 11-2: Redundant Paths and Routing Metrics
Growing OSPF Networks
IS-IS
Configuring IS-IS
Verifying IS-IS
Configuring BFD
Configuring RIP
Verifying RIP
Routing Policy
Case Study 11-3: Equal Cost Multipath (ECMP)
Internet Peering
Configuring BGP Peerings
BGP Routing Tables
Case Study 11-4: Internet Redundancy
Routing Instances
Configuring Routing Instances
Filter-Based Forwarding
Configuring Filter-Based Forwarding
Case Study 11-5: Dynamic Traffic Engineering
Summary
Chapter Review Questions
Chapter Review Answers

12. Transparent Mode
Transparent Mode Overview
Why Use Transparent Mode?
Segmenting a Layer 2 domain
Complex routing environments
Separation of duties
Existing transparent mode infrastructure
MAC Address Learning
Transparent Mode and Bridge Loops, Spanning Tree Protocol
Transparent Mode Limitations
Transparent Mode Components
Interfaces, family bridge, and bridge domains in transparent mode
Interface Modes in Transparent Mode
Bridge Domains
IRB Interfaces
Transparent Mode Zones
Transparent Mode Security Policy
Transparent Mode Specific Options
QoS in Transparent Mode
VLAN Rewriting
High Availability with Transparent Mode
Spanning Tree Protocol in transparent mode
Layer 2 deployments
Transparent Mode Flow Process
Slow-path packet SPU packet processing
Fast-path SPU processing
Session teardown
Configuring Transparent Mode
Configuring Transparent Mode Basics
Configuring Integrated Routing and Bridging
Configuring Transparent Mode Security Zones
Configuring Transparent Mode Security Policies
Configuring Bridging Options
Configuring Transparent Mode QoS
Configuring VLAN Rewriting
Transparent Mode Commands and Troubleshooting
The show bridge domain Command
The show bridge mac-table Command
The show l2-learning global-information Command
The show l2-learning global-mac-count Command
The show l2-learning interface Command
Transparent Mode Troubleshooting Steps
Case Study 12-1
Summary
Chapter Review Questions
Chapter Review Answers

13. SRX Management
The Management Infrastructure
Operational Mode
Configuration Mode
J-Web
NSM and Junos Space
NETCONF
Scripting and Automation
Commit Scripts
Hello World, commit script edition
Adding and enabling commit scripts
Special tags for MGD
Using a script to enforce some condition
Missing security zone binding
Creating a Configuration Template
Transient versus persistent changes
Configuration templates part II
Operational Scripts
Event Scripts
Keeping Your Scripts Up-to-Date
Case Studies
Case Study 13-1: Displaying the Interface and Zone Information
Case Study 13-2: Zone Groups
Case Study 13-3: Showing the Security Policies in a Compact Format
Case Study 13-4: Track-IP Functionality to Trigger a Cluster Failover
Case Study 13-5: Track-IP Using RPM Probes
Case Study 13-6: Top Talkers
Case Study 13-7: Destination NAT on Interfaces with Dynamic IP Addresses
Case Study 13-8: High-End SRX Monitor
Summary
Chapter Review Questions
Chapter Review Answers

Index
About the Authors
Colophon
Copyright