book

Juniper SRX Series

by Rob Cameron, Brad Woodberg

June 2013

Intermediate to advanced

1018 pages

28h 48m

English

O'Reilly Media, Inc.

Read now

Unlock full access

How to Use This BookWhat’s in This Book?Conventions Used in This BookUsing Code ExamplesSafari® Books OnlineHow to Contact UsAcknowledgments
Evolving into the SRXScreenOS to JunosInherited ScreenOS featuresDevice managementThe SRX Series PlatformBuilt for ServicesDeployment SolutionsSmall BranchMedium BranchLarge BranchData CenterData Center EdgeData Center Services TierService ProviderMobile CarriersCloud NetworksThe Junos Enterprise Services Reference NetworkSummaryStudy Questions
Branch SRX SeriesBranch-Specific FeaturesSRX100 SeriesSRX200 SeriesInterface modules for the SRX200 lineSRX500 SeriesSRX600 SeriesInterface modules for the SRX600 lineJunosV Firefly (Virtual Junos)AX411CX111Branch SRX Series Hardware OverviewLicensingBranch SummaryData Center SRX SeriesData Center SRX-Specific FeaturesSPCNPUData Center SRX Series Session SetupData Center SRX Series Hardware OverviewSRX1000 SeriesSRX3000 SeriesIOC modulesSRX5000 SeriesNG-SPCIOC modulesSummaryStudy Questions
J-Web: Your On-Box AssistantDashboardChassis viewInformational panelsDevice ConfigurationTask wizardsCommitting the configurationInterfacesFirewall policiesPoint and click CLIMonitoring Your SRXInterface monitoringTraffic reportsOperational TasksSoftware managementConfiguration managementRebootingDisk managementTroubleshooting from J-WebPacket captureNetwork connectivityCentralized ManagementSpace: The Final Frontier of ManagementThe Junos Space ecosphereSecurity DirectorFirewall policy managementLog Management with STRMReporting with STRMLegacy Security ManagementUsing NSMSummaryStudy Questions
InterfacesPhysical InterfacesManagement InterfacesVirtual InterfacesLogical InterfacesSwitching ConfigurationAggregate InterfacesLACP protocolTransparent InterfacesZonesSecurity ZonesFunctional ZonesBasic ProtocolsStatic RoutingDynamic Routing ProtocolsSpanning TreeRouting InstancesRouting Instance TypesConfiguring Routing InstancesFlow Mode and Packet ModeSample DeploymentSummaryStudy Questions
System Services Operation on the SRXSystem Services and the Control PlaneSystem services that operate on the control planeSystem Services and the Data PlaneAccounts for Administrative UsersConfiguring local usersCreating a login classRemote authenticationAccessing System Services: Control Plane Versus Data PlaneConfiguring a stateless firewall filter to control traffic on fxp0Configuring a stateless firewall filter to control all inbound management trafficConfiguring a security policy to control data plane management trafficZone-Based Service ControlConfiguring system services and protocols per zone or interfaceManagement ServicesCommand-Line InterfacesConfiguring console optionsConfiguring Telnet accessConfiguring SSH accessWeb Management on the SRXEnabling NetConf over SSHSNMP ManagementConfiguring SNMP ManagementConfiguring SNMP TrapsSNMP in High Availability Chassis ClustersJunos SNMP MIBNetworking ServicesNetwork Time ProtocolManually configuring SRX timeConfiguring the SRX as an NTP clientConfiguring the SRX as an NTP serverDomain Name SystemConfiguring the SRX as a DNS clientConfiguring the SRX as a proxy serverDynamic Host Configuration ProtocolConfiguring the SRX as a DHCP serverConfiguring the SRX as a DHCP clientConfiguring the SRX as a DHCP relay serverSRX Logging and Flow RecordsControl Plane Versus Data Plane LogsData plane logs: Event versus Stream modeConfiguring control plane logging on the SRXConfiguring Stream mode logging on the data planeSyslog format typesConfiguring Event mode logging to the control planeTips for Viewing Syslog MessagesJFlow on the SRXBest PracticesTroubleshooting and OperationViewing the System Connection TableViewing the Services/Counters on the InterfaceChecking NTP StatusChecking SNMP StatusDHCP Operational Mode CommandsViewing Security Logs LocallyChecking for Core DumpsRestarting Platform DaemonsTroubleshooting Individual DaemonsSummaryStudy Questions
Transparent Mode OverviewWhen to Use Transparent ModeSegmenting a Layer 2 domainComplex routing environmentsSeparation of dutiesExisting transparent mode infrastructureMAC Address LearningTransparent Mode and Bridge Loops, Spanning Tree ProtocolTransparent Mode LimitationsTransparent Mode ComponentsInterfaces, family bridge, and bridge domains in transparent modeInterface Modes in Transparent ModeBridge DomainsIRB InterfacesTransparent Mode ZonesTransparent Mode Security PolicyTransparent Mode Specific OptionsQoS in Transparent ModeVLAN RewritingHigh Availability with Transparent ModeSpanning Tree Protocol in transparent mode Layer 2 deploymentsTransparent Mode Flow ProcessSlow-path SPU packet processingFast-path SPU packet processingSession teardownConfiguring Transparent ModeConfiguring Transparent Mode BasicsTraditional SwitchingConfiguring Integrated Routing and BridgingConfiguring Transparent Mode Security ZonesConfiguring Transparent Mode Security PoliciesConfiguring Bridging OptionsRestricting BPDUs to VLANsConfiguring Transparent Mode QoSConfiguring VLAN RewritingTroubleshooting and OperationThe show bridge domain CommandThe show bridge mac-table CommandThe show l2-learning global-information CommandThe show l2-learning global-mac-count CommandThe show l2-learning interface CommandTransparent Mode Troubleshooting StepsSample DeploymentsSummaryStudy Questions
Understanding High Availability in the SRXChassis ClusterThe Control PlaneThe Data PlaneGetting Started with High AvailabilityCluster IDNode IDRedundancy GroupsInterfacesDeployment ConceptsActive/passiveActive/activeMixed modeSix packPreparing Devices for DeploymentDifferences from StandaloneActivating Juniper Services Redundancy ProtocolManaging Cluster MembersConfiguring the Control PortsConfiguring the Fabric LinksConfiguring the Switching Fabric InterfaceNode-Specific InformationConfiguring Heartbeat TimersRedundancy GroupsIntegrating the Cluster into Your NetworkConfiguring InterfacesFault MonitoringInterface MonitoringIP MonitoringHardware MonitoringRoute engineSwitch control boardSwitch fabric boardServices Processing Card/Next Generation Services Processing CardNetwork Processing CardInterface cardControl linkData linkControl link and data link failurePower suppliesSoftware MonitoringPreserving the Control PlaneTroubleshooting and OperationFirst StepsChecking InterfacesVerifying the Data PlaneCore DumpsThe Dreaded Priority ZeroWhen All Else FailsManual FailoverSample DeploymentsSummaryStudy Questions
Packet FlowSecurity Policy Criteria and PrecedenceSecurity Policy PrecedenceTop to Bottom Policy EvaluationSecurity Policy Components in DepthMatch CriteriaSecurity zonesOne interface per zone versus multiple interfaces per zoneConfiguring security zonesAddress booksAddress objectsIP prefix address objectsConfiguring IP prefix address objectsDNS address objectsConfiguring DNS address objectsIP range objectsConfiguring IP range objectsWildcard address objectsConfiguring wildcard address objectsAddress setsConfiguring address setsApplication objectsApplication setsConfiguring applications and application setsSource-IdentityNegated source and destination objectsSchedulersConfiguring schedulersAction CriteriaPermit optionsConfiguring security policiesHost security policiesConfiguring a policy to restrict inbound or outbound management requestsApplication Layer GatewaysEnabling an ALG exampleBest PracticesTroubleshooting and OperationViewing Security PoliciesSecurity policy toolsViewing the Firewall Session TableSample firewall logsMonitoring Interface CountersPerforming a Flow TracePerforming a Packet Capture on SRX BranchPerforming a Packet Capture on the High-End SRXSample DeploymentSummaryStudy Questions

The Need for NATNAT as a Security Component?Junos NAT FundamentalsJunos NAT TypesNAT Precedence in the Junos Event ChainNAT type precedenceJunos NAT ComponentsRulesetsStatic NAT rulesetsDestination NAT rulesetsSource NAT rulesetsNAT ruleset precedenceNAT ruleset precedence exampleNAT Interfaces, Pools, and Mapping ObjectsStatic NAT transformsSource NAT transformsInterfacesPoolsDestination NAT poolsNAT RulesNAT and Security PoliciesProxy-ARP and Proxy-NDPConfiguring Proxy-ARP/NDPWhen you don’t need Proxy-ARP/NDPJunos NAT in PracticeStatic NATStatic NAT one-to-one mappingStatic NAT many-to-many mappingOption 1: NAT44/NAT66Option 2: NAT46 Static mappingOption 3: NAT 64 automatic translationSource NATSource NAT with interfacesSource NAT with pools and interfacesOther SRX source NAT configuration optionsDestination NATConfiguration destination NATCombination Source and Destination NATNo-NAT with Source or Destination NATBest PracticesTroubleshooting and OperationNAT Rule and Usage CountersViewing the Session TableView NAT ErrorsView Firewall Logs with NATFlow Debugging with NATSource NATDestination NATStatic NATSample DeploymentSummaryStudy Questions
VPN Architecture OverviewSite-to-Site IPsec VPNsHub and Spoke IPsec VPNsFull Mesh VPNsPartial Mesh VPNsRemote Access VPNsIPsec VPN Concepts OverviewIPsec Encryption AlgorithmsIPsec Authentication AlgorithmsIKE Version 1 OverviewPhase 1 IKE negotiation modesMain modeAggressive modePhase 2 IKE negotiation modesPerfect Forward SecrecyQuick modeProxy ID negotiationIKE Version 2IKEv1 versus IKEv2IPsec VPN ProtocolIPsec VPN ModeIPsec Manual KeysIPv6 and IPsec on the SRXIKE NegotiationsIKE AuthenticationPreshared key authenticationCertificate authenticationIKE IdentitiesFlow Processing and IPsec VPNsSRX VPN TypesPolicy-Based VPNsRoute-Based VPNsNumbered versus unnumbered st0 interfacesPoint-to-point versus point-to-multipoint VPNsSpecial point-to-multipoint attributesPoint-to-multipoint NHTBWhich should you use: Policy- or route-based VPN?Other SRX VPN ComponentsDead Peer DetectionVPN MonitoringXAuthNAT TraversalAnti-Replay ProtectionFragmentationDifferentiated Services Code PointIKEv1 Key LifetimesNetwork Time ProtocolCertificate ValidationSimple Certificate Enrollment ProtocolGroup VPNDynamic VPNSelecting the Appropriate VPN ConfigurationIPsec VPN ConfigurationConfiguring NTPCertificate Preconfiguration TasksPhase 1 IKE ConfigurationConfiguring Phase 1 proposalsConfiguration for Remote-Office1 proposal with preshared keysConfiguration for Remote-Office1 proposal with certificatesConfiguring IKEv1 Phase 1 policiesConfiguring IKEv1 Phase 1 IKE policy with preshared key, Main modeConfiguring IKEv1 Phase 1 IKE policy with preshared key, Aggressive modeConfiguring IKEv1 Phase 1 IKE policy with certificatesConfiguring IKEv1 Phase 1 gatewaysConfiguring an IKEv1 gateway with static IP address and DPDConfiguring dynamic gateways and remote access clientsConfiguring an IKE gateway with a dynamic IP addressConfiguring an IKEv1 remote access clientPhase 2 IKE ConfigurationConfiguring IKEv1 Phase 2 proposalsConfiguring an IKEv1 Phase 2 proposal for remote offices and client connectionsConfiguring Phase 2 IPsec policyConfiguring an IPsec policy defining the Phase 2 proposalConfiguring common IPsec VPN componentsConfiguring a common site-to-site VPN componentIKEv1 Versus IKEv2 ConfigurationConfiguring policy-based VPNsConfiguring a policy-based VPN for the East Branch to the Central site VPNConfiguring route-based VPNsIPsec and SRX HAIPsec termination in HAISSU for VPNDynamic VPNBest PracticesTroubleshooting and OperationUseful VPN Commandsshow security ike security-associationsshow security ipsec security-associationsshow security ipsec inactive-tunnelsshow security ipsec statisticsChecking interface statisticsVPN Tracing and DebuggingVPN troubleshooting processConfiguring and analyzing VPN tracingSample DeploymentsSite-to-Site VPNRemote Access VPNIPsec Caveats on SRXSummaryStudy Questions
A Brief Review of Denial-of-Service AttacksExploit-Based DoSFlood-Based DoSDoS Versus DDoSScreen Theory and ExamplesHow Screens Fit into the Packet FlowScreen Processing only happens on the ingress interfaceScreens in Hardware and SoftwareScreen ProfilesPacket versus threshold ScreensApplying Screen profiles to single and multiple zonesConfiguring a Screen profileDoS Attacks with IP ProtocolsBad IP Option ScreenConfiguring Bad IP Option ScreenBlock Frag ScreenConfiguring Block Frag ScreenRoute Option ScreensConfiguring Route Option ScreensIP Security Option ScreenConfiguring the IP Security Option ScreenIP Spoofing ScreenConfiguring the IP Spoofing ScreenIP Stream Option ScreenConfiguring the IP Stream Option ScreenIP Tear Drop ScreenConfiguring the IP Tear Drop ScreenIP Timestamp Option ScreenConfiguring the IP Timestamp Option ScreenUnknown IP Protocol ScreenConfiguring the Unknown IP Protocol ScreenDoS Attacks with ICMPICMP Flood ScreenConfiguring the ICMP Flood ScreenICMP Fragment ScreenConfiguring the ICMP Fragment ScreenICMP IP Sweep ScreenConfiguring the ICMP IP Sweep ScreenICMP Large Packet ScreenConfiguring the ICMP Large Packet ScreenICMP Ping of Death ScreenConfiguring the ICMP Ping of Death ScreenDoS Attacks with UDPUDP Flood ScreenConfiguring the UDP Flood ScreenUDP Sweep ScreenConfiguring the UDP Sweep ScreenDoS Attacks with TCPFIN-No-ACK ScreenConfiguring the FIN-No-ACK ScreenLAND Attack ScreenConfiguring the LAND Attack ScreenTCP Port Scan ScreenConfiguring the TCP Port Scan ScreenSYN-ACK-ACK Proxy ScreenConfiguring the SYN-ACK-ACK-Proxy ScreenSYN-FIN ScreenConfiguring the SYN-FIN ScreenSYN flood/spoofing attacksSYN flood rate limitingConfiguring SYN Flood Rate LimitingSYN Spoofing Protection ModesConfiguring SYN Cookie/Proxy ProtectionSYN-Frag ScreenConfiguring the SYN-Frag ScreenTCP No Flags ScreenConfiguring the TCP No Flags ScreenTCP Sweep ScreenConfiguring the TCP Sweep ScreenWinNuke ScreenConfiguring the WinNuke ScreenSession Limit ScreensSource IP Session Limit ScreenConfiguring the Source IP Session Limit ScreenDestination IP Session Limit ScreenConfiguring the Destination IP Session Limit ScreenSRX Flow OptionsAggressive session agingConfiguring the aggressive session ageout flow optionTCP sequence checksConfiguring TCP sequence checksConfiguring TCP sequence checks for RST packetsTCP SYN checksStrict SYN checksConfiguring the strict SYN checkSYN checks in tunnelsTCP state timeoutsConfiguring the TCP initial session timeout and TCP time wait timeoutBest PracticesTroubleshooting and OperationViewing Screen Profile SettingsViewing the Screen Attack StatisticsViewing Flow ExceptionsSample DeploymentConfiguration for Screen and Flow Option Sample DeploymentSummaryStudy Questions
AppSecure Component OverviewApplication IdentificationApplication TrackingApplication FirewallApplication Quality of ServiceUser Role FirewallingSSL Forward ProxyAI Processing ArchitectureHow Application Identification identifies applicationsSignature-based pattern matchingNested application signaturesKeeping honest applications honestHeuristic-based detectionPredictive session identificationApplication system cacheDeploying AppSecureAppSecure LicensingDownloading and Installing Application Identification SigpacksControlling application cachingEnabling application identification heuristicsAppID Signature OperationsEnabling and disabling applications and application groupsCreating Layer 3/Layer 4 applicationsCreating custom application groupsConfiguring and Deploying AppTrackEnabling AppTrackConfiguring AppTrack optionsConfiguring and Deploying Application FirewallThree types of Application Firewall rulesetsConfiguring a blacklist application rulesetConfiguring a whitelist application rulesetConfiguring a hybrid application rulesetWhen to use blacklist, whitelist, and hybrid rulesetsConfiguring application redirectConfiguring and Deploying Application Quality of ServiceDSCP rewriteForwarding classLoggingLoss priorityRate limiterConfiguring an AppQoS exampleConfiguring and Deploying User Role FirewallUserFW functionality overviewUserFW packaging and licensingDeploying UserFWConfiguring the SRX for UserFWConfiguring the ICConfiguring the SRX as an IC enforcerConfiguring the authentication serverConfiguring realms, roles, and sign-in policiesMiscellaneous Active Directory tasksConfiguring and Deploying SSL Forward ProxyConfiguring SSL Forward Proxy on the SRXAppFW with encrypted applicationsBest PracticesApplication IdentificationAppTrackAppFWAppQoSUserFWSSL FPTroubleshooting and OperationOperating Application IdentificationChecking the AppID packageChecking the AppID engine settings and cacheChecking AppID countersChecking application statisticsAppTrackOperating Application FirewallOperating Application QoSOperating UserFWOperating SSL Forward ProxySample DeploymentsSummaryStudy Questions
The Need for IPSWhat About Application Firewalling in NGFW?How Does IPS Work?LicensingIPS and UTMWhat Is the Difference Between Full IPS and Deep Inspection/IPS Lite?Is It IDP or IPS?False Positives and False Negatives in IPSManagement IPS Functionality on the SRXStages of a System CompromiseIPS Packet Processing on the SRXPacket processing pathDirection-specific detectionSRX deployment optionsAttack Object TypesApplication contextsPredefined attack objects and groupsCustom attack objects and groupsSeveritiesSignature performance impactsIPS Policy ComponentsRulebasesMatch criteriaThen actionsIPS actionsNotification actionsPacket loggingConfiguring packet logging in the STRMIP actionsTargets and timeoutsTerminal MatchSecurity PackagesAttack databaseAttack object updates versus full updatesApplication objectsDetector enginesPolicy templatesScheduling updatesSensor AttributesSSL Inspection (Reverse Proxy)Custom Attack GroupsStatic attack groupsDynamic attack groupsConfiguring IPS Features on the SRXGetting Started with IPS on the SRXGetting started exampleConfiguring automatic updatesUseful IPS filesViewing IPS attack objects and group membershipConfiguring static and dynamic attack groupsCreating, activating, and referencing IPSExempt rulebaseEnabling GZIP/Deflate DecompressionDeploying and Tuning IPSFirst Steps to Deploying IPSBuilding the PolicyTesting Your PolicyLeveraging sniffer mode for the deploymentActual DeploymentDay-to-Day IPS ManagementBest PracticesTroubleshooting and OperationChecking IPS StatusChecking Security Package VersionTroubleshooting and Monitoring Security Package InstallationClearing the download and cache files on the SRXChecking Policy Compilation StatusIPS Attack TableIPS CountersIP Action TableSample DeploymentsSummaryStudy Questions
Shifting ThreatsUTM, IPS, or Both?AntivirusURL FilteringAntispamContent FilteringAntivirus + URL Filtering+ IPS?I Have SRX Antivirus: Do I Need Desktop Antivirus?UTM LicensingConfiguring LicensingUTM ComponentsFeature ProfilesCustom ObjectsUTM PoliciesApplication ProxyNetworking Requirements for UTM FeaturesAntivirusAntivirus flavors in the SRXSophos AVImplementing Sophos AVConfiguring Sophos with a default profileDefault profile configurationSophos AV feature profilesConfiguring Sophos feature profile exampleKaspersky Full AVConfiguring Kaspersky with the default profileDefault Kaspersky profile configurationConfiguring Kaspersky AV scanning and fallback optionsExpress AVDefault Express AV profileWhich AV to Choose?URL FilteringURL filtering flavorsConfiguring the URL filtering with default profilesWebsense Enhanced filteringConfiguring Websense Enhanced default profileDefault Websense Enhanced profileConfiguring a custom Websense Enhanced profileSurfcontrol/Websense Integrated URL filteringConfiguring Surfcontrol Integrated with default profileDefault Surfcontrol/Websense profile configurationConfiguring Surfcontrol/Websense Integrated optionsWebsense RedirectConfiguring Websense RedirectDefault Websense Redirect profileDefault local URL filtering profileURL Custom URLs, blacklists, whitelists, and categoriesCustom URL patternsCustom URL categoryURL filtering profilesJuniper Local feature profile optionsPutting it all together for Juniper Local web filteringWhich URL filtering solution to choose?AntispamConfiguration options for antispamConfiguring antispam with the default profileConfiguring a custom spam profile and policyContent FilteringConfiguring content filtering exampleLogging UTM MessagesConfiguring syslog to send UTM to a remote serverBest PracticesTroubleshooting and OperationUTM EngineAntivirusTesting antivirusURL FilteringWebsense site lookup toolAntispamContent FilteringSample DeploymentsSummaryStudy Questions

Content preview from Juniper SRX Series

Chapter 8. Security Policies

Security policies are at the core of applying the security mechanisms of the SRX. This makes logical sense because of the granular, flexible nature of the firewall rulebase. Up until this point, we have had various discussions about the platform-level support of the SRX, but now, as we enter the second half of the book, we focus in on the actual application of security features.

In this chapter, we begin by quickly reviewing the packet flow of the SRX, followed by a discussion of the related security policy components, and an in-depth discussion of the SRX policy configuration itself. We explore some additional security policy features like the Level 7 security features and ALGs. We conclude this chapter with some hands-on discussions of best practices, troubleshooting and device operations, and sample deployments. By the end of this chapter, you should be a pro at not only configuring security policies, but also properly designing an effective security policy in your network.

Packet Flow

Earlier in the book we reviewed the packet flow of an SRX, but it is helpful to briefly discuss it here as a refresher (or if you’re just reading this chapter out of the book by itself).

Figure 8-1 gives us a visual representation of the security policy. When it comes to security policy enforcement on the SRX, this is entirely handled on the data plane of the SRX, unlike ScreenOS, which would do at least the policy lookup on the control plane. Completely leveraging the ...