book

Junos Security

by Rob Cameron, Brad Woodberg, Patricio Giecco, Timothy Eberhard, James Quinn

August 2010

Intermediate to advanced

846 pages

24h 53m

English

O'Reilly Media, Inc.

Read now

Unlock full access

A Note Regarding Supplemental Files
Foreword
Preface
This Book’s Assumptions About YouWhat’s In This Book?Juniper Networks Technical Certification Program (JNTCP)Topology for This BookConventions Used in This BookUsing Code ExamplesWe’d Like to Hear from You/How to Contact Us/Comments and QuestionsSafari® Books OnlineAbout the Tech ReviewersAcknowledgmentsFrom Rob CameronFrom Tim EberhardFrom Patricio GieccoFrom Glen GibsonFrom James QuinnFrom Brad Woodberg
1. Introduction to the SRX
Evolving into the SRXScreenOS to JunosInherited ScreenOS featuresDevice managementThe SRX Series PlatformBuilt for ServicesDeployment SolutionsSmall BranchMedium BranchLarge BranchData CenterData Center EdgeData Center Services TierService ProviderMobile CarriersCloud NetworksThe Junos Enterprise Services Reference NetworkSRX Series Product LinesBranch SRX SeriesBranch-Specific FeaturesSRX100SRX200Interface modules for the SRX200 lineSRX600Interface modules for the SRX600 lineAX411CX111Branch SRX Series Hardware OverviewLicensingBranch SummaryData Center SRX SeriesData Center SRX-Specific FeaturesSPCNPUData Center SRX Series Session SetupData Center SRX Series Hardware OverviewSRX3000IOC modulesSRX5000IOC modulesSummaryChapter Review QuestionsChapter Review Answers
2. What Makes Junos So Special?
OS BasicsFreeBSDProcess SeparationDevelopment ModelAdding New FeaturesData PlaneJunos Is Junos Except When It’s JunosComing from Other ProductsScreenOSIOS and PIX OSCheck PointSummaryChapter Review QuestionsChapter Review Answers
3. Hands-On Junos
IntroductionDriving the Command LineOperational ModeVariable Length OutputPassing Through the PipeSeeking Immediate HelpConfiguration ModeCommit ModelRestarting ProcessesJunos AutomationJunos Configuration EssentialsSystem SettingsInterfacesSwitching (Branch)ZonesSummaryChapter Review QuestionsChapter Review Answers
4. Security Policy
Security Policy OverviewSRX Policy ProcessingViewing SRX Policy TablesViewing Policy StatisticsViewing Session FlowsPolicy StructureSecurity ZonesService ConfigurationBlocking Unwanted TrafficPolicy LoggingTroubleshooting Security Policy and Traffic FlowsTroubleshooting SampleTroubleshooting OutputTurning Off TraceoptionsApplication Layer Gateway ServicesHow to Configure an ALGPolicy SchedulersOne-Time SchedulersWeb and Proxy AuthenticationWeb AuthenticationPass-Through AuthenticationCase Study 4-1Case Study 4-2Converters and ScriptsSummaryChapter Review QuestionsChapter Review Answers
5. Network Address Translation
How the SRX Processes NATSource NATInterface NATImplementing a source NAT rule-setViewing interface NAT in the session tableViewing traffic flow logs for interface NATOperational commands for interface NATTracing interface NAT flowsAddress PoolsImplementing a source NAT address poolViewing pool NAT in the session tableViewing traffic flow logs for pool NATOperational commands for pool NATTracing pool NAT flowsRemoving PATImplementing source NAT without PATViewing source NAT without PATProxy ARPImplementing proxy ARPViewing proxy ARP in actionPersistent NATImplementing persistent NATViewing persistent NAT in actionCase Study 5-1: ISP Redundancy via PATImplementing redundant ISP PATConclusionDestination NATImplementing Destination NATViewing Destination NATTracing Destination NAT FlowsCase Study 5-2: Virtual IP NATImplementing VIP NATStatic NATCase Study 5-3: Double NATSummaryChapter Review QuestionsChapter Review Answers
6. IPsec VPN
VPN Architecture OverviewSite-to-Site IPsec VPNsHub and Spoke IPsec VPNsFull Mesh VPNsMultipoint VPNsRemote Access VPNsIPsec VPN Concepts OverviewIPsec Encryption AlgorithmsIPsec Authentication AlgorithmsIKE Version 1 OverviewIKE Phase 1IKE Phase 2IPSec VPN ProtocolIPsec VPN ModeIPsec Manual KeysPhase 1 IKE NegotiationsIKE AuthenticationPreshared key authenticationCertificate authenticationIKE IdentitiesPhase 1 IKE Negotiation ModesMain modeAggressive modePhase 2 IKE NegotiationsPerfect Forward SecrecyQuick ModeProxy ID NegotiationFlow Processing and IPsec VPNsSRX VPN TypesPolicy-Based VPNsRoute-Based VPNsNumbered versus unnumbered st0 interfacesPoint-to-point versus point-to-multipoint VPNsSpecial point-to-multipoint attributesPoint-to-multipoint NHTBOther SRX VPN ComponentsDead Peer DetectionVPN MonitoringXAuthNAT TraversalAnti-Replay ProtectionFragmentationDifferentiated Services Code PointIKE Key LifetimesNetwork Time ProtocolCertificate ValidationSimple Certificate Enrollment ProtocolGroup VPNDynamic VPNSelecting the Appropriate VPN ConfigurationIPsec VPN ConfigurationConfiguring NTPCertificate Preconfiguration TasksPhase 1 IKE ConfigurationConfiguring Phase 1 proposalsConfiguration for Remote-Office1 proposal with preshared keysConfiguration for Remote-Office1 proposal with certificatesConfiguring Phase 1 policiesConfiguring Phase 1 IKE policy with preshared key, Main modeConfiguring Phase 1 IKE policy with preshared key, Aggressive modeConfiguring Phase 1 IKE policy with certificatesConfiguring Phase 1 gatewaysConfiguring an IKE gateway with static IP address and DPDConfiguring dynamic gateways and remote access clientsConfiguring an IKE gateway with a dynamic IP addressConfiguring an IKE remote access clientPhase 2 IKE ConfigurationConfiguring Phase 2 proposalsConfiguring a Phase 2 proposal for remote offices and client connectionsConfiguring Phase 2 IPsec policyConfiguring an IPsec policy defining the Phase 2 proposalConfiguring common IPsec VPN componentsConfiguring a common site-to-site VPN componentConfiguring policy-based VPNsConfiguring a policy-based VPN for the East Branch to the Central site VPNConfiguring route-based VPNsConfiguring Manual Key IPsec VPNsConfiguring a manual key IPsec VPNDynamic VPNVPN Verification and TroubleshootingUseful VPN Commandsshow security ike security-associationsshow security ipsec security-associationsshow security ipsec statisticsVPN Tracing and DebuggingVPN troubleshooting processConfiguring and analyzing VPN tracingTroubleshooting a site-to-site VPNTroubleshooting a remote access VPNCase StudiesCase Study 6-1: Site-to-Site VPNCase Study 6-2: Remote Access VPNSummaryChapter Review QuestionsChapter Review Answers
7. High-Performance Attack Mitigation
Network Protection Tools OverviewFirewall FiltersScreensSecurity PolicyIPS and AppDoSProtecting Against Network ReconnaissanceFirewall FilteringScreeningPort Scan ScreeningSummaryProtecting Against Basic IP AttacksBasic IP ProtectionsBasic ICMP ProtectionsBasic TCP ProtectionsBasic Denial-of-Service ScreensAdvanced Denial-of-Service and Distributed Denial-of-Service ProtectionICMP FloodsUDP FloodsSYN/TCP FloodsSYN CookiesSYN-ACK-ACK ProxiesSession LimitationAppDoSApplication ProtectionSIPMGCPSCCPProtecting the SRXSummaryChapter Review QuestionsChapter Review Answers

8. Intrusion Prevention
The Need for IPSHow Does IPS Work?LicensingIPS and antivirusWhat is the difference between full IPS and deep inspection/IPS lite?Is it IDP or IPS?False positives and false negatives in IPSManagement IPS functionality on the SRXStages of a system compromiseIPS Packet Processing on the SRXPacket processing pathDirection-specific detectionSRX IPS modesSRX deployment optionsAttack Object TypesApplication contextsPredefined attack objects and groupsCustom attack objects and groupsSeveritiesSignature performance impactsIPS Policy ComponentsRulebasesMatch criteriaThen actionsIPS actionsNotification actionsPacket loggingIP actionsTargets and timeoutsTerminate MatchSecurity PackagesAttack databaseAttack object updates versus full updatesApplication objectsDetector enginesPolicy templatesScheduling updatesSensor AttributesLogging sensor attributesApplication identification attributesFlow attributesReassembler attributesIPS attributesGlobal attributesDetector attributesSSL inspection attributesSSL InspectionSSL decryption/inspection overviewAlternatives to SSL decryption and inspectionAppDDoS ProtectionAppDDoS profilesCustom Attack Groups and ObjectsStatic attack groupsDynamic attack groupsCustom attack objectsConfiguring IPS Features on the SRXGetting Started with IPS on the SRXGetting started exampleConfiguring automatic updatesUseful IPS filesConfiguring static and dynamic attack groupsCreating a custom attack objectCreating, activating, and referencing IPSExempt rulebaseAppDDoS protectionSSL decryptionConfiguring IPS modesDeploying and Tuning IPSFirst Steps to Deploying IPSBuilding the PolicyTesting Your PolicyActual DeploymentDay-to-Day IPS ManagementTroubleshooting IPSChecking IPS StatusChecking Security Package VersionIPS Attack TableApplication StatisticsIPS CountersIP Action TableAppDDoS Useful CommandsTroubleshooting the Commit/Compilation ProcessCase Study 8-1SummaryChapter Review QuestionsChapter Review Answers
9. Unified Threat Management
What Is UTM?Application ProxyWeb FilteringConfiguring web filtering using SurfControlConfiguring web filtering using Websense redirectCreating custom category listsUsing local classification onlyAntivirusKaspersky full antivirusJuniper Express antivirusSophos in-the-cloud antivirusAntivirus tricklingWhitelistsNotificationsViewing the UTM LogsControlling What to Do When Things Go WrongContent FilteringFiltering FTP trafficFiltering HTTP trafficAntispamUTM MonitoringLicensingTracing UTM SessionsCase Study 9-1: Small Branch OfficeSecurity PoliciesUTM Policies and ProfilesSummaryChapter Review QuestionsChapter Review Answers
10. High Availability
Understanding High Availability in the SRXChassis ClusterThe Control PlaneThe Data PlaneJunos High Availability ConceptsCluster IDNode IDRedundancy groupsInterfacesDeployment ConceptsActive/passiveActive/activeMixed modeSix packConfigurationDifferences from StandaloneActivating JSRPD (Juniper Services Redundancy Protocol)Managing Cluster MembersConfiguring the Control PortsConfiguring the Fabric LinksNode-Specific InformationConfiguring Heartbeat TimersRedundancy GroupsConfiguring InterfacesIntegrating Dynamic RoutingUpgrading the ClusterFault MonitoringInterface MonitoringIP MonitoringManual FailoverHardware MonitoringRoute engineSwitch control boardSwitch fabric boardServices Processing CardNetwork Processing CardInterface cardControl linkData linkControl link and data link failurePower suppliesSoftware MonitoringPreserving the Control PlaneUsing Junos AutomationTroubleshooting the ClusterFirst StepsChecking InterfacesVerifying the Data PlaneCore DumpsThe Dreaded Priority ZeroWhen All Else FailsSummaryChapter Review QuestionsChapter Review Answers
11. Routing
How the SRX “Routes” IP PacketsForwarding TablesIP RoutingAsymmetric RoutingAddress Resolution Protocol (ARP)Static RoutingCreating a Static RouteVerifying a Static RouteDynamic RoutingConfiguring OSPF RoutingTroubleshooting OSPF adjacenciesOSPF security zone configurationCase Study 11-1: Securing OSPF AdjacenciesCase Study 11-2: Redundant Paths and Routing MetricsGrowing OSPF NetworksIS-ISConfiguring IS-ISVerifying IS-ISConfiguring BFDConfiguring RIPVerifying RIPRouting PolicyCase Study 11-3: Equal Cost Multipath (ECMP)Internet PeeringConfiguring BGP PeeringsBGP Routing TablesCase Study 11-4: Internet RedundancyRouting InstancesConfiguring Routing InstancesFilter-Based ForwardingConfiguring Filter-Based ForwardingCase Study 11-5: Dynamic Traffic EngineeringSummaryChapter Review QuestionsChapter Review Answers
12. Transparent Mode
Transparent Mode OverviewWhy Use Transparent Mode?Segmenting a Layer 2 domainComplex routing environmentsSeparation of dutiesExisting transparent mode infrastructureMAC Address LearningTransparent Mode and Bridge Loops, Spanning Tree ProtocolTransparent Mode LimitationsTransparent Mode ComponentsInterfaces, family bridge, and bridge domains in transparent modeInterface Modes in Transparent ModeBridge DomainsIRB InterfacesTransparent Mode ZonesTransparent Mode Security PolicyTransparent Mode Specific OptionsQoS in Transparent ModeVLAN RewritingHigh Availability with Transparent ModeSpanning Tree Protocol in transparent mode Layer 2 deploymentsTransparent Mode Flow ProcessSlow-path packet SPU packet processingFast-path SPU processingSession teardownConfiguring Transparent ModeConfiguring Transparent Mode BasicsConfiguring Integrated Routing and BridgingConfiguring Transparent Mode Security ZonesConfiguring Transparent Mode Security PoliciesConfiguring Bridging OptionsConfiguring Transparent Mode QoSConfiguring VLAN RewritingTransparent Mode Commands and TroubleshootingThe show bridge domain CommandThe show bridge mac-table CommandThe show l2-learning global-information CommandThe show l2-learning global-mac-count CommandThe show l2-learning interface CommandTransparent Mode Troubleshooting StepsCase Study 12-1SummaryChapter Review QuestionsChapter Review Answers
13. SRX Management
The Management InfrastructureOperational ModeConfiguration ModeJ-WebNSM and Junos SpaceNETCONFScripting and AutomationCommit ScriptsHello World, commit script editionAdding and enabling commit scriptsSpecial tags for MGDUsing a script to enforce some conditionMissing security zone bindingCreating a Configuration TemplateTransient versus persistent changesConfiguration templates part IIOperational ScriptsEvent ScriptsKeeping Your Scripts Up-to-DateCase StudiesCase Study 13-1: Displaying the Interface and Zone InformationCase Study 13-2: Zone GroupsCase Study 13-3: Showing the Security Policies in a Compact FormatCase Study 13-4: Track-IP Functionality to Trigger a Cluster FailoverCase Study 13-5: Track-IP Using RPM ProbesCase Study 13-6: Top TalkersCase Study 13-7: Destination NAT on Interfaces with Dynamic IP AddressesCase Study 13-8: High-End SRX MonitorSummaryChapter Review QuestionsChapter Review Answers
Index
About the Authors
Colophon
Copyright

Content preview from Junos Security

Chapter 1. Introduction to the SRX

Firewalls are a staple of almost every network in the world. The firewall protects nearly every network-based transaction that occurs, and even the end user understands its metaphoric name, meant to imply keeping out the bad stuff. But firewalls have had to change. Whether it’s the growth of networks or the growth of network usage, they have had to move beyond the simple devices that only require protection from inbound connections. A firewall now has to transcend its own title, the one end users are so familiar with, into a whole new type of device and service. This new class of device is a services gateway. And it needs to provide much more than just a firewall—it needs to look deeper into the packet and use the contained data in new ways that are advantageous to the network for which it is deployed. Can you tell if an egg is good or not by just looking at its shell? And once you break it open, isn’t it best to use all of its contents? Deep inspection from a services gateway is the new firewall of the future.

Deep inspection isn’t a new concept, nor is it something that Juniper Networks invented. What Juniper did do, however, is start from the ground up to solve the technical problems of peering deeply. With the Juniper Networks SRX Series Services Gateways, Juniper built a new platform to answer today’s problems while scaling the platform’s features to solve the anticipated problems of tomorrow. It’s a huge challenge, especially with the rapid ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

CCNP Security Virtual Private Networks SVPN 300-730 Official Cert Guide

Publisher Resources

ISBN: 9781449381721Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Junos Security

by Rob Cameron, Brad Woodberg, Patricio Giecco, Timothy Eberhard, James Quinn

Chapter 1. Introduction to the SRX

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.