Junos Security

Book Description

Junos® Security is the complete and authorized introduction to the new Juniper Networks SRX hardware series. This book not only provides a practical, hands-on field guide to deploying, configuring, and operating SRX, it also serves as a reference to help you prepare for any of the Junos Security Certification examinations offered by Juniper Networks. Network administrators and security professionals will learn how to use SRX Junos services gateways to address an array of enterprise data network requirements, including IP routing, intrusion detection, attack mitigation, unified threat management, and WAN acceleration.

Table of Contents

  1. Junos Security
    1. SPECIAL OFFER: Upgrade this ebook with O’Reilly
    2. A Note Regarding Supplemental Files
    3. Foreword
    4. Preface
      1. This Book’s Assumptions About You
      2. What’s In This Book?
      3. Juniper Networks Technical Certification Program (JNTCP)
      4. Topology for This Book
      5. Conventions Used in This Book
      6. Using Code Examples
      7. We’d Like to Hear from You/How to Contact Us/Comments and Questions
      8. Safari® Books Online
      9. About the Tech Reviewers
      10. Acknowledgments
        1. From Rob Cameron
        2. From Tim Eberhard
        3. From Patricio Giecco
        4. From Glen Gibson
        5. From James Quinn
        6. From Brad Woodberg
    5. 1. Introduction to the SRX
      1. Evolving into the SRX
        1. ScreenOS to Junos
          1. Inherited ScreenOS features
          2. Device management
      2. The SRX Series Platform
        1. Built for Services
      3. Deployment Solutions
        1. Small Branch
        2. Medium Branch
        3. Large Branch
        4. Data Center
        5. Data Center Edge
        6. Data Center Services Tier
        7. Service Provider
        8. Mobile Carriers
        9. Cloud Networks
        10. The Junos Enterprise Services Reference Network
      4. SRX Series Product Lines
      5. Branch SRX Series
        1. Branch-Specific Features
        2. SRX100
        3. SRX200
          1. Interface modules for the SRX200 line
        4. SRX600
          1. Interface modules for the SRX600 line
        5. AX411
        6. CX111
        7. Branch SRX Series Hardware Overview
        8. Licensing
        9. Branch Summary
      6. Data Center SRX Series
        1. Data Center SRX-Specific Features
        2. SPC
        3. NPU
        4. Data Center SRX Series Session Setup
        5. Data Center SRX Series Hardware Overview
        6. SRX3000
          1. IOC modules
        7. SRX5000
          1. IOC modules
      7. Summary
      8. Chapter Review Questions
      9. Chapter Review Answers
    6. 2. What Makes Junos So Special?
      1. OS Basics
        1. FreeBSD
        2. Process Separation
        3. Development Model
        4. Adding New Features
        5. Data Plane
        6. Junos Is Junos Except When It’s Junos
      2. Coming from Other Products
        1. ScreenOS
        2. IOS and PIX OS
        3. Check Point
      3. Summary
      4. Chapter Review Questions
      5. Chapter Review Answers
    7. 3. Hands-On Junos
      1. Introduction
      2. Driving the Command Line
      3. Operational Mode
        1. Variable Length Output
        2. Passing Through the Pipe
        3. Seeking Immediate Help
      4. Configuration Mode
      5. Commit Model
      6. Restarting Processes
      7. Junos Automation
      8. Junos Configuration Essentials
        1. System Settings
        2. Interfaces
        3. Switching (Branch)
        4. Zones
      9. Summary
      10. Chapter Review Questions
      11. Chapter Review Answers
    8. 4. Security Policy
      1. Security Policy Overview
      2. SRX Policy Processing
      3. Viewing SRX Policy Tables
      4. Viewing Policy Statistics
      5. Viewing Session Flows
      6. Policy Structure
        1. Security Zones
        2. Service Configuration
        3. Blocking Unwanted Traffic
      7. Policy Logging
      8. Troubleshooting Security Policy and Traffic Flows
        1. Troubleshooting Sample
        2. Troubleshooting Output
        3. Turning Off Traceoptions
      9. Application Layer Gateway Services
        1. How to Configure an ALG
      10. Policy Schedulers
        1. One-Time Schedulers
      11. Web and Proxy Authentication
        1. Web Authentication
        2. Pass-Through Authentication
      12. Case Study 4-1
      13. Case Study 4-2
      14. Converters and Scripts
      15. Summary
      16. Chapter Review Questions
      17. Chapter Review Answers
    9. 5. Network Address Translation
      1. How the SRX Processes NAT
      2. Source NAT
        1. Interface NAT
          1. Implementing a source NAT rule-set
          2. Viewing interface NAT in the session table
          3. Viewing traffic flow logs for interface NAT
          4. Operational commands for interface NAT
          5. Tracing interface NAT flows
        2. Address Pools
          1. Implementing a source NAT address pool
          2. Viewing pool NAT in the session table
          3. Viewing traffic flow logs for pool NAT
          4. Operational commands for pool NAT
          5. Tracing pool NAT flows
        3. Removing PAT
          1. Implementing source NAT without PAT
          2. Viewing source NAT without PAT
        4. Proxy ARP
          1. Implementing proxy ARP
          2. Viewing proxy ARP in action
        5. Persistent NAT
          1. Implementing persistent NAT
          2. Viewing persistent NAT in action
        6. Case Study 5-1: ISP Redundancy via PAT
          1. Implementing redundant ISP PAT
        7. Conclusion
      3. Destination NAT
        1. Implementing Destination NAT
        2. Viewing Destination NAT
        3. Tracing Destination NAT Flows
        4. Case Study 5-2: Virtual IP NAT
          1. Implementing VIP NAT
      4. Static NAT
        1. Case Study 5-3: Double NAT
      5. Summary
      6. Chapter Review Questions
      7. Chapter Review Answers
    10. 6. IPsec VPN
      1. VPN Architecture Overview
        1. Site-to-Site IPsec VPNs
        2. Hub and Spoke IPsec VPNs
        3. Full Mesh VPNs
        4. Multipoint VPNs
        5. Remote Access VPNs
      2. IPsec VPN Concepts Overview
        1. IPsec Encryption Algorithms
        2. IPsec Authentication Algorithms
        3. IKE Version 1 Overview
          1. IKE Phase 1
          2. IKE Phase 2
        4. IPSec VPN Protocol
        5. IPsec VPN Mode
        6. IPsec Manual Keys
      3. Phase 1 IKE Negotiations
        1. IKE Authentication
          1. Preshared key authentication
          2. Certificate authentication
        2. IKE Identities
        3. Phase 1 IKE Negotiation Modes
          1. Main mode
          2. Aggressive mode
      4. Phase 2 IKE Negotiations
        1. Perfect Forward Secrecy
        2. Quick Mode
        3. Proxy ID Negotiation
      5. Flow Processing and IPsec VPNs
      6. SRX VPN Types
        1. Policy-Based VPNs
        2. Route-Based VPNs
          1. Numbered versus unnumbered st0 interfaces
          2. Point-to-point versus point-to-multipoint VPNs
          3. Special point-to-multipoint attributes
          4. Point-to-multipoint NHTB
      7. Other SRX VPN Components
        1. Dead Peer Detection
        2. VPN Monitoring
        3. XAuth
        4. NAT Traversal
        5. Anti-Replay Protection
        6. Fragmentation
        7. Differentiated Services Code Point
        8. IKE Key Lifetimes
        9. Network Time Protocol
        10. Certificate Validation
        11. Simple Certificate Enrollment Protocol
        12. Group VPN
        13. Dynamic VPN
      8. Selecting the Appropriate VPN Configuration
      9. IPsec VPN Configuration
        1. Configuring NTP
        2. Certificate Preconfiguration Tasks
        3. Phase 1 IKE Configuration
          1. Configuring Phase 1 proposals
            1. Configuration for Remote-Office1 proposal with preshared keys
            2. Configuration for Remote-Office1 proposal with certificates
          2. Configuring Phase 1 policies
            1. Configuring Phase 1 IKE policy with preshared key, Main mode
            2. Configuring Phase 1 IKE policy with preshared key, Aggressive mode
            3. Configuring Phase 1 IKE policy with certificates
          3. Configuring Phase 1 gateways
            1. Configuring an IKE gateway with static IP address and DPD
          4. Configuring dynamic gateways and remote access clients
            1. Configuring an IKE gateway with a dynamic IP address
            2. Configuring an IKE remote access client
        4. Phase 2 IKE Configuration
          1. Configuring Phase 2 proposals
            1. Configuring a Phase 2 proposal for remote offices and client connections
          2. Configuring Phase 2 IPsec policy
            1. Configuring an IPsec policy defining the Phase 2 proposal
          3. Configuring common IPsec VPN components
            1. Configuring a common site-to-site VPN component
          4. Configuring policy-based VPNs
            1. Configuring a policy-based VPN for the East Branch to the Central site VPN
          5. Configuring route-based VPNs
        5. Configuring Manual Key IPsec VPNs
          1. Configuring a manual key IPsec VPN
        6. Dynamic VPN
      10. VPN Verification and Troubleshooting
        1. Useful VPN Commands
          1. show security ike security-associations
          2. show security ipsec security-associations
          3. show security ipsec statistics
        2. VPN Tracing and Debugging
          1. VPN troubleshooting process
          2. Configuring and analyzing VPN tracing
          3. Troubleshooting a site-to-site VPN
          4. Troubleshooting a remote access VPN
      11. Case Studies
        1. Case Study 6-1: Site-to-Site VPN
        2. Case Study 6-2: Remote Access VPN
      12. Summary
      13. Chapter Review Questions
      14. Chapter Review Answers
    11. 7. High-Performance Attack Mitigation
      1. Network Protection Tools Overview
        1. Firewall Filters
        2. Screens
        3. Security Policy
        4. IPS and AppDoS
      2. Protecting Against Network Reconnaissance
        1. Firewall Filtering
        2. Screening
        3. Port Scan Screening
        4. Summary
      3. Protecting Against Basic IP Attacks
        1. Basic IP Protections
        2. Basic ICMP Protections
        3. Basic TCP Protections
      4. Basic Denial-of-Service Screens
      5. Advanced Denial-of-Service and Distributed Denial-of-Service Protection
      6. ICMP Floods
      7. UDP Floods
      8. SYN/TCP Floods
      9. SYN Cookies
        1. SYN-ACK-ACK Proxies
      10. Session Limitation
      11. AppDoS
      12. Application Protection
        1. SIP
        2. MGCP
        3. SCCP
      13. Protecting the SRX
      14. Summary
      15. Chapter Review Questions
      16. Chapter Review Answers
    12. 8. Intrusion Prevention
      1. The Need for IPS
        1. How Does IPS Work?
          1. Licensing
          2. IPS and antivirus
          3. What is the difference between full IPS and deep inspection/IPS lite?
          4. Is it IDP or IPS?
          5. False positives and false negatives in IPS
          6. Management IPS functionality on the SRX
          7. Stages of a system compromise
        2. IPS Packet Processing on the SRX
          1. Packet processing path
          2. Direction-specific detection
          3. SRX IPS modes
          4. SRX deployment options
        3. Attack Object Types
          1. Application contexts
          2. Predefined attack objects and groups
          3. Custom attack objects and groups
          4. Severities
          5. Signature performance impacts
        4. IPS Policy Components
          1. Rulebases
          2. Match criteria
          3. Then actions
            1. IPS actions
            2. Notification actions
            3. Packet logging
            4. IP actions
            5. Targets and timeouts
          4. Terminate Match
        5. Security Packages
          1. Attack database
          2. Attack object updates versus full updates
          3. Application objects
          4. Detector engines
          5. Policy templates
          6. Scheduling updates
        6. Sensor Attributes
          1. Logging sensor attributes
          2. Application identification attributes
          3. Flow attributes
          4. Reassembler attributes
          5. IPS attributes
          6. Global attributes
          7. Detector attributes
          8. SSL inspection attributes
        7. SSL Inspection
          1. SSL decryption/inspection overview
          2. Alternatives to SSL decryption and inspection
        8. AppDDoS Protection
          1. AppDDoS profiles
        9. Custom Attack Groups and Objects
          1. Static attack groups
          2. Dynamic attack groups
          3. Custom attack objects
      2. Configuring IPS Features on the SRX
        1. Getting Started with IPS on the SRX
          1. Getting started example
          2. Configuring automatic updates
          3. Useful IPS files
          4. Configuring static and dynamic attack groups
          5. Creating a custom attack object
          6. Creating, activating, and referencing IPS
          7. Exempt rulebase
          8. AppDDoS protection
          9. SSL decryption
          10. Configuring IPS modes
      3. Deploying and Tuning IPS
        1. First Steps to Deploying IPS
        2. Building the Policy
        3. Testing Your Policy
        4. Actual Deployment
        5. Day-to-Day IPS Management
      4. Troubleshooting IPS
        1. Checking IPS Status
        2. Checking Security Package Version
        3. IPS Attack Table
        4. Application Statistics
        5. IPS Counters
        6. IP Action Table
        7. AppDDoS Useful Commands
        8. Troubleshooting the Commit/Compilation Process
      5. Case Study 8-1
      6. Summary
      7. Chapter Review Questions
      8. Chapter Review Answers
    13. 9. Unified Threat Management
      1. What Is UTM?
        1. Application Proxy
        2. Web Filtering
          1. Configuring web filtering using SurfControl
          2. Configuring web filtering using Websense redirect
          3. Creating custom category lists
          4. Using local classification only
        3. Antivirus
          1. Kaspersky full antivirus
          2. Juniper Express antivirus
          3. Sophos in-the-cloud antivirus
          4. Antivirus trickling
          5. Whitelists
        4. Notifications
        5. Viewing the UTM Logs
        6. Controlling What to Do When Things Go Wrong
        7. Content Filtering
          1. Filtering FTP traffic
          2. Filtering HTTP traffic
        8. Antispam
      2. UTM Monitoring
        1. Licensing
        2. Tracing UTM Sessions
      3. Case Study 9-1: Small Branch Office
        1. Security Policies
        2. UTM Policies and Profiles
      4. Summary
      5. Chapter Review Questions
      6. Chapter Review Answers
    14. 10. High Availability
      1. Understanding High Availability in the SRX
        1. Chassis Cluster
        2. The Control Plane
        3. The Data Plane
        4. Junos High Availability Concepts
          1. Cluster ID
          2. Node ID
          3. Redundancy groups
          4. Interfaces
        5. Deployment Concepts
          1. Active/passive
          2. Active/active
          3. Mixed mode
          4. Six pack
      2. Configuration
        1. Differences from Standalone
        2. Activating JSRPD (Juniper Services Redundancy Protocol)
        3. Managing Cluster Members
        4. Configuring the Control Ports
        5. Configuring the Fabric Links
        6. Node-Specific Information
        7. Configuring Heartbeat Timers
        8. Redundancy Groups
        9. Configuring Interfaces
        10. Integrating Dynamic Routing
        11. Upgrading the Cluster
      3. Fault Monitoring
        1. Interface Monitoring
        2. IP Monitoring
        3. Manual Failover
        4. Hardware Monitoring
          1. Route engine
          2. Switch control board
          3. Switch fabric board
          4. Services Processing Card
          5. Network Processing Card
          6. Interface card
          7. Control link
          8. Data link
          9. Control link and data link failure
          10. Power supplies
        5. Software Monitoring
        6. Preserving the Control Plane
        7. Using Junos Automation
      4. Troubleshooting the Cluster
        1. First Steps
        2. Checking Interfaces
        3. Verifying the Data Plane
        4. Core Dumps
        5. The Dreaded Priority Zero
        6. When All Else Fails
      5. Summary
      6. Chapter Review Questions
      7. Chapter Review Answers
    15. 11. Routing
      1. How the SRX “Routes” IP Packets
        1. Forwarding Tables
        2. IP Routing
        3. Asymmetric Routing
        4. Address Resolution Protocol (ARP)
      2. Static Routing
        1. Creating a Static Route
        2. Verifying a Static Route
      3. Dynamic Routing
        1. Configuring OSPF Routing
          1. Troubleshooting OSPF adjacencies
          2. OSPF security zone configuration
        2. Case Study 11-1: Securing OSPF Adjacencies
        3. Case Study 11-2: Redundant Paths and Routing Metrics
        4. Growing OSPF Networks
          1. IS-IS
          2. Configuring IS-IS
          3. Verifying IS-IS
          4. Configuring BFD
          5. Configuring RIP
          6. Verifying RIP
      4. Routing Policy
        1. Case Study 11-3: Equal Cost Multipath (ECMP)
      5. Internet Peering
        1. Configuring BGP Peerings
        2. BGP Routing Tables
        3. Case Study 11-4: Internet Redundancy
      6. Routing Instances
        1. Configuring Routing Instances
      7. Filter-Based Forwarding
        1. Configuring Filter-Based Forwarding
        2. Case Study 11-5: Dynamic Traffic Engineering
      8. Summary
      9. Chapter Review Questions
      10. Chapter Review Answers
    16. 12. Transparent Mode
      1. Transparent Mode Overview
        1. Why Use Transparent Mode?
          1. Segmenting a Layer 2 domain
          2. Complex routing environments
          3. Separation of duties
          4. Existing transparent mode infrastructure
        2. MAC Address Learning
        3. Transparent Mode and Bridge Loops, Spanning Tree Protocol
        4. Transparent Mode Limitations
        5. Transparent Mode Components
          1. Interfaces, family bridge, and bridge domains in transparent mode
        6. Interface Modes in Transparent Mode
        7. Bridge Domains
        8. IRB Interfaces
        9. Transparent Mode Zones
        10. Transparent Mode Security Policy
        11. Transparent Mode Specific Options
        12. QoS in Transparent Mode
        13. VLAN Rewriting
        14. High Availability with Transparent Mode
          1. Spanning Tree Protocol in transparent mode Layer 2 deployments
        15. Transparent Mode Flow Process
          1. Slow-path packet SPU packet processing
          2. Fast-path SPU processing
          3. Session teardown
      2. Configuring Transparent Mode
        1. Configuring Transparent Mode Basics
        2. Configuring Integrated Routing and Bridging
        3. Configuring Transparent Mode Security Zones
        4. Configuring Transparent Mode Security Policies
        5. Configuring Bridging Options
        6. Configuring Transparent Mode QoS
        7. Configuring VLAN Rewriting
      3. Transparent Mode Commands and Troubleshooting
        1. The show bridge domain Command
        2. The show bridge mac-table Command
        3. The show l2-learning global-information Command
        4. The show l2-learning global-mac-count Command
        5. The show l2-learning interface Command
        6. Transparent Mode Troubleshooting Steps
      4. Case Study 12-1
      5. Summary
      6. Chapter Review Questions
      7. Chapter Review Answers
    17. 13. SRX Management
      1. The Management Infrastructure
        1. Operational Mode
        2. Configuration Mode
      2. J-Web
      3. NSM and Junos Space
      4. NETCONF
      5. Scripting and Automation
        1. Commit Scripts
          1. Hello World, commit script edition
          2. Adding and enabling commit scripts
          3. Special tags for MGD
          4. Using a script to enforce some condition
          5. Missing security zone binding
        2. Creating a Configuration Template
          1. Transient versus persistent changes
          2. Configuration templates part II
        3. Operational Scripts
        4. Event Scripts
      6. Keeping Your Scripts Up-to-Date
      7. Case Studies
        1. Case Study 13-1: Displaying the Interface and Zone Information
        2. Case Study 13-2: Zone Groups
        3. Case Study 13-3: Showing the Security Policies in a Compact Format
        4. Case Study 13-4: Track-IP Functionality to Trigger a Cluster Failover
        5. Case Study 13-5: Track-IP Using RPM Probes
        6. Case Study 13-6: Top Talkers
        7. Case Study 13-7: Destination NAT on Interfaces with Dynamic IP Addresses
        8. Case Study 13-8: High-End SRX Monitor
      8. Summary
      9. Chapter Review Questions
      10. Chapter Review Answers
    18. Index
    19. About the Authors
    20. Colophon
    21. SPECIAL OFFER: Upgrade this ebook with O’Reilly