Junos Security by James Quinn, Timothy Eberhard, Patricio Giecco, Brad Woodberg, Rob Cameron


Application Layer Gateway Services

Application layer gateways (ALGs) are advanced application-inspecting features available on the SRX that serve two primary purposes. The first is to dynamically pinhole traffic for applications so that return inbound packets are allowed (e.g., FTP uses separate control and data sessions for the same transfer between source and destination). The second role of an ALG is to provide a deeper layer of inspection and a more granular layer of application security. ALGs can be better described as extra intelligence built to assist with certain applications that have problems with stateful firewalls.

This type of extra security and inspection is possible because an ALG understands the application protocol and how it is supposed to function. For example, the SRX can prevent many types of SCCP DoS attacks, such as call flooding, from taking place on the network. We will cover these configurable application screens in detail in Chapter 7, but in a nutshell, ALGs are Layer 4 packet processing that is aware of the Layer 7 application.

Note

It’s worth noting that not all ALGs are available in the higher-end SRX models. For example, at the time of this writing, SCCP and H323 are not available on the high-end SRX devices, while the branch SRX Series has full support for all listed ALGs.

Here is a list of ALGs currently built into the SRX, along with a brief explanation of what each one does:

REAL

RealAudio/RealVideo are proprietary formats developed by RealNetworks and they use what is called Progressive Network Audio (PNA) or Progressive Network Media (PNM) to send streaming audio data. PNA packets are sent over a TCP connection and act like a control channel. The audio data itself is sent over a UDP connection. The ALG dynamically allows these UDP data connections and performs any NAT that needs to take place.

RTSP

Real-Time Streaming Protocol is used to establish and control media connections between end hosts. RTSP handles all client-to-media server requests such as play and pause, and is used to control real-time playback of the media files from the server. RTSP does not, however, stream any media data. Commonly, that is left to Real-time Transport Protocol (RTP), and the two are used in combination to deliver media to the clients.

DNS

The Domain Name System ALG monitors DNS queries and response packets. Since DNS is UDP and is a simple request-response type of flow, the DNS ALG monitors for the response flag and then closes down the UDP session. This is very useful; otherwise, the SRX would wait two minutes before timing out the session, which is the default for UDP.

FTP

The File Transfer Protocol ALG monitors the FTP control connection for PORT and PASV commands and 227 (Entering Passive Mode) replies. The ALG will handle all NAT functions and pinholing of any additional ports necessary. Additional security options can be leveraged by configuring the FTP ALG to block specific FTP functions, such as FTP put or FTP get.

TFTP

The Trivial File Transfer Protocol ALG monitors the initiation of a TFTP connection and pinholes a connection through the SRX permitting the reverse direction.

TALK

TALK is a legacy chat-type application for Unix platforms developed in the early 1980s. TALK communicates on UDP port 517/518 for control-channel-type functions. The TALK ALG will handle all NAT functions in addition to any pinholing that needs to take place.

RSH

RSH stands for Remote Shell. RSH is a Unix-type program that can execute commands across a network. RSH typically uses TCP port 514. RSH has largely been replaced by SSH as RSH communicates unencrypted. The RSH ALG handles all NAT functions as well as any pinholing that needs to take place.

PPTP

Point-to-Point Tunneling Protocol is a Layer 2 protocol used for tunneling PPP over an IP network. PPTP is often used as a way to implement virtual private networks (VPNs) and is tunneled over TCP and a Generic Route Encapsulation (GRE) tunnel encapsulating the PPP packets. The PPTP ALG handles all NAT functions and pinholing for functions of PPTP, such as Call IDs of PAC and PNS.

SQL

The Structured Query Language ALG handles SQL TNS response frames and then evaluates the packet for IP address and port information. The SQL ALG handles all NAT functions and pinholing for the TCP data channel.

H323

This is a suite of protocols that provides audio-visual communication sessions over an IP network. The H.323 standard includes call signaling, call control, multimedia transport, multimedia control, and bandwidth control. The H323 ALG handles all NAT functions in addition to gatekeeper discovery, endpoint registration/admission/status, and call control/call setup. The H323 ALG also has many application screens that provide additional protections at an application level.

SIP

Session Initiation Protocol is a signaling protocol used for initiating, modifying, and terminating multimedia sessions such as voice and video calls over IP. The SIP ALG on the SRX only supports Session Description Protocol (SDP), even though SIP can use a variety of different description protocols to describe the session. The SIP ALG monitors SIP connections and dynamically pinholes for the SIP traffic.

SCCP

Skinny Client Control Protocol is a Cisco protocol for VoIP call signaling to the Cisco CallManager. The SCCP ALG looks within the control packets, extracts the RTP port number and IP address of the media termination point, and dynamically pinholes for the RTP flows. In addition to pinholing, the SCCP ALG also handles all NAT functions and application layer protections.

MGCP

Media Gateway Control Protocol is a signaling and call control protocol used in VoIP between the media gateway and the media controller. The MGCP ALG handles the dynamic pinholing for any additional connections needed, as well as handling all NAT functions. The MGCP ALG also inspects the VoIP signaling data and ensures that it complies with the RFC standards, blocking any malformed packets or attacks. Additional application layer protections are also configurable within the ALG.

RPC

Remote Procedure Call is a secure interprocess communication mechanism that handles data exchange and invocation in a different process, typically on a machine on the local network or across the Internet. The RPC ALG handles dynamic port negotiation and pinholing as well as all NAT functions.

IKE/ESP

IKE (Internet Key Exchange) and ESP (Encapsulating Security Payload) are a part of the IP Security (IPsec) protocol. In situations where the SRX is inline and an IPsec VPN passes through the SRX and NAT is enabled, IPsec VPNs can have issues. This is a common problem with IPsec and address translation. The IKE/ESP ALG should help with that problem, enabling the SRX to go inline and not interfere with VPN flows.

ALGs all perform the same type of function: they inspect the application's control channel and handle either NAT, dynamic pinholing of ports, or both. The ALG process does not inspect or monitor the actual data channel, something to keep in mind when working with ALGs.
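To make the control-channel behavior described above concrete, here is an added editor's example (not code from the book or from Junos) of what an FTP ALG does with the PORT and PASV/227 exchanges listed earlier: it derives the pinhole that must be opened for the data connection, rewrites the address in a PORT command when the client sits behind NAT, and refuses to forward a PORT command whose address is not the client's own. The control-channel lines, the client and server addresses, and the NAT address 203.0.113.10 are constructed for this example; the data channel itself is never inspected, matching the text above.

```python
import re
from dataclasses import dataclass

# Constructed FTP control channel as a firewall in the path would see it.
# "C:" lines come from the client (10.1.1.100), "S:" lines from the server.
CONTROL_CHANNEL = [
    "S: 220 FileZilla Server ready",
    "C: USER tle4729",
    "S: 331 Password required for tle4729",
    "C: PASS ********",
    "S: 230 Logged on",
    "C: PASV",
    "S: 227 Entering Passive Mode (172,31,100,60,195,80)",
    "C: LIST",
    "C: PORT 10,1,1,100,233,199",
    "S: 200 Port command successful",
    "C: STOR upload.txt",
]

CLIENT_IP = "10.1.1.100"
SERVER_IP = "172.31.100.60"
NAT_PUBLIC_IP = "203.0.113.10"  # hypothetical translated address of the client

# h1,h2,h3,h4,p1,p2 as used by both the PORT command and the 227 reply
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class Pinhole:
    """A dynamically permitted flow: src_ip -> dst_ip:dst_port."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def parse_hostport(text):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); None if malformed."""
    m = HOSTPORT_RE.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    port = p1 * 256 + p2
    if not all(0 <= o <= 255 for o in (h1, h2, h3, h4)) or not 0 < port <= 65535:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", port


def ftp_alg(lines, client_ip, server_ip, nat_ip=None):
    """Walk the control channel; return (pinholes, forwarded_lines).

    227 reply : the client will connect TO the server on the advertised port,
                so open client -> server:port.
    PORT cmd  : the server will connect BACK to the client on the advertised
                port, so open server -> client:port; if the client is NATed,
                rewrite the address so the server connects to the public one.
    A PORT command naming any address other than the client's (or that is
    malformed) is dropped rather than forwarded: the ALG must not open holes
    toward hosts that are not party to this session.
    """
    pinholes, forwarded = [], []
    for line in lines:
        side, _, msg = line.partition(": ")
        if side == "S" and msg.startswith("227"):
            hp = parse_hostport(msg)
            if hp and hp[0] == server_ip:
                pinholes.append(Pinhole(client_ip, server_ip, hp[1]))
        elif side == "C" and msg.upper().startswith("PORT "):
            hp = parse_hostport(msg)
            if hp and hp[0] == client_ip:
                pinholes.append(Pinhole(server_ip, client_ip, hp[1]))
                if nat_ip:
                    p1, p2 = divmod(hp[1], 256)
                    msg = "PORT " + ",".join(nat_ip.split(".") + [str(p1), str(p2)])
            else:
                msg = None  # not the client's address, or malformed: do not forward
        if msg is not None:
            forwarded.append(f"{side}: {msg}")
    return pinholes, forwarded


if __name__ == "__main__":
    holes, out = ftp_alg(CONTROL_CHANNEL, CLIENT_IP, SERVER_IP, NAT_PUBLIC_IP)
    for h in holes:
        print("pinhole:", h)
    print("\n".join(out))
```

Running the block opens two pinholes for the constructed session, one for the passive data connection (port 50000) and one for the active one (port 59847), and the PORT command leaves the firewall carrying the public address instead of 10.1.1.100. This is the same reason the book's policy output later shows `ALG: ftp` only on the port 21 entry: the data ports are never in the policy, they are learned from the control channel.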

To view which ALGs are currently enabled on the SRX, use the show security alg status command to display the ALGs:

juniper@SRX5800> show security alg status
ALG Status :
  DNS      : Enabled
  FTP      : Enabled
  H323     : Enabled
  MGCP     : Enabled
  MSRPC    : Enabled
  PPTP     : Enabled
  RSH      : Enabled
  RTSP     : Enabled
  SCCP     : Enabled
  SIP      : Enabled
  SQL      : Enabled
  SUNRPC   : Enabled
  TALK     : Enabled
  TFTP     : Enabled

How to Configure an ALG

Let’s use the FTP ALG as our first configuration example, because if you remember from earlier in this chapter, it was configured for web-dmz administration.

From the trust network the web administrators are now requesting FTP access to the web1 server so that files can be uploaded to the server. In a secured network, their request should be denied because FTP transmits everything in clear text as it is an insecure protocol. The web administrators should be told to use SFTP. However, for this example, let’s assume that SFTP is not available and FTP must be used. Sadly, cases such as this widely exist due to many legacy platforms and applications.

Enabling the FTP ALG is simple, since there is already a policy that allows the web administrators to connect to the web-dmz:

juniper@SRX5800> show security policies from-zone trust to-zone web-dmz
From zone: trust, To zone: web-dmz
  Policy: webdmz_mgt, State: enabled, Index: 8, Sequence number: 1
    Source addresses: any
    Destination addresses: web-servers
    Applications: web_mgt
    Action: permit, log
  Policy: web_deny, State: enabled, Index: 9, Sequence number: 2
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny, log

All we need to do is add the Junos-FTP service to the web_mgt application-set:

[edit]
juniper@SRX5800# set applications application-set web_mgt application junos-ftp
[edit]
juniper@SRX5800# commit and-quit
commit complete
Exiting configuration mode

Looking at the application-set confirms that junos-ftp now appears under web_mgt:

juniper@SRX5800> show configuration applications application-set web_mgt
application junos-ssh;
application junos-ping;
application junos-pc-anywhere;
application windows_rdp;
application junos-http;
application junos-ftp;

A more detailed look at the webdmz_mgt policy shows the new ALG information:

juniper@SRX5800> show security policies from-zone trust to-zone web-dmz policy-name webdmz_mgt detail
Policy: webdmz_mgt, action-type: permit, State: enabled, Index: 8
  Sequence number: 1
  From zone: trust, To zone: web-dmz
  Source addresses:
    any: 0.0.0.0/0
  Destination addresses:
    web2: 10.2.0.2/32
    web1: 172.31.100.60/32
  Application: web_mgt
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [22-22]
    IP protocol: 1, ALG: 0, Inactivity timeout: 60
      ICMP Information: type=255, code=0
    IP protocol: udp, ALG: 0, Inactivity timeout: 60
      Source port range: [0-0]
      Destination port range: [5632-5632]
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [1024-65535]
      Destination port range: [3389-3389]
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [80-80]
    IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [21-21]
  Session log: at-create, at-close

Let’s confirm that FTP does work to the server and that the web administrators can now upload their files as needed:

ftp> open 172.31.100.60
Connected to 172.31.100.60.
220-FileZilla Server version 0.9.34 beta
220-written by Tim Kosse (Tim.Kosse@gmx.de)
220 Please visit http://sourceforge.net/projects/filezilla/
Name (172.31.100.60:tle4729):
331 Password required for tle4729
Password:

Now view this connection on the SRX:

juniper@SRX5800> show security flow session application ftp
Session ID: 11663, Policy name: webdmz_mgt/8, Timeout: 788
  In: 10.1.1.100/59832 --> 172.31.100.60/21;tcp, If: ge-0/0/0.0
  Out: 172.31.100.60/21 --> 10.1.1.100/59832;tcp, If: fe-0/0/2.0
Session ID: 11664, Policy name: webdmz_mgt/8, Timeout: 790
  In: 10.1.1.100/59834 --> 172.31.100.60/21;tcp, If: ge-0/0/0.0
  Out: 172.31.100.60/21 --> 10.1.1.100/59834;tcp, If: fe-0/0/2.0
2 sessions displayed

Voilà! Some ALGs are simple to set up, as easy as using the prebuilt Junos application. ALGs such as FTP, TFTP, and DNS are perfect examples of this type of ALG. Other, more complex ALGs have more optional configuration knobs.

Our second ALG configuration example concerns the SIP ALG. The SIP ALG has a lot more configuration options than the FTP ALG, but the SIP ALG is applied in the same way the FTP ALG is applied: via security policy and Junos-SIP as the application.

Although SIP has various configuration knobs under the security alg sip stanza, I’ll cover just a few here. First, set the SIP ALG maximum-call-duration setting to 1,000 minutes (that’s more than 15 hours!):

[edit]
juniper@SRX5800# set security alg sip maximum-call-duration 1000

The next optional configuration is the inactive-media timeout value (this value is in seconds):

[edit]
juniper@SRX5800# set security alg sip inactive-media-timeout 60

Overall, the SIP ALG is pretty easy to set up and configure. Problems arise when vendors do not follow RFC guidelines or write their own one-off SIP implementations. If issues start after the SIP ALG is configured, the primary things to check are the SIP counters for errors. For interoperability issues, one possible workaround is to enable the unknown-message option; by default, the SRX's SIP ALG drops all unsupported messages for security purposes. Note that this disables that security feature:

[edit]
juniper@SRX5800# set security alg sip application-screen unknown-message permit-routed

Another common issue is when vendors implement proprietary headers in their SIP packets. Per the standards, the call-id header should contain a hostname or source IP address, and in some cases vendors adjust or change this. To disable the call-id enforcement, use the following:

[edit]
juniper@SRX5800# set security alg sip disable-call-id-hiding
juniper@SRX5800# edit security policies from-zone trust to-zone voip-dmz

Once that has been applied, the base SIP configuration is finished. SIP calls can be made and should go through without problems. Let's verify the SIP statistics with the show security alg sip counters command, which shows the per-method counters as well as error counters, including errors decoding packets:

juniper@SRX5800> show security alg sip counters
   Method       T     1xx      2xx      3xx     4xx      5xx    6xx
               RT      RT       RT       RT      RT       RT     RT
   INVITE       2       1        0        0       2        0      0
                0       0        0        0       0        0      0
   CANCEL       0       0        0        0       0        0      0
                0       0        0        0       0        0      0
      ACK       2       0        0        0       0        0      0
                0       0        0        0       0        0      0
      BYE       0       0        0        0       0        0      0
                0       0        0        0       0        0      0
 REGISTER      28       0        8        0      20        0      0
                0       0        0        0       0        0      0
  OPTIONS       0       0        0        0       0        0      0
                0       0        0        0       0        0      0
     INFO       0       0        0        0       0        0      0
                0       0        0        0       0        0      0
  MESSAGE       0       0        0        0       0        0      0
                0       0        0        0       0        0      0
   NOTIFY       0       0        0        0       0        0      0
                0       0        0        0       0        0      0
    PRACK       0       0        0        0       0        0      0
                0       0        0        0       0        0      0
  PUBLISH       0       0        0        0       0        0      0
                0       0        0        0       0        0      0
    REFER       0       0        0        0       0        0      0
                0       0        0        0       0        0      0
SUBSCRIBE       0       0        0        0       0        0      0
                0       0        0        0       0        0      0
   UPDATE       0       0        0        0       0        0      0
                0       0        0        0       0        0      0
 BENOTIFY       0       0        0        0       0        0      0
                0       0        0        0       0        0      0
  SERVICE       0       0        0        0       0        0      0
                0       0        0        0       0        0      0
    OTHER       0       0        0        0       0        0      0
                0       0        0        0       0        0      0
SIP Error Counters:
  Total Pkt-in                  : 76
  Total Pkt dropped on error    : 13
  Transaction error             : 0
  Call error                    : 0
  IP resolve error              : 0
  NAT error                     : 0
  Resource manager error        : 0
  RR header exceeded max        : 0
  Contact header exceeded max   : 0
  Call Dropped due to limit     : 0
  SIP stack error               : 0
  SIP decode error              : 13
  SIP unknown method error      : 0
  RTO message sent              : 0
  RTO message received          : 0
  RTO buffer allocation failure : 0
  RTO buffer transmit failure   : 0
  RTO send processing error     : 0
  RTO receive processing error  : 0
  RTO receive invalid length    : 0
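The text above says the first thing to check after a SIP problem appears is the error counter block, and the sample shows 13 of 76 packets dropped, all of them decode errors. The following is an added editor's example (not from the book or from Junos) that parses that block as captured from the CLI, flags the counters that point at the problem classes discussed in this section, and diffs two snapshots so you can see which counters are still climbing while a call is failing. The sample text is a copy of the error block shown above; the per-counter hints are the editor's interpretation, not Juniper documentation.

```python
import re

# Copy of the "SIP Error Counters" block from the CLI output above,
# embedded here so the example runs offline.
SIP_COUNTERS_OUTPUT = """\
SIP Error Counters:
  Total Pkt-in                  : 76
  Total Pkt dropped on error    : 13
  Transaction error             : 0
  Call error                    : 0
  IP resolve error              : 0
  NAT error                     : 0
  Resource manager error        : 0
  RR header exceeded max        : 0
  Contact header exceeded max   : 0
  Call Dropped due to limit     : 0
  SIP stack error               : 0
  SIP decode error              : 13
  SIP unknown method error      : 0
  RTO message sent              : 0
  RTO message received          : 0
"""

# "  <name> : <integer>"; the name is everything before the colon, trimmed.
COUNTER_RE = re.compile(r"^\s*(?P<name>[A-Za-z][^:]*?)\s*:\s*(?P<value>\d+)\s*$")

# Editor's hints for the counters this section talks about (assumed mapping,
# not an official one): which knob or check to look at when the counter grows.
HINTS = {
    "SIP decode error": "non-RFC or vendor-specific SIP; compare a packet capture against the RFC",
    "SIP unknown method error": "unsupported method dropped; see application-screen unknown-message",
    "NAT error": "address translation of SIP/SDP fields failed; check NAT and call-id handling",
    "Call Dropped due to limit": "a configured call limit was hit; review the sip alg limits",
}


def parse_sip_error_counters(text):
    """Return {counter name: int} for the block after 'SIP Error Counters:'."""
    counters, in_block = {}, False
    for line in text.splitlines():
        if line.strip() == "SIP Error Counters:":
            in_block = True
            continue
        if not in_block:
            continue  # skip the per-method table that precedes the block
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def assess_sip_health(counters, drop_ratio_threshold=0.05):
    """Summarize drops and name the non-zero counters that explain them."""
    total = counters.get("Total Pkt-in", 0)
    dropped = counters.get("Total Pkt dropped on error", 0)
    ratio = dropped / total if total else 0.0
    findings = [f"{name}={counters[name]}: {hint}"
                for name, hint in HINTS.items() if counters.get(name, 0) > 0]
    return {
        "total": total,
        "dropped": dropped,
        "drop_ratio": round(ratio, 4),
        "healthy": ratio <= drop_ratio_threshold,
        "findings": findings,
    }


def counter_delta(before, after):
    """Counters that changed between two snapshots taken around a failing call."""
    return {name: after[name] - before.get(name, 0)
            for name in after if after[name] - before.get(name, 0) != 0}


if __name__ == "__main__":
    c = parse_sip_error_counters(SIP_COUNTERS_OUTPUT)
    print(assess_sip_health(c))
```

On the captured block the assessment reports a 17% drop ratio, marks the ALG unhealthy, and returns a single finding for `SIP decode error`, which matches the section's advice that decode errors are where a vendor's non-standard SIP shows up first. Taking a second snapshot after reproducing the failing call and passing both to `counter_delta` tells you whether the drops are historical or still happening.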

To view a higher-level overview of calls, use the show security alg sip calls command; the optional detail flag at the end displays even more information about each call:

juniper@SRX5800> show security alg sip calls
Total number of calls: 2 (# of call legs 4)
   Call leg1: zone 3
      UAS callid:120ed748-11121207-04c1279d-0bbb7e18@172.31.100.50 (pending tsx 1)
      Local tag
      Remote tag: 120ed748111212e264b0a951-5cbb0a95
      State: STATE_DISCONNECTED
   Call leg2: zone 2
      UAC callid:120ed748-11121207-04c1279d-0bbb7e18@172.31.100.50 (pending tsx 1)
      Local tag: 120ed748111212e264b0a951-5cbb0a95
      Remote tag
      State: STATE_DISCONNECTED
   Call leg1: zone 3
      UAS callid:120ed748-11121207-04c1279d-0bbb7e18@172.31.100.50 (pending tsx 1)
      Local tag:  120f90542e7e64cd724880f5-65db2f99
      Remote tag: 120ed748111212e264b0a951-5cbb0a95
      State: STATE_ESTABLISHED
   Call leg2: zone 2
      UAC callid:120ed748-11121207-04c1279d-0bbb7e18@172.31.100.50 (pending tsx 1)
      Local tag:  120ed748111212e264b0a951-5cbb0a95
      Remote tag: 120f90542e7e64cd724880f5-65db2f99

To view transactions, use the show security alg sip transaction command:

juniper@SRX5800> show security alg sip transaction
Total number of transactions: 1
       Transaction Name   Method  CSeq  State        Timeout  VIA RSC ID
       UAS:gsn0x5a06ddf1   BYE    101   Proceeding      -1        -
       UAC:gsn0x5a06f615   BYE    101   Calling         25        8184

And to view the overall health of the SIP ALG, use show security alg sip rate:

juniper@SRX5800> show security alg sip rate
CPU ticks per microseconds is 3735928559
Time taken for the last message is 0 microseconds
Total time taken for 0 messages is 0 microseconds(in less than 10 minutes)
Rate: 3735928559 messages/second

ALGs provide an additional layer of security and handle NAT as well as dynamic pinholing when needed. With that deeper layer of inspection come more processing and additional potential problems. Oftentimes when Juniper writes ALGs, they are written to follow and enforce RFC specifications. The problem most commonly comes when vendors write one-off applications or their own additions to the protocol, or to the service, and the ALG doesn’t know how to properly handle it.

Juniper has incorporated as many workarounds as possible, such as call-id-hiding and unknown-message, in the SIP ALG. However, sometimes issues still occur. In these events, the only option may be to open more port ranges than the vendor has provided.
