Junos Security by James Quinn, Timothy Eberhard, Patricio Giecco, Brad Woodberg, Rob Cameron

Web and Proxy Authentication

The SRX can also be used as an inline web proxy, forcing users to authenticate for access, or as a pass-through authentication forcing Telnet, FTP, and HTTP to authenticate, adding an additional layer of security while keeping a historical log for later review and auditing.

Web Authentication

Figure 4-6 illustrates the stages of the web authentication process.

Figure 4-6. How web authentication works

Configuring web authentication is relatively painless. The largest task is creating the user profiles needed for authentication.

The first step is to enable authentication on the interface itself. Here we apply web authentication to an existing interface, ge-0/0/0, which is a member of the Trust zone:

[edit]
juniper@SRX5800# set interfaces ge-0/0/0 unit 0 family inet
address 10.1.0.254/24 web-authentication http
[edit]
juniper@SRX5800#

Next, we need to create a user, or a list of users, that have permission to access the Web. Here we use the sample user Tim_Eberhard, set up under the access profile web-allow-group; the access profile will be referenced later in the configuration.

[edit]
juniper@SRX5800# set access profile web-allow-group client Tim_Eberhard
firewall-user password letmeinpls

An alternative to using local user lists on the SRX is to authenticate users to an external database on a RADIUS, RSA, or LDAP server.

Let’s extend the web authentication configuration to use an external RADIUS server. A RADIUS server could be configured with thousands of individual accounts, and here it is added to the same web-allow-group profile that holds the local user:

[edit]
juniper@SRX5800# set access profile web-allow-group radius-server 10.3.4.100 secret radius_secret_key retry 2

Next we configure the SRX to try the RADIUS server first and fall back to the local password database if that server fails to respond (this way, if the RADIUS server is ever unavailable, it’s possible to have a default account that allows access during emergencies):

[edit]
juniper@SRX5800# set access profile web-allow-group authentication-order [ radius password ]

Now we’ll apply web authentication to the permit-http policy that permits traffic from the Trust zone to the Internet zone:

[edit]
juniper@SRX5800# set security policies from-zone trust to-zone Internet
policy permit-http then permit firewall-authentication web-authentication

Let’s look at the configuration as a whole:

[edit]
juniper@SRX5800# show access profile web-allow-group
authentication-order [ radius password ];
client Tim_Eberhard {
    firewall-user {
        password "$9$hISclM7NbgaUX7wgoZkqCtu0RS7Nb2oG"; ## SECRET-DATA
    }
}
radius-server {
    10.3.4.100 {
        secret "$9$iq5Fn6AOBEP5hrvM-d6/CuIcKvLN-wKM7VbsZGREclvLdVYgJD"; ## SECRET-DATA
        retry 2;
    }
}
[edit]
juniper@SRX5800# show interfaces ge-0/0/0
description "Inside network";
speed 100m;
link-mode full-duplex;
unit 0 {
    family inet {
        address 10.1.0.254/24 {
            web-authentication http;
        }
    }
}
[edit]
juniper@SRX5800# show security policies from-zone trust to-zone Internet
policy permit-http {
    match {
        source-address any;
        destination-address any;
        application junos-http;
    }
    then {
        permit {
            firewall-authentication {
                web-authentication;
            }
        }
    }
}

This basic web authentication will prompt users when they first try to use HTTP. Web authentication is essentially a portal: the user must authenticate against it before the SRX lets that user’s traffic through.

Pass-Through Authentication

Another method of authentication that you can use on the SRX is called pass-through authentication. Pass-through authentication differs from web authentication in that it prompts the user for account information inline, somewhat transparently, within the session being opened. Pass-through can be triggered by HTTP, Telnet, and FTP traffic.

From the user’s standpoint, the authentication process looks as though the website, the Telnet server, or the FTP server itself is prompting for account information, whereas with web authentication users must first browse to a specific IP address and authenticate before sending any other traffic.

Figure 4-7 illustrates the pass-through authentication process.

Figure 4-7. How pass-through authentication works

Configuring pass-through authentication is much like configuring web authentication. The first thing you need to do is to turn on pass-through authentication and assign it to a profile. For the following example, we’ll reuse web-allow-group since it already had a user account and RADIUS server configured. The second thing you need to do is to set a banner to inform the user what to submit for authentication.

Note

A banner should provide a phone number or an email address that users can use for support if they cannot get past the inline challenge.

We’ll use the Telnet service for our example. Since Telnet is an insecure protocol that must sometimes be supported due to legacy applications and systems, using inline authentication here is an additional layer of security that we can apply to our connection.

juniper@SRX5800# edit access firewall-authentication pass-through
[edit access firewall-authentication pass-through]
juniper@SRX5800# set default-profile web-allow-group
[edit access firewall-authentication pass-through]
juniper@SRX5800# set telnet banner success "PLEASE ENTER IN YOUR ACCOUNT INFO.
FOR SUPPORT PLEASE CALL THE NOC AT 1-800-555-1212"
[edit access firewall-authentication pass-through]
juniper@SRX5800# top
[edit]
juniper@SRX5800# edit security policies from-zone trust to-zone web-dmz
[edit security policies from-zone trust to-zone web-dmz]
juniper@SRX5800# set policy permit-telnet match source-address any
destination-address any
[edit security policies from-zone trust to-zone web-dmz]
juniper@SRX5800# set policy permit-telnet match application junos-telnet
[edit security policies from-zone trust to-zone web-dmz]
juniper@SRX5800# set policy permit-telnet then permit firewall-authentication
pass-through access-profile web-allow-group

And here is what that configuration looks like all together:

juniper@SRX5800# show | compare
[edit security policies from-zone trust to-zone web-dmz]
      policy web_deny { ... }
+     policy permit-telnet {
+         match {
+             source-address any;
+             destination-address any;
+             application junos-telnet;
+         }
+         then {
+             permit {
+                 firewall-authentication {
+                     pass-through {
+                         access-profile web-allow-group;
+                     }
+                 }
+             }
+         }
+     }

We can view the users currently authenticated through the SRX with the following operational-mode command:

juniper@SRX5800> show security firewall-authentication users
Firewall authentication data:
  Total users in table: 1
  Id Source Ip   Src zone Dst zone Profile  Age Status  User
   4 10.3.0.12   Trust    Internet webauth- 4   Success Tim

The show security firewall-authentication history command shows the record of authentication attempts that have passed through the SRX, both successful and failed:

juniper@SRX5800> show security firewall-authentication history
History of firewall authentication data:
  Authentications: 2
  Id Source Ip    Date       Time     Duration Status  User
   1 10.1.0.120   2010-01-12 18:20:02 0:00:22  Failed  bob
   2 10.1.0.125   2010-01-13 12:22:48 0:00:21  Success bill
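The history output above is the audit trail the chapter refers to, and reviewing it by hand does not scale once the table holds thousands of entries. The following script is an added example, not code from the book or from Juniper: it parses the rows of a show security firewall-authentication history listing (the sample text is constructed in the same layout as the output above, not captured from a real SRX) and reports source addresses with repeated failures, together with the usernames that were tried from them, so an operator can spot guessing activity against the firewall-authentication challenge. The threshold value is an assumption chosen for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the book's
# "show security firewall-authentication history" output (not a real capture).
SAMPLE_HISTORY = """\
History of firewall authentication data:
  Authentications: 5
  Id Source Ip    Date       Time     Duration Status  User
   1 10.1.0.120   2010-01-12 18:20:02 0:00:22  Failed  bob
   2 10.1.0.125   2010-01-13 12:22:48 0:00:21  Success bill
   3 10.1.0.120   2010-01-13 12:25:10 0:00:19  Failed  bob
   4 10.1.0.120   2010-01-13 12:25:40 0:00:18  Failed  admin
   5 10.1.0.125   2010-01-13 13:01:02 0:00:20  Success bill
"""

# One history row: id, IPv4 source, date, time, duration (h:mm:ss, with an
# optional space after the colon as printed in the book), status and user.
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<duration>\d+:\s?\d{2}:\d{2})\s+(?P<status>Success|Failed)\s+(?P<user>\S+)\s*$"
)


def parse_history(text):
    """Return one dict per authentication record; header and summary lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def failed_by_source(records):
    """Count failed authentications per source IP address."""
    counts = Counter()
    for r in records:
        if r["status"] == "Failed":
            counts[r["src"]] += 1
    return counts


def flag_sources(records, threshold=3):
    """Sources with at least `threshold` failures, mapped to the sorted usernames tried.

    The threshold is an assumed value for this example; tune it to the site's
    normal failure rate before using it as an alert condition.
    """
    users_tried = defaultdict(set)
    for r in records:
        if r["status"] == "Failed":
            users_tried[r["src"]].add(r["user"])
    counts = failed_by_source(records)
    return {src: sorted(users_tried[src]) for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_history(SAMPLE_HISTORY)
    print(f"parsed {len(recs)} authentication records")
    for src, tried in flag_sources(recs).items():
        print(f"{src}: repeated failures; usernames tried: {', '.join(tried)}")
```

Feed the script the saved output of the command (for example, captured over an SSH session) rather than the constructed sample; the regular expression only needs the column order shown above, so extra whitespace from a wider terminal does not break it.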

Firewall authentication provides an additional layer of security as well as logs. It can be used to enforce company access policies or better protect network boundaries and access. It is a very simple way to improve the overall security strategy of anything from the smallest home office to a large corporate network.
