Junos Security. Chapter 4: Security Policies Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Transcription

1 Junos Security Chapter 4: Security Policies 2012 Juniper Networks, Inc. All rights reserved. Worldwide Education Services

2 Chapter Objectives After successfully completing this chapter, you will be able to: Explain security policy functionality Explain Junos ALG functionality Describe the components of a security policy Verify policies and monitor their execution Configure a basic security policy using the following elements: Policy match conditions Policy actions basic and advanced Policy scheduling 4-2

3 Agenda: Security Policies Security Policy Overview Junos ALGs Policy Components Verifying Policy Operation Policy Scheduling and Rematching Policy Case Study 4-3

4 Security Policy Defined What is a security policy? A set of rules that tells a Junos security device what to do with transit traffic between zones and within a zone What should I do if a packet comes in matching Criterion A? Internet 4-4

5 Review: Packet Flow Focus of Forwarding this chapter Flow Module Session-based No Screen Options D-NAT Route Zones Policy S-NAT Services Session ALG First Path Match Session? Yes Screen Options TCP NAT Fast Path Services ALG Packet-based Per Packet Policer Per Packet Filters Per Packet Shaper Ingress Packet Egress Packet 4-5

6 Transit Traffic Examination The Junos OS for security platforms always examines transit traffic by using security policies Packet in Does a security policy match the traffic? No Apply default policy Yes Apply policy actions 4-6

7 Local Inbound Traffic Examination host-inbound-traffic follows this process: Packet in Is the packet destined to the incoming interface? No Yes Does a security policy match the traffic? No Apply default policy host-inbound-traffic Yes Apply policies actions Does the policy permit the traffic? Yes Is system service or protocol allowed into the interface of the device? No Deny traffic No Yes Drop traffic Permit traffic 4-7

8 Default Security Policies System-default security policy: deny all traffic through the device You can change the default policy to permit all traffic Factory-default template security policies (branch devices only): 1 Trust zone System-default security policies behavior Deny ALL transit traffic Factory-default security policies behavior 2 Untrust zone Trust to trust: permit all 3 Trust to untrust: permit all Untrust to trust: deny all 4-8

9 Security Policy Conceptual Example A Private Zone Security Policy: from private zone to external zone If Source IP address = Host B Destination IP address = Host D Application = SSH 2 then permit traffic 2 Internet D External Zone B Steps: 1 4 Source Address B D Source Port Session Table Destination Destination Address Port D 22 B Host B initiates SSH to Host D Flow B D. 2. Security policy permits that flow. 3. The flow triggers reverse flow creation; both flows result in a formed session. 4. The return traffic, Host D Host B also receives permission Prot 6 6 Int ge-0/0/0. ge-1/0/0 B C Public Zone

10 Policy Ordering Ordering: Order is important! By default, new policies go to the end of the list Can change the order using the insert command Remember the system default policy! [edit security policies] insert from-zone name to-zone name policy name [before after] policy name

11 Editing Security Configurations Like any other Junos configuration stanza, you can perform the following actions on the security configuration components: Delete Deactivate Activate Insert Annotate Copy Rename Search and replace

12 Agenda: Security Policies Security Policy Overview Junos ALGs Policy Components Verifying Policy Operation Policy Scheduling and Rematching Policy Case Study

13 ALG Defined ALGs are software processes that manage protocols Designed for each protocol and operate differently The protocols usually use dynamic client and server ports for different parts of the communication This application needs this port opened for return traffic

14 FTP ALG Example (1 of 3) Trust Untrust SRX Device FTP Server Client SYN SYN :49668 > : :49668 > :21 SYN/ACK :49668 < :21 SYN/ACK :49668 < :21 ACK ACK :49668 > : :49668 > :

15 FTP ALG Example (2 of 3) Trust Untrust Client SRX Device FTP Server Flow calls ALG to create a hole PORT :56804 PORT :56804 SYN Hits the pinhole SYN :56804 < : :56804 < :20 SYN/ACK :56804 > :20 SYN/ACK :56804 > :20 ACK :56804 < :20 ACK :56804 < :20 Data Stream

16 FTP ALG Example (3 of 3) Only one security policy is needed with the ALG applied: show security flow session Session ID: 16107, Policy name: trust-to-untrust/6, Timeout: 1800, Valid Resource information : FTP ALG, 1, 0 In: / > /21;tcp, If: vlan.104, Pkts: 19, Bytes: 863 Out: /21 --> /49668;tcp, If: ge-0/0/3.0, Pkts: 18, Bytes: 1085 Session ID: 16139, Policy name: trust-to-untrust/6, Timeout: 2, Valid Resource information : FTP ALG, 1, 1 In: /20 --> /56804;tcp, If: ge-0/0/3.0, Pkts: 4, Bytes: 278 Out: / > /20;tcp, If: vlan.104, Pkts: 3, Bytes: 168 Total sessions: 2 With the ALG ignored, another security policy is needed to allow port

17 Useful ALG Commands Viewing ALGs View predefined ALGs using the hidden show groups junos-defaults security alg command View enabled ALGs using the show security alg status command View which ALGs are active and how they are configured with the hidden show security alg configuration command show security alg status ALG Status : DNS : Enabled FTP : Enabled H323 : Enabled MGCP : Enabled user@srx> show security alg configuration H323 Configuration: Endpoint Registration Timeout : 3600 Media Source Port Any : Off Application Screen Unknown Message NAT packets : Deny Unknown Message Routed packets : Deny

18 ALG Configuration (1 of 3) Edit ALGs under the [edit security alg] hierarchy Some ALGs have a few different options, but all have at a minimum the following components: Disable Traceoptions [edit] user@srx# set security alg dns? Possible completions: disable Disable DNS ALG maximum-message-length Set maximum message length ( bytes) > traceoptions DNS ALG trace options

19 ALG Configuration (2 of 3) Apply ALGs under the [edit applications application name] hierarchy: [edit applications application name] show application-protocol ftp; protocol tcp; destination-port 21;

20 ALG Configuration (3 of 3) Verify that the ALG is applied using the show security policies detail command: show security policies detail Policy: trust-to-untrust, action-type: permit, State: enabled, Index: 7, Scope Policy: 0 Policy Type: Configured Sequence number: 1 From zone: trust, To zone: untrust Source addresses: any-ipv4: /0 any-ipv6: ::/0 Destination addresses: any-ipv4: /0 any-ipv6: ::/0 Application: junos-ftp IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800 Source port range: [0-0] Destination port range: [21-21]

21 Agenda: Security Policies Security Policy Overview Junos ALGs Policy Components Verifying Policy Operation Policy Scheduling and Rematching Policy Case Study

22 Policy Language You create policies under a context from-zone zone-name to-zone zone-name Set under the [edit security policies] hierarchy Each policy: Identified by user-defined name Composed of a match statement and a then statement Match criteria must include source address, destination address, and application Action can be permit, deny, reject, log, or count (or combination) Optionally contains other advanced policy actions IDP, UTM (branch devices only), firewall authentication

23 Policy Match Criteria Policy matching criteria: Source addresses Individual address Address set Destination addresses Individual address Address set Applications or application sets User defined System defined Configured within a zone s address book Configured within a zone s address book

24 Creating Address Book Entries Commands for address book entries: Adding an address to an address book: Creating a group of addresses, named address sets: [edit security zones] security-zone name { address-book { address name1 X.X.X.X / mask; address name2 X.X.X.X / mask; [edit security zones] security-zone name { address-book { address-set name { address name1; address name2;

25 IPv6 Addressing To create an IPv6 address book entry: inet6 flow must be enabled Must perform a system reboot when enabling IPv6 flow mode [edit security zones] user@srx# show security-zone name { address-book { address name2 X::X / mask; [edit security forwarding-options] user@srx# show family { inet6 { mode flow-based; user@srx# commit warning: You have enabled/disabled inet6 flow. You must reboot the system for your change to take effect. If you have deployed a cluster, be sure to reboot all nodes. configuration check succeeds

26 DNS Addressing You can use a DNS name instead of an IPv4 or an IPv6 address SRX device must be configured with a DNS server [edit security zones] user@srx# show security-zone name { address-book { address name3 { dns-name abc.com; [edit system] user@srx# show host-name srx; name-server { X.X.X.X;

27 Defining Custom Applications Specifics of implementation: Many built-in applications (junos-rsh, junos-sip, junos-bgp, junos-tacacs, and so forth) You can add applications, application sets, or both to the predefined list No restrictions for the naming convention You can modify protocols, ports, inactivity timers, and so forth [edit applications] application name { application-protocol alg-protocol; protocol protocol; source-port source-port; destination-port destination-port; [edit applications] application-set name { application name1; application name2;

28 Predefined Applications To view predefined applications, issue the show groups junos-defaults applications command show groups junos-defaults applications # # File Transfer Protocol # application junos-ftp { application-protocol ftp; protocol tcp; destination-port 21;

29 Altering Built-In Applications (1 of 3) Create a new application with the same name as the built-in application under the [edit applications] hierarchy The same options are available as for creating a custom application Configure only what you want to change Reasons to change a built-in application: To use different ports To change the timeout value To ignore the ALG [edit applications] user@srx# show application junos-ftp { application-protocol ignore; protocol tcp; destination-port 6021; inactivity-timeout 3600;

30 Altering Built-In Applications (2 of 3) Create a group configuration to alter predefined applications Applications must all use the same protocol The example shown here alters the TCP timeout value on the built-in applications junos-ftp and junos-finger [edit groups] user@srx# show group-name { applications { application <junos-f*> inactivity-timeout 3600; [edit] user@srx# show apply-groups apply-groups group-name;

31 Altering Built-In Applications (3 of 3) To verify that your configuration changes took place, issue the command show security flow session extensive: show security flow session extensive Session ID: 38296, Status: Normal Flag: 0x42 Policy name: trust-to-untrust/6 Source NAT pool: Null, Application: junos-ftp/1 Maximum timeout: 3600, Current timeout: 3600 show security flow session extensive Session ID: 1615, Status: Normal Flag: 0x40 Policy name: trust-to-untrust/6 Source NAT pool: Null, Application: junos-finger/17 Maximum timeout: 3600, Current timeout:

32 Creating Policy Match Entries Specifics: Group all policies together in the proper order, ensuring proper order of execution Apply defined matching parameters [edit security policies] from-zone zone-name to-zone zone-name { policy name1 { match { source-address address-name1; destination-address address-name1; application application-name1; policy name2 { match { source-address address-name2; destination-address address-name2; application application-name2;

33 Basic Policy Actions Policy actions: permit: allows traffic flow deny: silently drops traffic reject: drops traffic and sends an ICMP unreachable message for UDP traffic and a TCP (RST) message for TCP traffic Optionally log and count traffic Logs sent to external syslog server Can be stored locally on branch devices Counters viewable with the show security policies detail command

34 Advanced Permit Settings If the security policy allows traffic to pass, you can also configure the following actions: Firewall authentication: authenticate the client prior to forwarding the traffic Pass-through Web authentication IPsec VPN: perform encryption and decryption of permitted transit traffic IDP: perform IDP policy evaluation UTM: perform UTM services such as antivirus, Web filtering, and content filtering UTM services only available for branch platforms

35 User Role Firewall Policies Implementing user role firewall policies Classify traffic based on roles Agentless transparent authentication SSO support User Zone Infrastructure Zone Windows Server Active Directory 1 MAG Series Device Server Zone

36 Global Policies What are global policies? Single security policy that allows traffic from any zone to any other zone no from-zone or to-zone configuration Significantly reduces the number of security contexts Can be used in conjunction with regular security policies Regular security policies take precedence Same matching conditions and actions as security policies Configure under: [edit security policies global policy] Global address book: [edit security address-book global]

37 Global Policy in Action Using global policies Only one policy required to facilitate communication between multiple zones HR Zone Global Security Policy: If Source IP address = Host A, Host B, Host C Destination IP address = Any Application = HTTP then permit traffic Internet A External Zone B 1 Eng Zone 4 B C IT Zone

38 Policy Components Summary [edit security policies] from-zone zone-name to-zone zone-name { policy name1 { match { source-address address-name; destination-address address-name; application application-name; then { <action>; policy name2 { match { source-address address-name; destination-address address-name; application application-name; then { <action>; from-zone and to-zone context Action Action Matching criteria Matching criteria

39 Agenda: Security Policies Security Policy Overview Junos ALGs Policy Components Verifying Policy Operation Policy Scheduling and Rematching Policy Case Study

40 Logging (1 of 3) Control plane logging can be stored locally or sent to an external syslog device Default control plane logging configuration: [edit system] show syslog user * { any emergency; file messages { any critical; authorization info; file interactive-commands { interactive-commands error;

41 Logging (2 of 3) SRX Series branch devices can log data plane logs locally or send them to an external server [edit system syslog] show host { user info; source-address ; file messages { any any; authorization info; file default-log-messages { any any; structured-data; Default facility and severity for data plane logs Use this filename for NSM Structured data format

42 Logging (3 of 3) For high-end SRX Series devices, data plane logging can go to an external logging device Sample configuration: [edit security log] show format sd-syslog; source-address address; stream name { severity debug; host { address; Sample log: Jun 17 09:41: [RT_FLOW_SESSION_CLOSE][junos@ : session closed TCP FIN: /56879-> /23,6: test2, 55(3040) 40(2554)

43 Monitoring Policies (1 of 3) Use log action in security policy [edit security policies from-zone trust to-zone untrust] set policy 812 then log? Possible completions: + apply-groups Groups from which to inherit configuration data + apply-groups-except Don't inherit configuration data from these groups session-close Log at session close time session-init Log at session init time Use count action in security policy show outputs add counter Statistics go to logs by default

44 Monitoring Policies (2 of 3) show commands: Use the show security policies command to view details about policies: Use the detail option to display statistics policy must have a counter configured user@srx> show security policies? Possible completions: <[Enter]> detail from-zone policy-name to-zone Execute this command Show the detailed information Show the policy information matching the given source zone Show the policy information matching the given policy name Show the policy information matching the given destination zone Pipe through a command show security flow session Displays flows and associated policy names and index numbers

45 Monitoring Policies (3 of 3) Use traceoptions for detailed troubleshooting: [edit security] show policies { traceoptions { file name; flag all; flow { traceoptions { file name; flag basic-datapath; flag session; packet-filter name { source-prefix address-prefix; destination-prefix address-prefix;

46 Agenda: Security Policies Security Policy Overview Junos ALGs Policy Components Verifying Policy Operation Policy Scheduling and Rematching Policy Case Study

47 Policy Scheduling Overview A scheduled policy is a policy that uses a configured scheduler to make the policy active at specific times Policy and scheduler relationship: A policy can refer to only one scheduler Multiple policies can refer to the same scheduler Policy remains active without an applied scheduler Policy activated Policy deactivated

48 Policy Scheduler Components You can configure a policy scheduler with the following: Slot schedule: Start date and time Stop date and time Daily schedule: Start time Stop time All day Exclude option

49 Policy Scheduler Details Scheduler: Set up the schedule for policy execution, including time and date: [edit schedulers] set scheduler name [day-of-the-week daily] [specifics of time] Apply the scheduler Default behavior: Policies that do not have schedulers are always active and in force Apply the scheduler [edit security policies] from-zone name to-zone name { policy name { match { then { scheduler-name name;

50 policy-rematch Statement policy-rematch statement: signals the application of policy configuration changes to existing sessions set security policies policy-rematch Default behavior: Deletion of policies cause drops of impacted sessions Configuration changes to existing policies do not impact sessions in progress Action on Policy Description Enable Delete Deletes policy Drops all existing sessions Modify action Modify address Modifies action field of policy from permit to either deny or reject Modifies source or destination address Drops all existing sessions Re-evaluates policy lookup Modify application Modifies application Re-evaluates policy lookup Rematch Flag Disable (default) Drops all existing sessions All existing sessions continue All existing sessions continue All existing sessions continue

51 Agenda: Security Policies Security Policy Overview Junos ALGs Policy Components Verifying Policy Operation Policy Scheduling and Rematching Policy Case Study

52 Case Study: Creating Policies Between HR and Public Zones /24 A /24 HR Zone Objectives: -Allow PC A and PC B to FTP to server C using a custom application set -Deny other users in the HR zone from using FTP services in the /24 network; log and count these violations ge-0/0/1 ge-0/0/ /24 B /24 ge-0/0/ ge-0/0/ ge-0/0/ ge-0/0/3 Public Zone / / C B

53 Case Study: Entering Host Addresses into the HR Zone [edit security] show zones security-zone HR address-book { address PC_A /32; address PC_B /32; address all /16; address-set HR_PCs { interfaces { ge-0/0/1.0; ge-0/0/2.0; address PC_A; address PC_B; / A /24 B /24 HR Zone ge-0/0/1 ge-0/0/ /24 ge-0/0/ ge-0/0/ ge-0/0/ ge-0/0/ /24 Public Zone /24 C

54 Case Study: Entering Host Addresses into the Public Zone [edit security] show zones security-zone Public address-book { address Server_C /32; address all /24; address-set address-public { interfaces { address Server_C; ge-0/0/3.0; / A /24 B /24 HR Zone ge-0/0/1 ge-0/0/ /24 ge-0/0/ ge-0/0/ ge-0/0/ ge-0/0/ /24 Public Zone /24 C

55 Case Study: Creating the Application Set [edit applications] show application HR-telnet { protocol tcp; source-port ; destination-port telnet; application-set HR-Public-applications { application junos-ftp; application junos-ike; application HR-telnet;

56 Case Study: Creating Policy Entries (1 of 2) [edit security] show policies from-zone HR to-zone Public { policy HR-to-Public {... match { then { source-address HR_PCs; destination-address address-public; application HR-Public-applications; permit; log { count; session-init; session-close; / A /24 B /24 HR Zone ge-0/0/1 ge-0/0/ /24 ge-0/0/ ge-0/0/ ge-0/0/ ge-0/0/ /24 Public Zone /24 C

57 Case Study: Creating Policy Entries (2 of 2) policy otherhr-to-public { match { source-address all-10-1; destination-address all ; application junos-ftp; then { deny; log { count; session-init; / A /24 B /24 HR Zone ge-0/0/1 ge-0/0/ /24 ge-0/0/ ge-0/0/ ge-0/0/ ge-0/0/ /24 Public Zone /24 C

58 Case Study: Monitoring the Policy (1 of 2) Viewing the policy: show security policies policy-name HR-to-Public detail Policy: HR-to-Public, action-type: permit, State: enabled, Index: 15 Sequence number: 1 From zone: HR, To zone: Public Source Address Source addresses: PC-A: /32 Destination addresses: Destination Address Server_C: /32 Application: HR-Public-applications IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800 Application Set Source port range: [0-0] Destination port range: [21-21] Session log: at-create, at-close Scheduler name: schedulerhr Traffic Statistics Policy statistics: Input bytes : bps Output bytes : bps Input packets : 70 0 pps Output packets : 43 0 pps Session rate : 2 0 sps Active sessions : 0 Session deletions: 2 Note: Output is abbreviated. Policy lookups :

59 Case Study: Monitoring the Policy (2 of 2) Policy log from external server: Apr 10 12:34: [RT_FLOW_SESSION_CREATE] session created /60557-> /21,6: HR-to-Public Apr 10 12:41: [RT_FLOW_SESSION_CLOSE] session closed TCP FIN: /60557-> /21,6: HR-to-Public, 28(1236) 22(1398) 430 Inbound packets (bytes) Outbound packets (bytes) Elapsed time in seconds

60 Summary In this chapter, we: Explained security policy functionality Explained Junos ALG functionionality Described the components of a security policy Verified policies and monitored their execution Configured a basic security policy using the following elements: Policy match conditions Policy actions basic and advanced Policy scheduling

61 Review Questions 1. What are the basic components of a policy? 2. What is the default action for every policy set? 3. What is the purpose of a scheduler within the security stanza? 4. How can you reorder policies?

62 Lab 2: Security Policies Create policies that control access between networks

63 Worldwide Education Services