Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, and James Quinn. O'Reilly. Informationsbibliothek Universitätsbibliothek


Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, and James Quinn. Technische Informationsbibliothek Universitätsbibliothek Hannover. O'Reilly: Beijing, Cambridge, Farnham, Köln, Sebastopol, Taipei, Tokyo

Table of Contents

Foreword ... xv
Preface ... xvii

1. Introduction to the SRX ... 1
    Evolving into the SRX ... 1
    ScreenOS to Junos ... 2
    The SRX Series Platform ... 5
    Built for Services ... 5
    Deployment Solutions ... 6
    Small Branch ... 7
    Medium Branch ... 8
    Large Branch ... 9
    Data Center ... 10
    Data Center Edge ... 11
    Data Center Services Tier ... 12
    Service Provider ... 15
    Mobile Carriers ... 16
    Cloud Networks ... 19
    The Junos Enterprise Services Reference Network ... 21
    SRX Series Product Lines ... 26
    Branch SRX Series ... 27
    Branch-Specific Features ... 27
    SRX100 ... 30
    SRX200 ... 32
    SRX600 ... 36
    AX411 ... 39
    CX111 ... 42
    Branch SRX Series Hardware Overview ... 42
    Licensing ... 44
    Branch Summary ... 45
    Data Center SRX Series ... 46
    Data Center SRX-Specific Features ... 46
    SPC ... 48
    NPU ... 49
    Data Center SRX Series Session Setup ... 51
    Data Center SRX Series Hardware Overview ... 55
    SRX3000 ... 57
    SRX5000 ... 61
    Summary ... 68
    Chapter Review Questions ... 68
    Chapter Review Answers ... 69

2. What Makes Junos So Special? ... 71
    OS Basics ... 72
    FreeBSD ... 73
    Process Separation ... 74
    Development Model ... 75
    Adding New Features ... 77
    Data Plane ... 78
    Junos Is Junos Except When It's Junos ... 79
    Coming from Other Products ... 79
    ScreenOS ... 80
    IOS and PIX OS ... 82
    Check Point ... 83
    Summary ... 84
    Chapter Review Questions ... 85
    Chapter Review Answers ... 85

3. Hands-On Junos ... 87
    Introduction ... 87
    Driving the Command Line ... 88
    Operational Mode ... 89
    Variable Length Output ... 90
    Passing Through the Pipe ... 90
    Seeking Immediate Help ... 91
    Configuration Mode ... 95
    Commit Model ... 100
    Restarting Processes ... 106
    Junos Automation ... 108
    Junos Configuration Essentials ... 109
    System Settings ... 109
    Interfaces ... 113
    Switching (Branch) ... 116
    Zones ... 119
    Summary ... 122
    Chapter Review Questions ... 123
    Chapter Review Answers ... 123

4. Security Policy ... 125
    Security Policy Overview ... 125
    SRX Policy Processing ... 128
    Viewing SRX Policy Tables ... 130
    Viewing Policy Statistics ... 133
    Viewing Session Flows ... 135
    Policy Structure ... 137
    Security Zones ... 137
    Service Configuration ... 139
    Blocking Unwanted Traffic ... 143
    Policy Logging ... 145
    Troubleshooting Security Policy and Traffic Flows ... 149
    Troubleshooting Sample ... 150
    Troubleshooting Output ... 152
    Turning Off Traceoptions ... 159
    Application Layer Gateway Services ... 160
    How to Configure an ALG ... 163
    Policy Schedulers ... 168
    One-Time Schedulers ... 170
    Web and Proxy Authentication ... 172
    Web Authentication ... 172
    Pass-Through Authentication ... 174
    Case Study 4-1 ... 176
    Case Study 4-2 ... 184
    Converters and Scripts ... 188
    Summary ... 189
    Chapter Review Questions ... 190
    Chapter Review Answers ... 190

5. Network Address Translation ... 193
    How the SRX Processes NAT ... 193
    Source NAT ... 195
    Interface NAT ... 197
    Address Pools ... 208
    Removing PAT ... 216
    Proxy ARP ... 219
    Persistent NAT ... 223
    Case Study 5-1: ISP Redundancy via PAT ... 227
    Conclusion ... 231
    Destination NAT ... 231
    Implementing Destination NAT ... 232
    Viewing Destination NAT ... 234
    Tracing Destination NAT Flows ... 236
    Case Study 5-2: Virtual IP NAT ... 238
    Static NAT ... 240
    Case Study 5-3: Double NAT ... 243
    Summary ... 245
    Chapter Review Questions ... 245
    Chapter Review Answers ... 246

6. IPsec VPN ... 247
    VPN Architecture Overview ... 248
    Site-to-Site IPsec VPNs ... 248
    Hub and Spoke IPsec VPNs ... 249
    Full Mesh VPNs ... 250
    Multipoint VPNs ... 250
    Remote Access VPNs ... 251
    IPsec VPN Concepts Overview ... 253
    IPsec Encryption Algorithms ... 254
    IPsec Authentication Algorithms ... 254
    IKE Version 1 Overview ... 255
    IPsec VPN Protocol ... 257
    IPsec VPN Mode ... 258
    IPsec Manual Keys ... 258
    Phase 1 IKE Negotiations ... 259
    IKE Authentication ... 259
    IKE Identities ... 260
    Phase 1 IKE Negotiation Modes ... 261
    Phase 2 IKE Negotiations ... 262
    Perfect Forward Secrecy ... 263
    Quick Mode ... 263
    Proxy ID Negotiation ... 263
    Flow Processing and IPsec VPNs ... 264
    SRX VPN Types ... 264
    Policy-Based VPNs ... 265
    Route-Based VPNs ... 265
    Other SRX VPN Components ... 268
    Dead Peer Detection ... 268
    VPN Monitoring ... 269
    XAuth ... 269
    NAT Traversal ... 270
    Anti-Replay Protection ... 270
    Fragmentation ... 271
    Differentiated Services Code Point ... 272
    IKE Key Lifetimes ... 272
    Network Time Protocol ... 273
    Certificate Validation ... 273
    Simple Certificate Enrollment Protocol ... 274
    Group VPN ... 274
    Dynamic VPN ... 275
    Selecting the Appropriate VPN Configuration ... 275
    IPsec VPN Configuration ... 279
    Configuring NTP ... 279
    Certificate Preconfiguration Tasks ... 279
    Phase 1 IKE Configuration ... 282
    Phase 2 IKE Configuration ... 293
    Configuring Manual Key IPsec VPNs ... 303
    Dynamic VPN ... 305
    VPN Verification and Troubleshooting ... 309
    Useful VPN Commands ... 310
    VPN Tracing and Debugging ... 312
    Case Studies ... 326
    Case Study 6-1: Site-to-Site VPN ... 326
    Case Study 6-2: Remote Access VPN ... 335
    Summary ... 337
    Chapter Review Questions ... 337
    Chapter Review Answers ... 338

7. High-Performance Attack Mitigation ... 341
    Network Protection Tools Overview ... 342
    Firewall Filters ... 342
    Screens ... 345
    Security Policy ... 347
    IPS and AppDoS ... 348
    Protecting Against Network Reconnaissance ... 349
    Firewall Filtering ... 350
    Screening ... 350
    Port Scan Screening ... 352
    Summary ... 353
    Protecting Against Basic IP Attacks ... 354
    Basic IP Protections ... 354
    Basic ICMP Protections ... 356
    Basic TCP Protections ... 357
    Basic Denial-of-Service Screens ... 358
    Advanced Denial-of-Service and Distributed Denial-of-Service Protection ... 361
    ICMP Floods ... 363
    UDP Floods ... 364
    SYN/TCP Floods ... 365
    SYN Cookies ... 370
    SYN-ACK-ACK Proxies ... 371
    Session Limitation ... 372
    AppDoS ... 377
    Application Protection ... 377
    SIP ... 378
    MGCP ... 378
    SCCP ... 380
    Protecting the SRX ... 381
    Summary ... 385
    Chapter Review Questions ... 386
    Chapter Review Answers ... 386

8. Intrusion Prevention ... 389
    The Need for IPS ... 389
    How Does IPS Work? ... 391
    IPS Packet Processing on the SRX ... 396
    Attack Object Types ... 404
    IPS Policy Components ... 408
    Security Packages ... 416
    Sensor Attributes ... 418
    SSL Inspection ... 421
    AppDDoS Protection ... 423
    Custom Attack Groups and Objects ... 427
    Configuring IPS Features on the SRX ... 432
    Getting Started with IPS on the SRX ... 432
    Deploying and Tuning IPS ... 454
    First Steps to Deploying IPS ... 454
    Building the Policy ... 454
    Testing Your Policy ... 455
    Actual Deployment ... 456
    Day-to-Day IPS Management ... 456
    Troubleshooting IPS ... 457
    Checking IPS Status ... 457
    Checking Security Package Version ... 458
    IPS Attack Table ... 458
    Application Statistics ... 459
    IPS Counters ... 460
    IP Action Table ... 461
    AppDDoS Useful Commands ... 462
    Troubleshooting the Commit/Compilation Process ... 463
    Case Study 8-1 ... 466
    Summary ... 484
    Chapter Review Questions ... 484
    Chapter Review Answers ... 485

9. Unified Threat Management ... 487
    What Is UTM? ... 487
    Application Proxy ... 488
    Web Filtering ... 489
    Antivirus ... 498
    Notifications ... 506
    Viewing the UTM Logs ... 508
    Controlling What to Do When Things Go Wrong ... 514
    Content Filtering ... 516
    Antispam ... 521
    UTM Monitoring ... 523
    Licensing ... 527
    Tracing UTM Sessions ... 528
    Case Study 9-1: Small Branch Office ... 530
    Security Policies ... 533
    UTM Policies and Profiles ... 534
    Summary ... 537
    Chapter Review Questions ... 537
    Chapter Review Answers ... 537

10. High Availability ... 539
    Understanding High Availability in the SRX ... 540
    Chassis Cluster ... 540
    The Control Plane ... 542
    The Data Plane ... 543
    Junos High Availability Concepts ... 545
    Deployment Concepts ... 548
    Configuration ... 554
    Differences from Standalone ... 554
    Activating JSRPD (Juniper Services Redundancy Protocol) ... 555
    Managing Cluster Members ... 557
    Configuring the Control Ports ... 558
    Configuring the Fabric Links ... 563
    Node-Specific Information ... 567
    Configuring Heartbeat Timers ... 570
    Redundancy Groups ... 571
    Configuring Interfaces ... 577
    Integrating Dynamic Routing ... 583
    Upgrading the Cluster ... 584
    Fault Monitoring ... 586
    Interface Monitoring ... 586
    IP Monitoring ... 591
    Manual Failover ... 595
    Hardware Monitoring ... 599
    Software Monitoring ... 604
    Preserving the Control Plane ... 605
    Using Junos Automation ... 605
    Troubleshooting the Cluster ... 606
    First Steps ... 606
    Checking Interfaces ... 610
    Verifying the Data Plane ... 611
    Core Dumps ... 615
    The Dreaded Priority Zero ... 615
    When All Else Fails ... 617
    Summary ... 618
    Chapter Review Questions ... 618
    Chapter Review Answers ... 619

11. Routing ... 621
    How the SRX "Routes" IP Packets ... 622
    Forwarding Tables ... 622
    IP Routing ... 624
    Asymmetric Routing ... 625
    Address Resolution Protocol (ARP) ... 626
    Static Routing ... 626
    Creating a Static Route ... 627
    Verifying a Static Route ... 629
    Dynamic Routing ... 631
    Configuring OSPF Routing ... 632
    Case Study 11-1: Securing OSPF Adjacencies ... 646
    Case Study 11-2: Redundant Paths and Routing Metrics ... 648
    Growing OSPF Networks ... 651
    Routing Policy ... 664
    Case Study 11-3: Equal Cost Multipath (ECMP) ... 670
    Internet Peering ... 672
    Configuring BGP Peerings ... 674
    BGP Routing Tables ... 682
    Case Study 11-4: Internet Redundancy ... 683
    Routing Instances ... 688
    Configuring Routing Instances ... 689
    Filter-Based Forwarding ... 693
    Configuring Filter-Based Forwarding ... 694
    Case Study 11-5: Dynamic Traffic Engineering ... 697
    Summary ... 705
    Chapter Review Questions ... 706
    Chapter Review Answers ... 706

12. Transparent Mode ... 709
    Transparent Mode Overview ... 709
    Why Use Transparent Mode? ... 710
    MAC Address Learning ... 712
    Transparent Mode and Bridge Loops, Spanning Tree Protocol ... 712
    Transparent Mode Limitations ... 713
    Transparent Mode Components ... 714
    Interface Modes in Transparent Mode ... 715
    Bridge Domains ... 715
    IRB Interfaces ... 716
    Transparent Mode Zones ... 716
    Transparent Mode Security Policy ... 717
    Transparent Mode Specific Options ... 717
    QoS in Transparent Mode ... 718
    VLAN Rewriting ... 718
    High Availability with Transparent Mode ... 718
    Transparent Mode Flow Process ... 721
    Configuring Transparent Mode ... 724
    Configuring Transparent Mode Basics ... 725
    Configuring Integrated Routing and Bridging ... 729
    Configuring Transparent Mode Security Zones ... 731
    Configuring Transparent Mode Security Policies ... 732
    Configuring Bridging Options ... 736
    Configuring Transparent Mode QoS ... 736
    Configuring VLAN Rewriting ... 738
    Transparent Mode Commands and Troubleshooting ... 740
    The show bridge domain Command ... 740
    The show bridge mac-table Command ... 741
    The show l2-learning global-information Command ... 741
    The show l2-learning global-mac-count Command ... 742
    The show l2-learning interface Command ... 742
    Transparent Mode Troubleshooting Steps ... 743
    Case Study 12-1 ... 745
    Summary ... 752
    Chapter Review Questions ... 752
    Chapter Review Answers ... 753

13. SRX Management ... 755
    The Management Infrastructure ... 755
    Operational Mode ... 756
    Configuration Mode ... 758
    J-Web ... 761
    NSM and Junos Space ... 761
    NETCONF ... 763
    Scripting and Automation ... 766
    Commit Scripts ... 767
    Creating a Configuration Template ... 774
    Operational Scripts ... 777
    Event Scripts ... 783
    Keeping Your Scripts Up-to-Date ... 789
    Case Studies ... 790
    Case Study 13-1: Displaying the Interface and Zone Information ... 791
    Case Study 13-2: Zone Groups ... 791
    Case Study 13-3: Showing the Security Policies in a Compact Format ... 792
    Case Study 13-4: Track-IP Functionality to Trigger a Cluster Failover ... 793
    Case Study 13-5: Track-IP Using RPM Probes ... 794
    Case Study 13-6: Top Talkers ... 796
    Case Study 13-7: Destination NAT on Interfaces with Dynamic IP Addresses ... 798
    Case Study 13-8: High-End SRX Monitor ... 800
    Summary ... 801
    Chapter Review Questions ... 801
    Chapter Review Answers ... 801

Index ... 803