Junos Security. Chapter 4: Security Policies Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Junos Security Chapter 4: Security Policies 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net Worldwide Education Services

Chapter Objectives
After successfully completing this chapter, you will be able to:
- Explain security policy functionality
- Explain Junos ALG functionality
- Describe the components of a security policy
- Verify policies and monitor their execution
- Configure a basic security policy using the following elements:
  - Policy match conditions
  - Policy actions, basic and advanced
  - Policy scheduling
www.juniper.net 4-2

Agenda: Security Policies
- Security Policy Overview
- Junos ALGs
- Policy Components
- Verifying Policy Operation
- Policy Scheduling and Rematching
- Policy Case Study
www.juniper.net 4-3

Security Policy Defined
What is a security policy?
- A set of rules that tells a Junos security device what to do with transit traffic between zones and within a zone
  "What should I do if a packet comes in matching Criterion A?"
(Figure: an SRX device between internal hosts and the Internet)
www.juniper.net 4-4

Review: Packet Flow
(Figure: the Junos flow-module packet-flow diagram; the Policy step is the focus of this chapter)
- Packet-based processing around the flow module: per-packet policer, per-packet filters, per-packet shaper (ingress packet to egress packet)
- Session-based flow module: does the packet match an existing session?
  - No (first path): screen options, destination NAT, route, zones, policy, source NAT, services/ALG, session creation
  - Yes (fast path): screen options, TCP, NAT, services/ALG
www.juniper.net 4-5

Transit Traffic Examination
The Junos OS for security platforms always examines transit traffic by using security policies:
  Packet in -> Does a security policy match the traffic?
    No  -> Apply default policy
    Yes -> Apply policy actions
www.juniper.net 4-6

Local Inbound Traffic Examination
host-inbound-traffic follows this process:
  Packet in -> Is the packet destined to the incoming interface?
    No  -> Does a security policy match the traffic?
             No  -> Apply default policy
             Yes -> Apply policy actions -> Does the policy permit the traffic?
                      No  -> Drop traffic
                      Yes -> Permit traffic
    Yes -> host-inbound-traffic: Is the system service or protocol allowed into the interface of the device?
             No  -> Deny traffic
             Yes -> Permit traffic
www.juniper.net 4-7

Default Security Policies
- System-default security policy: deny all traffic through the device
  - You can change the default policy to permit all traffic
- Factory-default template security policies (branch devices only):
  - Trust to trust: permit all
  - Trust to untrust: permit all
  - Untrust to trust: deny all
(Figure: with the system-default policy, ALL transit traffic between the Trust zone and the Untrust zone is denied; with the factory-default policies, the three behaviors listed above apply)
www.juniper.net 4-8

Security Policy Conceptual Example
Security policy from the private zone to the external zone:
  If   Source IP address = Host B
       Destination IP address = Host D
       Application = SSH
  then permit traffic
Steps:
1. Host B initiates SSH to Host D (flow B -> D).
2. Security policy permits that flow.
3. The flow triggers reverse flow creation; both flows result in a formed session.
4. The return traffic, Host D -> Host B, also receives permission.
Session table:
  Source Address  Source Port  Destination Address  Destination Port  Prot  Int
  B               29200        D                    22                6     ge-0/0/0
  D               22           B                    29200             6     ge-1/0/0
(Figure: Hosts A and B in the private zone, Host C in the public zone, and Host D reached across the Internet in the external zone)
www.juniper.net 4-9

Policy Ordering
- Order is important!
- By default, new policies go to the end of the list
- Can change the order using the insert command
- Remember the system default policy!
  [edit security policies]
  user@srx# insert from-zone name to-zone name policy name [before | after] policy name
www.juniper.net 4-10

Editing Security Configurations
Like any other Junos configuration stanza, you can perform the following actions on the security configuration components:
- Delete
- Deactivate
- Activate
- Insert
- Annotate
- Copy
- Rename
- Search and replace
www.juniper.net 4-11


ALG Defined
- ALGs are software processes that manage protocols
- Designed for each protocol and operate differently
- The protocols usually use dynamic client and server ports for different parts of the communication
  "This application needs this port opened for return traffic."
www.juniper.net 4-13

FTP ALG Example (1 of 3)
Client (Trust zone) <-> SRX Device <-> FTP Server (Untrust zone): control-channel handshake, each segment shown on both sides of the SRX device
  SYN      172.20.104.10:49668 > 172.18.1.2:21
  SYN/ACK  172.20.104.10:49668 < 172.18.1.2:21
  ACK      172.20.104.10:49668 > 172.18.1.2:21
www.juniper.net 4-14

FTP ALG Example (2 of 3)
Client (Trust zone) <-> SRX Device <-> FTP Server (Untrust zone):
  The client sends PORT 172.20.104.10:56804 on the control channel; the flow calls the ALG to create a hole (pinhole) for the data connection.
  The server's data connection hits the pinhole:
  SYN      172.20.104.10:56804 < 172.18.1.2:20
  SYN/ACK  172.20.104.10:56804 > 172.18.1.2:20
  ACK      172.20.104.10:56804 < 172.18.1.2:20
  Data stream
www.juniper.net 4-15

FTP ALG Example (3 of 3)
Only one security policy is needed with the ALG applied:
user@srx> show security flow session
Session ID: 16107, Policy name: trust-to-untrust/6, Timeout: 1800, Valid
Resource information : FTP ALG, 1, 0
  In: 172.20.104.10/49668 --> 172.18.1.2/21;tcp, If: vlan.104, Pkts: 19, Bytes: 863
  Out: 172.18.1.2/21 --> 172.20.104.10/49668;tcp, If: ge-0/0/3.0, Pkts: 18, Bytes: 1085

Session ID: 16139, Policy name: trust-to-untrust/6, Timeout: 2, Valid
Resource information : FTP ALG, 1, 1
  In: 172.18.1.2/20 --> 172.20.104.10/56804;tcp, If: ge-0/0/3.0, Pkts: 4, Bytes: 278
  Out: 172.20.104.10/56804 --> 172.18.1.2/20;tcp, If: vlan.104, Pkts: 3, Bytes: 168
Total sessions: 2
With the ALG ignored, another security policy is needed to allow port 20.
www.juniper.net 4-16

Useful ALG Commands
Viewing ALGs:
- View predefined ALGs using the hidden show groups junos-defaults security alg command
- View enabled ALGs using the show security alg status command
- View which ALGs are active and how they are configured with the hidden show security alg configuration command
user@srx> show security alg status
ALG Status :
  DNS  : Enabled
  FTP  : Enabled
  H323 : Enabled
  MGCP : Enabled

user@srx> show security alg configuration
H323 Configuration:
  Endpoint Registration Timeout : 3600
  Media Source Port Any         : Off
  Application Screen
    Unknown Message NAT packets    : Deny
    Unknown Message Routed packets : Deny
www.juniper.net 4-17

ALG Configuration (1 of 3)
- Edit ALGs under the [edit security alg] hierarchy
- Some ALGs have a few different options, but all have at a minimum the following components:
  - Disable
  - Traceoptions
[edit]
user@srx# set security alg dns ?
Possible completions:
  disable                 Disable DNS ALG
  maximum-message-length  Set maximum message length (512..8192 bytes)
> traceoptions            DNS ALG trace options
www.juniper.net 4-19

ALG Configuration (2 of 3)
Apply ALGs under the [edit applications application name] hierarchy:
[edit applications application name]
user@srx# show
application-protocol ftp;
protocol tcp;
destination-port 21;
www.juniper.net 4-20

ALG Configuration (3 of 3)
Verify that the ALG is applied using the show security policies detail command:
user@srx> show security policies detail
Policy: trust-to-untrust, action-type: permit, State: enabled, Index: 7, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Destination addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Application: junos-ftp
    IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [21-21]
www.juniper.net 4-21


Policy Language
- You create policies under a context: from-zone zone-name to-zone zone-name
  - Set under the [edit security policies] hierarchy
- Each policy:
  - Identified by a user-defined name
  - Composed of a match statement and a then statement
  - Match criteria must include source address, destination address, and application
  - Action can be permit, deny, reject, log, or count (or a combination)
  - Optionally contains other advanced policy actions: IDP, UTM (branch devices only), firewall authentication
www.juniper.net 4-23

Policy Match Criteria
Policy matching criteria:
- Source addresses (configured within a zone's address book)
  - Individual address
  - Address set
- Destination addresses (configured within a zone's address book)
  - Individual address
  - Address set
- Applications or application sets
  - User defined
  - System defined
www.juniper.net 4-24

Creating Address Book Entries
Commands for address book entries:
- Adding an address to an address book:
  [edit security zones]
  security-zone name {
      address-book {
          address name1 X.X.X.X/mask;
          address name2 X.X.X.X/mask;
      }
  }
- Creating a group of addresses, named address sets:
  [edit security zones]
  security-zone name {
      address-book {
          address-set name {
              address name1;
              address name2;
          }
      }
  }
www.juniper.net 4-25

IPv6 Addressing
To create an IPv6 address book entry:
- inet6 flow must be enabled
- Must perform a system reboot when enabling IPv6 flow mode
[edit security zones]
user@srx# show
security-zone name {
    address-book {
        address name2 X::X/mask;
    }
}

[edit security forwarding-options]
user@srx# show
family {
    inet6 {
        mode flow-based;
    }
}
user@srx# commit
warning: You have enabled/disabled inet6 flow.
You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
configuration check succeeds
www.juniper.net 4-26

DNS Addressing
- You can use a DNS name instead of an IPv4 or an IPv6 address
- The SRX device must be configured with a DNS server
[edit security zones]
user@srx# show
security-zone name {
    address-book {
        address name3 {
            dns-name abc.com;
        }
    }
}

[edit system]
user@srx# show
host-name srx;
name-server {
    X.X.X.X;
}
www.juniper.net 4-27

Defining Custom Applications
Specifics of implementation:
- Many built-in applications (junos-rsh, junos-sip, junos-bgp, junos-tacacs, and so forth)
- You can add applications, application sets, or both to the predefined list
- No restrictions on the naming convention
- You can modify protocols, ports, inactivity timers, and so forth
[edit applications]
application name {
    application-protocol alg-protocol;
    protocol protocol;
    source-port source-port;
    destination-port destination-port;
}

[edit applications]
application-set name {
    application name1;
    application name2;
}
www.juniper.net 4-28

Predefined Applications
To view predefined applications, issue the show groups junos-defaults applications command:
user@srx# show groups junos-defaults applications
#
# File Transfer Protocol
#
application junos-ftp {
    application-protocol ftp;
    protocol tcp;
    destination-port 21;
}
www.juniper.net 4-29

Altering Built-In Applications (1 of 3)
- Create a new application with the same name as the built-in application under the [edit applications] hierarchy
  - The same options are available as for creating a custom application
  - Configure only what you want to change
- Reasons to change a built-in application:
  - To use different ports
  - To change the timeout value
  - To ignore the ALG
[edit applications]
user@srx# show
application junos-ftp {
    application-protocol ignore;
    protocol tcp;
    destination-port 6021;
    inactivity-timeout 3600;
}
www.juniper.net 4-30

Altering Built-In Applications (2 of 3)
- Create a group configuration to alter predefined applications
  - Applications must all use the same protocol
- The example shown here alters the TCP timeout value on the built-in applications junos-ftp and junos-finger
[edit groups]
user@srx# show
group-name {
    applications {
        application <junos-f*> {
            inactivity-timeout 3600;
        }
    }
}

[edit]
user@srx# show apply-groups
apply-groups group-name;
www.juniper.net 4-32

Altering Built-In Applications (3 of 3)
To verify that your configuration changes took place, issue the show security flow session extensive command:
user@srx> show security flow session extensive
Session ID: 38296, Status: Normal
Flag: 0x42
Policy name: trust-to-untrust/6
Source NAT pool: Null, Application: junos-ftp/1
Maximum timeout: 3600, Current timeout: 3600

user@srx> show security flow session extensive
Session ID: 1615, Status: Normal
Flag: 0x40
Policy name: trust-to-untrust/6
Source NAT pool: Null, Application: junos-finger/17
Maximum timeout: 3600, Current timeout: 3600
www.juniper.net 4-33

Creating Policy Match Entries
Specifics:
- Group all policies together in the proper order, ensuring proper order of execution
- Apply defined matching parameters
[edit security policies]
from-zone zone-name to-zone zone-name {
    policy name1 {
        match {
            source-address address-name1;
            destination-address address-name1;
            application application-name1;
        }
    }
    policy name2 {
        match {
            source-address address-name2;
            destination-address address-name2;
            application application-name2;
        }
    }
}
www.juniper.net 4-34

Basic Policy Actions
Policy actions:
- permit: allows traffic flow
- deny: silently drops traffic
- reject: drops traffic and sends an ICMP unreachable message for UDP traffic and a TCP reset (RST) for TCP traffic
- Optionally log and count traffic
  - Logs are sent to an external syslog server
    - Can be stored locally on branch devices
  - Counters are viewable with the show security policies detail command
www.juniper.net 4-35

Advanced Permit Settings
If the security policy allows traffic to pass, you can also configure the following actions:
- Firewall authentication: authenticate the client prior to forwarding the traffic
  - Pass-through
  - Web authentication
- IPsec VPN: perform encryption and decryption of permitted transit traffic
- IDP: perform IDP policy evaluation
- UTM: perform UTM services such as antivirus, Web filtering, and content filtering
  - UTM services are only available for branch platforms
www.juniper.net 4-36

User Role Firewall Policies
Implementing user role firewall policies:
- Classify traffic based on roles
- Agentless transparent authentication
- SSO support
(Figure: a user zone and a server zone separated by the SRX device, with a MAG Series device and a Windows Server running Active Directory in the infrastructure zone)
www.juniper.net 4-38

Global Policies
What are global policies?
- A single security policy that allows traffic from any zone to any other zone; no from-zone or to-zone configuration
  - Significantly reduces the number of security contexts
- Can be used in conjunction with regular security policies
  - Regular security policies take precedence
- Same matching conditions and actions as security policies
- Configure under: [edit security policies global policy]
- Global address book: [edit security address-book global]
www.juniper.net 4-39

Global Policy in Action
Using global policies: only one policy is required to facilitate communication between multiple zones
Global security policy:
  If   Source IP address = Host A, Host B, Host C
       Destination IP address = Any
       Application = HTTP
  then permit traffic
(Figure: Host A in the HR zone, Host B in the Eng zone, and Host C in the IT zone all reaching the Internet in the external zone through the one global policy)
www.juniper.net 4-40

Policy Components Summary
[edit security policies]
from-zone zone-name to-zone zone-name {
    policy name1 {
        match {
            source-address address-name;
            destination-address address-name;
            application application-name;
        }
        then {
            <action>;
        }
    }
    policy name2 {
        match {
            source-address address-name;
            destination-address address-name;
            application application-name;
        }
        then {
            <action>;
        }
    }
}
Callouts in the figure label the from-zone and to-zone context, the matching criteria (the match statement of each policy), and the action (the then statement of each policy).
www.juniper.net 4-41


Logging (1 of 3)
- Control plane logging can be stored locally or sent to an external syslog device
- Default control plane logging configuration:
[edit system]
user@srx# show syslog
user * {
    any emergency;
}
file messages {
    any critical;
    authorization info;
}
file interactive-commands {
    interactive-commands error;
}
www.juniper.net 4-43

Logging (2 of 3)
SRX Series branch devices can log data plane logs locally or send them to an external server:
[edit system syslog]
user@srx# show
host 10.210.14.130 {
    user info;
    source-address 10.210.14.133;
}
file messages {
    any any;
    authorization info;
}
file default-log-messages {
    any any;
    structured-data;
}
Callouts:
- user info: default facility and severity for data plane logs
- default-log-messages: use this filename for NSM
- structured-data: structured data format
www.juniper.net 4-44

Logging (3 of 3)
For high-end SRX Series devices, data plane logging can go to an external logging device. Sample configuration:
[edit security log]
user@srx# show
format sd-syslog;
source-address address;
stream name {
    severity debug;
    host {
        address;
    }
}
Sample log:
Jun 17 09:41:10 10.210.14.133 [RT_FLOW_SESSION_CLOSE][junos@2636.1.1.1.2.36: session closed TCP FIN: 172.20.102.10/56879->172.20.202.10/23,6: test2, 55(3040) 40(2554) 9
www.juniper.net 4-45

Monitoring Policies (1 of 3)
- Use the log action in a security policy:
[edit security policies from-zone trust to-zone untrust]
user@srx# set policy 812 then log ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  session-close        Log at session close time
  session-init         Log at session init time
- Use the count action in a security policy
  - show outputs add a counter
  - Statistics go to logs by default
www.juniper.net 4-46

Monitoring Policies (2 of 3)
show commands:
- Use the show security policies command to view details about policies
  - Use the detail option to display statistics; the policy must have a counter configured
user@srx> show security policies ?
Possible completions:
  <[Enter]>    Execute this command
  detail       Show the detailed information
  from-zone    Show the policy information matching the given source zone
  policy-name  Show the policy information matching the given policy name
  to-zone      Show the policy information matching the given destination zone
  |            Pipe through a command
- show security flow session: displays flows and their associated policy names and index numbers
www.juniper.net 4-47

Monitoring Policies (3 of 3)
Use traceoptions for detailed troubleshooting:
[edit security]
user@srx# show
policies {
    traceoptions {
        file name;
        flag all;
    }
}
flow {
    traceoptions {
        file name;
        flag basic-datapath;
        flag session;
        packet-filter name {
            source-prefix address-prefix;
            destination-prefix address-prefix;
        }
    }
}
www.juniper.net 4-48


Policy Scheduling Overview
- A scheduled policy is a policy that uses a configured scheduler to make the policy active at specific times
- Policy and scheduler relationship:
  - A policy can refer to only one scheduler
  - Multiple policies can refer to the same scheduler
  - A policy remains active without an applied scheduler
(Figure: timeline showing the policy activated at the scheduler start time and deactivated at the stop time)
www.juniper.net 4-50

Policy Scheduler Components
You can configure a policy scheduler with the following:
- Slot schedule:
  - Start date and time
  - Stop date and time
- Daily schedule:
  - Start time
  - Stop time
  - All day
  - Exclude option
www.juniper.net 4-51

Policy Scheduler Details
- Scheduler: set up the schedule for policy execution, including time and date:
  [edit schedulers]
  user@srx# set scheduler name [day-of-the-week | daily] [specifics of time]
- Default behavior: policies that do not have schedulers are always active and in force
- Apply the scheduler:
  [edit security policies]
  from-zone name to-zone name {
      policy name {
          match {
              ...
          }
          then {
              ...
          }
          scheduler-name name;
      }
  }
www.juniper.net 4-52

policy-rematch Statement
- policy-rematch statement: signals the application of policy configuration changes to existing sessions
  set security policies policy-rematch
- Default behavior:
  - Deletion of policies causes drops of impacted sessions
  - Configuration changes to existing policies do not impact sessions in progress

  Action on Policy    Description                                                    Rematch Flag Enabled         Rematch Flag Disabled (default)
  Delete              Deletes policy                                                 Drops all existing sessions  Drops all existing sessions
  Modify action       Modifies action field of policy from permit to deny or reject  Drops all existing sessions  All existing sessions continue
  Modify address      Modifies source or destination address                         Re-evaluates policy lookup   All existing sessions continue
  Modify application  Modifies application                                           Re-evaluates policy lookup   All existing sessions continue
www.juniper.net 4-53


Case Study: Creating Policies Between HR and Public Zones
Objectives:
- Allow PC A and PC B to FTP to server C using a custom application set
- Deny other users in the HR zone from using FTP services in the 1.1.70/24 network; log and count these violations
(Figure: HR zone with PC A at 10.1.10.5 on 10.1.10.0/24 and PC B at 10.1.20.5 on 10.1.20.0/24, reached by the SRX device through 10.1.1.0/24 on ge-0/0/1 (10.1.1.1) and 10.1.2.0/24 on ge-0/0/2 (10.1.2.1); Public zone on ge-0/0/3 (1.1.70.1), network 1.1.70.0/24, with server C at 1.1.70.250)
www.juniper.net 4-56

Case Study: Entering Host Addresses into the HR Zone
[edit security]
user@srx# show zones security-zone HR
address-book {
    address PC_A 10.1.10.5/32;
    address PC_B 10.1.20.5/32;
    address all-10-1 10.1.0.0/16;
    address-set HR_PCs {
        address PC_A;
        address PC_B;
    }
}
interfaces {
    ge-0/0/1.0;
    ge-0/0/2.0;
}
www.juniper.net 4-57

Case Study: Entering Host Addresses into the Public Zone
[edit security]
user@srx# show zones security-zone Public
address-book {
    address Server_C 1.1.70.250/32;
    address all-1-1-70 1.1.70/24;
    address-set address-public {
        address Server_C;
    }
}
interfaces {
    ge-0/0/3.0;
}
www.juniper.net 4-58

Case Study: Creating the Application Set
[edit applications]
user@srx# show
application HR-telnet {
    protocol tcp;
    source-port 1024-65535;
    destination-port telnet;
}
application-set HR-Public-applications {
    application junos-ftp;
    application junos-ike;
    application HR-telnet;
}
www.juniper.net 4-59

Case Study: Creating Policy Entries (1 of 2)
[edit security]
user@srx# show policies
from-zone HR to-zone Public {
    policy HR-to-Public {
        match {
            source-address HR_PCs;
            destination-address address-public;
            application HR-Public-applications;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
            count;
        }
    }
    ...
www.juniper.net 4-60

Case Study: Creating Policy Entries (2 of 2)
    policy otherhr-to-public {
        match {
            source-address all-10-1;
            destination-address all-1-1-70;
            application junos-ftp;
        }
        then {
            deny;
            log {
                session-init;
            }
            count;
        }
    }
}
www.juniper.net 4-61
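As an added illustration (not code from the course or from Juniper), the following Python models the policy lookup this chapter describes: ordered first match within a from-zone/to-zone context, regular policies before global policies, the system default deny, and the count action, using the case-study address books, application set and two policies. The port definition of the predefined junos-ike application is an assumption; the deny_first flag shows what happens when the deny policy is inserted ahead of the permit policy.

```python
"""Model of SRX policy lookup: first match in the from-zone/to-zone context, then global
policies, then the system default deny (added illustration, not Juniper code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass
class Application:
    protocol: str                        # "tcp" or "udp"
    dst_ports: Tuple[int, int]           # inclusive destination-port range
    src_ports: Tuple[int, int] = (0, 65535)

@dataclass
class Policy:
    name: str
    source: List[str]                    # address-book names, or ["any"]
    destination: List[str]
    applications: List[str]              # application or application-set names, or ["any"]
    action: str                          # permit | deny | reject
    count: bool = False
    hits: int = 0                        # policy counter, incremented only when count is set

@dataclass
class Flow:
    from_zone: str
    to_zone: str
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int
    dst_port: int

class PolicyEngine:
    def __init__(self, address_book, applications, app_sets):
        self.book = address_book         # name -> list of prefixes (address sets pre-flattened)
        self.apps = applications
        self.app_sets = app_sets
        self.contexts: Dict[Tuple[str, str], List[Policy]] = {}
        self.global_policies: List[Policy] = []

    def add_policy(self, from_zone, to_zone, policy, before=None):
        """New policies go to the end of the context; `before` models `insert ... before`."""
        plist = self.contexts.setdefault((from_zone, to_zone), [])
        if before is None:
            plist.append(policy)
        else:
            plist.insert([p.name for p in plist].index(before), policy)

    def _addr_ok(self, names, ip):
        if "any" in names:
            return True
        return any(ip_address(ip) in ip_network(p) for n in names for p in self.book[n])

    def _app_ok(self, names, flow):
        if "any" in names:
            return True
        members = [m for n in names for m in self.app_sets.get(n, [n])]
        return any(a.protocol == flow.protocol
                   and a.dst_ports[0] <= flow.dst_port <= a.dst_ports[1]
                   and a.src_ports[0] <= flow.src_port <= a.src_ports[1]
                   for a in (self.apps[m] for m in members))

    def lookup(self, flow) -> Tuple[str, Optional[str]]:
        """Return (action, policy name); zone-context policies precede global ones."""
        for pol in self.contexts.get((flow.from_zone, flow.to_zone), []) + self.global_policies:
            if (self._addr_ok(pol.source, flow.src_ip)
                    and self._addr_ok(pol.destination, flow.dst_ip)
                    and self._app_ok(pol.applications, flow)):
                if pol.count:
                    pol.hits += 1
                return pol.action, pol.name
        return "deny", None              # system default policy: deny all transit traffic

def case_study_engine(deny_first=False):
    """The chapter's HR/Public address books, application set and two policies.
    deny_first=True inserts the deny policy ahead of the permit policy to show why order matters."""
    book = {"PC_A": ["10.1.10.5/32"], "PC_B": ["10.1.20.5/32"], "all-10-1": ["10.1.0.0/16"],
            "HR_PCs": ["10.1.10.5/32", "10.1.20.5/32"], "Server_C": ["1.1.70.250/32"],
            "address-public": ["1.1.70.250/32"], "all-1-1-70": ["1.1.70.0/24"]}
    apps = {"junos-ftp": Application("tcp", (21, 21)),
            "junos-ike": Application("udp", (500, 500)),   # assumed: predefined junos-ike is UDP/500
            "HR-telnet": Application("tcp", (23, 23), (1024, 65535))}
    sets = {"HR-Public-applications": ["junos-ftp", "junos-ike", "HR-telnet"]}
    eng = PolicyEngine(book, apps, sets)
    eng.add_policy("HR", "Public", Policy("HR-to-Public", ["HR_PCs"], ["address-public"],
                                          ["HR-Public-applications"], "permit", count=True))
    eng.add_policy("HR", "Public", Policy("otherhr-to-public", ["all-10-1"], ["all-1-1-70"],
                                          ["junos-ftp"], "deny", count=True),
                   before="HR-to-Public" if deny_first else None)
    return eng
```

A flow from PC A with a source port below 1024 does not match HR-telnet, falls through otherhr-to-public (FTP only), and lands on the default deny, which is the kind of gap the counters and logs in the next slides make visible.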

Case Study: Monitoring the Policy (1 of 2)
Viewing the policy:
user@srx> show security policies policy-name HR-to-Public detail
Policy: HR-to-Public, action-type: permit, State: enabled, Index: 15
  Sequence number: 1
  From zone: HR, To zone: Public
  Source addresses:
    PC-A: 10.1.10.5/32
  Destination addresses:
    Server_C: 1.1.70.250/32
  Application: HR-Public-applications
    IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [21-21]
  Session log: at-create, at-close
  Scheduler name: schedulerhr
  Policy statistics:
    Input bytes       :       3844      35 bps
    Output bytes      :       2299      21 bps
    Input packets     :         70       0 pps
    Output packets    :         43       0 pps
    Session rate      :          2       0 sps
    Active sessions   :          0
    Session deletions :          2
    Policy lookups    :          1
Note: Output is abbreviated. Callouts in the figure label the source address, destination address, application set, and traffic statistics sections.
www.juniper.net 4-62

Case Study: Monitoring the Policy (2 of 2)
Policy log from the external server:
Apr 10 12:34:12 10.210.14.133 [RT_FLOW_SESSION_CREATE] [junos@2636.1.1.1.2.36: session created 10.1.10.5/60557->1.1.70.250/21,6: HR-to-Public
Apr 10 12:41:22 10.210.14.133 [RT_FLOW_SESSION_CLOSE] [junos@2636.1.1.1.2.36: session closed TCP FIN: 10.1.10.5/60557->1.1.70.250/21,6: HR-to-Public, 28(1236) 22(1398) 430
Callouts on the close message: 28(1236) = inbound packets (bytes), 22(1398) = outbound packets (bytes), 430 = elapsed time in seconds.
www.juniper.net 4-63
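Added example (not from the course or Juniper): a parser for the abbreviated RT_FLOW_SESSION_CREATE / RT_FLOW_SESSION_CLOSE lines printed on slides 4-45 and 4-63, with a per-policy summary of the packet and byte counts called out above and a list of sessions that have a create event but no close yet. Only the message layout shown on these slides is handled; the fourth sample line is constructed, and the fifth is a non-session line to show it is skipped.

```python
"""Parser for the abbreviated RT_FLOW_SESSION_CREATE / RT_FLOW_SESSION_CLOSE lines shown in
this chapter (added illustration, not Juniper code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Layout as printed on the slides: "<ts> <host> [EVENT] [junos@...: session created|closed <reason>:
# src/sport->dst/dport,proto: policy[, in_pkts(in_bytes) out_pkts(out_bytes) elapsed]"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"\[(?P<event>RT_FLOW_SESSION_(?:CREATE|CLOSE))\] ?\[junos@[\d.]+: "
    r"session (?:created|closed(?: (?P<reason>[^:]+))?:) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+): "
    r"(?P<policy>[^,\s]+)"
    r"(?:, (?P<in_pkts>\d+)\((?P<in_bytes>\d+)\) (?P<out_pkts>\d+)\((?P<out_bytes>\d+)\) (?P<elapsed>\d+))?$")

SessionKey = Tuple[str, int, str, int, int]   # (src, sport, dst, dport, protocol number)

@dataclass
class SessionEvent:
    event: str                   # "CREATE" or "CLOSE"
    timestamp: str
    policy: str
    key: SessionKey
    reason: Optional[str] = None # close reason as logged, e.g. "TCP FIN"
    in_pkts: int = 0
    in_bytes: int = 0
    out_pkts: int = 0
    out_bytes: int = 0
    elapsed: int = 0             # session lifetime in seconds (close events only)

def parse_line(line: str) -> Optional[SessionEvent]:
    """Return the parsed event, or None for lines that are not session create/close logs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return SessionEvent(
        event=g["event"].rsplit("_", 1)[1],
        timestamp=g["ts"],
        policy=g["policy"],
        key=(g["src"], int(g["sport"]), g["dst"], int(g["dport"]), int(g["proto"])),
        reason=g["reason"],
        in_pkts=int(g["in_pkts"] or 0), in_bytes=int(g["in_bytes"] or 0),
        out_pkts=int(g["out_pkts"] or 0), out_bytes=int(g["out_bytes"] or 0),
        elapsed=int(g["elapsed"] or 0))

def summarize(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Per-policy totals: sessions created/closed and bytes in each direction (from close events)."""
    stats: Dict[str, Dict[str, int]] = {}
    for ev in filter(None, map(parse_line, lines)):
        s = stats.setdefault(ev.policy, {"created": 0, "closed": 0, "in_bytes": 0, "out_bytes": 0})
        if ev.event == "CREATE":
            s["created"] += 1
        else:
            s["closed"] += 1
            s["in_bytes"] += ev.in_bytes
            s["out_bytes"] += ev.out_bytes
    return stats

def open_sessions(lines: List[str]) -> List[SessionKey]:
    """Sessions with a create event but no matching close event yet, oldest first."""
    pending: Dict[SessionKey, SessionEvent] = {}
    for ev in filter(None, map(parse_line, lines)):
        if ev.event == "CREATE":
            pending[ev.key] = ev
        else:
            pending.pop(ev.key, None)    # a close whose create was not captured is tolerated
    return list(pending)

# Constructed sample: the three log lines printed in this chapter, one constructed CREATE line
# (10.1.20.5) with no close event, and one unrelated syslog line.
SAMPLE_LOG = [
    "Jun 17 09:41:10 10.210.14.133 [RT_FLOW_SESSION_CLOSE][junos@2636.1.1.1.2.36: session closed "
    "TCP FIN: 172.20.102.10/56879->172.20.202.10/23,6: test2, 55(3040) 40(2554) 9",
    "Apr 10 12:34:12 10.210.14.133 [RT_FLOW_SESSION_CREATE] [junos@2636.1.1.1.2.36: session created "
    "10.1.10.5/60557->1.1.70.250/21,6: HR-to-Public",
    "Apr 10 12:41:22 10.210.14.133 [RT_FLOW_SESSION_CLOSE] [junos@2636.1.1.1.2.36: session closed "
    "TCP FIN: 10.1.10.5/60557->1.1.70.250/21,6: HR-to-Public, 28(1236) 22(1398) 430",
    "Apr 10 12:50:01 10.210.14.133 [RT_FLOW_SESSION_CREATE] [junos@2636.1.1.1.2.36: session created "
    "10.1.20.5/51234->1.1.70.250/21,6: HR-to-Public",
    "Apr 10 12:50:02 10.210.14.133 some unrelated syslog message",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(open_sessions(SAMPLE_LOG))
```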

Summary
In this chapter, we:
- Explained security policy functionality
- Explained Junos ALG functionality
- Described the components of a security policy
- Verified policies and monitored their execution
- Configured a basic security policy using the following elements:
  - Policy match conditions
  - Policy actions, basic and advanced
  - Policy scheduling
www.juniper.net 4-64

Review Questions
1. What are the basic components of a policy?
2. What is the default action for every policy set?
3. What is the purpose of a scheduler within the security stanza?
4. How can you reorder policies?
www.juniper.net 4-65

Lab 2: Security Policies Create policies that control access between networks. www.juniper.net 4-66
