JUNOS for Security Platforms
9.b
Student Guide

Juniper Networks
408-745-2000
Course Number: EDUAUNSEC

Contents

Chapter 1: Course Introduction

Chapter 2: Introduction to JUNOS Security Platforms
  Traditional Routing
  Traditional Security
  Breaking the Tradition
  JUNOS Software Architecture

Chapter 3: Zones
  The Definition of Zones
  Zone Configuration
  Monitoring Security Zones
  Lab 1: Configuring and Monitoring Zones

Chapter 4: Security Policies
  Overview of Security Policy
  Policy Components
  Verifying Policy Operation
  Policy Scheduling and Rematching
  Policy Case Study
  Case Study: Monitoring Security Policies: Part 1
  Case Study: Monitoring Security Policies: Part 2
  Lab 2: Security Policies

Chapter 5: Firewall User Authentication
  Firewall User Authentication Overview
  Pass-Through Authentication
  Web Authentication
  Client Groups
  Using External Authentication Servers
  Verifying Firewall User Authentication
  Lab 3: Configuring Firewall Authentication

Chapter 6: SCREEN Options
  Multilayer Network Protection
  Stages and Types of Attacks
  Using JUNOS Software SCREEN Options: Reconnaissance Attack Handling
  Using JUNOS Software SCREEN Options: Denial of Service Attack Handling
  Using JUNOS Software SCREEN Options: Suspicious Packets Attack Handling
  Applying and Monitoring SCREEN Options
  Lab 4: Implementing SCREEN Options

Chapter 7: Network Address Translation
  NAT Overview
  Destination NAT Operation and Configuration
  Source NAT Operation and Configuration
  Proxy ARP
  Monitoring and Verifying NAT Operation
  Lab 5: Network Address Translation

Chapter 8: IPsec VPNs
  VPN Types
  Secure VPN Requirements
  IPsec Details
  Configuration of IPsec VPNs
  IPsec VPN Monitoring
  Lab 6: Implementing IPsec VPNs

Chapter 9: Introduction to Intrusion Detection and Prevention
  Introduction to JUNOS Software IDP
  IDP Policy Components and Configuration
  Signature Database
  Case Study: Applying the Recommended IDP Policy
  Monitoring IDP Operation
  Lab 7: Implementing IDP

Chapter 10: High Availability Clustering
  High Availability Overview
  Chassis Cluster Components
  Chassis Cluster Operation
  Chassis Cluster Configuration
  Chassis Cluster Monitoring
  Lab 8: Implementing Chassis Clusters

Appendix A: Acronym List
Appendix B: Answer Key
Chapter 1: Course Introduction
Chapter Objectives

* After successfully completing this chapter, you will be able to:
  + Get to know one another
  + Identify the objectives, prerequisites, facilities, and materials used during this course
  + Identify additional Juniper Networks courses
  + Describe the Juniper Networks Technical Certification Program

This Chapter Discusses:
  + Objectives and course content information;
  + Additional Juniper Networks courses; and
  + The Juniper Networks Technical Certification Program (JNTCP).
Introductions

* Before we get started:
  + What is your name?
  + Where do you work?
  + What is your primary role in your organization?
  + What kind of network experience do you have?
  + What is the most important thing for you to learn in this training session?

Introductions

This slide asks several questions for you to answer during class introductions.
Course Contents

* Contents:
  + Chapter 1: Course Introduction
  + Chapter 2: Introduction to JUNOS Security Platforms
  + Chapter 3: Zones
  + Chapter 4: Security Policies
  + Chapter 5: Firewall User Authentication
  + Chapter 6: SCREEN Options
  + Chapter 7: Network Address Translation
  + Chapter 8: IPsec VPNs
  + Chapter 9: Introduction to Intrusion Detection and Prevention
  + Chapter 10: High Availability Clustering
Prerequisites

* The prerequisites for this course are the following:
  + Basic networking knowledge
  + Understanding of the OSI model and TCP/IP
  + Experience with JUNOS Software, including device management, routing, and policy, through:
    - Attending the Introduction to JUNOS Software and JUNOS Routing Essentials courses; or
    - Working with devices running JUNOS Software in a networking environment

Prerequisites

This slide lists the prerequisites for this course.
Course Administration

* The basics:
  + Sign-in sheet
  + Schedule
    - Class times
    - Breaks
    - Lunch
  + Break and restroom facilities
  + Fire and safety procedures
  + Communications
    - Telephones and wireless devices
    - Internet access

General Course Administration

This slide documents general aspects of classroom administration.
Education Materials

* Available materials:
  + In class:
    - Lecture material
    - Lab guide
    - Lab equipment
  + Online:
    - eLearning courses

Training and Study Materials

This slide describes Education Services materials that are available for reference both in the classroom and online.
Additional Resources

* For those who want more:
  + Juniper Networks Technical Assistance Center (JTAC)
    - http://www.juniper.net/support/requesting-support.html
  + Juniper Networks books
    - http://www.juniper.net/training/jnbooks/
  + Hardware and software technical documentation
    - Online: http://www.juniper.net/techpubs/
    - Image files for offline viewing: http://www.juniper.net/techpubs/resources/
  + Certification resources
    - http://www.juniper.net/training/certification/resources.html

Additional Resources

This slide lists additional resources available to help with the configuration, administration, and operation of Juniper Networks products.
Satisfaction Feedback

* To receive your certificate, you must complete the survey
  + Either you will receive a survey to complete at the end of class, or we will e-mail it to you within two weeks
* Completed surveys help us serve you better!

Satisfaction Feedback

Juniper Networks uses an electronic survey system to collect and analyze your comments and feedback. Depending on the class you are taking, please complete the survey at the end of the class, or be sure to look for an e-mail about two weeks from class completion that directs you to complete an online survey form. (Be sure to provide us with your current e-mail address.)

Submitting your feedback entitles you to a certificate of class completion. We thank you in advance for taking the time to help us improve our educational offerings.
Juniper Networks Education Services Curriculum

* Consists of courseware for both enterprise and service provider environments
  + Complete list of courses:
    - http://www.juniper.net/us/en/training/technical_education/

Juniper Networks Education Services Curriculum

Juniper Networks Education Services can help ensure that you have the knowledge and skills to deploy and maintain cost-effective, high-performance networks for both enterprise and service provider environments. We have expert training staff with deep technical and industry knowledge, providing you with instructor-led hands-on courses as well as convenient, self-paced eLearning courses.

You can access the latest Education Services offerings covering a wide range of platforms at http://www.juniper.net/us/en/training/technical_education/.
Technical Certification Programs

* Demonstrate competence with Juniper Networks technology
  + Multiple tracks
  + Multiple certification levels
  + Written proficiency exams
  + Hands-on configuration and troubleshooting exams
* For more information and details on how to prepare for the exams:
  + http://www.juniper.net/us/en/training/certification/

Technical Certification

The Juniper Networks Technical Certification Program (JNTCP) consists of platform-specific, multitiered tracks that enable participants to demonstrate, through a combination of written proficiency exams and hands-on configuration and troubleshooting exams, competence with Juniper Networks technology. Successful candidates demonstrate thorough understanding of Internet and security technologies and Juniper Networks platform configuration and troubleshooting skills.

You can learn more about the JNTCP at http://www.juniper.net/training/certification/.
Certification Levels

* Up to four levels per track:
  + Associate
    - Multiple-choice exam
  + Specialist
    - Multiple-choice exam
  + Professional
    - One-day, lab-based exam
  + Expert
    - One-day, lab-based exam

Certification Levels

Each JNTCP track has one to four certification levels. Associate-level and Specialist-level exams are computer-based exams composed of multiple-choice questions. These computer-based exams are administered at Prometric testing centers worldwide and have no prerequisite certification requirements.

Professional-level and Expert-level exams are composed of hands-on lab exercises that are administered at select Juniper Networks testing centers. Professional-level and Expert-level exams require that you first obtain the next lower certification in the track. Please visit the JNTCP Web site at http://www.juniper.net/training/certification/ for detailed exam information, exam pricing, and exam registration.
Certification Preparation

* How to prepare:
  + Training and study resources
    - JNTCP Web site: http://www.juniper.net/training/certification/
    - Education Services training classes: http://www.juniper.net/us/en/training/technical_education/
    - Juniper Networks documentation and white papers: http://www.juniper.net/techpubs/
  + Practical exams: lots of hands-on practice
    - On-the-job experience
    - Education Services training classes
    - Equipment access

Prepping and Studying

This slide lists some options for those interested in preparing for Juniper Networks certification.

Questions

Chapter 2: Introduction to JUNOS Security Platforms
Chapter Objectives

* After successfully completing this chapter, you will be able to:
  + Describe traditional routing and security
  + Describe current trends in internetworking
  + Provide an overview of SRX Series Services Gateways
  + Provide an overview of JUNOS Software for the SRX Series
  + Describe physical and logical packet flow through SRX Series devices

This Chapter Discusses:
  + Traditional routing and security implementations;
  + Current trends in internetworking;
  + SRX Series Services Gateways;
  + JUNOS Software for the SRX Series; and
  + Physical and logical packet flow through SRX Series devices.

Agenda: Introduction to JUNOS Security Platforms

* Traditional Routing
* Traditional Security
* Breaking the Tradition
* JUNOS Software Architecture

Traditional Routing

This slide lists the topics we cover in this chapter. We discuss the highlighted topic first.
Routers

* Traditionally, a router forwards packets based on a Layer 3 IP address
  + Uses some type of path determination mechanism
* Packet processing is stateless and promiscuous
* Routers separate broadcast domains and provide WAN connectivity

Built to Forward Packets

The primary responsibility of a router is to forward packets using the Layer 3 IP addresses found in the packet header. To forward packets, the router must have a path determination mechanism. This mechanism could be statically assigned routes, dynamic routing protocols, or policy-based routing.

Packet Processing Is Stateless

Traditionally, routers process packets in a stateless fashion. Routers do not keep track of bidirectional sessions; they forward each packet individually based on the packet header.

Separate Broadcast Domains and Provide WAN Connectivity

Routers were originally used to separate broadcast domains. With the introduction of advanced switching technology and the adoption of virtual LAN (VLAN) standards, broadcast domains can also be separated using switches. That approach, however, does not address inter-VLAN connectivity, which still necessitates the use of routers for forwarding traffic between VLANs. Furthermore, routers provide WAN connectivity to the rest of the network.
Layer 3 Packet Forwarding (Routing)

* IP packets are forwarded based on the destination address
* Routers maintain routing table entries
  + Static routes
  + Dynamic routes (RIP, OSPF, BGP)
  + Longest prefix match

Layer 3 Packet Forwarding

Routers perform Layer 3 packet forwarding using routing table entries. Routers build routing tables based on the results of dynamic routing protocols (for example, RIP, OSPF, IS-IS, and BGP), statically entered routes, or a combination of these methods. Note that routers forward packets based on the longest prefix match. For example, in the graphic on the slide, Router A selects interface ge-0/0/2 for a packet to destination 10.3.3.10 because 10.3.3.10/32 is a longer prefix match than 10.3.3.0/28. If the entry 10.3.3.10/32 did not exist in the routing table, the router would select interface ge-0/0/0 as the next hop for the same packet flow.
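The longest-prefix-match selection described above, worked through in code. This is an added example, not code from the Juniper course: the routing table is constructed to match the slide's Router A (10.3.3.10/32 via ge-0/0/2 and 10.3.3.0/28 via ge-0/0/0), and the default route via ge-0/0/1 is an assumption added so that a destination outside 10.3.3.0/28 still resolves. Note that this is exactly the per-packet, stateless decision a traditional router makes: nothing but the destination address is consulted.

```python
"""Longest-prefix-match lookup, as used by the routing table on the slide.

Added example, not code from the Juniper course. The routing table below is
constructed to match the slide's Router A: 10.3.3.10/32 via ge-0/0/2 and
10.3.3.0/28 via ge-0/0/0; the default route via ge-0/0/1 is an assumption.
"""
import ipaddress

# Constructed routing table: (prefix, next-hop interface). Order is irrelevant;
# lookup() picks the most specific prefix, not the first match.
ROUTES = [
    ("0.0.0.0/0", "ge-0/0/1"),       # default route (assumed)
    ("10.3.3.0/28", "ge-0/0/0"),     # from the slide
    ("10.3.3.10/32", "ge-0/0/2"),    # from the slide
]


def build_table(routes):
    """Parse the string prefixes once and sort longest prefix first, so the
    first hit during lookup is automatically the longest match."""
    table = [(ipaddress.ip_network(p, strict=True), nh) for p, nh in routes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, dst):
    """Return (prefix, interface) of the longest matching route, or None.
    A stateless router does this for every packet using only the destination
    header field; no session state is consulted."""
    addr = ipaddress.ip_address(dst)
    for net, nh in table:
        if addr in net:
            return str(net), nh
    return None


def trace(routes, dst):
    """Show every candidate prefix and the winner, for learning and debugging."""
    table = build_table(routes)
    addr = ipaddress.ip_address(dst)
    candidates = [(str(net), nh) for net, nh in table if addr in net]
    return {"dst": dst, "candidates": candidates, "selected": lookup(table, dst)}


if __name__ == "__main__":
    for dst in ("10.3.3.10", "10.3.3.5", "192.0.2.7"):
        print(trace(ROUTES, dst))
    # Remove the /32: the same packet now follows 10.3.3.0/28 via ge-0/0/0,
    # which is the second case described in the notes.
    print(trace([r for r in ROUTES if r[0] != "10.3.3.10/32"], "10.3.3.10"))
```

Sorting by prefix length once at table-build time is the simplest correct implementation; real forwarding engines use a trie or TCAM for the same decision, but the selection rule is identical.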
Traditional Routing Is Promiscuous

* A traditional router provides no security
  + Forwards all traffic by default
  + Operates at Layer 3; cannot detect security threats in higher-layer protocols
  + Operates on each packet individually; cannot detect malformed sessions
  + The network is immediately vulnerable
* Typically treats security as a luxury add-on item

Promiscuous Behavior of a Traditional Router

A traditional router is a promiscuous device that performs stateless packet processing. It is promiscuous because once it is configured, it immediately forwards all traffic by default (provided, of course, that some combination of static and dynamic routes is configured). Typically a router operates only at Layer 3 and does not recognize any security threats in higher-layer protocols. Furthermore, a traditional router operates per packet, which is the fundamental difference: it cannot detect malformed sessions. The network and the router itself are immediately vulnerable to all security threats.

Typical Treatment of Security

Other than implementing standard access control using header information, most routers are not designed to secure the network. Traditionally, a full security solution involves adding a separate firewall device.
Router Positioning

* Typical router positioning

Typical Router Positioning

Enterprise customer premise applications are served by the J Series family of services routers and, in the case of larger enterprise needs, M Series routers. Enterprise data center applications can also be served by M Series routers. Internet service provider (ISP) networks can be served by M Series, MX Series, or T Series routers. M Series, MX Series, and T Series routers support the rich routing and class-of-service (CoS) features needed by these networks and maintain value, stability, and reliability at high performance.
Agenda: Introduction to JUNOS Security Platforms

* Traditional Routing
* Traditional Security
* Breaking the Tradition
* JUNOS Software Architecture

Traditional Security

The slide highlights the topic we discuss next.
Adding Security to the Network

* Traditionally, a standalone firewall adds enhanced security in the enterprise network
* A firewall must perform:
  + Stateful packet processing
    - Keeps a session or state table based on IP header and higher-level information (TCP/UDP and application layers)
  + NAT and PAT
    - Private-to-public and public-to-private translation
  + VPN establishment
    - Encapsulation, authentication, and encryption
* Can also implement other security elements such as SSL, IDP, ALGs, and so forth

Adding Security to the Network

Standalone routers do not provide adequate security to enterprise networks, and as enterprise networks continue to expand, network applications become more complex, and new methods of remote communication such as telecommuting increase, the need for added security becomes apparent. Typically, a standalone firewall is added to the network, increasing costs and maintenance.

Requirements for Firewall Devices

A firewall device must be capable of the following:
  + Stateful packet processing based on the contents of IP and higher-level packet information, which includes TCP/UDP and the application layer;
  + Network Address Translation (NAT) and Port Address Translation (PAT), including private-to-public translations and vice versa; and
  + Establishing virtual private networks (VPNs) compounded with authentication and encryption.

Additional Services

The growth in network security has resulted in additional services provided by standalone firewalls such as Secure Sockets Layer (SSL) network access, Intrusion Detection and Prevention (IDP), Application Layer Gateway (ALG) processing, and more.
Stateful Packet Processing

Stateful Packet Processing

A firewall is, by its very nature, a stateful device. Fundamental to its operation is the ability to make packet processing decisions based on packet header information, including higher-layer information.

Stateful packet processing involves the creation of unidirectional flows, each identified by six elements of information: source IP address, destination IP address, source port number, destination port number, protocol number, and a session token. The session token is derived from a combination of the routing instance and the zone in which the packet arrives. Two such flows, one in each direction, make up a session.
NAT and PAT

* NAT and PAT:
  + NAT converts IP addresses
  + PAT converts TCP or UDP port numbers
  + Typically used at the boundary between private and public addressing

Firewall: NAT and PAT

When a security device resides at the edge of a network, it must be able to translate between the private and the public address space. Translation can consist of replacing the IP addresses, the port numbers, or both, depending on the configuration. Note that NAT can be used on both source and destination addresses.
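Source NAT with PAT at a private/public boundary, worked through as an added example (not code from the Juniper course; the course covers the actual NAT configuration in Chapter 7). The addresses are constructed: inside hosts in 10.1.1.0/24 and one public address 203.0.113.1, with servers in 198.51.100.0/24; the port pool of 1024 to 65535 and the allocation order are assumptions. The point the slide makes but does not show is why PAT is needed at all: two inside hosts can legitimately pick the same source port, so the translated port, not the translated address, is what keeps their sessions distinguishable and lets the reply find its way back. A reply for which no binding exists is simply dropped.

```python
"""Source NAT with PAT (port address translation) at a private/public boundary.

Added example, not code from the Juniper course. Addresses are constructed:
inside hosts in 10.1.1.0/24, one public address 203.0.113.1, servers in
198.51.100.0/24. The 1024-65535 port pool and allocation order are assumptions.
"""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class SourceNatPat:
    """Translate outbound packets to one public IP, allocating a fresh public
    port per (inside IP, inside port, proto), and reverse the mapping for
    replies. Both directions of the binding are kept so that an inbound packet
    nobody asked for has no binding and is dropped."""

    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self._last = last_port
        self.out = {}   # (inside_ip, inside_port, proto) -> public_port
        self.back = {}  # (public_port, proto) -> (inside_ip, inside_port)

    def _alloc(self, key):
        if key in self.out:
            return self.out[key]            # reuse the existing binding
        port = next(self._ports)
        if port > self._last:
            raise RuntimeError("PAT port pool exhausted")
        self.out[key] = port
        self.back[(port, key[2])] = (key[0], key[1])
        return port

    def outbound(self, pkt):
        """Private -> public: rewrite the source IP and the source port."""
        port = self._alloc((pkt.src_ip, pkt.src_port, pkt.proto))
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Public -> private: look up the destination port. None means no
        binding exists and the packet must be dropped, not forwarded."""
        if pkt.dst_ip != self.public_ip:
            return None
        hit = self.back.get((pkt.dst_port, pkt.proto))
        if hit is None:
            return None
        inside_ip, inside_port = hit
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)


def demo():
    """Two inside hosts happen to pick the same ephemeral source port 40000
    towards the same server; PAT must still keep their sessions apart."""
    nat = SourceNatPat("203.0.113.1")
    a = nat.outbound(Packet("10.1.1.10", 40000, "198.51.100.5", 443))
    b = nat.outbound(Packet("10.1.1.11", 40000, "198.51.100.5", 443))
    reply_a = nat.inbound(Packet("198.51.100.5", 443, "203.0.113.1", a.src_port))
    reply_b = nat.inbound(Packet("198.51.100.5", 443, "203.0.113.1", b.src_port))
    stray = nat.inbound(Packet("198.51.100.9", 22, "203.0.113.1", 2222))
    return a, b, reply_a, reply_b, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```

A production implementation would also age bindings out (compare the session timeouts discussed later in this chapter) and would pick public ports randomly rather than sequentially, since predictable port allocation makes the NAT easier to probe from outside.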
A New Perspective

* SRX Series Services Gateways
  + Integrated security and network features with robust Dynamic Services Architecture

A New Perspective

The graphic on the slide illustrates how devices with strong routing and firewall features can be positioned at network boundaries. Remote offices can deploy SRX Series branch platforms running JUNOS Software to provide both routing and security. The SRX Series Services Gateway at the enterprise headquarters in this example also provides routing and security in a dense, modular chassis. The Dynamic Services Architecture allows SRX Series Services Gateways to leverage new services with appropriate processing capabilities without sacrificing overall system performance. SRX Series Services Gateways are next-generation systems designed to meet the network and security requirements of the enterprise and service provider infrastructure and to facilitate data center consolidation, rapid managed services deployment, and security services aggregation.
SRX Series High-End Platform Overview

* High-performance, modular chassis
  + Firewall throughput ranging from 20 Gbps to 120 Gbps
* Components:
  + IOC: Input/Output Card
  + NPC: Network Processing Card
  + SPC: Services Processing Card
  + SCB: Switch Control Board
  + RE: Routing Engine

SRX Series High-End Systems

The Juniper Networks SRX Series Services Gateways for the high end are next-generation services gateways based on a revolutionary new architecture that provides market-leading scalability and service integration. These devices are ideally suited for large enterprise and service provider networks:
  + Securing large enterprise data centers;
  + Securing service provider and colocated data centers;
  + Aggregating departmental or segmented security solutions; and
  + Securing managed services and core service provider infrastructure.

Based on the Dynamic Services Architecture, the SRX Series provides unrivaled scalability. Each services gateway can support almost linear scalability with each additional Services Processing Card (SPC), enabling a fully equipped SRX5800 to support more than 120 Gbps of firewall throughput. The SPCs are designed to support a wide range of services, enabling future support of new capabilities without the need for service-specific hardware. Using SPCs for all services ensures that no resources are stranded based on the specific services being used, maximizing the utilization of the equipped hardware.

The scalability and flexibility of the SRX5000 and SRX3000 lines of services gateways is supported by equally robust interfaces. The SRX Series high-end line employs a modular approach to interfaces, where the chassis can be equipped with a variable number of input/output cards (IOCs).

With the IOCs sharing the same interface slots as the SPCs, you can configure the gateway to support the ideal balance of processing, input, and output ports. You can tailor each deployment of the SRX Series to specific network requirements. With this flexibility, you can configure the SRX5800 to support more than 400 Gigabit Ethernet ports, with choices of Gigabit Ethernet or 10-Gigabit Ethernet.

The feature integration on the SRX Series is enabled by Juniper Networks JUNOS Software. By combining the routing heritage of JUNOS Software and the security heritage of ScreenOS, the SRX Series is equipped with a robust set of features that includes firewall, intrusion detection and prevention (IDP), denial of service (DoS) protection, Network Address Translation (NAT), and quality of service (QoS).

SRX Series High-End System Components

The SRX Series line of high-end systems includes the following integral components:
  + Input/output card (IOC): To provide the most flexible solution, the SRX Series employs the same interface slots for the SPCs and IOCs. With the ability to install an IOC or an SPC in a given slot, the SRX Series can be equipped to support the ideal balance between interfaces and processing capabilities.
  + Network Processing Card (NPC): To ensure maximum processing performance and flexibility, the SRX3000 line uses NPCs to route inbound and outbound traffic to the appropriate SPCs and IOCs, to apply QoS, and to enforce DoS and distributed DoS (DDoS) protections. In the SRX5000 line, the NPCs are integrated into the IOC. Note that a minimum of one NPC must be installed in platforms in the SRX3000 line to ensure proper function.
  + Services Processing Card (SPC): SPCs are designed to process all traffic services on the gateway. Without the need for dedicated hardware for specific services to operate, no instances exist in which a piece of hardware is taxed to the limit while other hardware is sitting idle. The processing capabilities of the SPCs are dedicated to processing all configured services on the gateway. Note that a minimum of one SPC must be installed in an SRX Series high-end system to ensure proper function.
  + Switch Control Board (SCB): The SCB monitors and controls system functions and provides the interconnections to the IOCs within the chassis through the switch fabric integrated into the SCB. At least one SCB is required for the system to function. Two or three SCBs increase capacity or provide redundancy, depending on the specific platform.
  + Routing Engine (RE): The RE is an Intel-based PC platform that runs routing tables, manages the routing protocols, controls some chassis components, and provides the interface for system management and user access to the device.

For more information on specific SRX Series high-end system models and hardware, visit the Juniper Networks Web site for technical publications at http://www.juniper.net/techpubs/.
Physical Packet Flow (High-End)

Physical Packet Flow for High-End Security Platforms

The slide illustrates physical packet flow through a high-end security platform running JUNOS Software. The packet flow coverage includes the SRX5000 and the SRX3000 lines of products.

Physical packet flow through a high-end security platform proceeds through the following sequence of steps:

1. A packet enters the security platform through the IOC. (Step 1b: oversubscription control applies at the IOC.)
2. The packet traverses the switch fabric from the IOC to the NPC. (In the SRX5000 line of products, the NPC is integrated with the IOC.) The NPC performs a flow lookup. If the packet belongs to an existing flow, the NPC forwards the packet to the SPC associated with the packet's session. If the flow does not currently exist, the NPC installs a new session for the flow and assigns the flow to an SPC for processing. The NPC also performs QoS policing and shaping.
3. The packet traverses the switch fabric to its associated SPC, where security processing and forwarding (or routing) occurs.
4. The packet traverses the switch fabric back to an NPC, where additional packet processing such as shaping and QoS occurs.
5. The packet traverses the switch fabric to the IOC with the egress interface and then to the attached physical medium.
SRX Series Branch Platforms Overview

* Switching, routing, and security for the branch office
  + Firewall throughput ranging from 75 Mbps to 7 Gbps
* Components:
  + Multicore system-on-a-chip network processing unit
  + PIM: Physical Interface Module
  + SRE: Services and Routing Engine
    - SRX650 only

SRX Series Branch Devices

Juniper Networks SRX Series Services Gateways for the branch provide essential capabilities that connect, secure, and manage workforce locations sized from handfuls to hundreds of users. By consolidating fast, highly available switching, routing, security, and applications capabilities in a single device, enterprises can economically deliver new services, safe connectivity, and a satisfying end user experience.

SRX Series for the branch operates with JUNOS Software, the proven operating system used by the Internet routers of most of the top 100 service providers in the world. The rigorously tested carrier-class routing features of IP version 4 (IPv4), IP version 6 (IPv6), OSPF, BGP, and multicast have been proven over 10 years of worldwide deployment.

SRX Series Services Gateways for the branch provide perimeter security, content security, access control, and network-wide threat visibility and control. Best-in-class firewall and VPN technologies secure the perimeter with minimal configuration and consistent performance. By using zones and policies, even new network administrators can configure and deploy an SRX Series branch services gateway quickly and securely. Policy-based VPN support enables complex security architectures that require dynamic addressing and split tunneling. For content security, SRX Series for the branch offers a complete suite of Unified Threat Management (UTM) services consisting of intrusion prevention system (IPS), antivirus, antispam, Web filtering, and data loss prevention through content filtering to protect your network from the latest threats.

Select models feature a Content Security Accelerator for high-performance IPS and antivirus inspection. JUNOS security platforms for the branch integrate with other Juniper Networks security products to deliver enterprise-wide unified access control and adaptive threat management. These capabilities give security professionals powerful tools in the fight against cybercrime and data loss.

Branch Platform System Components

The SRX Series line of JUNOS security platforms for the branch includes the following integral components:
  + Multicore processing unit: The processing unit uses multiple hardware threads to provide data plane services using flow services, and control plane services, on the branch devices. The SRX branch line of platforms uses a system-on-a-chip (SoC) multicore processor that provides the control and data plane functions as well as additional services such as Ethernet controller technology and a cryptographic engine.
  + Physical Interface Modules (PIMs): The SRX Series line of branch and enterprise devices provides various modular interfaces known as PIMs. The modular support includes 10/100 Ethernet, 10/100/1000 Ethernet, Gigabit Ethernet, T1/E1, T3/E3, ISDN, serial, ADSL, and G.SHDSL interfaces, depending on the model. Some SRX Series branch models also contain an ExpressCard slot for use with a wireless card to serve as a backup for primary interfaces. Select models contain Power over Ethernet (PoE) enabled ports.
  + Services and Routing Engine (SRE): The SRE, a field-replaceable unit in the SRX650, houses the processing unit and provides processing power for security services, routing protocol processes, and other software processes that control the services gateway interfaces, some of the chassis components, system management, and user access to the device.

For more information on specific JUNOS security platform branch models and hardware, visit the Juniper Networks Web site for technical publications at http://www.juniper.net/techpubs/.
Physical Packet Flow (Branch Devices)

* CPU performs most control and data plane processing using separate hardware cores

Physical Packet Flow for Branch Security Platforms

On SRX Series branch gateways, control and data plane separation is maintained using multiple threads on multiple cores within the processor. One hardware core is used for control plane functions. Packets ingress the device through built-in ports or PIM ports. On some branch devices, local switching occurs at the switch so that the CPU or the NPU is not burdened with switched traffic. As a result, security services such as security policy and IDP are not available for locally switched traffic. The switch performs CoS classification and traffic policing, then passes non-locally-switched packets to the processor, where security services, routing lookup, and forwarding take place. Depending on the branch device, egress packets are then sent to the appropriate interface by means of the switch.

Depending on the device type, the CPU might perform hardware session setup and cryptographic acceleration. Some branch devices are equipped with a separate regular expression (regex) content processor to provide hardware-based pattern matching for IDP and antivirus inspection.
Agenda: Introduction to JUNOS Security Platforms

* Traditional Routing
* Traditional Security
* Breaking the Tradition
* JUNOS Software Architecture

JUNOS Software Architecture

The slide highlights the topic we discuss next.
JUNOS Security Platforms Versus a Traditional Router

* JUNOS Software for security platforms starts off as completely secure
  + No traffic permitted
* A traditional router starts off as completely vulnerable
  + All traffic forwarded

JUNOS Security Platforms Versus a Traditional Router

The traditional router and a JUNOS security platform have completely different starting points with respect to security and traffic.

The traditional router eagerly forwards traffic. Thus, the network is vulnerable to all threats. You add security policies to reduce vulnerability until you reach the ideal configuration. Because the traditional router begins as completely promiscuous and requires that you add security policies, a greater chance exists that the network will remain vulnerable to some threats.

An SRX Series Services Gateway running JUNOS Software begins by forwarding no traffic. The network is secure but restricted. You add rules to allow traffic until you reach the ideal configuration. Because a JUNOS security platform begins by forwarding no traffic and because you must add rules to allow each flow explicitly, the chance that the network remains exposed to unintended traffic is greatly reduced.
JUNOS Software for Security Platforms

* JUNOS Software for security platforms provides routing and security
  + Best-in-class high-performance firewall derived from ScreenOS software, including security policies and zones
  + IPsec VPNs
  + IDP integration

[Figure: SRX210 Services Gateway and SRX5800 Services Gateway]

JUNOS for Security Platforms Merges Routing and Security

The new features of JUNOS for security platforms bring rich core security capabilities to JUNOS Software. Because the software architecture is session based, security features are tightly integrated into the forwarding plane, improving security performance. Session-based forwarding and stateful firewall features derive from Juniper Networks ScreenOS software.

JUNOS security platforms incorporate ALG functionality, IPsec VPN, and screen protection features as modules within JUNOS Software. Juniper Networks' world-class IDP technology is fully integrated into JUNOS for security platforms. We describe these features in detail later in this course.
JUNOS Software Features (1 of 2)

* JUNOS Software for security platforms includes the following elements:
  + JUNOS Software as the base operating system
  + Session-based forwarding
  + Some ScreenOS-like security features
* Packet-based features:
  + Control plane OS
  + Routing protocols
  + Forwarding features:
    - Per-packet stateless filters
    - Policers
    - CoS
  + J-Web

JUNOS Software Elements

SRX Series Services Gateways use JUNOS Software as the base operating system. As such, these devices inherit all the industry-proven processes of JUNOS Software such as the routing process, the management process, the device control process, and others. Another building element of JUNOS Software for security platforms is session-based forwarding, which results in a rich set of security features.

Packet-Based JUNOS Forwarding

The JUNOS Software-based control plane, the routing protocol process implementation, per-packet stateless filters, policers, and CoS functions are all packet based. Furthermore, other non-security-related features, such as all interface encapsulations and decapsulations, are industry-proven JUNOS Software. You can configure SRX Series Services Gateways through the CLI or through J-Web, the JUNOS Software-based graphical user interface (GUI).
JUNOS Software Features (2 of 2)

* Session-based features:
  + Implement some ScreenOS features and functionality through the flow-based architecture
    - The first packet of a flow triggers session creation based on the six-element flow identifier
    - The cached session is used by both the forward and the reverse flow
* Zone-based security features:
  + A packet on the incoming interface associates with the incoming zone
  + A packet on the outgoing interface associates with the outgoing zone
* Core security features:
  + Firewall, VPN, NAT, ALG, IDP, and SCREEN options

Session-Based Forwarding

JUNOS Software for security platforms leverages ScreenOS software's security features as well as its flow-based nature. The first packet entering the device follows a series of path and policy determination steps. JUNOS Software caches the session information, the creation of which is triggered by the first packet of the flow. The cached session is used by subsequent packets of that same flow and by the reverse flow of that session. The flow modules, which are integrated into the forwarding path, allow the hardware to perform data plane packet forwarding. Because JUNOS Software for security platforms is zone based, all IPv4 packets entering the services gateway on an interface associate with an incoming zone. Likewise, all IPv4 packets leaving the device on an interface associate with an outgoing zone. JUNOS Software for security platforms adds a bundle of high-security features to the packet-based features of a router, including stateful firewall, VPN, NAT, ALG, IDP, and SCREEN options.
Control Plane Versus Data Plane

* Control plane:
  + Implemented on the RE or SRE
  + JUNOS Software kernel, processes, chassis management, user interface, routing protocols, system monitoring, clustering control
* Data plane:
  + Implemented on the IOCs, NPCs, and SPCs
  + Implemented on the CPU/NPU and PIMs for branch platforms
  + Forwarding packets, session setup and maintenance, load balancing, security policy, SCREEN options, IDP, VPN

Control Plane

The control plane on a JUNOS security platform is implemented using the Routing Engine. The control plane consists of the JUNOS Software kernel, various processes, chassis management, the user interface, routing protocols, and some security features. Many of the security features resemble ScreenOS features, including the network security process, the VPN process, the authentication process, and Dynamic Host Configuration Protocol (DHCP). For its control plane, JUNOS Software for security platforms deploys these features along with well-known, traditional JUNOS Software features.

Data Plane

The data plane on JUNOS security platforms, implemented on IOCs, NPCs, and SPCs for high-end devices and on CPU cores and PIMs for branch devices, consists of JUNOS Software packet handling modules compounded with the flow engine session management that is the core of the ScreenOS software. The flow-based packet processing ensures that one single thread exists for the packet flow processing associated with a given flow. Real-time processes enable JUNOS Software to perform session-based packet forwarding.
Logical Packet Flow
Logical Packet Flow Details
JUNOS security platforms handle an incoming packet as follows:
1. The software applies stateless policing filters and CoS classification to the packet on the ingress interface.
2. If the packet is not dropped, the software performs a session lookup to determine whether the packet belongs to an existing session. JUNOS Software uses six match criteria for this determination: source IP address, destination IP address, source port number, destination port number, protocol number, and a session token.
3. If the packet does not match an existing session, the software creates a new session for it. This process is referred to as first path processing. If the packet matches a session, the software performs fast path processing.
Logical Packet Flow Details (cont'd)
The first packet of a flow is subject to first path processing. The software takes the following steps during first packet path processing:
4. Based on the protocol used and its session timer (TCP or UDP), the software sets a session timeout. For TCP sessions, the default timeout is 30 minutes. For UDP sessions, the default timeout is 1 minute. These values are the defaults, and you can change them.
5. The software applies firewall SCREEN options.
6. If destination NAT is used, the software performs address allocation.
7. Next, the software performs the route lookup.
Packet Flow Example (3 of 3)
= Example:
4. Permitted by policy?
+ Yes
5. Action: add to session table
Packet Flow Example: Part 3
The following is a continuation of the flow from the previous pages:
4. The packet from host 10.20. is an HTTP packet. This packet matches the policy statement on the slide; the action for this particular type of traffic is permit.
5. The SRX Series Services Gateway adds the flow information to the session table. At the same time, a return flow is automatically created and installed in the session table.
6. The SRX Series Services Gateway then forwards the packet out interface ge-1/0/0 (as determined by the destination route). JUNOS Software now holds the processing vectors for this particular session, so subsequent packets of the flow pass without any further policy evaluation.
Summary
= In this chapter we discussed:
+ Traditional routing and security
+ The current trends in internetworking
+ SRX Series overview
+ JUNOS Software for the SRX Series
+ Physical and logical packet flow through SRX Series devices
This Chapter Discussed:
+ Traditional routing and security implementation;
+ Current trends in internetworking;
+ SRX Series Services Gateways;
+ JUNOS Software for the SRX Series; and
+ Physical and logical packet flow through a JUNOS security platform.
Review Questions
1. What type of packet processing do traditional routers provide?
2. What type of packet processing do traditional firewalls provide?
3. What are two main differences between JUNOS Software for security platforms and traditional JUNOS Software?
4. How is the first packet of a session handled differently than subsequent packets of the same session?
JUNOS for Security Platforms
Chapter 3: Zones
Chapter Objectives
= After successfully completing this chapter, you will be able to:
+ Describe a zone and its purpose
+ Define types of zones
+ Explain the application of zones
+ Configure zones
+ Monitor zones
This Chapter Discusses:
+ Types of zones;
+ Application of zones;
+ Configuring zones; and
+ Monitoring zones.
Agenda: Zones
> The Definition of Zones
* Zone Configuration
* Monitoring Security Zones
The Definition of Zones
The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.
What Is a Zone?
= A zone is a collection of one or more network segments sharing identical security requirements
* Security policies control transit traffic between zones
+ Null zone:
* Default zone
+ Drops all traffic
+ Interfaces can pass and accept traffic only if assigned to non-Null zones
+ Exception for special interfaces like fxp0
Zone Definition
A zone is a collection of one or more network segments sharing identical security requirements. To group network segments within a zone, you must assign logical interfaces from the device to a zone.
Traffic Regulation Through a JUNOS Security Platform
Zones enable network security segregation. Security policies are specified between zones and regulate traffic through the JUNOS security platform. By default, all interfaces belong to the Null Zone. All traffic to or from the Null Zone is dropped. Special interfaces, including the fxp0 management Ethernet interface present on some SRX platforms, chassis cluster fabric interfaces, and internal interfaces, cannot be assigned to a zone.
Review: Packet Flow
Focus of this chapter
Review: Packet Flow
Recall the packet flow through a JUNOS security platform. Specifically, once the packet enters the flow module, the device examines it to determine whether it belongs to an already established session. Recall that JUNOS Software matches on six elements that identify a session: source IP address, destination IP address, source port number, destination port number, protocol number, and a session token.
This chapter focuses on defining, configuring, and monitoring zones.
Hierarchical Dependencies (1 of 2)
* A strict hierarchical linkage exists between zones and interfaces
+ You assign logical interfaces to a zone
+ You cannot assign a logical interface to multiple zones
+ You can also assign logical interfaces to a routing instance
+ You cannot assign a logical interface to multiple routing instances
+ All zone logical interfaces must belong to the same routing instance
+ Exception: when the "interfaces all" statement is configured
Zones and Interfaces
You can assign one or more logical interfaces to a zone. You can also assign one or more logical interfaces to a routing instance. You cannot assign logical interfaces to multiple routing instances. You must also ensure that a zone's logical interfaces are in a single routing instance. Violating any of these restrictions results in a configuration error, as shown in the following example:
[edit security zones security-zone trust]
user@host# set interfaces ge-0/0/2.0
interface ge-0/0/2.0 already …
Zones and Interface Assignments (cont'd.)
The one exception to the rule is when interfaces are added to a zone using the interfaces all configuration option. In that case, interfaces can belong to multiple routing instances.
Hierarchical Dependencies (2 of 2)
= Relationship between interfaces, zones, and routing instances
Interfaces, Zones, and Routing Instances
The slide shows the relationships between interfaces, zones, and routing instances. Logical interfaces are connections to specific subnets. Zones are logical groupings of logical interfaces with a common security requirement, and a logical interface can belong to only one zone. Zone configuration can be as simple as a two-zone setup, where all interfaces connected to the internal network are in one zone and all interfaces connected to the external world are in a different zone. A more complicated configuration might divide interfaces based on internal department or function, in addition to external and demilitarized zone (DMZ) connections.
A physical device can be broken up into multiple routing instances. A routing instance is a logical routing construct within a single running JUNOS Software. Each routing instance maintains its own routing table and forwarding table. A routing instance can contain one or more zones, which cannot be shared with other routing instances.
Zone Types
Zone Types
The zones within JUNOS Software can be subdivided into two categories: user-defined and system-defined. You can configure user-defined zones, but you cannot configure system-defined zones. You can subdivide the user-defined category into security and functional zones. We cover user-defined and system-defined zones in detail on the next few pages.
Security Zones
= Security zones:
+ A collection of one or more network segments requiring the regulation of inbound and outbound traffic through the use of policies
+ Used by traffic destined for the device itself
+ Used by transit traffic
+ Intrazone and interzone transit traffic flows require security policies
+ No defined default security zones
+ Cannot share between routing instances
Security Zones
A security zone is a collection of one or more network segments requiring regulation of inbound and outbound traffic through the use of policies. Security zones apply to transit traffic as well as to traffic destined for any interface belonging to the security zone. You need one or more security policies to regulate intrazone and interzone traffic. Note that JUNOS Software does not have any default security zones, and you cannot share a security zone between routing instances.
Functional Zones
* Functional zones are special-purpose zones
+ Only one purpose for now: Management Zone
+ Used for out-of-band device management
+ Cannot specify in policies
+ The Management Zone does not pass traffic
+ Can define only one Management Zone
Functional Zones
Functional zones are special-purpose zones that cannot be specified in security policies. Note that transit traffic does not use functional zones. While the fxp0 management Ethernet interface is out-of-band by default, the Management Zone allows you to give other network interfaces the same behavior as the management Ethernet interface.
System-Defined Zones
= Null Zone
+ Unconfigurable
+ Every interface belongs to the Null Zone by default
+ When you delete an interface from a zone, it goes into the Null Zone pool
+ JUNOS Software rejects all traffic to and from an interface belonging to the Null Zone
Null Zone
Currently there is only one system-defined zone, the Null Zone. By default, an interface belongs to the Null Zone. You cannot configure the Null Zone. When you delete an interface from a zone, the software places it back into the Null Zone. JUNOS Software rejects all traffic to and from interfaces belonging to the Null Zone.
Factory-Default Zones
= Applicable only to branch security platforms
* Configuration template defines two security zones:
+ trust, with interface ge-0/0/0.0 belonging to it
+ untrust
Branch Platforms
JUNOS security platforms for the branch ship with a factory default template configuration that includes security zones. SRX high-end platforms do not contain zones in the factory-default template configuration and, therefore, you must configure the required zones manually.
Factory Default Configuration
In branch devices, the factory default configuration defines two security zones: trust and untrust. In the template configuration, ge-0/0/0.0 belongs to the trust zone. In addition, the factory default configuration includes a security policy permitting all transit traffic within the trust zone and from the trust zone to the untrust zone. The security policy denies any traffic from the untrust zone to the trust zone. We discuss security policies in further detail in a subsequent chapter. The zone names trust and untrust have no system-defined meaning. Like any entries defined in the configuration, you can modify or delete them. You can revert a JUNOS Software branch platform to its factory default configuration by entering the load factory-default command from the top of the configuration hierarchy.
Agenda: Zones
= The Definition of Zones
> Zone Configuration
= Monitoring Security Zones
Zone Configuration
The slide highlights the topic we discuss next.
Zone Configuration Procedure
= Steps:
* Define a security or a functional zone
+ Add logical interfaces to the zone
* Optionally, add services and protocols needing permission into the device through the interfaces belonging to the zone
+ If you omit this step, the SRX Series device permits no traffic destined for itself
Zone Configuration Procedure
Zone configuration involves the following steps:
+ Define a security or a functional zone;
+ Add logical interfaces to the zone; and
+ Optionally, define some combination of the services and protocols allowed into the device through the interfaces belonging to the zone. If you omit this step, all traffic entering through the zone's interfaces destined for the device is rejected.
Defining a Zone
= Enter configuration mode:
= Define a security zone or a functional zone:
-OR-
= Functional zone specifics:
+ You can define one type: management
+ It does not have a user-defined name
Configuration Mode
To define a zone, you must enter configuration mode, as illustrated on the slide.
Defining a Zone Type
Once you enter configuration mode, you can define a zone type. Recall that you can configure only two types of zones: functional, which serves as the device management zone only (no transit traffic is permitted), and security. You define zones under the security configuration stanza. Note that security zone names are user-defined and can contain any standard characters, like any other variable name in JUNOS Software.
Functional Zone Specifics
The following are two important configuration characteristics of the functional zone:
1. You can define only one type of functional zone: management; and
2. The functional zone does not have a user-defined name.
Adding Logical Interfaces to the Zone
* Add logical interfaces to a zone:
+ Security zone:
+ Functional zone:
Adding Logical Interfaces to the Zone
Now you are ready to add logical interfaces to the zone. The slide illustrates two variations. The first example illustrates adding interface ge-0/0/1.0 to the security zone named HR, and the second example illustrates adding interface ge-0/0/1.100 to the functional management zone. If you omit the specification of the logical unit in the interface name, JUNOS Software assumes unit 0. Also, you can assign all interfaces to a zone by using the keyword all. Should you choose to assign all interfaces to a zone, you will not be able to assign any interface to another zone.
Local Host Traffic (1 of 3)
= A JUNOS security device does not allow traffic destined to itself by default
+ Use the host-inbound-traffic statement to allow specific traffic destined to the device coming from a particular zone or interface
+ A JUNOS security platform always allows all outbound traffic sourced from itself
Specifying Types of Traffic Permitted into the Device: Part 1
By default, traffic destined for a JUNOS security platform is not permitted. You can specify the types of traffic allowed into the device using the host-inbound-traffic configuration option, either under a specified zone or under an interface configured within a zone.
Local Host Traffic (2 of 3)
= host-inbound-traffic statement choices:
+ system-services: Specifies allowed services into the device through the interfaces belonging to a zone
+ Telnet, SSH, DNS, ping, SNMP, and others
+ Specify the all option to allow all services on their respective ports
+ Specify the any-service option to allow all services and open all ports
* protocols: Specifies allowed protocols into the device through the interfaces belonging to a zone
+ BFD, BGP, LDP, OSPF, RIP, PIM, and others
+ Specify the all option to allow all protocols defined in JUNOS Software
+ Can use the except keyword to isolate exceptions
Specifying Types of Traffic Permitted into the Device: Part 2
When selecting the types of traffic permitted into a JUNOS security platform, you use some combination of the system-services and protocols configuration options. JUNOS Software provides you with the ability to permit all system services and protocols on their respective ports with the help of the all keyword. To open all ports for services, use the any-service keyword. In addition, you can define exceptions to the permitted list of protocols or system services with the help of the except keyword. The examples on the following pages illustrate the use of the syntax.
Specifying Types of Traffic Permitted into the Device: Part 2 (cont'd)
You can specify any of the following system services:
[edit security zones]
user@host# set security-zone HR host-inbound-traffic system-services ?
Possible completions:
  …
  https                Web management service using HTTP secured by SSL
  ident-reset          Send back TCP RST to IDENT request for port 113
  …
  snmp-trap            Simple Network Management Protocol traps
  …
Specifying Types of Traffic Permitted into the Device: Part 2 (cont'd)
You can specify any of the following protocols:
[edit security zones]
user@host# set security-zone HR host-inbound-traffic protocols ?
Possible completions:
  …
  bfd                  Bidirectional Forwarding Detection
  bgp                  Border Gateway Protocol
  igmp                 Internet Group Management Protocol
  …
  rip                  Routing Information Protocol
  router-discovery     Router Discovery
  …
Local Host Traffic (3 of 3)
= Configuration hierarchy
* Can configure the statement under the entire zone stanza
+ Can configure the statement under an interface stanza within a zone
+ Interface-level configuration overrides the zone-level configuration
Specifying Types of Traffic Permitted into the Device: Part 3
You can specify allowed traffic either at the zone level or at the interface level within a zone. As with any configuration in JUNOS Software, the precedence rule of "more specific configuration takes precedence" applies here as well. In other words, interface-level configuration (as it is more specific) overrides the zone-level configuration. In the example on the slide, only HTTP system services are allowed on interface ge-0/0/1, although the zone accepts all system services.
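The zone-level versus interface-level precedence described above, as an added configuration example that is not from the student guide. The zone name HR, the interface names, and the chosen services are assumptions for illustration; the hierarchy at the end is the structured form of the same statements.

```junos
## Added example, not from the student guide. Zone name, interfaces and
## services are assumed for illustration.
[edit security zones]
## Security zone HR with two logical interfaces (unit 0 assumed when omitted)
user@host# set security-zone HR interfaces ge-0/0/1.0
user@host# set security-zone HR interfaces ge-0/0/2.0
## Zone level: every system service except telnet, plus the OSPF protocol
user@host# set security-zone HR host-inbound-traffic system-services all
user@host# set security-zone HR host-inbound-traffic system-services telnet except
user@host# set security-zone HR host-inbound-traffic protocols ospf
## Interface level is more specific, so it replaces the zone list for
## ge-0/0/2.0: only HTTPS management and ping may reach the device there
user@host# set security-zone HR interfaces ge-0/0/2.0 host-inbound-traffic system-services https
user@host# set security-zone HR interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
## Functional zone: only one exists (management) and it has no user-defined name
user@host# set functional-zone management interfaces ge-0/0/1.100
user@host# set functional-zone management host-inbound-traffic system-services ssh
## Removing an interface from the zone returns it to the Null Zone, where
## all traffic to and from it is rejected:
##   user@host# delete security-zone HR interfaces ge-0/0/1.0
user@host# commit

## The same security zone in hierarchical form:
security-zone HR {
    host-inbound-traffic {
        system-services {
            all;
            telnet {
                except;
            }
        }
        protocols {
            ospf;
        }
    }
    interfaces {
        ge-0/0/1.0;
        ge-0/0/2.0 {
            host-inbound-traffic {
                system-services {
                    https;
                    ping;
                }
            }
        }
    }
}

## Verification from configuration mode: zone membership and the per-interface
## list of allowed host-inbound services and protocols
user@host# run show security zones
user@host# run show interfaces ge-0/0/2.0 extensive
```

With this configuration, SSH or telnet aimed at the address on ge-0/0/2.0 is rejected even though the zone-level list allows SSH, while the same services are accepted on ge-0/0/1.0.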
Check Your Knowledge (1 of 3)
* What does the following configuration do?
Check Your Knowledge: Part 1
The slide shows an example of zone configuration. What types of traffic are allowed into the specified zone and interfaces?
Check Your Knowledge (2 of 3)
= What does the following configuration do?
Check Your Knowledge: Part 2
The slide shows another example of zone configuration. What types of traffic are allowed into the specified zone and interfaces?
Check Your Knowledge (3 of 3)
= What services can enter the device through interfaces ge-0/0/0.0 and ge-0/0/1.0?
Check Your Knowledge: Part 3
The slide shows the third example in the series. What does this configuration do?
Agenda: Zones
= The Definition of Zones
* Zone Configuration and Applicability
> Monitoring Security Zones
Monitoring Security Zones
The slide highlights the topic we discuss next.
Monitoring Zones
= The show security zones command provides information about:
+ Zone types
* Zone names
+ Number of interfaces bound to corresponding zones
+ Interface names bound to corresponding zones
Monitoring Zones
Use the show security zones command for zone monitoring. The command provides information on the zone type and name along with the number and names of the interfaces bound to each zone.
Monitoring Traffic Permitted into Interfaces (1 of 2)
Additional interface-specific zone information is available by using the show interfaces interface-name extensive command.
Monitoring Traffic Permitted into Interfaces: Part 1
Using the show interfaces interface-name extensive command enables you to view zone specifics. The command displays information on the permitted protocols and system services allowed into the device through the corresponding interface. In addition, the command provides flow statistics through the interface.
Monitoring Traffic Permitted into Interfaces (2 of 2)
Monitoring Traffic Permitted into Interfaces: Part 2
The slide provides the continuation of the output from the previous page.
Summary
= In this chapter, we:
+ Described zones and their purpose
+ Defined types of zones
+ Explained the application of zones
+ Described zone configuration
+ Described zone monitoring
This Chapter Discussed:
+ Zones and their purpose;
+ Types of zones;
+ Application of zones;
+ Zone configuration; and
+ Zone monitoring.
Review Questions
1. What is the purpose of a zone?
2. What zone types exist in JUNOS security platforms? Describe the applicability of each zone type.
3. What steps are necessary to configure a zone?
4. How can you specify the types of traffic to be allowed into a JUNOS security platform?
Lab 1: Configuring and Monitoring Zones
Perform initial setup and tasks normally associated with zone configuration and monitoring.
Lab 1: Configuring and Monitoring Zones
The slide provides the objective for this lab.
JUNOS for Security Platforms
Chapter 4: Security Policies
Chapter Objectives
= After successfully completing this chapter, you will be able to:
+ Explain security policy functionality
+ Describe the components of a security policy
+ Configure a basic security policy using the following elements:
+ Policy match conditions
+ Policy actions: basic and advanced
+ Policy scheduling
+ Verify policies and monitor their execution
This Chapter Discusses:
+ Security policy functionality;
+ Components of a security policy;
+ Configuring security policy; and
+ Verification and monitoring of security policies.
Agenda: Security Policies
> Security Policy Overview
* Policy Components
* Verifying Policy Operation
* Policy Scheduling and Rematching
* Policy Case Study
Overview of Security Policy
The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.
Security Policy Defined
= What is a security policy?
+ A set of rules that tells a JUNOS security platform what to do with transit traffic between zones and within a zone
What Is a Security Policy?
A security policy is a set of statements that controls traffic from a specified source to a specified destination using specified services. If a packet arrives that matches those specifications, the SRX Series device performs the action specified in the policy.
Network security policies are only valuable when they are backed by secure network functionality. Network security policies outline all network resources within a business and the required security for each resource. JUNOS Software policies are a set of tools to implement network security within your organization. Security policies enforce a set of rules for transit traffic, identifying which traffic can pass through the firewall and the actions taken on the traffic as it passes through the firewall.
Focus of this chapter
Review: Packet Flow
The slide reviews packet flow through the flow module of a JUNOS security platform. When the device examines the first packet of a flow, it determines the corresponding security policy context based on the incoming and outgoing zones, and it performs a security policy lookup. The software checks the packet against the defined policies to determine the action to take. In this chapter, we focus on the security policies portion of JUNOS Software.
Transit Traffic Examination
= JUNOS Software for security platforms always examines transit traffic by using security policies
Transit Traffic Examination
JUNOS Software for security platforms always examines transit traffic by using security policies, as illustrated on the slide. Should no match exist in the security policies, the default security policy applies to the packet. We highlight the default security policy on a following page.
Local Inbound Traffic Examination
* host-inbound-traffic follows this process:
host-inbound-traffic Examination
For traffic whose destination is the device's incoming interface, security policies are not applicable. The only examination that takes place is that of the list of services and protocols allowed at that location using the host-inbound-traffic statement within a zone definition (see Chapter 3, "Zones", for details).
JUNOS Software examines security policies if the traffic destination is any interface other than the incoming interface. This process is the same regardless of whether the incoming interface and the destination interface are in the same zone (intrazone traffic) or in different zones (interzone traffic).
The flowchart on the slide illustrates the order of packet examination. When the device receives traffic destined to itself, it examines whether the destination of the traffic is the incoming interface. If so, it skips the policy examination. Otherwise, the corresponding security policies are examined. If no policy match exists for the traffic, the default policy action applies. We discuss the default security policy on the next slide. If the traffic matches a security policy that permits it, the device then examines the list of services and protocols allowed into the destination interface within the corresponding zone, and applies the corresponding action.
Default Security Policies
* System-default security policy: deny all traffic through the device
+ You can change the default policy to permit all traffic
* Factory-default template security policies (branch devices only)
+ Trust to trust: permit all
+ Trust to untrust: permit all
+ Untrust to trust: deny all
System Default Security Policy
By default, JUNOS Software denies all traffic through an SRX Series device. In fact, an implicit default security policy exists that denies all packets. You can change this behavior by configuring a standard security policy that permits certain types of traffic, or by configuring the default policy to permit all traffic, as shown in the following screen capture:
[edit security policies]
user@host# set default-policy permit-all
Factory Default Security Policies
The factory default template configuration file on branch security platforms has three preconfigured security policies (not to be confused with the system default security policy discussed in the previous paragraph):
1. Trust-to-trust zone policy: Permits all intrazone traffic within the trust zone;
2. Trust-to-untrust zone policy: Permits all traffic from the trust zone to the untrust zone; and
3. Untrust-to-trust zone policy: Denies all traffic from the untrust zone to the trust zone.
Security Policy Conceptual Example
Steps:
1. Host B initiates SSH to Host D: flow B > D
2. Security policy permits that flow
3. The flow triggers reverse flow creation; both flows result in a formed session
4. The return traffic, Host D > Host B, receives permission also
Security Policy Conceptual Example
We now examine an example of packet flow through a JUNOS security platform. The device's interfaces are separated into three security zones: external, private, and public. The business requirement calls for an SSH application to be allowed from Host B, located in the private zone, to Host D, located in the external zone. To meet the requirement, we create the security policy illustrated on the slide.
The following is the sequence of events that take place:
1. Host B initiates the SSH session to Host D.
2. The JUNOS security device receives the traffic and examines it using its security policies from the private zone to the external zone. The security policy permits that traffic.
3. The traffic from Host B to Host D triggers the creation of the reverse flow from Host D to Host B. The device installs the content of this newly formed session, consisting of two flows: source to destination and destination to source.
4. Host D sends the return traffic to Host B. The device, using the created session, permits the return traffic through to Host B.
Policy Ordering
= Ordering:
+ Order is important
+ By default, new policies go to the end of the list
+ Can change the order using the insert command
+ Remember the system default policy
[edit security policies from-zone zone-name to-zone zone-name]
user@host# insert policy policy-name before | after policy policy-name
Policy Ordering
Because policies execute in the order of their appearance in the configuration file, you should be aware of the following:
+ Policy order is important;
+ New policies go to the end of the policy list;
+ You can change the order of policies in the configuration file using the JUNOS Software insert command; and
+ The last policy is the default policy, which has the default action of denying all traffic.
Editing Security Configurations
* Like any other JUNOS Software configuration stanza, you can perform the following actions on the security configuration components:
= Delete
+ Deactivate
+ Activate
* Insert
+ Annotate
+ Copy
+ Rename
+ Search and replace
Editing Security Configurations
Like any other JUNOS Software configuration stanza, you can delete, deactivate, activate, insert, annotate, and copy security policies.
Agenda: Security Policies
* Security Policy Overview
> Policy Components
* Verifying Policy Operation
* Policy Scheduling and Rematching
* Policy Case Study
Policy Components
The slide highlights the topic we discuss next.
Policy Language
= You create policies under a context
+ from-zone zone-name to-zone zone-name
+ Set under the [edit security policies] hierarchy
* Each policy:
* Identified by user-defined name
+ Composed of a match statement and a then statement
+ Match criteria must include source address, destination address, and application
+ Action can be permit, deny, reject, log, or count (or a combination)
+ Optionally contains other advanced policy actions
+ IDP, UTM (branch devices only), firewall authentication
Security Policy Contexts
When defining a policy, you must associate it with a source zone, or incoming zone, named the from-zone. Also, you must define a destination zone, or outgoing zone, named the to-zone. Within a direction of source and destination zones, you can define more than one policy, referred to as an ordered set of policies, which JUNOS Software executes in the order of their configuration.
Recall that a zone is a collection of logical interfaces with identical security requirements. JUNOS Software always checks all transit traffic, intrazone and interzone, through the use of security policies.
Security Policy Components
Within the defined context, each policy is labeled with a user-defined name. Under the user-defined name is a set of matching criteria and a specified action, similar to a JUNOS Software routing policy. One major difference is that each security policy must contain a matching source address, destination address, and application. Actions for traffic matching the specified criteria include permit, deny, reject, log, or count. JUNOS Software also uses policy to invoke the use of Intrusion Detection and Prevention (IDP) policies, the Unified Threat Management (UTM) feature on branch devices, and firewall authentication. We discuss IDP and firewall authentication in subsequent chapters.
Policy Match Criteria
= Policy matching criteria:
+ Source addresses
+ Individual address
+ Address set
* Destination addresses
+ Individual address
+ Address set
+ Applications or application sets
* User defined
+ System defined
Policy Match Criteria
Each of the defined policies must include the following matching criteria:
+ Source addresses: This criterion can be in the form of address sets or individual addresses. You can group individual addresses into address sets.
+ Destination addresses: This criterion can be in the form of address sets or individual addresses. You can group individual addresses into address sets.
+ Applications or application sets: This criterion can be user-defined or system-defined. JUNOS Software supports system-defined default applications and application sets, referred to using the format junos-application, where application is the name of the application. You can also define your own applications.
You must specify all matching components. If you omit any of these components, JUNOS Software will not allow you to commit the configuration.
Creating Address Book Entries
= Commands for address book entries:
+ Adding an address to an address book
= Creating a group of addresses, named address sets
Creating Address Book Entries
The slide illustrates the syntax that you must use when creating address book entries. An address book within a zone can consist of individual addresses or address sets. An address set is a set of one or more addresses defined within an address book. Address sets are useful when you must refer to a group of addresses more than once.
If the matching criteria need no specific addresses, no address book entry is necessary. In this case, you can specify the configuration option any as the source or destination address in a security policy.
Defining Custom Applications
= Specifics of implementation:
+ Many built-in applications (junos-rsh, junos-sip, junos-bgp, junos-tacacs, and so forth)
+ You can add applications, application sets, or both to the predefined list
+ No restriction for the naming convention
+ You can modify protocols, ports, inactivity timers, and so forth
Defining Custom Applications
JUNOS Software has many built-in applications, such as junos-rsh, junos-sip, junos-bgp, and so forth. You can customize the list of predefined applications by adding to the list, which gives you the capability to support complex applications.
To configure a custom application, define the application name and associate the application with a protocol and ports. Use the application-protocol configuration option to associate the custom application with an application layer gateway (ALG). A user-configured application has a timeout value associated with it. JUNOS Software applies the timeout value to the related session. Once the timeout expires, the software clears the session from the session table. You can set the timeout value for a specific application. Note that a new timeout value applies only to new sessions, not to existing ones.
Creating Policy Match Entries
* Specifics:
* Group all policies together in the proper order, ensuring proper order of execution
+ Apply defined matching parameters
Creating Policy Match Entries
You enter all policies under the from-zone ... to-zone stanza for that particular traffic direction. The from-zone ... to-zone stanza associates the policies in order. Each security policy contains a name, match criteria, and an action. The system evaluates all policies in the order of their appearance within a context.
Basic Policy Actions
* Policy actions:
permit: allows traffic flow
+ deny: silently drops traffic
ject: drops traffic and sends an ICMP unreachable
message for UDP traffic and a TOP (RST) message for TOP
traffic
* Optionally log and count traffic
+ Logs sent to external syslog server
+ Can Be stored leclly on ranch dviees
+ Counters viewable with the show security policies
detail command
Basi Policy Actions
Each pole hasa ist of bale and advanced actors assodatd wth he base
tons are te sowing
+ permit Alone tate tow
+ reject: Rents ina pocket op sd the seeing ofan net Conta
‘Message Protocl (CMP) uneachatie message or UP afc and TCP
‘eset rego suppression ue RST) message or TOP tai
Log and Count Traffic
For each of these actions, you can configure JUNOS Software to log and count traffic as well. To view counters, use the show security policies detail operational mode command. We discuss logging in detail in subsequent slides.
Advanced Permit Settings
* If the security policy allows traffic to pass, you can also configure the following actions:
  + Firewall authentication: authenticate the client prior to forwarding the traffic
    - Pass-through
    - Web authentication
  + IPsec VPN: perform encryption and decryption of permitted transit traffic
  + IDP: perform IDP policy evaluation
  + UTM: perform UTM services such as antivirus, Web filtering, and content filtering
    - UTM services only available on branch platforms
Advanced Permit Settings
Along with the policy actions mentioned on the previous slide, the following advanced permit settings exist:
+ Firewall authentication;
+ IPsec VPN tunnel;
+ IDP; and
+ UTM.
Firewall authentication enables you to restrict and permit users accessing protected resources that might be located in different zones. JUNOS Software offers the following types of firewall authentication:
+ Pass-through: When users that are using FTP, Telnet, or the Hypertext Transfer Protocol (HTTP) access protected resources behind the device, they receive authentication through a username and password. The JUNOS security platform intercepts the session and then prompts the user.
+ Web authentication: Users use HTTP or HTTP over Secure Sockets Layer (HTTPS) to access an IP address of the JUNOS security device, instead of the protected resource. The device authenticates the user with a username and password and caches the result.
Continued on next page.
Advanced Permit Settings (cont.)
We discuss firewall authentication in more detail in Chapter 5, Firewall User Authentication.
A policy can also be associated with a policy-based IPsec VPN tunnel. The tunnel is created dynamically when the device receives the first packet that matches such a policy. We discuss IPsec VPNs in more detail in a later chapter.
A policy can also be associated with an IDP policy. IDP policies inspect traffic and enforce intrusion detection and prevention techniques. We discuss this in more detail in the chapter that introduces intrusion detection and prevention.
A permit policy can also associate traffic with UTM features such as antivirus, content filtering, and Web filtering.
Policy Components Summary
The following is a summary of the policy components:
+ A security policy is associated with the from-zone and the to-zone (the direction of traffic flow within a context);
+ Each policy has a set of matching conditions;
+ Each policy has a set of actions that the system performs upon successful matching of all conditions;
+ Many security policies within the same direction of flow can exist; and
+ Policy order is important, because policies execute in the order of their appearance in the configuration file.
Agenda: Security Policies
* Security Policy Overview
* Policy Components
* Verifying Policy Operation
* Policy Scheduling and Rematching
* Policy Case Study
Verifying Policy Operation
The slide highlights the topic we discuss next.
Logging (1 of 3)
* Control plane logging can be stored locally or sent to an external syslog device
* Default control plane logging configuration:
Control Plane Logging
JUNOS Software logs control plane events either locally or to an external syslog device. Locally stored logs are kept on the Routing Engine under the /var/log directory; you can view them by using the show log log-name operational mode command. To configure logs to be sent to an external syslog server, use the host configuration option. The example on the slide shows the control plane logging statements present in a factory-default configuration.
Logging (2 of 3)
* SRX Series branch devices can log data plane logs locally or send them to an external server
Branch Device Data Plane Logging
Data plane logging on JUNOS security platforms for the branch can be stored locally or sent to an external system log (syslog) server. Use the session-close and session-init configuration options within the security policy to log the start and close of sessions matching a policy.
The slide illustrates a sample log file configuration for branch devices. Logs are stored locally in the /var/log directory when designated with a file name. To send logs to an external device, use the host ip-address configuration option.
The default facility and severity for data plane session logging is user.info. To enable a Network and Security Manager (NSM) device to receive these logs, name the log file default-log-messages, as shown on the slide, and include the structured-data configuration option.
Logging (3 of 3)
* For high-end SRX Series devices, data plane logging must go to an external logging device
* Sample configuration
High-End SRX Series Data Plane Logging
Data plane logging on high-end SRX Series devices must go to an external syslog device. JUNOS Software does not support local data plane logging because of the high volume of session handling that a high-end SRX Series Services Gateway supports. The slide illustrates the configuration of data plane logging for high-end SRX Series devices. Currently, JUNOS Software supports one stream of logging traffic. Supported collection devices include UNIX syslog-based servers and Juniper Networks STRM.
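To make the two logging designs concrete, here is an added configuration example in Junos set syntax (not the course's own slide material) covering both the branch file-based setup and the high-end stream setup. The collector address 192.0.2.10 and the source address 192.0.2.1 are constructed, and the policy is assumed to be named HR-to-Public between zones HR and Public.

```junos
## Branch SRX: data plane session logs written locally. The file name
## default-log-messages plus structured-data is the form NSM expects.
set system syslog file default-log-messages any any
set system syslog file default-log-messages structured-data
## Optional: also forward to an external syslog host (constructed address)
set system syslog host 192.0.2.10 any any
set system syslog host 192.0.2.10 structured-data

## The policy actions that actually produce the session messages
set security policies from-zone HR to-zone Public policy HR-to-Public then log session-init
set security policies from-zone HR to-zone Public policy HR-to-Public then log session-close

## High-end SRX: no local data plane logging, so stream from the SPUs to one
## collector (only one stream is supported, as the slide notes)
set security log mode stream
set security log format sd-syslog
set security log source-address 192.0.2.1
set security log stream to-collector host 192.0.2.10
```

The log action on the policy is what generates the session messages; on a branch device they land in /var/log/default-log-messages and can be read with show log default-log-messages, whereas with mode stream they leave the data plane directly and nothing appears under /var/log on the device.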
Monitoring Policies (1 of 3)
* Use log action in security policy
* Use count action in security policy
  + show outputs add counter
  + Statistics go to logs by default
Logging Sessions in Security Policy
Use the session-close and session-init configuration options to log the start and close of sessions matching a policy. The slide illustrates the configuration of the policy log action.
Collecting Security Policy Statistics
Use the count security policy action to collect statistics and make them available using operational show commands. The count security policy action is not needed to add statistics collection to security policy logs: logs containing session-close messages contain statistics by default. The case study in this chapter provides examples of both forms of statistics collection.
Monitoring Policies (2 of 3)
* show commands:
  + Use the show security policies command to view details about policies
    - Use the detail option to display statistics
    - Policy must have a counter configured
  + show security flow session
    - Displays flows and associated policy names and index numbers
Operational Monitoring Commands
Various show commands are available for monitoring the application of security policy. The show security policies command allows you to view details about a policy, such as the policy index number, policy matching conditions, and policy actions. Use the detail command option to view statistics associated with policy counts.
The show security flow session command displays active sessions on the device and each session's associated security policy. Note that this command output is categorized per Services Processing Unit (SPU) application-specific integrated circuit (ASIC). The following abbreviated output is from a services gateway containing two services processing cards (SPCs) and, therefore, four total SPUs. Only one session is active on the services gateway:
    user@host> show security flow session
    0 sessions displayed
    Session ID: 210000935, Policy name: permit-ftp/5, Timeout: 2768
      In: 10.200.0.2/50 --> 10.200.1.2/2;tcp, If: ge-0/2/1.0
Monitoring Policies (3 of 3)
* Use traceoptions for detailed troubleshooting:
Tracing Security Policy
The configuration shown on the slide enables tracing of security policy processing for sessions on a JUNOS security platform. Use the packet-filter configuration option to log only details concerning selected sessions. Note that because of the architectural design of Juniper Networks security and routing platforms, you can enable reasonably detailed tracing in a production network without negative impact on throughput performance or packet forwarding. However, a good practice is to disable traceoptions when not troubleshooting the device to reduce the impact on system resources.
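The following is an added example (not from the course) of the kind of filtered trace the slide refers to: flow traceoptions narrowed by a packet filter so that only sessions from one constructed host (10.1.1.10) to the case study's FTP server (1.1.70.250) are written, followed by the operational commands used to read the trace and then switch it off. The file name flow-trace and the filter name hr-ftp are assumptions.

```junos
## Trace only the flow events for one host talking to the FTP server
set security flow traceoptions file flow-trace size 1m files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter hr-ftp source-prefix 10.1.1.10/32
set security flow traceoptions packet-filter hr-ftp destination-prefix 1.1.70.250/32
set security flow traceoptions packet-filter hr-ftp protocol tcp
set security flow traceoptions packet-filter hr-ftp destination-port 21
## commit, reproduce the problem, then inspect from configuration mode:
##   run show log flow-trace
##   run show security flow session
##   run show security policies detail
## When finished, stop writing trace data and commit again:
##   deactivate security flow traceoptions
```

The packet filter is what keeps the trace usable on a busy device: without it every session would be written to the file, which is exactly the resource impact the slide warns about, so the deactivate step belongs in the same change window as the enable step.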
Agenda: Security Policies
* Security Policy Overview
* Policy Components
* Verifying Policy Operation
* Policy Scheduling and Rematching
* Policy Case Study
Policy Scheduling and Rematching
The slide highlights the topic we discuss next.
Policy Scheduling Overview
* A scheduled policy is a policy that uses a configured scheduler to make the policy active at specific times.
* Policy and scheduler relationship:
  + A policy can refer to only one scheduler
  + Multiple policies can refer to the same scheduler
  + Policy remains active without an applied scheduler
Policy Scheduling
A policy scheduler is a method for scheduling a policy's execution for a specific duration or a set of durations. A policy scheduler is optional. A scheduler supports system time updates either through manual configuration or through the Network Time Protocol (NTP), and it follows those time changes.
Rules for Scheduling
The following rules apply to policy scheduling:
+ An individual policy can have only one scheduler applied;
+ Multiple policies can use the same scheduler; and
+ A scheduler must be referenced in a policy to become active. Without a defined scheduler within a policy, the policy is always active.
Policy Scheduler Components
* You can configure a policy scheduler with the following:
  + Slot schedule
    - Start date and time
    - Stop date and time
  + Daily schedule
    - Start time
    - Stop time
    - All day
    - Exclude option
Security Policy Scheduler Components
A security policy scheduler provides you with the ability to identify the start date and time and the stop date and time of policy enforcement. In general, the scheduler components include the following:
+ Slot schedule: This component consists of the start date and time and the stop date and time of policy enforcement; and
+ Daily schedule: This component consists of the start time, the stop time, the all-day option, and the exclude option.
Policy Scheduler Details
* Scheduler:
  + Set up the schedule for policy execution, including time and date
  + Apply the scheduler to a policy
* Default behavior:
  + Policies that do not have a scheduler are always active
Policy Scheduler Details
A policy scheduler turns a policy on or off at the specified time. Recall that the policy scheduler activates and deactivates a policy according to the scheduled time, which you configure. Once you create the scheduler, you must apply it to a policy. The default behavior of a policy is to execute at all times.
policy-rematch Statement
* policy-rematch statement: signals the application of policy configuration changes to existing sessions
* Default behavior:
  + Deletion of policies drops the impacted sessions
  + Configuration changes to a policy do not affect existing sessions in progress
Optionally Applying the policy-rematch Statement
JUNOS Software's default behavior is not to affect sessions in progress when you make configuration changes to security policies. For example, you can modify source or destination addresses or modify the actions of a policy used for existing sessions. By default, because a session was previously established, it continues to be operational without any interruptions. You can change that default behavior by enabling the policy-rematch statement. Once you enable the statement, each time a configuration change to a policy occurs, the device re-evaluates the sessions in progress. Configuration changes, such as source address, destination address, and application changes, cause policy re-evaluation: the system performs a policy lookup. If the newly matched policy is not the policy previously used by the session, the session is dropped. If an IPsec VPN change occurs, the JUNOS security platform clears the
Continued on next page.
Optionally Applying the policy-rematch Statement (cont.)
The following list explains the actions that JUNOS Software performs on impacted sessions in progress, based on whether the policy-rematch flag is enabled or disabled:
+ When the policy-rematch flag is enabled:
  - The software inserts a policy: no impact;
  - The software modifies the action field of a policy from permit to either deny or reject: all existing sessions are dropped; and
  - The software modifies some combination of the source address, destination address, and application fields: JUNOS Software re-evaluates the policy lookup.
+ When the policy-rematch flag is disabled (default behavior):
  - The software inserts a policy: no impact;
  - The software modifies the action field of a policy from permit to either deny or reject: all existing sessions continue; and
  - The software modifies some combination of the source address, destination address, and application fields: all existing sessions continue unchanged.
Note that irrespective of the value of the policy-rematch flag, deletion of the policy causes the device to drop all impacted existing sessions.
Agenda: Security Policies
* Security Policy Overview
* Policy Components
* Verifying Policy Operation
* Policy Scheduling and Rematching
* Policy Case Study
Policy Case Study
The slide highlights the topic we discuss next.
Case Study: Creating Policies Between HR and Public Zones
Case Study: Creating Policies
The next series of slides presents an example and contains a setup in which two zones exist: HR and Public. The HR hosts, residing in the HR Zone, must communicate with Server A in the Public Zone using a custom application set. Restrictions are placed onto the rest of the 10.1.0.0/16 network that are logged and counted.
Case Study: Entering Host Addresses into the HR Zone
The slide presents the configuration that adds host addresses belonging to the HR Zone. The hosts include Host A and Host B, whose addresses appear on the slide. The rest of the 10.1.0.0/16 subnet is also defined, and the hosts are grouped into an address set named on the slide.
Case Study: Entering Host Addresses into the Public Zone
The slide presents the configuration that adds the server address belonging to the Public Zone, 1.1.70.250. The rest of the
Case Study: Creating the Application Set
Case Study: Adding New Applications
The slide presents the configuration of a new custom application for the HR Zone. The configuration shows that the new application is defined under the applications stanza and added to a new application set. That set consists of two predefined applications, including junos-ftp, and the newly defined custom application.
Case Study: Creating Policy Entries (1 of 2)
Case Study: Creating Policy Entries: Part 1
We must now define the policies from the HR Zone to the Public Zone. We must define them so that matching traffic is logged and counted.
Case Study: Creating Policy Entries (2 of 2)
Case Study: Creating Policy Entries: Part 2
The slide shows the definition of the next policy for the same direction, from the HR Zone to the Public Zone. This policy denies packets, and logs and counts them, for only the following cases:
+ The source address of the packet must be other-10-1;
+ The destination address must be other-1-1-70; and
+ The application must be junos-ftp.
Case Study: Creating a Scheduler
Case Study: Optionally Creating a Scheduler
We now create a scheduler named scheduler-A. Its purpose is to allow policy HR-to-Public on a daily basis from 8:00 am until 5:00 pm, excluding weekends (Saturday and Sunday). Because HR-to-Public is the only policy that permits any traffic, application of the scheduler results in the JUNOS security device blocking all traffic completely on weekdays outside the 8:00 am to 5:00 pm window and on weekends.
Case Study: Applying a Scheduler
Case Study: Optionally Applying a Scheduler
The slide shows the application of the previously defined scheduler, scheduler-A, to the HR-to-Public policy.
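Pulling the case study together, and also illustrating the custom application, the basic policy actions, the log and count options, and the scheduler from earlier in this chapter, here is an added end-to-end configuration in Junos set syntax. It is not the course's own slide configuration: the zone names, Server A's address 1.1.70.250, the 10.1.0.0/16 network, the address names other-10-1 and other-1-1-70, the policy name HR-to-Public and the scheduler name scheduler-A come from the case study, while the host addresses 10.1.1.10 and 10.1.1.11, the address set name hr-hosts, the custom application hr-app on TCP port 7000, the application set name hr-public-apps and the second policy name deny-other-ftp are constructed.

```junos
## Zone address books (JUNOS 9.x keeps the address book under each zone).
## Host addresses below are constructed; the networks come from the case study.
set security zones security-zone HR address-book address host-a 10.1.1.10/32
set security zones security-zone HR address-book address host-b 10.1.1.11/32
set security zones security-zone HR address-book address other-10-1 10.1.0.0/16
set security zones security-zone HR address-book address-set hr-hosts address host-a
set security zones security-zone HR address-book address-set hr-hosts address host-b
set security zones security-zone Public address-book address server-a 1.1.70.250/32
set security zones security-zone Public address-book address other-1-1-70 1.1.70.0/24

## Custom application (constructed port) with its own session timeout,
## then an application set mixing it with predefined applications
set applications application hr-app protocol tcp destination-port 7000
set applications application hr-app inactivity-timeout 600
set applications application-set hr-public-apps application junos-ftp
set applications application-set hr-public-apps application junos-telnet
set applications application-set hr-public-apps application hr-app

## Policy 1: HR hosts to Server A, permitted, logged at start and close, counted
set security policies from-zone HR to-zone Public policy HR-to-Public match source-address hr-hosts
set security policies from-zone HR to-zone Public policy HR-to-Public match destination-address server-a
set security policies from-zone HR to-zone Public policy HR-to-Public match application hr-public-apps
set security policies from-zone HR to-zone Public policy HR-to-Public then permit
set security policies from-zone HR to-zone Public policy HR-to-Public then log session-init
set security policies from-zone HR to-zone Public policy HR-to-Public then log session-close
set security policies from-zone HR to-zone Public policy HR-to-Public then count

## Policy 2: FTP from the rest of 10.1.0.0/16 to the rest of 1.1.70.0/24 is
## denied; a deny has no close event, so only session-init is logged
set security policies from-zone HR to-zone Public policy deny-other-ftp match source-address other-10-1
set security policies from-zone HR to-zone Public policy deny-other-ftp match destination-address other-1-1-70
set security policies from-zone HR to-zone Public policy deny-other-ftp match application junos-ftp
set security policies from-zone HR to-zone Public policy deny-other-ftp then deny
set security policies from-zone HR to-zone Public policy deny-other-ftp then log session-init
set security policies from-zone HR to-zone Public policy deny-other-ftp then count

## Scheduler: every day 08:00 to 17:00, with the weekend excluded,
## applied to the permit policy only
set schedulers scheduler scheduler-A daily start-time 08:00:00 stop-time 17:00:00
set schedulers scheduler scheduler-A saturday exclude
set schedulers scheduler scheduler-A sunday exclude
set security policies from-zone HR to-zone Public policy HR-to-Public scheduler-name scheduler-A

## Optional: make later edits to these policies re-evaluate in-progress sessions
set security policies policy-rematch
```

Policy order matters here: HR-to-Public is entered first, so Host A and Host B (which also fall inside other-10-1) match it before deny-other-ftp is ever consulted. Had the policies been entered the other way round, insert security policies from-zone HR to-zone Public policy HR-to-Public before policy deny-other-ftp would restore the intended order, which is also the answer to review question 4. With the scheduler applied and no other permit policy in this direction, HR-to-Public traffic outside the scheduled window falls through to the default deny, as the case study notes.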
Case Study: Check Your Knowledge
* Questions:
  + Will the policies illustrated in the previous example be sufficient to permit FTP traffic between the HR Zone and the Public Zone? Explain your reasoning.
  + Will network administrators be able to use Telnet to access the JUNOS security device? Explain your reasoning.
Check Your Knowledge
What are the answers to the questions posed on the slide?
Case Study: Monitoring the Policy (1 of 2)
Case Study: Monitoring Security Policies: Part 1
The slide shows the output of the show security policies detail command for one of the policies in the case study. We removed some output for brevity.
Case Study: Monitoring the Policy (2 of 2)
* Policy log from external server:
Case Study: Monitoring Security Policies: Part 2
The slide shows an example of the data plane log output resulting from FTP traffic matching the case study security policy. We captured the output on an external UNIX syslog-enabled server.
Summary
In this chapter, we:
* Explained security policy functionality
* Configured a basic security policy using the following elements:
  + Policy match conditions
  + Policy actions, basic and advanced
  + Policy scheduling
* Verified policies and monitored their execution
This Chapter Discussed:
+ Security policy functionality;
+ Security policy configuration, including:
  - Policy match conditions; and
  - Policy actions and scheduling; and
+ Security policy verification and monitoring.
Review Questions
1. What are the basic components of a policy?
2. What is the default action for every policy set?
3. What is the purpose of a scheduler within the security
stanza?
4. How can you reorder policies?
Lab 2: Security Policies
* Create policies that control access between networks.
Lab 2: Security Policies
The slide provides the objective for this lab.
Chapter 5: Firewall User Authentication
Chapter Objectives
* After successfully completing this chapter, you will be able to:
  + Describe the purpose of firewall user authentication
  + Implement pass-through authentication
  + Implement Web authentication
  + Implement firewall user client groups
  + Monitor firewall user authentication
This Chapter Discusses:
+ The purpose of firewall user authentication;
+ Implementing pass-through authentication;
+ Implementing Web authentication;
+ Using client groups; and
+ Monitoring firewall user authentication.
Agenda: Firewall User Authentication
* Firewall User Authentication Overview
* Pass-Through Authentication
* Web Authentication
* Client Groups
* Using External Authentication Servers
* Verifying Firewall User Authentication
Firewall User Authentication Overview
The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.
Firewall User Authentication Overview
* Method to restrict or permit network user access to protected resources between security zones
The Purpose of Firewall User Authentication
Firewall user authentication provides another layer of protection in the network on top of security zones, policies, and screens. With firewall authentication, you can restrict or permit users individually or in groups. Users attempting to access a network resource receive a prompt from JUNOS Software for a username and password even if a security policy is in place permitting the traffic.
Users can be authenticated using a local password database or using an external password database. JUNOS Software supports RADIUS, Lightweight Directory Access Protocol (LDAP), and SecurID authentication servers.
The example on the slide illustrates a user (Host A) attempting to access a network resource belonging to the Public Zone. With firewall user authentication configured, the user must first authenticate with the JUNOS security platform before accessing the resource. In this example, the device can query an external authentication server to determine the authentication result. The security policy must also allow traffic from the user to the resource. Once the user receives authentication, subsequent sessions from the same source IP address bypass firewall user authentication. This detail is especially important when considering the design of firewall user authentication for a network that might have source-based Network Address Translation (NAT) employed.
Firewall User Authentication Types
* Pass-through authentication:
  + Triggered by Telnet, FTP, and HTTP traffic
  + User attempts to access the network resource directly
  + JUNOS security platform intercepts traffic and prompts for username and password
  + If authentication is successful, subsequent traffic from the same source IP address is allowed
* Web authentication:
  + User first connects directly to JUNOS security platform using HTTP
  + Software prompts user for username and password
  + If authentication is successful, subsequent traffic from the same source IP address is allowed
Pass-Through Authentication
Two types of firewall user authentication are available: pass-through and Web authentication. Pass-through authentication must first be triggered by Telnet, FTP, or Hypertext Transfer Protocol (HTTP) traffic. In this type of firewall authentication, the user initiates a session to a remote network destination. If the traffic matches a security policy configured for pass-through authentication, the SRX Series Services Gateway intercepts the session. The user receives a prompt for a username and password. If the authentication is successful, subsequent traffic from the same source IP address is automatically allowed to pass through the device, provided it matches the applicable security policy.
Web Authentication
Web authentication works in a slightly different way. With Web authentication configured, the user must first directly access the JUNOS security platform using HTTP. The user enters the IP address or hostname of the device into a Web browser and then receives a prompt for a username and password. If authentication is successful, the user can then access the requested resource directly. Subsequent traffic from the same source IP address is automatically allowed access to the requested resource, as long as a security policy allows for it.
Authentication Server Support
* Local:
  + Authentication and authorization
* RADIUS:
  + Authentication and authorization
* LDAP:
  + Authentication only
* SecurID:
  + Authentication only
Local Authentication
JUNOS Software supports local authentication on the JUNOS security platform itself, as well as RADIUS, LDAP, and SecurID external authentication servers. The local password database supports authentication and authorization.
RADIUS Authentication
RADIUS supports authentication as well as authorization. The JUNOS security platform acts as a RADIUS client and communication uses UDP. RADIUS uses shared secrets to encrypt user information during the exchange.
LDAP Authentication
An LDAP server is another form of external authentication server. JUNOS Software supports authentication only when using an LDAP server. JUNOS Software is compatible with LDAP Version 3 and Microsoft Windows Active Directory.
Continued on next page.
SecurID Authentication
A SecurID server can be used for external authentication. This method allows users to use either static or dynamic passwords as credentials. A dynamic password is a combination of a user's PIN and a randomly generated token that is valid for a short period of time. JUNOS Software supports SecurID server authentication only and does not support the SecurID challenge feature.
Agenda: Firewall User Authentication
* Firewall User Authentication Overview
* Pass-Through Authentication
* Web Authentication
* Client Groups
* Using External Authentication Servers
* Verifying Firewall User Authentication
Pass-Through Authentication
The slide highlights the topic we discuss next.
Pass-Through Authentication
The slide illustrates the process used for pass-through firewall authentication. A user attempts to connect directly to a remote network resource using either Telnet, HTTP, or FTP. The JUNOS security platform intercepts the first packet and stores it in memory. The device prompts the end user for a username and password. If authentication succeeds, a configurable banner displays to the user and the original request proceeds to its destination. JUNOS Software allows subsequent traffic from the same source IP address until the user has been idle for 10 minutes. At that point, authentication must be performed again for further traffic to pass through the device. The default idle timeout of 10 minutes is configurable as shown:
    [edit access profile profile-name]
    user@host# set session-options client-idle-timeout ?
Pass-Through Configuration (1 of 3)
* Create access profile:
    [edit access]
    profile profile-name
Creating an Access Profile
The slide provides an example of a basic access profile. This example shows the configuration of a user-defined profile name. One or more clients are configured within the profile, representing end users. The client name represents the username. The password is entered in plain-text format but displays in encrypted form when you view the configuration.
Pass-Through Configuration (2 of 3)
* Associate access profile with pass-through authentication and add banner:
Associating the Access Profile with an Authentication Type
Once an access profile has been defined, it must be associated with pass-through firewall authentication. The slide shows a basic example of this configuration. JUNOS Software also allows you to set a customized banner that will display to the end user. JUNOS Software can display an initial login banner, a successful authentication banner, and a failed authentication banner when configuring pass-through authentication.
Pass-Through Configuration (3 of 3)
* Configure policy action with firewall authentication
Applying Pass-Through Authentication as a Policy Action
Enable pass-through and Web authentication using security policies. To be subject to firewall user authentication, traffic must align with the policy matching conditions and have an extended action of permit specifying the type of firewall authentication to use. The slide shows an example of applying pass-through firewall authentication to a security policy.
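The three configuration slides above combine into the following added example in Junos set syntax (not the course's own configuration): a local access profile with the idle timeout discussed earlier, its association with pass-through authentication including the three banners for the Telnet trigger, and a policy whose permit action requires that authentication. The profile name fwauth-profile, the usernames and passwords, the zone names trust and untrust, and the policy name auth-users are all constructed.

```junos
## Local access profile: two firewall users (constructed names and passwords).
## Passwords are entered in plain text and stored encrypted.
set access profile fwauth-profile client user1 firewall-user password "user1-pass"
set access profile fwauth-profile client user2 firewall-user password "user2-pass"
## Idle timeout in minutes; 10 is the default described above
set access profile fwauth-profile session-options client-idle-timeout 10

## Tie the profile to pass-through authentication; banners are per trigger
## protocol (telnet here; ftp and http take the same three banners)
set access firewall-authentication pass-through default-profile fwauth-profile
set access firewall-authentication pass-through telnet banner login "Authenticate to reach protected resources"
set access firewall-authentication pass-through telnet banner success "Authentication successful"
set access firewall-authentication pass-through telnet banner fail "Authentication failed"

## Policy: the triggering applications are permitted only after the user
## authenticates; client-match limits which profile users may authenticate
set security policies from-zone trust to-zone untrust policy auth-users match source-address any
set security policies from-zone trust to-zone untrust policy auth-users match destination-address any
set security policies from-zone trust to-zone untrust policy auth-users match application junos-telnet
set security policies from-zone trust to-zone untrust policy auth-users match application junos-ftp
set security policies from-zone trust to-zone untrust policy auth-users match application junos-http
set security policies from-zone trust to-zone untrust policy auth-users then permit firewall-authentication pass-through client-match user1
set security policies from-zone trust to-zone untrust policy auth-users then permit firewall-authentication pass-through client-match user2
set security policies from-zone trust to-zone untrust policy auth-users then log session-close
```

After a user authenticates, show security firewall-authentication users lists the authenticated source addresses and their remaining idle time. The entry is keyed on the source IP address, not the user, which is why the chapter stresses that every host sharing a translated source address behind a NAT device inherits one user's authentication until the idle timeout expires.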
Agenda: Firewall User Authentication
* Firewall User Authentication Overview
* Pass-Through Authentication
* Web Authentication
* Client Groups
* Using External Authentication Servers
* Verifying Firewall User Authentication
Web Authentication
The slide highlights the topic we discuss next.
Web Authentication
The slide illustrates the process used for Web firewall authentication. A user that requires access to a remote network resource must first access the JUNOS security platform directly using a Web browser. The device prompts the end user for a username and password. If authentication succeeds, a configurable banner displays and the user gains permission to access the remote resource. JUNOS Software allows subsequent traffic from the same source IP address until the user has been idle for 10 minutes. At that point, authentication must be performed again for further traffic to pass through the device. The default idle timeout of 10 minutes is configurable as shown here:
    [edit access profile profile-name]
    user@host# set session-options client-idle-timeout ?
Web Authentication Configuration (1 of 4)
* Enable HTTP service on the JUNOS security platform
  + Also enables Web management of the device
  + Ensure host-inbound-traffic allows HTTP
Enabling the HTTP Process
To use Web authentication, the SRX Series device must run the HTTP process. The slide highlights the required configuration to enable this system process on the device. The highlighted configuration allows HTTP access for Web management through the Web user interface and also allows for the use of Web authentication. You can also configure this service to restrict access to an individual interface or group of interfaces. The security zone containing the interface to be used for Web authentication (or for the Web user interface) must allow HTTP traffic as host-inbound traffic.
Web Authentication Configuration (2 of 4)
* Enable Web authentication on interface
  + Use secondary address
  + Must be in same subnet
    [edit interfaces]
Enabling Interface for Web Authentication
An interface must be enabled for Web authentication. The slide illustrates a sample configuration for enabling Web authentication on the ge-0/0/0 interface. We recommend using a secondary IP address as the Web authentication address. The Web authentication address must be in the same subnet as the primary interface address. Use the preferred option to ensure that traffic sourced from this interface continues to use the primary address as its source.
Web Authentication Configuration (3 of 4)
* Create access profile:
* Associate access profile with Web authentication and add banner:
Creating an Access Profile
Web authentication can use the same profile as pass-through authentication. The example on the slide shows the configuration of a user-defined profile name. One or more clients are configured within the profile, representing end users. The client name represents the username. The user enters the password in plain-text format, but it displays in encrypted form when you view the configuration.
Associating the Access Profile with an Authentication Type
The access profile must be associated with Web authentication using the same configuration style as pass-through authentication. The slide shows a basic example of this configuration. JUNOS Software also allows you to set a customized banner that will display to the end user. Web authentication supports a customized banner for successful authentication only.
Web Authentication Configuration (4 of 4)
* Configure policy action with firewall authentication:
Applying Web Authentication as a Policy Action
Pass-through and Web authentication are enabled using security policies. To be subject to firewall user authentication, traffic must align with the policy matching conditions and have an extended action of permit specifying the type of firewall authentication to use. The slide shows an example of applying Web firewall authentication to a security policy.
Web Redirect
* Use pass-through authentication but redirect users to Web authentication using an HTTP redirect response
  + Works like Web authentication but user need not know address of the JUNOS security platform
  + User is redirected to same interface
  + Interface and system must be enabled for Web authentication
A Cleaner Method of Web Authentication
Directly accessing the device through a browser before gaining access to a remote resource can be burdensome. To alleviate this burden, JUNOS Software allows Web redirect. The slide illustrates the configuration of Web redirect. With Web redirect enabled, the device responds to the user's device with an HTTP redirect message, which tells the user's device to use HTTP to access the JUNOS security platform at a particular address. JUNOS Software uses the address of the interface on which the initial user request was received. You must enable Web authentication for this interface and for the system, just as you would for standard Web authentication.
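As an added example tying the four Web authentication slides and the Web redirect slide together (not the course's own configuration): the HTTP service is enabled and bound to one interface, that interface gets a preferred primary address plus a secondary Web authentication address in the same subnet, the zone admits HTTP as host-inbound traffic, and a policy requires Web authentication. The final lines show the alternative permit action that turns the same policy into a Web redirect. The addresses 10.1.1.1/24 and 10.1.1.254/24, the interface ge-0/0/0.0, the zone names trust and untrust, the profile fwauth-profile, the user and password, and the policy name web-auth-users are constructed.

```junos
## HTTP process, restricted to the interface that will take Web-auth requests
set system services web-management http interface ge-0/0/0.0
## The zone must accept HTTP as host-inbound traffic on that interface
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services http

## Primary address stays the preferred source; a secondary address in the
## same subnet is dedicated to Web authentication (constructed addresses)
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24 preferred
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.254/24 web-authentication http

## Same profile style as pass-through; Web auth has only a success banner
set access profile fwauth-profile client user1 firewall-user password "user1-pass"
set access firewall-authentication web-authentication default-profile fwauth-profile
set access firewall-authentication web-authentication banner success "Web authentication successful"

## Classic Web authentication: the user browses to 10.1.1.254 first, then
## any traffic from that source address is permitted by this policy
set security policies from-zone trust to-zone untrust policy web-auth-users match source-address any
set security policies from-zone trust to-zone untrust policy web-auth-users match destination-address any
set security policies from-zone trust to-zone untrust policy web-auth-users match application any
set security policies from-zone trust to-zone untrust policy web-auth-users then permit firewall-authentication web-authentication client-match user1

## Web redirect variant: replace the permit action above with pass-through
## plus web-redirect, so the first HTTP request is answered with a redirect
## to the Web-auth address on the ingress interface instead of a raw prompt
## delete security policies from-zone trust to-zone untrust policy web-auth-users then permit firewall-authentication web-authentication
## set security policies from-zone trust to-zone untrust policy web-auth-users then permit firewall-authentication pass-through client-match user1
## set security policies from-zone trust to-zone untrust policy web-auth-users then permit firewall-authentication pass-through web-redirect
```

The preferred keyword is the detail that is easy to miss: without it, sessions the device itself originates from ge-0/0/0 may pick up the secondary address, and the two addresses must sit in one subnet or the secondary will not be reachable from the hosts it is meant to authenticate.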
Agenda: Firewall User Authentication
* Firewall User Authentication Overview
* Pass-Through Authentication
* Web Authentication
* Client Groups
* Using External Authentication Servers
* Verifying Firewall User Authentication
Client Groups
The slide highlights the topic we discuss next.
Client Groups
* A client group is a list of groups to which a client belongs
  + Create user groups or client groups to manage a number of firewall users
Using Client Groups
A client group is a list of groups associated with a client. Client groups allow for easier management of multiple firewall users. Security policy references client groups in the same manner in which it references individual clients. The slide shows a simple conceptual example of using client groups to manage multiple users. The next two slides use this example for illustrating the configuration of client groups.
Configuring Client Groups (1 of 2)
* Associate a user with a number of client groups:
Adding Client Groups to a User
The slide provides an example configuration of three users associated with various groups. A number of groups (contained in square brackets in the example configuration) represents a client group.
Configuring Client Groups (2 of 2)
* Reference a group within a security policy:
Configuring a Policy to Use Client Groups
Once client groups have been organized, groups can be referenced in a security policy with firewall authentication. Groups can be used in place of individual clients. The slide illustrates the use of a client group in a security policy. In this example, Group-A from the previous slide is subject to pass-through authentication.
Check Your Knowledge
* Referencing the previous two slides, which users have Telnet access to the engineering network resource?
* What happens if user1, user2, and user3 have the same source address because of source NAT?
Which Users Have Telnet Access to the Engineering Resource?
In the reference example configuration, firewall authentication is enabled and the security policy specifies only client group Group-A. Client group Group-A is associated with user1 and user2. Therefore, user1 and user2 have access to the engineering remote network resource (if they authenticate successfully).
What if All Three Users Use the Same Source IP Address?
Firewall user authentication is based on the source IP address. As we discussed earlier in this chapter, once firewall authentication is successful, subsequent sessions from the same source IP address are not subject to firewall authentication within the idle timeout period. In this example, if user1 or user2 were to authenticate, user3 would also be able to access the remote engineering resource.
Using Default Client Groups
* A default client group associates all users within a profile to a client group
  + Only relevant to clients that are not configured with a client group at the client level
Default Client Groups
JUNOS Software allows the configuration of a default client group to serve as a default for all users within an access profile. This setup allows ease of management by categorizing users in access profiles. If a user does not associate with a client group and a default client group exists, the user associates with the default client group. The default client group can consist of one or more groups.
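Here is an added example in Junos set syntax (not the course's own configuration) combining the two client-group slides and the default client group: three users with explicit client groups, a fourth user that inherits the profile's default client group, and a policy that requires pass-through authentication and matches on Group-A rather than on individual users. The profile name, the passwords, the zone names trust and untrust, the policy name eng-telnet, and the engineering network 172.16.1.0/24 are constructed; Group-A and the user1, user2 and user3 names echo the slide's example.

```junos
## Users and their client groups (a bracketed list is one client group)
set access profile fwauth-profile client user1 firewall-user password "user1-pass"
set access profile fwauth-profile client user1 client-group [ Group-A Group-B ]
set access profile fwauth-profile client user2 firewall-user password "user2-pass"
set access profile fwauth-profile client user2 client-group Group-A
set access profile fwauth-profile client user3 firewall-user password "user3-pass"
set access profile fwauth-profile client user3 client-group Group-B
## user4 has no client-group of its own, so it falls into the profile's
## default client group Group-C configured under session-options
set access profile fwauth-profile client user4 firewall-user password "user4-pass"
set access profile fwauth-profile session-options client-group Group-C

set access firewall-authentication pass-through default-profile fwauth-profile

## Telnet to the engineering network (constructed) only for members of Group-A
set security zones security-zone untrust address-book address eng-net 172.16.1.0/24
set security policies from-zone trust to-zone untrust policy eng-telnet match source-address any
set security policies from-zone trust to-zone untrust policy eng-telnet match destination-address eng-net
set security policies from-zone trust to-zone untrust policy eng-telnet match application junos-telnet
set security policies from-zone trust to-zone untrust policy eng-telnet then permit firewall-authentication pass-through client-match Group-A
set security policies from-zone trust to-zone untrust policy eng-telnet then log session-close
```

With this configuration only user1 and user2 can authenticate against eng-telnet; user3 and user4 are refused because client-match names Group-A alone. As the Check Your Knowledge discussion points out, that distinction holds only per source IP address: once user1 has authenticated from an address, any host sharing that address through source NAT passes eng-telnet until the idle timeout expires, so client groups are an authorization tool, not a substitute for separating users onto distinct source addresses.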