
Concepts & Examples ScreenOS Reference Guide

Volume 1: Overview

Release 6.2.0, Rev. 02

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
408-745-2000

www.juniper.net

Copyright Notice

Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Juniper Networks installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Consult the dealer or an experienced radio/TV technician for help.
Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

Table of Contents

Volume 1: Overview

About the Concepts & Examples ScreenOS Reference Guide ... xlvii
Volume Organization ... xlix
Document Conventions ... lv
Web User Interface Conventions ... lv
Command Line Interface Conventions ... lv
Naming Conventions and Character Types ... lvi
Illustration Conventions ... lvii
Requesting Technical Support ... lvii
Self-Help Online Tools and Resources ... lviii
Opening a Case with JTAC ... lviii
Document Feedback ... lviii
Master Index ... IX-I

Volume 2: Fundamentals

About This Volume ... ix
Document Conventions ... x
Web User Interface Conventions ... x
Command Line Interface Conventions ... x
Naming Conventions and Character Types ... xi
Illustration Conventions ... xii
Requesting Technical Support ... xii
Self-Help Online Tools and Resources ... xiii
Opening a Case with JTAC ... xiii
Document Feedback ... xiii

Chapter 1 ScreenOS Architecture ... 1
Security Zones ... 2
Security Zone Interfaces ... 3
Physical Interfaces ... 3
Subinterfaces ... 3
Virtual Routers ... 4
Policies ... 5
Virtual Private Networks ... 6
Virtual Systems ... 9
Packet-Flow Sequence ... 10
Jumbo Frames ... 13


ScreenOS Architecture Example ... 14
Example: (Part 1) Enterprise with Six Zones ... 14
Example: (Part 2) Interfaces for Six Zones ... 16
Example: (Part 3) Two Routing Domains ... 18
Example: (Part 4) Policies ... 20

Chapter 2 Zones ... 25
Viewing Preconfigured Zones ... 26
Security Zones ... 28
Global Zone ... 28
SCREEN Options ... 28
Binding a Tunnel Interface to a Tunnel Zone ... 29
Configuring Security Zones and Tunnel Zones ... 30
Creating a Zone ... 30
Modifying a Zone ... 31
Deleting a Zone ... 32
Function Zones ... 33

Chapter 3 Interfaces ... 35
Interface Types ... 36
Logical Interfaces ... 36
Physical Interfaces ... 36
Wireless Interfaces ... 36
Bridge Group Interfaces ... 37
Subinterfaces ... 37
Aggregate Interfaces ... 37
Redundant Interfaces ... 37
Virtual Security Interfaces ... 38
Function Zone Interfaces ... 38
Management Interfaces ... 38
High Availability Interfaces ... 38
Tunnel Interfaces ... 39
Deleting Tunnel Interfaces ... 42
Viewing Interfaces ... 43
Configuring Security Zone Interfaces ... 44
Binding an Interface to a Security Zone ... 45
Unbinding an Interface from a Security Zone ... 46
Addressing an L3 Security Zone Interface ... 47
Public IP Addresses ... 47
Private IP Addresses ... 48
Addressing an Interface ... 48
Modifying Interface Settings ... 49
Creating a Subinterface in the Root System ... 50
Deleting a Subinterface ... 51
Creating a Secondary IP Address ... 51
Backup System Interfaces ... 52
Configuring a Backup Interface ... 53
Configuring an IP Tracking Backup Interface ... 53
Configuring a Tunnel-if Backup Interface ... 54
Configuring a Route Monitoring Backup Interface ... 57
Loopback Interfaces ... 58
Creating a Loopback Interface ... 59
Setting the Loopback Interface for Management ... 59


Setting BGP on a Loopback Interface ... 59
Setting VSIs on a Loopback Interface ... 60
Setting the Loopback Interface as a Source Interface ... 60
Interface State Changes ... 61
Physical Connection Monitoring ... 63
Tracking IP Addresses ... 63
Interface Monitoring ... 68
Monitoring Two Interfaces ... 70
Monitoring an Interface Loop ... 71
Security Zone Monitoring ... 74
Down Interfaces and Traffic Flow ... 75
Failure on the Egress Interface ... 76
Failure on the Ingress Interface ... 77

Chapter 4 Interface Modes ... 81
Transparent Mode ... 82
Zone Settings ... 83
VLAN Zone ... 83
Predefined Layer 2 Zones ... 83
Traffic Forwarding ... 83
Forwarding IPv6 Traffic ... 84
Unknown Unicast Options ... 85
Flood Method ... 86
ARP/Trace-Route Method ... 87
Configuring VLAN1 Interface for Management ... 90
Configuring Transparent Mode ... 92
NAT Mode ... 95
Inbound and Outbound NAT Traffic ... 97
Interface Settings ... 98
Configuring NAT Mode ... 98
Route Mode ... 101
Interface Settings ... 102
Configuring Route Mode ... 102

Chapter 5 Building Blocks for Policies ... 105
Addresses ... 105
Address Entries ... 106
Adding an Address ... 106
Modifying an Address ... 107
Deleting an Address ... 107
Address Groups ... 107
Creating an Address Group ... 109
Editing an Address Group Entry ... 110
Removing a Member and a Group ... 110
Services ... 110
Predefined Services ... 111
Internet Control Messaging Protocol ... 112
Handling ICMP Unreachable Errors ... 114
Internet-Related Predefined Services ... 115
Microsoft Remote Procedure Call Services ... 116
Dynamic Routing Protocols ... 118
Streaming Video ... 118
Sun Remote Procedure Call Services ... 119


Security and Tunnel Services ... 119
IP-Related Services ... 120
Instant Messaging Services ... 120
Management Services ... 120
Mail Services ... 121
UNIX Services ... 121
Miscellaneous Services ... 122
Custom Services ... 122
Adding a Custom Service ... 123
Modifying a Custom Service ... 124
Removing a Custom Service ... 124
Setting a Service Timeout ... 124
Service Timeout Configuration and Lookup ... 124
Contingencies ... 125
Example ... 126
Defining a Custom Internet Control Message Protocol Service ... 127
Remote Shell Application Layer Gateway ... 128
Sun Remote Procedure Call Application Layer Gateway ... 128
Typical RPC Call Scenario ... 128
Customizing Sun RPC Services ... 129
Customizing Microsoft Remote Procedure Call Application Layer Gateway ... 129
Real-Time Streaming Protocol Application Layer Gateway ... 131
Dual-Stack Environment ... 132
RTSP Request Methods ... 132
RTSP Status Codes ... 134
Configuring a Media Server in a Private Domain ... 135
Configuring a Media Server in a Public Domain ... 137
Stream Control Transmission Protocol Application Layer Gateway ... 139
Point-to-Point Tunneling Protocol Application Layer Gateway ... 139
Configuring the PPTP ALG ... 141
Service Groups ... 141
Modifying a Service Group ... 142
Removing a Service Group ... 143
Dynamic IP Pools ... 143
Port Address Translation ... 144
Creating a DIP Pool with PAT ... 145
Modifying a DIP Pool ... 146
Sticky DIP Addresses ... 146
Using DIP in a Different Subnet ... 147
Using a DIP on a Loopback Interface ... 152
Creating a DIP Group ... 156
Setting a Recurring Schedule ... 159

Chapter 6 Policies ... 161
Basic Elements ... 162
Three Types of Policies ... 163
Interzone Policies ... 163
Intrazone Policies ... 163
Global Policies ... 164
Policy Set Lists ... 165
Policies Defined ... 166
Policies and Rules ... 166
Anatomy of a Policy ... 167


ID ... 168
Zones ... 168
Addresses ... 168
Wildcard Addresses ... 168
Services ... 169
Action ... 169
Application ... 170
Name ... 170
VPN Tunneling ... 170
L2TP Tunneling ... 171
Deep Inspection ... 171
Placement at the Top of the Policy List ... 171
Session Limiting ... 171
Source Address Translation ... 172
Destination Address Translation ... 172
No Hardware Session ... 172
User Authentication ... 172
HA Session Backup ... 174
Web Filtering ... 174
Logging ... 175
Counting ... 175
Traffic Alarm Threshold ... 175
Schedules ... 175
Antivirus Scanning ... 175
Traffic Shaping ... 176
Policies Applied ... 177
Viewing Policies ... 177
Searching Policies ... 177
Creating Policies ... 178
Creating Interzone Policies Mail Service ... 178
Creating an Interzone Policy Set ... 181
Creating Intrazone Policies ... 185
Creating a Global Policy ... 187
Entering a Policy Context ... 188
Multiple Items per Policy Component ... 188
Setting Address Negation ... 189
Modifying and Disabling Policies ... 192
Policy Verification ... 192
Reordering Policies ... 193
Removing a Policy ... 194

Chapter 7 Traffic Shaping ... 195
Managing Bandwidth at the Policy Level ... 195
Setting Traffic Shaping ... 196
Setting Service Priorities ... 199
Traffic Shaping for an ALG ... 200
Setting Priority Queuing ... 201
Ingress Policing ... 205
Shaping Traffic on Virtual Interfaces ... 206
Interface-Level Traffic Shaping ... 206
Policy-Level Traffic Shaping ... 208
Packet Flow ... 208
Example: Route-Based VPN with Ingress Policing ... 209
Example: Policy-Based VPN with Ingress Policing ... 212


Traffic Shaping Using a Loopback Interface ... 216
DSCP Marking and Shaping ... 216
Enabling Differentiated Services Code Point ... 217

Chapter 8 System Parameters ... 219
Domain Name System Support ... 219
DNS Lookup ... 220
DNS Status Table ... 221
Setting the DNS Server and Refresh Schedule ... 221
Setting a DNS Refresh Interval ... 222
Dynamic Domain Name System ... 222
Setting Up DDNS for a Dynamic DNS Server ... 223
Setting Up DDNS for a DDO Server ... 224
Proxy DNS Address Splitting ... 225
Dynamic Host Configuration Protocol ... 227
Configuring a DHCP Server ... 229
Customizing DHCP Server Options ... 232
Placing the DHCP Server in an NSRP Cluster ... 234
DHCP Server Detection ... 234
Enabling DHCP Server Detection ... 234
Disabling DHCP Server Detection ... 234
Assigning a Security Device as a DHCP Relay Agent ... 235
Forwarding All DHCP Packets ... 239
Configuring Next-Server-IP ... 239
Using a Security Device as a DHCP Client ... 240
Propagating TCP/IP Settings ... 242
Configuring DHCP in Virtual Systems ... 244
Setting DHCP Message Relay in Virtual Systems ... 244
Point-to-Point Protocol over Ethernet ... 245
Setting Up PPPoE ... 245
Configuring PPPoE on Primary and Backup Untrust Interfaces ... 248
Configuring Multiple PPPoE Sessions over a Single Interface ... 249
PPPoE and High Availability ... 252
License Keys ... 252
Configuration Files ... 253
Uploading Configuration Files ... 253
Downloading Configuration Files ... 254
Registration and Activation of Subscription Services ... 254
Trial Service ... 255
Updating Subscription Keys ... 255
Adding Antivirus, Web Filtering, Antispam, and Deep Inspection to an Existing or a New Device ... 256
System Clock ... 256
Date and Time ... 257
Daylight Saving Time ... 257
Time Zone ... 257
Network Time Protocol ... 258
Configuring Multiple NTP Servers ... 258
Configuring a Backup NTP Server ... 258
Device as an NTP Server ... 259
Maximum Time Adjustment ... 259
NTP and NSRP ... 260
Setting a Maximum Time Adjustment Value to an NTP Server ... 260
Securing NTP Servers ... 260

Table of Contents


Index..........................................................................................................................IX-I

Volume 3: Administration

About This Volume .... vii
Document Conventions .... vii
    Web User Interface Conventions .... vii
    Command Line Interface Conventions .... viii
    Naming Conventions and Character Types .... viii
    Illustration Conventions .... x
Requesting Technical Support .... x
    Self-Help Online Tools and Resources .... xi
    Opening a Case with JTAC .... xi
Document Feedback .... xi

Chapter 1 Administration .... 1

Federal Information Processing Standards (FIPS) .... 2
    Power-On Self-Test .... 2
        Config-Data Integrity Test .... 3
        Firmware Integrity Test .... 3
    Self-Test on Demand by Administrator .... 3
    Self-Test After Key Generation .... 4
    Periodic Self-Test .... 4
Management with the Web User Interface .... 5
    WebUI Help .... 5
        Copying the Help Files to a Local Drive .... 6
        Pointing the WebUI to the New Help Location .... 6
    HyperText Transfer Protocol .... 7
    Session ID .... 7
    Secure Sockets Layer .... 8
        SSL Configuration .... 10
        Redirecting HTTP to SSL .... 11
Management with the Command Line Interface .... 12
    Telnet .... 12
    Securing Telnet Connections .... 13
    Secure Shell .... 14
        Client Requirements .... 15
        Basic SSH Configuration on the Device .... 16
        Authentication .... 17
        Binding a PKA key to administrator .... 18
        Binding a PKA certificate to administrator .... 19
        SSH and Vsys .... 19
        Host Key .... 20
        Host Certificate .... 20
        Example: SSHv1 with PKA for Automated Logins .... 21
    Secure Copy .... 22
    Serial Console .... 23
    Remote Console .... 24
        Remote Console Using V.92 Modem Port .... 24
        Remote Console Using an AUX Port .... 25
    Modem Port .... 26
Management with the Network and Security Manager .... 26


    Initiating Connectivity Between NSM Agent and the MGT System .... 27
    Enabling, Disabling, and Unsetting NSM Agent .... 28
    Setting the Primary Server IP Address of the Management System .... 29
    Setting Alarm and Statistics Reporting .... 29
    Configuration Synchronization .... 30
        Example: Viewing the Configuration State .... 31
        Example: Retrieving the Configuration Hash .... 31
    Retrieving the Configuration Timestamp .... 31
Controlling Administrative Traffic .... 32
    MGT and VLAN1 Interfaces .... 33
        Example: Administration Through the MGT Interface .... 33
        Example: Administration Through the VLAN1 Interface .... 33
    Setting Administrative Interface Options .... 34
    Setting Manage IPs for Multiple Interfaces .... 35
Levels of Administration .... 37
    Root Administrator .... 37
        Role Attributes .... 38
    Read/Write Administrator .... 39
    Read-Only Administrator .... 39
    Virtual System Administrator .... 39
    Virtual System Read-Only Administrator .... 40
Defining Admin Users .... 40
    Example: Adding a Read-Only Admin .... 40
    Example: Modifying an Admin .... 40
    Example: Deleting an Admin .... 41
    Example: Configuring Admin Accounts for Dialup Connections .... 41
    Example: Clearing an Admin's Sessions .... 42
Securing Administrative Traffic .... 42
    Changing the Port Number .... 43
    Changing the Admin Login Name and Password .... 44
        Example: Changing an Admin User's Login Name and Password .... 45
        Example: Changing Your Own Password .... 45
        Setting the Minimum Length of the Root Admin Password .... 46
    Resetting the Device to the Factory Default Settings .... 46
    Restricting Administrative Access .... 47
        Example: Restricting Administration to a Single Workstation .... 47
        Example: Restricting Administration to a Subnet .... 47
        Restricting the Root Admin to Console Access .... 47
        Monitoring Admin Access .... 48
    VPN Tunnels for Administrative Traffic .... 49
        Administration Through a Route-Based Manual Key VPN Tunnel .... 50
        Administration Through a Policy-Based Manual Key VPN Tunnel .... 53
Password Policy .... 57
    Setting a Password Policy .... 57
    Removing a Password Policy .... 58
    Viewing a Password Policy .... 58
    Recovering from a Rejected Default Admin Password .... 58
Creating a Login Banner .... 59

Chapter 2 Monitoring Security Devices .... 61

Storing Log Information .... 61
Event Log .... 63
    Viewing the Event Log by Severity Level and Keyword .... 64
    Sorting and Filtering the Event Log .... 65


    Downloading the Event Log .... 66
        Example: Downloading the Entire Event Log .... 66
        Example: Downloading the Event Log for Critical Events .... 66
Traffic Log .... 67
    Viewing the Traffic Log .... 68
        Example: Viewing Traffic Log Entries .... 68
        Sorting and Filtering the Traffic Log .... 68
        Example: Sorting the Traffic Log by Time .... 69
    Removing the Reason for Close Field .... 70
Self Log .... 72
    Viewing the Self Log .... 72
        Sorting and Filtering the Self Log .... 72
        Example: Filtering the Self Log by Time .... 73
    Storing Debug Information .... 73
    Downloading the Self Log .... 74
Downloading the Asset Recovery Log .... 74
Traffic Alarms .... 75
    Example: Policy-Based Intrusion Detection .... 75
    Example: Compromised System Notification .... 76
    Example: Sending Email Alerts .... 77
Security Alarms and Audit Logs .... 77
    Enabling Security Alarms .... 78
        Viewing Security Alarms .... 79
        Acknowledging Security Alarms .... 80
    Setting Potential-Violation Security Alarms .... 80
        Example: Configuring a Device to Trigger a Potential-Violation Alarm .... 81
    Configuring Exclude Rules .... 81
        Example: Setting an Exclude Rule to Exclude an Event for the Audit Log .... 81
Syslog .... 82
    Example: Enabling Multiple Syslog Servers .... 83
    Enabling WebTrends for Notification Events .... 83
Simple Network Management Protocol .... 84
    Implementation Overview .... 87
    Defining a Read/Write SNMP Community .... 88
    Configuring a MIB Filter in the SNMP Community .... 89
        Example .... 89
VPN Tunnels for Self-Initiated Traffic .... 90
    Example: Self-Generated Traffic Through a Route-Based Tunnel .... 92
    Example: Self-Generated Traffic Through a Policy-Based Tunnel .... 98
Viewing Screen Counters .... 104

Index .... IX-I

Volume 4: Attack Detection and Defense Mechanisms

About This Volume .... ix
Document Conventions .... x
    Web User Interface Conventions .... x
    Command Line Interface Conventions .... x
    Naming Conventions and Character Types .... xi


    Illustration Conventions .... xii
Requesting Technical Support .... xii
    Self-Help Online Tools and Resources .... xiii
    Opening a Case with JTAC .... xiii
Document Feedback .... xiii

Chapter 1 Protecting a Network .... 1

Stages of an Attack .... 2
Detection and Defense Mechanisms .... 2
Exploit Monitoring .... 5
    Example: Monitoring Attacks from the Untrust Zone .... 5

Chapter 2 Reconnaissance Deterrence .... 7

IP Address Sweep .... 8
Port Scanning .... 9
TCP/UDP Sweep Protection .... 10
Network Reconnaissance Using IP Options .... 11
Operating System Probes .... 14
    SYN and FIN Flags Set .... 14
    FIN Flag Without ACK Flag .... 15
    TCP Header Without Flags Set .... 16
Evasion Techniques .... 16
    FIN Scan .... 16
    Non-SYN Flags .... 17
    IP Spoofing .... 20
        Example: L3 IP Spoof Protection .... 21
        Example: L2 IP Spoof Protection .... 24
    IP Source Route Options .... 25

Chapter 3 Denial of Service Attack Defenses .... 29

Firewall DoS Attacks .... 30
    Session Table Flood .... 30
        Source-Based and Destination-Based Session Limits .... 30
        Example: Source-Based Session Limiting .... 32
        Example: Destination-Based Session Limiting .... 32
        Aggressive Aging .... 33
        Example: Aggressively Aging Out Sessions .... 34
        CPU Protection with Blacklisting DoS Attack Traffic .... 35
        Example .... 36
        Prioritizing Critical Traffic .... 37
    SYN-ACK-ACK Proxy Flood .... 38
Network DoS Attacks .... 40
    SYN Flood .... 40
        Example: SYN Flood Protection .... 46
    SYN Cookie .... 50
    ICMP Flood .... 52
    UDP Flood .... 53
    Land Attack .... 54
OS-Specific DoS Attacks .... 55
    Ping of Death .... 55
    Teardrop Attack .... 56
    WinNuke .... 57


Chapter 4 Content Monitoring and Filtering .... 59

Fragment Reassembly .... 60
    Malicious URL Protection .... 60
    Application Layer Gateway .... 61
        Example: Blocking Malicious URLs in Packet Fragments .... 62
Antivirus Scanning .... 64
    External AV Scanning .... 64
        Scanning Modes .... 65
        Load-Balancing ICAP Scan Servers .... 65
    Internal AV Scanning .... 66
    AV Scanning of IM Traffic .... 67
        IM Clients .... 67
        IM Server .... 68
        IM Protocols .... 69
        Instant Messaging Security Issues .... 69
        IM Security Issues .... 69
        Scanning Chat Messages .... 70
        Scanning File Transfers .... 70
    AV Scanning Results .... 71
    Policy-Based AV Scanning .... 72
    Scanning Application Protocols .... 73
        Scanning FTP Traffic .... 74
        Scanning HTTP Traffic .... 75
        Scanning IMAP and POP3 Traffic .... 77
        Scanning SMTP Traffic .... 79
        Redirecting Traffic to ICAP AV Scan Servers .... 81
    Updating the AV Pattern Files for the Embedded Scanner .... 82
        Subscribing to the AV Signature Service .... 82
        Updating AV Patterns from a Server .... 83
        Updating AV Patterns from a Proxy Server .... 85
    AV Scanner Global Settings .... 85
        AV Resource Allotment .... 85
        Fail-Mode Behavior .... 86
        AV Warning Message .... 86
        AV Notify Mail .... 87
        Maximum Content Size and Maximum Messages (Internal AV Only) .... 87
        HTTP Keep-Alive .... 88
        HTTP Trickling (Internal AV Only) .... 89
    AV Profiles .... 90
        Assigning an AV Profile to a Firewall Policy .... 91
        Initiating an AV Profile for Internal AV .... 92
        Example: (Internal AV) Scanning for All Traffic Types .... 92
        Example: AV Scanning for SMTP and HTTP Traffic Only .... 92
        AV Profile Settings .... 93
Antispam Filtering .... 98
    Blacklists and Whitelists .... 98
    Basic Configuration .... 99
        Filtering Spam Traffic .... 99
        Dropping Spam Messages .... 99
    Defining a Blacklist .... 100
    Defining a Whitelist .... 100
    Defining a Default Action .... 101
    Enabling a Spam-Blocking List Server .... 101


    Testing Antispam .... 101
Web Filtering .... 102
    Using the CLI to Initiate Web-Filtering Modes .... 102
    Integrated Web Filtering .... 103
        SurfControl Servers .... 104
        Web-Filtering Cache .... 104
        Configuring Integrated Web Filtering .... 105
        Example: Integrated Web Filtering .... 110
    Redirect Web Filtering .... 112
        Virtual System Support .... 113
        Configuring Redirect Web Filtering .... 114
        Example: Redirect Web Filtering .... 117

Chapter 5 Deep Inspection .... 121

Overview .... 122
Attack Object Database Server .... 126
    Predefined Signature Packs .... 126
    Updating Signature Packs .... 127
        Before You Start Updating Attack Objects .... 128
        Immediate Update .... 128
        Automatic Update .... 129
        Automatic Notification and Immediate Update .... 130
        Manual Update .... 131
        Updating DI Patterns from a Proxy Server .... 133
Attack Objects and Groups .... 134
    Supported Protocols .... 135
    Stateful Signatures .... 137
    TCP Stream Signatures .... 138
    Protocol Anomalies .... 139
    Attack Object Groups .... 139
        Changing Severity Levels .... 140
    Disabling Attack Objects .... 141
Attack Actions .... 142
    Example: Attack Actions - Close Server, Close, Close Client .... 143
    Brute Force Attack Actions .... 150
        Brute Force Attack Objects .... 151
        Brute Force Attack Target .... 151
        Brute Force Attack Timeout .... 151
        Example 1 .... 152
        Example 2 .... 152
        Example 3 .... 153
Attack Logging .... 153
    Example: Disabling Logging per Attack Group .... 153
Mapping Custom Services to Applications .... 155
    Example: Mapping an Application to a Custom Service .... 156
    Example: Application-to-Service Mapping for HTTP Attacks .... 158
Customized Attack Objects and Groups .... 159
    User-Defined Stateful Signature Attack Objects .... 159
        Regular Expressions .... 160
        Example: User-Defined Stateful Signature Attack Objects .... 161
    TCP Stream Signature Attack Objects .... 163
        Example: User-Defined Stream Signature Attack Object .... 164
    Configurable Protocol Anomaly Parameters .... 165
        Example: Modifying Parameters .... 165


    Negation .... 166
        Example: Attack Object Negation .... 166
Granular Blocking of HTTP Components .... 171
    ActiveX Controls .... 172
    Java Applets .... 172
    EXE Files .... 172
    ZIP Files .... 172
    Example: Blocking Java Applets and .exe Files .... 173

Chapter 6 Intrusion Detection and Prevention .... 175

IDP-Capable Security Devices .... 176
Traffic Flow in an IDP-Capable Device .... 177
Configuring Intrusion Detection and Prevention .... 179
    Preconfiguration Tasks .... 179
    Example 1: Basic IDP Configuration .... 180
    Example 2: Configuring IDP for Active/Passive Failover .... 182
    Example 3: Configuring IDP for Active/Active Failover .... 184
Configuring Security Policies .... 186
    About Security Policies .... 186
    Managing Security Policies .... 187
    Installing Security Policies .... 187
Using IDP Rulebases .... 187
    Role-Based Administration of IDP Rulebases .... 188
    Configuring Objects for IDP Rules .... 188
    Using Security Policy Templates .... 189
Enabling IDP in Firewall Rules .... 190
    Enabling IDP .... 191
    Specifying Inline or Inline Tap Mode .... 191
Configuring IDP Rules .... 191
    Adding the IDP Rulebase .... 193
    Matching Traffic .... 194
        Source and Destination Zones .... 194
        Source and Destination Address Objects .... 194
        Example: Setting Source and Destination .... 195
        Example: Setting Multiple Sources and Destinations .... 195
        Services .... 195
        Example: Setting Default Services .... 196
        Example: Setting Specific Services .... 196
        Example: Setting Nonstandard Services .... 197
        Terminal Rules .... 198
        Example: Setting Terminal Rules .... 199
    Defining Actions .... 200
    Setting Attack Objects .... 202
        Adding Attack Objects Individually .... 202
        Adding Attack Objects by Category .... 202
        Example: Adding Attack Objects by Service .... 202
        Adding Attack Objects by Operating System .... 202
        Adding Attack Objects by Severity .... 203
    Setting IP Actions .... 203
        Choosing an IP Action .... 204
        Choosing a Blocking Option .... 204
        Setting Logging Options .... 204
        Setting Timeout Options .... 204
    Setting Notification .... 205

xv

Concepts & Examples ScreenOS Reference Guide

Setting Logging ...............................................................................205 Setting an Alert ...............................................................................205 Logging Packets ..............................................................................205 Setting Severity......................................................................................206 Setting Targets.......................................................................................206 Entering Comments...............................................................................206 Configuring Exempt Rules............................................................................206 Adding the Exempt Rulebase.................................................................207 Defining a Match ...................................................................................208 Source and Destination Zones.........................................................208 Source and Destination Address Objects .........................................208 Example: Exempting a Source/Destination Pair ..............................209 Setting Attack Objects............................................................................209 Example: Exempting Specific Attack Objects ..................................209 Setting Targets.......................................................................................209 Entering Comments...............................................................................210 Creating an Exempt Rule from the Log Viewer ......................................210 Configuring Backdoor Rules .........................................................................211 Adding the Backdoor Rulebase ..............................................................211 Defining a Match ...................................................................................212 Source and Destination 
Zones.........................................................212 Source and Destination Address Objects .........................................213 Services...........................................................................................213 Setting the Operation ............................................................................213 Setting Actions.......................................................................................213 Setting Notification ................................................................................214 Setting Logging ...............................................................................214 Setting an Alert ...............................................................................214 Logging Packets ..............................................................................214 Setting Severity......................................................................................215 Setting Targets.......................................................................................215 Entering Comments...............................................................................215 Configuring IDP Attack Objects ....................................................................215 About IDP Attack Object Types..............................................................215 Signature Attack Objects .................................................................216 Protocol Anomaly Attack Objects ....................................................216 Compound Attack Objects...............................................................216 Viewing Predefined IDP Attack Objects and Groups ..............................216 Viewing Predefined Attacks.............................................................217 Viewing Predefined Groups .............................................................218 Creating Custom IDP Attack 
Objects......................................................218 Creating a Signature Attack Object..................................................220 Creating a Protocol Anomaly Attack................................................225 Creating a Compound Attack ..........................................................226 Editing a Custom Attack Object.......................................................228 Deleting a Custom Attack Object.....................................................228 Creating Custom IDP Attack Groups ......................................................229 Configuring Static Groups................................................................229 Configuring Dynamic Groups ..........................................................230 Example: Creating a Dynamic Group ..............................................231 Updating Dynamic Groups ..............................................................232 Editing a Custom Attack Group .......................................................233 Deleting a Custom Attack Group .....................................................233 Configuring the Device as a Standalone IDP Device .....................................233

xvi

Table of Contents

Table of Contents

Enabling IDP..........................................................................................233 Example: Configuring a Firewall Rule for Standalone IDP ...............234 Configuring Role-Based Administration .................................................234 Example: Configuring an IDP-Only Administrator ...........................235 Managing IDP ..............................................................................................236 About Attack Database Updates.............................................................236 Downloading Attack Database Updates .................................................236 Using Updated Attack Objects .........................................................237 Updating the IDP Engine.................................................................237 Viewing IDP Logs...................................................................................239 ISG-IDP Devices ...........................................................................................240 Compiling a Policy.................................................................................240 Policy Size Multiplier .......................................................................240 Unloading Existing Policies .............................................................241 Chapter 7 Suspicious Packet Attributes 243

ICMP Fragments ..........................................................................................244 Large ICMP Packets......................................................................................245 Bad IP Options .............................................................................................246 Unknown Protocols......................................................................................247 IP Packet Fragments ....................................................................................248 SYN Fragments ............................................................................................249 Appendix A Contexts for User-Defined Signatures A-I

Index..........................................................................................................................IX-I

Volume 5: Virtual Private NetworksAbout This Volume vii

Document Conventions................................................................................. viii Web User Interface Conventions ........................................................... viii Command Line Interface Conventions ................................................... viii Naming Conventions and Character Types .............................................. ix Illustration Conventions ............................................................................ x Requesting Technical Support .......................................................................... x Self-Help Online Tools and Resources....................................................... xi Opening a Case with JTAC ........................................................................ xi Document Feedback ....................................................................................... xi Chapter 1 Internet Protocol Security 1

Introduction to Virtual Private Networks .......................................................... 2 IPsec Concepts................................................................................................. 3 Modes........................................................................................................ 4 Transport Mode .................................................................................. 4 Tunnel Mode ....................................................................................... 4 Protocols ................................................................................................... 5 Authentication Header ........................................................................ 6 Encapsulating Security Payload........................................................... 6 Key Management ...................................................................................... 7 Manual Key ......................................................................................... 7Table of Contents

xvii

Concepts & Examples ScreenOS Reference Guide

AutoKey IKE........................................................................................ 7 Key Protection .................................................................................... 8 Security Associations ................................................................................. 8 Tunnel Negotiation........................................................................................... 9 Phase 1...................................................................................................... 9 Main and Aggressive Modes .............................................................. 10 Diffie-Hellman Exchange................................................................... 11 Phase 2.................................................................................................... 11 Perfect Forward Secrecy ................................................................... 12 Replay Protection.............................................................................. 12 IKE and IPsec Packets .................................................................................... 13 IKE Packets ............................................................................................. 13 IPsec Packets........................................................................................... 16 IKE Version 2........................................................................................... 18 Initial Exchanges............................................................................... 18 CREATE_CHILD_SA Exchange .......................................................... 20 Informational Exchanges .................................................................. 20 Enabling IKEv2 on a Security Device ....................................................... 20 Example: Configuring an IKEv2 Gateway .......................................... 21 Authentication Using Extensible Authentication Protocol .................. 
25 IKEv2 EAP Passthrough ........................................................................... 26 Example............................................................................................ 26 Chapter 2 Public Key Cryptography 29

Introduction to Public Key Cryptography ....................................................... 30 Signing a Certificate................................................................................. 30 Verifying a Digital Signature .................................................................... 30 Elliptic Curve Digital Signature Algorithm ................................................ 31 Public Key Infrastructure................................................................................ 33 Certificates and CRLs ..................................................................................... 35 Requesting a Certificate Manually............................................................ 37 Loading Certificates and Certificate Revocation Lists ............................... 39 Configuring CRL Settings ......................................................................... 40 Obtaining a Local Certificate Automatically ............................................. 41 Automatic Certificate Renewal.................................................................44 Key-Pair Generation................................................................................. 45 Online Certificate Status Protocol................................................................... 45 Specifying a Certificate Revocation Check Method .................................. 46 Viewing Status Check Attributes .............................................................. 47 Specifying an Online Certificate Status Protocol Responder URL ............. 47 Removing Status Check Attributes........................................................... 47 Self-Signed Certificates................................................................................... 48 Certificate Validation ............................................................................... 49 Manually Creating Self-Signed Certificates ............................................... 
50 Setting an Admin-Defined Self-Signed Certificate .................................... 51 Certificate Auto-Generation...................................................................... 55 Deleting Self-Signed Certificates .............................................................. 56 Chapter 3 Virtual Private Network Guidelines 59

Cryptographic Options ................................................................................... 60 Site-to-Site Cryptographic Options ........................................................... 60 Dialup VPN Options................................................................................. 67 Cryptographic Policy ......................................................................... 74

xviii

Table of Contents

Table of Contents

Route-Based and Policy-Based Tunnels .......................................................... 75 Packet Flow: Site-to-Site VPN ......................................................................... 76 Tunnel Configuration Guidelines .................................................................... 82 Route-Based Virtual Private Network Security Considerations ........................ 84 Null Route................................................................................................ 84 Dialup or Leased Line .............................................................................. 86 VPN Failover to Leased Line or Null Route............................................... 87 Decoy Tunnel Interface ........................................................................... 89 Virtual Router for Tunnel Interfaces......................................................... 90 Reroute to Another Tunnel ...................................................................... 90 Chapter 4 Site-to-Site Virtual Private Networks 91

Site-to-Site VPN Configurations ...................................................................... 92 Route-Based Site-to-Site VPN, AutoKey IKE ............................................. 98 Policy-Based Site-to-Site VPN, AutoKey IKE ...........................................107 Route-Based Site-to-Site VPN, Dynamic Peer .........................................113 Policy-Based Site-to-Site VPN, Dynamic Peer.........................................121 Route-Based Site-to-Site VPN, Manual Key.............................................130 Policy-Based Site-to-Site VPN, Manual Key.............................................136 Dynamic IKE Gateways Using FQDN ...........................................................141 Aliases ...................................................................................................142 Setting AutoKey IKE Peer with FQDN ....................................................143 VPN Sites with Overlapping Addresses.........................................................152 Transparent Mode VPN ................................................................................163 Transport Mode IPsec VPN...........................................................................169 GW-1 Configuration ...............................................................................170 GW-2 Configuration ...............................................................................171 Chapter 5 Dialup Virtual Private Networks 173

Dialup ..........................................................................................................174 Policy-Based Dialup VPN, AutoKey IKE..................................................174 Route-Based Dialup VPN, Dynamic Peer................................................180 Policy-Based Dialup VPN, Dynamic Peer ...............................................187 Bidirectional Policies for Dialup VPN Users............................................192 Group IKE ID................................................................................................197 Group IKE ID with Certificates ...............................................................197 Wildcard and Container ASN1-DN IKE ID Types....................................199 Creating a Group IKE ID (Certificates) ....................................................201 Setting a Group IKE ID with Preshared Keys..........................................206 Shared IKE ID ..............................................................................................212 Chapter 6 Layer 2 Tunneling Protocol 219

Introduction to L2TP ....................................................................................219 Packet Encapsulation and Decapsulation .....................................................222 Encapsulation ........................................................................................222 Decapsulation........................................................................................223 Setting L2TP Parameters ..............................................................................225 L2TP and L2TP-over-IPsec............................................................................227 Configuring L2TP...................................................................................227 Configuring L2TP-over-IPsec..................................................................232 Configuring an IPsec Tunnel to Secure Management Traffic ..................239 Bidirectional L2TP-over-IPsec ................................................................241

Table of Contents

xix

Concepts & Examples ScreenOS Reference Guide

Chapter 7

Advanced Virtual Private Network Features

247

NAT-Traversal ..............................................................................................248 Probing for NAT.....................................................................................249 Traversing a NAT Device .......................................................................251 UDP Checksum......................................................................................253 Keepalive Packets..................................................................................253 Initiator/Responder Symmetry ..............................................................253 Enabling NAT-Traversal .........................................................................255 Using IKE IDs with NAT-Traversal..........................................................256 VPN Monitoring ...........................................................................................258 Rekey and Optimization Options...........................................................259 Source Interface and Destination Address .............................................260 Policy Considerations ............................................................................261 Configuring the VPN Monitoring Feature ...............................................261 SNMP VPN Monitoring Objects and Traps .............................................269 Multiple Tunnels per Tunnel Interface ..........................................................271 Route-to-Tunnel Mapping ......................................................................271 Remote Peers Addresses ......................................................................273 Manual and Automatic Table Entries .....................................................274 Manual Table Entries.......................................................................274 Automatic Table Entries ..................................................................274 Setting VPNs on a Tunnel Interface to 
Overlapping Subnets............276 Binding Automatic Route and NHTB Table Entries ..........................294 Using OSPF for Automatic Route Table Entries ...............................306 Redundant VPN Gateways............................................................................307 VPN Groups ...........................................................................................308 Monitoring Mechanisms ........................................................................309 IKE Heartbeats ................................................................................310 Dead Peer Detection .......................................................................310 IKE Recovery Procedure..................................................................311 TCP SYN-Flag Checking .........................................................................313 Creating Redundant VPN Gateways.................................................314 Creating Back-to-Back VPNs .........................................................................320 Creating Hub-and-Spoke VPNs .....................................................................327 Chapter 8 AutoConnect-Virtual Private Networks 337

Overview .....................................................................................................337 How It Works...............................................................................................337 NHRP Messages.....................................................................................338 AC-VPN Tunnel Initiation .......................................................................339 Configuring AC-VPN ..............................................................................340 Network Address Translation ..........................................................340 Configuration on the Hub................................................................340 Configuration on Each Spoke ..........................................................341 Example ................................................................................................342

xx

Table of Contents

Table of Contents

Index............................