JUNOS Software
Security Configuration Guide
Release
10.1
Published: 2012-06-07
Revision 01
Copyright 2012, Juniper Networks, Inc.
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton's EGP, UC Berkeley's routing daemon (routed), and DCN's HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates.

This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Junos OS Security Configuration Guide
Release 10.1
Copyright 2012, Juniper Networks, Inc.
All rights reserved.

Revision History
March 2010: R1, Junos OS 10.1
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you indicate that you understand and agree to be bound by those terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain uses. The software license may state conditions under which the license is automatically terminated. You should consult the license for further details. For complete product documentation, please see the Juniper Networks website at www.juniper.net/techpubs.
END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Abbreviated Table of Contents

About This Guide (p. xxxix)

Part 1  Introduction to JUNOS Software
  Chapter 1  Introducing JUNOS Software for SRX Series Services Gateways (p. 3)
  Chapter 2  Introducing JUNOS Software for J Series Services Routers (p. 43)

Part 2  Security Zones and Interfaces
  Chapter 3  Security Zones and Interfaces (p. 57)
  Chapter 4  Address Books and Address Sets (p. 73)

Part 3  Security Policies
  Chapter 5  Security Policies (p. 83)
  Chapter 6  Security Policy Schedulers (p. 101)
  Chapter 7  Security Policy Applications (p. 109)

Part 4  Application Layer Gateways
  Chapter 8  ALGs (p. 145)
  Chapter 9  H.323 ALGs (p. 149)
  Chapter 10  SIP ALGs (p. 177)
  Chapter 11  SCCP ALGs (p. 239)
  Chapter 12  MGCP ALGs (p. 255)
  Chapter 13  RPC ALGs (p. 283)

Part 5  User Authentication
  Chapter 14  Firewall User Authentication (p. 293)
  Chapter 15  Infranet Authentication (p. 325)

Part 6  Virtual Private Networks
  Chapter 16  Internet Protocol Security (p. 347)
  Chapter 17  Public Key Cryptography for Certificates (p. 385)
  Chapter 18  Dynamic VPNs (p. 411)
  Chapter 19  NetScreen-Remote VPN Client (p. 429)

Part 7  Intrusion Detection and Prevention
  Chapter 20  IDP Policies (p. 451)
  Chapter 21  Application-Level Distributed Denial of Service (p. 511)
  Chapter 22  IDP Signature Database (p. 519)
  Chapter 23  IDP Application Identification (p. 533)
  Chapter 24  IDP SSL Inspection (p. 547)
  Chapter 25  IDP Performance and Capacity Tuning (p. 553)
  Chapter 26  IDP Logging (p. 557)

Part 8  Unified Threat Management
  Chapter 27  Unified Threat Management Overview (p. 565)
  Chapter 28  Antispam Filtering (p. 571)
  Chapter 29  Full Antivirus Protection (p. 585)
  Chapter 30  Express Antivirus Protection (p. 629)
  Chapter 31  Content Filtering (p. 645)
  Chapter 32  Web Filtering (p. 657)

Part 9  Attack Detection and Prevention
  Chapter 33  Attack Detection and Prevention (p. 687)
  Chapter 34  Reconnaissance Deterrence (p. 689)
  Chapter 35  Suspicious Packet Attributes (p. 715)
  Chapter 36  Denial-of-Service Attacks (p. 729)

Part 10  Chassis Cluster
  Chapter 37  Chassis Cluster (p. 771)

Part 11  Network Address Translation
  Chapter 38  Network Address Translation (p. 871)

Part 12  GPRS
  Chapter 39  General Packet Radio Service (p. 899)

Part 13  Index
  Index (p. 919)
Table of ContentsAbout This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxix
J Series and SRX Series Documentation and Release Notes . . . . . . . . . . . . . . . xxxixObjectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xlAudience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xlSupported Routing Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xlHow to Use This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xlDocument Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xliiDocumentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xlivRequesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xliv
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xlivOpening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xlv
Part 1 Introduction to JUNOS SoftwareChapter 1 Introducing JUNOS Software for SRX Series Services Gateways . . . . . . . . . . 3
SRX Series Services Gateways Processing Overview . . . . . . . . . . . . . . . . . . . . . . . . 3Understanding Flow-Based Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Zones and Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Flows and Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Understanding Packet-Based Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Stateless Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Class-of-Service Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Sessions for SRX Series Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Session Characteristics for SRX Series Services Gateways . . . . . . . . . . . . . . . . 7
Understanding Session Characteristics for SRX Series ServicesGateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Example: Controlling Session Termination for SRX Series ServicesGateways (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Example: Disabling TCP Packet Security Checks for SRX Series ServicesGateways (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Example: Setting the Maximum Segment Size for All TCP Sessions forSRX Series Services Gateways (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Monitoring Sessions for SRX Series Services Gateways . . . . . . . . . . . . . . . . . 10Understanding How to Obtain Session Information for SRX Series
Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Displaying Global Session Parameters for All SRX Series Services
Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Displaying a Summary of Sessions for SRX Series Services
Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
viiCopyright 2012, Juniper Networks, Inc.
-
Displaying Session and Flow Information About Sessions for SRX SeriesServices Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Displaying Session and Flow Information About a Specific Session forSRX Series Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Using Filters to Display Session and Flow Information for SRX SeriesServices Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Information Provided in Session Log Entries for SRX Series ServicesGateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Clearing Sessions for SRX Series Services Gateways . . . . . . . . . . . . . . . . . . . . 17Terminating Sessions for SRX Series Services Gateways . . . . . . . . . . . . . 17Terminating a Specific Session for SRX Series Services Gateways . . . . . 17Using Filters to Specify the Sessions to Be Terminated for SRX Series
Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Debugging for SRX Series Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Data Path Debugging for SRX Series Services Gateways . . . . . . . . . . . . . . . . . 17Understanding Data Path Debugging for SRX Series Services
Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Debugging the Data Path (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . 18
Security Debugging for SRX Series Services Gateways . . . . . . . . . . . . . . . . . . 19Understanding Security Debugging Using Trace Options . . . . . . . . . . . . . 19Setting Security Trace Options (J-Web Point and Click CLI
Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Setting Security Trace Options (CLI Procedure) . . . . . . . . . . . . . . . . . . . 20Displaying Output for Security Trace Options . . . . . . . . . . . . . . . . . . . . . . 21
Flow Debugging for SRX Series Services Gateways . . . . . . . . . . . . . . . . . . . . 22Understanding Flow Debugging Using Trace Options . . . . . . . . . . . . . . . 22Example: Setting Flow Debugging Trace Options (CLI) . . . . . . . . . . . . . . 22
Understanding SRX Series Services Gateways Central Point Architecture . . . . . . 23Load Distribution in Combo Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Sharing Processing Power and Memory in Combo Mode . . . . . . . . . . . . . . . . 23
SRX5600 and SRX5800 Services Gateways Processing Overview . . . . . . . . . . . 24Understanding First-Packet Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Understanding Fast-Path Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Understanding the Data Path for Unicast Sessions . . . . . . . . . . . . . . . . . . . . . 27
Session Lookup and Packet Match Criteria . . . . . . . . . . . . . . . . . . . . . . . 28Understanding Session Creation: First-Packet Processing . . . . . . . . . . . 28Understanding Fast-Path Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Understanding Packet Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Understanding Services Processing Units . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Understanding Scheduler Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Understanding Network Processor Bundling . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Network Processor Bundling Limitations . . . . . . . . . . . . . . . . . . . . . . . . . 34SRX3400 and SRX3600 Services Gateways Processing Overview . . . . . . . . . . . 35
Components Involved in Setting up a Session . . . . . . . . . . . . . . . . . . . . . . . . 36Understanding the Data Path for Unicast Sessions . . . . . . . . . . . . . . . . . . . . 36Session Lookup and Packet Match Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Understanding Session Creation: First Packet Processing . . . . . . . . . . . . . . . 37Understanding Fast-Path Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Copyright 2012, Juniper Networks, Inc.viii
JUNOS Software Security Configuration Guide
-
SRX210 Services Gateway Processing Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 39Understanding Flow Processing and Session Management . . . . . . . . . . . . . . 39Understanding First-Packet Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Understanding Session Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Understanding Fast-Path Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Chapter 2 Introducing JUNOS Software for J Series Services Routers . . . . . . . . . . . . . 43
Understanding Stateful and Stateless Data Processing for J Series ServicesRouters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Understanding Flow-Based Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Zones and Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Flows and Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Understanding Packet-Based Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Stateless Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Class-of-Service Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Session Characteristics for J Series Services Routers . . . . . . . . . . . . . . . . . . . . . . . 47Understanding Session Characteristics for J Series Services Routers . . . . . . . 47Example: Controlling Session Termination for J Series Services Routers
(CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Example: Disabling TCP Packet Security Checks for J Series Services Routers
(CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Example: Accommodating End-to-End TCP Communication for J Series
Services Routers (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Understanding the Data Path for J Series Services Routers . . . . . . . . . . . . . . . . . . 50
Understanding the Forwarding Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Understanding the Session-Based Processing . . . . . . . . . . . . . . . . . . . . . . . . . 51
Session Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51First-Packet Path Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Fast-Path Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Understanding Forwarding Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Part 2 Security Zones and InterfacesChapter 3 Security Zones and Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Security Zones and Interfaces Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57Understanding Security Zone Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Understanding Interface Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Security Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Understanding Functional Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59Understanding Security Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59Example: Creating Security Zones (J-Web Point and Click CLI) . . . . . . . . . . . 60Example: Creating Security Zones (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Host Inbound Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62Understanding How to Control Inbound Traffic Based on Traffic Types . . . . 62Supported System Services for Host Inbound Traffic . . . . . . . . . . . . . . . . . . . 63Example: Controlling Inbound Traffic Based on Traffic Types (J-Web Point
and Click CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Example: Controlling Inbound Traffic Based on Traffic Types (CLI) . . . . . . . . 65
ixCopyright 2012, Juniper Networks, Inc.
Table of Contents
-
Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Understanding How to Control Inbound Traffic Based on Protocols . . . . . . . 67Example: Controlling Inbound Traffic Based on Protocols (J-Web Point and
Click CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Example: Controlling Inbound Traffic Based on Protocols (CLI) . . . . . . . . . . 69
TCP-Reset Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Understanding How to Identify Duplicate Sessions Using the TCP-Reset
Parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Example: Configuring the TCP-Reset Parameter (J-Web Point and Click
CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Example: Configuring the TCP-Reset Parameter (CLI) . . . . . . . . . . . . . . . . . . 71
Chapter 4 Address Books and Address Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Security Policy Address Books and Address Sets Overview . . . . . . . . . . . . . . . . . . 73Understanding Address Books . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74Understanding Address Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75Example: Configuring Address Books (J-Web Point and Click CLI) . . . . . . . . . . . . 77Example: Configuring Address Books (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78Verifying Address Book Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Part 3 Security PoliciesChapter 5 Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Security Policies Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83Understanding Security Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Understanding Security Policy Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87Security Policies Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88Example: Defining Security Policies (J-Web Point and Click CLI) . . . . . . . . . . . . . 89Example: Defining Security Policies (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92Example: Configuring a Policy to Permit Traffic (CLI) . . . . . . . . . . . . . . . . . . . . . . 92Example: Configuring a Policy to Deny Traffic (J-Web Point and Click CLI) . . . . . 93Example: Configuring a Policy to Deny Traffic (CLI) . . . . . . . . . . . . . . . . . . . . . . . . 94Policy Ordering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Understanding Security Policy Ordering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95Example: Reordering the Policies (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Verifying Policy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97Troubleshooting Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Checking a Security Policy Commit Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . 98Verifying a Security Policy Commit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98Debugging Policy Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Monitoring Policy Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Chapter 6 Security Policy Schedulers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Security Policy Schedulers Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101Example: Configuring Schedulers (J-Web Point and Click CLI) . . . . . . . . . . . . . . 102Example: Configuring Schedulers (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104Example: Associating a Policy to a Scheduler (J-Web Point and Click CLI) . . . . . 105Example: Associating a Policy to a Scheduler (CLI) . . . . . . . . . . . . . . . . . . . . . . . 106Verifying Scheduled Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Copyright 2012, Juniper Networks, Inc.x
JUNOS Software Security Configuration Guide
-
Chapter 7 Security Policy Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Security Policy Applications Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109Policy Application Sets Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110Example: Configuring Applications and Application Sets (J-Web Point and Click
CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111Example: Configuring Applications and Application Sets (CLI) . . . . . . . . . . . . . . . 112Custom Policy Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Understanding Custom Policy Applications . . . . . . . . . . . . . . . . . . . . . . . . . . 113Custom Application Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113Example: Adding a Custom Policy Application (J-Web Point and Click
CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114Example: Adding a Custom Policy Application (CLI) . . . . . . . . . . . . . . . . . . . 115Example: Modifying a Custom Policy Application (J-Web Point and Click
CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116Example: Modifying a Custom Policy Application (CLI) . . . . . . . . . . . . . . . . . 117Example: Defining a Custom ICMP Application (J-Web Point and Click
CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118Example: Defining a Custom ICMP Application (CLI) . . . . . . . . . . . . . . . . . . . 119
Policy Application Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120Understanding Policy Application Timeout Configuration and Lookup . . . . 120Understanding Policy Application Timeouts Contingencies . . . . . . . . . . . . . 122Example: Setting a Policy Application Timeout (CLI) . . . . . . . . . . . . . . . . . . 123
Understanding the ICMP Predefined Policy Application . . . . . . . . . . . . . . . . . . . . 124Default Behaviour of ICMP Unreachable Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . 128Understanding Internet-Related Predefined Policy Applications . . . . . . . . . . . . . 128Understanding Microsoft Predefined Policy Applications . . . . . . . . . . . . . . . . . . 130Understanding Dynamic Routing Protocols Predefined Policy Applications . . . . 133Understanding Streaming Video Predefined Policy Applications . . . . . . . . . . . . . 133Understanding Sun RPC Predefined Policy Applications . . . . . . . . . . . . . . . . . . . 134Understanding Security and Tunnel Predefined Policy Applications . . . . . . . . . . 135Understanding IP-Related Predefined Policy Applications . . . . . . . . . . . . . . . . . . 136Understanding Instant Messaging Predefined Policy Applications . . . . . . . . . . . . 137Understanding Management Predefined Policy Applications . . . . . . . . . . . . . . . 137Understanding Mail Predefined Policy Applications . . . . . . . . . . . . . . . . . . . . . . . 139Understanding UNIX Predefined Policy Applications . . . . . . . . . . . . . . . . . . . . . . 139Understanding Miscellaneous Predefined Policy Applications . . . . . . . . . . . . . . 140
Part 4 Application Layer GatewaysChapter 8 ALGs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
ALG Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145Understanding ALG Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
xiCopyright 2012, Juniper Networks, Inc.
Table of Contents
-
Chapter 9  H.323 ALGs . . . 149
  Understanding H.323 ALGs . . . 149
  Understanding the Avaya H.323 ALG . . . 151
    Avaya H.323 ALG-Specific Features . . . 151
    Call Flow Details in the Avaya H.323 ALG . . . 152
  H.323 ALG Configuration Overview . . . 153
  H.323 ALG Endpoint Registration Timeouts . . . 154
    Understanding H.323 ALG Endpoint Registration Timeouts . . . 154
    Example: Setting H.323 ALG Endpoint Registration Timeouts (J-Web) . . . 154
    Example: Setting H.323 ALG Endpoint Registration Timeouts (CLI) . . . 155
  H.323 ALG Media Source Port Ranges . . . 155
    Understanding H.323 ALG Media Source Port Ranges . . . 155
    Example: Setting H.323 ALG Media Source Port Ranges (J-Web) . . . 155
    Example: Setting H.323 ALG Media Source Port Ranges (CLI) . . . 156
  H.323 ALG DoS Attack Protection . . . 156
    Understanding H.323 ALG DoS Attack Protection . . . 156
    Example: Configuring H.323 ALG DoS Attack Protection (J-Web) . . . 157
    Example: Configuring H.323 ALG DoS Attack Protection (CLI) . . . 157
  H.323 ALG Unknown Message Types . . . 158
    Understanding H.323 ALG Unknown Message Types . . . 158
    Example: Allowing Unknown H.323 ALG Message Types (J-Web) . . . 158
    Example: Allowing Unknown H.323 ALG Message Types (CLI) . . . 159
  Example: Passing H.323 ALG Traffic to a Gatekeeper in the Internal Zone (J-Web Point and Click CLI) . . . 160
  Example: Passing H.323 ALG Traffic to a Gatekeeper in the Internal Zone (CLI) . . . 162
  Example: Passing H.323 ALG Traffic to a Gatekeeper in the External Zone (J-Web Point and Click CLI) . . . 164
  Example: Passing H.323 ALG Traffic to a Gatekeeper in the External Zone (CLI) . . . 168
  Example: Using NAT and the H.323 ALG to Enable Incoming Calls (CLI) . . . 170
  Example: Using NAT and the H.323 ALG to Enable Outgoing Calls (CLI) . . . 172
  Verifying H.323 ALG Configurations . . . 174

Chapter 10  SIP ALGs . . . 177
  Understanding SIP ALGs . . . 177
    SIP ALG Operation . . . 178
    SDP Session Descriptions . . . 179
    Pinhole Creation . . . 180
  Understanding SIP ALG Request Methods . . . 182
  SIP ALG Configuration Overview . . . 183
  SIP ALG Call Duration and Timeouts . . . 184
    Understanding SIP ALG Call Duration and Timeouts . . . 184
    Example: Setting SIP ALG Call Duration and Timeouts (J-Web) . . . 185
    Example: Setting SIP ALG Call Duration and Timeouts (CLI) . . . 186
  SIP ALG DoS Attack Protection . . . 186
    Understanding SIP ALG DoS Attack Protection . . . 186
    Example: Configuring SIP ALG DoS Attack Protection (J-Web) . . . 187
    Example: Configuring SIP ALG DoS Attack Protection (CLI) . . . 187
  SIP ALG Unknown Message Types . . . 188
    Understanding SIP ALG Unknown Message Types . . . 188
    Example: Allowing Unknown SIP ALG Message Types (J-Web) . . . 188
    Example: Allowing Unknown SIP ALG Message Types (CLI) . . . 189
  SIP ALG Call ID Hiding . . . 189
    Understanding SIP ALG Call ID Hiding . . . 189
    Disabling SIP ALG Call ID Hiding (CLI Procedure) . . . 190
  SIP ALG Hold Resources . . . 190
    Understanding SIP ALG Hold Resources . . . 190
    Retaining SIP ALG Hold Resources (J-Web Procedure) . . . 191
    Retaining SIP ALG Hold Resources (CLI Procedure) . . . 191
  SIP ALGs and NAT . . . 191
    Understanding SIP ALGs and NAT . . . 192
      Outgoing Calls . . . 193
      Incoming Calls . . . 193
      Forwarded Calls . . . 194
      Call Termination . . . 194
      Call Re-INVITE Messages . . . 194
      Call Session Timers . . . 194
      Call Cancellation . . . 195
      Forking . . . 195
      SIP Messages . . . 195
      SIP Headers . . . 195
      SIP Body . . . 197
      SIP NAT Scenario . . . 198
      Classes of SIP Responses . . . 199
    Understanding Incoming SIP ALG Call Support Using the SIP Registrar and NAT . . . 201
    Example: Configuring Interface Source NAT for Incoming SIP Calls (CLI) . . . 202
    Example: Configuring a Source NAT Pool for Incoming SIP Calls (J-Web Point and Click CLI) . . . 204
    Example: Configuring a Source NAT Pool for Incoming SIP Calls (CLI) . . . 209
    Example: Configuring Static NAT for Incoming SIP Calls (J-Web Point and Click CLI) . . . 211
    Example: Configuring Static NAT for Incoming SIP Calls (CLI) . . . 215
    Example: Configuring the SIP Proxy in the Private Zone and NAT in the Public Zone (CLI) . . . 217
    Example: Configuring the SIP Proxy and NAT in the Public Zone (J-Web Point and Click CLI) . . . 219
    Example: Configuring the SIP Proxy and NAT in the Public Zone (CLI) . . . 224
    Example: Configuring a Three-Zone SIP ALG and NAT Scenario (J-Web Point and Click CLI) . . . 226
    Example: Configuring a Three-Zone SIP ALG and NAT Scenario (CLI) . . . 232
  Verifying SIP ALG Configurations . . . 234
    Verifying SIP ALGs . . . 235
    Verifying SIP ALG Calls . . . 235
    Verifying SIP ALG Call Details . . . 236
    Verifying SIP ALG Transactions . . . 236
    Verifying SIP ALG Counters . . . 237
    Verifying the Rate of SIP ALG Messages . . . 238

Chapter 11  SCCP ALGs . . . 239
  Understanding SCCP ALGs . . . 239
    SCCP Security . . . 240
    SCCP Components . . . 241
      SCCP Client . . . 241
      CallManager . . . 241
      Cluster . . . 241
    SCCP Transactions . . . 241
      Client Initialization . . . 242
      Client Registration . . . 242
      Call Setup . . . 242
      Media Setup . . . 242
    SCCP Control Messages and RTP Flow . . . 242
    SCCP Messages . . . 243
  SCCP ALG Configuration Overview . . . 244
  SCCP ALG Inactive Media Timeout . . . 245
    Understanding SCCP ALG Inactive Media Timeouts . . . 245
    Example: Setting SCCP ALG Inactive Media Timeouts (J-Web) . . . 245
    Example: Setting SCCP ALG Inactive Media Timeouts (CLI) . . . 246
  SCCP ALG Unknown Message Types . . . 246
    Understanding SCCP ALG Unknown Message Types . . . 246
    Example: Allowing Unknown SCCP ALG Message Types (J-Web) . . . 247
    Example: Allowing Unknown SCCP ALG Message Types (CLI) . . . 247
  SCCP ALG DoS Attack Protection . . . 248
    Understanding SCCP ALG DoS Attack Protection . . . 248
    Example: Configuring SCCP ALG DoS Attack Protection (J-Web) . . . 248
    Example: Configuring SCCP ALG DoS Attack Protection (CLI) . . . 249
  Example: Configuring the SCCP ALG CallManager/TFTP Server in the Private Zone (CLI) . . . 249
  Verifying SCCP ALG Configurations . . . 251
    Verifying SCCP ALGs . . . 251
    Verifying SCCP Calls . . . 251
    Verifying SCCP Call Details . . . 252
    Verifying SCCP Counters . . . 253

Chapter 12  MGCP ALGs . . . 255
  Understanding MGCP ALGs . . . 255
    MGCP Security . . . 256
    Entities in MGCP . . . 256
      Endpoint . . . 257
      Connection . . . 257
      Call . . . 257
      Call Agent . . . 257
    Commands . . . 258
    Response Codes . . . 260
  MGCP ALG Configuration Overview . . . 261
  MGCP ALG Call Duration and Timeouts . . . 262
    Understanding MGCP ALG Call Duration and Timeouts . . . 262
    Example: Setting MGCP ALG Call Duration (J-Web) . . . 263
    Example: Setting MGCP ALG Call Duration (CLI) . . . 263
    Example: Setting MGCP ALG Inactive Media Timeout (J-Web) . . . 263
    Example: Setting MGCP ALG Inactive Media Timeout (CLI) . . . 264
    Example: Setting the MGCP ALG Transaction Timeout (J-Web) . . . 264
    Example: Setting the MGCP ALG Transaction Timeout (CLI) . . . 265
  MGCP ALG DoS Attack Protection . . . 265
    Understanding MGCP ALG DoS Attack Protection . . . 265
    Example: Configuring MGCP ALG DoS Attack Protection (J-Web) . . . 266
    Example: Configuring MGCP ALG DoS Attack Protection (CLI) . . . 266
  MGCP ALG Unknown Message Types . . . 267
    Understanding MGCP ALG Unknown Message Types . . . 267
    Example: Allowing Unknown MGCP ALG Message Types (J-Web) . . . 267
    Example: Allowing Unknown MGCP ALG Message Types (CLI) . . . 268
  Example: Configuring Media Gateways in Subscriber Homes Using MGCP ALGs (J-Web Point and Click CLI) . . . 268
  Example: Configuring Media Gateways in Subscriber Homes Using MGCP ALGs (CLI) . . . 274
  Example: Configuring Three-Zone ISP-Hosted Service Using MGCP ALGs and NAT (CLI) . . . 276
  Verifying MGCP ALG Configurations . . . 279
    Verifying MGCP ALGs . . . 280
    Verifying MGCP ALG Calls . . . 280
    Verifying MGCP ALG Endpoints . . . 281
    Verifying MGCP ALG Counters . . . 281

Chapter 13  RPC ALGs . . . 283
  Understanding RPC ALGs . . . 283
  Sun RPC ALGs . . . 284
    Understanding Sun RPC ALGs . . . 284
    Enabling Sun RPC ALGs (J-Web Procedure) . . . 285
    Enabling Sun RPC ALGs (CLI Procedure) . . . 285
    Sun RPC Services and Applications . . . 285
      Understanding Sun RPC Services . . . 286
      Customizing Sun RPC Applications (CLI Procedure) . . . 286
  Microsoft RPC ALGs . . . 287
    Understanding Microsoft RPC ALGs . . . 287
    Enabling Microsoft RPC ALGs (J-Web Procedure) . . . 288
    Enabling Microsoft RPC ALGs (CLI Procedure) . . . 288
    Microsoft RPC Services and Applications . . . 289
      Understanding Microsoft RPC Services . . . 289
      Customizing Microsoft RPC Applications (CLI Procedure) . . . 289
    Verifying the Microsoft RPC ALG Tables . . . 290
Part 5  User Authentication

Chapter 14  Firewall User Authentication . . . 293
  Firewall User Authentication Overview . . . 293
  Pass-Through Authentication . . . 294
    Understanding Pass-Through Authentication . . . 294
    Example: Configuring Pass-Through Authentication (J-Web Point and Click CLI) . . . 295
    Example: Configuring Pass-Through Authentication (CLI) . . . 298
  Web Authentication . . . 300
    Understanding Web Authentication . . . 300
    Example: Configuring Web Authentication (J-Web Point and Click CLI) . . . 302
    Example: Configuring Web Authentication (CLI) . . . 306
  External Authentication . . . 308
    Understanding External Authentication Servers . . . 308
      Understanding SecurID User Authentication . . . 309
    Example: Configuring RADIUS and LDAP User Authentication (J-Web Point and Click CLI) . . . 310
    Example: Configuring RADIUS and LDAP User Authentication (CLI) . . . 313
    Example: Configuring SecurID User Authentication (CLI) . . . 314
    Example: Deleting the SecurID Node Secret File (CLI) . . . 315
  Client Groups for Firewall Authentication . . . 316
    Understanding Client Groups for Firewall Authentication . . . 316
    Example: Configuring Local Users for Client Groups (J-Web Point and Click CLI) . . . 316
    Example: Configuring Local Users for Client Groups (CLI) . . . 317
    Example: Configuring a Default Client Group for All Users (J-Web Point and Click CLI) . . . 318
    Example: Configuring a Default Client Group for All Users (CLI) . . . 318
  Firewall Authentication Banner Customization . . . 319
    Understanding Firewall Authentication Banner Customization . . . 319
    Example: Customizing a Firewall Authentication Banner (J-Web Point and Click CLI) . . . 319
    Example: Customizing a Firewall Authentication Banner (CLI) . . . 320
  Verifying Firewall User Authentication . . . 321
  Monitoring Users and IP Addresses in the Authentication Table . . . 322

Chapter 15  Infranet Authentication . . . 325
  UAC and JUNOS . . . 325
    Understanding UAC in a JUNOS Environment . . . 325
    Enabling UAC in a JUNOS Environment (CLI Procedure) . . . 327
  JUNOS Enforcer and Infranet Controller Communications . . . 328
    Understanding Communications Between the JUNOS Enforcer and the Infranet Controller . . . 328
    Configuring Communications Between the JUNOS Enforcer and the Infranet Controller (CLI Procedure) . . . 328
  JUNOS Enforcer Policy Enforcement . . . 330
    Understanding JUNOS Enforcer Policy Enforcement . . . 330
    Testing JUNOS Enforcer Policy Access Decisions Using Test-Only Mode (CLI Procedure) . . . 331
    Verifying JUNOS Enforcer Policy Enforcement . . . 332
      Displaying Infranet Controller Authentication Table Entries from the JUNOS Enforcer . . . 332
      Displaying Infranet Controller Resource Access Policies from the JUNOS Enforcer . . . 332
  JUNOS Enforcer and IPsec . . . 332
    Understanding JUNOS Enforcer Implementations Using IPsec . . . 333
    Example: Configuring the Device as a JUNOS Enforcer Using IPsec (CLI) . . . 334
  JUNOS Enforcer and Infranet Agent Endpoint Security . . . 340
    Understanding Endpoint Security Using the Infranet Agent with the JUNOS Enforcer . . . 341
    Configuring Endpoint Security Using the Infranet Agent with the JUNOS Enforcer . . . 341
  JUNOS Enforcer and Infranet Controller Cluster Failover . . . 341
    Understanding Communications Between JUNOS Enforcer and a Cluster of Infranet Controllers . . . 342
    Configuring JUNOS Enforcer Failover Options (CLI Procedure) . . . 342

Part 6  Virtual Private Networks

Chapter 16  Internet Protocol Security . . . 347
  VPN Overview . . . 347
    Security Associations . . . 348
    IPsec Key Management . . . 349
      Manual Key . . . 349
      AutoKey IKE . . . 349
      Diffie-Hellman Exchange . . . 350
    IPsec Security Protocols . . . 350
      AH Protocol . . . 351
      ESP Protocol . . . 351
    IPsec Tunnel Negotiation . . . 352
    Distributed VPNs in SRX Series Services Gateways . . . 352
  Understanding IKE and IPsec Packet Processing . . . 353
    Packet Processing in Tunnel Mode . . . 353
    IKE Packet Processing . . . 355
    IPsec Packet Processing . . . 358
  IPsec VPN Configuration Overview . . . 360
  Phase 1 Proposals for IPsec VPNs . . . 361
    Understanding Phase 1 of IKE Tunnel Negotiation . . . 361
      Main Mode . . . 362
      Aggressive Mode . . . 363
    Example: Configuring an IKE Phase 1 Proposal (J-Web Point and Click CLI) . . . 363
    Example: Configuring an IKE Phase 1 Proposal (CLI) . . . 364
    Example: Configuring an IKE Policy (J-Web Point and Click CLI) . . . 365
    Example: Configuring an IKE Policy (CLI) . . . 366
    Example: Configuring an IKE Gateway (J-Web Point and Click CLI) . . . 367
    Example: Configuring an IKE Gateway (CLI) . . . 368
  Phase 2 Proposals for IPsec VPNs . . . 368
    Understanding Phase 2 of IKE Tunnel Negotiation . . . 368
      Proxy IDs . . . 369
      Perfect Forward Secrecy . . . 369
      Replay Protection . . . 370
    Example: Configuring an IPsec Phase 2 Proposal (J-Web Point and Click CLI) . . . 370
    Example: Configuring an IPsec Phase 2 Proposal (CLI) . . . 371
    Example: Configuring an IPsec Policy (J-Web Point and Click CLI) . . . 371
    Example: Configuring an IPsec Policy (CLI) . . . 372
    Example: Configuring AutoKey IKE (J-Web Point and Click CLI) . . . 373
    Example: Configuring AutoKey IKE (CLI) . . . 373
  Global SPI and VPN Monitoring Features . . . 374
    Understanding Global SPI and VPN Monitoring Features . . . 374
    Example: Configuring Global SPI and VPN Monitoring Features (J-Web Point and Click CLI) . . . 375
    Example: Configuring Global SPI and VPN Monitoring Features (CLI) . . . 376
  Hub-and-Spoke VPNs . . . 376
    Understanding Hub-and-Spoke VPNs . . . 376
    Hub-and-Spoke VPN Configuration Overview . . . 377
    Example: Configuring the Hub in a Hub-and-Spoke VPN (CLI) . . . 378
    Example: Configuring Spoke 1 in a Hub-and-Spoke VPN (CLI) . . . 381
    Example: Configuring Spoke 2 in a Hub-and-Spoke VPN (CLI) . . . 382

Chapter 17  Public Key Cryptography for Certificates . . . 385
  Understanding Public Key Infrastructure . . . 385
    PKI Hierarchy for a Single CA Domain or Across Domains . . . 385
    PKI Management and Implementation . . . 387
  Certificates and Certificate Authority . . . 388
    Understanding Certificates . . . 388
      Certificate Signatures . . . 388
      Certificate Verification . . . 389
      Internet Key Exchange . . . 389
    Digital Certificates Configuration Overview . . . 390
      Enabling Digital Certificates Online: Configuration Overview . . . 390
      Manually Generating Digital Certificates: Configuration Overview . . . 391
      Verifying the Validity of a Certificate: Configuration Overview . . . 391
      Deleting a Certificate: Configuration Overview . . . 391
    Public-Private Key Pairs . . . 392
      Understanding Public Key Cryptography . . . 392
      Example: Generating a Public-Private Key Pair (CLI) . . . 392
    Certificate Authority Profiles . . . 393
      Understanding Certificate Authority Profiles . . . 393
      Example: Configuring a Certificate Authority Profile (CLI) . . . 393
    Certificate Enrollment . . . 394
        Understanding Online CA Certificate Enrollment . . . 394
        Enrolling a CA Certificate Online (CLI Procedure) . . . 394
        Example: Enrolling a Local Certificate Online (CLI) . . . 395
        Example: Generating a Local Certificate Request Manually (CLI) . . . 396
        Example: Loading CA and Local Certificates Manually (CLI) . . . 398
        Example: Reenrolling Local Certificates Automatically (CLI) . . . 399
        Deleting Certificates (CLI Procedure) . . . 400
    Self-Signed Certificates . . . 401
        Understanding Self-Signed Certificates . . . 401
            Generating Self-Signed Certificates . . . 401
            Automatically Generating Self-Signed Certificates . . . 402
            Manually Generating Self-Signed Certificates . . . 402
        Using Automatically Generated Self-Signed Certificates (J-Web Point and Click CLI Procedure) . . . 402
        Using Automatically Generated Self-Signed Certificates (CLI Procedure) . . . 403
        Manually Generating Self-Signed Certificates (J-Web Point and Click CLI Procedure) . . . 404
        Example: Manually Generating Self-Signed Certificates (CLI) . . . 404
    Certificate Revocation Lists . . . 405
        Understanding Certificate Revocation Lists . . . 405
        Example: Manually Loading a CRL onto the Device (CLI) . . . 406
        Example: Verifying Certificate Validity (CLI) . . . 406
        Example: Checking Certificate Validity Using CRLs (J-Web Point and Click CLI) . . . 407
        Example: Checking Certificate Validity Using CRLs (CLI) . . . 408
        Deleting a Loaded CRL (CLI Procedure) . . . 409
Chapter 18 Dynamic VPNs . . . 411
    Dynamic VPN Overview . . . 411
    Dynamic VPN Configuration Overview . . . 412
    Dynamic VPN Client Configurations . . . 414
        Understanding Dynamic VPN Client Configurations . . . 414
        Example: Creating a Dynamic VPN Client Configuration (J-Web Point and Click CLI) . . . 414
        Example: Creating a Dynamic VPN Client Configuration (CLI) . . . 415
    Dynamic VPN Global Client Download Settings . . . 416
        Understanding Dynamic VPN Global Client Download Settings . . . 416
        Example: Configuring Dynamic VPN Global Client Download Settings (J-Web Point and Click CLI) . . . 416
        Example: Configuring Dynamic VPN Global Client Download Settings (CLI) . . . 417
    Dynamic VPN and Access Manager User Experience . . . 417
        Understanding the Dynamic VPN and Access Manager User Experience . . . 417
        Connecting to the Remote Access Server for the First Time (Pre-IKE Phase) . . . 418
        Connecting to the Remote Access Server for Subsequent Sessions (Pre-IKE Phase) . . . 419
        Establishing an IPsec VPN Tunnel (IKE Phase) . . . 420
    Access Manager Client-Side Reference . . . 421
        Access Manager Client-Side System Requirements . . . 421
        Access Manager Client-Side Files . . . 421
        Access Manager Client-Side Registry Changes . . . 424
        Access Manager Client-Side Error Messages . . . 425
        Troubleshooting Access Manager Client-Side Problems . . . 428
Chapter 19 NetScreen-Remote VPN Client . . . 429
    NetScreen-Remote VPN Client Overview . . . 429
    System Requirements for the NetScreen-Remote Client Installation . . . 430
    Installing the NetScreen-Remote Client on a PC or Laptop . . . 431
        Starting the NetScreen-Remote Client Installation on Your PC or Laptop . . . 431
            Installing the NetScreen-Remote Client from a CD-ROM . . . 431
            Installing the NetScreen-Remote Client from a Network Share Drive . . . 431
            Installing the NetScreen-Remote Client from a Website . . . 432
        Completing the NetScreen-Remote Client Installation on Your PC or Laptop . . . 432
    Configuring a Firewall for Use by the NetScreen-Remote Client . . . 435
        Configuring a Security Zone for the NetScreen-Remote Client . . . 435
        Configuring a Tunnel Interface for the NetScreen-Remote Client . . . 436
        Configuring an Access Profile for XAuth for the NetScreen-Remote Client . . . 436
        Configuring an IKE Gateway for the NetScreen-Remote Client . . . 437
        Configuring a Policy for the NetScreen-Remote Client . . . 437
    Configuring the NetScreen-Remote Client for Your PC or Laptop . . . 438
        Creating a Connection on the NetScreen-Remote Client . . . 438
        Creating a Preshared Key on the NetScreen-Remote Client . . . 441
        Defining IPsec Protocols on the NetScreen-Remote Client . . . 443
    Encryption and Hash Algorithm Terms . . . 446
    Logging In to the NetScreen-Remote Client . . . 446
Part 7 Intrusion Detection and Prevention
Chapter 20 IDP Policies . . . 451
    IDP Policies Overview . . . 451
        IDP Policy Terms . . . 451
        Working with IDP Policies . . . 452
    Example: Enabling IDP in a Security Policy (J-Web Point and Click CLI) . . . 453
    Example: Enabling IDP in a Security Policy (CLI) . . . 456
    IDP Rules and Rulebases . . . 458
        Understanding IDP Policy Rules . . . 458
            Understanding IDP Rule Match Conditions . . . 458
            Understanding IDP Rule Objects . . . 459
            Understanding IDP Rule Actions . . . 461
            Understanding IDP Rule IP Actions . . . 462
            Understanding IDP Rule Notifications . . . 463
        IDP Rulebases . . . 464
            Understanding IDP Policy Rulebases . . . 464
            Example: Inserting a Rule in the IDP Rulebase (CLI) . . . 465
            Example: Deactivating and Reactivating Rules in an IDP Rulebase (CLI) . . . 465
        Understanding IDP Application-Level DDoS Rulebases . . . 466
        IDP IPS Rulebase . . . 467
            Understanding IDP IPS Rulebases . . . 467
            Example: Defining Rules for an IDP IPS Rulebase (J-Web Point and Click CLI) . . . 468
            Example: Defining Rules for an IDP IPS Rulebase (CLI) . . . 471
        IDP Exempt Rulebase . . . 473
            Understanding IDP Exempt Rulebases . . . 473
            Example: Defining Rules for an IDP Exempt Rulebase (J-Web Point and Click CLI) . . . 474
            Example: Defining Rules for an IDP Exempt Rulebase (CLI) . . . 476
        IDP Terminal Rules . . . 477
            Understanding IDP Terminal Rules . . . 477
            Example: Setting Terminal Rules in Rulebases (J-Web Point and Click CLI) . . . 478
            Example: Setting Terminal Rules in Rulebases (CLI) . . . 479
        IDP DSCP Rules . . . 480
            Understanding DSCP Rules in IDP Policies . . . 481
            Example: Configuring DSCP Rules in an IDP Policy (CLI) . . . 481
    IDP Applications and Application Sets . . . 483
        Understanding IDP Application Sets . . . 483
        Example: Configuring IDP Applications and Services (CLI) . . . 483
        Example: Configuring IDP Application Sets (CLI) . . . 484
    IDP Attacks and Attack Objects . . . 485
        Understanding Custom Attack Objects . . . 485
            Attack Name . . . 486
            Severity . . . 486
            Service and Application Bindings . . . 486
            Protocol and Port Bindings . . . 490
            Time Bindings . . . 492
            Attack Properties (Signature Attacks) . . . 493
            Attack Properties (Protocol Anomaly Attacks) . . . 498
            Attack Properties (Compound or Chain Attacks) . . . 499
        IDP Protocol Decoders . . . 502
            Understanding IDP Protocol Decoders . . . 502
            Example: Configuring IDP Protocol Decoders (CLI) . . . 503
            Understanding Multiple IDP Detector Support . . . 503
        IDP Signature-Based Attacks . . . 504
            Understanding IDP Signature-Based Attacks . . . 504
            Example: Configuring IDP Signature-Based Attacks (CLI) . . . 505
        IDP Protocol Anomaly-Based Attacks . . . 507
            Understanding IDP Protocol Anomaly-Based Attacks . . . 507
            Example: Configuring IDP Protocol Anomaly-Based Attacks (CLI) . . . 507
        Example: Specifying IDP Test Conditions for a Specific Protocol (CLI) . . . 509
Chapter 21 Application-Level Distributed Denial of Service . . . 511
    IDP Application-Level DDoS Attack Overview . . . 511
    IDP Application-Level DDoS Protection Overview . . . 511
        Understanding the Application-Level DDoS Module . . . 512
        Understanding the Application-Level DDoS Definition . . . 513
        Understanding the Application-Level DDoS Rule . . . 514
        Understanding Application-Level DDoS IP-Action . . . 515
        Understanding Application-Level DDoS Session Action . . . 515
    Example: Enabling IDP Protection Against Application-Level DDoS Attacks (CLI) . . . 516
Chapter 22 IDP Signature Database . . . 519
    Understanding the IDP Signature Database . . . 519
    Predefined IDP Policy Templates . . . 520
        Understanding Predefined IDP Policy Templates . . . 520
        Downloading and Using Predefined IDP Policy Templates (CLI Procedure) . . . 522
    IDP Signature Databases . . . 523
        Understanding Predefined IDP Attack Objects and Object Groups . . . 523
            Predefined Attack Objects . . . 524
            Predefined Attack Object Groups . . . 524
        Understanding the IDP Signature Database Version . . . 525
        Updating the IDP Signature Database Overview . . . 525
        Updating the IDP Signature Database Manually Overview . . . 526
        Example: Updating the IDP Signature Database Manually (CLI) . . . 527
        Example: Updating the Signature Database Automatically (CLI) . . . 528
    Verifying the Signature Database . . . 529
        Verifying the IDP Policy Compilation and Load Status . . . 529
        Verifying the IDP Signature Database Version . . . 531
Chapter 23 IDP Application Identification . . . 533
    Understanding IDP Application Identification . . . 533
    Understanding IDP Service and Application Bindings by Attack Objects . . . 534
    Example: Configuring IDP Policies for Application Identification (CLI) . . . 535
    Disabling Application Identification for an IDP Policy (CLI Procedure) . . . 536
    IDP Application Identification for Nested Applications . . . 537
        Understanding IDP Application Identification for Nested Applications . . . 537
        Activating IDP Application Identification for Nested Applications (CLI Procedure) . . . 538
        Example: Adding IDP Application Information to Attack Logging for Nested Applications (CLI) . . . 538
    IDP Application System Cache . . . 538
        Understanding the IDP Application System Cache . . . 539
        Understanding IDP Application System Cache Information for Nested Application Identification . . . 539
        Deactivating IDP Application System Cache Information for Nested Application Identification (CLI Procedure) . . . 540
        Verifying IDP Application System Cache Statistics . . . 540
    IDP Memory and Session Limits . . . 541
        Understanding Memory and Session Limit Settings for IDP Application Identification . . . 542
        Example: Setting Memory and Session Limits for IDP Application Identification (CLI) . . . 543
    Verifying IDP Counters for Application Identification Processes . . . 543
Chapter 24 IDP SSL Inspection . . . 547
    IDP SSL Overview . . . 547
    Supported IDP SSL Ciphers . . . 548
    Understanding IDP Internet Key Exchange . . . 549
    Understanding IDP SSL Server Key Management and Policy Configuration . . . 550
    Displaying IDP SSL Keys and Associated Servers . . . 550
    Adding IDP SSL Keys and Associated Servers . . . 551
    Deleting IDP SSL Keys and Associated Servers . . . 551
    Configuring an IDP SSL Inspection (CLI Procedure) . . . 552
Chapter 25 IDP Performance and Capacity Tuning . . . 553
    Performance and Capacity Tuning for IDP Overview . . . 553
    Configuring Session Capacity for IDP (CLI Procedure) . . . 554
Chapter 26 IDP Logging . . . 557
    Understanding IDP Logging . . . 557
    IDP Log Suppression Attributes . . . 558
        Understanding IDP Log Suppression Attributes . . . 558
        Example: Configuring IDP Log Suppression Attributes (CLI) . . . 559
    Understanding IDP Log Information Usage on the Infranet Controller . . . 559
        Message Filtering to the Infranet Controller . . . 560
        Configuring Infranet Controller Logging . . . 560
    Understanding Application-Level DDoS Logging . . . 560
    Enabling Attack and IP-Action Logging (CLI Procedure) . . . 562
Part 8 Unified Threat Management
Chapter 27 Unified Threat Management Overview . . . 565
    Unified Threat Management Overview . . . 565
    Understanding UTM Custom Objects . . . 566
    UTM Licensing . . . 566
        Understanding UTM Licensing . . . 567
        Updating UTM Licenses (CLI Procedure) . . . 567
    WELF Logging for UTM Features . . . 567
        Understanding WELF Logging for UTM Features . . . 568
        Example: Configuring WELF Logging for UTM Features (CLI) . . . 568
Chapter 28 Antispam Filtering . . . 571
    Antispam Filtering Overview . . . 571
    Server-Based Spam Filtering . . . 571
        Understanding Server-Based Spam Filtering . . . 572
        Server-Based Spam Filtering Configuration Overview . . . 573
        Configuring Server-Based Spam Filtering (J-Web Procedure) . . . 573
        Example: Configuring Server-Based Spam Filtering (CLI) . . . 575
    Local List Spam Filtering . . . 576
        Understanding Local List Spam Filtering . . . 576
        Local List Spam Filtering Configuration Overview . . . 577
        Configuring Local List Spam Filtering (J-Web Procedure) . . . 578
        Example: Configuring Local List Spam Filtering (CLI) . . . 581
    Understanding Spam Message Handling . . . 583
        Blocking Detected Spam . . . 583
        Tagging Detected Spam . . . 583
    Monitoring Antispam Configurations . . . 583
Chapter 29 Full Antivirus Protection . . . 585
    Full Antivirus Protection Overview . . . 585
    Full Antivirus Scanner Pattern Database . . . 586
        Understanding Full Antivirus Pattern Updates . . . 586
        Full Antivirus Pattern Update Configuration Overview . . . 587
        Example: Specifying the Full Antivirus Pattern Update Server (CLI) . . . 587
        Example: Automatically Updating Full Antivirus Patterns (J-Web) . . . 588
        Example: Automatically Updating Full Antivirus Patterns (CLI) . . . 588
        Manually Updating, Reloading, and Deleting Full Antivirus Patterns (