Concepts&Examples ScreenOSReferenceGuide · Self-HelpOnlineToolsandResources...

Concepts & ExamplesScreenOS Reference Guide

Overview

Release

6.3.0, Rev. 02

Published: 2012-12-10

Revision 02

Copyright © 2012, Juniper Networks, Inc.

Juniper Networks, Inc.1194 North Mathilda AvenueSunnyvale, California 94089USA408-745-2000www.juniper.net

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the UnitedStates and other countries. JunosE is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, orregistered service marks are the property of their respective owners.Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,transfer, or otherwise revise this publication without notice.Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that areowned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312,6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.Copyright © 2009, Juniper Networks, Inc.All rights reserved.

Revision HistoryDecember 2012—Revision 02

Content subject to change. The information in this document is current as of the date listed in the revision history.

SOFTWARE LICENSE

The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchaseorder or, to the extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks.By using this software, you indicate that you understand and agree to be bound by those terms and conditions.

Generally speaking, the software license restricts the manner in which you are permitted to use the software andmay contain prohibitionsagainst certain uses. The software license may state conditions under which the license is automatically terminated. You should consultthe license for further details.

For complete product documentation, please see the Juniper NetworksWebsite atwww.juniper.net/techpubs.

ENDUSER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networkssoftware. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at

http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditionsof that EULA.

Copyright © 2012, Juniper Networks, Inc.ii

www.juniper.net/techpubs

http://www.juniper.net/support/eula.html

Abbreviated Table of Contents

Part 1 Overview

Chapter 1 About the Concepts & Examples ScreenOS Reference Guide . . . . . . . . . . . . 3

iiiCopyright © 2012, Juniper Networks, Inc.

Copyright © 2012, Juniper Networks, Inc.iv

Overview

Table of Contents

Part 1 Overview


Part Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Web User Interface Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Command Line Interface Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Naming Conventions and Character Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Illustration Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Document Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

vCopyright © 2012, Juniper Networks, Inc.

Copyright © 2012, Juniper Networks, Inc.vi

Overview

List of Figures

Part 1 Overview


Figure 1: Key Features in ScreenOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Figure 2: Images in Illustrations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

viiCopyright © 2012, Juniper Networks, Inc.

Copyright © 2012, Juniper Networks, Inc.viii

Overview

PART 1

Overview

• About the Concepts & Examples ScreenOS Reference Guide on page 3

1Copyright © 2012, Juniper Networks, Inc.

Copyright © 2012, Juniper Networks, Inc.2

Overview

CHAPTER 1

About the Concepts & ExamplesScreenOS Reference Guide

Juniper Networks security devices integrate the following firewall, virtual private network

(VPN), and traffic-shaping features toprovide flexible protection for security zoneswhen

connecting to the Internet:

• Firewall: A firewall screens traffic crossing the boundary between a private LAN andthe public network, such as the Internet.

• Layered Security: The layered security solution is deployed at different locations torepel attacks. If one layer fails, the next one catches the attack. Some functions help

protect remote locations with site-to-site VPNs. Devices deployed at the perimeter

repel network-basedattacks. Another layer, using IntrusionDetectionPrevention (IDP)

and Deep Inspection, automatically detects and prevents attacks from inflicting

damages.

Network segmentation, the final security layer (also known as virtualization), divides

the network up into secure domains to protect critical resources from unauthorized

roaming users and network attacks.

• ContentSecurity:Protectsusers frommaliciousURLsandprovidesembeddedantivirus

scanning andWeb filtering. In addition, works with third-party products to provide

external antivirus scanning, antispam, andWeb filtering.

• VPN:AVPNprovides a secure communications channel between two ormore remotenetwork appliances.

• Integrated Networking Functions: Dynamic routing protocols learn reachability andadvertise dynamically changing network topologies. In addition, traffic-shaping

functionality allows administrativemonitoring and control of traffic passing across the

Juniper Networks firewall to maintain a network’s quality-of-service (QoS) level.

• CentralizedManagement: The Network and Security Manager (NSM) tool simplifiesconfiguration, deployment, andmanagement of security devices.

• Redundancy: High availability of interfaces, routing paths, security devices, and—onhigh-end Juniper Networks devices—power supplies and fans, to avoid a single point

of failure in any of these areas.


NOTE: For information about Juniper Networks compliance with FederalInformation Processing Standards (FIPS) and for instructions on settinga FIPS-compliant security device in FIPSmode, see the platform-specificCryptographic Module Security Policy document on the documentationCD.

Figure 1: Key Features in ScreenOS

TheScreenOSsystemprovidesall the featuresneeded tosetupandmanageanysecurity

appliance or system. This document is a reference guide for configuring andmanaging

a Juniper Networks security device through ScreenOS.

• Part Organization on page 4

• Document Conventions on page 10

• Requesting Technical Support on page 12

• Document Feedback on page 13

Part Organization

TheConcepts&ExamplesScreenOSReferenceGuide is amulti-partmanual. The following

information outlines and summarizes the material in each part:


Overview

Part 1: Overview

• Providesahigh level descriptionof thecontents forConceptsandExamplesCombined

Reference Guide .

Part 2: Fundamentals

• ScreenOS Architecture presents the fundamental elements of the architecture in

ScreenOS and concludes with a four-part example illustrating an enterprise-based

configuration incorporatingmostof thoseelements. In thisandall subsequentchapters,

each concept is accompanied by illustrative examples.

• Zones explains security zones, tunnel zones, and function zones.

• Interfaces describes the various physical, logical, and virtual interfaces on security

devices.

• InterfaceModesexplains theconceptsbehind transparent,NetworkAddressTranslation

(NAT), and route interface operational modes.

• BuildingBlocks forPoliciesdiscusses theelementsused for creatingpolicies andvirtual

privatenetworks (VPNs): addresses (includingVIPaddresses), services, andDIPpools.

It also presents several example configurations that support the H.323 protocol.

• Policies explores the components and functions of policies and offers guidance on

their creation and application.

• Traffic Shaping explains how you can prioritize services andmanage bandwidth at the

interface and policy levels.

• System Parameters presents the concepts behind Domain Name System (DNS)

addressing, using Dynamic Host Configuration Protocol (DHCP) to assign or relay

TCP/IP settings, downloading and uploading system configurations and software, and

setting the system clock.

Part 3: Administration

• Administration explains the different means available for managing a security device

both locally and remotely. This chapter also explains the privileges pertaining to each

of the four levels of network administrators that can be defined.

• MonitoringSecurityDevicesexplainsvariousmonitoringmethodsandprovidesguidance

in interpreting monitoring output.


Chapter 1: About the Concepts & Examples ScreenOS Reference Guide

Part 4: Attack Detection and Defense Mechanisms

• Protecting a Network outlines the basic stages of an attack and the firewall options

available to combat the attacker at each stage.

• Reconnaissance Deterrence describes the options available for blocking IP address

sweeps, port scans, and attempts to discover the type of operating system (OS) of a

targeted system.

• Denial of Service Attack Defenses explains firewall, network, and OS-specific DoS

attacks and how ScreenOSmitigates such attacks.

• ContentMonitoringandFilteringdescribeshowtoprotect users frommaliciousuniform

resource locators (URLs) and how to configure the security device to work with third

party products to provide antivirus scanning, antispam, andWeb filtering.

• Deep Inspection describes how to configure the Juniper Networks security device to

obtain Deep Inspection (DI) attack object updates, how to create user-defined attack

objects and attack object groups, and how to apply DI at the policy level.

• IntrusionDetectionandPreventiondescribes JuniperNetworks IntrusionDetectionand

Prevention (IDP) technology, which can both detect and stop attacks when deployed

inline to your network. The chapter describes how to apply IDP at the policy level to

dropmalicious packets or connections before the attacks can enter your network.

• Suspicious Packet Attributes presents several SCREEN options that protect network

resources from potential attacks indicated by unusual IP and ICMP packet attributes.

• Contexts for User Defined Signatures, provides descriptions of contexts that you can

specify when defining a stateful signature attack object.

Part 5: Virtual Private Networks

• Internet Protocol Security provides background information about IPsec, presents a

flow sequence for Phase 1 in IKE negotiations in aggressive andmain modes, and

concludes with information about IKE and IPsec packet encapsulation.

• PublicKeyCryptographyprovidesan introduction topublic key cryptography, certificate

use, and certificate revocation list (CRL) use within the context of Public Key

Infrastructure (PKI).

• VirtualPrivateNetworkGuidelinesoffers someuseful information tohelp in theselection

of the available VPN options. It also presents a packet flow chart to demystify VPN

packet processing.

• Site-to-SiteVirtualPrivateNetworksprovidesextensiveexamplesofVPNconfigurations

connecting two private networks.

• Dialup Virtual Private Networks provides extensive examples of client-to-LAN

communication using AutoKey IKE. It also details group IKE ID and shared IKE ID

configurations.

• Layer 2 Tunneling Protocol explains Layer 2 Tunneling Protocol (L2TP) and provides

configuration examples for L2TP and L2TP-over-IPsec.


Overview

• Advanced Virtual Private Network Features contains information and examples for

the more advanced VPN configurations, such as NAT-Traversal, VPNmonitoring,

binding multiple tunnels to a single tunnel interface, and hub-and-spoke and

back-to-back tunnel designs.

• AutoConnect-Virtual Private Networks describes how ScreenOS uses Next Hop

ResolutionProtocol (NHRP)messages toenablesecuritydevices tosetupAutoConnect

VPNs as needed. The chapter provides an example of a typical scenario in which

AC-VPNmight be used.

Part 6: Voice-over-Internet Protocol

• H.323Application Layer Gateway describes theH.323 protocol and provides examples

of typical scenarios.

• Session Initiation Protocol Application Layer Gateway describes the Session Initiation

Protocol (SIP) and shows how the SIP ALG processes calls in route and Network

Address Translation (NAT)modes. Examples of typical scenarios follow a summary

of the SIP architecture.

• Media Gateway Control Protocol Application Layer Gateway presents an overview of

theMediaGatewayControlProtocol (MGCP)ALGand lists the firewall security features

of the implementation. Examples of typical scenarios follow a summary of the MGCP

architecture.

• Skinny Client Control Protocol Application Layer Gateway presents an overview of the

Skinny Client Control Protocol (SCCP) ALG and lists the firewall security features of

the implementation. Examples of typical scenarios follow a summary of the SCCP

architecture.

• Apple iChat Application Layer Gateway presents an overview of the AppleiChat ALG

and lists the firewall security features of the implementation. Examples of typical

scenarios follow a summary of the AppleiChat architecture.

Part 7: Routing

• Static Routing describes the ScreenOS routing table, the basic routing process on the

security device, and how to configure static routes on security devices.

• Routing explains how to configure virtual routers on security devices and how to

redistribute routing table entries between protocols or between virtual routers.

• Open Shortest Path First describes how to configure the OSPF

• Routing Information Protocol describes how to configure the RIP dynamic routing

protocol on security devices.

• Border Gateway Protocol describes how to configure the BGP

• Policy Based Routing describes policy based routing (PBR). PBR provides a flexible

routing mechanism for data forwarding over networks that rely on Application Layer

support such as for antivirus (AV), deep inspection (DI), or Web filtering.

• Multicast Routing introduces basic multicast routing concepts.



• Internet Group Management Protocol describes how to configure the Internet Group

Management Protocol (IGMP) on security devices.

• Protocol Independent Multicast explains how to configure Protocol Independent

Multicast - Sparse Mode (PIM-SM) and Protocol Independent Multicast - Source

Specific Multicast (PIM-SSM) on Juniper Networks security devices.

• ICMP Router Discovery Protocol explains how to set up an Internet Control Messages

Protocol (ICMP)message exchange between a host and a router.

Part 8: Address Translation

• Address Translation gives an overview of the various translation options, which are

covered in detail in subsequent chapters.

• Source Network Address Translation describes NAT-src, the translation of the source

IP address in a packet header, with and without Port Address Translation (PAT).

• Destination Network Address Translation describes NAT-dst, the translation of the

destination IP address in a packet header, with and without destination port address

mapping. This section also includes information about the packet flow when doing

NAT-src, routing considerations, and address shifting.

• Mapped and Virtual Addresses describes the mapping of one destination IP address

to another based on IP address alone (mapped IP) or based on destination IP address

and destination port number (virtual IP).

Part 9: User Authentication

• Authentication details the various authentication methods and uses that ScreenOS

supports.

• Authentication Servers presents the options of using one of four possible types of

external authentication server—RADIUS, SecurID, TACACS+, or LDAP—or the internal

database and shows how to configure the security device to work with each type.

• Infranet Authentication details how the security device is deployed in a unified access

control (UAC) solution. JuniperNetworks unified access control solution (UAC) secures

and assures the delivery of applications and services across an enterprise infranet.

• Authentication Users explains how to define profiles for authentication users and how

toadd themtousergroupsstoredeither locallyoronanexternalRADIUSauthentication

server.

• IKE,XAuth, andL2TPUsersexplainshowtodefine IKE,XAuth, andL2TPusers.Although

the XAuth section focuses primarily on using the security device as an XAuth server, it

also includes a subsection on configuring select security devices to act as an XAuth

client.

• Extensible Authentication for Wireless and Ethernet Interfaces explains the options

available for and examples of how to use the Extensible Authentication Protocol to

provide authentication for Ethernet and wireless interfaces.

Part 10: Virtual Systems


Overview

• Virtual Systems discusses virtual systems and profiles, objects, and administrative

tasks.

• Traffic Sorting explains how ScreenOS sorts traffic.

• VLAN-Based Traffic Classification describes VLAN-based traffic classification for

virtual systems, and VLAN retagging.

• IP-BasedTrafficClassificationexplains IP-based traffic classification for virtual systems.

Part 11: High Availability

• NetScreenRedundancyProtocol explainshowtocable, configure, andmanage Juniper

Networks security devices in a redundant group to provide high availability (HA) using

NetScreen Redundancy Protocol (NSRP).

• InterfaceRedundancyandFailoverdescribes thevariousways inwhich JuniperNetworks

security devices provide interface redundancy.

Part 12: WAN, DSL, Dial, andWireless

• Wide Area Networks describes how to configure a wide area network (WAN).

• Digital Subscriber Line describes the asymmetric digital subscriber line (ADSL) and

G.symmetrical digital subscriber line (G.SHDSL) interfaces.

• ISP Failover and Dial Recovery describes how to set priority and define conditions for

ISP failover and how to configure a dialup recovery solution.

• Wireless Local Area Network describes the wireless interfaces on Juniper Networks

wireless devices and provides example configurations.

• Wireless Information lists available channels, frequencies, and regulatory domainsand

lists the channels that are available on wireless devices for each country.

Part 13: General Packet Radio Service

• GPRS describes the GPRS Tunneling Protocol (GTP) features in ScreenOS and

demonstrateshowtoconfigureGTP functionalityona JuniperNetworks securitydevice.

Part 14: Dual-Stack Architecture with IPv6

• InternetProtocolVersion6 Introductionexplains IPv6headers, concepts, and tunneling

guidelines.

• IPv6 Configuration explains how to configure an interface for operation as an IPv6

router or host.

• ConnectionandNetworkServicesexplainshowtoconfigureDynamicHostConfiguration

protocol version 6 (DHCPv6), Domain Name Services (DNS), Point-to-Point Protocol

over Ethernet (PPPoE), and fragmentation.

• Static and Dynamic Routing explains how to set up static and dynamic routing. This

chapter explains ScreenOS support for Routing Information Protocol-Next Generation

(RIPng).



• Address Translation explains how to use Network Address Translation (NAT) with

dynamic IP (DIP) andmapped-IP (MIP) addresses to traverse IPv4/IPv6 boundaries.

• IPv6 in an IPv4 Environment explains manual and dynamic tunneling.

• IPSec Tunneling explains how to configure IPsec tunneling to connect dissimilar hosts.

• IPv6XAuthUser Authentication explains how to configureRemoteAuthenticationDial

In User Service (RADIUS) and IPsec Access Session (IAS) management.

• Switching lists options for using the security device as a switch to pass IPv6 traffic.

Document Conventions

This document uses the conventions described in the following sections:

• Web User Interface Conventions on page 10

• Command Line Interface Conventions on page 10

• Naming Conventions and Character Types on page 11

• Illustration Conventions on page 12

WebUser Interface Conventions

TheWebuser interface (WebUI) contains a navigational path and configuration settings.

To enter configuration settings, begin by clicking amenu item in the navigation tree on

the left side of the screen. As you proceed, your navigation path appears at the top of

the screen, with each page separated by angle brackets.

The following example shows theWebUI path and parameters for defining an address:

Policy > Policy Elements > Addresses > List > New: Enter the following, then clickOK:

Address Name: addr_1IP Address/Domain Name:IP/Netmask: (select), 10.2.2.5/32

Zone: Untrust

To open Online Help for configuration settings, click the question mark (?) in the upper

right of the screen.

The navigation tree also provides a Help > Config Guide configuration page to help you

configure security policies and Internet Protocol Security (IPsec). Select an option from

the list, and follow the instructions on the page. Click the ? character in the upper rightfor Online Help on the Config Guide.

Command Line Interface Conventions

The following conventions are used to present the syntax of command line interface

(CLI) commands in text and examples.

In text, commands are in boldface type and variables are in italic type.

In examples:


Overview

• Variables are in italic type.

• Anything inside square brackets [ ] is optional.

• Anything inside braces { } is required.

• If there is more than one choice, each choice is separated by a pipe ( | ). For example,

the following commandmeans “set the management options for the ethernet1, the

ethernet2, or the ethernet3 interface” :

NOTE: When entering a keyword, you only have to type enough letters toidentify the word uniquely. Typing set adm uwhee j12fmt54will enter thecommand set admin userwheezer j12fmt54. However, all the commandsdocumented in this guide are presented in their entirety.

Naming Conventions and Character Types

ScreenOS employs the following conventions regarding the names of objects—such as

addresses, admin users, auth servers, IKE gateways, virtual systems, VPN tunnels, and

zones—defined in ScreenOS configurations:

• If a name string includes one ormore spaces, the entire stringmust be enclosedwithin

double quotes; for example:

set address trust “local LAN” 10.1.1.0/24

• Any leading spaces or trailing text within a set of double quotes are trimmed; for

example, “ local LAN ” becomes “local LAN” .

• Multiple consecutive spaces are treated as a single space.

• Name strings are case-sensitive, althoughmany CLI keywords are case-insensitive.

For example, “local LAN” is different from “local lan” .

ScreenOS supports the following character types:

• Single-bytecharacter sets (SBCS)andmultiple-bytecharacter sets (MBCS). Examples

of SBCS are ASCII, European, and Hebrew. Examples of MBCS—also referred to as

double-byte character sets (DBCS)—are Chinese, Korean, and Japanese.

• ASCII characters from 32 (0x20 in hexadecimals) to 255 (0xff), except double quotes

( “ ), which have special significance as an indicator of the beginning or end of a name

string that includes spaces.

NOTE: A console connection only supports SBCS. TheWebUI supportsboth SBCS andMBCS, depending on the character sets that your browsersupports.



Illustration Conventions

Figure 2 on page 12 shows the basic set of images used in illustrations throughout this

guide.

Figure 2: Images in Illustrations

Requesting Technical Support

Technical product support is available through the JuniperNetworksTechnicalAssistance

Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,

or are covered under warranty, and need postsales technical support, you can access

our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies,

review the JTAC User Guide located at

http://www.juniper.net/customers/support/downloads/710059.pdf.

• Product warranties—For product warranty information, visit

http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,

7 days a week, 365 days a year.


Overview

http://www.juniper.net/customers/support/downloads/710059.pdf

http://www.juniper.net/support/warranty/

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online

self-service portal called the Customer Support Center (CSC) that provides youwith the

following features:

• Find CSC offerings—http://www.juniper.net/customers/support/

• Search for known bugs—Find product

documentation—http://www.juniper.net/techpubs/

• Find solutions andanswer questions using our KnowledgeBase— http://kb.juniper.net/

• Download the latest versions of software and review your release notes—

http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications—

http://www.juniper.net/alerts/

• Join and participate in the Juniper Networks Community Forum—

http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Manager—

http://www.juniper.net/customers/cm/

• To verify service entitlement by product serial number, use our Serial Number

Entitlement (SNE) Tool—

https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Casewith JTAC

You can open a case with JTAC on theWeb or by telephone.

• Use the Case Manager tool in the CSC at http://www.juniper.net/customers/cm/.

• Call 1-888-314-JTAC (1-888-314-5822—toll free in USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at

http://www.juniper.net/customers/support/requesting-support/.

Document Feedback

If you find any errors or omissions in this document, contact Juniper Networks at

[email protected].



http://www.juniper.net/customers/support/

http://www.juniper.net/techpubs/

http://kb.juniper.net/

http://www.juniper.net/customers/csc/software/

http://www.juniper.net/alerts/

http://www.juniper.net/company/communities/


https://tools.juniper.net/SerialNumberEntitlementSearch/


http://www.juniper.net/customers/support/requesting-support/

mailto:[email protected]


Overview

Concepts&Examples ScreenOSReferenceGuide · Self-HelpOnlineToolsandResources...

Documents

Transcript of Concepts&Examples ScreenOSReferenceGuide · Self-HelpOnlineToolsandResources...