Concepts & Examples ScreenOS Reference Guide
Overview
Release
6.3.0, Rev. 02
Published: 2012-12-10
Revision 02
Copyright © 2012, Juniper Networks, Inc.
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JunosE is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Copyright © 2009, Juniper Networks, Inc. All rights reserved.
Revision History
December 2012—Revision 02
Content subject to change. The information in this document is current as of the date listed in the revision history.
SOFTWARE LICENSE
The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you indicate that you understand and agree to be bound by those terms and conditions.
Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain uses. The software license may state conditions under which the license is automatically terminated. You should consult the license for further details.
For complete product documentation, please see the Juniper Networks Website at www.juniper.net/techpubs.
ENDUSER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Abbreviated Table of Contents
Part 1 Overview
Chapter 1 About the Concepts & Examples ScreenOS Reference Guide (page 3)
Table of Contents
Part 1 Overview
Chapter 1 About the Concepts & Examples ScreenOS Reference Guide (page 3)
Part Organization (page 4)
Document Conventions (page 10)
Web User Interface Conventions (page 10)
Command Line Interface Conventions (page 10)
Naming Conventions and Character Types (page 11)
Illustration Conventions (page 12)
Requesting Technical Support (page 12)
Self-Help Online Tools and Resources (page 13)
Opening a Case with JTAC (page 13)
Document Feedback (page 13)
List of Figures
Part 1 Overview
Chapter 1 About the Concepts & Examples ScreenOS Reference Guide (page 3)
Figure 1: Key Features in ScreenOS (page 4)
Figure 2: Images in Illustrations (page 12)
PART 1
Overview
• About the Concepts & Examples ScreenOS Reference Guide on page 3
CHAPTER 1
About the Concepts & Examples ScreenOS Reference Guide
Juniper Networks security devices integrate the following firewall, virtual private network (VPN), and traffic-shaping features to provide flexible protection for security zones when connecting to the Internet:
• Firewall: A firewall screens traffic crossing the boundary between a private LAN and the public network, such as the Internet.
• Layered Security: The layered security solution is deployed at different locations to repel attacks. If one layer fails, the next one catches the attack. Some functions help protect remote locations with site-to-site VPNs. Devices deployed at the perimeter repel network-based attacks. Another layer, using Intrusion Detection and Prevention (IDP) and Deep Inspection, automatically detects and prevents attacks from inflicting damage. Network segmentation, the final security layer (also known as virtualization), divides the network into secure domains to protect critical resources from unauthorized roaming users and network attacks.
• Content Security: Protects users from malicious URLs and provides embedded antivirus scanning and Web filtering. In addition, works with third-party products to provide external antivirus scanning, antispam, and Web filtering.
• VPN: A VPN provides a secure communications channel between two or more remote network appliances.
• Integrated Networking Functions: Dynamic routing protocols learn reachability and advertise dynamically changing network topologies. In addition, traffic-shaping functionality allows administrative monitoring and control of traffic passing across the Juniper Networks firewall to maintain a network’s quality-of-service (QoS) level.
• Centralized Management: The Network and Security Manager (NSM) tool simplifies configuration, deployment, and management of security devices.
• Redundancy: High availability of interfaces, routing paths, security devices, and—on high-end Juniper Networks devices—power supplies and fans, to avoid a single point of failure in any of these areas.
NOTE: For information about Juniper Networks compliance with Federal Information Processing Standards (FIPS) and for instructions on setting a FIPS-compliant security device in FIPS mode, see the platform-specific Cryptographic Module Security Policy document on the documentation CD.
Figure 1: Key Features in ScreenOS
The ScreenOS system provides all the features needed to set up and manage any security appliance or system. This document is a reference guide for configuring and managing a Juniper Networks security device through ScreenOS.
• Part Organization on page 4
• Document Conventions on page 10
• Requesting Technical Support on page 12
• Document Feedback on page 13
Part Organization
The Concepts & Examples ScreenOS Reference Guide is a multi-part manual. The following information outlines and summarizes the material in each part:
Part 1: Overview
• Provides a high-level description of the contents for the Concepts and Examples Combined Reference Guide.
Part 2: Fundamentals
• ScreenOS Architecture presents the fundamental elements of the architecture in ScreenOS and concludes with a four-part example illustrating an enterprise-based configuration incorporating most of those elements. In this and all subsequent chapters, each concept is accompanied by illustrative examples.
• Zones explains security zones, tunnel zones, and function zones.
• Interfaces describes the various physical, logical, and virtual interfaces on security
devices.
• Interface Modes explains the concepts behind transparent, Network Address Translation (NAT), and route interface operational modes.
• Building Blocks for Policies discusses the elements used for creating policies and virtual private networks (VPNs): addresses (including VIP addresses), services, and DIP pools.
It also presents several example configurations that support the H.323 protocol.
• Policies explores the components and functions of policies and offers guidance on
their creation and application.
• Traffic Shaping explains how you can prioritize services andmanage bandwidth at the
interface and policy levels.
• System Parameters presents the concepts behind Domain Name System (DNS)
addressing, using Dynamic Host Configuration Protocol (DHCP) to assign or relay
TCP/IP settings, downloading and uploading system configurations and software, and
setting the system clock.
Part 3: Administration
• Administration explains the different means available for managing a security device
both locally and remotely. This chapter also explains the privileges pertaining to each
of the four levels of network administrators that can be defined.
• Monitoring Security Devices explains various monitoring methods and provides guidance in interpreting monitoring output.
Part 4: Attack Detection and Defense Mechanisms
• Protecting a Network outlines the basic stages of an attack and the firewall options
available to combat the attacker at each stage.
• Reconnaissance Deterrence describes the options available for blocking IP address
sweeps, port scans, and attempts to discover the type of operating system (OS) of a
targeted system.
• Denial of Service Attack Defenses explains firewall, network, and OS-specific DoS
attacks and how ScreenOSmitigates such attacks.
• Content Monitoring and Filtering describes how to protect users from malicious uniform
resource locators (URLs) and how to configure the security device to work with third
party products to provide antivirus scanning, antispam, andWeb filtering.
• Deep Inspection describes how to configure the Juniper Networks security device to
obtain Deep Inspection (DI) attack object updates, how to create user-defined attack
objects and attack object groups, and how to apply DI at the policy level.
• Intrusion Detection and Prevention describes Juniper Networks Intrusion Detection and
Prevention (IDP) technology, which can both detect and stop attacks when deployed
inline to your network. The chapter describes how to apply IDP at the policy level to
dropmalicious packets or connections before the attacks can enter your network.
• Suspicious Packet Attributes presents several SCREEN options that protect network
resources from potential attacks indicated by unusual IP and ICMP packet attributes.
• Contexts for User Defined Signatures, provides descriptions of contexts that you can
specify when defining a stateful signature attack object.
Part 5: Virtual Private Networks
• Internet Protocol Security provides background information about IPsec, presents a
flow sequence for Phase 1 in IKE negotiations in aggressive andmain modes, and
concludes with information about IKE and IPsec packet encapsulation.
• Public Key Cryptography provides an introduction to public key cryptography, certificate use, and certificate revocation list (CRL) use within the context of Public Key Infrastructure (PKI).
• Virtual Private Network Guidelines offers some useful information to help in the selection of the available VPN options. It also presents a packet flow chart to demystify VPN packet processing.
• Site-to-Site Virtual Private Networks provides extensive examples of VPN configurations
connecting two private networks.
• Dialup Virtual Private Networks provides extensive examples of client-to-LAN
communication using AutoKey IKE. It also details group IKE ID and shared IKE ID
configurations.
• Layer 2 Tunneling Protocol explains Layer 2 Tunneling Protocol (L2TP) and provides
configuration examples for L2TP and L2TP-over-IPsec.
• Advanced Virtual Private Network Features contains information and examples for the more advanced VPN configurations, such as NAT-Traversal, VPN monitoring, binding multiple tunnels to a single tunnel interface, and hub-and-spoke and back-to-back tunnel designs.
• AutoConnect-Virtual Private Networks describes how ScreenOS uses Next Hop Resolution Protocol (NHRP) messages to enable security devices to set up AutoConnect VPNs as needed. The chapter provides an example of a typical scenario in which AC-VPN might be used.
Part 6: Voice-over-Internet Protocol
• H.323 Application Layer Gateway describes the H.323 protocol and provides examples
of typical scenarios.
• Session Initiation Protocol Application Layer Gateway describes the Session Initiation
Protocol (SIP) and shows how the SIP ALG processes calls in route and Network
Address Translation (NAT)modes. Examples of typical scenarios follow a summary
of the SIP architecture.
• Media Gateway Control Protocol Application Layer Gateway presents an overview of
the Media Gateway Control Protocol (MGCP) ALG and lists the firewall security features
of the implementation. Examples of typical scenarios follow a summary of the MGCP
architecture.
• Skinny Client Control Protocol Application Layer Gateway presents an overview of the
Skinny Client Control Protocol (SCCP) ALG and lists the firewall security features of
the implementation. Examples of typical scenarios follow a summary of the SCCP
architecture.
• Apple iChat Application Layer Gateway presents an overview of the Apple iChat ALG and lists the firewall security features of the implementation. Examples of typical scenarios follow a summary of the Apple iChat architecture.
Part 7: Routing
• Static Routing describes the ScreenOS routing table, the basic routing process on the
security device, and how to configure static routes on security devices.
• Routing explains how to configure virtual routers on security devices and how to
redistribute routing table entries between protocols or between virtual routers.
• Open Shortest Path First describes how to configure the OSPF
• Routing Information Protocol describes how to configure the RIP dynamic routing
protocol on security devices.
• Border Gateway Protocol describes how to configure the BGP
• Policy Based Routing describes policy based routing (PBR). PBR provides a flexible
routing mechanism for data forwarding over networks that rely on Application Layer
support such as for antivirus (AV), deep inspection (DI), or Web filtering.
• Multicast Routing introduces basic multicast routing concepts.
• Internet Group Management Protocol describes how to configure the Internet Group
Management Protocol (IGMP) on security devices.
• Protocol Independent Multicast explains how to configure Protocol Independent
Multicast - Sparse Mode (PIM-SM) and Protocol Independent Multicast - Source
Specific Multicast (PIM-SSM) on Juniper Networks security devices.
• ICMP Router Discovery Protocol explains how to set up an Internet Control Message Protocol (ICMP) message exchange between a host and a router.
Part 8: Address Translation
• Address Translation gives an overview of the various translation options, which are
covered in detail in subsequent chapters.
• Source Network Address Translation describes NAT-src, the translation of the source
IP address in a packet header, with and without Port Address Translation (PAT).
• Destination Network Address Translation describes NAT-dst, the translation of the
destination IP address in a packet header, with and without destination port address
mapping. This section also includes information about the packet flow when doing
NAT-src, routing considerations, and address shifting.
• Mapped and Virtual Addresses describes the mapping of one destination IP address
to another based on IP address alone (mapped IP) or based on destination IP address
and destination port number (virtual IP).
Part 9: User Authentication
• Authentication details the various authentication methods and uses that ScreenOS
supports.
• Authentication Servers presents the options of using one of four possible types of
external authentication server—RADIUS, SecurID, TACACS+, or LDAP—or the internal
database and shows how to configure the security device to work with each type.
• Infranet Authentication details how the security device is deployed in a unified access
control (UAC) solution. Juniper Networks unified access control solution (UAC) secures
and assures the delivery of applications and services across an enterprise infranet.
• Authentication Users explains how to define profiles for authentication users and how
to add them to user groups stored either locally or on an external RADIUS authentication server.
• IKE, XAuth, and L2TP Users explains how to define IKE, XAuth, and L2TP users. Although
the XAuth section focuses primarily on using the security device as an XAuth server, it
also includes a subsection on configuring select security devices to act as an XAuth
client.
• Extensible Authentication for Wireless and Ethernet Interfaces explains the options
available for and examples of how to use the Extensible Authentication Protocol to
provide authentication for Ethernet and wireless interfaces.
Part 10: Virtual Systems
• Virtual Systems discusses virtual systems and profiles, objects, and administrative
tasks.
• Traffic Sorting explains how ScreenOS sorts traffic.
• VLAN-Based Traffic Classification describes VLAN-based traffic classification for
virtual systems, and VLAN retagging.
• IP-Based Traffic Classification explains IP-based traffic classification for virtual systems.
Part 11: High Availability
• NetScreen Redundancy Protocol explains how to cable, configure, and manage Juniper Networks security devices in a redundant group to provide high availability (HA) using NetScreen Redundancy Protocol (NSRP).
• Interface Redundancy and Failover describes the various ways in which Juniper Networks security devices provide interface redundancy.
Part 12: WAN, DSL, Dial, and Wireless
• Wide Area Networks describes how to configure a wide area network (WAN).
• Digital Subscriber Line describes the asymmetric digital subscriber line (ADSL) and
G.symmetrical digital subscriber line (G.SHDSL) interfaces.
• ISP Failover and Dial Recovery describes how to set priority and define conditions for
ISP failover and how to configure a dialup recovery solution.
• Wireless Local Area Network describes the wireless interfaces on Juniper Networks
wireless devices and provides example configurations.
• Wireless Information lists available channels, frequencies, and regulatory domains and
lists the channels that are available on wireless devices for each country.
Part 13: General Packet Radio Service
• GPRS describes the GPRS Tunneling Protocol (GTP) features in ScreenOS and
demonstrates how to configure GTP functionality on a Juniper Networks security device.
Part 14: Dual-Stack Architecture with IPv6
• Internet Protocol Version 6 Introduction explains IPv6 headers, concepts, and tunneling
guidelines.
• IPv6 Configuration explains how to configure an interface for operation as an IPv6
router or host.
• Connection and Network Services explains how to configure Dynamic Host Configuration
protocol version 6 (DHCPv6), Domain Name Services (DNS), Point-to-Point Protocol
over Ethernet (PPPoE), and fragmentation.
• Static and Dynamic Routing explains how to set up static and dynamic routing. This
chapter explains ScreenOS support for Routing Information Protocol-Next Generation
(RIPng).
• Address Translation explains how to use Network Address Translation (NAT) with
dynamic IP (DIP) and mapped-IP (MIP) addresses to traverse IPv4/IPv6 boundaries.
• IPv6 in an IPv4 Environment explains manual and dynamic tunneling.
• IPSec Tunneling explains how to configure IPsec tunneling to connect dissimilar hosts.
• IPv6 XAuth User Authentication explains how to configure Remote Authentication Dial
In User Service (RADIUS) and IPsec Access Session (IAS) management.
• Switching lists options for using the security device as a switch to pass IPv6 traffic.
Document Conventions
This document uses the conventions described in the following sections:
• Web User Interface Conventions on page 10
• Command Line Interface Conventions on page 10
• Naming Conventions and Character Types on page 11
• Illustration Conventions on page 12
Web User Interface Conventions
The Web user interface (WebUI) contains a navigational path and configuration settings. To enter configuration settings, begin by clicking a menu item in the navigation tree on the left side of the screen. As you proceed, your navigation path appears at the top of the screen, with each page separated by angle brackets.
The following example shows the WebUI path and parameters for defining an address:
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: addr_1
IP Address/Domain Name:
IP/Netmask: (select), 10.2.2.5/32
Zone: Untrust
To open Online Help for configuration settings, click the question mark (?) in the upper right of the screen.
The navigation tree also provides a Help > Config Guide configuration page to help you configure security policies and Internet Protocol Security (IPsec). Select an option from the list, and follow the instructions on the page. Click the ? character in the upper right for Online Help on the Config Guide.
Command Line Interface Conventions
The following conventions are used to present the syntax of command line interface
(CLI) commands in text and examples.
In text, commands are in boldface type and variables are in italic type.
In examples:
• Variables are in italic type.
• Anything inside square brackets [ ] is optional.
• Anything inside braces { } is required.
• If there is more than one choice, each choice is separated by a pipe ( | ). For example,
the following command means “set the management options for the ethernet1, the
ethernet2, or the ethernet3 interface” :
NOTE: When entering a keyword, you only have to type enough letters to identify the word uniquely. Typing set adm u whee j12fmt54 will enter the command set admin user wheezer j12fmt54. However, all the commands documented in this guide are presented in their entirety.
Naming Conventions and Character Types
ScreenOS employs the following conventions regarding the names of objects—such as
addresses, admin users, auth servers, IKE gateways, virtual systems, VPN tunnels, and
zones—defined in ScreenOS configurations:
• If a name string includes one or more spaces, the entire string must be enclosed within double quotes; for example:
set address trust “local LAN” 10.1.1.0/24
• Any leading spaces or trailing text within a set of double quotes are trimmed; for example, “ local LAN ” becomes “local LAN”.
• Multiple consecutive spaces are treated as a single space.
• Name strings are case-sensitive, although many CLI keywords are case-insensitive. For example, “local LAN” is different from “local lan”.
ScreenOS supports the following character types:
• Single-byte character sets (SBCS) and multiple-byte character sets (MBCS). Examples of SBCS are ASCII, European, and Hebrew. Examples of MBCS—also referred to as double-byte character sets (DBCS)—are Chinese, Korean, and Japanese.
• ASCII characters from 32 (0x20 in hexadecimal) to 255 (0xff), except double quotes (“), which have special significance as an indicator of the beginning or end of a name string that includes spaces.
NOTE: A console connection only supports SBCS. The WebUI supports both SBCS and MBCS, depending on the character sets that your browser supports.
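The keyword-abbreviation rule from the CLI conventions NOTE and the name-string rules above, as an added Python example (not code from this guide or from ScreenOS): a small tokenizer that normalizes quoted names the way the rules describe (trim, collapse spaces, reject embedded double quotes and characters outside 0x20..0xff, compare case-sensitively) and expands abbreviated keywords against a constructed keyword table. The keyword table is an assumption built for this example, and only keywords are expanded; arguments such as user names pass through unchanged.

```python
import re

# Constructed keyword tree for this example only; the real ScreenOS command
# tree is far larger. A dict node lists the keywords allowed next; None marks
# the point where free-form arguments (names, addresses, passwords) begin.
KEYWORD_TREE = {
    "set": {
        "admin": {"user": None, "password": None},
        "address": None,
        "interface": None,
    },
    "get": {"admin": None, "address": None, "interface": None},
    "unset": {"admin": None, "address": None},
}

# A double-quoted string is one token; anything else splits on whitespace.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def normalize_name(name):
    """Apply the ScreenOS name rules: trim leading/trailing spaces, collapse
    runs of spaces, and allow only characters 0x20..0xff other than '"'.
    Case is preserved because name strings are case-sensitive."""
    name = re.sub(" +", " ", name.strip(" "))
    if not name:
        raise ValueError("empty name string")
    for ch in name:
        if ch == '"' or not 0x20 <= ord(ch) <= 0xFF:
            raise ValueError(f"character {ch!r} not allowed in name {name!r}")
    return name


def names_equal(a, b):
    """Case-sensitive comparison of two name strings after normalization."""
    return normalize_name(a) == normalize_name(b)


def tokenize(line):
    """Split a CLI line into tokens; quoted name strings are normalized and
    bare tokens are checked for the same character rules."""
    tokens = []
    for quoted, bare in _TOKEN.findall(line):
        tokens.append(normalize_name(bare if bare else quoted))
    return tokens


def expand_keyword(prefix, candidates):
    """Resolve an abbreviated keyword: an exact match wins, otherwise the
    prefix must identify exactly one candidate."""
    if prefix in candidates:
        return prefix
    matches = [k for k in candidates if k.startswith(prefix)]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError(f"unknown keyword {prefix!r}")
    raise ValueError(f"ambiguous keyword {prefix!r}: {sorted(matches)}")


def expand_command(line):
    """Rewrite a possibly abbreviated command in its full form, re-quoting
    names that contain spaces. Walks KEYWORD_TREE until it reaches None,
    after which the remaining tokens are arguments and are left alone."""
    node = KEYWORD_TREE
    out = []
    for tok in tokenize(line):
        if node is not None:  # still inside the keyword part of the command
            tok = expand_keyword(tok, node)
            node = node[tok]
        out.append(f'"{tok}"' if " " in tok else tok)
    return " ".join(out)


if __name__ == "__main__":
    print(expand_command("set adm u wheezer j12fmt54"))
    print(expand_command('set address trust "  local   LAN " 10.1.1.0/24'))
    print(names_equal("local LAN", "local lan"))
```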
Illustration Conventions
Figure 2 on page 12 shows the basic set of images used in illustrations throughout this
guide.
Figure 2: Images in Illustrations
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need postsales technical support, you can access
our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/customers/support/downloads/710059.pdf.
• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
• Find CSC offerings—http://www.juniper.net/customers/support/
• Search for known bugs
• Find product documentation—http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base—http://kb.juniper.net/
• Download the latest versions of software and review your release notes—
http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications—
http://www.juniper.net/alerts/
• Join and participate in the Juniper Networks Community Forum—
http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Manager—
http://www.juniper.net/customers/cm/
• To verify service entitlement by product serial number, use our Serial Number
Entitlement (SNE) Tool—
https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Manager tool in the CSC at http://www.juniper.net/customers/cm/.
• Call 1-888-314-JTAC (1-888-314-5822—toll free in USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, visit us at
http://www.juniper.net/customers/support/requesting-support/.
Document Feedback
If you find any errors or omissions in this document, contact Juniper Networks at