As we expand networks to include new services, we must continually strive to
secure them. It is not an inherently easy thing to do.
First, we need to balance growth and total security without duplicating
operations. Second, our networks need to support the mobility of our work-forces as the number of remote sites that are connected continues to multiply.
And finally, while one cannot predict what will be needed for tomorrow, we
must build in the flexibility to adapt to whatever unknown priorities may arise
in the near future.
These challenges are why Juniper Networks is so focused on providing mis-sion-critical products for today with the capacity to adapt for tomorrow’s
shifting priorities. And the authors of this book have done a wonderful job col-lecting and collating what we need to know to make intelligent networking
decisions.
Delivering performance and extensibility is one of the key traits of Juniper
Networks.We allow networks to grow without duplicating operations, all the
while securing them from multiple levels of potential attack. As you read
through this book, please remember that performance and flexibility are funda-mental to how Juniper Networks’ VPN, firewall, and intrusion prevention
products are built and how they will work for you
769 trang |
Chia sẻ: ttlbattu | Lượt xem: 3157 | Lượt tải: 4
Bạn đang xem trước 20 trang tài liệu Configuring Juniper Networks NetScreen & SSG Firewalls, để xem tài liệu hoàn chỉnh bạn click vào nút DOWNLOAD ở trên
Juniper Networks
NetScreen &
SSG Firewalls
Configuring
Rob Cameron Technical Editor
Brad Woodberg
Mohan Krishnamurthy Madwachar
Mike Swarm
Neil R. Wyler
Matthew Albers
Ralph Bonnell
FOREWORD
BY SCOTT KRIENS
CEO, JUNIPER NETWORKS
®
®
418_NetScrn_SSG_FM.qxd 11/7/06 6:37 PM Page i
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production
(collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from
the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS
IS and WITHOUT WARRANTY.You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other inci-
dental or consequential damages arising out from the Work or its contents. Because some states do not allow the
exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to
you.
You should always use reasonable care, including backup and other appropriate precautions, when working with
computers, networks, data, and files.
Syngress Media®, Syngress®,“Career Advancement Through Skill Enhancement®,”“Ask the Author
UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc.“Syngress:The
Definition of a Serious Security Library”™,“Mission Critical™,” and “The Only Way to Stop a Hacker is to
Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this
book are trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
001 HJIRTCV764
002 PO9873D5FG
003 829KM8NJH2
004 5489IJJLPP
005 CVPLQ6WQ23
006 VBP965T5T5
007 HJJJ863WD3E
008 2987GVTWMK
009 629MP5SDJT
010 IMWQ295T6T
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Configuring Networks NetScreen & SSG Firewalls
Copyright © 2007 by Syngress Publishing, Inc.All rights reserved. Except as permitted under the Copyright Act
of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in
a database or retrieval system, without the prior written permission of the publisher, with the exception that the
program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for
publication.
1 2 3 4 5 6 7 8 9 0
ISBN-10: 1-59749-118-7
ISBN-13: 978-1-59749-118-1
Publisher:Andrew Williams Page Layout and Art: Patricia Lupien
Acquisitions Editor: Gary Byrne Copy Editors: Mike McGee, Sandy Jolley
Technical Editor: Rob Cameron Indexer: Nara Wood
Cover Designer: Michael Kavish
Distributed by O’Reilly Media, Inc. in the United States and Canada.
For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights, at
Syngress Publishing; email matt@syngress.com or fax to 781-681-3585.
418_NetScrn_SSG_FM.qxd 11/7/06 6:37 PM Page ii
iii
Lead Author
and Technical Editor
Rob Cameron ( JNCIS-FWV, JNCIA-M, CCSP, CCSE+) is a
Security Solutions Engineer for Juniper Networks. He currently
works to design security solutions for Juniper Networks that are
considered best practice designs. Rob specializes in network security
architecture, firewall deployment, risk management, and high-avail-
ability designs. His background includes five years of security con-
sulting for more than 300 customers.This is Rob’s second book; the
previous one being Configuring NetScreen Firewalls (ISBN: 1-932266-
39-9) published by Syngress Publishing in 2004.
Matthew Albers (CCNP, CCDA, JNCIA-M, JNCIS-FWV,
JNCIA-IDP) is a senior systems engineer for Juniper Networks. He
currently serves his enterprise customers in the Northern Ohio
marketplace. His specialties include routing platforms, WAN acceler-
ation, firewall/VPNs, intrusion prevention, strategic network plan-
ning, network architecture and design, and network troubleshooting
and optimization. Matthew’s background includes positions as a
senior engineer at First Virtual Communications, Lucent
Technologies, and Bay Networks.
Matthew wrote Chapter 1 and cowrote Chapter 11.
Contributing Authors
418_NetScrn_SSG_FM.qxd 11/7/06 6:37 PM Page iii
iv
Ralph Bonnell (CISSP, LPIC-2, CCSI, CCNA, MCSE: Security) is
a senior information security consultant at Accuvant in Denver, CO.
His primary responsibilities include the deployment of various net-
work security products and product training. His specialties include
NetScreen deployments, Linux client and server deployments,
Check Point training, firewall clustering, and PHP Web program-
ming. Ralph also runs a Linux consulting firm called Linux
Friendly. Before moving to Colorado, Ralph was a senior security
engineer and instructor at Mission Critical Systems, a Gold Check
Point partner and training center in South Florida.
Ralph cowrote Chapter 11.
Mohan Krishnamurthy Madwachar ( JNCIA-FWV, CWNA, and
CCSA) is AVP-Infrastructure Services for ADG Infotek, Inc.,
Almoayed Group, Bahrain.Almoayed Group is a leading systems
integration group that has branches in seven countries and executes
projects in nearly 15 countries. Mohan is a key contributor to the
company’s infrastructure services division and plays a key role in the
organization’s network security and training initiatives. Mohan has a
strong networking, security, and training background. His tenure
with companies such as Schlumberger Omnes and Secure Network
Solutions India adds to his experience and expertise in imple-
menting large and complex network and security projects.
Mohan holds leading IT industry certifications and is a member
of the IEEE and PMI.
Mohan would like to dedicate his contributions to this book to
his sister, Geetha Prakash, and her husband, C.V. Prakash, and their
son, Pragith Prakash.
Mohan has coauthored the book Designing and Building
Enterprise DMZs (ISBN: 1-597491004), published by Syngress
Publishing. He also writes in newspaper columns on various subjects
and has contributed to leading content companies as a technical
writer and a subject matter expert.
Mohan wrote Chapter 12.
418_NetScrn_SSG_FM.qxd 11/7/06 6:37 PM Page iv
vMike Swarm is a Security Solutions Engineer at Juniper
Networks. Mike consults with Juniper’s technical field and customer
communities worldwide on security design practices. Mike has over
a decade of experience focused on network security. Prior to
Juniper Networks and its NetScreen Technologies acquisition, Mike
has been a Systems Engineer at FTP Software and Firefox
Communications.
Mike wrote Chapter 10.
Brad Woodberg ( JNCIS-FWV, JNCIS-M, JNCIA-IDP, JNCIA-
SSL, CCNP) is a Security Consultant at Networks Group Inc. in
Brighton, MI.At Networks Group his primary focus is designing
and implementing security solutions for clients ranging from small
business to Fortune 500 companies. His main areas of expertise
include network perimeter security, intrusion prevention, security
analysis, and network infrastructure. Outside of work he has a great
interest in proof-of-concept vulnerability analysis, open source inte-
gration/development, and computer architecture.
Brad currently holds a bachelor’s degree in Computer
Engineering from Michigan State University, and he participates
with local security organizations. He also mentors and gives lectures
to students interested in the computer network field.
Brad wrote Chapters 5–8 and contributed to Chapter 13. He also
assisted in the technical editing of several chapters.
Neil R.Wyler ( JNCIS-FWV, JNCIA-SSL) is an Information
Security Engineer and Researcher located on the Wasatch Front in
Utah. He is the co-owner of two Utah-based businesses, which
include a consulting firm with clients worldwide and a small soft-
ware start-up. He is currently doing contract work for Juniper
Networks, working with the company’s Security Products Group.
Neil is a staff member of the Black Hat Security Briefings and Def
Con hacker conference. He has spoken at numerous security con-
ferences and been the subject of various online, print, film, and tele-
418_NetScrn_SSG_FM.qxd 11/7/06 6:37 PM Page v
vi
vision interviews regarding different areas of information security.
He was the Lead Author and Technical Editor of Aggressive Network
Self-Defense (Syngress, 1-931836-20-5) and serves on the advisory
board for a local technical college.
Neil cowrote Chapter 13.
418_NetScrn_SSG_FM.qxd 11/7/06 6:37 PM Page vi
vii
Contents
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Chapter 1 Networking, Security, and the Firewall . . . . . . . . . . . . . . . . . . . . . 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Understanding Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
The OSI Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Moving Data along with TCP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
Understanding Security Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Understanding Firewall Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Types of Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Firewall Ideologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
DMZ Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Traffic Flow Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Networks with and without DMZs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
DMZ Design Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Designing End-to-End Security for
Data Transmission between Hosts on the Network . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Traffic Flow and Protocol Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Chapter 2 Dissecting the Juniper Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
The Juniper Security Product Offerings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Juniper Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Intrusion Detection and Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Unified Access Control (UAC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
The Juniper Firewall Core Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Virtual Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Interface Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Intrusion Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Device Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
The NetScreen and SSG Firewall Product Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Product Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Chapter 3 Deploying Juniper Firewalls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Managing Your Juniper Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Juniper Management Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Administrative Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
The Local File System and the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Using the Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Using the Web User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
Securing the Management Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
Updating ScreenOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118
System Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Configuring Your Firewall for the First Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
Types of Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
418_NetScrn_SSG_TOC.qxd 11/7/06 6:39 PM Page vii
viii Contents
Virtual Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
Types of Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
Configuring Security Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Configuring Your Firewall for the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Binding an Interface to a Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Setting Up IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Configuring the DHCP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Using PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Interface Speed Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Port Mode Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Bridge Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Configuring Basic Network Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Configuring System Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Setting the Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147
SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151
Web Trends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
Chapter 4 Policy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Firewall Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Theory of Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Types of Juniper Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Policy Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Getting Ready to Make a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Policy Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167
Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167
Address Book Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168
Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Creating Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
Chapter 5 Advanced Policy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 191
Introduction . . . . . . . . . . . . . .