As we expand networks to include new services, we must continually strive to secure them. It is not an inherently easy thing to do.
First, we need to balance growth and total security without duplicating operations. Second, our networks need to support the mobility of our workforces as the number of remote sites that are connected continues to multiply. And finally, while one cannot predict what will be needed for tomorrow, we must build in the flexibility to adapt to whatever unknown priorities may arise in the near future.
These challenges are why Juniper Networks is so focused on providing mission-critical products for today with the capacity to adapt for tomorrow’s shifting priorities. And the authors of this book have done a wonderful job collecting and collating what we need to know to make intelligent networking decisions.
Delivering performance and extensibility is one of the key traits of Juniper Networks. We allow networks to grow without duplicating operations, all the while securing them from multiple levels of potential attack. As you read through this book, please remember that performance and flexibility are fundamental to how Juniper Networks’ VPN, firewall, and intrusion prevention products are built and how they will work for you.
Configuring Juniper Networks NetScreen & SSG Firewalls
Rob Cameron, Technical Editor
Brad Woodberg
Mohan Krishnamurthy Madwachar
Mike Swarm
Neil R. Wyler
Matthew Albers
Ralph Bonnell
FOREWORD BY SCOTT KRIENS, CEO, JUNIPER NETWORKS
418_NetScrn_SSG_FM.qxd 11/7/06 6:37 PM Page i
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Configuring Juniper Networks NetScreen & SSG Firewalls
Copyright © 2007 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
1 2 3 4 5 6 7 8 9 0
ISBN-10: 1-59749-118-7
ISBN-13: 978-1-59749-118-1
Publisher: Andrew Williams
Acquisitions Editor: Gary Byrne
Technical Editor: Rob Cameron
Page Layout and Art: Patricia Lupien
Copy Editors: Mike McGee, Sandy Jolley
Indexer: Nara Wood
Cover Designer: Michael Kavish
Distributed by O’Reilly Media, Inc. in the United States and Canada.
For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights, at
Syngress Publishing; email matt@syngress.com or fax to 781-681-3585.
Lead Author and Technical Editor
Rob Cameron (JNCIS-FWV, JNCIA-M, CCSP, CCSE+) is a Security Solutions Engineer for Juniper Networks. He currently works to design security solutions for Juniper Networks that are considered best practice designs. Rob specializes in network security architecture, firewall deployment, risk management, and high-availability designs. His background includes five years of security consulting for more than 300 customers. This is Rob’s second book; the previous one being Configuring NetScreen Firewalls (ISBN: 1-932266-39-9) published by Syngress Publishing in 2004.
Contributing Authors
Matthew Albers (CCNP, CCDA, JNCIA-M, JNCIS-FWV, JNCIA-IDP) is a senior systems engineer for Juniper Networks. He currently serves his enterprise customers in the Northern Ohio marketplace. His specialties include routing platforms, WAN acceleration, firewall/VPNs, intrusion prevention, strategic network planning, network architecture and design, and network troubleshooting and optimization. Matthew’s background includes positions as a senior engineer at First Virtual Communications, Lucent Technologies, and Bay Networks.
Matthew wrote Chapter 1 and cowrote Chapter 11.
Ralph Bonnell (CISSP, LPIC-2, CCSI, CCNA, MCSE: Security) is a senior information security consultant at Accuvant in Denver, CO. His primary responsibilities include the deployment of various network security products and product training. His specialties include NetScreen deployments, Linux client and server deployments, Check Point training, firewall clustering, and PHP Web programming. Ralph also runs a Linux consulting firm called Linux Friendly. Before moving to Colorado, Ralph was a senior security engineer and instructor at Mission Critical Systems, a Gold Check Point partner and training center in South Florida.
Ralph cowrote Chapter 11.
Mohan Krishnamurthy Madwachar (JNCIA-FWV, CWNA, and CCSA) is AVP-Infrastructure Services for ADG Infotek, Inc., Almoayed Group, Bahrain. Almoayed Group is a leading systems integration group that has branches in seven countries and executes projects in nearly 15 countries. Mohan is a key contributor to the company’s infrastructure services division and plays a key role in the organization’s network security and training initiatives. Mohan has a strong networking, security, and training background. His tenure with companies such as Schlumberger Omnes and Secure Network Solutions India adds to his experience and expertise in implementing large and complex network and security projects.
Mohan holds leading IT industry certifications and is a member of the IEEE and PMI.
Mohan would like to dedicate his contributions to this book to his sister, Geetha Prakash, and her husband, C.V. Prakash, and their son, Pragith Prakash.
Mohan has coauthored the book Designing and Building Enterprise DMZs (ISBN: 1-597491004), published by Syngress Publishing. He also writes in newspaper columns on various subjects and has contributed to leading content companies as a technical writer and a subject matter expert.
Mohan wrote Chapter 12.
Mike Swarm is a Security Solutions Engineer at Juniper Networks. Mike consults with Juniper’s technical field and customer communities worldwide on security design practices. Mike has over a decade of experience focused on network security. Prior to Juniper Networks and its NetScreen Technologies acquisition, Mike was a Systems Engineer at FTP Software and Firefox Communications.
Mike wrote Chapter 10.
Brad Woodberg (JNCIS-FWV, JNCIS-M, JNCIA-IDP, JNCIA-SSL, CCNP) is a Security Consultant at Networks Group Inc. in Brighton, MI. At Networks Group his primary focus is designing and implementing security solutions for clients ranging from small business to Fortune 500 companies. His main areas of expertise include network perimeter security, intrusion prevention, security analysis, and network infrastructure. Outside of work he has a great interest in proof-of-concept vulnerability analysis, open source integration/development, and computer architecture.
Brad currently holds a bachelor’s degree in Computer Engineering from Michigan State University, and he participates with local security organizations. He also mentors and gives lectures to students interested in the computer network field.
Brad wrote Chapters 5–8 and contributed to Chapter 13. He also assisted in the technical editing of several chapters.
Neil R. Wyler (JNCIS-FWV, JNCIA-SSL) is an Information Security Engineer and Researcher located on the Wasatch Front in Utah. He is the co-owner of two Utah-based businesses, which include a consulting firm with clients worldwide and a small software start-up. He is currently doing contract work for Juniper Networks, working with the company’s Security Products Group. Neil is a staff member of the Black Hat Security Briefings and Def Con hacker conference. He has spoken at numerous security conferences and been the subject of various online, print, film, and television interviews regarding different areas of information security. He was the Lead Author and Technical Editor of Aggressive Network Self-Defense (Syngress, 1-931836-20-5) and serves on the advisory board for a local technical college.
Neil cowrote Chapter 13.
Contents
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Chapter 1 Networking, Security, and the Firewall . . . . . . . . . . . . . . . . . . . . . 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Understanding Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
The OSI Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Moving Data along with TCP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
Understanding Security Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Understanding Firewall Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Types of Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Firewall Ideologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
DMZ Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Traffic Flow Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Networks with and without DMZs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
DMZ Design Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Designing End-to-End Security for Data Transmission between Hosts on the Network . . . . . . . . . . . . . . . . . .42
Traffic Flow and Protocol Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Chapter 2 Dissecting the Juniper Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
The Juniper Security Product Offerings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Juniper Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Intrusion Detection and Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Unified Access Control (UAC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
The Juniper Firewall Core Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Virtual Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Interface Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Intrusion Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Device Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
The NetScreen and SSG Firewall Product Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Product Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Chapter 3 Deploying Juniper Firewalls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Managing Your Juniper Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Juniper Management Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Administrative Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
The Local File System and the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Using the Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Using the Web User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
Securing the Management Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
Updating ScreenOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118
System Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Configuring Your Firewall for the First Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
Types of Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Virtual Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
Types of Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
Configuring Security Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Configuring Your Firewall for the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Binding an Interface to a Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Setting Up IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Configuring the DHCP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Using PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Interface Speed Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Port Mode Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Bridge Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Configuring Basic Network Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Configuring System Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Setting the Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147
SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151
Web Trends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
Chapter 4 Policy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Firewall Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Theory of Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Types of Juniper Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Policy Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Getting Ready to Make a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Policy Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167
Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167
Address Book Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168
Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Creating Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
Chapter 5 Advanced Policy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 191
Introduction . . . . . . . . . . . . . .