JNCIA Study Guide - Firewall Filters - Juniper Networks


  • JNCIA: Juniper Networks Certified Internet Associate

    Study Guide - Chapter 10

    by Joseph M. Soricelli with John L. Hammond, Galina Diker Pildush, Thomas E. Van Meter, and Todd M. Warble

    This book was originally developed by Juniper Networks Inc. in conjunction with Sybex Inc. It is being offered in electronic format because the original book (ISBN: 0-7821-4071-8) is now out of print. Every effort has been made to remove the original publisher's name and references to the original bound book and its accompanying CD. The original paper book may still be available in used book stores or by contacting John Wiley & Sons, Publishers. www.wiley.com.

    Copyright 2003-6 by Juniper Networks Inc. All rights reserved.

    This publication may be used in assisting students to prepare for a Juniper JNCIA exam but Juniper Networks Inc. cannot warrant that use of this publication will ensure passing the relevant exam.

  • Chapter 10

    Firewall Filters

    JNCIA EXAM OBJECTIVES COVERED IN THIS CHAPTER:

    Describe firewall filter concepts: input; output; match conditions; actions; action modifiers; syntax

    Identify the differences between a transit firewall filter and a Routing Engine firewall filter

    Identify CLI commands used to monitor and troubleshoot firewall filter operation

  • Firewall filters in a networking environment perform many functions, including restricting access to specific network resources. Additionally, filters are associated with protecting the network against denial-of-service (DoS) attacks and preventing spoofing of legal IP addresses. The JUNOS software also uses firewall filters to provide you with accounting information and to enable features such as filter-based forwarding.

    This wide range of topics is a lot to cover in a single chapter, so we focus on the basic construction and application of a firewall filter on a Juniper Networks router. First, we examine why firewall filters are needed and when it is appropriate to implement them. We then see how to construct and apply a firewall filter, and discuss the differences between using a filter on user transit traffic versus protecting the Routing Engine. Finally, we demonstrate some JUNOS software CLI commands used to monitor and troubleshoot the firewall filter operation.

    Firewall Filter Overview

    Before we begin to examine the details of implementing and configuring a firewall filter in the JUNOS software, we should first discuss the larger picture of network security. The concept of network security means different things to different people. To some, guaranteeing that a packet's contents are secure and unreadable is security. This is the driving precept behind the IP Security (IPSec) protocols developed by the Internet Engineering Task Force (IETF). Other network administrators would like to ensure that only acceptable personnel access specific services. Generally speaking, a stateful firewall controls this type of access, examining the Layer 3 and Layer 4 headers as well as the packet's data. The firewall normally has the ability to check domain name service (DNS) queries, validate web browser requests, and monitor that TCP sessions do not remain active longer than required by the applications. Neither function is the focus of this chapter. Instead, we examine a final form of security: the packet filter.

    You may already be familiar with the role a packet filter plays in a network; other router vendors often call this an access list. The JUNOS software uses the term firewall filter to describe the function of examining only the Layer 3 and Layer 4 headers on a packet-by-packet basis. The filter makes a decision, based on rules you configure, as to whether the packet should be forwarded or dropped by the router. The important distinction between a firewall filter and a stateful firewall is that the filter doesn't examine the packet's data nor does it monitor the activity of the TCP sessions transiting the router. The filter simply makes the binary decision about forwarding the packet, allowing you to control access to resources in your network.

  • Implementing a Firewall Filter

    Although we understand the general function of a packet filter in examining a packet's headers, it is important to comprehend how the filter is implemented on a Juniper Networks router. The firewall filter utilizes the functionality of the custom-designed Internet Processor ASIC. Our discussion of a packet's flow through the Packet Forwarding Engine in Chapter 1, "The Components of a Juniper Networks Router," detailed that the Internet Processor ASIC receives only the notification cell to perform its route lookup. This cell contains the Layer 3 and Layer 4 header information required by the filter, but it does not hold any information about the packet's data. While this lack of data keeps the router from performing stateful firewall activities, realize that stateful monitoring is not the role your router should perform in the network.

    The Internet Processor ASIC provides industry-leading forwarding rates for transit user traffic while simultaneously supporting complex filtering, packet sampling, and rate-limiting features. The Internet Processor ASIC supports a wealth of Layer 3 and Layer 4 packet-matching conditions, actions, and action modifiers using a JUNOS software syntax that is quite similar to the syntax of the policy framework discussed in Chapter 4, "Routing Policy."

    Each Juniper Networks M-series and T-series router contains an Internet Processor ASIC. You can verify its existence by using the show chassis hardware command:

    user@Shiraz> show chassis hardware
    Hardware inventory:
    Item             Version  Part number  Serial number     Description
    Chassis                                50375             M5
    Midplane         REV 03   710-002650   HF1437
    Power Supply A   Rev 04   740-002497   LK22981           AC
    Display          REV 04   710-001995   HF1278
    Host                                   8a00000749a99a01  teknor
    FEB              REV 08   710-002503   AL0781            Internet Processor II
    FPC 0
      PIC 0          REV 04   750-002992   HC5418            4x F/E, 100 BASE-TX
      PIC 1          REV 03   750-002971   HE5256            4x OC-3 SONET, MM

    Implementing a firewall filter within the JUNOS software is a two-step process: You first define the firewall filter and then apply it to an interface. The filter definition uses various match conditions, including the incoming interface on the router, IP address fields, protocol types, port numbers, and other header bit fields. As a packet matches the specified conditions, actions are performed to accept, discard, log, count, or sample the packet.

    Writing the Firewall Filter

    Although there are two steps to implementing a firewall filter, we focus on writing the filter in this section. Simply put, you may not apply a filter until it is built. We examine the various components of a firewall filter at a high level and see how the router evaluates the filter. We then explore the possible match conditions and the actions to be taken if there is a match within the filter.

    Processing Filters

    Much like a routing policy, a firewall filter has a specific set of rules that govern its processing within the JUNOS software. Unlike a policy, however, only a single firewall filter may be applied to any interface. Consequently, there is no concept of a firewall filter chain. The router evaluates all packets individually against the specific filter applied to each interface.

    We use the generic term interface throughout this chapter to represent both the physical and logical portions of an interface in the JUNOS software.

    The JUNOS software provides a very systematic method for constructing a firewall filter. This allows you the maximum scalability and flexibility in using the router's capabilities. You configure a filter for IPv4 packets within the [edit firewall family inet] configuration hierarchy. The basic syntax of a firewall filter is:

    firewall {
        family inet {
            filter filter-name {
                term term-name {
                    from {
                        match-conditions;
                    }
                    then {
                        actions;
                        action-modifiers;
                    }
                }
            }
        }
    }

    The JUNOS software requires the use of terms in a firewall filter and each term may contain both match criteria and actions. The router evaluates the configured match conditions to determine whether an IP packet meets all of the criteria of the filter. If it does, the router performs any defined actions for the filter. The specific match conditions and actions are discussed in the "Match Conditions" and "Actions" sections, respectively, later in this chapter.

    The JUNOS software allows you to customize the names of your firewall filters so you can easily identify their purpose at a later time. For example, a filter designed to deny ICMP pings from Customer A might be named no-ping-customerA.

  • We recommend that you assign self-explanatory names to your filters so that their purpose is evident at a glance. A defined naming structure can help you accomplish this goal.
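
    The two steps described above (define the filter, then apply it to an interface), worked through for the no-ping-customerA filter named in this section. This is an added example, not configuration from the original study guide; the Customer A prefix 192.0.2.0/24, the interface fe-0/0/0 unit 0, the term names, and the counter name are assumptions.

```junos
/* Added example. Assumed values: 192.0.2.0/24 (Customer A), fe-0/0/0 unit 0, */
/* term names block-ping and allow-rest, counter name ping-customerA.        */
firewall {
    family inet {
        /* Step 1: define the filter. */
        filter no-ping-customerA {
            term block-ping {
                /* A packet must meet every condition in "from" to match the term. */
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol icmp;
                    icmp-type echo-request;
                }
                then {
                    /* "count" is an action modifier; "discard" is the action. */
                    count ping-customerA;
                    discard;
                }
            }
            /* A packet that matches no term is discarded by default, so a   */
            /* final term with no "from" accepts all remaining traffic.      */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                /* Step 2: apply the filter to packets arriving on this interface. */
                filter {
                    input no-ping-customerA;
                }
            }
        }
    }
}
```

    Omitting the allow-rest term would turn this into a filter that drops every packet from the interface, not only pings. After the commit, show firewall filter no-ping-customerA reports the ping-customerA counter.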

    Segmenting Filters

    The lack of a firewall filter chain within the JUNOS software means that you have to write complex filters with multiple terms to accomplish your goals. The basic firewall filter syntax is si