© 2012 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services Chapter 4: Security Policies Junos Security

Junos Security - luk.kis.p.lodz.plluk.kis.p.lodz.pl/ZiMSK/laboratorium/JunOS/JSEC_12.a_C4_Security... · Worldwide Education Services | 4-10 Policy Ordering ... vlan.104, Pkts: 19,


Chapter 4: Security Policies

Junos Security

Chapter Objectives

After successfully completing this chapter, you will be able to:

•Explain security policy functionality
•Explain Junos ALG functionality
•Describe the components of a security policy
•Verify policies and monitor their execution
•Configure a basic security policy using the following elements:
  • Policy match conditions
  • Policy actions—basic and advanced
  • Policy scheduling

Agenda: Security Policies

Security Policy Overview
Junos ALGs
Policy Components
Verifying Policy Operation
Policy Scheduling and Rematching
Policy Case Study

Security Policy Defined

What is a security policy?

•A set of rules that tells a Junos security device what to do with transit traffic between zones and within a zone

(Diagram: a security device facing the Internet, asking "What should I do if a packet comes in matching Criterion A?")

Review: Packet Flow

(Diagram: the packet path through the flow module. Ingress packet → per-packet filters → screen options → "Match session?" If no (first path): screen options, D-NAT, route, zones, policy, S-NAT, services/ALG, then session creation. If yes (fast path): TCP checks, NAT, services/ALG. Both paths continue to the per-packet policer, the per-packet shaper and forwarding, then the egress packet. The flow-module stages are session-based, the per-packet stages are packet-based; the policy stage is the focus of this chapter.)

Transit Traffic Examination

The Junos OS for security platforms always examines transit traffic by using security policies

(Diagram: packet in → Does a security policy match the traffic? Yes → apply policy actions. No → apply default policy.)

Local Inbound Traffic Examination

host-inbound-traffic follows this process:

(Diagram: packet in → Is the packet destined to the incoming interface?
  Yes → Is the system service or protocol allowed into the interface of the device (host-inbound-traffic)? Yes → permit traffic. No → deny traffic.
  No → Does a security policy match the traffic? No → apply default policy. Yes → Does the policy permit the traffic? Yes → apply policy actions. No → drop traffic.)

Default Security Policies

System-default security policy: deny all traffic through the device
•You can change the default policy to permit all traffic

Factory-default template security policies (branch devices only):
•Trust to trust: permit all
•Trust to untrust: permit all
•Untrust to trust: deny all

(Diagram: system-default security policy behavior, deny ALL transit traffic; factory-default security policy behavior between the Trust zone and the Untrust zone, with arrows 1 to 3 matching the list above)

Security Policy Conceptual Example

Security Policy: from private zone to external zone
  If Source IP address = Host B
     Destination IP address = Host D
     Application = SSH
  then permit traffic

Steps:
1. Host B initiates SSH to Host D: flow B → D.
2. Security policy permits that flow.
3. The flow triggers reverse flow creation; both flows result in a formed session.
4. The return traffic, Host D → Host B, also receives permission.

(Diagram: Host B in the Private Zone, Host A in the Public Zone, and Host D in the External Zone beyond the Internet; the numbered steps are marked along the path from B to D.)

Session Table:
Source Address | Prot | Source Port | Destination Address | Destination Port | Int
B              | 6    | 29200       | D                   | 22               | ge-0/0/0
D              | 6    | 22          | B                   | 29200            | ge-1/0/0

Policy Ordering

Ordering:
•Order is important!
•By default, new policies go to the end of the list
•Can change the order using the insert command
•Remember the system default policy!

[edit security policies]
user@srx# insert from-zone name to-zone name policy name [before | after] policy name

Editing Security Configurations

Like any other Junos configuration stanza, you can perform the following actions on the security configuration components:
•Delete
•Deactivate
•Activate
•Insert
•Annotate
•Copy
•Rename
•Search and replace


ALG Defined

ALGs are software processes that manage protocols
•Designed for each protocol and operate differently
  • The protocols usually use dynamic client and server ports for different parts of the communication

(Diagram: an application signalling to the device, "This application needs this port opened for return traffic.")

FTP ALG Example (1 of 3)

(Diagram: the FTP control channel. The client in the Trust zone opens a TCP connection through the SRX device to the FTP server in the Untrust zone; the same packets are shown on each side of the SRX device.)

Client → SRX → Server   172.20.104.10:49668 > 172.18.1.2:21   SYN
Client ← SRX ← Server   172.20.104.10:49668 < 172.18.1.2:21   SYN/ACK
Client → SRX → Server   172.20.104.10:49668 > 172.18.1.2:21   ACK

FTP ALG Example (2 of 3)

(Diagram: the FTP data channel. The client announces its data port with a PORT command on the control channel; the flow module calls the ALG to create a pinhole, and the server's connection from port 20 hits that pinhole.)

Client → SRX → Server   PORT 172.20.104.10:56804                     (flow calls ALG to create a hole)
Client ← SRX ← Server   172.20.104.10:56804 < 172.18.1.2:20   SYN     (hits the pinhole)
Client → SRX → Server   172.20.104.10:56804 > 172.18.1.2:20   SYN/ACK
Client ← SRX ← Server   172.20.104.10:56804 < 172.18.1.2:20   ACK
Data Stream

FTP ALG Example (3 of 3)

Only one security policy is needed with the ALG applied:

user@srx> show security flow session
Session ID: 16107, Policy name: trust-to-untrust/6, Timeout: 1800, Valid
  Resource information : FTP ALG, 1, 0
  In: 172.20.104.10/49668 --> 172.18.1.2/21;tcp, If: vlan.104, Pkts: 19, Bytes: 863
  Out: 172.18.1.2/21 --> 172.20.104.10/49668;tcp, If: ge-0/0/3.0, Pkts: 18, Bytes: 1085

Session ID: 16139, Policy name: trust-to-untrust/6, Timeout: 2, Valid
  Resource information : FTP ALG, 1, 1
  In: 172.18.1.2/20 --> 172.20.104.10/56804;tcp, If: ge-0/0/3.0, Pkts: 4, Bytes: 278
  Out: 172.20.104.10/56804 --> 172.18.1.2/20;tcp, If: vlan.104, Pkts: 3, Bytes: 168
Total sessions: 2

With the ALG ignored, another security policy is needed to allow port 20
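An added Python example (not part of the course material) that parses the show security flow session output above and pairs the ALG-opened data session with its control session, so the pinhole is visible as data: a session initiated from the untrust side (172.18.1.2/20) that was nevertheless permitted by the trust-to-untrust policy. Since the slide does not spell it out, it assumes that sessions sharing the ALG name and the first number in Resource information belong together and that a second number of 0 marks the control session; the sample text is constructed from the slide's output.

```python
import re
from typing import Dict, List

# Constructed sample, copied from the `show security flow session` output on
# the slide above (same addresses, ports and session IDs).
SAMPLE_OUTPUT = """\
Session ID: 16107, Policy name: trust-to-untrust/6, Timeout: 1800, Valid
  Resource information : FTP ALG, 1, 0
  In: 172.20.104.10/49668 --> 172.18.1.2/21;tcp, If: vlan.104, Pkts: 19, Bytes: 863
  Out: 172.18.1.2/21 --> 172.20.104.10/49668;tcp, If: ge-0/0/3.0, Pkts: 18, Bytes: 1085

Session ID: 16139, Policy name: trust-to-untrust/6, Timeout: 2, Valid
  Resource information : FTP ALG, 1, 1
  In: 172.18.1.2/20 --> 172.20.104.10/56804;tcp, If: ge-0/0/3.0, Pkts: 4, Bytes: 278
  Out: 172.20.104.10/56804 --> 172.18.1.2/20;tcp, If: vlan.104, Pkts: 3, Bytes: 168
Total sessions: 2
"""

SESSION_RE = re.compile(
    r"Session ID: (?P<id>\d+), Policy name: (?P<policy>[^/]+)/(?P<index>\d+), "
    r"Timeout: (?P<timeout>\d+), (?P<state>\w+)")
RESOURCE_RE = re.compile(r"Resource information : (?P<alg>.+?), (?P<group>\d+), (?P<res>\d+)")
WING_RE = re.compile(
    r"(?P<dir>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> (?P<dst>[\d.]+)/(?P<dport>\d+);"
    r"(?P<proto>\w+), If: (?P<intf>[^,]+), Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)")


def parse_sessions(text: str) -> List[Dict]:
    """Turn the CLI text into one dict per session with its In/Out wings."""
    sessions: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            s = m.groupdict()
            for key in ("id", "index", "timeout"):
                s[key] = int(s[key])
            s["resource"] = None
            s["wings"] = {}
            sessions.append(s)
            continue
        if not sessions:          # lines before the first session header
            continue
        m = RESOURCE_RE.match(line)
        if m:
            sessions[-1]["resource"] = {"alg": m["alg"], "group": int(m["group"]), "res": int(m["res"])}
            continue
        m = WING_RE.match(line)
        if m:
            wing = m.groupdict()
            for key in ("sport", "dport", "pkts", "bytes"):
                wing[key] = int(wing[key])
            sessions[-1]["wings"][wing.pop("dir")] = wing
    return sessions


def alg_pinholes(sessions: List[Dict]) -> List[Dict]:
    """Pair each ALG-opened data session with its control session.

    Assumption (not stated on the slide): sessions that share the ALG name and
    group number belong together, and res == 0 marks the control session.
    The data session's In wing shows who actually opened the pinhole."""
    by_group: Dict[tuple, List[Dict]] = {}
    for s in sessions:
        if s["resource"]:
            key = (s["resource"]["alg"], s["resource"]["group"])
            by_group.setdefault(key, []).append(s)
    pairs = []
    for members in by_group.values():
        control = [s for s in members if s["resource"]["res"] == 0]
        data = [s for s in members if s["resource"]["res"] != 0]
        for c in control:
            for d in data:
                inbound = d["wings"]["In"]
                pairs.append({
                    "control": c["id"], "data": d["id"], "policy": d["policy"],
                    "initiator": inbound["src"], "initiator_port": inbound["sport"],
                    "target": inbound["dst"], "target_port": inbound["dport"],
                    "timeout": d["timeout"],
                })
    return pairs


def sessions_per_policy(sessions: List[Dict]) -> Dict[str, int]:
    """Count sessions per 'policy/index', the pair shown in the output."""
    counts: Dict[str, int] = {}
    for s in sessions:
        key = f"{s['policy']}/{s['index']}"
        counts[key] = counts.get(key, 0) + 1
    return counts
```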

Useful ALG Commands

Viewing ALGs
•View predefined ALGs using the hidden show groups junos-defaults security alg command
•View enabled ALGs using the show security alg status command
•View which ALGs are active and how they are configured with the hidden show security alg configuration command

user@srx> show security alg status
ALG Status :
  DNS      : Enabled
  FTP      : Enabled
  H323     : Enabled
  MGCP     : Enabled

user@srx> show security alg configuration
H323 Configuration:
  Endpoint Registration Timeout : 3600
  Media Source Port Any         : Off
  Application Screen
    Unknown Message NAT packets    : Deny
    Unknown Message Routed packets : Deny

ALG Configuration (1 of 3)

Edit ALGs under the [edit security alg] hierarchy
•Some ALGs have a few different options, but all have at a minimum the following components:
  • Disable
  • Traceoptions

[edit]
user@srx# set security alg dns ?
Possible completions:
  disable                 Disable DNS ALG
  maximum-message-length  Set maximum message length (512..8192 bytes)
> traceoptions            DNS ALG trace options

ALG Configuration (2 of 3)

Apply ALGs under the [edit applications application name] hierarchy:

[edit applications application name]
user@srx# show
application-protocol ftp;
protocol tcp;
destination-port 21;

ALG Configuration (3 of 3)

Verify that the ALG is applied using the show security policies detail command:

user@srx> show security policies detail
Policy: trust-to-untrust, action-type: permit, State: enabled, Index: 7, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Destination addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Application: junos-ftp
    IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [21-21]


Policy Language

You create policies under a context
•from-zone zone-name to-zone zone-name
•Set under the [edit security policies] hierarchy

Each policy:
•Identified by user-defined name
•Composed of a match statement and a then statement
  • Match criteria must include source address, destination address, and application
  • Action can be permit, deny, reject, log, or count (or combination)
•Optionally contains other advanced policy actions
  • IDP, UTM (branch devices only), firewall authentication

Policy Match Criteria

Policy matching criteria:
•Source addresses (configured within a zone’s address book)
  • Individual address
  • Address set
•Destination addresses (configured within a zone’s address book)
  • Individual address
  • Address set
•Applications or application sets
  • User defined
  • System defined

Creating Address Book Entries

Commands for address book entries:

•Adding an address to an address book:

[edit security zones]
security-zone name {
    address-book {
        address name1 X.X.X.X/mask;
        address name2 X.X.X.X/mask;
    }
}

•Creating a group of addresses, named address sets:

[edit security zones]
security-zone name {
    address-book {
        address-set name {
            address name1;
            address name2;
        }
    }
}

IPv6 Addressing

To create an IPv6 address book entry:
•inet6 flow must be enabled
•Must perform a system reboot when enabling IPv6 flow mode

[edit security zones]
user@srx# show
security-zone name {
    address-book {
        address name2 X::X/mask;
    }
}

user@srx# commit
warning: You have enabled/disabled inet6 flow.
You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
configuration check succeeds

[edit security forwarding-options]
user@srx# show
family {
    inet6 {
        mode flow-based;
    }
}

DNS Addressing

You can use a DNS name instead of an IPv4 or an IPv6 address
•SRX device must be configured with a DNS server

[edit security zones]
user@srx# show
security-zone name {
    address-book {
        address name3 {
            dns-name abc.com;
        }
    }
}

[edit system]
user@srx# show
host-name srx;
name-server {
    X.X.X.X;
}

Defining Custom Applications

Specifics of implementation:
•Many built-in applications (junos-rsh, junos-sip, junos-bgp, junos-tacacs, and so forth)
•You can add applications, application sets, or both to the predefined list
  • No restrictions for the naming convention
  • You can modify protocols, ports, inactivity timers, and so forth

[edit applications]
application name {
    application-protocol alg-protocol;
    protocol protocol;
    source-port source-port;
    destination-port destination-port;
}

[edit applications]
application-set name {
    application name1;
    application name2;
}

Predefined Applications

To view predefined applications, issue the show groups junos-defaults applications command

user@srx# show groups junos-defaults applications
#
# File Transfer Protocol
#
application junos-ftp {
    application-protocol ftp;
    protocol tcp;
    destination-port 21;
}

Altering Built-In Applications (1 of 3)

Create a new application with the same name as the built-in application under the [edit applications] hierarchy
•The same options are available as for creating a custom application
  • Configure only what you want to change
•Reasons to change a built-in application:
  • To use different ports
  • To change the timeout value
  • To ignore the ALG

[edit applications]
user@srx# show
application junos-ftp {
    application-protocol ignore;
    protocol tcp;
    destination-port 6021;
    inactivity-timeout 3600;
}

Altering Built-In Applications (2 of 3)

Create a group configuration to alter predefined applications
•Applications must all use the same protocol
  • The example shown here alters the TCP timeout value on the built-in applications junos-ftp and junos-finger

[edit groups]
user@srx# show
group-name {
    applications {
        application <junos-f*> inactivity-timeout 3600;
    }
}

[edit]
user@srx# show apply-groups
apply-groups group-name;

Altering Built-In Applications (3 of 3)

To verify that your configuration changes took place, issue the command show security flow session extensive:

user@srx> show security flow session extensive
Session ID: 38296, Status: Normal
Flag: 0x42
Policy name: trust-to-untrust/6
Source NAT pool: Null, Application: junos-ftp/1
Maximum timeout: 3600, Current timeout: 3600

user@srx> show security flow session extensive
Session ID: 1615, Status: Normal
Flag: 0x40
Policy name: trust-to-untrust/6
Source NAT pool: Null, Application: junos-finger/17
Maximum timeout: 3600, Current timeout: 3600

Creating Policy Match Entries

Specifics:
•Group all policies together in the proper order, ensuring proper order of execution
•Apply defined matching parameters

[edit security policies]
from-zone zone-name to-zone zone-name {
    policy name1 {
        match {
            source-address address-name1;
            destination-address address-name1;
            application application-name1;
        }
    }
    policy name2 {
        match {
            source-address address-name2;
            destination-address address-name2;
            application application-name2;
        }
    }
}

Basic Policy Actions

Policy actions:
•permit: allows traffic flow
•deny: silently drops traffic
•reject: drops traffic and sends an ICMP unreachable message for UDP traffic and a TCP RST message for TCP traffic

Optionally log and count traffic
•Logs sent to external syslog server
  • Can be stored locally on branch devices
•Counters viewable with the show security policies detail command

Advanced Permit Settings

If the security policy allows traffic to pass, you can also configure the following actions:
•Firewall authentication: authenticate the client prior to forwarding the traffic
  • Pass-through
  • Web authentication
•IPsec VPN: perform encryption and decryption of permitted transit traffic
•IDP: perform IDP policy evaluation
•UTM: perform UTM services such as antivirus, Web filtering, and content filtering
  • UTM services only available for branch platforms

User Role Firewall Policies

Implementing user role firewall policies
•Classify traffic based on roles
•Agentless transparent authentication
•SSO support

(Diagram: a User Zone, an Infrastructure Zone containing a Windows Server running Active Directory and a MAG Series device, and a Server Zone)

Global Policies

What are global policies?
•Single security policy that allows traffic from any zone to any other zone—no from-zone or to-zone configuration
•Significantly reduces the number of security contexts
•Can be used in conjunction with regular security policies
  • Regular security policies take precedence
•Same matching conditions and actions as security policies
•Configure under:
  • [edit security policies global policy]
•Global address book:
  • [edit security address-book global]

Global Policy in Action

Using global policies
•Only one policy required to facilitate communication between multiple zones

Global Security Policy:
  If Source IP address = Host A, Host B, Host C
     Destination IP address = Any
     Application = HTTP
  then permit traffic

(Diagram: Host A in the IT Zone, Host B in the HR Zone and Host C in the Eng Zone all reach the Internet through the External Zone under the single global policy.)

Policy Components Summary

[edit security policies]
from-zone zone-name to-zone zone-name {
    policy name1 {
        match {
            source-address address-name;
            destination-address address-name;
            application application-name;
        }
        then {
            <action>;
        }
    }
    policy name2 {
        match {
            source-address address-name;
            destination-address address-name;
            application application-name;
        }
        then {
            <action>;
        }
    }
}

Callouts: the from-zone/to-zone line is the context; each match block holds the matching criteria; each then block holds the action.
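As an added example (not from the Juniper course material), the following Python script simulates the evaluation order that the Policy Ordering, Global Policies and Policy Components slides describe: zone-context policies are tried first-match in list order, the global context is consulted only when no zone-context policy matches, and the system-default policy applies last. The address-book entries, application definitions, policy names, and the rule that an address set expands to its members are constructed assumptions, not the course's configuration.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# A transit flow as the flow module sees it when it consults the policies.
Flow = namedtuple("Flow", "from_zone to_zone src dst protocol dport")


@dataclass
class Application:
    name: str
    protocol: str                 # "tcp" or "udp"
    dest_ports: Tuple[int, int]   # inclusive destination port range

    def matches(self, protocol: str, dport: int) -> bool:
        lo, hi = self.dest_ports
        return protocol == self.protocol and lo <= dport <= hi


@dataclass
class Policy:
    name: str
    source: List[str]         # address names, address-set names or "any"
    destination: List[str]
    applications: List[str]   # application names or "any"
    action: str               # "permit", "deny" or "reject"


class PolicyEngine:
    def __init__(self, address_book, applications, default_action="deny"):
        # address_book: name -> ip_network, or name -> [member names] for an address set
        self.address_book = address_book
        self.applications = applications
        self.default_action = default_action      # the system-default policy
        self.contexts: Dict[Tuple[str, str], List[Policy]] = {}
        self.global_policies: List[Policy] = []

    def add(self, from_zone, to_zone, policy, before=None, after=None):
        """Append to the context's list (the default) unless asked to insert
        before/after an existing policy, as the `insert` command does."""
        rules = self.contexts.setdefault((from_zone, to_zone), [])
        names = [p.name for p in rules]
        if before is not None:
            rules.insert(names.index(before), policy)
        elif after is not None:
            rules.insert(names.index(after) + 1, policy)
        else:
            rules.append(policy)

    def _addr_match(self, names, ip):
        if "any" in names:
            return True
        addr = ip_address(ip)
        for name in names:
            entry = self.address_book[name]
            members = entry if isinstance(entry, list) else [name]
            if any(addr in self.address_book[m] for m in members):
                return True
        return False

    def _app_match(self, names, flow):
        if "any" in names:
            return True
        return any(self.applications[n].matches(flow.protocol, flow.dport) for n in names)

    def _first_match(self, rules, flow) -> Optional[Policy]:
        for p in rules:                       # list order decides: first match wins
            if (self._addr_match(p.source, flow.src)
                    and self._addr_match(p.destination, flow.dst)
                    and self._app_match(p.applications, flow)):
                return p
        return None

    def evaluate(self, flow) -> Tuple[str, str]:
        """Zone-context rules in order, then the global context, then the default."""
        rules = self.contexts.get((flow.from_zone, flow.to_zone), [])
        hit = self._first_match(rules, flow) or self._first_match(self.global_policies, flow)
        if hit is None:
            return ("default-policy", self.default_action)
        return (hit.name, hit.action)


def build_demo_engine() -> PolicyEngine:
    """Constructed sample: one trust-to-untrust context plus one global policy."""
    book = {
        "host-b": ip_network("10.1.1.20/32"),
        "lan": ip_network("10.1.1.0/24"),
        "host-d": ip_network("203.0.113.10/32"),
        "internal-hosts": ["host-b", "lan"],        # an address set
    }
    apps = {
        "junos-ssh": Application("junos-ssh", "tcp", (22, 22)),
        "junos-http": Application("junos-http", "tcp", (80, 80)),
    }
    eng = PolicyEngine(book, apps)
    eng.add("trust", "untrust", Policy("allow-ssh", ["internal-hosts"], ["host-d"], ["junos-ssh"], "permit"))
    # Added afterwards, so by default it would sit behind allow-ssh and never be reached
    # for host-b's SSH; inserting it before allow-ssh is what changes the outcome.
    eng.add("trust", "untrust", Policy("block-host-b", ["host-b"], ["any"], ["any"], "deny"), before="allow-ssh")
    eng.global_policies.append(Policy("global-web", ["any"], ["any"], ["junos-http"], "permit"))
    return eng
```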


Logging (1 of 3)

Control plane logging can be stored locally or sent to an external syslog device
•Default control plane logging configuration:

[edit system]
user@srx# show syslog
user * {
    any emergency;
}
file messages {
    any critical;
    authorization info;
}
file interactive-commands {
    interactive-commands error;
}

Logging (2 of 3)

SRX Series branch devices can log data plane logs locally or send them to an external server

[edit system syslog]
user@srx# show
host 10.210.14.130 {
    user info;
    source-address 10.210.14.133;
}
file messages {
    any any;
    authorization info;
}
file default-log-messages {
    any any;
    structured-data;
}

Callouts: user info is the default facility and severity for data plane logs; default-log-messages is the filename to use for NSM; structured-data selects the structured data format.

Logging (3 of 3)

For high-end SRX Series devices, data plane logging can go to an external logging device
•Sample configuration:

[edit security log]
user@srx# show
format sd-syslog;
source-address address;
stream name {
    severity debug;
    host {
        address;
    }
}

•Sample log:
Jun 17 09:41:10 10.210.14.133 [RT_FLOW_SESSION_CLOSE][[email protected]: session closed TCP FIN: 172.20.102.10/56879->172.20.202.10/23,6: test2, 55(3040) 40(2554) 9
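An added Python example (not from the course material) that parses RT_FLOW_SESSION_CLOSE lines shaped like the sample log above and aggregates them per policy, which is the first thing a defender does with these logs. The slide does not name the fields, so their meaning is an assumption taken from the order in the sample: close reason, source/port->destination/port, IP protocol number, policy name, packets(bytes) from client, packets(bytes) from server, elapsed seconds. The log lines are constructed, and the structured-data ID after the event name is a placeholder because the slide's copy does not preserve it.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample lines in the shape of the sample log on the slide above.
# "junos@SD-ID" is a placeholder for the structured-data ID, which the
# slide's copy of the log does not preserve; the last line is an unrelated
# constructed message that the parser must skip.
SAMPLE_LOG = """\
Jun 17 09:41:10 10.210.14.133 [RT_FLOW_SESSION_CLOSE][junos@SD-ID: session closed TCP FIN: 172.20.102.10/56879->172.20.202.10/23,6: test2, 55(3040) 40(2554) 9
Jun 17 09:42:03 10.210.14.133 [RT_FLOW_SESSION_CLOSE][junos@SD-ID: session closed TCP RST: 172.20.102.11/40022->172.20.202.10/23,6: test2, 12(700) 10(610) 4
Jun 17 09:42:15 10.210.14.133 [RT_FLOW_SESSION_CLOSE][junos@SD-ID: session closed idle Timeout: 172.20.102.10/56901->172.20.202.20/53,17: dns-out, 1(64) 1(120) 60
Jun 17 09:42:16 10.210.14.133 some-other-daemon: unrelated constructed message
"""

# Field meaning (assumed from the sample's order): reason, src/sport->dst/dport,
# IP protocol number, policy name, client pkts(bytes), server pkts(bytes), seconds.
CLOSE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<device>\S+) \[RT_FLOW_SESSION_CLOSE\]\[[^:]*: "
    r"session closed (?P<reason>.+?): "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+): "
    r"(?P<policy>[^,]+), (?P<cpkts>\d+)\((?P<cbytes>\d+)\) (?P<spkts>\d+)\((?P<sbytes>\d+)\) "
    r"(?P<elapsed>\d+)$")

INT_FIELDS = ("sport", "dport", "proto", "cpkts", "cbytes", "spkts", "sbytes", "elapsed")


def parse_close_events(text: str) -> List[Dict]:
    """Return one dict per RT_FLOW_SESSION_CLOSE line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = CLOSE_RE.match(line.rstrip())
        if not m:
            continue
        ev = m.groupdict()
        for key in INT_FIELDS:
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def bytes_per_policy(events: List[Dict]) -> Dict[str, Dict[str, int]]:
    """Aggregate session count and bytes in both directions by the permitting policy."""
    totals: Dict[str, Dict[str, int]] = {}
    for ev in events:
        t = totals.setdefault(ev["policy"], {"sessions": 0, "bytes_from_client": 0, "bytes_from_server": 0})
        t["sessions"] += 1
        t["bytes_from_client"] += ev["cbytes"]
        t["bytes_from_server"] += ev["sbytes"]
    return totals


def close_reasons(events: List[Dict]) -> Dict[str, int]:
    """How sessions ended (TCP FIN, TCP RST, idle Timeout, ...): a quick health check."""
    return dict(Counter(ev["reason"] for ev in events))


def long_sessions(events: List[Dict], min_seconds: int) -> List[str]:
    """Policy and 5-tuple of every session that lasted at least min_seconds."""
    return [f"{ev['policy']} {ev['src']}:{ev['sport']}->{ev['dst']}:{ev['dport']}/{ev['proto']}"
            for ev in events if ev["elapsed"] >= min_seconds]
```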

Monitoring Policies (1 of 3)

Use log action in security policy

[edit security policies from-zone trust to-zone untrust]
user@srx# set policy 812 then log ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  session-close        Log at session close time
  session-init         Log at session init time

Use count action in security policy
•show outputs add counter
  • Statistics go to logs by default

Monitoring Policies (2 of 3)

show commands:
•Use the show security policies command to view details about policies:
  • Use the detail option to display statistics—policy must have a counter configured

user@srx> show security policies ?
Possible completions:
  <[Enter]>    Execute this command
  detail       Show the detailed information
  from-zone    Show the policy information matching the given source zone
  policy-name  Show the policy information matching the given policy name
  to-zone      Show the policy information matching the given destination zone
  |            Pipe through a command

•show security flow session
  • Displays flows and associated policy names and index numbers

Monitoring Policies (3 of 3)

Use traceoptions for detailed troubleshooting:

[edit security]
user@srx# show
policies {
    traceoptions {
        file name;
        flag all;
    }
}
flow {
    traceoptions {
        file name;
        flag basic-datapath;
        flag session;
        packet-filter name {
            source-prefix address-prefix;
            destination-prefix address-prefix;
        }
    }
}



Policy Scheduling Overview

A scheduled policy is a policy that uses a configured scheduler to make the policy active at specific times.

Policy and scheduler relationship:

• A policy can refer to only one scheduler
• Multiple policies can refer to the same scheduler
• Policy remains active without an applied scheduler

[Figure: timeline showing the point at which the scheduler activates the policy and the point at which it deactivates it]


Policy Scheduler Components

You can configure a policy scheduler with the following:

• Slot schedule:
  • Start date and time
  • Stop date and time
• Daily schedule:
  • Start time
  • Stop time
  • All day
  • Exclude option


Policy Scheduler Details

Scheduler:

• Set up the schedule for policy execution, including time and date:

    [edit schedulers]
    user@srx# set scheduler name [day-of-the-week | daily] [specifics of time]

• Apply the scheduler:

    [edit security policies]
    from-zone name to-zone name {
        policy name {
            match {
            }
            then {
            }
            scheduler-name name;      <-- Apply the scheduler
        }
    }

• Default behavior:
  • Policies that do not have schedulers are always active and in force
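The scheduler semantics on these slides (slot schedule, daily window, per-day exclude, and the always-active default for policies without a scheduler), modelled as an added Python example rather than Junos configuration; the Scheduler class, the schedulerHR sample and the assumption that a weekday-specific entry overrides the daily window are this model's, not Juniper's.

```python
from datetime import datetime, time

# Constructed model of a Junos policy scheduler (example code, not Juniper's):
# a slot schedule (start/stop date-time), a daily window, and optional per-weekday
# overrides ("all_day", "exclude", or a (start, stop) time window).
WEEKDAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")

class Scheduler:
    def __init__(self, start=None, stop=None, daily="all_day", **per_day):
        self.start = start          # slot schedule start (datetime) or None
        self.stop = stop            # slot schedule stop (datetime) or None
        self.daily = daily          # "all_day", "exclude", or (time, time)
        self.per_day = per_day      # e.g. saturday="exclude"

    def window_for(self, weekday):
        # Assumption of this model: a weekday entry overrides the daily schedule for that day
        return self.per_day.get(WEEKDAYS[weekday], self.daily)

    def is_active(self, now):
        # 1. Slot schedule: outside the start/stop date-times the policy is inactive
        if self.start and now < self.start:
            return False
        if self.stop and now > self.stop:
            return False
        # 2. Daily schedule or per-day override
        window = self.window_for(now.weekday())
        if window == "exclude":
            return False
        if window == "all_day":
            return True
        start_t, stop_t = window
        return start_t <= now.time() < stop_t

def policy_active(scheduler, now):
    """Policies that have no scheduler are always active and in force (slide default)."""
    return True if scheduler is None else scheduler.is_active(now)

# Constructed sample: HR access allowed 09:00-17:00 on weekdays during Q2 2012
schedulerHR = Scheduler(
    start=datetime(2012, 4, 1, 0, 0), stop=datetime(2012, 6, 30, 23, 59),
    daily=(time(9, 0), time(17, 0)),
    saturday="exclude", sunday="exclude",
)
```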


policy-rematch Statement

The policy-rematch statement signals the application of policy configuration changes to existing sessions.

• Default behavior:
  • Deletion of policies causes drops of impacted sessions
  • Configuration changes to existing policies do not impact sessions in progress

Action on Policy   | Description                                                          | Rematch Flag: Enable        | Rematch Flag: Disable (default)
Delete             | Deletes policy                                                       | Drops all existing sessions | Drops all existing sessions
Modify action      | Modifies action field of policy from permit to either deny or reject | Drops all existing sessions | All existing sessions continue
Modify address     | Modifies source or destination address                               | Re-evaluates policy lookup  | All existing sessions continue
Modify application | Modifies application                                                 | Re-evaluates policy lookup  | All existing sessions continue

set security policies policy-rematch


Agenda: Security Policies

Security Policy Overview

Junos ALGs

Policy Components

Verifying Policy Operation

Policy Scheduling and Rematching

Policy Case Study


Case Study: Creating Policies Between HR and Public Zones

Objectives:

- Allow PC A and PC B to FTP to server C using a custom application set
- Deny other users in the HR zone from using FTP services in the 1.1.70/24 network; log and count these violations

[Topology figure: HR Zone on ge-0/0/1 (10.1.1.1, link 10.1.1.0/24) and ge-0/0/2 (10.1.2.1, link 10.1.2.0/24), with PC A at 10.1.10.5 in 10.1.10.0/24 and PC B at 10.1.20.5 in 10.1.20.0/24; Public Zone on ge-0/0/3 (1.1.70.1, network 1.1.70.0/24) with server C at 1.1.70.250. Each link uses .1 on the SRX and .254 on the far end.]


Case Study: Entering Host Addresses into the HR Zone

[edit security]
user@srx# show zones security-zone HR
address-book {
    address PC_A 10.1.10.5/32;
    address PC_B 10.1.20.5/32;
    address all-10-1 10.1.0.0/16;
    address-set HR_PCs {
        address PC_A;
        address PC_B;
    }
}
interfaces {
    ge-0/0/1.0;
    ge-0/0/2.0;
}



Case Study: Entering Host Addresses into the Public Zone

[edit security]
user@srx# show zones security-zone Public
address-book {
    address Server_C 1.1.70.250/32;
    address all-1-1-70 1.1.70/24;
    address-set address-Public {
        address Server_C;
    }
}
interfaces {
    ge-0/0/3.0;
}



Case Study: Creating the Application Set

[edit applications]
user@srx# show
application HR-telnet {
    protocol tcp;
    source-port 1024-65535;
    destination-port telnet;
}
application-set HR-Public-applications {
    application junos-ftp;
    application junos-ike;
    application HR-telnet;
}


Case Study: Creating Policy Entries (1 of 2)

[edit security]
user@srx# show policies
from-zone HR to-zone Public {
    policy HR-to-Public {
        match {
            source-address HR_PCs;
            destination-address address-Public;
            application HR-Public-applications;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
            count;
        }
    }
. . .



Case Study: Creating Policy Entries (2 of 2)

    policy otherHR-to-Public {
        match {
            source-address all-10-1;
            destination-address all-1-1-70;
            application junos-ftp;
        }
        then {
            deny;
            log {
                session-init;
            }
            count;
        }
    }
}

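A first-match walk over the case study's two policies, as an added Python example (not Junos code): the address books, application set and policy order are taken from the slides, the port numbers behind junos-ftp, junos-ike and HR-telnet are the standard ones, and the implicit default deny at the end of the list is modelled by the constructed name "default-policy". It also shows why HR-to-Public must precede otherHR-to-Public: PC A's address lies inside all-10-1.

```python
import ipaddress

# Constructed model of the case study's address books (address-sets expanded)
HR_BOOK = {
    "PC_A": ["10.1.10.5/32"], "PC_B": ["10.1.20.5/32"], "all-10-1": ["10.1.0.0/16"],
    "HR_PCs": ["10.1.10.5/32", "10.1.20.5/32"],
}
PUBLIC_BOOK = {
    "Server_C": ["1.1.70.250/32"], "all-1-1-70": ["1.1.70.0/24"],
    "address-Public": ["1.1.70.250/32"],
}
# Application name -> (protocol, destination port); source ports are not checked here
APPS = {"junos-ftp": ("tcp", 21), "junos-ike": ("udp", 500), "HR-telnet": ("tcp", 23)}
APP_SETS = {"HR-Public-applications": ["junos-ftp", "junos-ike", "HR-telnet"]}

# Policies in configuration order: the first match wins, anything unmatched is denied
POLICIES = [
    {"name": "HR-to-Public", "src": "HR_PCs", "dst": "address-Public",
     "app": "HR-Public-applications", "action": "permit"},
    {"name": "otherHR-to-Public", "src": "all-10-1", "dst": "all-1-1-70",
     "app": "junos-ftp", "action": "deny"},
]

def _in_book(book, name, ip):
    """True if ip falls inside any prefix bound to the address or address-set name."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in book[name])

def _app_matches(name, proto, dport):
    """Expand an application-set name (or a single application) and compare the flow."""
    members = APP_SETS.get(name, [name])
    return any(APPS[a] == (proto, dport) for a in members)

def lookup(policies, src_ip, dst_ip, proto, dport):
    """Return (policy name, action) of the first matching HR->Public policy, else default deny."""
    for p in policies:
        if (_in_book(HR_BOOK, p["src"], src_ip) and _in_book(PUBLIC_BOOK, p["dst"], dst_ip)
                and _app_matches(p["app"], proto, dport)):
            return p["name"], p["action"]
    return "default-policy", "deny"    # constructed name for the implicit default deny
```

Swapping the two policies makes PC A's FTP session hit otherHR-to-Public first and be denied, which is the ordering error the chapter's policy-ordering material warns about.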


Case Study: Monitoring the Policy (1 of 2)

Viewing the policy:

user@srx> show security policies policy-name HR-to-Public detail
Policy: HR-to-Public, action-type: permit, State: enabled, Index: 15
  Sequence number: 1
  From zone: HR, To zone: Public
  Source addresses:
    PC-A: 10.1.10.5/32
  Destination addresses:
    Server_C: 1.1.70.250/32
  Application: HR-Public-applications
    IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [21-21]
  Session log: at-create, at-close
  Scheduler name: schedulerHR
  Policy statistics:
    Input  bytes     :       3844         35 bps
    Output bytes     :       2299         21 bps
    Input  packets   :         70          0 pps
    Output packets   :         43          0 pps
    Session rate     :          2          0 sps
    Active sessions  :          0
    Session deletions:          2
    Policy lookups   :          1

Note: Output is abbreviated. The slide's callouts mark the Source Address, Destination Address, Application Set and Traffic Statistics portions of this output.


Case Study: Monitoring the Policy (2 of 2)

Policy log from external server:

Apr 10 12:34:12 10.210.14.133 [RT_FLOW_SESSION_CREATE] [[email protected]: session created 10.1.10.5/60557->1.1.70.250/21,6: HR-to-Public
Apr 10 12:41:22 10.210.14.133 [RT_FLOW_SESSION_CLOSE] [[email protected]: session closed TCP FIN: 10.1.10.5/60557->1.1.70.250/21,6: HR-to-Public, 28(1236) 22(1398) 430

Callouts on the close message: 28(1236) = inbound packets (bytes), 22(1398) = outbound packets (bytes), 430 = elapsed time in seconds
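A parser for the session-create and session-close messages in the shape shown above, with a per-policy roll-up that can be compared against the counters from show security policies ... detail; this is an added Python example, not Juniper code. The sample lines are constructed from the slide's two messages, and the token [sd-id] stands in for the structured-data element the slide does not show legibly.

```python
import re
from collections import defaultdict

# Regexes follow the two message shapes on the slide; whatever sits between the event
# name and "session ..." (the structured-data element) is skipped with .*?
CREATE_RE = re.compile(
    r"\[RT_FLOW_SESSION_CREATE\].*?session created "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+): (?P<policy>\S+)$")
CLOSE_RE = re.compile(
    r"\[RT_FLOW_SESSION_CLOSE\].*?session closed (?P<reason>[^:]+): "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+): "
    r"(?P<policy>[^,]+), (?P<in_pkts>\d+)\((?P<in_bytes>\d+)\) "
    r"(?P<out_pkts>\d+)\((?P<out_bytes>\d+)\) (?P<elapsed>\d+)$")

def parse_line(line):
    """Return a dict for a session create/close event, or None for any other line."""
    m = CREATE_RE.search(line)
    if m:
        return {"event": "create", **m.groupdict()}
    m = CLOSE_RE.search(line)
    if m:
        d = {"event": "close", **m.groupdict()}
        for k in ("in_pkts", "in_bytes", "out_pkts", "out_bytes", "elapsed"):
            d[k] = int(d[k])          # inbound pkts(bytes), outbound pkts(bytes), seconds
        return d
    return None

def summarize(lines):
    """Per-policy totals: sessions created/closed, bytes each way, elapsed seconds."""
    stats = defaultdict(lambda: {"created": 0, "closed": 0, "in_bytes": 0, "out_bytes": 0, "elapsed": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats[ev["policy"]]
        if ev["event"] == "create":
            s["created"] += 1
        else:
            s["closed"] += 1
            s["in_bytes"] += ev["in_bytes"]; s["out_bytes"] += ev["out_bytes"]; s["elapsed"] += ev["elapsed"]
    return dict(stats)

# Constructed sample lines in the shape of the slide's output ("[sd-id]" is a placeholder
# for the structured-data element, which the slide does not show legibly)
SAMPLE = [
    "Apr 10 12:34:12 10.210.14.133 [RT_FLOW_SESSION_CREATE] [sd-id]: session created 10.1.10.5/60557->1.1.70.250/21,6: HR-to-Public",
    "Apr 10 12:41:22 10.210.14.133 [RT_FLOW_SESSION_CLOSE] [sd-id]: session closed TCP FIN: 10.1.10.5/60557->1.1.70.250/21,6: HR-to-Public, 28(1236) 22(1398) 430",
    "Apr 10 12:45:01 10.210.14.133 [RT_FLOW_SESSION_CREATE] [sd-id]: session created 10.1.20.5/51001->1.1.70.250/21,6: HR-to-Public",
]
```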


Summary

In this chapter, we:

• Explained security policy functionality
• Explained Junos ALG functionality
• Described the components of a security policy
• Verified policies and monitored their execution
• Configured a basic security policy using the following elements:
  • Policy match conditions
  • Policy actions—basic and advanced
  • Policy scheduling


Review Questions

1. What are the basic components of a policy?
2. What is the default action for every policy set?
3. What is the purpose of a scheduler within the security stanza?
4. How can you reorder policies?


Lab 2: Security Policies

Create policies that control access between networks.
