© 2012 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Chapter 4: Security Policies
Junos Security
Chapter Objectives
After successfully completing this chapter, you will be able to:
•Explain security policy functionality
•Explain Junos ALG functionality
•Describe the components of a security policy
•Verify policies and monitor their execution
•Configure a basic security policy using the following elements:
• Policy match conditions
• Policy actions—basic and advanced
• Policy scheduling
Agenda: Security Policies
Security Policy Overview
Junos ALGs
Policy Components
Verifying Policy Operation
Policy Scheduling and Rematching
Policy Case Study
Security Policy Defined
What is a security policy?
•A set of rules that tells a Junos security device what to do with transit traffic between zones and within a zone
[Figure: a security device connected to the Internet asks, "What should I do if a packet comes in matching Criterion A?"]
Review: Packet Flow
[Figure: packet flow through the flow module. Ingress packet → packet-based stages (per-packet filters, screen options, per-packet policer) → "Match session?" No: the first path (session-based) runs the stages named on the slide: Screen Options, D-NAT, Route Forwarding, Zones, Policy, S-NAT, Services/ALG, Session. Yes: the fast path applies TCP checks, NAT, ALG and Services, then the per-packet shaper → egress packet. The Policy stage is the focus of this chapter.]
Transit Traffic Examination
The Junos OS for security platforms always examines transit traffic by using security policies
[Flowchart: Packet in → Does a security policy match the traffic? Yes → Apply policy actions. No → Apply default policy.]
Local Inbound Traffic Examination
host-inbound-traffic follows this process:
[Flowchart: Packet in → Is the packet destined to the incoming interface?
Yes → host-inbound-traffic: Is the system service or protocol allowed into the interface of the device? Yes → Permit traffic. No → Deny traffic.
No → Does a security policy match the traffic? No → Apply default policy. Yes → Does the policy permit the traffic? Yes → Apply policy actions. No → Drop traffic.]
Default Security Policies
System-default security policy: deny all traffic through the device
•You can change the default policy to permit all traffic
Factory-default template security policies (branch devices only):
•Trust to trust: permit all
•Trust to untrust: permit all
•Untrust to trust: deny all
[Figure: system-default security policy behavior: deny ALL transit traffic. Factory-default security policy behavior: the three policies above, numbered 1 to 3, between the Trust zone and the Untrust zone.]
Security Policy Conceptual Example
Security Policy: from private zone to external zone
If Source IP address = Host B
Destination IP address = Host D
Application = SSH
then permit traffic
Steps:
1. Host B initiates SSH to Host D (flow B → D).
2. Security policy permits that flow.
3. The flow triggers reverse flow creation; both flows result in a formed session.
4. The return traffic, Host D → Host B, also receives permission.
[Figure: Host A in the Public Zone, Host B in the Private Zone, Host C, and Host D on the Internet in the External Zone; steps 1, 2 and 4 are marked along the path B → device → D.]
Session Table:
Source Address  Prot  Source Port  Destination Address  Destination Port  Int
B               6     29200        D                    22                ge-0/0/0
D               6     22           B                    29200             ge-1/0/0
Policy Ordering
Ordering:
•Order is important!
•By default, new policies go to the end of the list
•Can change the order using the insert command
•Remember the system default policy!
[edit security policies]
user@srx# insert from-zone name to-zone name policy name [before | after] policy name
Editing Security Configurations
Like any other Junos configuration stanza, you can perform the following actions on the security configuration components:
•Delete
•Deactivate
•Activate
•Insert
•Annotate
•Copy
•Rename
•Search and replace
ALG Defined
ALGs are software processes that manage protocols
•Designed for each protocol and operate differently
• The protocols usually use dynamic client and server ports for different parts of the communication
[Figure: the ALG tells the flow module, "This application needs this port opened for return traffic."]
FTP ALG Example (1 of 3)
[Figure: three-way handshake of the FTP control channel through the SRX device, client in the Trust zone and FTP server in the Untrust zone. Each packet is shown on both sides of the device:
SYN      172.20.104.10:49668 > 172.18.1.2:21
SYN/ACK  172.20.104.10:49668 < 172.18.1.2:21
ACK      172.20.104.10:49668 > 172.18.1.2:21]
FTP ALG Example (2 of 3)
[Figure: active-mode FTP data channel. On the control channel the client sends PORT 172.20.104.10:56804; the flow module calls the ALG to create a pinhole. The server then opens the data connection from port 20:
SYN      172.20.104.10:56804 < 172.18.1.2:20   (hits the pinhole)
SYN/ACK  172.20.104.10:56804 > 172.18.1.2:20
ACK      172.20.104.10:56804 < 172.18.1.2:20
Data stream follows.]
FTP ALG Example (3 of 3)
Only one security policy is needed with the ALG applied. With the ALG ignored, another security policy is needed to allow port 20:
user@srx> show security flow session
Session ID: 16107, Policy name: trust-to-untrust/6, Timeout: 1800, Valid
Resource information : FTP ALG, 1, 0
In: 172.20.104.10/49668 --> 172.18.1.2/21;tcp, If: vlan.104, Pkts: 19, Bytes: 863
Out: 172.18.1.2/21 --> 172.20.104.10/49668;tcp, If: ge-0/0/3.0, Pkts: 18, Bytes: 1085
Session ID: 16139, Policy name: trust-to-untrust/6, Timeout: 2, Valid
Resource information : FTP ALG, 1, 1
In: 172.18.1.2/20 --> 172.20.104.10/56804;tcp, If: ge-0/0/3.0, Pkts: 4, Bytes: 278
Out: 172.20.104.10/56804 --> 172.18.1.2/20;tcp, If: vlan.104, Pkts: 3, Bytes: 168
Total sessions: 2
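Added example (not Juniper's code): a small Python model of the FTP ALG behaviour shown on the three slides above. It assumes one permit policy from 172.20.104.10 to 172.18.1.2 port 21, parses the PORT command carrying the client's data port 56804, opens a pinhole for the server's connection from port 20, and shows that with the ALG ignored the data channel falls through to the default deny policy.

```python
"""Toy model of the FTP ALG pinhole shown on the slides: added example,
not Junos code. Addresses and ports are the slide's (client 172.20.104.10,
server 172.18.1.2); the firewall logic is a simplified first-match lookup."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class FiveTuple:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "FiveTuple":
        return FiveTuple(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass
class Policy:
    """One permit policy keyed on source, destination and destination port."""
    name: str
    src: str
    dst: str
    dport: int
    alg: Optional[str] = None   # "ftp": the FTP ALG inspects the control channel


@dataclass
class Firewall:
    policies: list
    sessions: set = field(default_factory=set)
    pinholes: set = field(default_factory=set)

    def policy_lookup(self, t: FiveTuple) -> Optional[Policy]:
        for p in self.policies:
            if p.src == t.src and p.dst == t.dst and p.dport == t.dport:
                return p
        return None                      # no match: system default policy (deny)

    def first_packet(self, t: FiveTuple) -> str:
        """First-path decision for a new flow (a SYN); returns the reason."""
        if t in self.sessions or t.reverse() in self.sessions:
            return "fast path: existing session"
        if t in self.pinholes:           # the ALG opened this 5-tuple in advance
            self.pinholes.discard(t)
            self.sessions.add(t)         # becomes the FTP data (child) session
            return "permit: hits the pinhole"
        p = self.policy_lookup(t)
        if p is None:
            return "deny: default policy"
        self.sessions.add(t)
        return f"permit: policy {p.name}"

    def inspect_control(self, t: FiveTuple, payload: str) -> Optional[FiveTuple]:
        """The flow module hands control-channel data to the ALG when the
        policy's application enables it; a PORT command yields a pinhole."""
        p = self.policy_lookup(t)
        if p is None or p.alg != "ftp":
            return None                  # application-protocol ignore: no pinhole
        m = re.match(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", payload)
        if not m:
            return None
        h1, h2, h3, h4, hi, lo = map(int, m.groups())
        client_ip = f"{h1}.{h2}.{h3}.{h4}"
        data_port = hi * 256 + lo        # 221*256 + 228 = 56804
        # Active mode: the server connects from port 20 back to the client's port.
        hole = FiveTuple(t.dst, 20, client_ip, data_port)
        self.pinholes.add(hole)
        return hole


def demo(alg_enabled: bool) -> list:
    """Run the control channel, the PORT command and the data SYN; return decisions."""
    fw = Firewall([Policy("trust-to-untrust", "172.20.104.10", "172.18.1.2", 21,
                          alg="ftp" if alg_enabled else None)])
    control = FiveTuple("172.20.104.10", 49668, "172.18.1.2", 21)
    decisions = [fw.first_packet(control)]
    fw.inspect_control(control, "PORT 172,20,104,10,221,228")
    data_syn = FiveTuple("172.18.1.2", 20, "172.20.104.10", 56804)
    decisions.append(fw.first_packet(data_syn))
    return decisions


if __name__ == "__main__":
    print("ALG applied:", demo(True))
    print("ALG ignored:", demo(False))
```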
Useful ALG Commands
Viewing ALGs
•View predefined ALGs using the hidden show groups junos-defaults security alg command
•View enabled ALGs using the show security alg status command
•View which ALGs are active and how they are configured with the hidden show security alg configuration command
user@srx> show security alg status
ALG Status :
DNS : Enabled
FTP : Enabled
H323 : Enabled
MGCP : Enabled
…
user@srx> show security alg configuration
…
H323 Configuration:
Endpoint Registration Timeout : 3600
Media Source Port Any : Off
Application Screen
Unknown Message NAT packets : Deny
Unknown Message Routed packets : Deny
…
ALG Configuration (1 of 3)
Edit ALGs under the [edit security alg] hierarchy
•Some ALGs have a few different options, but all have at a minimum the following components:
• Disable
• Traceoptions
[edit]
user@srx# set security alg dns ?
Possible completions:
disable Disable DNS ALG
maximum-message-length Set maximum message length (512..8192 bytes)
> traceoptions DNS ALG trace options
ALG Configuration (2 of 3)
Apply ALGs under the [edit applications application name] hierarchy:
[edit applications application name]
user@srx# show
application-protocol ftp;
protocol tcp;
destination-port 21;
ALG Configuration (3 of 3)
Verify that the ALG is applied using the show security policies detail command:
user@srx> show security policies detail
…
Policy: trust-to-untrust, action-type: permit, State: enabled, Index: 7, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: trust, To zone: untrust
Source addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Destination addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Application: junos-ftp
IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [21-21]
…
Policy Language
You create policies under a context
•from-zone zone-name to-zone zone-name
•Set under the [edit security policies] hierarchy
Each policy:
•Identified by user-defined name
•Composed of a match statement and a then statement
• Match criteria must include source address, destination address, and application
• Action can be permit, deny, reject, log, or count (or combination)
•Optionally contains other advanced policy actions
• IDP, UTM (branch devices only), firewall authentication
Policy Match Criteria
Policy matching criteria:
•Source addresses (configured within a zone's address book)
• Individual address
• Address set
•Destination addresses (configured within a zone's address book)
• Individual address
• Address set
•Applications or application sets
• User defined
• System defined
Creating Address Book Entries
Commands for address book entries:
•Adding an address to an address book:
[edit security zones]
security-zone name {
address-book {
address name1 X.X.X.X / mask;
address name2 X.X.X.X / mask;
…
}
}
•Creating a group of addresses, named address sets:
[edit security zones]
security-zone name {
address-book {
address-set name {
address name1;
address name2;
…
}
}
}
IPv6 Addressing
To create an IPv6 address book entry:
•inet6 flow must be enabled
•Must perform a system reboot when enabling IPv6 flow mode
[edit security zones]
user@srx# show
security-zone name {
address-book {
address name2 X::X / mask;
…
}
}
user@srx# commit
warning: You have enabled/disabled inet6 flow.
You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
configuration check succeeds
[edit security forwarding-options]
user@srx# show
family {
inet6 {
mode flow-based;
}
}
DNS Addressing
You can use a DNS name instead of an IPv4 or an IPv6 address
•SRX device must be configured with a DNS server
[edit security zones]
user@srx# show
security-zone name {
address-book {
address name3 {
dns-name abc.com;
…
}
}
[edit system]
user@srx# show
host-name srx;
…
name-server {
X.X.X.X;
}
…
Defining Custom Applications
Specifics of implementation:
•Many built-in applications (junos-rsh, junos-sip, junos-bgp, junos-tacacs, and so forth)
•You can add applications, application sets, or both to the predefined list
• No restrictions for the naming convention
• You can modify protocols, ports, inactivity timers, and so forth
[edit applications]
application name {
application-protocol alg-protocol;
protocol protocol;
source-port source-port;
destination-port destination-port;
}
…
[edit applications]
application-set name {
application name1;
application name2;
…
}
Predefined Applications
To view predefined applications, issue the show groups junos-defaults applications command
user@srx# show groups junos-defaults applications
#
# File Transfer Protocol
#
application junos-ftp {
application-protocol ftp;
protocol tcp;
destination-port 21;
}
…
Altering Built-In Applications (1 of 3)
Create a new application with the same name as the built-in application under the [edit applications] hierarchy
•The same options are available as for creating a custom application
• Configure only what you want to change
•Reasons to change a built-in application:
• To use different ports
• To change the timeout value
• To ignore the ALG
[edit applications]
user@srx# show
application junos-ftp {
application-protocol ignore;
protocol tcp;
destination-port 6021;
inactivity-timeout 3600;
}
Altering Built-In Applications (2 of 3)
Create a group configuration to alter predefined applications
•Applications must all use the same protocol
• The example shown here alters the TCP timeout value on the built-in applications junos-ftp and junos-finger
[edit groups]
user@srx# show
group-name {
applications {
application <junos-f*> inactivity-timeout 3600;
}
}
[edit]
user@srx# show apply-groups
apply-groups group-name;
Altering Built-In Applications (3 of 3)
To verify that your configuration changes took place, issue the command show security flow session extensive:
user@srx> show security flow session extensive
Session ID: 38296, Status: Normal
Flag: 0x42
Policy name: trust-to-untrust/6
Source NAT pool: Null, Application: junos-ftp/1
Maximum timeout: 3600, Current timeout: 3600
…
user@srx> show security flow session extensive
Session ID: 1615, Status: Normal
Flag: 0x40
Policy name: trust-to-untrust/6
Source NAT pool: Null, Application: junos-finger/17
Maximum timeout: 3600, Current timeout: 3600
…
Creating Policy Match Entries
Specifics:
•Group all policies together in the proper order, ensuring proper order of execution
•Apply defined matching parameters
[edit security policies]
from-zone zone-name to-zone zone-name {
policy name1 {
match {
source-address address-name1;
destination-address address-name1;
application application-name1;
}
…
}
policy name2 {
match {
source-address address-name2;
destination-address address-name2;
application application-name2;
}
…
}
…
}
Basic Policy Actions
Policy actions:
•permit: allows traffic flow
•deny: silently drops traffic
•reject: drops traffic and sends an ICMP unreachable message for UDP traffic and a TCP (RST) message for TCP traffic
Optionally log and count traffic
•Logs sent to external syslog server
• Can be stored locally on branch devices
•Counters viewable with the show security policies detail command
Advanced Permit Settings
If the security policy allows traffic to pass, you can also configure the following actions:
•Firewall authentication: authenticate the client prior to forwarding the traffic
• Pass-through
• Web authentication
•IPsec VPN: perform encryption and decryption of permitted transit traffic
•IDP: perform IDP policy evaluation
•UTM: perform UTM services such as antivirus, Web filtering, and content filtering
• UTM services only available for branch platforms
User Role Firewall Policies
Implementing user role firewall policies
•Classify traffic based on roles
•Agentless transparent authentication
•SSO support
[Figure: a User Zone and a Server Zone on either side of the SRX device, with an Infrastructure Zone holding a Windows Server running Active Directory and a MAG Series Device.]
Global Policies
What are global policies?
•Single security policy that allows traffic from any zone to any
other zone—no from-zone or to-zone configuration
•Significantly reduces the number of security contexts
•Can be used in conjunction with regular security policies
• Regular security policies take precedence
•Same matching conditions and actions as security policies
•Configure under:
• [edit security policies global policy]
•Global address book:
• [edit security address-book global]
Global Policy in Action
Using global policies
•Only one policy required to facilitate communication between multiple zones
Global Security Policy:
If Source IP address = Host A, Host B, Host C
Destination IP address = Any
Application = HTTP
then permit traffic
[Figure: Host A in the IT Zone, Host B in the HR Zone and Host C in the Eng Zone all reach the Internet in the External Zone through the single global policy.]
Policy Components Summary
[edit security policies]
from-zone zone-name to-zone zone-name {
policy name1 {
match {
source-address address-name;
destination-address address-name;
application application-name;
}
then {
<action>;
}
}
policy name2 {
match {
source-address address-name;
destination-address address-name;
application application-name;
}
then {
<action>;
}
}
…
}
Callouts: the from-zone/to-zone line sets the context; each match block holds the matching criteria; each then block holds the action.
Logging (1 of 3)
Control plane logging can be stored locally or sent to an external syslog device
•Default control plane logging configuration:
[edit system]
user@srx# show syslog
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
Logging (2 of 3)
SRX Series branch devices can log data plane logs locally or send them to an external server
[edit system syslog]
user@srx# show
host 10.210.14.130 {
user info;
source-address 10.210.14.133;
}
file messages {
any any;
authorization info;
}
file default-log-messages {
any any;
structured-data;
}
Callouts: user info is the default facility and severity for data plane logs; default-log-messages is the filename to use for NSM; structured-data selects the structured data format.
Logging (3 of 3)
For high-end SRX Series devices, data plane logging can go to an external logging device
•Sample configuration:
[edit security log]
user@srx# show
format sd-syslog;
source-address address;
stream name {
severity debug;
host {
address;
}
}
•Sample log:
Jun 17 09:41:10 10.210.14.133 [RT_FLOW_SESSION_CLOSE][[email protected]: session closed TCP FIN: 172.20.102.10/56879->172.20.202.10/23,6: test2, 55(3040) 40(2554) 9
Monitoring Policies (1 of 3)
Use log action in security policy
[edit security policies from-zone trust to-zone untrust]
user@srx# set policy 812 then log ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
session-close Log at session close time
session-init Log at session init time
Use count action in security policy
•show outputs add counter
• Statistics go to logs by default
Monitoring Policies (2 of 3)
show commands:
•Use the show security policies command to view details about policies:
• Use the detail option to display statistics—policy must have a counter configured
user@srx> show security policies ?
Possible completions:
<[Enter]> Execute this command
detail Show the detailed information
from-zone Show the policy information matching the given source zone
policy-name Show the policy information matching the given policy name
to-zone Show the policy information matching the given destination zone
| Pipe through a command
•show security flow session
• Displays flows and associated policy names and index numbers
Monitoring Policies (3 of 3)
Use traceoptions for detailed troubleshooting:
[edit security]
user@srx# show
policies {
traceoptions {
file name;
flag all;
}
flow {
traceoptions {
file name;
flag basic-datapath;
flag session;
packet-filter name {
source-prefix address-prefix;
destination-prefix address-prefix;
}
}
}
Policy Scheduling Overview
A scheduled policy is a policy that uses a configured scheduler to make the policy active at specific times
Policy and scheduler relationship:
•A policy can refer to only one scheduler
•Multiple policies can refer to the same scheduler
•Policy remains active without an applied scheduler
[Figure: timeline showing the policy activated when the scheduler starts and deactivated when it stops.]
Policy Scheduler Components
You can configure a policy scheduler with the following:
•Slot schedule:
• Start date and time
• Stop date and time
•Daily schedule:
• Start time
• Stop time
• All day
• Exclude option
Policy Scheduler Details
Scheduler:
•Set up the schedule for policy execution, including time and date:
[edit schedulers]
user@srx# set scheduler name [day-of-the-week | daily] [specifics of time]
•Apply the scheduler:
[edit security policies]
from-zone name to-zone name {
policy name {
match {
…
}
then {
…
}
scheduler-name name;
}
}
•Default behavior:
• Policies that do not have schedulers are always active and in force
policy-rematch Statement
policy-rematch statement: signals the application of policy configuration changes to existing sessions
•Default behavior:
• Deletion of policies causes drops of impacted sessions
• Configuration changes to existing policies do not impact sessions in progress

Action on Policy    | Description                                                          | Rematch flag enabled        | Rematch flag disabled (default)
Delete              | Deletes policy                                                       | Drops all existing sessions | Drops all existing sessions
Modify action       | Modifies action field of policy from permit to either deny or reject | Drops all existing sessions | All existing sessions continue
Modify address      | Modifies source or destination address                               | Re-evaluates policy lookup  | All existing sessions continue
Modify application  | Modifies application                                                 | Re-evaluates policy lookup  | All existing sessions continue

set security policies policy-rematch
Case Study: Creating Policies Between HR and Public Zones
Objectives:
-Allow PC A and PC B to FTP to server C using a custom application set
-Deny other users in the HR zone from using FTP services in the 1.1.70/24 network; log and count these violations
[Topology: SRX interfaces ge-0/0/1 (10.1.1.1) and ge-0/0/2 (10.1.2.1) face the HR Zone; ge-0/0/3 (1.1.70.1) faces the Public Zone. The link networks 10.1.1.0/24, 10.1.2.0/24 and 1.1.70.0/24 use .1 on the SRX and .254 at the far end. PC A is 10.1.10.5 in 10.1.10.0/24 and PC B is 10.1.20.5 in 10.1.20.0/24, both in the HR Zone; server C is 1.1.70.250 in 1.1.70.0/24 in the Public Zone.]
Case Study: Entering Host Addresses into the HR Zone
[edit security]
user@srx# show zones security-zone HR
address-book {
address PC_A 10.1.10.5/32;
address PC_B 10.1.20.5/32;
address all-10-1 10.1.0.0/16;
address-set HR_PCs {
address PC_A;
address PC_B;
}
}
interfaces {
ge-0/0/1.0;
ge-0/0/2.0;
}
[Topology figure repeated from the case-study introduction.]
Case Study: Entering Host Addresses into the Public Zone
[edit security]
user@srx# show zones security-zone Public
address-book {
address Server_C 1.1.70.250/32;
address all-1-1-70 1.1.70/24;
address-set address-Public {
address Server_C;
}
}
interfaces {
ge-0/0/3.0;
}
[Topology figure repeated from the case-study introduction.]
Case Study: Creating the Application Set
[edit applications]
user@srx# show
application HR-telnet {
protocol tcp;
source-port 1024-65535;
destination-port telnet;
}
application-set HR-Public-applications {
application junos-ftp;
application junos-ike;
application HR-telnet;
}
Case Study: Creating Policy Entries (1 of 2)
[edit security]
user@srx# show policies
from-zone HR to-zone Public {
policy HR-to-Public {
match {
source-address HR_PCs;
destination-address address-Public;
application HR-Public-applications;
}
then {
permit;
log {
session-init;
session-close;
}
count;
}
}
. . .
[Topology figure repeated from the case-study introduction.]
Case Study: Creating Policy Entries (2 of 2)
policy otherHR-to-Public {
match {
source-address all-10-1;
destination-address all-1-1-70;
application junos-ftp;
}
then {
deny;
log {
session-init;
}
count;
}
}
}
[Topology figure repeated from the case-study introduction.]
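Added example (not Juniper's code), serving both the Policy Ordering slide and this case study: a Python first-match evaluator over the case-study address book, applications and the two HR-to-Public policies. It shows PC A's FTP permitted by HR-to-Public, another HR host denied by otherHR-to-Public, unmatched traffic falling to the system default deny, and that inserting the deny policy before the permit policy would deny PC A as well, because PC A also lies inside all-10-1. It assumes junos-ike is the predefined UDP/500 application, HR-telnet's destination-port telnet is 23, and 1.1.70/24 is written out as 1.1.70.0/24.

```python
"""First-match policy evaluation for the case study: added example, not
Junos code. The address book, applications and the two HR-to-Public policies
are the ones configured on the case-study slides; anything not matched falls
to the system default policy (deny)."""
import ipaddress
from dataclasses import dataclass

# Address book entries for the HR and Public zones (address sets expanded).
# Junos accepts 1.1.70/24; the ipaddress module needs 1.1.70.0/24.
ADDRESS_BOOK = {
    "PC_A": ["10.1.10.5/32"],
    "PC_B": ["10.1.20.5/32"],
    "all-10-1": ["10.1.0.0/16"],
    "HR_PCs": ["10.1.10.5/32", "10.1.20.5/32"],
    "Server_C": ["1.1.70.250/32"],
    "all-1-1-70": ["1.1.70.0/24"],
    "address-Public": ["1.1.70.250/32"],
}
# Applications as (protocol, destination port); junos-ike is assumed to be
# the predefined UDP/500 entry and "destination-port telnet" to be 23.
APPLICATIONS = {
    "junos-ftp": ("tcp", 21),
    "junos-ike": ("udp", 500),
    "HR-telnet": ("tcp", 23),
}
APPLICATION_SETS = {
    "HR-Public-applications": ["junos-ftp", "junos-ike", "HR-telnet"],
}


@dataclass
class Policy:
    name: str
    source: str
    destination: str
    application: str
    action: str        # permit | deny | reject


# from-zone HR to-zone Public, in the order configured on the slides.
POLICIES = {
    ("HR", "Public"): [
        Policy("HR-to-Public", "HR_PCs", "address-Public",
               "HR-Public-applications", "permit"),
        Policy("otherHR-to-Public", "all-10-1", "all-1-1-70",
               "junos-ftp", "deny"),
    ],
}


def address_match(entry: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in ADDRESS_BOOK[entry])


def application_match(entry: str, proto: str, dport: int) -> bool:
    members = APPLICATION_SETS.get(entry, [entry])   # set, or single application
    return any(APPLICATIONS[m] == (proto, dport) for m in members)


def lookup(policies, from_zone, to_zone, src, dst, proto, dport):
    """Return (policy name, action) for the first matching policy in the
    from-zone/to-zone context, or the system default when nothing matches."""
    for p in policies.get((from_zone, to_zone), []):
        if (address_match(p.source, src) and address_match(p.destination, dst)
                and application_match(p.application, proto, dport)):
            return p.name, p.action
    return "default-policy", "deny"


def reordered(policies):
    """The same context with otherHR-to-Public moved in front of HR-to-Public,
    as 'insert ... policy otherHR-to-Public before policy HR-to-Public' would do."""
    first, second = policies[("HR", "Public")]
    return {("HR", "Public"): [second, first]}


if __name__ == "__main__":
    for src, port in (("10.1.10.5", 21), ("10.1.10.7", 21), ("10.1.10.7", 23)):
        print(src, port, lookup(POLICIES, "HR", "Public", src, "1.1.70.250", "tcp", port))
    # Order matters: PC_A is also inside all-10-1, so the deny policy wins when it comes first.
    print("reordered", lookup(reordered(POLICIES), "HR", "Public",
                              "10.1.10.5", "1.1.70.250", "tcp", 21))
```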
Case Study: Monitoring the Policy (1 of 2)
Viewing the policy:
user@srx> show security policies policy-name HR-to-Public detail
Policy: HR-to-Public, action-type: permit, State: enabled, Index: 15
Sequence number: 1
From zone: HR, To zone: Public
Source addresses:
PC-A: 10.1.10.5/32
Destination addresses:
Server_C: 1.1.70.250/32
Application: HR-Public-applications
IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [21-21]
Session log: at-create, at-close
Scheduler name: schedulerHR
Policy statistics:
Input bytes : 3844 35 bps
Output bytes : 2299 21 bps
Input packets : 70 0 pps
Output packets : 43 0 pps
Session rate : 2 0 sps
Active sessions : 0
Session deletions: 2
Policy lookups : 1
Note: Output is abbreviated. Callouts on the slide mark the Source addresses, Destination addresses, Application (the application set) and Policy statistics (traffic statistics) sections of the output.
Case Study: Monitoring the Policy (2 of 2)
Policy log from external server:
Apr 10 12:34:12 10.210.14.133 [RT_FLOW_SESSION_CREATE] [[email protected]: session created 10.1.10.5/60557->1.1.70.250/21,6: HR-to-Public
Apr 10 12:41:22 10.210.14.133 [RT_FLOW_SESSION_CLOSE] [[email protected]: session closed TCP FIN: 10.1.10.5/60557->1.1.70.250/21,6: HR-to-Public, 28(1236) 22(1398) 430
The three trailing fields of the close message are inbound packets (bytes), outbound packets (bytes), and elapsed time in seconds.
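Added example (not Juniper's or NSM's code) that parses RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_CLOSE lines of the shape shown here and on the Logging (3 of 3) slide, splits the closing counters into inbound packets (bytes), outbound packets (bytes) and elapsed seconds, and totals them per policy. The sample lines are reconstructed from the slides; the structured-data ID after junos@ is a placeholder because the slide copy does not show it.

```python
"""Parser for the RT_FLOW_SESSION_CREATE / RT_FLOW_SESSION_CLOSE syslog lines
shown on the slides: added example, not Junos or NSM code."""
import re
from collections import defaultdict

# Constructed sample lines modelled on the slide output. The structured-data
# ID after "junos@" is a placeholder; the slide copy does not show the real value.
SAMPLE_LOG = """\
Apr 10 12:34:12 10.210.14.133 [RT_FLOW_SESSION_CREATE] [junos@SD-ID-PLACEHOLDER: session created 10.1.10.5/60557->1.1.70.250/21,6: HR-to-Public
Apr 10 12:41:22 10.210.14.133 [RT_FLOW_SESSION_CLOSE] [junos@SD-ID-PLACEHOLDER: session closed TCP FIN: 10.1.10.5/60557->1.1.70.250/21,6: HR-to-Public, 28(1236) 22(1398) 430
Jun 17 09:41:10 10.210.14.133 [RT_FLOW_SESSION_CLOSE][junos@SD-ID-PLACEHOLDER: session closed TCP FIN: 172.20.102.10/56879->172.20.202.10/23,6: test2, 55(3040) 40(2554) 9
"""

# "<timestamp> <host> [EVENT] [sd-id: <message>"; the space before the second bracket is optional.
HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"\[(?P<event>RT_FLOW_SESSION_\w+)\] ?\[[^:\]]*: (?P<msg>.*)$")
# "src/sport->dst/dport,proto: policy-name"
FLOW = re.compile(
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+): "
    r"(?P<policy>[^,\s]+)")
# Close records end with "in_pkts(in_bytes) out_pkts(out_bytes) elapsed".
COUNTERS = re.compile(r"(\d+)\((\d+)\) (\d+)\((\d+)\) (\d+)$")


def parse_line(line: str):
    """Return a dict for one RT_FLOW session line, or None if it is not one."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
    msg = m["msg"]
    f = FLOW.search(msg)
    if not f:
        return None
    rec.update(src=f["src"], sport=int(f["sport"]), dst=f["dst"],
               dport=int(f["dport"]), proto=int(f["proto"]), policy=f["policy"])
    if rec["event"] == "RT_FLOW_SESSION_CLOSE":
        r = re.match(r"session closed (.+?): ", msg)   # e.g. "TCP FIN"
        rec["reason"] = r.group(1) if r else None
        c = COUNTERS.search(msg)
        if c:
            rec.update(in_pkts=int(c[1]), in_bytes=int(c[2]),
                       out_pkts=int(c[3]), out_bytes=int(c[4]), elapsed=int(c[5]))
    return rec


def parse_log(text: str) -> list:
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def summarize(records) -> dict:
    """Per-policy totals: sessions created/closed and bytes in each direction."""
    totals = defaultdict(lambda: {"created": 0, "closed": 0, "in_bytes": 0, "out_bytes": 0})
    for r in records:
        t = totals[r["policy"]]
        if r["event"] == "RT_FLOW_SESSION_CREATE":
            t["created"] += 1
        elif r["event"] == "RT_FLOW_SESSION_CLOSE":
            t["closed"] += 1
            t["in_bytes"] += r.get("in_bytes", 0)
            t["out_bytes"] += r.get("out_bytes", 0)
    return dict(totals)


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec)
    print(summarize(parse_log(SAMPLE_LOG)))
```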
Summary
In this chapter, we:
•Explained security policy functionality
•Explained Junos ALG functionality
•Described the components of a security policy
•Verified policies and monitored their execution
•Configured a basic security policy using the following elements:
• Policy match conditions
• Policy actions—basic and advanced
• Policy scheduling
Review Questions
1. What are the basic components of a policy?
2. What is the default action for every policy set?
3. What is the purpose of a scheduler within the security
stanza?
4. How can you reorder policies?
Lab 2: Security Policies
Create policies that control access between networks.