418_NetScrn_SSG_FM.qxd 11/7/06 6:37 PM Page i

Configuring Juniper Networks® NetScreen & SSG Firewalls®

Rob Cameron, Technical Editor
Brad Woodberg
Mohan Krishnamurthy Madwachar
Mike Swarm
Neil R. Wyler
Matthew Albers
Ralph Bonnell

FOREWORD BY SCOTT KRIENS, CEO, JUNIPER NETWORKS

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY   SERIAL NUMBER
001   HJIRTCV764
002   PO9873D5FG
003   829KM8NJH2
004   5489IJJLPP
005   CVPLQ6WQ23
006   VBP965T5T5
007   HJJJ863WD3E
008   2987GVTWMK
009   629MP5SDJT
010   IMWQ295T6T

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Configuring Juniper Networks NetScreen & SSG Firewalls
Copyright © 2007 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN-10: 1-59749-118-7
ISBN-13: 978-1-59749-118-1

Publisher: Andrew Williams
Acquisitions Editor: Gary Byrne
Technical Editor: Rob Cameron
Cover Designer: Michael Kavish
Page Layout and Art: Patricia Lupien
Copy Editors: Mike McGee, Sandy Jolley
Indexer: Nara Wood

Distributed by O’Reilly Media, Inc. in the United States and Canada.

For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email matt@syngress.com or fax to 781-681-3585.

Lead Author and Technical Editor

Rob Cameron (JNCIS-FWV, JNCIA-M, CCSP, CCSE+) is a Security Solutions Engineer for Juniper Networks. He currently works to design security solutions for Juniper Networks that are considered best practice designs. Rob specializes in network security architecture, firewall deployment, risk management, and high-availability designs. His background includes five years of security consulting for more than 300 customers. This is Rob’s second book; the previous one being Configuring NetScreen Firewalls (ISBN: 1-93226639-9) published by Syngress Publishing in 2004.

Contributing Authors

Matthew Albers (CCNP, CCDA, JNCIA-M, JNCIS-FWV, JNCIA-IDP) is a senior systems engineer for Juniper Networks. He currently serves his enterprise customers in the Northern Ohio marketplace. His specialties include routing platforms, WAN acceleration, firewall/VPNs, intrusion prevention, strategic network planning, network architecture and design, and network troubleshooting and optimization. Matthew’s background includes positions as a senior engineer at First Virtual Communications, Lucent Technologies, and Bay Networks. Matthew wrote Chapter and cowrote Chapter 11.

Ralph Bonnell (CISSP, LPIC-2, CCSI, CCNA, MCSE: Security) is a senior information security consultant at Accuvant in Denver, CO. His primary responsibilities include the deployment of various network security products and product training. His specialties include NetScreen deployments, Linux client and server deployments, Check Point training, firewall clustering, and PHP Web programming. Ralph also runs a Linux consulting firm called Linux Friendly. Before moving to Colorado, Ralph was a senior security engineer and instructor at Mission Critical Systems, a Gold Check Point partner and training center in South Florida. Ralph cowrote Chapter 11.

Mohan Krishnamurthy Madwachar (JNCIA-FWV, CWNA, and CCSA) is AVP-Infrastructure Services for ADG Infotek, Inc., Almoayed Group, Bahrain. Almoayed Group is a leading systems integration group that has branches in seven countries and executes projects in nearly 15 countries. Mohan is a key contributor to the company’s infrastructure services division and plays a key role in the organization’s network security and training initiatives. Mohan has a strong networking, security, and training background. His tenure with companies such as Schlumberger Omnes and Secure Network Solutions India adds to his experience and expertise in implementing large and complex network and security projects. Mohan holds leading IT industry certifications and is a member of the IEEE and PMI. Mohan would like to dedicate his contributions to this book to his sister, Geetha Prakash, and her husband, C.V. Prakash, and their son, Pragith Prakash. Mohan has coauthored the book Designing and Building Enterprise DMZs (ISBN: 1-597491004), published by Syngress Publishing. He also writes in newspaper columns on various subjects and has contributed to leading content companies as a technical writer and a subject matter expert. Mohan wrote Chapter 12.

Mike Swarm is a Security Solutions Engineer at Juniper Networks. Mike consults with Juniper’s technical field and customer communities worldwide on security design practices. Mike has over a decade of experience focused on network security. Prior to Juniper Networks and its NetScreen Technologies acquisition, Mike was a Systems Engineer at FTP Software and Firefox Communications. Mike wrote Chapter 10.

Brad Woodberg (JNCIS-FWV, JNCIS-M, JNCIA-IDP, JNCIA-SSL, CCNP) is a Security Consultant at Networks Group Inc. in Brighton, MI. At Networks Group his primary focus is designing and implementing security solutions for clients ranging from small business to Fortune 500 companies. His main areas of expertise include network perimeter security, intrusion prevention, security analysis, and network infrastructure. Outside of work he has a great interest in proof-of-concept vulnerability analysis, open source integration/development, and computer architecture. Brad currently holds a bachelor’s degree in Computer Engineering from Michigan State University, and he participates with local security organizations. He also mentors and gives lectures to students interested in the computer network field. Brad wrote Chapters 5–8 and contributed to Chapter 13. He also assisted in the technical editing of several chapters.

Neil R. Wyler (JNCIS-FWV, JNCIA-SSL) is an Information Security Engineer and Researcher located on the Wasatch Front in Utah. He is the co-owner of two Utah-based businesses, which include a consulting firm with clients worldwide and a small software start-up. He is currently doing contract work for Juniper Networks, working with the company’s Security Products Group. Neil is a staff member of the Black Hat Security Briefings and Def Con hacker conference. He has spoken at numerous security conferences and been the subject of various online, print, film, and television interviews regarding different areas of information security. He was the Lead Author and Technical Editor of Aggressive Network Self-Defense (Syngress, 1-931836-20-5) and serves on the advisory board for a local technical college. Neil cowrote Chapter 13.

Contents

Foreword  xiii

Chapter  Networking, Security, and the Firewall
    Introduction
    Understanding Networking
    The OSI Model
    Moving Data along with TCP/IP
    Understanding Security Basics  17
    Understanding Firewall Basics  26
    Types of Firewalls  26
    Firewall Ideologies  31
    DMZ Concepts  31
    Traffic Flow Concepts  35
    Networks with and without DMZs  38
    DMZ Design Fundamentals  41
    Designing End-to-End Security for Data Transmission between Hosts on the Network  42
    Traffic Flow and Protocol Fundamentals  43
    Summary  44
    Solutions Fast Track  45
    Frequently Asked Questions  46

Chapter  Dissecting the Juniper Firewall  49
    Introduction  50
    The Juniper Security Product Offerings  51
    Juniper Firewalls  52
    SSL VPN  53
    Intrusion Detection and Prevention  54
    Unified Access Control (UAC)  56
    The Juniper Firewall Core Technologies  57
    Zones  57
    Virtual Routers  57
    Interface Modes  58
    Policies  58
    VPN  59
    Intrusion Prevention  59
    Device Architecture  61
    The NetScreen and SSG Firewall Product Line  63
    Product Line  63
    Summary  85
    Solutions Fast Track  86
    Frequently Asked Questions  87

Chapter  Deploying Juniper Firewalls  89
    Introduction  90
    Managing Your Juniper Firewall  90
    Juniper Management Options  91
    Administrative Users  93
    The Local File System and the Configuration File  95
    Using the Command Line Interface  99
    Using the Web User Interface  103
    Securing the Management Interface  104
    Updating ScreenOS  118
    System Recovery  119
    Configuring Your Firewall for the First Time  121
    Types of Zones  122
    Virtual Routers  123
    Types of Interfaces  123
    Configuring Security Zones  126
    Configuring Your Firewall for the Network  131
    Binding an Interface to a Zone  132
    Setting Up IP Addressing  133
    Configuring the DHCP Client  133
    Using PPPoE  133
    Interface Speed Modes  135
    Port Mode Configuration  136
    Bridge Groups  137
    Configuring Basic Network Routing  140
    Configuring System Services  142
    Setting the Time  143
    DHCP Server  145
    DNS  147
    SNMP  149
    Syslog  151
    Web Trends  152
    Resources  153
    Summary  154
    Solutions Fast Track  154
    Frequently Asked Questions  156

Chapter  Policy Configuration  157
    Introduction  158
    Firewall Policies  158
    Theory of Access Control  160
    Types of Juniper Policies  162
    Policy Checking  164
    Getting Ready to Make a Policy  166
    Policy Components  167
    Zones  167
    Address Book Entries  168
    Services  172
    Creating Policies  176
    Creating a Policy  177
    Summary  187
    Solutions Fast Track  187
    Frequently Asked Questions  188

Chapter  Advanced Policy Configuration  191
    Introduction  192
    Traffic-Shaping Fundamentals  192
    The Need for Traffic Shaping  192
    How Traffic Shaping Works  195
    Choosing the Traffic-Shaping Type  196
    Deploying Traffic Shaping on Juniper Firewalls  197
    Methods to Enforce Traffic Shaping  197
    Traffic-Shaping Mechanics  202
    Traffic-Shaping Examples  205
    Advanced Policy Options  215
    Counting  216
    Scheduling  222
    Summary  228
    Solutions Fast Track  228
    Frequently Asked Questions  230

Chapter  User Authentication  233
    Introduction  234
    User Account Types  234
    Authentication Users  239
    Internal Authentication Server  252
    Configuring the Local Authentication Server  253
    External Authentication Servers  254
    Policy-Based User Authentication  269
    Explanation of Policy-Based Authentication  269
    Configuring Policies with User Auth  270
    802.1x Authentication  277
    Components of 802.1x  278
    Enhancing Authentication  284
    Firewall Banner Messages  284
    Group Expressions  287
    Summary  289
    Solutions Fast Track  289
    Frequently Asked Questions  291

Chapter  Routing  293
    Introduction  294
    Virtual Routers  294
    Virtual Routers on Juniper Firewalls  295
    Routing Selection Process  298
    Equal Cost Multiple Path  299
    Virtual Router Properties  300
    Route Maps and Access Lists  306
    Route Redistribution  311
    Importing and Exporting Routes  311
    Static Routing  313
    Using Static Routes on Juniper Firewalls  314
    Routing Information Protocol  321
    RIP Overview  322
    RIP Informational Commands  332
    Open Shortest Path First  335
    Concepts and Terminology  336
    Configuring OSPF  341
    OSPF Informational Commands  350
    Border Gateway Protocol  354
    Overview of BGP  354
    Configuring BGP  358
    BGP Informational Commands  372
    Route Redistribution  375
    Redistributing Routes in the Juniper Firewall  375
    Redistributing Routes between Routing Protocols  376
    Redistributing Routes into BGP  380
    Policy-Based Routing  383
    Components of PBR  383
    Summary  393
    Solutions Fast Track  393
    Frequently Asked Questions  396

Chapter  Address Translation  399
    Introduction  400
    Overview of Address Translation  400
    Port Address Translation  401
    Advantages of Address Translation  402
    Disadvantages of Address Translation  403
    Juniper NAT Overview  404
    Juniper Packet Flow  405
    Source NAT  406
    Interface-Based Source Translation  407
    MIP  409
    ...

Foreword (excerpt)

... to how Juniper Networks VPN, firewall, and intrusion prevention products are built and how they will work for you.

—Scott Kriens, CEO, Juniper Networks
November 2006