
ScreenOS Cookbook

by Stefan Brunner, Vik Davar, Joe Kelly, Ken Draper, David Delcourt

Helps you troubleshoot secure networks that run ScreenOS firewall appliances. This book offers recipes that address a range of security issues, provides solutions, and includes discussions of why the recipes work, so you can set up and keep ScreenOS systems on track.



Publisher Description

Written by key members of Juniper Networks' ScreenOS development team, this one-of-a-kind Cookbook helps you troubleshoot secure networks that run ScreenOS firewall appliances. Scores of recipes address a wide range of security issues, provide step-by-step solutions, and include discussions of why the recipes work, so you can easily set up and keep ScreenOS systems on track.

ScreenOS Cookbook gives you real-world fixes, techniques, and configurations that save time -- not hypothetical situations out of a textbook. The book comes directly from the experience of engineers who have seen and fixed every conceivable ScreenOS network topology, from small branch office firewalls to appliances for large core enterprise and government, to the heavy-duty, protocol-driven service provider network. Its easy-to-follow format enables you to find the topic and specific recipe you need right away and match it to your network and security issue.

Topics include:
* Configuring and managing ScreenOS firewalls
* NTP (Network Time Protocol)
* Interfaces, Zones, and Virtual Routers
* Mitigating Denial of Service Attacks
* DDNS, DNS, and DHCP
* IP Routing
* Policy-Based Routing
* Elements of Policies
* Authentication
* Application Layer Gateways (SIP, H.323, RPC, RTSP, etc.)
* Content Security
* Managing Firewall Policies
* IPSec VPN
* RIP, OSPF, BGP, and NSRP
* Multicast -- IGMP, PIM, Static Mroutes
* Wireless

Along with the usage and troubleshooting recipes, you will also find plenty of tricks, special considerations, ramifications, and general discussions of interesting tangents and network extrapolation. For the accurate, hard-nosed information you require to get your ScreenOS firewall network secure and operating smoothly, no book matches ScreenOS Cookbook.

Author Biography

Stefan Brunner has been a technology consultant for more than 15 years, helping enterprises to leverage technology for their business model and deploy technology solutions. Stefan is the lead architect in Juniper Networks' Service Layer Technology Professional Services group. Prior to Juniper, Stefan worked with NetScreen Technologies as a network security consultant. Stefan holds an MBA in innovations research and technology management from Ludwig-Maximilians-University of Munich, and a certificate degree in telecommunications engineering from the University of California at Berkeley. He lives with his wife and daughter in the Hill Country of Austin, Texas.

Vik Davar has been working in the IT field for more than 15 years, holding positions in financial services firms and technology companies including Juniper Networks and Goldman Sachs. Vik is the president of 9 Networks, an IT services company. He has a master's degree in electrical engineering from Columbia University and a bachelor's degree in electrical engineering from The Cooper Union in New York City. He is also a CISSP and CCIE# 8377. He lives in New Jersey with his wife and two children.

David Delcourt has worked in the data communications industry for the past 13 years for enterprise equipment vendors including Cabletron Systems and NetScreen Technologies. He has held a variety of positions, including advanced TAC engineer, technical trainer, and product manager at Cabletron Systems, and senior security consultant at NetScreen Technologies. He is currently the security practice manager in Professional Services for Juniper Networks, supporting the Americas. He lives in New Hampshire with his wife and daughter, and their two dogs and two cats.

Ken Draper has spent the past 20 years in the networking industry, and has focused on security solutions for the past 11 years. He is CISSP certification #22627 and holds numerous other certifications. Ken has worked at such networking equipment manufacturers as Infotron, Gandalf, Synoptics, Bay Networks, Nortel, NetScreen, and now Juniper Networks. He has more than six years of experience with ScreenOS and large-scale security solutions, he has held a variety of technical engineering positions including systems engineer and solutions architect, and he is currently a Juniper Networks consulting engineer specializing in the large-scale virtual private network (VPN), firewall, intrusion prevention, and centralized management markets. Ken lives outside Dallas with his wife and two dogs.

Joe Kelly has been involved in data networking for more than 12 years, focusing on the realms of network security and routing. He started his career in the service provider space at IDT Corporation, where he held roles in network operations and engineering. After IDT, he spent time with various network service providers in engineering and architectural capacities. In 2001, Joe joined NetScreen Technologies as a senior systems engineer in the Financial and Service Provider verticals, where he specialized in high-availability, high-performance networks. Joe joined Juniper Networks in 2004 with the acquisition of NetScreen, and he is currently the technical lead on the Global Banking and Finance team. He lives in New Jersey with his beautiful wife, Jacqueline, and his three children, Hannah, Ben, and Tristan.

Sunil Wadhwa has been in the data networking industry for more than 13 years, focusing on systems, network routing, and security in enterprise and service provider organizations. He started his career in India at GTL Limited and SAP India, and then held a variety of roles in technical support, network operations, and engineering. He moved to the United States and worked with E4E as a network consultant for routing and security, and then joined Juniper Networks as an advanced technical support engineer for firewall/VPN products. He currently leads the Advance Technical Support team for Juniper Networks, supporting enhanced services products. He lives in California with his beautiful wife, Lavanya, and little angel daughter, Sneha.

Table of Contents

Credits
Preface
1. ScreenOS CLI, Architecture, and Troubleshooting
      1.1 ScreenOS Architecture
      1.2 Troubleshoot ScreenOS
2. Firewall Configuration and Management
      2.1 Use TFTP to Transfer Information to and from the Firewall
      2.2 Use SCP to Securely Transfer Information to and from the Firewall
      2.3 Use the Dedicated MGT Interface to Manage the Firewall
      2.4 Control Access to the Firewall
      2.5 Manage Multiple ScreenOS Images for Remotely Managed Firewalls
      2.6 Manage the USB Port on SSG
3. Wireless
      3.1 Use MAC Filtering
      3.2 Configure the WEP Shared Key
      3.3 Configure the WPA Preshared Key
      3.4 Configure WPA Using 802.1x with IAS and Microsoft Active Directory
      3.5 Configure WPA with the Steel-Belted Radius Server and Odyssey Access Client
      3.6 Separate Wireless Access for Corporate and Guest Users
      3.7 Configure Bridge Groups for Wired and Wireless Networks
4. Route Mode and Static Routing
      4.1 View the Routing Table on the Firewall
      4.2 View Routes for a Particular Prefix
      4.3 View Routes in the Source-Based Routing Table
      4.4 View Routes in the Source Interface-Based Routing Table
      4.5 Create Blackhole Routes
      4.6 Create ECMP Routing
      4.7 Create Static Routes for Gateway Tracking
      4.8 Export Filtered Routes to Other Virtual Routers
      4.9 Change the Route Lookup Preference
      4.10 Create Permanent Static Routes
5. Transparent Mode
      5.1 Enable Transparent Mode with Two Interfaces
      5.2 Enable Transparent Mode with Multiple Interfaces
      5.3 Configure a VLAN Trunk
      5.4 Configure Retagging
      5.5 Configure Bridge Groups
      5.6 Manipulate the Layer 2 Forwarding Table
      5.7 Configure the Management Interface in Transparent Mode
      5.8 Configure the Spanning Tree Protocol (STP)
      5.9 Enable Compatibility with HSRP and VRRP Routers
      5.10 Configure VPNs in Transparent Mode
      5.11 Configure VSYS with Transparent Mode
6. Leveraging IP Services in ScreenOS
      6.1 Set the Time on the Firewall
      6.2 Set the Clock with NTP
      6.3 Check NTP Status
      6.4 Configure the Device's Name Service
      6.5 View DNS Entries on a Device
      6.6 Use Static DNS to Provide a Common Policy for Multiple Devices
      6.7 Configure the DNS Proxy for Split DNS
      6.8 Use DDNS on the Firewall for VPN Creation
      6.9 Configure the Firewall As a DHCP Client for Dynamic IP Environments
      6.10 Configure the Firewall to Act As a DHCP Server
      6.11 Automatically Learn DHCP Option Information
      6.12 Configure DHCP Relay
      6.13 DHCP Server Maintenance
7. Policies
      7.1 Configure an Inter-Zone Firewall Policy
      7.2 Log Hits on ScreenOS Policies
      7.3 Generate Log Entries at Session Initiation
      7.4 Configure a Syslog Server
      7.5 Configure an Explicit Deny Policy
      7.6 Configure a Reject Policy
      7.7 Schedule Policies to Run at a Specified Time
      7.8 Change the Order of ScreenOS Policies
      7.9 Disable a ScreenOS Policy
      7.10 Configure an Intra-Zone Firewall Policy
      7.11 Configure a Global Firewall Policy
      7.12 Configure Custom Services
      7.13 Configure Address and Service Groups
      7.14 Configure Service Timeouts
      7.15 View and Use Microsoft RPC Services
      7.16 View and Use Sun-RPC Services
      7.17 View the Session Table
      7.18 Troubleshoot Traffic Flows
      7.19 Configure a Packet Capture in ScreenOS
      7.20 Determine Platform Limits on Address/Service Book Entries and Policies
8. Network Address Translation
      8.1 Configure Hide NAT
      8.2 Configure Hide NAT with VoIP
      8.3 Configure Static Source NAT
      8.4 Configure Source NAT Pools
      8.5 Link Multiple DIPs to the Same Policy
      8.6 Configure Destination NAT
      8.7 Configure Destination PAT
      8.8 Configure Bidirectional NAT for DMZ Servers
      8.9 Configure Static Bidirectional NAT with Multiple VRs
      8.10 Configure Source Shift Translation
      8.11 Configure Destination Shift Translation
      8.12 Configure Bidirectional Network Shift Translation
      8.13 Configure Conditional NAT
      8.14 Configure NAT with Multiple Interfaces
      8.15 Design PAT for a Home or Branch Office
      8.16 A NAT Strategy for a Medium Office with DMZ
      8.17 Deploy a Large-Office Firewall with DMZ
      8.18 Create an Extranet with Mutual PAT
      8.19 Configure NAT with Policy-Based VPN
      8.20 Configure NAT with Route-Based VPN
      8.21 Troubleshoot NAT Mode
      8.22 Troubleshoot DIPs (Policy NAT-SRC)
      8.23 Troubleshoot Policy NAT-DST
      8.24 Troubleshoot VIPs
      8.25 Troubleshoot MIPs
9. Mitigating Attacks with Screens and Flow Settings
      9.1 Configure SYN Flood Protection
      9.2 Control UDP Floods
      9.3 Detect Scan Activity
      9.4 Avoid Session Table Depletion
      9.5 Baseline Traffic to Prepare for Screen Settings
      9.6 Use Flow Configuration for State Enforcement
      9.7 Detect and Drop Illegal Packets with Screens
      9.8 Prevent IP Spoofing
      9.9 Prevent DoS Attacks with Screens
      9.10 Use Screens to Control HTTP Content
10. IPSec VPN
      10.1 Create a Simple User-to-Site VPN
      10.2 Policy-Based IPSec Tunneling with Static Peers
      10.3 Route-Based IPSec Tunneling with Static Peers and Static Routes
      10.4 Route-Based VPN with Dynamic Peer and Static Routing
      10.5 Redundant VPN Gateways with Static Routes
      10.6 Dynamic Route-Based VPN with RIPv2
      10.7 Interoperability
11. Application Layer Gateways
      11.1 View the List of Available ALGs
      11.2 Globally Enable or Disable an ALG
      11.3 Disable an ALG in a Specific Policy
      11.4 View the Control and Data Sessions for an FTP Transfer
      11.5 Configure ALG Support When Running FTP on a Custom Port
      11.6 Configure and View ALG Inspection of a SIP-Based IP Telephony Call Session
      11.7 View SIP Call and Session Counters
      11.8 View and Modify SIP ALG Settings
      11.9 View the Dynamic Port(s) Associated with a Microsoft RPC Session
      11.10 View the Dynamic Port(s) Associated with a Sun-RPC Session
12. Content Security
      12.1 Configure Internal Antivirus
      12.2 Configure External Antivirus with ICAP
      12.3 Configure External Antivirus via Redirection
      12.4 Configure Antispam
      12.5 Configure Antispam with Third Parties
      12.6 Configure Custom Blacklists and Whitelists for Antispam
      12.7 Configure Internal URL Filtering
      12.8 Configure External URL Filtering
      12.9 Configure Custom Blacklists and Whitelists with URL Filtering
      12.10 Configure Deep Inspection
      12.11 Download Deep Inspection Signatures Manually
      12.12 Develop Custom Signatures with Deep Inspection
      12.13 Configure Integrated IDP
13. User Authentication
      13.1 Create Local Administrative Users
      13.2 Create VSYS-Level Administrator Accounts
      13.3 Create User Groups for Authentication Policies
      13.4 Use Authentication Policies
      13.5 Use WebAuth with the Local Database
      13.6 Create VPN Users with the Local Database
      13.7 Use RADIUS for Admin Authentication
      13.8 Use LDAP for Policy-Based Authentication
      13.9 Use SecurID for Policy-Based Authentication
14. Traffic Shaping
      14.1 Configure Policy-Level Traffic Shaping
      14.2 Configure Low-Latency Queuing
      14.3 Configure Interface-Level Traffic Policing
      14.4 Configure Traffic Classification (Marking)
      14.5 Troubleshoot QoS
15. RIP
      15.1 Configure a RIP Instance on an Interface
      15.2 Advertise the Default Route via RIP
      15.3 Configure RIP Authentication
      15.4 Suppress RIP Route Advertisements with Passive Interfaces
      15.5 Adjust RIP Timers to Influence Route Convergence Duration
      15.6 Adjust RIP Interface Metrics to Influence Path Selection
      15.7 Redistribute Static Routes into RIP
      15.8 Redistribute Routes from OSPF into RIP
      15.9 Filter Inbound RIP Routes
      15.10 Configure Summary Routes in RIP
      15.11 Administer RIP Version 1
      15.12 Troubleshoot RIP
16. OSPF
      16.1 Configure OSPF on a ScreenOS Device
      16.2 View Routes Learned by OSPF
      16.3 View the OSPF Link-State Database
      16.4 Configure a Multiarea OSPF Network
      16.5 Set Up Stub Areas
      16.6 Create a Not-So-Stubby Area (NSSA)
      16.7 Control Route Propagation in OSPF
      16.8 Redistribute Routes into OSPF
      16.9 Make OSPF RFC 1583-Compatible
      16.10 Adjust OSPF Link Costs
      16.11 Configure OSPF on Point-to-Multipoint Links
      16.12 Configure Demand Circuits
      16.13 Configure Virtual Links
      16.14 Change OSPF Timers
      16.15 Secure OSPF
      16.16 Troubleshoot OSPF
17. BGP
      17.1 Configure BGP with an External Peer
      17.2 Configure BGP with an Internal Peer
      17.3 Configure BGP Peer Groups
      17.4 Configure BGP Neighbor Authentication
      17.5 Adjust BGP Keepalive and Hold Timers
      17.6 Statically Define Prefixes to Be Advertised to EBGP Peers
      17.7 Use Route Maps to Filter Prefixes Announced to BGP Peers
      17.8 Aggregate Route Announcements to BGP Peers
      17.9 Filter Route Announcements from BGP Peers
      17.10 Update the BGP Routing Table Without Resetting Neighbor Connections
      17.11 Use BGP Local_Pref for Route Selection
      17.12 Configure Route Dampening
      17.13 Configure BGP Communities
      17.14 Configure BGP Route Reflectors
      17.15 Troubleshoot BGP
18. High Availability with NSRP
      18.1 Configure an Active-Passive NSRP Cluster in Route Mode
      18.2 View and Troubleshoot NSRP State
      18.3 Influence the NSRP Master
      18.4 Configure NSRP Monitors
      18.5 Configure NSRP in Transparent Mode
      18.6 Configure an Active-Active NSRP Cluster
      18.7 Configure NSRP with OSPF
      18.8 Provide Subsecond Failover with NSRP and BGP
      18.9 Synchronize Dynamic Routes in NSRP
      18.10 Create a Stateful Failover for an IPSec Tunnel
      18.11 Configure NAT in an Active-Active Cluster
      18.12 Configure NAT in a VSD-Less Cluster
      18.13 Configure NSRP Between Data Centers
      18.14 Maintain NSRP Clusters
19. Policy-Based Routing
      19.1 Traffic Load Balancing
      19.2 Verify That PBR Is Working for Traffic Load Balancing
      19.3 Prioritize Traffic Between IPSec Tunnels
      19.4 Redirect Traffic to Mitigate Threats
      19.5 Classify Traffic Using the ToS Bits
      19.6 Block Unwanted Traffic with a Blackhole
      19.7 View Your PBR Configuration
20. Multicast
      20.1 Allow Multicast Traffic Through a Transparent Mode Device
      20.2 Use Multicast Group Policies to Enforce Stateful Multicast Forwarding
      20.3 View mroute State
      20.4 Use Static mroutes to Allow Multicast Through a Firewall Without Using PIM
      20.5 Connect Directly to Multicast Receivers
      20.6 Use IGMP Proxy Mode to Dynamically Join Groups
      20.7 Configure PIM on a Firewall
      20.8 Use BSR for RP Mapping
      20.9 Firewalling Between PIM Domains
      20.10 Connect Two PIM Domains with Proxy RP
      20.11 Manage RPF Information with Redundant Routers
      20.12 PIM and High Availability
      20.13 Provide Active-Active Multicast
      20.14 Scale Multicast Replication
21. Virtual Systems
      21.1 Create a Route Mode VSYS
      21.2 Create Multiple VSYS Configurations
      21.3 VSYS and High Availability
      21.4 Create a Transparent Mode VSYS
      21.5 Terminate IPSec Tunnels in the VSYS
      21.6 Configure VSYS Profiles
Glossary
Index

Details

ISBN 0596510039
Author David Delcourt
Short Title SCREENOS CKBK
Publisher O'Reilly Media
Language English
ISBN-10 0596510039
ISBN-13 9780596510039
Media Book
Format Paperback
DEWEY 005.8
Year 2008
Country of Publication United States
Series Cookbook
Place of Publication Sebastopol
Illustrator Robert Romano
DOI 10.1604/9780596510039
Subtitle Time-Saving Techniques for ScreenOS Administrators
AU Release Date 2008-03-18
NZ Release Date 2008-03-18
UK Release Date 2008-03-18
Imprint O'Reilly Media
Pages 842
Illustrations 1, black & white illustrations
Audience Professional & Vocational
Publication Date 2008-04-01
US Release Date 2008-04-01
