
Infrastructure Concepts

2014 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Objectives

After successfully completing this content, you will be able to:
Describe the items that will be tested during the JNCIE-SEC exam
Understand the basic steps of configuration of those items
Verify that your configuration meets defined objectives

Agenda: Infrastructure Concepts

Section Topics
System Tasks
Zones
Issues and Tips

Section Topics (1 of 2)

System Tasks
Login:
Users, Classes, Authentication
NTP
Services
FTP, Telnet, SSH, Web-management
SNMP
Syslog
Control
Data

Section Topics (2 of 2)

Zones
Functional zones
Management
Security zones
Template-defined, user-defined

System Infrastructure Tasks
The following items could be part of the system infrastructure tasks:
Login
  Class
  User
  External authentication (RADIUS)
NTP
Services
SNMP
Syslog

Login: User Accounts

You could be asked to create user accounts

What are the pre-configured classes?
Super-user, read-only, operator, unauthorized

[Diagram: User -> Class -> Permissions (allow-commands / deny-commands, allow-configuration / deny-configuration) -> Authorized or Denied]

How do you create a user with certain permissions?
#set system login class <name> permissions <permissions>
#set system login user <name> class <class> authentication plain-text-password
(the authentication statement is optional; plain-text-password prompts for the password)

How can you verify the permission you have?
>show cli authorization
>? (context-sensitive help shows only the commands your class permits)

Radius

You could be asked to configure a RADIUS server

What information do you need?
IP address
Secret
Source address (optional)

What hierarchy is used to configure RADIUS?
#set system radius-server 10.250.0.254 secret xyz
#set system radius-server 10.250.0.254 source-address <address>

How do you tell the system to use RADIUS?
#set system authentication-order [ radius password ]

How does the authentication order affect user logins?

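The following block is an added worked example that ties the two login slides together; it is not taken from the course material. It builds a restricted class, a local user in that class, a RADIUS server, the authentication order, and the "remote" template account that Junos uses for RADIUS-authenticated users who have no local account. The class name NOC-OPS, user alice, the 10.250.0.x addresses and the shared secret are assumed lab values; the configuration-mode prompt prefix is omitted so the lines can be pasted with load set terminal (the comment lines are explanatory).

```junos
# Custom class: operator-style view rights, a short list of allowed
# operational commands, and an explicit deny of the shell.
set system login class NOC-OPS idle-timeout 15
set system login class NOC-OPS permissions [ view view-configuration ]
set system login class NOC-OPS allow-commands "(clear security flow session .*)|(ping .*)|(traceroute .*)"
set system login class NOC-OPS deny-commands "(start shell)"

# Local user in that class. plain-text-password prompts at the CLI, so the
# password never appears in the pasted set command.
set system login user alice class NOC-OPS authentication plain-text-password

# RADIUS server (address, secret and source address are assumed lab values).
set system radius-server 10.250.0.254 secret "jncie-radius-secret"
set system radius-server 10.250.0.254 source-address 10.250.0.1
set system radius-server 10.250.0.254 timeout 5
set system radius-server 10.250.0.254 retry 3

# Try RADIUS first, then the local password database.
# With [ radius password ] a RADIUS reject still allows a matching local
# account to log in; with [ radius ] alone the local database is consulted
# only when no RADIUS server answers.
set system authentication-order [ radius password ]

# Template account: a RADIUS-authenticated user with no local account of the
# same name is mapped to "remote" and inherits its class.
set system login user remote class NOC-OPS
```

After committing, log in as alice and run show cli authorization: the output lists the permissions inherited from NOC-OPS and the allow/deny regular expressions, which is the quickest way to confirm that the class, rather than the user, is what the exam grader will see.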
NTP (1 of 3)

You could be asked to configure NTP

What should be configured first?
Time zone, and be sure to commit.
#set system time-zone America/Phoenix

What should be configured next?
NTP server and boot-server address
#set system ntp server <address> [prefer]
#set system ntp boot-server <address>
If more than one NTP server is defined, set the prefer option
If requested, a source address can be specified
#set system ntp source-address <address>

How can you force the system to sync with NTP without rebooting the device?
#run set date ntp <address>
NTP (2 of 3)

You could be asked to configure NTP authentication

What option do you need to add authentication?
#set system ntp authentication-key 1 type md5 value jncie123

How do you apply it to NTP?
Apply key to individual NTP server
#set system ntp server <address> key 1
Apply key to all NTP servers (the key must also be declared trusted)
#set system ntp trusted-key 1

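As an added example (not part of the original slides) covering both NTP slides at once, the block below configures the time zone, two authenticated servers with one preferred, a boot server, a source address, and the zone statement that lets NTP replies reach the routing engine through a data interface. The server addresses 10.250.0.10/11, the source address 10.250.0.1 and the zone name TRUST are assumed; the key value is the one used on the slide.

```junos
# Time zone first, then commit, so that log and NTP timestamps are sane.
set system time-zone America/Phoenix

# Symmetric key shared with the NTP servers. Declaring it trusted is what
# allows it to be used for authenticating any server that references it.
set system ntp authentication-key 1 type md5 value "jncie123"
set system ntp trusted-key 1

# Two servers, both authenticated with key 1; the first is preferred.
set system ntp server 10.250.0.10 key 1
set system ntp server 10.250.0.10 prefer
set system ntp server 10.250.0.11 key 1

# Boot server: used for the initial step when the device boots.
set system ntp boot-server 10.250.0.10

# Source address must be an address configured on this device (assumed here).
set system ntp source-address 10.250.0.1

# The servers sit behind a data interface in zone TRUST, so NTP must be
# permitted as host-inbound traffic there (not needed when using fxp0).
set security zones security-zone TRUST host-inbound-traffic system-services ntp
```

After the commit, run set date ntp 10.250.0.10 forces an immediate step so you do not have to wait for the poll interval, and show ntp associations should then list the preferred server with an asterisk and a non-zero reach value; an authenticated peer that never reaches is usually a key mismatch or a missing trusted-key statement.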
NTP (3 of 3)

What commands can be used to verify NTP?

>show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.210.20.130   64.6.144.6       3 -    7   64    1    1.600   -0.004   0.044

>show ntp status
status=0664 leap_none, sync_ntp, 6 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Sat Mar 24 11:49:12 UTC 2012 (1)",
processor="octeon", system="JUNOS12.1R1.9", leap=00, stratum=4,
precision=-17, rootdelay=105.025, rootdispersion=457.233, peer=59340,
refid=10.210.20.130,
reftime=d602e482.56e08181 Fri, Oct 11 2013 13:56:34.339, poll=6,
clock=d602e4cb.2f33dc8c Fri, Oct 11 2013 13:57:47.184, state=4,
offset=-0.004, frequency=4.682, jitter=1.463, stability=0.000

Services (1 of 3)

You could be asked to allow or deny specific device services on a Junos device

Where would you control device services?
#set system services ftp
#set system services telnet
#set system services ssh
#set system services web-management http
#set system services web-management https system-generated-certificate

Services (2 of 3)

What options can be set?

FTP, Telnet, SSH:
  rate-limit
  connection-limit
  root-login [allow | deny] (ssh only)

Web:
  interface <name>
  port <tcp port>

Services (3 of 3)

Any other items to ensure service operations?

host-inbound-traffic:
  ftp
  telnet
  ssh
  http
  https
  (ntp)

Potentially firewall filters

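The block below is an added example that is not part of the slides; it shows the three Services slides applied together: clear-text services removed, SSH and HTTPS enabled with the options listed, the matching host-inbound-traffic statements, and an optional loopback filter that restricts SSH to a management prefix. The zone name TRUST, interface ge-0/0/0.0, the 10.250.0.0/24 management prefix and the filter and prefix-list names are assumed lab values.

```junos
# Remove the clear-text services unless the task explicitly asks for them.
delete system services ftp
delete system services telnet

# SSH: version 2 only, no direct root login, rate and connection limits.
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services ssh rate-limit 5
set system services ssh connection-limit 10

# Web management over HTTPS only, bound to a single interface and a
# non-default port (both assumed values) with a self-signed certificate.
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0
set system services web-management https port 8443

# Enabling a service is not enough: the zone that owns the ingress
# interface must also accept it as host-inbound traffic.
set security zones security-zone TRUST host-inbound-traffic system-services ssh
set security zones security-zone TRUST host-inbound-traffic system-services https
set security zones security-zone TRUST host-inbound-traffic system-services ntp

# Optional loopback filter: SSH only from the management prefix, everything
# else left to the zone and policy checks. The final accept keeps routing
# and other management traffic working; tighten it only if the task asks.
set policy-options prefix-list MGMT-NETS 10.250.0.0/24
set firewall family inet filter PROTECT-RE term allow-mgmt-ssh from source-prefix-list MGMT-NETS
set firewall family inet filter PROTECT-RE term allow-mgmt-ssh from protocol tcp
set firewall family inet filter PROTECT-RE term allow-mgmt-ssh from destination-port ssh
set firewall family inet filter PROTECT-RE term allow-mgmt-ssh then accept
set firewall family inet filter PROTECT-RE term drop-other-ssh from protocol tcp
set firewall family inet filter PROTECT-RE term drop-other-ssh from destination-port ssh
set firewall family inet filter PROTECT-RE term drop-other-ssh then discard
set firewall family inet filter PROTECT-RE term allow-rest then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

Use commit confirmed when applying the loopback filter from a remote session: if the prefix list is wrong, the filter drops your own SSH session and the automatic rollback is what gets you back in. show system connections and show security zones confirm the listening services and the host-inbound-traffic permitted per zone.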
SNMP

You could be asked to configure SNMP

What is configured to allow SNMP requests?
Host-inbound-traffic
SNMP community
#set snmp community jncie authorization read-only

What do you configure to allow the Junos OS to initiate SNMP traffic?
#set snmp trap-group jncie categories <category>
(Categories include: chassis, chassis-cluster, configuration, link, remote-operations, routing, services, startup and vrrp-events)
#set snmp trap-group jncie targets 10.250.0.100

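An added SNMP example, not taken from the slides, that combines the community, the client restriction that keeps the read-only community from being usable from arbitrary sources, a trap group with several of the listed categories, and the host-inbound-traffic statement that lets polls reach the device. The community name and trap target are the slide's values; the 10.250.0.0/24 client prefix, the 10.250.0.1 source address and the zone name TRUST are assumed.

```junos
# Identification strings shown in sysLocation / sysContact (assumed values).
set snmp location "JNCIE lab, rack 1"
set snmp contact "noc@example.net"

# Read-only community, accepted only from the management prefix; the
# catch-all "restrict" entry rejects every other source address.
set snmp community jncie authorization read-only
set snmp community jncie clients 10.250.0.0/24
set snmp community jncie clients 0.0.0.0/0 restrict

# Traps: SNMPv2c, a handful of the categories listed on the slide, sent
# to the collector from a fixed source address.
set snmp trap-group jncie version v2
set snmp trap-group jncie categories chassis
set snmp trap-group jncie categories link
set snmp trap-group jncie categories configuration
set snmp trap-group jncie targets 10.250.0.100
set snmp trap-options source-address 10.250.0.1

# Polls arriving on a data interface must be allowed by its zone.
set security zones security-zone TRUST host-inbound-traffic system-services snmp
```

show snmp statistics is the quick check after a commit: a rising "Input packets" counter with no rise in "Bad community names" means the poller is using the right community from an allowed client address.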
Syslog (1 of 3)

You could be asked to configure syslog

What is the default for logging on a branch SRX device?
Control plane logging (the only option if sending out fxp0)
syslog {
    user * {
        any emergency;
    }
    file messages {
        any critical;
        authorization info;
    }
    file interactive-commands {
        interactive-commands error;
    }
}

What do these default configurations do?


Syslog (2 of 3)

What type of logging is needed to support high speed logging?
Data plane logging
#set security log mode stream
#set security log stream <stream-name> category <content-security|all> severity <severity> host <address>

You do lose the ability to set match filters

Syslog (3 of 3)

What kind of options can be configured for syslog?


Size
Number
Match filters (if using control plane)

Where are these options configured?


Globally
Per file

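The following added example (not from the course material) shows the three Syslog slides side by side: control-plane logging with the global and per-file size and number options and a match filter, a remote host with its own source address, and a stream-mode data-plane configuration that sends security logs straight from the forwarding plane. The file name FLOW-LOG, the stream name SEC-LOGS, the collector 10.250.0.50, and the source addresses 10.250.0.1 (control plane) and 10.1.1.1 (data plane) are assumed lab values.

```junos
# ----- Control-plane syslog (event mode, handled by the routing engine) -----

# Global archive defaults: apply to every local file unless overridden.
set system syslog archive size 1m
set system syslog archive files 5

# A dedicated file that keeps only session logs, with its own size/count.
# Match filters like this are only available in control-plane logging.
set system syslog file FLOW-LOG any info
set system syslog file FLOW-LOG match "RT_FLOW_SESSION"
set system syslog file FLOW-LOG archive size 5m
set system syslog file FLOW-LOG archive files 10

# Keep a complete record of operator commands, not just errors.
set system syslog file interactive-commands interactive-commands any

# Remote collector with an explicit source address (assumed).
set system syslog host 10.250.0.50 any notice
set system syslog host 10.250.0.50 source-address 10.250.0.1

# ----- Data-plane syslog (stream mode, sent from the forwarding plane) -----

# In stream mode the source address must belong to a data interface and the
# collector must be reachable from the data plane, not via fxp0.
set security log mode stream
set security log format sd-syslog
set security log source-address 10.1.1.1
set security log stream SEC-LOGS category all
set security log stream SEC-LOGS severity info
set security log stream SEC-LOGS host 10.250.0.50
set security log stream SEC-LOGS host port 514
```

Because stream mode has no match filters, do the filtering on the collector: the structured-data format (sd-syslog) puts the event name, source and destination addresses and policy name in named fields, which is far easier to filter on than the free-text messages written by event mode. show log FLOW-LOG confirms the control-plane file is being written; for stream mode, check the collector, since nothing is written locally.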
Issues and Tips

Biggest issue is not changing ALL the required data when copying from one router to another (i.e., source addresses)
Make sure all names are spelled correctly
Use load merge terminal or | display set

Zones

What are the two types of zones?

User defined (two types):
  Functional zone
    Management: treats the interface the same as an OOB port
  Security zones
    Interfaces must be associated with a security zone to pass traffic
System defined (three types):
  Null
    Every interface belongs to it by default; it does not pass traffic
  Junos-host
  Global

Functional Zones

Under what hierarchy are functional zones created?
#set security zones functional-zone management

What are configured within zones?
Host-inbound-traffic
  System services
  Protocols
Interface
  Any data interface can be used for management
  Except OOB interfaces
  Host-inbound-traffic
Screen options
  Discussed in a subsequent chapter

Security Zones

Under what hierarchy are security zones created?
#set security zones security-zone <name>

What are configured within zones?
Address books
Host-inbound-traffic
  System services: all, any-service, <service: ftp, ntp, ssh, telnet, etc.>
  Protocols: all, <protocol: bgp, ospf, rip, bfd, etc.>
Interfaces
  Host-inbound-traffic
Screen options
  Discussed in a subsequent chapter
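As an added example that is not part of the slides, the block below covers the functional-zone and security-zone slides together: a management functional zone on a data interface with only the management services it needs, two security zones using the TRUST/UNTRUST names from the verification slide, zone-level and per-interface host-inbound-traffic, and a zone address book. The interface assignments, the 10.1.1.10 address and the names SERVER-1 and SERVERS are assumed lab values.

```junos
# Functional zone: ge-0/0/0.0 behaves like an OOB port. Only management
# services are permitted; it never carries transit traffic.
set security zones functional-zone management interfaces ge-0/0/0.0
set security zones functional-zone management host-inbound-traffic system-services ssh
set security zones functional-zone management host-inbound-traffic system-services https
set security zones functional-zone management host-inbound-traffic system-services snmp

# Security zone TRUST: binding interfaces here moves them out of the Null
# zone; host-inbound-traffic at zone level applies to every interface in it.
set security zones security-zone TRUST interfaces ge-0/0/2.0
set security zones security-zone TRUST interfaces ge-0/0/3.0
set security zones security-zone TRUST host-inbound-traffic system-services ping
set security zones security-zone TRUST host-inbound-traffic system-services ntp
set security zones security-zone TRUST host-inbound-traffic protocols ospf

# Per-interface override: SSH to the device is accepted on ge-0/0/2.0 only,
# not on every TRUST interface.
set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services ssh

# Zone address book, referenced later by policies.
set security zones security-zone TRUST address-book address SERVER-1 10.1.1.10/32
set security zones security-zone TRUST address-book address-set SERVERS address SERVER-1

# Security zone UNTRUST: ping only, nothing else inbound to the device.
set security zones security-zone UNTRUST interfaces ge-0/0/1.0
set security zones security-zone UNTRUST host-inbound-traffic system-services ping
```

show security zones after the commit should list both zones with the bound interface counts; an interface that still reports Null in show interfaces output was either mistyped or assigned to a zone whose name does not match the one the task gave you.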
Verification Commands

What command can you use to verify your configuration?
>show security zones
Security zone: TRUST
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 2
  Interfaces:
    ge-0/0/2.0
    ge-0/0/3.0

Security zone: UNTRUST
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 2
  Interfaces:
    ge-0/0/1.0

Issues and Tips

Issues
  Making sure the appropriate services and protocols are turned on to support the task requirements
  Naming of zones is important; use the zone names provided for you
Tips
  Use copy and paste options

Summary

In this content, we:
Described the items that will be tested during the JNCIE-SEC exam
Listed the basic steps of configuration of those items
Verified that your configuration meets defined objectives

Infrastructure and Zones Lab

Perform initial system configuration.
