© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Chapter Objectives
Agenda: Security Policies
Security Policy Defined
Figure: a packet arrives from the Internet, and the security policy answers the question "What should I do if a packet comes in matching Criterion A?"
Review: Packet Flow
Figure: packet flow through the forwarding flow module. Ingress packet → SCREEN options → session-based lookup; when no session exists the packet takes the first path: D-NAT → Route → Zones → Policy → S-NAT → Services/ALG → Session → egress packet. The Policy stage is the focus of this chapter.
Transit Traffic Examination
Figure: transit traffic examination flowchart; when the packet matches a policy (Yes), the policy actions are applied.
Local Inbound Traffic Examination
host-inbound-traffic follows this process:
• Is the packet destined to the incoming interface?
  - No: apply policy actions. Does the policy permit the traffic? Yes: permit traffic; No: drop traffic.
  - Yes: is the system service or protocol allowed into the interface of the device? Yes: permit traffic; No: deny traffic.
Default Security Policies
Factory-default template security policies (branch devices only), shown between the Trust zone and the Untrust zone.
Figure: a packet from B to D with Application = SSH matches a policy whose action is then permit traffic, and the resulting session-table entry is:
Session Table
Source Address  Source Port  Destination Address  Destination Port  Prot  Int
B               29200        D                    22                6     ge-0/0/0
Ordering:
• Order is important!
• By default, new policies go to the end of the list
• Can change the order using the insert command
• Remember the system default policy!
Editing Security Configurations
Agenda: Security Policies
Policy Language
Policy Match Criteria
Creating Address Book Entries
Defining Custom Applications
Specifics of implementation:
• Many built-in applications (junos-rsh, junos-sip, junos-bgp, junos-tacacs, and so forth)
• You can add applications, application sets, or both to the predefined list
• No restrictions for the naming convention
• You can modify protocols, ports, inactivity timers, and so forth
Creating Policy Match Entries
Basic Policy Actions
Policy actions:
• permit: allows traffic flow
• deny: silently drops traffic
• reject: drops traffic and sends an ICMP unreachable message for UDP traffic and a TCP (RST) message for TCP traffic
Optionally log and count traffic:
• Logs sent to external syslog server
• Can be stored locally on branch devices
• Counters viewable with the show security policies detail command
Advanced Permit Settings
Policy Components Summary
The from-zone and to-zone statement sets the context; each policy's match block holds the matching criteria (source-address, destination-address, application) and its then block holds the action.
[edit security policies]
from-zone zone-name to-zone zone-name {
    policy name1 {
        match {
            source-address address-name;
            destination-address address-name;
            application application-name;
        }
        then {
            <action>;
        }
    }
    policy name2 {
        match {
            source-address address-name;
            destination-address address-name;
            application application-name;
        }
        then {
            <action>;
        }
    }
    …
}
Agenda: Security Policies
Security Policy Overview
Policy Components
Verifying Policy Operation
Policy Scheduling and Rematching
Policy Case Study
Logging (1 of 3)
Logging (2 of 3)
Logging (3 of 3)
• Sample log:
Jun 17 09:41:10 10.210.14.133 [RT_FLOW_SESSION_CLOSE][junos@2636.1.1.1.2.36: session closed TCP FIN: 172.20.102.10/56879->172.20.202.10/23,6: test2, 55(3040) 40(2554) 9
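As an added example (not from the course materials), a Python parser for the RT_FLOW_SESSION_CLOSE sample line above that aggregates bytes per policy name, the same per-policy view the count statement gives on the device. The field layout (source/port->destination/port, protocol, policy name, client and server packets(bytes), elapsed seconds) is inferred from the shape of the sample line and is an assumption.

```python
import re

# Constructed copy of the course's sample log line, joined onto one line.
SAMPLE_LOG = ("Jun 17 09:41:10 10.210.14.133 [RT_FLOW_SESSION_CLOSE][junos@2636.1.1.1.2.36: "
              "session closed TCP FIN: 172.20.102.10/56879->172.20.202.10/23,6: test2, "
              "55(3040) 40(2554) 9")

# Field layout assumed from the shape of the sample line (not documented on the page):
# <reason>: <src>/<sport>-><dst>/<dport>,<proto>: <policy>, <pkts>(<bytes>) from client,
# <pkts>(<bytes>) from server, <elapsed seconds>
SESSION_CLOSE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"\[RT_FLOW_SESSION_CLOSE\]\[junos@[\d.]+: session closed (?P<reason>[^:]+): "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+): "
    r"(?P<policy>[^,]+), (?P<c_pkts>\d+)\((?P<c_bytes>\d+)\) "
    r"(?P<s_pkts>\d+)\((?P<s_bytes>\d+)\) (?P<elapsed>\d+)$"
)


def parse_session_close(line):
    """Return a dict of typed fields, or None when the line is not a session-close record."""
    m = SESSION_CLOSE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "proto", "c_pkts", "c_bytes", "s_pkts", "s_bytes", "elapsed"):
        rec[key] = int(rec[key])
    return rec


def bytes_per_policy(lines):
    """Total bytes in both directions per policy name, skipping lines that do not parse."""
    totals = {}
    for line in lines:
        rec = parse_session_close(line)
        if rec:
            totals[rec["policy"]] = totals.get(rec["policy"], 0) + rec["c_bytes"] + rec["s_bytes"]
    return totals
```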
Monitoring Policies (1 of 3)
Monitoring Policies (2 of 3)
show commands:
• Use the show security policies command to view details about policies:
user@host> show security policies ?
Possible completions:
  <[Enter]>            Execute this command
  detail               Show the detailed information
  from-zone            Show the policy information matching the given source zone
  policy-name          Show the policy information matching the given policy name
  to-zone              Show the policy information matching the given destination zone
  |                    Pipe through a command
Monitoring Policies (3 of 3)
Agenda: Security Policies
Policy Scheduling Overview
Policy Scheduler Components
Policy Scheduler Details
Scheduler:
• Set up the schedule for policy execution, including time and date:
set schedulers scheduler name [day-of-the-week | daily] [specifics of time]
policy-rematch Statement
Agenda: Security Policies
Case Study: Creating Policies Between HR and Public Zones
Objectives:
• Allow PC A and PC B to FTP to server C using a custom application set
• Deny other users in the HR zone from using FTP services in the 1.1.70/24 network; log and count these violations
Network diagram: the HR zone holds PC A (10.1.10.5 on 10.1.10.0/24) and PC B (10.1.20.5 on 10.1.20.0/24), reached through the device interfaces ge-0/0/1 (10.1.1.1 on 10.1.1.0/24) and ge-0/0/2 (10.1.2.1 on 10.1.2.0/24); the Public zone holds server C (1.1.70.250 on 1.1.70.0/24), reached through ge-0/0/3 (1.1.7.1 on 1.1.7.0/24).
Case Study: Entering Host Addresses into the HR Zone
[edit security]
user@host# show zones security-zone HR
address-book {
    address PC_A 10.1.10.5/32;
    address PC_B 10.1.20.5/32;
    address all-10-1 10.1.0.0/16;
    address-set HR_PCs {
        address PC_A;
        address PC_B;
    }
}
interfaces {
    ge-0/0/1.0;
    ge-0/0/2.0;
}
Case Study: Entering Host Addresses into the Public Zone
[edit security]
user@host# show zones security-zone Public
address-book {
    address Server_C 1.1.70.250/32;
    address all-1-1-70 1.1.70/24;
    address-set address-Public {
        address Server_C;
    }
}
interfaces {
    ge-0/0/3.0;
}
Case Study: Creating the Application Set
[edit applications]
user@host# show
application HR-telnet {
    protocol tcp;
    source-port 1024-65535;
    destination-port telnet;
}
application-set HR-Public-applications {
    application junos-ftp;
    application junos-ike;
    application HR-telnet;
}
Case Study: Creating Policy Entries (1 of 2)
[edit security]
user@host# show policies
from-zone HR to-zone Public {
    policy HR-to-Public {
        match {
            source-address HR_PCs;
            destination-address address-Public;
            application HR-Public-applications;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
            count;
        }
    }
    . . .
Case Study: Creating Policy Entries (2 of 2)
    policy otherHR-to-Public {
        match {
            source-address all-10-1;
            destination-address all-1-1-70;
            application junos-ftp;
        }
        then {
            deny;
            log {
                session-init;
            }
            count;
        }
    }
}
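As an added illustration (not part of the course materials) of the first-match ordering rule from the Ordering slide and of the two case-study policies above, a small Python model of the from-zone HR to-zone Public lookup with the system default policy at the end of the list. The address book, address sets, custom application and policy order are taken from the case study; the junos-ftp (tcp/21) and junos-ike (udp/500) port values, the function names and the simplified model of the insert command are assumptions.

```python
from ipaddress import ip_address, ip_network

# Address book and address sets from the case study slides (HR and Public zones).
ADDRESSES = {"PC_A": "10.1.10.5/32", "PC_B": "10.1.20.5/32", "all-10-1": "10.1.0.0/16",
             "Server_C": "1.1.70.250/32", "all-1-1-70": "1.1.70.0/24"}
ADDRESS_SETS = {"HR_PCs": ["PC_A", "PC_B"], "address-Public": ["Server_C"]}
# Applications as (protocol, source-port range, destination-port range). HR-telnet is the
# case study's custom application; the junos-ftp (tcp/21) and junos-ike (udp/500) values are assumed.
APPLICATIONS = {"junos-ftp": ("tcp", (0, 65535), (21, 21)),
                "junos-ike": ("udp", (0, 65535), (500, 500)),
                "HR-telnet": ("tcp", (1024, 65535), (23, 23))}
APPLICATION_SETS = {"HR-Public-applications": ["junos-ftp", "junos-ike", "HR-telnet"]}
# Policies of the from-zone HR to-zone Public context, in configured order.
POLICIES = [
    {"name": "HR-to-Public", "src": "HR_PCs", "dst": "address-Public",
     "app": "HR-Public-applications", "action": "permit"},
    {"name": "otherHR-to-Public", "src": "all-10-1", "dst": "all-1-1-70",
     "app": "junos-ftp", "action": "deny"},
]

def _addrs(name):
    """Expand an address or address-set name into its networks."""
    return [ip_network(ADDRESSES[n]) for n in ADDRESS_SETS.get(name, [name])]

def _apps(name):
    """Expand an application or application-set name into (proto, sports, dports) tuples."""
    return [APPLICATIONS[n] for n in APPLICATION_SETS.get(name, [name])]

def matches(policy, src, dst, proto, sport, dport):
    """True when the 5-tuple satisfies every match criterion of the policy."""
    if not any(ip_address(src) in net for net in _addrs(policy["src"])):
        return False
    if not any(ip_address(dst) in net for net in _addrs(policy["dst"])):
        return False
    return any(p == proto and lo <= sport <= hi and dlo <= dport <= dhi
               for p, (lo, hi), (dlo, dhi) in _apps(policy["app"]))

def lookup(src, dst, proto, sport, dport, policies=POLICIES):
    """(policy name, action) of the first matching policy; the system default policy denies the rest."""
    for policy in policies:
        if matches(policy, src, dst, proto, sport, dport):
            return policy["name"], policy["action"]
    return "default-policy", "deny"

def moved_to_front(name, policies=POLICIES):
    """Simplified model of the insert command: re-order so the named policy is evaluated first."""
    return ([p for p in policies if p["name"] == name]
            + [p for p in policies if p["name"] != name])
```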
Case Study: Creating a Scheduler
[edit]
user@host# show schedulers
scheduler schedulerHR {
    daily {
        start-time 09:00:00 stop-time 17:00:00;
    }
    sunday exclude;
    saturday exclude;
}
Case Study: Applying a Scheduler
[edit]
user@host# show security policies
from-zone HR to-zone Public {
    policy HR-to-Public {
        match {
            source-address HR_PCs;
            destination-address address-Public;
            application HR-Public-applications;
        }
        then {
            permit;
            log {
                session-close;
            }
            count;
        }
        scheduler-name schedulerHR;
    }
Case Study: Check Your Knowledge
Questions:
• Will the policies illustrated in the previous example be sufficient to permit FTP traffic between the HR Zone and the Public Zone? Explain your reasoning.
• Will network administrators be able to use Telnet to access the Junos security device? Explain your reasoning.
Case Study: Monitoring the Policy (1 of 2)
Viewing the policy:
user@host> show security policies policy-name HR-to-Public detail
Policy: HR-to-Public, action-type: permit, State: enabled, Index: 15
Sequence number: 1
From zone: HR, To zone: Public
Source addresses:
PC-A: 10.1.10.5/32
Destination addresses:
Server_C: 1.1.70.250/32
Application: HR-Public-applications
IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [21-21]
Session log: at-create, at-close
Scheduler name: schedulerHR
Policy statistics:
Input bytes : 3844 35 bps
Output bytes : 2299 21 bps
Input packets : 70 0 pps
Output packets : 43 0 pps
Session rate : 2 0 sps
Active sessions : 0
Session deletions: 2
Policy lookups : 1
Note: Output is abbreviated.
Case Study: Monitoring the Policy (2 of 2)
Summary
Review Questions
Lab 2: Security Policies