Synopses & Reviews
Written by key members of Juniper Network's ScreenOS development team, this one-of-a-kind Cookbook helps you troubleshoot secure networks that run ScreenOS firewall appliances. Scores of recipes address a wide range of security issues, provide step-by-step solutions, and include discussions of why the recipes work, so you can easily set up and keep ScreenOS systems on track.
ScreenOS Cookbook gives you real-world fixes, techniques, and configurations that save time -- not hypothetical situations out of a textbook. The book comes directly from the experience of engineers who have seen and fixed every conceivable ScreenOS network topology, from small branch office firewalls to appliances for large core enterprise and government, to the heavy duty protocol driven service provider network. Its easy-to-follow format enables you to find the topic and specific recipe you need right away and match it to your network and security issue.
- Configuring and managing ScreenOS firewalls
- NTP (Network Time Protocol)
- Interfaces, Zones, and Virtual Routers
- Mitigating Denial of Service Attacks
- DDNS, DNS, and DHCP
- IP Routing
- Policy-Based Routing
- Elements of Policies
- Application Layer Gateway (SIP, H323, RPC, RTSP, etc.,)
- Content Security
- Managing Firewall Policies
- IPSEC VPN
- RIP, OSPF, BGP, and NSRP
- Multicast -- IGPM, PIM, Static Mroutes
Along with the usage and troubleshooting recipes, you will also find plenty of tricks, special considerations, ramifications, and general discussions of interesting tangents and network extrapolation. For the accurate, hard-nosed information you require to get your ScreenOS firewall network secure and operating smoothly , no book matches ScreenOS Cookbook
About the Author
Stefan Brunner has been a technology consultant for more than 15years, helping enterprises to leverage technology for their businessmodel and deploy technology solutions. Stefan is the lead architectin Juniper Networks' Service Layer Technology Professional Servicesgroup. Prior to Juniper, Stefan worked with NetScreen Technologies asa network security consultant. Stefan holds an MBA in innovationsresearch and technology management from Ludwig-Maximilians-Universityof Munich, and a certificate degree in telecommunications engineeringfrom the University of California at Berkeley. He lives with his wifeand daughter in the Hill Country of Austin, Texas.
Vik Davar has been working in the IT field for more than 15 years,holding positions in financial services firms and technologycompanies including Juniper Networks and Goldman Sachs. Vik is thepresident of 9 Networks, an IT services company. He has a master'sdegree in electrical engineering from Columbia University and abachelor's degree in electrical engineering from The Cooper Union inNew York City. He is also a CISSP and CCIE# 8377. He lives in NewJersey with his wife and two children.
David Delcourt has worked in the data communications industry for thepast 13 years for enterprise equipment vendors including CabletronSystems and NetScreen Technologies. He has held a variety ofpositions, including advanced TAC engineer, technical trainer, andproduct manager at Cabletron Systems, and senior security consultantat NetScreen Technologies. He is currently the security practicemanager in Professional Services for Juniper Networks, supporting theAmericas. He lives in New Hampshire with his wife and daughter, andtheir two dogs and two cats.
Ken Draper has spent the past 20 years in the networking industry,and has focused on security solutions for the past 11 years. He isCISSP certification #22627 and holds numerous other certifications.Ken has worked at such networking equipment manufacturers asInfotron, Gandalf, Synoptics, Bay Networks, Nortel, NetScreen, andnow Juniper Networks. He has more than six years of experience withScreenOS and large-scale security solutions, he has held a variety oftechnical engineering positions including systems engineer andsolutions architect, and he is currently a Juniper Networksconsulting engineer specializing in the large-scale virtual privatenetwork (VPN), firewall, intrusion prevention, and centralizedmanagement markets. Ken lives outside Dallas with his wife and twodogs.
Joe Kelly has been involved in data networking for more than 12years, focusing on the realms of network security and routing. Hestarted his career in the service provider space at IDT Corporation,where he held roles in network operations and engineering. After IDT,he spent time with various network service providers in engineeringand architectural capacities. In 2001, Joe joined NetScreenTechnologies as a senior systems engineer in the Financial andService Provider verticals, where he specialized in high-availability, high-performance networks. Joe joined Juniper Networksin 2004 with the acquisition of NetScreen, and he is currently thetechnical lead on the Global Banking and Finance team. He lives inNew Jersey with his beautiful wife, Jacqueline, and his threechildren, Hannah, Ben, and Tristan.
Sunil Wadhwa has been in the data networking industry for more than13 years, focusing on systems, network routing, and security inenterprise and service provider organizations. He started his careerin India at GTL Limited and SAP India, and then held a variety ofroles in technical support, network operations, and engineering. Hemoved to the United States and worked with E4E as a networkconsultant for routing and security, and then joined Juniper Networksas an advanced technical support engineer for firewall/VPN products.He currently leads the Advance Technical Support team for JuniperNetworks, supporting enhanced services products. He lives inCalifornia with his beautiful wife, Lavanya, and little angeldaughter, Sneha.
Table of Contents
Credits; Glossary; Preface; Audience; Assumptions This Book Makes; Conventions Used in This Book; Using Code Examples; Safari® Books Online; Comments and Questions; Acknowledgments; Chapter 1: ScreenOS CLI, Architecture, and Troubleshooting; 1.0 Introduction; 1.1 ScreenOS Architecture; 1.2 Troubleshoot ScreenOS; Chapter 2: Firewall Configuration and Management; 2.0 Introduction; 2.1 Use TFTP to Transfer Information to and from the Firewall; 2.2 Use SCP to Securely Transfer Information to and from the Firewall; 2.3 Use the Dedicated MGT Interface to Manage the Firewall; 2.4 Control Access to the Firewall; 2.5 Manage Multiple ScreenOS Images for Remotely Managed Firewalls; 2.6 Manage the USB Port on SSG; Chapter 3: Wireless; 3.0 Introduction; 3.1 Use MAC Filtering; 3.2 Configure the WEP Shared Key; 3.3 Configure the WPA Preshared Key; 3.4 Configure WPA Using 802.1x with IAS and Microsoft Active Directory; 3.5 Configure WPA with the Steel-Belted Radius Server and Odyssey Access Client; 3.6 Separate Wireless Access for Corporate and Guest Users; 3.7 Configure Bridge Groups for Wired and Wireless Networks; Chapter 4: Route Mode and Static Routing; 4.0 Introduction; 4.1 View the Routing Table on the Firewall; 4.2 View Routes for a Particular Prefix; 4.3 View Routes in the Source-Based Routing Table; 4.4 View Routes in the Source Interface-Based Routing Table; 4.5 Create Blackhole Routes; 4.6 Create ECMP Routing; 4.7 Create Static Routes for Gateway Tracking; 4.8 Export Filtered Routes to Other Virtual Routers; 4.9 Change the Route Lookup Preference; 4.10 Create Permanent Static Routes; Chapter 5: Transparent Mode; 5.0 Introduction; 5.1 Enable Transparent Mode with Two Interfaces; 5.2 Enable Transparent Mode with Multiple Interfaces; 5.3 Configure a VLAN Trunk; 5.4 Configure Retagging; 5.5 Configure Bridge Groups; 5.6 Manipulate the Layer 2 Forwarding Table; 5.7 Configure the Management Interface in Transparent Mode; 5.8 Configure the Spanning Tree Protocol (STP); 5.9 Enable Compatibility with HSRP and VRRP Routers; 5.10 Configure VPNs in Transparent Mode; 5.11 Configure VSYS with Transparent Mode; Chapter 6: Leveraging IP Services in ScreenOS; 6.0 Introduction; 6.1 Set the Time on the Firewall; 6.2 Set the Clock with NTP; 6.3 Check NTP Status; 6.4 Configure the Device's Name Service; 6.5 View DNS Entries on a Device; 6.6 Use Static DNS to Provide a Common Policy for Multiple Devices; 6.7 Configure the DNS Proxy for Split DNS; 6.8 Use DDNS on the Firewall for VPN Creation; 6.9 Configure the Firewall As a DHCP Client for Dynamic IP Environments; 6.10 Configure the Firewall to Act As a DHCP Server; 6.11 Automatically Learn DHCP Option Information; 6.12 Configure DHCP Relay; 6.13 DHCP Server Maintenance; Chapter 7: Policies; 7.0 Introduction; 7.1 Configure an Inter-Zone Firewall Policy; 7.2 Log Hits on ScreenOS Policies; 7.3 Generate Log Entries at Session Initiation; 7.4 Configure a Syslog Server; 7.5 Configure an Explicit Deny Policy; 7.6 Configure a Reject Policy; 7.7 Schedule Policies to Run at a Specified Time; 7.8 Change the Order of ScreenOS Policies; 7.9 Disable a ScreenOS Policy; 7.10 Configure an Intra-Zone Firewall Policy; 7.11 Configure a Global Firewall Policy; 7.12 Configure Custom Services; 7.13 Configure Address and Service Groups; 7.14 Configure Service Timeouts; 7.15 View and Use Microsoft RPC Services; 7.16 View and Use Sun-RPC Services; 7.17 View the Session Table; 7.18 Troubleshoot Traffic Flows; 7.19 Configure a Packet Capture in ScreenOS; 7.20 Determine Platform Limits on Address/Service Book Entries and Policies; Chapter 8: Network Address Translation; 8.0 Introduction; 8.1 Configure Hide NAT; 8.2 Configure Hide NAT with VoIP; 8.3 Configure Static Source NAT; 8.4 Configure Source NAT Pools; 8.5 Link Multiple DIPs to the Same Policy; 8.6 Configure Destination NAT; 8.7 Configure Destination PAT; 8.8 Configure Bidirectional NAT for DMZ Servers; 8.9 Configure Static Bidirectional NAT with Multiple VRs; 8.10 Configure Source Shift Translation; 8.11 Configure Destination Shift Translation; 8.12 Configure Bidirectional Network Shift Translation; 8.13 Configure Conditional NAT; 8.14 Configure NAT with Multiple Interfaces; 8.15 Design PAT for a Home or Branch Office; 8.16 A NAT Strategy for a Medium Office with DMZ; 8.17 Deploy a Large-Office Firewall with DMZ; 8.18 Create an Extranet with Mutual PAT; 8.19 Configure NAT with Policy-Based VPN; 8.20 Configure NAT with Route-Based VPN; 8.21 Troubleshoot NAT Mode; 8.22 Troubleshoot DIPs (Policy NAT-SRC); 8.23 Troubleshoot Policy NAT-DST; 8.24 Troubleshoot VIPs; 8.25 Troubleshoot MIPs; Chapter 9: Mitigating Attacks with Screens and Flow Settings; 9.0 Introduction; 9.1 Configure SYN Flood Protection; 9.2 Control UDP Floods; 9.3 Detect Scan Activity; 9.4 Avoid Session Table Depletion; 9.5 Baseline Traffic to Prepare for Screen Settings; 9.6 Use Flow Configuration for State Enforcement; 9.7 Detect and Drop Illegal Packets with Screens; 9.8 Prevent IP Spoofing; 9.9 Prevent DoS Attacks with Screens; 9.10 Use Screens to Control HTTP Content; Chapter 10: IPSec VPN; 10.0 Introduction; 10.1 Create a Simple User-to-Site VPN; 10.2 Policy-Based IPSec Tunneling with Static Peers; 10.3 Route-Based IPSec Tunneling with Static Peers and Static Routes; 10.4 Route-Based VPN with Dynamic Peer and Static Routing; 10.5 Redundant VPN Gateways with Static Routes; 10.6 Dynamic Route-Based VPN with RIPv2; 10.7 Interoperability; Chapter 11: Application Layer Gateways; 11.0 Introduction; 11.1 View the List of Available ALGs; 11.2 Globally Enable or Disable an ALG; 11.3 Disable an ALG in a Specific Policy; 11.4 View the Control and Data Sessions for an FTP Transfer; 11.5 Configure ALG Support When Running FTP on a Custom Port; 11.6 Configure and View ALG Inspection of a SIP-Based IP Telephony Call Session; 11.7 View SIP Call and Session Counters; 11.8 View and Modify SIP ALG Settings; 11.9 View the Dynamic Port(s) Associated with a Microsoft RPC Session; 11.10 View the Dynamic Port(s) Associated with a Sun-RPC Session; Chapter 12: Content Security; 12.0 Introduction; 12.1 Configure Internal Antivirus; 12.2 Configure External Antivirus with ICAP; 12.3 Configure External Antivirus via Redirection; 12.4 Configure Antispam; 12.5 Configure Antispam with Third Parties; 12.6 Configure Custom Blacklists and Whitelists for Antispam; 12.7 Configure Internal URL Filtering; 12.8 Configure External URL Filtering; 12.9 Configure Custom Blacklists and Whitelists with URL Filtering; 12.10 Configre Deep Inspection; 12.11 Download Deep Inspection Signatures Manually; 12.12 Develop Custom Signatures with Deep Inspection; 12.13 Configure Integrated IDP; Chapter 13: User Authentication; 13.0 Introduction; 13.1 Create Local Administrative Users; 13.2 Create VSYS-Level Administrator Accounts; 13.3 Create User Groups for Authentication Policies; 13.4 Use Authentication Policies; 13.5 Use WebAuth with the Local Database; 13.6 Create VPN Users with the Local Database; 13.7 Use RADIUS for Admin Authentication; 13.8 Use LDAP for Policy-Based Authentication; 13.9 Use SecurID for Policy-Based Authentication; Chapter 14: Traffic Shaping; 14.0 Introduction; 14.1 Configure Policy-Level Traffic Shaping; 14.2 Configure Low-Latency Queuing; 14.3 Configure Interface-Level Traffic Policing; 14.4 Configure Traffic Classification (Marking); 14.5 Troubleshoot QoS; Chapter 15: RIP; 15.0 Introduction; 15.1 Configure a RIP Instance on an Interface; 15.2 Advertise the Default Route via RIP; 15.3 Configure RIP Authentication; 15.4 Suppress RIP Route Advertisements with Passive Interfaces; 15.5 Adjust RIP Timers to Influence Route Convergence Duration; 15.6 Adjust RIP Interface Metrics to Influence Path Selection; 15.7 Redistribute Static Routes into RIP; 15.8 Redistribute Routes from OSPF into RIP; 15.9 Filter Inbound RIP Routes; 15.10 Configure Summary Routes in RIP; 15.11 Administer RIP Version 1; 15.12 Troubleshoot RIP; Chapter 16: OSPF; 16.0 Introduction; 16.1 Configure OSPF on a ScreenOS Device; 16.2 View Routes Learned by OSPF; 16.3 View the OSPF Link-State Database; 16.4 Configure a Multiarea OSPF Network; 16.5 Set Up Stub Areas; 16.6 Create a Not-So-Stubby Area (NSSA); 16.7 Control Route Propagation in OSPF; 16.8 Redistribute Routes into OSPF; 16.9 Make OSPF RFC 1583-Compatible Problem; 16.10 Adjust OSPF Link Costs; 16.11 Configure OSPF on Point-to-Multipoint Links; 16.12 Configure Demand Circuits; 16.13 Configure Virtual Links; 16.14 Change OSPF Timers; 16.15 Secure OSPF; 16.16 Troubleshoot OSPF; Chapter 17: BGP; 17.0 Introduction; 17.1 Configure BGP with an External Peer; 17.2 Configure BGP with an Internal Peer; 17.3 Configure BGP Peer Groups; 17.4 Configure BGP Neighbor Authentication; 17.5 Adjust BGP Keepalive and Hold Timers; 17.6 Statically Define Prefixes to Be Advertised to EBGP Peers; 17.7 Use Route Maps to Filter Prefixes Announced to BGP Peers; 17.8 Aggregate Route Announcements to BGP Peers; 17.9 Filter Route Announcements from BGP Peers; 17.10 Update the BGP Routing Table Without Resetting Neighbor Connections; 17.11 Use BGP Local_Pref for Route Selection; 17.12 Configure Route Dampening; 17.13 Configure BGP Communities; 17.14 Configure BGP Route Reflectors; 17.15 Troubleshoot BGP; Chapter 18: High Availability with NSRP; 18.0 Introduction; 18.1 Configure an Active-Passive NSRP Cluster in Route Mode; 18.2 View and Troubleshoot NSRP State; 18.3 Influence the NSRP Master; 18.4 Configure NSRP Monitors; 18.5 Configure NSRP in Transparent Mode; 18.6 Configure an Active-Active NSRP Cluster; 18.7 Configure NSRP with OSPF; 18.8 Provide Subsecond Failover with NSRP and BGP; 18.9 Synchronize Dynamic Routes in NSRP; 18.10 Create a Stateful Failover for an IPSec Tunnel; 18.11 Configure NAT in an Active-Active Cluster; 18.12 Configure NAT in a VSD-Less Cluster; 18.13 Configure NSRP Between Data Centers; 18.14 Maintain NSRP Clusters; Chapter 19: Policy-Based Routing; 19.0 Introduction; 19.1 Traffic Load Balancing; 19.2 Verify That PBR Is Working for Traffic Load Balancing; 19.3 Prioritize Traffic Between IPSec Tunnels; 19.4 Redirect Traffic to Mitigate Threats; 19.5 Classify Traffic Using the ToS Bits; 19.6 Block Unwanted Traffic with a Blackhole; 19.7 View Your PBR Configuration; Chapter 20: Multicast; 20.0 Introduction; 20.1 Allow Multicast Traffic Through a Transparent Mode Device; 20.2 Use Multicast Group Policies to Enforce Stateful Multicast Forwarding; 20.3 View mroute State; 20.4 Use Static mroutes to Allow Multicast Through a Firewall Without Using PIM; 20.5 Connect Directly to Multicast Receivers; 20.6 Use IGMP Proxy Mode to Dynamically Join Groups; 20.7 Configure PIM on a Firewall; 20.8 Use BSR for RP Mapping; 20.9 Firewalling Between PIM Domains; 20.10 Connect Two PIM Domains with Proxy RP; 20.11 Manage RPF Information with Redundant Routers; 20.12 PIM and High Availability; 20.13 Provide Active-Active Multicast; 20.14 Scale Multicast Replication; Chapter 21: Virtual Systems; 21.0 Introduction; 21.1 Create a Route Mode VSYS; 21.2 Create Multiple VSYS Configurations; 21.3 VSYS and High Availability; 21.4 Create a Transparent Mode VSYS; 21.5 Terminate IPSec Tunnels in the VSYS; 21.6 Configure VSYS Profiles; Colophon;