JNCIS-Sec Notes


  • A flow session is identified by 6 elements (the session “six-tuple”)
    • Source IP Address
    • Destination IP Address
    • Source Port
    • Destination Port
    • Protocol #
    • Session Token (identifies the routing instance / virtual router, so the same 5-tuple seen in two routing instances is two different sessions)
  • In “Session-Based Forwarding” each packet is looked up in the session table. If a session already exists for the flow, the packet takes the “Fast Path”; if not, it takes the “First Path”, where the screen, route, zone, policy and NAT lookups are done and the session is installed. (Stateful)
    • TCP Session Flow timeout (default) = 30 minutes
    • UDP Session Flow timeout (default) = 1 minute
  • In “Packet-Based Forwarding” each packet bypasses the “Flow Module” above; only the “Forwarding Lookup” is used and no session state is kept. (Stateless)
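As an added illustration (my own Python model, not Junos code), the session table below implements the six-tuple key, the first-path/fast-path decision and the default idle timeouts from the notes. The Packet and FlowModule classes, the field names and the sample traffic are constructed for this example; in particular the session token is modelled simply as the routing-instance name.

```python
"""Toy model of SRX session-based forwarding.

Added example, not Junos code. Assumptions of my own: a packet carries the six
session-key fields plus an arrival time in seconds, and the session token is
simply the name of the routing instance the packet belongs to.
"""
from dataclasses import dataclass

TCP, UDP = 6, 17
# Default idle timeouts from the notes: TCP 30 minutes, UDP 1 minute.
DEFAULT_TIMEOUT = {TCP: 1800, UDP: 60}


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    token: str   # session token: identifies the routing instance (virtual router)
    ts: float    # arrival time, seconds


@dataclass
class Session:
    key: tuple
    created: float
    last_seen: float
    timeout: int
    packets: int = 0


class FlowModule:
    """Session table: a miss goes through the first path, a hit takes the fast path."""

    def __init__(self) -> None:
        self.sessions: dict[tuple, Session] = {}
        self.first_path = 0
        self.fast_path = 0

    @staticmethod
    def key(p: Packet) -> tuple:
        # The SRX installs a forward and a reverse wing for every session; here
        # both directions map to one key by ordering the address/port pairs.
        fwd = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        return (min(fwd, rev), p.proto, p.token)

    def expire(self, now: float) -> list:
        """Age out sessions idle longer than their timeout (the SRX does this in the background)."""
        dead = [k for k, s in self.sessions.items() if now - s.last_seen > s.timeout]
        for k in dead:
            del self.sessions[k]
        return dead

    def process(self, p: Packet) -> str:
        self.expire(p.ts)
        k = self.key(p)
        s = self.sessions.get(k)
        if s is None:
            # First path: on a real SRX the screen, route, zone, policy and NAT
            # lookups happen here before the session is installed.
            s = Session(k, p.ts, p.ts, DEFAULT_TIMEOUT.get(p.proto, 60))
            self.sessions[k] = s
            self.first_path += 1
            path = "first-path"
        else:
            # Fast path: no policy lookup, just refresh the session and forward.
            self.fast_path += 1
            path = "fast-path"
        s.last_seen = p.ts
        s.packets += 1
        return path


def demo() -> dict:
    """Run constructed sample traffic (not a capture) through the flow module."""
    fm = FlowModule()
    t0 = 1000.0
    pkts = [
        Packet("10.0.0.5", "192.0.2.10", 40000, 443, TCP, "default", t0),          # new flow
        Packet("192.0.2.10", "10.0.0.5", 443, 40000, TCP, "default", t0 + 0.1),    # reply, reverse wing
        Packet("10.0.0.5", "192.0.2.10", 40000, 443, TCP, "vr-guest", t0 + 0.2),   # same 5-tuple, other token
        Packet("10.0.0.7", "198.51.100.1", 5353, 53, UDP, "default", t0 + 1),      # UDP flow
        Packet("10.0.0.7", "198.51.100.1", 5353, 53, UDP, "default", t0 + 100),    # UDP idle > 60 s: new session
    ]
    paths = [fm.process(p) for p in pkts]
    return {"paths": paths, "sessions": len(fm.sessions),
            "first_path": fm.first_path, "fast_path": fm.fast_path}


if __name__ == "__main__":
    print(demo())
```

The reply packet hits the existing session because both wings share one key, the packet with a different session token creates a second session despite an identical 5-tuple, and the UDP packet arriving 99 seconds after the last one finds its session aged out (UDP default 60 s) and goes through the first path again, while the TCP sessions are still well inside their 30-minute timeout.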

SRX Basics

  • Control Plane
    • Implemented using Routing Engine
    • Consists of Junos kernel, chassis management, user interface, routing protocols, and some security features.
  • Data Plane
    • Branch-office SRXs: implemented on CPU cores of the same processor as the control plane, with PIMs providing the interfaces
    • High-end SRXs: implemented on separate IOCs, NPCs, and SPCs
      • IOC – Input/Output Card
      • NPC – Network Processing Card
      • SPC – Services Processing Card


A Zone is a collection of one or more network segments with an identical security “context”, such as “Private”, “DMZ”, “Untrust”, etc.

  • Two Zone Types
    • User-Defined (i.e. “Trust”, “Untrust”, “DMZ”)
      • Sub-Categorized Zones
        • Security-Zones (Transit Traffic)
        • Functional-Zones (i.e. FXP0 management interface)
          • Cannot be used in a Security Policy
          • Only one type of zone is allowed (management)
          • Does not have a user-defined name
    • System-Defined
      • Null Zone – any interface not assigned to a zone belongs to it (the factory default for high-end SRXs). No traffic is allowed to or from an interface in the null zone.
      • junos-host – system-defined zone used as a policy endpoint to write granular rules for traffic destined to the SRX itself, beyond the coarse per-protocol control that “host-inbound-traffic” gives
  • Multiple interfaces can belong to a zone. Multiple interfaces can belong to a routing-instance.
    • You cannot assign an interface to multiple zones
    • You cannot assign an interface to multiple routing-instances
  • Two Types of traffic
    • Transit
    • SRX host traffic
      • Traffic destined to SRX host only. (not transit)
      • Traffic allowed defined by “host-inbound-traffic”
      • “host-inbound-traffic”
        • Applied to Zone or Interface
        • An interface-level definition overrides the zone-level definition for that interface
  apaxson@srx-host> show security zones

“show security zones” command provides:

  • Zone Types
  • Zone Names
  • Number of interfaces bound to each zone
  • Names of the interfaces bound to each zone

Security Policies #

Screen and Options #

Screen -

Basic Attacks #

  • Malformed Packets
  • Spoofed Packets
  • UDP Flooding
  • Denial of Service (DoS)
  • Fragmented Packets
  • ICMP Abuse and Flooding
  • TCP Abuse and Flooding

Configuration Context and Options: #

  [edit security screen ids-option _name_]#
  • icmp
    • ip-sweep threshold 1000000 (in microseconds) – flags a single source as sweep-scanning hosts with ICMP when it sends 10 ICMP packets to different destinations within the threshold window (1,000,000 µs = 1 second here); further packets from that source are dropped
    • large – drops ICMP packets whose IP length exceeds 1024 bytes. ICMP messages are small, so large ones are abnormal or malformed
    • fragment – drops fragmented ICMP packets. ICMP messages are small, so there is no legitimate reason for them to be fragmented
    • flood threshold 7500 (in packets per second) – once more than 7500 ICMP packets per second are seen toward the same destination address (from any number of sources), further ICMP packets to that destination are dropped
  • ip
    • bad-option – drops packets with a malformed or incorrectly formatted IP options field
    • unknown-protocol – drops packets whose IP protocol number is 137 or higher; those numbers are undefined/reserved in the IANA protocol-number registry (originally RFC 1700)
    • spoofing – reverse-path check on the source address: the source is looked up in the route table and the packet is dropped if the route back to it does not lead out through the zone the packet arrived on (a uRPF-style check)
    • tear-drop – drops fragments whose offsets overlap when they are reassembled
  • tcp
    • tcp-sweep threshold 1000000 (in microseconds) – same logic as ip-sweep, but for TCP segments from one source to 10 different destinations
    • fin-no-ack – a FIN segment normally also carries ACK, because it acknowledges the peer’s previous data while closing; a FIN without ACK is anomalous
    • tcp-no-flag – a TCP segment must have at least one flag set (e.g. SYN, ACK, FIN, RST); a segment with none is anomalous
    • syn-fin – SYN and FIN in the same segment is invalid: you cannot open and close a TCP session in one packet
  • udp
    • flood threshold 50000 (in packets per second) – same logic as the ICMP flood check, for UDP datagrams toward one destination
    • udp-sweep threshold 1000000 (in microseconds) – same logic as ip-sweep, for UDP datagrams
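To make the screen semantics concrete, here is a small Python reimplementation of the checks listed above, run over constructed packets. This is an added example and not Junos code; the Packet fields, the Screen class and the sample traffic are my own constructions, and only the thresholds are the values used in the notes. It goes slightly beyond the notes in that the sweep and flood logic is written once and shared by the ICMP, TCP and UDP variants.

```python
"""Minimal reimplementation of several SRX screen checks from the notes.

Added example, not Junos code. The Packet fields, the Screen class and the
sample traffic are my own constructions; thresholds default to the values
used in the notes (sweep 1,000,000 us, ICMP flood 7500 pps, UDP flood 50000 pps).
"""
from collections import defaultdict, deque
from dataclasses import dataclass

ICMP, TCP, UDP = 1, 6, 17
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    ts_us: int                 # arrival time in microseconds
    length: int = 64           # total IP length in bytes
    flags: int = 0             # TCP flags (only meaningful when proto == TCP)
    fragment: bool = False     # packet is an IP fragment
    bad_option: bool = False   # assume the IP parser already flagged a malformed options field


class Screen:
    def __init__(self, sweep_threshold_us=1_000_000, icmp_flood_pps=7500, udp_flood_pps=50000):
        self.sweep_threshold_us = sweep_threshold_us
        self.flood_pps = {ICMP: icmp_flood_pps, UDP: udp_flood_pps}
        self.sweeps = defaultdict(deque)   # (proto, src) -> recent (ts, dst), for sweep detection
        self.floods = defaultdict(deque)   # (proto, dst) -> timestamps within the last second

    def check(self, p: Packet) -> list:
        """Return the names of the screen options this packet would trigger."""
        hits = []
        # ip
        if p.bad_option:
            hits.append("ip bad-option")
        if p.proto >= 137:
            hits.append("ip unknown-protocol")
        # icmp: small messages only, never fragmented
        if p.proto == ICMP:
            if p.length > 1024:
                hits.append("icmp large")
            if p.fragment:
                hits.append("icmp fragment")
        # tcp flag sanity
        if p.proto == TCP:
            if p.flags & SYN and p.flags & FIN:
                hits.append("tcp syn-fin")
            if p.flags & FIN and not p.flags & ACK:
                hits.append("tcp fin-no-ack")
            if p.flags == 0:
                hits.append("tcp tcp-no-flag")
        # sweep: one source reaching 10 distinct destinations within the threshold window
        if p.proto in (ICMP, TCP, UDP):
            q = self.sweeps[(p.proto, p.src)]
            q.append((p.ts_us, p.dst))
            while q and p.ts_us - q[0][0] > self.sweep_threshold_us:
                q.popleft()
            if len({d for _, d in q}) >= 10:
                hits.append({ICMP: "icmp ip-sweep", TCP: "tcp tcp-sweep", UDP: "udp udp-sweep"}[p.proto])
        # flood: more than N packets per second toward one destination, from any sources
        if p.proto in self.flood_pps:
            q = self.floods[(p.proto, p.dst)]
            q.append(p.ts_us)
            while q and p.ts_us - q[0] > 1_000_000:
                q.popleft()
            if len(q) > self.flood_pps[p.proto]:
                hits.append({ICMP: "icmp flood", UDP: "udp flood"}[p.proto])
        return hits


def demo() -> dict:
    """Constructed traffic (not a capture): an ICMP sweep, a SYN-FIN probe and an ICMP flood."""
    s = Screen(icmp_flood_pps=100)   # lowered so the flood sample stays small
    sweep = [Packet("203.0.113.9", f"10.0.0.{i}", ICMP, i * 1000) for i in range(1, 11)]
    sweep_hits = [s.check(p) for p in sweep]
    synfin = s.check(Packet("203.0.113.9", "10.0.0.1", TCP, 20_000, flags=SYN | FIN))
    flood = [Packet("198.51.100.7", "10.0.0.20", ICMP, 30_000 + i) for i in range(101)]
    flood_hits = [s.check(p) for p in flood]
    return {
        "sweep_first_hit": next(i for i, h in enumerate(sweep_hits) if h),                    # 10th packet
        "synfin": synfin,
        "flood_first_hit": next(i for i, h in enumerate(flood_hits) if "icmp flood" in h),  # 101st packet
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing: the sweep check is keyed on the source and counts distinct destinations, whereas the flood check is keyed on the destination and ignores the source entirely, which is why a distributed flood still trips it; and a SYN+FIN probe also lacks ACK, so it trips fin-no-ack as well as syn-fin, which matches how the two options are defined above.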

Apply the screen #

[edit]# set security zones security-zone //zonename// screen //screenname//

A screen is attached to a zone (not to an interface or a policy) and is checked on ingress, before the session lookup, for every packet entering that zone.

Useful commands #

>show security screen ids-option //screenname// (//shows the options configured in a screen//)
>show security screen statistics interface //intfname//
>show security screen statistics zone //zonename//

Intro to IDS / IPS #

IDS / IPS = Intrusion Detection System / Intrusion Prevention System (Juniper’s combined feature is called IDP, Intrusion Detection and Prevention)

Uses signatures, patterns, and anomaly detection to identify known attacks or malformed traffic entering the system. The attack database is a licensed/subscription service that must be downloaded and installed on the device.

Terminology #

  • False Positive - Benign action that triggers an alarm
  • False Negative - Actual attack that is not detected.
  • True Positive - Actual attack that is detected.
  • True Negative - Benign action that is not alarmed.
  • Integrated Mode - IDP runs inline on the same NPU/SPU that processes the firewall flow; it can drop traffic.
  • Dedicated Mode - IDP runs as a separate process on its own dedicated processing resources.
  • Inline Tap Mode - IDP processes a copy of the traffic (i.e. promiscuous), so it can log and alert but cannot drop the original packets.
  • Protocol Anomaly Attack Object - Anomaly based detection using RFC rules (malformed packets)
  • Signature Based Attack Object - Signature/Pattern based detection based on definitions
  • Severity - Informational —> Warning —> Minor —> Major —> Critical

Useful commands #

>show security idp security-package-version (//identifies version/date of the installed security package//)
>request security idp security-package download full-update (//downloads the available security package//)
>request security idp security-package download status (//shows status of the download request//)
>request security idp security-package install (//installs the downloaded security package//)
>request security idp security-package install status (//shows status of the install request//)
>show security idp status (//shows status of IDP on the device//)

Apply the IDP/IPS

[edit security policies from-zone //zonename// to-zone //zonename// policy //policyname//]#

# set match source-address any destination-address any application any
# set then permit application-services idp

The “match” keyword is required: the match terms and the “then” action are separate statements under the policy. This only selects which traffic is handed to IDP; the IDP rulebases themselves are configured separately under [edit security idp].