Juniper Security Swconfig Security

    JUNOS Software
    Security Configuration Guide
    Release 10.1
    Published: 2012-06-07
    Revision 01
    Copyright © 2012, Juniper Networks, Inc.

    Juniper Networks, Inc.
    1194 North Mathilda Avenue
    Sunnyvale, California 94089
    USA
    408-745-2000
    www.juniper.net

    This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

    This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto.

    This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

    GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton's EGP, UC Berkeley's routing daemon (routed), and DCN's HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates.

    This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc.

    Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

    Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

    Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

    Junos OS Security Configuration Guide
    Release 10.1
    Copyright 2012, Juniper Networks, Inc.
    All rights reserved.

    Revision History
    March 2010, R1: Junos OS 10.1

    The information in this document is current as of the date on the title page.

    YEAR 2000 NOTICE

    Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

    SOFTWARE LICENSE

    The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you indicate that you understand and agree to be bound by those terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain uses. The software license may state conditions under which the license is automatically terminated. You should consult the license for further details. For complete product documentation, please see the Juniper Networks website at www.juniper.net/techpubs.


    END USER LICENSE AGREEMENT

    The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


    Abbreviated Table of Contents

    About This Guide . . . xxxix

    Part 1 Introduction to JUNOS Software
      Chapter 1 Introducing JUNOS Software for SRX Series Services Gateways . . . 3
      Chapter 2 Introducing JUNOS Software for J Series Services Routers . . . 43

    Part 2 Security Zones and Interfaces
      Chapter 3 Security Zones and Interfaces . . . 57
      Chapter 4 Address Books and Address Sets . . . 73

    Part 3 Security Policies
      Chapter 5 Security Policies . . . 83
      Chapter 6 Security Policy Schedulers . . . 101
      Chapter 7 Security Policy Applications . . . 109

    Part 4 Application Layer Gateways
      Chapter 8 ALGs . . . 145
      Chapter 9 H.323 ALGs . . . 149
      Chapter 10 SIP ALGs . . . 177
      Chapter 11 SCCP ALGs . . . 239
      Chapter 12 MGCP ALGs . . . 255
      Chapter 13 RPC ALGs . . . 283

    Part 5 User Authentication
      Chapter 14 Firewall User Authentication . . . 293
      Chapter 15 Infranet Authentication . . . 325

    Part 6 Virtual Private Networks
      Chapter 16 Internet Protocol Security . . . 347
      Chapter 17 Public Key Cryptography for Certificates . . . 385
      Chapter 18 Dynamic VPNs . . . 411
      Chapter 19 NetScreen-Remote VPN Client . . . 429

    Part 7 Intrusion Detection and Prevention
      Chapter 20 IDP Policies . . . 451
      Chapter 21 Application-Level Distributed Denial of Service . . . 511
      Chapter 22 IDP Signature Database . . . 519
      Chapter 23 IDP Application Identification . . . 533
      Chapter 24 IDP SSL Inspection . . . 547
      Chapter 25 IDP Performance and Capacity Tuning . . . 553
      Chapter 26 IDP Logging . . . 557

    Part 8 Unified Threat Management
      Chapter 27 Unified Threat Management Overview . . . 565
      Chapter 28 Antispam Filtering . . . 571
      Chapter 29 Full Antivirus Protection . . . 585
      Chapter 30 Express Antivirus Protection . . . 629
      Chapter 31 Content Filtering . . . 645
      Chapter 32 Web Filtering . . . 657

    Part 9 Attack Detection and Prevention
      Chapter 33 Attack Detection and Prevention . . . 687
      Chapter 34 Reconnaissance Deterrence . . . 689
      Chapter 35 Suspicious Packet Attributes . . . 715
      Chapter 36 Denial-of-Service Attacks . . . 729

    Part 10 Chassis Cluster
      Chapter 37 Chassis Cluster . . . 771

    Part 11 Network Address Translation
      Chapter 38 Network Address Translation . . . 871

    Part 12 GPRS
      Chapter 39 General Packet Radio Service . . . 899

    Part 13 Index
      Index . . . 919


    Table of Contents

    About This Guide . . . xxxix
      J Series and SRX Series Documentation and Release Notes . . . xxxix
      Objectives . . . xl
      Audience . . . xl
      Supported Routing Platforms . . . xl
      How to Use This Manual . . . xl
      Document Conventions . . . xlii
      Documentation Feedback . . . xliv
      Requesting Technical Support . . . xliv
        Self-Help Online Tools and Resources . . . xliv
        Opening a Case with JTAC . . . xlv

    Part 1 Introduction to JUNOS Software

    Chapter 1 Introducing JUNOS Software for SRX Series Services Gateways . . . 3
      SRX Series Services Gateways Processing Overview . . . 3
        Understanding Flow-Based Processing . . . 4
          Zones and Policies . . . 5
          Flows and Sessions . . . 5
        Understanding Packet-Based Processing . . . 6
          Stateless Firewall Filters . . . 6
          Class-of-Service Features . . . 6
          Screens . . . 7
      Sessions for SRX Series Services Gateways . . . 7
        Session Characteristics for SRX Series Services Gateways . . . 7
          Understanding Session Characteristics for SRX Series Services Gateways . . . 7
          Example: Controlling Session Termination for SRX Series Services Gateways (CLI) . . . 8
          Example: Disabling TCP Packet Security Checks for SRX Series Services Gateways (CLI) . . . 9
          Example: Setting the Maximum Segment Size for All TCP Sessions for SRX Series Services Gateways (CLI) . . . 9
        Monitoring Sessions for SRX Series Services Gateways . . . 10
          Understanding How to Obtain Session Information for SRX Series Services Gateways . . . 10
          Displaying Global Session Parameters for All SRX Series Services Gateways . . . 10
          Displaying a Summary of Sessions for SRX Series Services Gateways . . . 11


          Displaying Session and Flow Information About Sessions for SRX Series Services Gateways . . . 12
          Displaying Session and Flow Information About a Specific Session for SRX Series Services Gateways . . . 12
          Using Filters to Display Session and Flow Information for SRX Series Services Gateways . . . 13
          Information Provided in Session Log Entries for SRX Series Services Gateways . . . 14
        Clearing Sessions for SRX Series Services Gateways . . . 17
          Terminating Sessions for SRX Series Services Gateways . . . 17
          Terminating a Specific Session for SRX Series Services Gateways . . . 17
          Using Filters to Specify the Sessions to Be Terminated for SRX Series Services Gateways . . . 17
      Debugging for SRX Series Services Gateways . . . 17
        Data Path Debugging for SRX Series Services Gateways . . . 17
          Understanding Data Path Debugging for SRX Series Services Gateways . . . 18
          Debugging the Data Path (CLI Procedure) . . . 18
        Security Debugging for SRX Series Services Gateways . . . 19
          Understanding Security Debugging Using Trace Options . . . 19
          Setting Security Trace Options (J-Web Point and Click CLI Procedure) . . . 19
          Setting Security Trace Options (CLI Procedure) . . . 20
          Displaying Output for Security Trace Options . . . 21
        Flow Debugging for SRX Series Services Gateways . . . 22
          Understanding Flow Debugging Using Trace Options . . . 22
          Example: Setting Flow Debugging Trace Options (CLI) . . . 22
      Understanding SRX Series Services Gateways Central Point Architecture . . . 23
        Load Distribution in Combo Mode . . . 23
        Sharing Processing Power and Memory in Combo Mode . . . 23
      SRX5600 and SRX5800 Services Gateways Processing Overview . . . 24
        Understanding First-Packet Processing . . . 25
        Understanding Fast-Path Processing . . . 26
        Understanding the Data Path for Unicast Sessions . . . 27
          Session Lookup and Packet Match Criteria . . . 28
          Understanding Session Creation: First-Packet Processing . . . 28
          Understanding Fast-Path Processing . . . 31
        Understanding Packet Processing . . . 33
        Understanding Services Processing Units . . . 34
        Understanding Scheduler Characteristics . . . 34
        Understanding Network Processor Bundling . . . 34
          Network Processor Bundling Limitations . . . 34
      SRX3400 and SRX3600 Services Gateways Processing Overview . . . 35
        Components Involved in Setting up a Session . . . 36
        Understanding the Data Path for Unicast Sessions . . . 36
        Session Lookup and Packet Match Criteria . . . 37
        Understanding Session Creation: First Packet Processing . . . 37
        Understanding Fast-Path Processing . . . 39


      SRX210 Services Gateway Processing Overview . . . 39
        Understanding Flow Processing and Session Management . . . 39
        Understanding First-Packet Processing . . . 40
        Understanding Session Creation . . . 40
        Understanding Fast-Path Processing . . . 40

    Chapter 2 Introducing JUNOS Software for J Series Services Routers . . . 43
      Understanding Stateful and Stateless Data Processing for J Series Services Routers . . . 43
        Understanding Flow-Based Processing . . . 44
          Zones and Policies . . . 45
          Flows and Sessions . . . 45
        Understanding Packet-Based Processing . . . 46
          Stateless Firewall Filters . . . 46
          Class-of-Service Features . . . 47
      Session Characteristics for J Series Services Routers . . . 47
        Understanding Session Characteristics for J Series Services Routers . . . 47
        Example: Controlling Session Termination for J Series Services Routers (CLI) . . . 48
        Example: Disabling TCP Packet Security Checks for J Series Services Routers (CLI) . . . 49
        Example: Accommodating End-to-End TCP Communication for J Series Services Routers (CLI) . . . 50
      Understanding the Data Path for J Series Services Routers . . . 50
        Understanding the Forwarding Processing . . . 51
        Understanding the Session-Based Processing . . . 51
          Session Lookup . . . 51
          First-Packet Path Processing . . . 52
          Fast-Path Processing . . . 53
        Understanding Forwarding Features . . . 53

    Part 2 Security Zones and Interfaces

    Chapter 3 Security Zones and Interfaces . . . 57
      Security Zones and Interfaces Overview . . . 57
        Understanding Security Zone Interfaces . . . 58
        Understanding Interface Ports . . . 58
      Security Zones . . . 58
        Understanding Functional Zones . . . 59
        Understanding Security Zones . . . 59
        Example: Creating Security Zones (J-Web Point and Click CLI) . . . 60
        Example: Creating Security Zones (CLI) . . . 61
      Host Inbound Traffic . . . 62
        Understanding How to Control Inbound Traffic Based on Traffic Types . . . 62
        Supported System Services for Host Inbound Traffic . . . 63
        Example: Controlling Inbound Traffic Based on Traffic Types (J-Web Point and Click CLI) . . . 64
        Example: Controlling Inbound Traffic Based on Traffic Types (CLI) . . . 65


      Protocols . . . 67
        Understanding How to Control Inbound Traffic Based on Protocols . . . 67
        Example: Controlling Inbound Traffic Based on Protocols (J-Web Point and Click CLI) . . . 68
        Example: Controlling Inbound Traffic Based on Protocols (CLI) . . . 69
      TCP-Reset Parameters . . . 70
        Understanding How to Identify Duplicate Sessions Using the TCP-Reset Parameter . . . 70
        Example: Configuring the TCP-Reset Parameter (J-Web Point and Click CLI) . . . 70
        Example: Configuring the TCP-Reset Parameter (CLI) . . . 71

    Chapter 4 Address Books and Address Sets . . . 73
      Security Policy Address Books and Address Sets Overview . . . 73
      Understanding Address Books . . . 74
      Understanding Address Sets . . . 75
      Example: Configuring Address Books (J-Web Point and Click CLI) . . . 77
      Example: Configuring Address Books (CLI) . . . 78
      Verifying Address Book Configuration . . . 79

    Part 3 Security Policies

    Chapter 5 Security Policies . . . 83
      Security Policies Overview . . . 83
      Understanding Security Policy Rules . . . 85
      Understanding Security Policy Elements . . . 87
      Security Policies Configuration Overview . . . 88
      Example: Defining Security Policies (J-Web Point and Click CLI) . . . 89
      Example: Defining Security Policies (CLI) . . . 92
      Example: Configuring a Policy to Permit Traffic (CLI) . . . 92
      Example: Configuring a Policy to Deny Traffic (J-Web Point and Click CLI) . . . 93
      Example: Configuring a Policy to Deny Traffic (CLI) . . . 94
      Policy Ordering . . . 95
        Understanding Security Policy Ordering . . . 95
        Example: Reordering the Policies (CLI) . . . 97
      Verifying Policy Configuration . . . 97
      Troubleshooting Security Policies . . . 98
        Checking a Security Policy Commit Failure . . . 98
        Verifying a Security Policy Commit . . . 98
        Debugging Policy Lookup . . . 99
      Monitoring Policy Statistics . . . 99

    Chapter 6 Security Policy Schedulers . . . 101
      Security Policy Schedulers Overview . . . 101
      Example: Configuring Schedulers (J-Web Point and Click CLI) . . . 102
      Example: Configuring Schedulers (CLI) . . . 104
      Example: Associating a Policy to a Scheduler (J-Web Point and Click CLI) . . . 105
      Example: Associating a Policy to a Scheduler (CLI) . . . 106
      Verifying Scheduled Policies . . . 107

    Chapter 7 Security Policy Applications . . . 109
      Security Policy Applications Overview . . . 109
      Policy Application Sets Overview . . . 110
      Example: Configuring Applications and Application Sets (J-Web Point and Click CLI) . . . 111
      Example: Configuring Applications and Application Sets (CLI) . . . 112
      Custom Policy Applications . . . 113
        Understanding Custom Policy Applications . . . 113
        Custom Application Mappings . . . 113
        Example: Adding a Custom Policy Application (J-Web Point and Click CLI) . . . 114
        Example: Adding a Custom Policy Application (CLI) . . . 115
        Example: Modifying a Custom Policy Application (J-Web Point and Click CLI) . . . 116
        Example: Modifying a Custom Policy Application (CLI) . . . 117
        Example: Defining a Custom ICMP Application (J-Web Point and Click CLI) . . . 118
        Example: Defining a Custom ICMP Application (CLI) . . . 119
      Policy Application Timeouts . . . 120
        Understanding Policy Application Timeout Configuration and Lookup . . . 120
        Understanding Policy Application Timeouts Contingencies . . . 122
        Example: Setting a Policy Application Timeout (CLI) . . . 123
      Understanding the ICMP Predefined Policy Application . . . 124
      Default Behaviour of ICMP Unreachable Errors . . . 128
      Understanding Internet-Related Predefined Policy Applications . . . 128
      Understanding Microsoft Predefined Policy Applications . . . 130
      Understanding Dynamic Routing Protocols Predefined Policy Applications . . . 133
      Understanding Streaming Video Predefined Policy Applications . . . 133
      Understanding Sun RPC Predefined Policy Applications . . . 134
      Understanding Security and Tunnel Predefined Policy Applications . . . 135
      Understanding IP-Related Predefined Policy Applications . . . 136
      Understanding Instant Messaging Predefined Policy Applications . . . 137
      Understanding Management Predefined Policy Applications . . . 137
      Understanding Mail Predefined Policy Applications . . . 139
      Understanding UNIX Predefined Policy Applications . . . 139
      Understanding Miscellaneous Predefined Policy Applications . . . 140

    Part 4 Application Layer Gateways

    Chapter 8 ALGs . . . 145
      ALG Overview . . . 145
      Understanding ALG Types . . . 146


Chapter 9 H.323 ALGs . . . 149
  Understanding H.323 ALGs . . . 149
  Understanding the Avaya H.323 ALG . . . 151
    Avaya H.323 ALG-Specific Features . . . 151
    Call Flow Details in the Avaya H.323 ALG . . . 152
  H.323 ALG Configuration Overview . . . 153
  H.323 ALG Endpoint Registration Timeouts . . . 154
    Understanding H.323 ALG Endpoint Registration Timeouts . . . 154
    Example: Setting H.323 ALG Endpoint Registration Timeouts (J-Web) . . . 154
    Example: Setting H.323 ALG Endpoint Registration Timeouts (CLI) . . . 155
  H.323 ALG Media Source Port Ranges . . . 155
    Understanding H.323 ALG Media Source Port Ranges . . . 155
    Example: Setting H.323 ALG Media Source Port Ranges (J-Web) . . . 155
    Example: Setting H.323 ALG Media Source Port Ranges (CLI) . . . 156
  H.323 ALG DoS Attack Protection . . . 156
    Understanding H.323 ALG DoS Attack Protection . . . 156
    Example: Configuring H.323 ALG DoS Attack Protection (J-Web) . . . 157
    Example: Configuring H.323 ALG DoS Attack Protection (CLI) . . . 157
  H.323 ALG Unknown Message Types . . . 158
    Understanding H.323 ALG Unknown Message Types . . . 158
    Example: Allowing Unknown H.323 ALG Message Types (J-Web) . . . 158
    Example: Allowing Unknown H.323 ALG Message Types (CLI) . . . 159
  Example: Passing H.323 ALG Traffic to a Gatekeeper in the Internal Zone (J-Web Point and Click CLI) . . . 160
  Example: Passing H.323 ALG Traffic to a Gatekeeper in the Internal Zone (CLI) . . . 162
  Example: Passing H.323 ALG Traffic to a Gatekeeper in the External Zone (J-Web Point and Click CLI) . . . 164
  Example: Passing H.323 ALG Traffic to a Gatekeeper in the External Zone (CLI) . . . 168
  Example: Using NAT and the H.323 ALG to Enable Incoming Calls (CLI) . . . 170
  Example: Using NAT and the H.323 ALG to Enable Outgoing Calls (CLI) . . . 172
  Verifying H.323 ALG Configurations . . . 174

Chapter 10 SIP ALGs . . . 177
  Understanding SIP ALGs . . . 177
    SIP ALG Operation . . . 178
    SDP Session Descriptions . . . 179
    Pinhole Creation . . . 180
  Understanding SIP ALG Request Methods . . . 182
  SIP ALG Configuration Overview . . . 183
  SIP ALG Call Duration and Timeouts . . . 184
    Understanding SIP ALG Call Duration and Timeouts . . . 184
    Example: Setting SIP ALG Call Duration and Timeouts (J-Web) . . . 185
    Example: Setting SIP ALG Call Duration and Timeouts (CLI) . . . 186
  SIP ALG DoS Attack Protection . . . 186
    Understanding SIP ALG DoS Attack Protection . . . 186
    Example: Configuring SIP ALG DoS Attack Protection (J-Web) . . . 187
    Example: Configuring SIP ALG DoS Attack Protection (CLI) . . . 187


  SIP ALG Unknown Message Types . . . 188
    Understanding SIP ALG Unknown Message Types . . . 188
    Example: Allowing Unknown SIP ALG Message Types (J-Web) . . . 188
    Example: Allowing Unknown SIP ALG Message Types (CLI) . . . 189
  SIP ALG Call ID Hiding . . . 189
    Understanding SIP ALG Call ID Hiding . . . 189
    Disabling SIP ALG Call ID Hiding (CLI Procedure) . . . 190
  SIP ALG Hold Resources . . . 190
    Understanding SIP ALG Hold Resources . . . 190
    Retaining SIP ALG Hold Resources (J-Web Procedure) . . . 191
    Retaining SIP ALG Hold Resources (CLI Procedure) . . . 191
  SIP ALGs and NAT . . . 191
    Understanding SIP ALGs and NAT . . . 192
      Outgoing Calls . . . 193
      Incoming Calls . . . 193
      Forwarded Calls . . . 194
      Call Termination . . . 194
      Call Re-INVITE Messages . . . 194
      Call Session Timers . . . 194
      Call Cancellation . . . 195
      Forking . . . 195
      SIP Messages . . . 195
      SIP Headers . . . 195
      SIP Body . . . 197
      SIP NAT Scenario . . . 198
      Classes of SIP Responses . . . 199
    Understanding Incoming SIP ALG Call Support Using the SIP Registrar and NAT . . . 201
    Example: Configuring Interface Source NAT for Incoming SIP Calls (CLI) . . . 202
    Example: Configuring a Source NAT Pool for Incoming SIP Calls (J-Web Point and Click CLI) . . . 204
    Example: Configuring a Source NAT Pool for Incoming SIP Calls (CLI) . . . 209
    Example: Configuring Static NAT for Incoming SIP Calls (J-Web Point and Click CLI) . . . 211
    Example: Configuring Static NAT for Incoming SIP Calls (CLI) . . . 215
    Example: Configuring the SIP Proxy in the Private Zone and NAT in the Public Zone (CLI) . . . 217
    Example: Configuring the SIP Proxy and NAT in the Public Zone (J-Web Point and Click CLI) . . . 219
    Example: Configuring the SIP Proxy and NAT in the Public Zone (CLI) . . . 224
    Example: Configuring a Three-Zone SIP ALG and NAT Scenario (J-Web Point and Click CLI) . . . 226
    Example: Configuring a Three-Zone SIP ALG and NAT Scenario (CLI) . . . 232
  Verifying SIP ALG Configurations . . . 234
    Verifying SIP ALGs . . . 235
    Verifying SIP ALG Calls . . . 235
    Verifying SIP ALG Call Details . . . 236
    Verifying SIP ALG Transactions . . . 236
    Verifying SIP ALG Counters . . . 237


    Verifying the Rate of SIP ALG Messages . . . 238

Chapter 11 SCCP ALGs . . . 239
  Understanding SCCP ALGs . . . 239
    SCCP Security . . . 240
    SCCP Components . . . 241
      SCCP Client . . . 241
      CallManager . . . 241
      Cluster . . . 241
    SCCP Transactions . . . 241
      Client Initialization . . . 242
      Client Registration . . . 242
      Call Setup . . . 242
      Media Setup . . . 242
    SCCP Control Messages and RTP Flow . . . 242
    SCCP Messages . . . 243
  SCCP ALG Configuration Overview . . . 244
  SCCP ALG Inactive Media Timeout . . . 245
    Understanding SCCP ALG Inactive Media Timeouts . . . 245
    Example: Setting SCCP ALG Inactive Media Timeouts (J-Web) . . . 245
    Example: Setting SCCP ALG Inactive Media Timeouts (CLI) . . . 246
  SCCP ALG Unknown Message Types . . . 246
    Understanding SCCP ALG Unknown Message Types . . . 246
    Example: Allowing Unknown SCCP ALG Message Types (J-Web) . . . 247
    Example: Allowing Unknown SCCP ALG Message Types (CLI) . . . 247
  SCCP ALG DoS Attack Protection . . . 248
    Understanding SCCP ALG DoS Attack Protection . . . 248
    Example: Configuring SCCP ALG DoS Attack Protection (J-Web) . . . 248
    Example: Configuring SCCP ALG DoS Attack Protection (CLI) . . . 249
  Example: Configuring the SCCP ALG CallManager/TFTP Server in the Private Zone (CLI) . . . 249
  Verifying SCCP ALG Configurations . . . 251
    Verifying SCCP ALGs . . . 251
    Verifying SCCP Calls . . . 251
    Verifying SCCP Call Details . . . 252
    Verifying SCCP Counters . . . 253

Chapter 12 MGCP ALGs . . . 255
  Understanding MGCP ALGs . . . 255
    MGCP Security . . . 256
    Entities in MGCP . . . 256
      Endpoint . . . 257
      Connection . . . 257
      Call . . . 257
      Call Agent . . . 257
    Commands . . . 258


    Response Codes . . . 260
  MGCP ALG Configuration Overview . . . 261
  MGCP ALG Call Duration and Timeouts . . . 262
    Understanding MGCP ALG Call Duration and Timeouts . . . 262
    Example: Setting MGCP ALG Call Duration (J-Web) . . . 263
    Example: Setting MGCP ALG Call Duration (CLI) . . . 263
    Example: Setting MGCP ALG Inactive Media Timeout (J-Web) . . . 263
    Example: Setting MGCP ALG Inactive Media Timeout (CLI) . . . 264
    Example: Setting the MGCP ALG Transaction Timeout (J-Web) . . . 264
    Example: Setting the MGCP ALG Transaction Timeout (CLI) . . . 265
  MGCP ALG DoS Attack Protection . . . 265
    Understanding MGCP ALG DoS Attack Protection . . . 265
    Example: Configuring MGCP ALG DoS Attack Protection (J-Web) . . . 266
    Example: Configuring MGCP ALG DoS Attack Protection (CLI) . . . 266
  MGCP ALG Unknown Message Types . . . 267
    Understanding MGCP ALG Unknown Message Types . . . 267
    Example: Allowing Unknown MGCP ALG Message Types (J-Web) . . . 267
    Example: Allowing Unknown MGCP ALG Message Types (CLI) . . . 268
  Example: Configuring Media Gateways in Subscriber Homes Using MGCP ALGs (J-Web Point and Click CLI) . . . 268
  Example: Configuring Media Gateways in Subscriber Homes Using MGCP ALGs (CLI) . . . 274
  Example: Configuring Three-Zone ISP-Hosted Service Using MGCP ALGs and NAT (CLI) . . . 276
  Verifying MGCP ALG Configurations . . . 279
    Verifying MGCP ALGs . . . 280
    Verifying MGCP ALG Calls . . . 280
    Verifying MGCP ALG Endpoints . . . 281
    Verifying MGCP ALG Counters . . . 281

Chapter 13 RPC ALGs . . . 283
  Understanding RPC ALGs . . . 283
  Sun RPC ALGs . . . 284
    Understanding Sun RPC ALGs . . . 284
    Enabling Sun RPC ALGs (J-Web Procedure) . . . 285
    Enabling Sun RPC ALGs (CLI Procedure) . . . 285
    Sun RPC Services and Applications . . . 285
      Understanding Sun RPC Services . . . 286
      Customizing Sun RPC Applications (CLI Procedure) . . . 286
  Microsoft RPC ALGs . . . 287
    Understanding Microsoft RPC ALGs . . . 287
    Enabling Microsoft RPC ALGs (J-Web Procedure) . . . 288
    Enabling Microsoft RPC ALGs (CLI Procedure) . . . 288
    Microsoft RPC Services and Applications . . . 289
      Understanding Microsoft RPC Services . . . 289
      Customizing Microsoft RPC Applications (CLI Procedure) . . . 289
    Verifying the Microsoft RPC ALG Tables . . . 290


Part 5 User Authentication

Chapter 14 Firewall User Authentication . . . 293
  Firewall User Authentication Overview . . . 293
  Pass-Through Authentication . . . 294
    Understanding Pass-Through Authentication . . . 294
    Example: Configuring Pass-Through Authentication (J-Web Point and Click CLI) . . . 295
    Example: Configuring Pass-Through Authentication (CLI) . . . 298
  Web Authentication . . . 300
    Understanding Web Authentication . . . 300
    Example: Configuring Web Authentication (J-Web Point and Click CLI) . . . 302
    Example: Configuring Web Authentication (CLI) . . . 306
  External Authentication . . . 308
    Understanding External Authentication Servers . . . 308
      Understanding SecurID User Authentication . . . 309
    Example: Configuring RADIUS and LDAP User Authentication (J-Web Point and Click CLI) . . . 310
    Example: Configuring RADIUS and LDAP User Authentication (CLI) . . . 313
    Example: Configuring SecurID User Authentication (CLI) . . . 314
    Example: Deleting the SecurID Node Secret File (CLI) . . . 315
  Client Groups for Firewall Authentication . . . 316
    Understanding Client Groups for Firewall Authentication . . . 316
    Example: Configuring Local Users for Client Groups (J-Web Point and Click CLI) . . . 316
    Example: Configuring Local Users for Client Groups (CLI) . . . 317
    Example: Configuring a Default Client Group for All Users (J-Web Point and Click CLI) . . . 318
    Example: Configuring a Default Client Group for All Users (CLI) . . . 318
  Firewall Authentication Banner Customization . . . 319
    Understanding Firewall Authentication Banner Customization . . . 319
    Example: Customizing a Firewall Authentication Banner (J-Web Point and Click CLI) . . . 319
    Example: Customizing a Firewall Authentication Banner (CLI) . . . 320
  Verifying Firewall User Authentication . . . 321
  Monitoring Users and IP Addresses in the Authentication Table . . . 322

Chapter 15 Infranet Authentication . . . 325
  UAC and JUNOS . . . 325
    Understanding UAC in a JUNOS Environment . . . 325
    Enabling UAC in a JUNOS Environment (CLI Procedure) . . . 327
  JUNOS Enforcer and Infranet Controller Communications . . . 328
    Understanding Communications Between the JUNOS Enforcer and the Infranet Controller . . . 328
    Configuring Communications Between the JUNOS Enforcer and the Infranet Controller (CLI Procedure) . . . 328


  JUNOS Enforcer Policy Enforcement . . . 330
    Understanding JUNOS Enforcer Policy Enforcement . . . 330
    Testing JUNOS Enforcer Policy Access Decisions Using Test-Only Mode (CLI Procedure) . . . 331
    Verifying JUNOS Enforcer Policy Enforcement . . . 332
      Displaying Infranet Controller Authentication Table Entries from the JUNOS Enforcer . . . 332
      Displaying Infranet Controller Resource Access Policies from the JUNOS Enforcer . . . 332
  JUNOS Enforcer and IPsec . . . 332
    Understanding JUNOS Enforcer Implementations Using IPsec . . . 333
    Example: Configuring the Device as a JUNOS Enforcer Using IPsec (CLI) . . . 334
  JUNOS Enforcer and Infranet Agent Endpoint Security . . . 340
    Understanding Endpoint Security Using the Infranet Agent with the JUNOS Enforcer . . . 341
    Configuring Endpoint Security Using the Infranet Agent with the JUNOS Enforcer . . . 341
  JUNOS Enforcer and Infranet Controller Cluster Failover . . . 341
    Understanding Communications Between JUNOS Enforcer and a Cluster of Infranet Controllers . . . 342
    Configuring JUNOS Enforcer Failover Options (CLI Procedure) . . . 342

Part 6 Virtual Private Networks

Chapter 16 Internet Protocol Security . . . 347
  VPN Overview . . . 347
    Security Associations . . . 348
    IPsec Key Management . . . 349
      Manual Key . . . 349
      AutoKey IKE . . . 349
      Diffie-Hellman Exchange . . . 350
    IPsec Security Protocols . . . 350
      AH Protocol . . . 351
      ESP Protocol . . . 351
    IPsec Tunnel Negotiation . . . 352
    Distributed VPNs in SRX Series Services Gateways . . . 352
  Understanding IKE and IPsec Packet Processing . . . 353
    Packet Processing in Tunnel Mode . . . 353
    IKE Packet Processing . . . 355
    IPsec Packet Processing . . . 358
  IPsec VPN Configuration Overview . . . 360
  Phase 1 Proposals for IPsec VPNs . . . 361
    Understanding Phase 1 of IKE Tunnel Negotiation . . . 361
      Main Mode . . . 362
      Aggressive Mode . . . 363
    Example: Configuring an IKE Phase 1 Proposal (J-Web Point and Click CLI) . . . 363
    Example: Configuring an IKE Phase 1 Proposal (CLI) . . . 364
    Example: Configuring an IKE Policy (J-Web Point and Click CLI) . . . 365


    Example: Configuring an IKE Policy (CLI) . . . 366
    Example: Configuring an IKE Gateway (J-Web Point and Click CLI) . . . 367
    Example: Configuring an IKE Gateway (CLI) . . . 368
  Phase 2 Proposals for IPsec VPNs . . . 368
    Understanding Phase 2 of IKE Tunnel Negotiation . . . 368
      Proxy IDs . . . 369
      Perfect Forward Secrecy . . . 369
      Replay Protection . . . 370
    Example: Configuring an IPsec Phase 2 Proposal (J-Web Point and Click CLI) . . . 370
    Example: Configuring an IPsec Phase 2 Proposal (CLI) . . . 371
    Example: Configuring an IPsec Policy (J-Web Point and Click CLI) . . . 371
    Example: Configuring an IPsec Policy (CLI) . . . 372
    Example: Configuring AutoKey IKE (J-Web Point and Click CLI) . . . 373
    Example: Configuring AutoKey IKE (CLI) . . . 373
  Global SPI and VPN Monitoring Features . . . 374
    Understanding Global SPI and VPN Monitoring Features . . . 374
    Example: Configuring Global SPI and VPN Monitoring Features (J-Web Point and Click CLI) . . . 375
    Example: Configuring Global SPI and VPN Monitoring Features (CLI) . . . 376
  Hub-and-Spoke VPNs . . . 376
    Understanding Hub-and-Spoke VPNs . . . 376
    Hub-and-Spoke VPN Configuration Overview . . . 377
    Example: Configuring the Hub in a Hub-and-Spoke VPN (CLI) . . . 378
    Example: Configuring Spoke 1 in a Hub-and-Spoke VPN (CLI) . . . 381
    Example: Configuring Spoke 2 in a Hub-and-Spoke VPN (CLI) . . . 382

Chapter 17 Public Key Cryptography for Certificates . . . 385
  Understanding Public Key Infrastructure . . . 385
    PKI Hierarchy for a Single CA Domain or Across Domains . . . 385
    PKI Management and Implementation . . . 387
  Certificates and Certificate Authority . . . 388
    Understanding Certificates . . . 388
      Certificate Signatures . . . 388
      Certificate Verification . . . 389
      Internet Key Exchange . . . 389
    Digital Certificates Configuration Overview . . . 390
      Enabling Digital Certificates Online: Configuration Overview . . . 390
      Manually Generating Digital Certificates: Configuration Overview . . . 391
      Verifying the Validity of a Certificate: Configuration Overview . . . 391
      Deleting a Certificate: Configuration Overview . . . 391
    Public-Private Key Pairs . . . 392
      Understanding Public Key Cryptography . . . 392
      Example: Generating a Public-Private Key Pair (CLI) . . . 392
    Certificate Authority Profiles . . . 393
      Understanding Certificate Authority Profiles . . . 393
      Example: Configuring a Certificate Authority Profile (CLI) . . . 393

    Copyright 2012, Juniper Networks, Inc. xviii

    JUNOS Software Security Configuration Guide

        Certificate Enrollment ... 394
            Understanding Online CA Certificate Enrollment ... 394
            Enrolling a CA Certificate Online (CLI Procedure) ... 394
            Example: Enrolling a Local Certificate Online (CLI) ... 395
            Example: Generating a Local Certificate Request Manually (CLI) ... 396
            Example: Loading CA and Local Certificates Manually (CLI) ... 398
            Example: Reenrolling Local Certificates Automatically (CLI) ... 399
            Deleting Certificates (CLI Procedure) ... 400

    Self-Signed Certificates ... 401
        Understanding Self-Signed Certificates ... 401
            Generating Self-Signed Certificates ... 401
            Automatically Generating Self-Signed Certificates ... 402
            Manually Generating Self-Signed Certificates ... 402
        Using Automatically Generated Self-Signed Certificates (J-Web Point and Click CLI Procedure) ... 402
        Using Automatically Generated Self-Signed Certificates (CLI Procedure) ... 403
        Manually Generating Self-Signed Certificates (J-Web Point and Click CLI Procedure) ... 404
        Example: Manually Generating Self-Signed Certificates (CLI) ... 404

    Certificate Revocation Lists ... 405
        Understanding Certificate Revocation Lists ... 405
        Example: Manually Loading a CRL onto the Device (CLI) ... 406
        Example: Verifying Certificate Validity (CLI) ... 406
        Example: Checking Certificate Validity Using CRLs (J-Web Point and Click CLI) ... 407
        Example: Checking Certificate Validity Using CRLs (CLI) ... 408
        Deleting a Loaded CRL (CLI Procedure) ... 409

Chapter 18 Dynamic VPNs ... 411

    Dynamic VPN Overview ... 411
    Dynamic VPN Configuration Overview ... 412
    Dynamic VPN Client Configurations ... 414
        Understanding Dynamic VPN Client Configurations ... 414
        Example: Creating a Dynamic VPN Client Configuration (J-Web Point and Click CLI) ... 414
        Example: Creating a Dynamic VPN Client Configuration (CLI) ... 415
    Dynamic VPN Global Client Download Settings ... 416
        Understanding Dynamic VPN Global Client Download Settings ... 416
        Example: Configuring Dynamic VPN Global Client Download Settings (J-Web Point and Click CLI) ... 416
        Example: Configuring Dynamic VPN Global Client Download Settings (CLI) ... 417
    Dynamic VPN and Access Manager User Experience ... 417
        Understanding the Dynamic VPN and Access Manager User Experience ... 417
            Connecting to the Remote Access Server for the First Time (Pre-IKE Phase) ... 418
            Connecting to the Remote Access Server for Subsequent Sessions (Pre-IKE Phase) ... 419


            Establishing an IPsec VPN Tunnel (IKE Phase) ... 420
    Access Manager Client-Side Reference ... 421
        Access Manager Client-Side System Requirements ... 421
        Access Manager Client-Side Files ... 421
        Access Manager Client-Side Registry Changes ... 424
        Access Manager Client-Side Error Messages ... 425
        Troubleshooting Access Manager Client-Side Problems ... 428

Chapter 19 NetScreen-Remote VPN Client ... 429

    NetScreen-Remote VPN Client Overview ... 429
    System Requirements for the NetScreen-Remote Client Installation ... 430
    Installing the NetScreen-Remote Client on a PC or Laptop ... 431
        Starting the NetScreen-Remote Client Installation on Your PC or Laptop ... 431
            Installing the NetScreen-Remote Client from a CD-ROM ... 431
            Installing the NetScreen-Remote Client from a Network Share Drive ... 431
            Installing the NetScreen-Remote Client from a Website ... 432
        Completing the NetScreen-Remote Client Installation on Your PC or Laptop ... 432
    Configuring a Firewall for Use by the NetScreen-Remote Client ... 435
        Configuring a Security Zone for the NetScreen-Remote Client ... 435
        Configuring a Tunnel Interface for the NetScreen-Remote Client ... 436
        Configuring an Access Profile for XAuth for the NetScreen-Remote Client ... 436
        Configuring an IKE Gateway for the NetScreen-Remote Client ... 437
        Configuring a Policy for the NetScreen-Remote Client ... 437
    Configuring the NetScreen-Remote Client for Your PC or Laptop ... 438
        Creating a Connection on the NetScreen-Remote Client ... 438
        Creating a Preshared Key on the NetScreen-Remote Client ... 441
        Defining IPsec Protocols on the NetScreen-Remote Client ... 443
    Encryption and Hash Algorithm Terms ... 446
    Logging In to the NetScreen-Remote Client ... 446

Part 7 Intrusion Detection and Prevention

Chapter 20 IDP Policies ... 451

    IDP Policies Overview ... 451
        IDP Policy Terms ... 451
        Working with IDP Policies ... 452
    Example: Enabling IDP in a Security Policy (J-Web Point and Click CLI) ... 453
    Example: Enabling IDP in a Security Policy (CLI) ... 456
    IDP Rules and Rulebases ... 458
        Understanding IDP Policy Rules ... 458
            Understanding IDP Rule Match Conditions ... 458
            Understanding IDP Rule Objects ... 459
            Understanding IDP Rule Actions ... 461
            Understanding IDP Rule IP Actions ... 462


            Understanding IDP Rule Notifications ... 463
        IDP Rulebases ... 464
            Understanding IDP Policy Rulebases ... 464
            Example: Inserting a Rule in the IDP Rulebase (CLI) ... 465
            Example: Deactivating and Reactivating Rules in an IDP Rulebase (CLI) ... 465
        Understanding IDP Application-Level DDoS Rulebases ... 466
        IDP IPS Rulebase ... 467
            Understanding IDP IPS Rulebases ... 467
            Example: Defining Rules for an IDP IPS Rulebase (J-Web Point and Click CLI) ... 468
            Example: Defining Rules for an IDP IPS Rulebase (CLI) ... 471
        IDP Exempt Rulebase ... 473
            Understanding IDP Exempt Rulebases ... 473
            Example: Defining Rules for an IDP Exempt Rulebase (J-Web Point and Click CLI) ... 474
            Example: Defining Rules for an IDP Exempt Rulebase (CLI) ... 476
        IDP Terminal Rules ... 477
            Understanding IDP Terminal Rules ... 477
            Example: Setting Terminal Rules in Rulebases (J-Web Point and Click CLI) ... 478
            Example: Setting Terminal Rules in Rulebases (CLI) ... 479
        IDP DSCP Rules ... 480
            Understanding DSCP Rules in IDP Policies ... 481
            Example: Configuring DSCP Rules in an IDP Policy (CLI) ... 481
    IDP Applications and Application Sets ... 483
        Understanding IDP Application Sets ... 483
        Example: Configuring IDP Applications and Services (CLI) ... 483
        Example: Configuring IDP Application Sets (CLI) ... 484
    IDP Attacks and Attack Objects ... 485
        Understanding Custom Attack Objects ... 485
            Attack Name ... 486
            Severity ... 486
            Service and Application Bindings ... 486
            Protocol and Port Bindings ... 490
            Time Bindings ... 492
            Attack Properties (Signature Attacks) ... 493
            Attack Properties (Protocol Anomaly Attacks) ... 498
            Attack Properties (Compound or Chain Attacks) ... 499
        IDP Protocol Decoders ... 502
            Understanding IDP Protocol Decoders ... 502
            Example: Configuring IDP Protocol Decoders (CLI) ... 503
            Understanding Multiple IDP Detector Support ... 503
        IDP Signature-Based Attacks ... 504
            Understanding IDP Signature-Based Attacks ... 504
            Example: Configuring IDP Signature-Based Attacks (CLI) ... 505


        IDP Protocol Anomaly-Based Attacks ... 507
            Understanding IDP Protocol Anomaly-Based Attacks ... 507
            Example: Configuring IDP Protocol Anomaly-Based Attacks (CLI) ... 507
        Example: Specifying IDP Test Conditions for a Specific Protocol (CLI) ... 509

Chapter 21 Application-Level Distributed Denial of Service ... 511

    IDP Application-Level DDoS Attack Overview ... 511
    IDP Application-Level DDoS Protection Overview ... 511
        Understanding the Application-Level DDoS Module ... 512
        Understanding the Application-Level DDoS Definition ... 513
        Understanding the Application-Level DDoS Rule ... 514
        Understanding Application-Level DDoS IP-Action ... 515
        Understanding Application-Level DDoS Session Action ... 515
    Example: Enabling IDP Protection Against Application-Level DDoS Attacks (CLI) ... 516

Chapter 22 IDP Signature Database ... 519

    Understanding the IDP Signature Database ... 519
    Predefined IDP Policy Templates ... 520
        Understanding Predefined IDP Policy Templates ... 520
        Downloading and Using Predefined IDP Policy Templates (CLI Procedure) ... 522
    IDP Signature Databases ... 523
        Understanding Predefined IDP Attack Objects and Object Groups ... 523
            Predefined Attack Objects ... 524
            Predefined Attack Object Groups ... 524
        Understanding the IDP Signature Database Version ... 525
        Updating the IDP Signature Database Overview ... 525
        Updating the IDP Signature Database Manually Overview ... 526
        Example: Updating the IDP Signature Database Manually (CLI) ... 527
        Example: Updating the Signature Database Automatically (CLI) ... 528
    Verifying the Signature Database ... 529
        Verifying the IDP Policy Compilation and Load Status ... 529
        Verifying the IDP Signature Database Version ... 531


Chapter 23 IDP Application Identification ... 533

    Understanding IDP Application Identification ... 533
    Understanding IDP Service and Application Bindings by Attack Objects ... 534
    Example: Configuring IDP Policies for Application Identification (CLI) ... 535
    Disabling Application Identification for an IDP Policy (CLI Procedure) ... 536
    IDP Application Identification for Nested Applications ... 537
        Understanding IDP Application Identification for Nested Applications ... 537
        Activating IDP Application Identification for Nested Applications (CLI Procedure) ... 538
        Example: Adding IDP Application Information to Attack Logging for Nested Applications (CLI) ... 538
    IDP Application System Cache ... 538
        Understanding the IDP Application System Cache ... 539
        Understanding IDP Application System Cache Information for Nested Application Identification ... 539
        Deactivating IDP Application System Cache Information for Nested Application Identification (CLI Procedure) ... 540
        Verifying IDP Application System Cache Statistics ... 540
    IDP Memory and Session Limits ... 541
        Understanding Memory and Session Limit Settings for IDP Application Identification ... 542
        Example: Setting Memory and Session Limits for IDP Application Identification (CLI) ... 543
    Verifying IDP Counters for Application Identification Processes ... 543

Chapter 24 IDP SSL Inspection ... 547

    IDP SSL Overview ... 547
    Supported IDP SSL Ciphers ... 548
    Understanding IDP Internet Key Exchange ... 549
    Understanding IDP SSL Server Key Management and Policy Configuration ... 550
    Displaying IDP SSL Keys and Associated Servers ... 550
    Adding IDP SSL Keys and Associated Servers ... 551
    Deleting IDP SSL Keys and Associated Servers ... 551
    Configuring an IDP SSL Inspection (CLI Procedure) ... 552

Chapter 25 IDP Performance and Capacity Tuning ... 553

    Performance and Capacity Tuning for IDP Overview ... 553
    Configuring Session Capacity for IDP (CLI Procedure) ... 554

Chapter 26 IDP Logging ... 557

    Understanding IDP Logging ... 557
    IDP Log Suppression Attributes ... 558
        Understanding IDP Log Suppression Attributes ... 558
        Example: Configuring IDP Log Suppression Attributes (CLI) ... 559
    Understanding IDP Log Information Usage on the Infranet Controller ... 559
        Message Filtering to the Infranet Controller ... 560
        Configuring Infranet Controller Logging ... 560
    Understanding Application-Level DDoS Logging ... 560
    Enabling Attack and IP-Action Logging (CLI Procedure) ... 562


Part 8 Unified Threat Management

Chapter 27 Unified Threat Management Overview ... 565

    Unified Threat Management Overview ... 565
    Understanding UTM Custom Objects ... 566
    UTM Licensing ... 566
        Understanding UTM Licensing ... 567
        Updating UTM Licenses (CLI Procedure) ... 567
    WELF Logging for UTM Features ... 567
        Understanding WELF Logging for UTM Features ... 568
        Example: Configuring WELF Logging for UTM Features (CLI) ... 568

Chapter 28 Antispam Filtering ... 571

    Antispam Filtering Overview ... 571
    Server-Based Spam Filtering ... 571
        Understanding Server-Based Spam Filtering ... 572
        Server-Based Spam Filtering Configuration Overview ... 573
        Configuring Server-Based Spam Filtering (J-Web Procedure) ... 573
        Example: Configuring Server-Based Spam Filtering (CLI) ... 575
    Local List Spam Filtering ... 576
        Understanding Local List Spam Filtering ... 576
        Local List Spam Filtering Configuration Overview ... 577
        Configuring Local List Spam Filtering (J-Web Procedure) ... 578
        Example: Configuring Local List Spam Filtering (CLI) ... 581
    Understanding Spam Message Handling ... 583
        Blocking Detected Spam ... 583
        Tagging Detected Spam ... 583
    Monitoring Antispam Configurations ... 583

Chapter 29 Full Antivirus Protection ... 585

    Full Antivirus Protection Overview ... 585
    Full Antivirus Scanner Pattern Database ... 586
        Understanding Full Antivirus Pattern Updates ... 586
        Full Antivirus Pattern Update Configuration Overview ... 587
        Example: Specifying the Full Antivirus Pattern Update Server (CLI) ... 587
        Example: Automatically Updating Full Antivirus Patterns (J-Web) ... 588
        Example: Automatically Updating Full Antivirus Patterns (CLI) ... 588
        Manually Updating, Reloading, and Deleting Full Antivirus Patterns (