12.a
Student Guide
Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has
no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an
agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and
agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper
Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should
consult the software license for further details.
Contents
This one-day course includes detailed coverage of Web filtering, antivirus, antispam, and content
filtering. Through demonstrations and hands-on labs, students will gain experience in configuring
and monitoring the Unified Threat Management (UTM) features of the Junos operating system. This
course is based on the Junos OS Release 12.1X46-D15.3.
Objectives
After successfully completing this course, you should be able to:
• Describe the challenges that branch offices present to network managers.
• List the major features that UTM offers.
• Explain how each major feature addresses the challenges of the branch office.
• List the SRX Series Services Gateways on which UTM is available.
• Describe the UTM features that require specific licenses.
• Define terms used in the creation of effective antispam UTM policies.
• Describe the process by which UTM examines traffic for spam.
• Describe the overall process of configuring an antispam UTM policy.
• Describe the kinds of information available from the device when it has detected
spam.
• Describe how the antivirus process examines traffic.
• Describe the differences between full file-based antivirus versus express antivirus.
• Describe the settings that are required for configuring antivirus protection.
• Explain how antivirus settings affect scanning performance and effectiveness.
• Describe options available for scanning supported protocols.
• List the general steps required to configure antivirus.
• Describe the statistical information available to verify antivirus functionality.
• Describe content filtering and Web filtering and their purpose.
• List and describe each of the parameters used when configuring Web filtering and
content filtering.
• Describe the basic steps necessary to configure Web filtering and content filtering.
• Monitor Web filtering and content filtering.
Intended Audience
This course benefits individuals responsible for implementing and monitoring the UTM features
available on branch SRX Series Services Gateways and J Series Services Routers.
Course Level
Junos Unified Threat Management is an intermediate-level course.
Prerequisites
Students should have basic networking knowledge and an understanding of the Open Systems
Interconnection (OSI) model and the TCP/IP protocol suite. Students should also have working
knowledge of security policies.
Students should also attend the Introduction to the Junos Operating System (IJOS), Junos Routing
Essentials (JRE), and Junos Security (JSEC) courses prior to attending this class.
Day 1
Chapter 1: Course Introduction
Chapter 2: UTM Overview
Lab 1: Initial Setup
Chapter 3: Antispam
Lab 2: Antispam
Chapter 4: Full File-Based Antivirus and Express Antivirus
Lab 3: Antivirus
Chapter 5: Content Filtering and Web Filtering
Lab 4: Content Filtering and Web Filtering
Normal text (Franklin Gothic): Most of what you read in the Lab Guide and Student Guide.
CLI Input: Text that you must enter. Example: lab@San_Jose> show route
GUI Input: Text that you must enter. Example: Select File > Save, and type config.ini in the Filename field.
CLI Undefined: Text where the variable's value is at the user's discretion, or text where the variable's value as shown in the lab guide might differ from the value the user must input according to the lab topology. Examples: Type set policy policy-name. ping 10.0.x.y
GUI Undefined: Same as CLI Undefined, for GUI entries. Example: Select File > Save, and type filename in the Filename field.
We Will Discuss:
• Objectives and course content information;
• Additional Juniper Networks, Inc. courses; and
• The Juniper Networks Certification Program.
Introductions
The slide asks several questions for you to answer during class introductions.
Course Contents
The slide lists the topics we discuss in this course.
Prerequisites
The slide lists the prerequisites for this course.
Additional Resources
The slide provides links to additional resources available to assist you in the installation, configuration, and operation of
Juniper Networks products.
Satisfaction Feedback
Juniper Networks uses an electronic survey system to collect and analyze your comments and feedback. Depending on the
class you are taking, please complete the survey at the end of the class, or be sure to look for an e-mail about two weeks
from class completion that directs you to complete an online survey form. (Be sure to provide us with your current e-mail
address.)
Submitting your feedback entitles you to a certificate of class completion. We thank you in advance for taking the time to
help us improve our educational offerings.
Courses
You can access the latest Education Services offerings covering a wide range of platforms at
http://www.juniper.net/training/technical_education/.
Junos Genius
The Junos Genius application takes certification exam preparation to a new level. With Junos Genius you can practice for
your exam with flashcards, simulate a live exam in a timed challenge, and even build a virtual network with device
achievements earned by challenging Juniper instructors. Download the app now and unlock your Genius today!
Find Us Online
The slide lists some online resources to learn and share information about Juniper Networks.
Any Questions?
If you have any questions or concerns about the class you are attending, we suggest that you voice them now so that your
instructor can best address your needs during class.
This chapter contains no review questions.
We Will Discuss:
• The challenges that branch offices present to network managers;
• The major features of Unified Threat Management (UTM);
• How each major feature addresses the challenges of the branch office;
• The SRX hardware devices on which UTM is available; and
• The UTM features that require specific licenses.
UTM Overview
The slide highlights the topic we discuss next.
Antispam
The SRX Series for the branch provides comprehensive UTM features to protect against network-level and application-level
attacks, and simultaneously stops content-based attacks. The antispam feature tags or blocks unwanted e-mail traffic by
scanning inbound and outbound SMTP e-mail traffic.
Antivirus
The antivirus feature uses a scanning engine and virus signature databases to protect against virus-infected files, trojans,
worms, spyware, and other malicious code.
Content Filtering
Content filtering provides basic data loss prevention: it filters traffic based on MIME type, file
extension, and protocol commands.
Web Filtering
Web filtering can use either a locally administered Websense server or the Internet-based SurfControl service. Web filtering
also serves to track productivity and corporate user behavior.
Design Basics
The slide highlights the topic we discuss next.
Design Considerations
Some UTM features require additional CPU processing, such as antivirus. Available memory and CPU cycles limit the number
of files that can be simultaneously scanned, as well as the size of files that can be scanned. Different antivirus options exist
to accommodate different levels of CPU and memory usage. We discuss antivirus options in more detail in Chapter 4.
Configuration Components
The custom-objects hierarchy level is where you first begin to implement UTM on the SRX device. Custom objects are
global parameters shared by all UTM features and are used to create object lists. These lists contain the building blocks (IP
addresses, domain names, e-mail addresses, URLs, and so on) used in the different UTM feature profiles. The
majority of UTM settings are configured within the feature profile, which defines the operation of each UTM
feature. For example, the antivirus feature profile settings control how a protocol is scanned and what action is taken
when a virus is identified. The UTM policy is the central point where the different feature profiles are applied, per protocol.
Security policies reference the UTM policy, so that traffic matching such a policy as it passes between zones receives the
additional inspection that UTM provides; traffic permitted by a security policy that references no UTM policy is not inspected.
Hardware Support
The slide highlights the topic we discuss next.
Licensing Features
Licensing
The slide illustrates which UTM features require a license.
We Discussed:
• The security challenges of branch offices;
• The features which UTM offers;
• How each UTM feature addresses the challenges of the branch office;
• The SRX hardware devices on which UTM is available; and
• The UTM features which require specific licenses.
Review Questions
Chapter 3: Antispam
Junos Unified Threat Management
We Will Discuss:
• Antispam methods and terminology;
• How Unified Threat Management (UTM) examines traffic for spam;
• The configuration of an effective antispam UTM policy; and
• The verification and monitoring of an antispam operation.
What Is Spam?
Spam consists of unwanted e-mail messages. These e-mail messages are usually sent by commercial, malicious, or fraudulent
entities. Antispam is the ability to prevent spam before it enters the network. Antispam is one of several features—including
content filtering, antivirus, and Web filtering—that make up Juniper’s UTM suite on the SRX Series Services Gateway device. The
antispam feature examines transmitted e-mail messages to identify spam. When the device detects a message deemed to be
spam, it blocks the e-mail message or tags the e-mail message header or subject with a preprogrammed string. Note that the
antispam feature is not meant to replace an existing antispam server on the network, but to complement it. The SRX device
supports two antispam methods, local list filtering and server-based filtering, which we discuss next.
Whitelist
The slide defines whitelists and blacklists. A whitelist identifies known good e-mail senders that you want the SRX device to
accept. The e-mail messages that match a source on the whitelist are deemed harmless. A match allows the e-mail traffic
through the SRX device.
Blacklist
A blacklist contains the e-mail sources that you want the device to reject. The e-mail messages that match the blacklist are
deemed malicious. A match either blocks the e-mail message or tags the message, depending on the action specified in the
antispam profile configuration. The tag option allows you to configure a message in the e-mail subject line, or in the protocol
header of the packet. When you choose to tag the subject line, a user-defined string is added at the beginning of the subject
of the e-mail. When you choose to tag the header, a user-defined string is added to the protocol header of the packet.
You can configure entries on either list by IP address, e-mail address, or domain name. Entries may use the asterisk (*) and
question mark (?) wildcards. A wildcard URL must be preceded by http://; the asterisk is allowed only at the beginning of the
URL and must be followed by a period, and the question mark is allowed only at the end of the URL. For example, the wildcard
syntax http://*.juniper.net is supported, whereas http://* is not.
SMTP
End users use SMTP to send outbound e-mail, but they do not use SMTP to receive e-mail. On the slide diagram, User 1 is
sending an e-mail to User 2. The arrows show the path of the e-mail message. SMTP is used to send User 1’s e-mail message
to her local e-mail server. SMTP is again used to relay the message across the Internet to User 2’s local e-mail server. After
User 2’s e-mail server receives the inbound e-mail message, the client connection between User 2 and his local e-mail
server synchronizes through either Post Office Protocol 3 (POP3) or Internet Message Access Protocol (IMAP). This distinction
is important because, as of Junos OS Release 12.1, the antispam feature supports filtering only on SMTP; it does not support
antispam filtering on POP3 or IMAP. Mail that a client retrieves from an external mailbox over POP3 or IMAP therefore passes
through the SRX device without antispam inspection.
Identifying Spam
Identifying spam means identifying the senders of spam e-mail. The spam block list (SBL) server filters on an IP-based
blacklist: it considers IP addresses included in the list to be invalid addresses for mail servers. An e-mail server's IP
address is listed only when it meets the SBL criteria, which include the following:
• Running an open relay service;
• Running an open proxy (of various kinds);
• Zombie hosts;
• Dynamic IP range (which is unlikely to host a legitimate mail server); and
• A confirmed spam source (known IP addresses owned by spammers).
When no positive identification exists for spam on an e-mail message, the e-mail message passes normally.
Configuring Antispam
The slide highlights the topic we will discuss next.
Configuring Antispam
To prevent or reduce the volume of spam messages you receive, you must configure custom objects, an antispam profile, and a
UTM policy.
If you are using local list spam filtering, you must configure whitelists and blacklists under custom objects. If you are using only
server-based spam filtering, you do not have to configure the local lists under custom objects.
The antispam feature-profile is where you apply any local lists that are configured. The feature-profile also
includes the configuration for the default spam action. Note that when you configure the antispam profile, you must either
enable or disable the SBL server.
Next, you create a UTM policy that references the antispam profile. Finally, you assign the UTM policy to a security policy.
Monitoring Antispam
The slide introduces the commands to verify and monitor antispam operation on an SRX device. The first of these
commands shows how many e-mails are scanned, tagged, or dropped:
user@srx> show security utm anti-spam statistics
UTM Anti Spam statistics:
Total connections: 3
Denied connections: 0
Total greetings: 3
Denied greetings: 0
Total e-mail scanned: 3
White list hit: 1
Black list hit: 2
Spam total: 2
Spam tagged: 2
Spam dropped: 0
DNS errors: 0
Timeout errors: 0
Return errors: 0
Invalid parameter errors: 0
DNS Server:
Primary : 208.67.222.222, Src Interface: ge-0/0/0
Secondary: 0.0.0.0, Src Interface: ge-0/0/8
Ternary : 0.0.0.0, Src Interface: ge-0/0/9
This command is especially helpful when verifying SBL server status. The full output, as shown on the slide, also identifies the
domain name used to reach the SBL server, msgsecurity.juniper.net, and lists the DNS servers and the source interface used
to reach each of them. Because the SBL lookup is a DNS query, a rising DNS errors or Timeout errors counter means that
server-based filtering is not getting answers and only the local lists are taking effect; in the output above, only the primary
DNS server is configured.
In addition, an SRX device creates log messages each time spam is identified. Use the pipe symbol (|) and match option to
display only the antispam log messages.
show log messages | match antispam
The slide shows two examples of log messages, both reporting that spam has been identified for nancy@utm.juniper.net. The
first log results from the spam action configured as block. When this action is configured, the log message states Deny
reason. The second message results from the spam action configured as tag-subject. When this action is configured,
the log message states Tag email subject reason.
Case Study
The slide highlights the topic we will discuss next.
UTM Configuration
The first part of the UTM configuration is the custom objects. The local whitelist and blacklist have been defined. In this
configuration, the whitelist is named white and the blacklist black. The whitelist contains the domain name xyz.com;
the blacklist contains the e-mail address spam@xyz.com. Because of the order in which the lists are processed, this
configuration accomplishes the objective in the case study: e-mail from spam@xyz.com is treated as spam (tagged or blocked
according to the configured spam action), whereas all other e-mail from xyz.com is allowed.
The next part of the configuration is the antispam feature-profile. You apply the whitelist and blacklist using the
address-whitelist and address-blacklist commands. You create the antispam feature profile under the [edit
security utm feature-profile anti-spam sbl] hierarchy. This profile allows you to enable the SBL server and
define the default spam action. In this case study, we enable the SBL server and specify the default action to tag the subject
line of the spam e-mail messages.
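The full configuration for the procedure in Configuring Antispam and for this case study, written out here as an added example rather than taken from the slides (the Configuration Components section of Chapter 2 describes the same four layers in general terms): custom objects, the antispam feature profile, the UTM policy, and the security policy that references it. The names white, black, xyz.com, and spam@xyz.com come from the case study; the profile, policy, zone, and address names, the tag string, the mail server address, and the name server are this example's own choices.

```junos
# Name server: the SBL lookup is a DNS query, so the device needs a reachable
# resolver (this address is the primary DNS server shown in the statistics output)
set system name-server 208.67.222.222

# Custom objects: the local lists are url-pattern objects whose entries may be
# IP addresses, e-mail addresses, or domain names (values from the case study)
set security utm custom-objects url-pattern white value xyz.com
set security utm custom-objects url-pattern black value spam@xyz.com

# Antispam feature profile: apply the lists, enable the SBL server
# (no-sbl-default-server disables it), and tag the subject of anything
# identified as spam (block and tag-header are the alternative actions)
set security utm feature-profile anti-spam address-whitelist white
set security utm feature-profile anti-spam address-blacklist black
set security utm feature-profile anti-spam sbl profile as-profile sbl-default-server
set security utm feature-profile anti-spam sbl profile as-profile spam-action tag-subject
set security utm feature-profile anti-spam sbl profile as-profile custom-tag-string "***SPAM***"

# UTM policy: antispam binds only to SMTP, the one protocol it inspects
set security utm utm-policy utm-mail anti-spam smtp-profile as-profile

# Security policy: UTM runs only on sessions a policy hands to the UTM policy,
# so match the inbound SMTP flow to the mail server (assumed address) explicitly
set security address-book global address mail-server 10.1.1.25/32
set security policies from-zone untrust to-zone trust policy inbound-mail match source-address any
set security policies from-zone untrust to-zone trust policy inbound-mail match destination-address mail-server
set security policies from-zone untrust to-zone trust policy inbound-mail match application junos-smtp
set security policies from-zone untrust to-zone trust policy inbound-mail then permit application-services utm-policy utm-mail
set security policies from-zone untrust to-zone trust policy inbound-mail then log session-init
```

After committing, send one message from spam@xyz.com and one from another xyz.com sender and check show security utm anti-spam statistics: the first should increment Black list hit and Spam tagged and arrive with ***SPAM*** prepended to its subject; the second should increment White list hit. show log messages | match antispam shows the corresponding Tag email subject entry.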
We Discussed:
• Antispam methods and terminology;
• How UTM examines traffic for spam;
• The configuration of antispam profiles, custom objects, and UTM policies; and
• The verification and monitoring of an antispam operation.
Review Questions
Antispam Lab
The slide provides the objective for this lab.
We Will Discuss:
• How the antivirus process examines traffic;
• Differences between full file-based and express antivirus;
• Antivirus configuration settings;
• Available scanning options for supported protocols; and
• Verifying antivirus functionality.
Antivirus Terminology
The slide lists the topics we will discuss. We discuss the highlighted topic first.
What Is a Virus?
A virus is executable code that infects or attaches itself to other executable code to reproduce itself. Malicious viruses erase
files, lock up end host systems, or otherwise interfere with network operation. Other viruses merely infect files and
overwhelm the target host or network with bogus data. Additional virus-related threats include trojans, rootkits, and other
types of malicious code. Viruses are usually spread by attaching themselves as files or scripts inside protocol traffic.
What Is Antivirus?
Antivirus is an established part of the Unified Threat Management (UTM) suite on the Junos operating system, and is an
important part of any enterprise network security strategy. The antivirus feature of the branch SRX gateway prevents viruses
at the gateway before they enter the network. The SRX device uses an antivirus module that includes both a scan engine and
a virus signature database. The antivirus module compares network traffic against known virus types. If a virus is detected,
the file is dropped, and the originator of the traffic is notified. Antivirus scanning is a separately licensed subscription
service. When your antivirus license key expires, you can continue to use locally stored antivirus signatures without any
updates; but if the local database is then deleted, antivirus scanning is disabled. Administrators can choose among the
scanning methods described in this chapter (full file-based, express, and Sophos), but only one scanning method can be
active on the device at a time.
Pattern Matching
The antivirus module for both full file-based and express antivirus contains a database of virus signature patterns, and the SRX
device checks files against the database for a match. This process is known as pattern matching. Both methods perform
pattern matching against a virus signature database, but in different ways. In full file-based antivirus, the CPU performs
the pattern matching in software. The express antivirus scanning engine offloads pattern matching to a hardware engine, the
Content Security Accelerator (CSA), which significantly reduces CPU and memory usage. The CSA hardware engine is available
on the SRX210, SRX220, SRX240, and SRX650 platforms and yields higher throughput at the expense of somewhat lower
catch rates. Platforms not equipped with a CSA can still perform software pattern matching, but performance will be lower.
(UTM always requires the high-memory option.)
Pattern Updates
The virus database must stay current to keep matching new virus threats. Pattern update options are used for either full
file-based or express scanning to control antivirus engine and signature database updates. To point updates at a specific
database server, specify its URL; if you do not specify a URL, the default URL http://update.juniper-updates.net/AV is
used. We discuss the pattern update configuration later in the chapter. The antivirus and malware database for Sophos
antivirus is not downloaded to the device; it is stored on remote SXL servers that the device queries.
Intelligent Prescreening
One technique used to increase the effectiveness of antivirus scanning is intelligent prescreening. Full file-based scanning
begins to scan data after the SRX device has received all the packets of a file. Express scanning begins to scan data packets
as they are received, but still scans all the packets of the file. Intelligent prescreening tells the antivirus scan engine to use
the first packet or the first several packets of a file to determine if the file could possibly contain malicious code. The scan
engine does a quick check on these first packets. If it finds that the file is unlikely infected, then the file is safe to bypass the
normal scanning procedure. It is not necessary to store and scan the whole file. Intelligent prescreening behaves the same
for both full file-based and express antivirus scanning. By default, intelligent prescreening is enabled to improve antivirus
scanning performance. You can disable it with the following command:
set security utm feature-profile anti-virus (kaspersky-lab-engine | juniper-express-engine) profile profile-name scan-options no-intelligent-prescreening
Note that the Sophos antivirus method does not provide the same intelligent prescreening detection as full file-based and
express antivirus scanning. Sophos does provide a similar solution that is part of the Sophos engine and cannot be turned
on and off.
Antivirus Operation
The slide highlights the topic we discuss next.
The scanning options for full file-based scanning allow you to configure one of two scan modes: all or by-extension.
When the scan mode is set to all, the antivirus scanning engine scans every file regardless of its file extension; with
by-extension, only files whose extensions are on the configured scan-extension list are scanned. The diagram on the slide
shows both inbound and outbound traffic carrying different file types through an SRX240; each of the file types shown is
processed for antivirus scanning. Note that the Sophos engine also checks URIs against the Sophos URI database. If your SRX
device protects an internal network that has no HTTP traffic, or Web servers that are not reachable from the outside world,
you might want to turn off URI checking, because such servers are unlikely to appear in the Sophos URI database.
Session Throttling
Session throttling restricts the amount of traffic a single source can consume at one time. The limit is an integer, 100 by
default, that sets the maximum number of simultaneous sessions allowed from a single source. You can change this default,
but be aware that setting the limit very high is comparable to having no limit at all; the point of the limit is to keep one
client from consuming the scanning capacity discussed under Design Considerations.
Antivirus Whitelists
When the SRX antivirus module parses traffic, it can identify content that is not considered harmful and need not be
scanned. HTTP MIME headers and URL information are used to obtain information about the file type being carried. The
URL whitelist is a custom URL category of URLs or IP addresses whose traffic always bypasses antivirus scanning (the Web
filtering feature has a URL whitelist of its own). The SRX device also uses a MIME whitelist to decide which traffic can bypass
antivirus scanning. The slide shows the order of HTTP processing with regard to antivirus scanning: the URL whitelist is
matched first, followed by the MIME whitelist. If neither whitelist matches, the antivirus feature profile settings govern
virus scanning. The URL and MIME whitelists apply only to HTTP traffic, and every whitelist entry is content the scanner
never sees, so keep the lists to sources and types you can justify.
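The antivirus settings discussed in this chapter (engine selection, pattern updates, scan mode, intelligent prescreening, session throttling, and the URL and MIME whitelists) as one full file-based configuration. This is an added example, not configuration from the slides or from Juniper's documentation; all object, profile, policy, and zone names, the update interval, the bypass-list contents, and the fallback choices are this example's own assumptions, and the update URL is the default given in the text.

```junos
# Engine selection: exactly one antivirus type can be active; full file-based
# scanning is the Kaspersky Lab engine
set security utm feature-profile anti-virus type kaspersky-lab-engine

# Pattern updates: the URL is the default from the text; the interval in
# minutes is this example's choice
set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update url http://update.juniper-updates.net/AV
set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update interval 120

# Bypass lists (HTTP only): streaming media skips scanning, except one MIME
# type pulled back in through the exception list; one assumed trusted update
# host skips by URL. Everything listed here is never scanned, so keep it short.
set security utm custom-objects mime-pattern av-mime-skip value video/
set security utm custom-objects mime-pattern av-mime-skip value audio/
set security utm custom-objects mime-pattern av-mime-skip-except value video/x-shockwave-flash
set security utm custom-objects url-pattern av-url-skip value http://updates.example.com
set security utm custom-objects custom-url-category av-url-skip-cat value av-url-skip
set security utm feature-profile anti-virus mime-whitelist list av-mime-skip
set security utm feature-profile anti-virus mime-whitelist exception av-mime-skip-except
set security utm feature-profile anti-virus url-whitelist av-url-skip-cat

# Scan profile: scan every file regardless of extension, leave intelligent
# prescreening at its default (enabled; no-intelligent-prescreening turns it
# off), and fail closed when the engine cannot reach a verdict
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-full scan-options scan-mode all
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-full scan-options content-size-limit 10000
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-full fallback-options default block
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-full fallback-options content-size block
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-full fallback-options engine-not-ready block
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-full fallback-options out-of-resources block
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-full notification-options virus-detection type message
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-full notification-options virus-detection custom-message "Virus detected; transfer blocked"

# UTM policy: bind the profile per protocol and throttle sessions per client
# (100 is the default limit stated in the text; the over-limit action is what
# makes the limit enforceable)
set security utm utm-policy utm-av anti-virus http-profile av-full
set security utm utm-policy utm-av anti-virus ftp upload-profile av-full
set security utm utm-policy utm-av anti-virus ftp download-profile av-full
set security utm utm-policy utm-av anti-virus smtp-profile av-full
set security utm utm-policy utm-av anti-virus pop3-profile av-full
set security utm utm-policy utm-av anti-virus imap-profile av-full
set security utm utm-policy utm-av traffic-options sessions-per-client limit 100
set security utm utm-policy utm-av traffic-options sessions-per-client over-limit block

# Security policy: only traffic matched here is scanned
set security policies from-zone trust to-zone untrust policy out-web match source-address any
set security policies from-zone trust to-zone untrust policy out-web match destination-address any
set security policies from-zone trust to-zone untrust policy out-web match application junos-http
set security policies from-zone trust to-zone untrust policy out-web match application junos-ftp
set security policies from-zone trust to-zone untrust policy out-web then permit application-services utm-policy utm-av
```

The fallback-options here fail closed: a file the engine cannot scan (too large, engine not ready, out of resources) is blocked rather than passed. That is the safer choice, but it turns scanner exhaustion into an outage, which is why the per-client session limit carries an over-limit action. On a device where availability matters more than coverage, set out-of-resources to log-and-permit and watch the fallback counters in show security utm anti-virus statistics.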
This slide demonstrates how to configure the UTM custom objects using the Junos Web user interface (J-Web). To access the
UTM configuration workspace, select the Configuration tab at the top and then select Security > UTM > Custom
Objects from the sidebar menu. You begin by configuring the custom objects so that they can be used in the feature profile
and UTM policies.
Monitoring Antivirus
The slide highlights the topic we discuss next.
Verify Licensing
A valid license is required for antivirus operation. The top of the slide shows the output of the show system license
command, which lists the installed licenses; in this case, the av_key_kaspersky_engine license has been successfully
installed. If the SRX device has no antivirus license, the show security utm anti-virus status command reports
that a license is not installed. Note that Sophos antivirus scanning is a separately licensed subscription service, and because
its pattern lookup database is located on remote servers maintained by Sophos, scanning stops working when the Sophos
license key expires. You have a 30-day grace period in which to update your license.
We Discussed:
• How the antivirus process examines traffic;
• Differences between full file-based and express antivirus;
• Antivirus configuration settings;
• Available scanning options for supported protocols; and
• Verifying antivirus functionality.
Review Questions
Antivirus Lab
The slide provides the objectives for this lab.
We Will Discuss:
• The purpose of content filtering and Web filtering;
• The parameters used to configure content filtering and Web filtering;
• Configuring content filtering and Web filtering; and,
• Monitoring content filtering and Web filtering.
Content Filtering
Content filtering is a feature that allows or blocks traffic based on the Multipurpose Internet Mail Extension (MIME) type, file
extension, protocol commands, and embedded object type. This feature is supported for HTTP, FTP, and mail protocols such
as SMTP, Post Office Protocol 3 (POP3), and Internet Message Access Protocol (IMAP).
Once content is blocked, users can be notified by a custom message or e-mail depending on the protocol.
This feature does not require a license.
Web Filtering
Web filtering or URL filtering provides the ability to permit or deny access to specific URLs based on the category to which
they belong. The Web filter intercepts HTTP requests, and a decision is then made with the HTTP request on an external
server (SurfControl or Websense), or on the SRX device (whitelist or blacklist) to permit or block the request.
Web filtering acts as a first line of defense. If a website is a known source of malware, what is easier than blocking access to
that site?
Three deployment options are supported:
• SurfControl: This option uses an in-the-cloud server that keeps a database of website categories.
• Websense: This option uses a locally administered server that keeps a database of categories and Web
filtering policies.
• Local lists: This option uses whitelists and blacklists configured on the SRX device.
Once traffic has been blocked, the client can receive a custom message in the Web browser.
The Websense option has the advantage of minimizing processing delays because the database is stored locally. Its
disadvantages are that an administrator must keep the database current and that redundancy requires multiple servers.
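A content-filtering profile and a local-list Web-filtering profile bound to one UTM policy, as an added example (not configuration from the slides). The blocked MIME types, extensions, and command, the URLs, addresses, and names used here, and the profile default are this example's own choices; the url-pattern wildcard form follows the rule given earlier in the course (http:// prefix, asterisk only at the start and followed by a period).

```junos
# Content-filtering custom objects: the MIME types, extensions, and protocol
# command to block (values are this example's choices)
set security utm custom-objects mime-pattern cf-block-mime value application/x-msdownload
set security utm custom-objects mime-pattern cf-block-mime value application/x-sh
set security utm custom-objects filename-extension cf-block-ext value exe
set security utm custom-objects filename-extension cf-block-ext value scr
set security utm custom-objects filename-extension cf-block-ext value vbs
set security utm custom-objects protocol-command cf-block-cmd value PUT

# Content-filtering profile (no license needed): block by MIME type, extension,
# HTTP PUT, and embedded ActiveX and Java objects; notify with a custom message
set security utm feature-profile content-filtering profile cf-dlp block-mime list cf-block-mime
set security utm feature-profile content-filtering profile cf-dlp block-extension cf-block-ext
set security utm feature-profile content-filtering profile cf-dlp block-command cf-block-cmd
set security utm feature-profile content-filtering profile cf-dlp block-content-type activex
set security utm feature-profile content-filtering profile cf-dlp block-content-type java-applet
set security utm feature-profile content-filtering profile cf-dlp notification-options type message
set security utm feature-profile content-filtering profile cf-dlp notification-options custom-message "Blocked by content-filtering policy"

# Web-filtering local lists: url-pattern objects grouped into custom categories;
# the wildcard entry carries the http:// prefix and the leading *. form
set security utm custom-objects url-pattern wf-deny value http://*.malware.example
set security utm custom-objects url-pattern wf-deny value 192.0.2.10
set security utm custom-objects url-pattern wf-allow value http://www.juniper.net
set security utm custom-objects custom-url-category wf-blacklist value wf-deny
set security utm custom-objects custom-url-category wf-whitelist value wf-allow
set security utm feature-profile web-filtering url-whitelist wf-whitelist
set security utm feature-profile web-filtering url-blacklist wf-blacklist

# Local-list deployment option: no external server; a request on neither list
# falls through to the profile default
set security utm feature-profile web-filtering type juniper-local
set security utm feature-profile web-filtering juniper-local profile wf-local default log-and-permit
set security utm feature-profile web-filtering juniper-local profile wf-local custom-block-message "Access to this site is blocked by corporate policy"

# UTM policy: content filtering on HTTP, FTP, and SMTP; Web filtering on HTTP
set security utm utm-policy utm-web content-filtering http-profile cf-dlp
set security utm utm-policy utm-web content-filtering ftp upload-profile cf-dlp
set security utm utm-policy utm-web content-filtering ftp download-profile cf-dlp
set security utm utm-policy utm-web content-filtering smtp-profile cf-dlp
set security utm utm-policy utm-web web-filtering http-profile wf-local

# Security policy: only matched sessions reach the UTM policy
set security policies from-zone trust to-zone untrust policy out-web match source-address any
set security policies from-zone trust to-zone untrust policy out-web match destination-address any
set security policies from-zone trust to-zone untrust policy out-web match application junos-http
set security policies from-zone trust to-zone untrust policy out-web match application junos-ftp
set security policies from-zone trust to-zone untrust policy out-web match application junos-smtp
set security policies from-zone trust to-zone untrust policy out-web then permit application-services utm-policy utm-web
```

With default log-and-permit, the local option blocks only what is explicitly blacklisted and logs everything else, which is a reasonable starting point; switch the default to block once the whitelist covers what users need. Verify with show security utm web-filtering statistics and show security utm content-filtering statistics.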
We Discussed:
• The purpose of content filtering and Web filtering;
• The parameters used to configure content filtering and Web filtering;
• Configuring content filtering and Web filtering; and
• Monitoring content filtering and Web filtering.
Review Questions