2014 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Objectives
Agenda: Unified Threat Management and Screen Options
Overview of UTM
Web Filtering
Anti-Virus
Screen Options
UTM Topics
Web filtering
Anti-Virus
Content filtering (not listed as a tested category)
Antispam (not listed as a tested category)
UTM Overview
Common UTM Components
Web Filtering
Web Filtering Implementation
URL pattern examples:
Valid values:
  http://*.dwwtc.com
  http://www.dwwtc.???
  172.16.10.5
  www.dwwtc.com
Invalid values:
  www.dwwtc.c?? (wildcards are accepted only in patterns that begin with http://)
  http://*dwwtc.com (the asterisk must be followed by a dot)
Wildcard rules: a pattern may contain a single asterisk, only at the start of the host name and followed by a dot; question marks are accepted only at the end of the pattern; a plain host name or IP address needs no scheme.
Custom Objects (2 of 2)
Custom Category
Profiles: Juniper-local
Limited functionality
No license required
Uses only the url-whitelist and url-blacklist custom categories to classify traffic (no category lookups against an external server)
Feature-specific options
  Custom block message
  Default action
  Fallback options
If a URL matches neither the whitelist nor the blacklist, the default action is to permit the traffic; a profile that is meant to enforce an allowlist must set the default action to block, otherwise it fails open
Juniper-local Configuration
Juniper-local Profile Options
Custom-block-message (a message containing spaces must be quoted)
[edit security utm feature-profile web-filtering juniper-local profile my_local]
#set custom-block-message "You have been blocked"
Profiles: Websense-redirect
Websense-redirect Configuration
Websense-redirect Profile Options
Account
Custom-block-message
Fallback-settings (action taken when the Websense server cannot answer)
  Default
  Server-connectivity
  Too-many-requests
  Timeout
Server
  Host
  Port
  Socket
  Timeout
Profiles: Surfcontrol-integrated
Requires an Internet connection to send URL requests, which return a site classification
The Surfcontrol profile maps each classification to the action taken on the traffic
Uses UDP port 9020
Does not support safe-search or URL reputation
Requires a license
A local cache can store previous matches to reduce traffic to the Internet
Surfcontrol-integrated Configuration
Surfcontrol-integrated Profile Options
Cache
  Size
  Timeout
Categories (category to action mapping)
Custom-block-message
Default action (applied to categories that have no explicit mapping)
Fallback-settings (action taken when the classification server cannot be consulted; if left unconfigured the fallback action is log-and-permit, so an unreachable server fails open)
  Default; server-connectivity; too-many-requests; timeout
Server
  Host
  Port
  Timeout
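The fallback settings are where a category-lookup profile quietly becomes fail-open, so the example below, added here and not taken from the course material, configures a Surfcontrol-integrated profile in which every fallback path blocks. The profile, category, list and UTM-policy names, the cache and timeout values, and the server port are assumptions; the blocked category is a custom URL category built from custom objects rather than one of the SurfControl predefined categories, and the server host is left at its default. Lines beginning with # are explanatory and are not part of the configuration.

```junos
# Custom objects: a URL pattern list and a custom category wrapping it
set security utm custom-objects url-pattern blocked-sites value http://*.dwwtc.com
set security utm custom-objects url-pattern blocked-sites value 172.16.10.5
set security utm custom-objects custom-url-category cat-blocked value blocked-sites

# Engine-level settings: local cache for previous classifications (size in KB,
# timeout in minutes) and the port used to reach the classification server
set security utm feature-profile web-filtering surf-control-integrated cache size 500
set security utm feature-profile web-filtering surf-control-integrated cache timeout 1800
set security utm feature-profile web-filtering surf-control-integrated server port 9020

# Profile: explicit category action, then the fail-closed fallbacks.
# Without the fallback-settings lines an unreachable or slow server results
# in log-and-permit, i.e. the filter silently stops filtering.
set security utm feature-profile web-filtering surf-control-integrated profile sc-strict category cat-blocked action block
set security utm feature-profile web-filtering surf-control-integrated profile sc-strict default log-and-permit
set security utm feature-profile web-filtering surf-control-integrated profile sc-strict custom-block-message "Blocked by web filtering policy"
set security utm feature-profile web-filtering surf-control-integrated profile sc-strict timeout 10
set security utm feature-profile web-filtering surf-control-integrated profile sc-strict fallback-settings default block
set security utm feature-profile web-filtering surf-control-integrated profile sc-strict fallback-settings server-connectivity block
set security utm feature-profile web-filtering surf-control-integrated profile sc-strict fallback-settings timeout block
set security utm feature-profile web-filtering surf-control-integrated profile sc-strict fallback-settings too-many-requests block

# Bind the profile to a UTM policy for HTTP; the UTM policy is then referenced
# from a security policy with "then permit application-services utm-policy wf-policy"
set security utm utm-policy wf-policy web-filtering http-profile sc-strict
```

After committing, "show security utm web-filtering status" reports whether the server is reachable; with the fallbacks set to block, a status of server unreachable means HTTP through the policy is being denied rather than passed unchecked, which is the behaviour to decide on deliberately before rollout.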
Profiles: Juniper-enhanced
Juniper-enhanced Configuration
Juniper-enhanced Profile Options
Apply a profile in a UTM policy (either a custom profile or one of the predefined profiles):
[edit security utm utm-policy my-policy]
#set web-filtering http-profile <profile-name>
Security Policy
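The slides show the web-filtering pieces one at a time (custom objects, profile, UTM policy, security policy). The following is an added example, not course material, that wires them together end to end for the Juniper-local profile, with the default action set to block so that the allowlist actually enforces something. The list, category, profile, UTM-policy, zone and security-policy names and the pattern values are assumptions; "example" is used as a placeholder domain. Lines beginning with # are explanatory and are not part of the configuration.

```junos
# 1. Custom objects: URL pattern lists (wildcards need the http:// prefix,
#    the asterisk must be followed by a dot) and the categories that wrap them
set security utm custom-objects url-pattern allowed-sites value http://*.dwwtc.com
set security utm custom-objects url-pattern allowed-sites value 172.16.10.5
set security utm custom-objects url-pattern denied-sites value http://*.malware.example
set security utm custom-objects custom-url-category cat-allowed value allowed-sites
set security utm custom-objects custom-url-category cat-denied value denied-sites

# 2. Juniper-local profile: whitelist, blacklist and an explicit default action.
#    Without "default block", any URL matching neither list is permitted.
set security utm feature-profile web-filtering juniper-local profile wf-local url-whitelist cat-allowed
set security utm feature-profile web-filtering juniper-local profile wf-local url-blacklist cat-denied
set security utm feature-profile web-filtering juniper-local profile wf-local default block
set security utm feature-profile web-filtering juniper-local profile wf-local custom-block-message "You have been blocked"
set security utm feature-profile web-filtering juniper-local profile wf-local fallback-settings default block

# 3. UTM policy referencing the profile for HTTP
set security utm utm-policy wf-policy web-filtering http-profile wf-local

# 4. Security policy: UTM is only applied to traffic the policy permits,
#    so the match terms decide which HTTP flows get filtered at all
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services utm-policy wf-policy
```

To check the result, fetch an allowed and a denied URL through the device and compare the counters in "show security utm web-filtering statistics"; the block message configured above is what the client sees for the denied request. Note that the profile only inspects HTTP matched by the security policy, so HTTPS, other ports and any policy that does not reference the UTM policy are not covered.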
Web Filtering Verification
Basic
>show log messages | match WF
>show security utm web-filtering statistics
>show security utm web-filtering status
Anti-Virus
Initial Steps
What is needed for Anti-Virus to work?
A license
Configuring Anti-Virus
Apply Custom Objects
URL-patterns
  Covered in Web-filtering (used by all AV engines)
MIME patterns (used by all Anti-Virus engines): the lists are defined under [edit security utm custom-objects mime-pattern <list-name>] and applied in the engine profile
[edit security utm feature-profile anti-virus <engine> profile <name>]
#set mime-whitelist list good-mime
#set mime-whitelist exception check-anyway
Filename-extensions (Kaspersky engine only; takes effect together with scan-options scan-mode by-extension)
[edit security utm feature-profile anti-virus kaspersky-lab-engine]
#set profile kaspersky scan-options scan-extension file-ext-list
Profiles: Sophos
Requires a license
Less CPU intensive than full-file scanning
Good for lower-end devices because it uses less memory
Requires an Internet connection for in-the-cloud URI and hashed content checking
Communicates with the server using DNS messages
Uses a local internal cache to keep query responses from the external server and improve lookup performance
Supports HTTP, FTP, SMTP, IMAP, and POP3
Profiles: Kaspersky Full Anti-Virus
Requires a license
The full Anti-Virus signature file is loaded onto the SRX
Does not need an Internet connection for file checking, but needs access to update files
Performs pattern matching, execution analysis and some file heuristics
Supports HTTP, FTP, SMTP, IMAP, and POP3
Profiles: Juniper Express
Requires a license
Stripped-down version of the Kaspersky Full Anti-Virus
Does not need an Internet connection for file checking, but needs access to update files
Performs only packet-based string matching
Supports HTTP, FTP, SMTP, IMAP, and POP3
Anti-Virus Feature Profiles
[edit security utm feature-profile anti-virus]
#set type sophos-engine (for Sophos)
#set sophos-engine pattern-update
or
#set type kaspersky-lab-engine (for Kaspersky Full File)
#set kaspersky-lab-engine pattern-update
or
#set type juniper-express-engine (for Juniper Express)
#set juniper-express-engine pattern-update
Anti-Virus Feature Profiles: Options
UTM Policy
[edit security utm utm-policy <name>]
#set anti-virus http-profile <profile-name>
One profile keyword per protocol: http-profile, ftp upload-profile, ftp download-profile, smtp-profile, imap-profile, pop3-profile
Protocols supported:
HTTP, FTP, IMAP, POP3, SMTP
The profile is either a custom profile or one of the predefined profiles:
junos-av-defaults (Kaspersky)
junos-eav-defaults (Express Engine)
junos-sophos-av-defaults (Sophos)
Security Policy
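As with web filtering, the Anti-Virus slides show engine selection, custom objects, profile, UTM policy and security policy separately. The example below is added here and is not course material: a complete Sophos configuration in which the fallback actions are set explicitly to block, so that a scan that cannot complete (engine not ready, oversized content, timeout, resource exhaustion) fails closed instead of whatever the engine default would do. The list, profile, UTM-policy, zone and security-policy names, the update interval and the size limit are assumptions; the MIME values illustrate the whitelist/exception mechanism (skip image/ types, but still scan image/x-shockwave-flash). Lines beginning with # are explanatory and are not part of the configuration.

```junos
# Engine selection and signature/pattern updates (interval in minutes)
set security utm feature-profile anti-virus type sophos-engine
set security utm feature-profile anti-virus sophos-engine pattern-update interval 120

# Custom objects: a MIME list to bypass and an exception list that is scanned anyway
set security utm custom-objects mime-pattern good-mime value image/
set security utm custom-objects mime-pattern check-anyway value image/x-shockwave-flash

# Profile: apply the MIME lists, enable cloud URI checks, cap the scanned size,
# and make every fallback path block
set security utm feature-profile anti-virus sophos-engine profile av-strict mime-whitelist list good-mime
set security utm feature-profile anti-virus sophos-engine profile av-strict mime-whitelist exception check-anyway
set security utm feature-profile anti-virus sophos-engine profile av-strict scan-options uri-check
set security utm feature-profile anti-virus sophos-engine profile av-strict scan-options content-size-limit 10000
set security utm feature-profile anti-virus sophos-engine profile av-strict fallback-options default block
set security utm feature-profile anti-virus sophos-engine profile av-strict fallback-options content-size block
set security utm feature-profile anti-virus sophos-engine profile av-strict fallback-options engine-not-ready block
set security utm feature-profile anti-virus sophos-engine profile av-strict fallback-options timeout block
set security utm feature-profile anti-virus sophos-engine profile av-strict fallback-options too-many-requests block
set security utm feature-profile anti-virus sophos-engine profile av-strict fallback-options out-of-resources block
set security utm feature-profile anti-virus sophos-engine profile av-strict notification-options virus-detection type message
set security utm feature-profile anti-virus sophos-engine profile av-strict notification-options virus-detection custom-message "Virus detected; transfer blocked"

# UTM policy: one profile reference per protocol (FTP is split into upload and download)
set security utm utm-policy av-policy anti-virus http-profile av-strict
set security utm utm-policy av-policy anti-virus ftp upload-profile av-strict
set security utm utm-policy av-policy anti-virus ftp download-profile av-strict
set security utm utm-policy av-policy anti-virus smtp-profile av-strict
set security utm utm-policy av-policy anti-virus imap-profile av-strict
set security utm utm-policy av-policy anti-virus pop3-profile av-strict

# Security policy: the UTM policy only acts on traffic this policy permits
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application [ junos-http junos-ftp junos-smtp junos-imap junos-pop3 ]
set security policies from-zone trust to-zone untrust policy allow-out then permit application-services utm-policy av-policy
```

"show security utm anti-virus status" confirms the license, the engine type and the pattern version; if the pattern database has never been loaded the engine is not ready, and with the configuration above that state blocks the listed protocols rather than passing them unscanned, which is worth checking before the policy goes live.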
Anti-Virus Verification
Basic
>show log messages | match AV_VIRUS
>show security utm anti-virus statistics
>show security utm anti-virus status
Issues and Tips
Screening Options Overview
Screening Options: Attack Types
Reconnaissance
Denial of service
Suspicious packet
Reconnaissance Attacks (1 of 2)
Hierarchical level
[edit security screen ids-option <name>]
Protect against address sweeps: more than 10 ICMP echo requests from one source to different hosts within the threshold interval
  icmp ip-sweep threshold <microseconds>
Protect against port scans: more than 10 ports on one destination probed from the same source within the threshold interval
  tcp port-scan threshold <microseconds>
Protect against use of IP options
  ip record-route-option
  ip timestamp-option
  ip security-option
  ip stream-option
Reconnaissance Attacks (2 of 2)
Hierarchical level
[edit security screen ids-option <name>]
Protect against operating system probes
tcp syn-fin
tcp fin-no-ack
tcp tcp-no-flag
Denial-of-Service Attacks (1 of 2)
Hierarchical level
[edit security screen ids-option <name>]
Set session limits (concurrent sessions allowed per source or per destination address)
  limit-session source-ip-based 250
  limit-session destination-ip-based 250
Protect against SYN flooding
  tcp syn-flood alarm-threshold 750 (SYNs per second before an alarm is logged)
  tcp syn-flood attack-threshold 1000 (SYNs per second before SYN protection starts)
  tcp syn-flood timeout 10 (seconds a half-open connection is held before it is dropped)
Setting the protection mode
[edit security flow]
  syn-flood-protection-mode syn-proxy (the SRX completes the handshake on the server's behalf and keeps state for each half-open connection; suitable when source spoofing is not expected)
  syn-flood-protection-mode syn-cookie (stateless: no per-connection state is kept, so spoofed sources cannot exhaust the table; use if spoofing is suspected)
Denial-of-Service Attacks (2 of 2)
Protect against SYN-ACK-ACK proxy floods (too many proxied but unauthenticated connections from one source)
  tcp syn-ack-ack-proxy threshold <number of connections>
Protect against ICMP floods
  icmp flood threshold <packets per second>
Protect against UDP floods
  udp flood threshold <packets per second>
Protect against malformed traffic
  tcp land (Land attack: source and destination are the same address)
  tcp winnuke (packet sent to port 139 with the URG flag set)
  icmp ping-death (ping of death: oversized ICMP packets)
  ip tear-drop (Teardrop: overlapping fragment offsets that break reassembly)
Suspicious Packets
Protect against packet fragments
  ip block-frag (drop all IP fragments)
  ip tear-drop (fragmented packet reassembly issues)
  tcp syn-frag (a SYN packet should never be a fragment)
Protect against improper use of IP options
  ip bad-option
Protect against use of unknown protocols
  ip unknown-protocol (IP protocol number 137 or greater, i.e. reserved or unassigned)
Protect against spoofing
  ip spoofing (drop packets whose source address, looked up in the routing table, does not belong behind the ingress interface)
Apply Screen Options in a Zone
Hierarchical level
[edit security zone security-zone <name>]
screen <ids-option-name>
Screen Verification Commands
Basic verification
>show security zones <name>
>show security screen statistics zone <name>
>show security screen ids-option <ids-option-name>
Summary
UTM and Screen Options Lab