
Unified Threat Management and Screen Options

2014 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Objectives

After successfully completing this content, you will be able to:
  Identify items that could be tested during the JNCIE-SEC exam
  Describe the basic configuration steps for those items
  Verify that your configuration meets the defined objectives

Agenda: Unified Threat Management and Screen Options

Overview of UTM
Web Filtering
Anti-Virus
Screen Options

UTM Topics

  Web filtering
  Anti-Virus
  Content filtering (not listed as a tested category)
  Antispam (not listed as a tested category)

UTM Overview

  You could be asked to implement any of the multiple versions of Web filtering and Anti-Virus
  You should understand what is found under the junos-defaults group
  Remember to apply the UTM policy to a security policy to complete the task; a UTM policy that no security policy references inspects nothing

Common UTM Components

Major components of UTM:
  Custom objects
  Custom categories
  Whitelists and blacklists
  Feature profiles
  UTM policy
  Security policy

Web Filtering

Four types of Web filtering:
  Juniper-Local
  Websense-Redirect
  Surf-Control-Integrated
  Juniper-Enhanced

Web Filtering Implementation

Which common UTM components are used for Web filtering?
  Custom objects
    url-pattern
    custom-url-category
  Feature profile
    Type of Web filtering
    Apply url-whitelist and/or url-blacklist
    Set feature-profile options
  UTM policy
    Apply a custom or predefined profile
  Security policy
    Apply the UTM policy
Custom Objects (1 of 2)

Three rules for creating URL objects:
  Precede all wildcard URLs with http://
  Only use a * at the start of the URL, and follow it with a .
  Only use ? at the end of the URL

Examples:
  Valid values:
    http://*.dwwtc.com
    http://www.dwwtc.???
    172.16.10.5
    www.dwwtc.com
  Invalid values:
    www.dwwtc.c?? (wildcard URL without the http:// prefix)
    http://*dwwtc.com (the * is not followed by a .)

Custom Objects (2 of 2)

Where are custom objects created?
  [edit security utm custom-objects]
  #set url-pattern good-urls value [ http://*.dwwtc.com http://www.dwwtc.??? ]
  #set url-pattern bad-urls value [ http://*.baddomain.com 10.5.6.10 ]

Custom Category

Where are custom URL objects used?
  Within custom-url-categories
  [edit security utm custom-objects]
  #set custom-url-category white-url-objects value good-urls
  #set custom-url-category black-url-objects value bad-urls

Where are custom-url-categories referenced?
  After the url-whitelist or url-blacklist option of the feature profile
  Whitelist and blacklist checking is performed before any engine lookup: a blacklist hit blocks, a whitelist hit permits without further classification
  [edit security utm feature-profile web-filtering]
  #set url-whitelist white-url-objects
  #set url-blacklist black-url-objects

Profiles: Juniper-local

  Limited functionality
  No license required
  Only uses url-whitelist and url-blacklist to validate traffic
  Feature-specific options
    Custom block message
    Default setting
    Fallback options
  If no match to the whitelist or blacklist exists, the default is to permit traffic

Juniper-local Configuration

  Create custom-objects (url-pattern)
  Create custom-url-category
  Set the Web-filtering feature-profile options
    Type
    URL whitelist and/or blacklist
  [edit security utm feature-profile web-filtering]
  #set type juniper-local
  #set url-whitelist white-url-objects
  #set url-blacklist black-url-objects
  Configure juniper-local profile options (optional)

Juniper-local Profile Options

Custom-block-message
  [edit security utm feature-profile web-filtering juniper-local profile my_local]
  #set custom-block-message "You have been blocked"

Default: the action when neither the whitelist nor the blacklist matches
  [edit security utm feature-profile web-filtering juniper-local profile my_local]
  #set default [ permit | log-and-permit | block ]

Fallback-settings: the action when the Web-filtering engine cannot complete its work
  [edit security utm feature-profile web-filtering juniper-local profile my_local]
  #set fallback-settings default block
  #set fallback-settings too-many-requests log-and-permit

Profiles: Websense-redirect

  Requires a standalone Websense server to perform the filtering
  Does not require an Internet connection
  The SRX sends only the HTTP URL request to the server
  The decision is based on site classification
  The decision to permit or block is made at the server
  Does not require a license
  Server connectivity information must be defined

Websense-redirect Configuration

  Create custom-objects (url-pattern)
  Create custom-url-category
  Set the Web-filtering feature-profile options
    Type
    URL whitelist and/or blacklist
  [edit security utm feature-profile web-filtering]
  #set type websense-redirect
  #set url-whitelist white-url-objects
  #set url-blacklist black-url-objects
  Configure websense-redirect profile options (required: the server must be defined)

Websense-redirect Profile Options
  Account
  Custom-block-message
  Fallback-settings
    Default
    Server-connectivity
    Too-many-requests
    Timeout
  Server
    Host
    Port
  Sockets
  Timeout
Profiles: Surfcontrol-integrated
  Requires an Internet connection to send URL requests, which return a site classification
  The Surfcontrol profile determines the action to be taken on traffic
  Uses UDP port 9020
  Does not support safe-search or URL reputation
  Requires a license
  A local cache can store previous matches to reduce traffic to the Internet

Surfcontrol-integrated Configuration

  Create custom-objects (url-pattern)
  Create custom-url-category
  Set the Web-filtering feature-profile options
    Type
    URL whitelist and/or blacklist
  [edit security utm feature-profile web-filtering]
  #set type surfcontrol-integrated
  #set url-whitelist white-url-objects
  #set url-blacklist black-url-objects
  Configure surfcontrol-integrated profile options

Surfcontrol-integrated Profile Options
  Cache
    Size
    Timeout
  Categories (category-to-action mapping)
  Custom-block-message
  Default action
  Fallback-settings
    Default; server-connectivity; too-many-requests; timeout
  Server
    Host
    Port
  Timeout
Profiles: Juniper-enhanced

  Requires an Internet connection to send URL requests, which return a site classification
  Offers additional categorization and a reputation-based score
  Can force search engines to only use safe searches
  Local policy determines the action taken on traffic
  Uses UDP port 9020
  Requires a license
  A local cache can store previous matches to reduce traffic to the Internet

Juniper-enhanced Configuration

  Create custom-objects (url-pattern)
  Create custom-url-category
  Set the Web-filtering feature-profile options
    Type
    URL whitelist and/or blacklist
  [edit security utm feature-profile web-filtering]
  #set type juniper-enhanced
  #set url-whitelist white-url-objects
  #set url-blacklist black-url-objects
  Configure juniper-enhanced profile options

Juniper-enhanced Profile Options

  Cache (size and timeout)
  Categories (category-to-action mapping)
  No-safe-search
  Site-reputation action (reputation-to-action mapping)
  Custom-block-message
  Default action
  Fallback-settings
    Default; server-connectivity; too-many-requests; timeout
  Server (host and port)
  Timeout
Configure the UTM Policy

Configure a UTM policy
  [edit security utm utm-policy my-policy]
  #set web-filtering http-profile <custom-profile-name>
  or
  [edit security utm utm-policy my-policy]
  #set web-filtering http-profile <predefined-profile-name>

Pre-defined profiles include:
  junos-wf-local-default
  junos-wf-websense-default
  junos-wf-cpa-default
  junos-wf-enhanced-default

Security Policy

Apply the UTM policy to a security policy
  #set security policies from-zone <zone> to-zone <zone> policy <name> match source-address any destination-address any application junos-http
  #set security policies from-zone <zone> to-zone <zone> policy <name> then permit application-services utm-policy <utm-policy-name>
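The whole juniper-local build in set-command form, as an added example that is not part of the original slides: it strings together the custom objects, category, feature profile, UTM policy and security policy from the preceding slides so the dependencies between them are visible in one place. The zone names trust and untrust and the policy name allow-web are assumptions; the lines beginning with # are explanatory comments rather than Junos configuration, so strip them before pasting into load set terminal.

```junos
# --- Custom objects: the raw URL patterns (wildcard rules: http:// prefix,
# --- * only at the start and followed by a '.', ? only at the end)
set security utm custom-objects url-pattern good-urls value [ http://*.dwwtc.com http://www.dwwtc.??? 172.16.10.5 ]
set security utm custom-objects url-pattern bad-urls value [ http://*.baddomain.com 10.5.6.10 ]

# --- Custom categories: what the url-whitelist / url-blacklist statements can reference
set security utm custom-objects custom-url-category white-url-objects value good-urls
set security utm custom-objects custom-url-category black-url-objects value bad-urls

# --- Feature profile: engine type plus the two lists, which are evaluated before the engine
set security utm feature-profile web-filtering type juniper-local
set security utm feature-profile web-filtering url-whitelist white-url-objects
set security utm feature-profile web-filtering url-blacklist black-url-objects

# --- juniper-local profile: 'default' is the verdict when neither list matches.
# --- The shipped behaviour is permit; setting block turns the profile into an allow-list.
set security utm feature-profile web-filtering juniper-local profile my_local default block
set security utm feature-profile web-filtering juniper-local profile my_local custom-block-message "You have been blocked"
# --- fallback-settings apply only when the engine cannot return any verdict
set security utm feature-profile web-filtering juniper-local profile my_local fallback-settings default block
set security utm feature-profile web-filtering juniper-local profile my_local fallback-settings too-many-requests log-and-permit

# --- UTM policy: binds the profile to HTTP
set security utm utm-policy my-policy web-filtering http-profile my_local

# --- Security policy: UTM runs only on sessions this policy permits (zone and policy names assumed)
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services utm-policy my-policy
```

After commit, browse to a whitelisted and a blacklisted host from the trust zone and confirm that the whitelist and blacklist hit counters in show security utm web-filtering statistics both move; if only the permit counter moves, the usual cause is a more specific security policy above allow-web that permits HTTP without the application-services statement.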

Web Filtering Verification

Basic
  >show log messages | match WF
  >show security utm web-filtering statistics
  >show security utm web-filtering status

Anti-Virus

What are the three Anti-Virus engines Juniper supports?
  Sophos
  Kaspersky Full File
  Kaspersky Express (referred to below as Juniper Express)

Initial Steps
What is needed for Anti-Virus to work?
  A license

You might need to verify that a license is installed. How?
  >show system license

You might need to verify that the signature file is loaded. How?
  >show security utm anti-virus status

You might need to ensure the pattern file receives regular updates
  #set security utm feature-profile anti-virus <engine> pattern-update

Configuring Anti-Virus

Create custom objects
  URL patterns and categories
  Filename extensions
  MIME patterns
Build feature profiles
  Sophos
  Kaspersky full file
  Express
Create UTM policy
  Apply profile to policy
Apply UTM policy to security policy
Create Anti-Virus Custom Objects

URL custom objects/categories
  Created exactly as for Web filtering
MIME patterns
  A prefix must end with a /
  [edit security utm custom-objects]
  #set mime-pattern good-mime value [ video/ audio/ application/ ]
  #set mime-pattern check-anyway value [ application/x-perl application/javascript ]

File extensions (Kaspersky engine only; list the extensions without a leading dot)
  [edit security utm custom-objects]
  #set filename-extension file-ext-list value [ zip tar vbs ]

Apply Custom Objects

URL patterns
  Covered in Web filtering (the url-whitelist is honoured by all AV engines)
MIME patterns (used by all Anti-Virus engines)
  [edit security utm feature-profile anti-virus]
  #set mime-whitelist list good-mime
  #set mime-whitelist exception check-anyway

Filename extensions
  [edit security utm feature-profile anti-virus kaspersky-lab-engine]
  #set profile kaspersky scan-options scan-extension file-ext-list

Profiles: Sophos
  Requires a license
  Less CPU intensive than full-file scanning
  Good for lower-end devices because it uses less memory
  Requires an Internet connection for in-the-cloud URI and hashed-content checking
  Communicates with the server using DNS messages
  Uses a local internal cache to retain query responses from the external server and improve lookup performance
  Supports HTTP, FTP, SMTP, IMAP, and POP3

Profiles: Kaspersky Full Anti-Virus
  Requires a license
  The full Anti-Virus signature file is loaded onto the SRX
  Does not need an Internet connection for file checking, but needs access to update files
  Performs pattern matching, execution analysis and some file heuristics
  Supports HTTP, FTP, SMTP, IMAP, and POP3

Profiles: Juniper Express
  Requires a license
  Stripped-down version of the Kaspersky Full Anti-Virus engine
  Does not need an Internet connection for file checking, but needs access to update files
  Performs only packet-based string matching
  Supports HTTP, FTP, SMTP, IMAP, and POP3

Anti-Virus Feature Profiles

Set the engine type
  [edit security utm feature-profile anti-virus]
  #set type sophos-engine (Sophos)
  #set sophos-engine pattern-update
  or
  #set type kaspersky-lab-engine (Kaspersky Full File)
  #set kaspersky-lab-engine pattern-update
  or
  #set type juniper-express-engine (Juniper Express)
  #set juniper-express-engine pattern-update

Anti-Virus Feature Profiles: Options

Set custom profile options
  Fallback-options
    content-size, corrupt-file, decompress-layer
    default, password-file, timeout
    engine-not-ready, out-of-resources, too-many-requests
  Notification-options
    fallback-block, fallback-non-block, virus-detection
    custom-message, custom-message-subject, (no-)notify-mail-sender
  Scan-options
    content-size-limit, decompress-layer-limit, scan-extension,
    scan-mode, timeout, (no-)intelligent-prescreening
  Trickling timeout (applies only to HTTP)

UTM Policy

Configure a UTM policy
  [edit security utm utm-policy my-policy]
  #set anti-virus http-profile <custom-profile-name>
  or
  #set anti-virus http-profile <predefined-profile-name>

Protocols supported (each protocol has its own profile statement):
  http-profile, ftp upload-profile and ftp download-profile, smtp-profile, pop3-profile, imap-profile
Pre-defined profiles include:
  junos-av-defaults (Kaspersky)
  junos-eav-defaults (Express Engine)
  junos-sophos-av-defaults (Sophos)
Security Policy

Apply the UTM policy to a security policy
  #set security policies from-zone <zone> to-zone <zone> policy <name> match source-address any destination-address any application [ junos-http junos-ftp junos-pop3 junos-imap junos-smtp ]
  #set security policies from-zone <zone> to-zone <zone> policy <name> then permit application-services utm-policy <utm-policy-name>
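The Sophos variant carried through as one complete configuration, an added example rather than content of the original slides: it covers the MIME whitelist with an exception, the engine selection and update interval, a fail-closed profile, the per-protocol UTM policy statements and the security policy that has to match every one of those protocols. The profile name my_sophos, the policy names av-policy and allow-mail-web, the zone names trust and untrust, and the MIME values are assumptions; lines beginning with # are comments, not configuration.

```junos
# --- MIME whitelist: skip scanning bulk media, but keep scanning SVG, which is
# --- image/* yet can carry script. The 'exception' list re-enables scanning for it.
set security utm custom-objects mime-pattern bulk-media value [ video/ audio/ image/ ]
set security utm custom-objects mime-pattern scan-anyway value [ image/svg+xml ]
set security utm feature-profile anti-virus mime-whitelist list bulk-media
set security utm feature-profile anti-virus mime-whitelist exception scan-anyway

# --- Engine selection and signature updates (interval in minutes). The SRX needs
# --- DNS and outbound reachability for Sophos' in-the-cloud checks.
set security utm feature-profile anti-virus type sophos-engine
set security utm feature-profile anti-virus sophos-engine pattern-update interval 120

# --- Profile: fail closed. 'default' covers every fallback case not listed; content-size
# --- and decompress-layer are named explicitly because an attacker can trigger them on purpose.
set security utm feature-profile anti-virus sophos-engine profile my_sophos fallback-options default block
set security utm feature-profile anti-virus sophos-engine profile my_sophos fallback-options content-size block
set security utm feature-profile anti-virus sophos-engine profile my_sophos fallback-options decompress-layer block
set security utm feature-profile anti-virus sophos-engine profile my_sophos notification-options virus-detection type message
set security utm feature-profile anti-virus sophos-engine profile my_sophos notification-options virus-detection custom-message "Virus detected, transfer blocked"
set security utm feature-profile anti-virus sophos-engine profile my_sophos scan-options uri-check
set security utm feature-profile anti-virus sophos-engine profile my_sophos scan-options content-size-limit 20000

# --- UTM policy: one profile statement per protocol; FTP is split by direction
set security utm utm-policy av-policy anti-virus http-profile my_sophos
set security utm utm-policy av-policy anti-virus ftp upload-profile my_sophos
set security utm utm-policy av-policy anti-virus ftp download-profile my_sophos
set security utm utm-policy av-policy anti-virus smtp-profile my_sophos
set security utm utm-policy av-policy anti-virus pop3-profile my_sophos
set security utm utm-policy av-policy anti-virus imap-profile my_sophos

# --- Security policy: match every protocol the UTM policy covers; anything this policy
# --- does not match, or that an earlier policy permits without application-services, is never scanned
set security policies from-zone trust to-zone untrust policy allow-mail-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-mail-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-mail-web match application [ junos-http junos-ftp junos-smtp junos-pop3 junos-imap ]
set security policies from-zone trust to-zone untrust policy allow-mail-web then permit application-services utm-policy av-policy
```

Check show security utm anti-virus status before testing: until the pattern file has loaded, the engine reports not ready and the fallback-options default above blocks all matched traffic, which is the intended fail-closed behaviour but is easy to mistake for a policy error.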

Anti-Virus Verification

Basic
  >show log messages | match AV_VIRUS
  >show security utm anti-virus statistics
  >show security utm anti-virus status

Issues and Tips

You can view existing examples of configurations by viewing the default profiles
  #show groups junos-defaults security utm feature-profile ?
    web-filtering
    anti-virus

Remember to apply your UTM policy to the security policy

Screening Options Overview

Prevent or monitor various attacks
  ICMP
  IP
  TCP
  UDP
Manage sessions
Configure security flow options

Screening Options: Attack Types

Reconnaissance
Denial of service
Suspicious packets

Configured under the security screen hierarchy
  Default is to drop offending traffic
  Can configure alarm-without-drop to log hits without dropping
Applied to a security zone (inspects traffic entering that zone)

Reconnaissance Attacks (1 of 2)

Hierarchical level
  [edit security screen ids-option <name>]
Protect against more than 10 ICMP packets to different hosts within the threshold window
  icmp ip-sweep threshold <microseconds>
Protect against more than 10 ports scanned on one host within the threshold window
  tcp port-scan threshold <microseconds>
Protect against use of IP options
  ip record-route-option
  ip timestamp-option
  ip security-option
  ip stream-option
Reconnaissance Attacks (2 of 2)

Hierarchical level
  [edit security screen ids-option <name>]
Protect against operating-system probes
  tcp syn-fin
  tcp fin-no-ack
  tcp tcp-no-flag

Denial-of-Service Attacks (1 of 2)
Hierarchical level
  [edit security screen ids-option <name>]
Set session limits
  limit-session source-ip-based 250
  limit-session destination-ip-based 250
Protect against SYN flooding
  tcp syn-flood alarm-threshold 750 (SYNs per second)
  tcp syn-flood attack-threshold 1000 (SYNs per second)
  tcp syn-flood timeout 10 (seconds)
Setting the protection mode
  [edit security flow]
  syn-flood-protection-mode syn-proxy (no spoofing expected)
  syn-flood-protection-mode syn-cookie (if spoofing is suspected)
Denial-of-Service Attacks (2 of 2)
Protect against SYN-ACK-ACK proxy floods
  tcp syn-ack-ack-proxy threshold <connections>
Protect against ICMP floods
  icmp flood threshold <packets per second>
Protect against UDP floods
  udp flood threshold <packets per second>
Protect against odd traffic
  tcp land (Land attack: source and destination are the same address)
  tcp winnuke (packet sent to port 139 with the URG flag set)
  icmp ping-death (ping of death: oversized ICMP packets)
  ip tear-drop (teardrop: fragmented-packet reassembly issues)

Suspicious Packets
Protect against packet fragments
  ip block-frag
  ip tear-drop (fragmented-packet reassembly issues)
  tcp syn-frag (a SYN packet should never be a fragment)
Protect against improper use of IP options
  ip bad-option
Protect against use of unknown protocols
  ip unknown-protocol (protocol numbers greater than 137)
Protect against spoofing
  ip spoofing

Apply Screen Options in a Zone

Hierarchical level
  [edit security zones security-zone <name>]
  screen <ids-option-name>

Screen Verification Commands

Basic verification
  >show security zones <name>
  >show security screen statistics zone <name>
  >show security screen ids-option <ids-option-name>

Summary

In this content, we:
  Identified items that could be tested during the JNCIE-SEC exam
  Described the basic configuration steps for those items
  Verified that your configuration meets the defined objectives

UTM and Screen Options Lab

Apply screening to your network.
Configure Web filtering and anti-virus.

