Juniper SRX Notes Security Policies

1. Reverting the Default Policy
Deleting everything under [edit security policies] removes the factory-default policies. Until new policies are committed, all transit traffic (intra-zone included, since the SRX applies policy to it as well) is dropped by the implicit default-deny policy.
root> configure
root# edit security policies
root# delete
root# commit
root# run show security policies
 
2. Configuring Address Books
Address books are attached per zone here: a policy may only reference names defined in the address book of the zone it matches (source names from the from-zone, destination names from the to-zone).
root# edit security zones security-zone untrust
root# set address-book address pod5-hr 10.0.5.0/24
root# set address-book address pod5-eng 172.16.5.0/24
root# set address-book address pod5-untrust 192.168.5.0/24
root# set address-book address remote5 172.26.26.6/32
 
root# top edit security zones
root# set security-zone hr address-book address pod6-hr 10.6.6.0/24
root# set security-zone eng address-book address pod6-eng 172.16.6.0/24
Verify (shows every zone with its address book):
root# show
 
Create two policies that permit all intra-zone traffic (hr to hr and eng to eng) through your assigned device; on the SRX even intra-zone traffic is subject to a policy lookup.
root# edit security policies from-zone hr to-zone hr policy intrazone-hr
root# set match source-address any
root# set match destination-address any
root# set match application any
root# set then permit
Verify:
root# show
 
root# edit security policies from-zone eng to-zone eng policy intrazone-eng
root# set match source-address any
root# set match destination-address any
root# set match application any
root# set then permit
Verify:
root# show
 
 
 

Juniper SRX Notes User Authentication

Firewall User Authentication Types:
1. Pass-through authentication
   Telnet, FTP and HTTP sessions crossing the SRX are intercepted; the SRX prompts for credentials and, once they are verified, permits the session (and later sessions from the same source IP) according to the policy.
2. Web authentication
   The user first connects directly to the JUNOS security platform (an interface address with web authentication enabled) using HTTP and logs in there; traffic from that source is then permitted by the matching policy.
 
Authentication Server Support:
1. Local:   authentication and authorization
2. Radius: authentication and authorization
3. LDAP: authentication only
4. SecurID: authentication only
 
Firewall User Authentication configuration steps:
1. Create an access profile holding the local firewall users:
edit access profile ftp-users
set client john firewall-user password juniper123
set client nancy firewall-user password juniper456
 
2. Put the profile's users in a client group, make the profile the default for pass-through authentication, and add banners:
top edit access
set profile ftp-users session-options client-group ftp-group
set firewall-authentication pass-through default-profile ftp-users
set firewall-authentication pass-through ftp banner login "JUNOS Rocks!!"
set firewall-authentication pass-through ftp banner success "Login successful!!"
 
3. Configure the policy action with firewall authentication.
Policies within a zone pair are evaluated top-down and the first match wins; a newly created policy is appended at the end of its zone pair, so order matters.
top edit security policies from-zone hr to-zone hr policy intrazone-hr
set match source-address any
set match destination-address any
set match application any
set then permit
top edit security policies from-zone eng to-zone eng policy intrazone-eng
set match source-address any
set match destination-address any
set match application any
set then permit
top edit security policies from-zone hr to-zone untrust policy deny-ftp-hr
set match source-address any
set match destination-address any
set match application junos-ftp
set then reject
top edit security policies from-zone hr to-zone untrust policy internet-hr
set match source-address pod6-hr
set match destination-address any
set match application any
set then permit
top edit security policies from-zone eng to-zone untrust policy internet-eng
set match source-address pod7-eng
set match destination-address any
set match application any
set then permit
top edit security policies from-zone untrust to-zone hr policy remote6-to-hr
set match source-address remote6
set match destination-address pod6-hr
set match application internal-apps
set then permit
set scheduler-name internal-apps-scheduler
set then log session-init
set then log session-close
(internal-apps is a custom application or application-set under [edit applications], and internal-apps-scheduler must exist under [edit schedulers]; the policy is only active while its scheduler is.)
 
Outbound FTP from pod6-hr to remote6 must authenticate: the permit carries the pass-through action, restricted to the ftp-group client group:
top edit security policies from-zone hr to-zone untrust policy outbound-ftp-auth
set match source-address pod6-hr
set match destination-address remote6
set match application junos-ftp
set then permit firewall-authentication pass-through client-match ftp-group
 
As appended, outbound-ftp-auth sits below deny-ftp-hr, which already matches all FTP and would reject the session first. Move it above:
top edit security policies from-zone hr to-zone untrust
insert policy outbound-ftp-auth before policy deny-ftp-hr
 
top edit security policies from-zone untrust to-zone hr policy inbound-ftp-auth
set match source-address remote6
set match destination-address pod6-hr
set match application junos-ftp
set then permit firewall-authentication pass-through client-match ftp-group
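Policy evaluation modelled in Python, as an added example (my code, not Junos or the notes' own configuration): first match within a zone pair, the implicit default deny when nothing matches, zone-attached address-book lookups, and the effect of `insert policy ... before`. The zone, policy and address-book names and prefixes are the ones used in these notes; the host address 10.6.6.20 is made up for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Zone-attached address books, using the names and prefixes from the notes above.
ADDRESS_BOOK: Dict[str, Dict[str, str]] = {
    "hr": {"pod6-hr": "10.6.6.0/24"},
    "untrust": {"remote6": "172.26.26.6/32"},
}


@dataclass
class Policy:
    name: str
    src: str                          # address-book name in the from-zone, or "any"
    dst: str                          # address-book name in the to-zone, or "any"
    app: str                          # "any" or an application name such as "junos-ftp"
    action: str                       # "permit", "reject" or "deny"
    auth_group: Optional[str] = None  # firewall-authentication client-match group


ZonePair = Tuple[str, str]


def _addr_match(zone: str, name: str, ip: str) -> bool:
    if name == "any":
        return True
    return ip_address(ip) in ip_network(ADDRESS_BOOK[zone][name])


def lookup(policies: Dict[ZonePair, List[Policy]], from_zone: str, to_zone: str,
           src_ip: str, dst_ip: str, app: str) -> Policy:
    """First-match lookup within one zone pair; no match falls to the implicit default deny."""
    for p in policies.get((from_zone, to_zone), []):
        if (_addr_match(from_zone, p.src, src_ip)
                and _addr_match(to_zone, p.dst, dst_ip)
                and p.app in ("any", app)):
            return p
    return Policy("default-deny", "any", "any", "any", "deny")


def insert_before(chain: List[Policy], name: str, before: str) -> None:
    """Reorder like `insert policy NAME before policy BEFORE`; NAME already exists in the chain."""
    moving = next(p for p in chain if p.name == name)
    chain.remove(moving)
    idx = next(i for i, p in enumerate(chain) if p.name == before)
    chain.insert(idx, moving)


def hr_to_untrust_chain() -> Dict[ZonePair, List[Policy]]:
    """Policies in the order the notes create them; `set` appends, so outbound-ftp-auth lands last."""
    return {("hr", "untrust"): [
        Policy("deny-ftp-hr", "any", "any", "junos-ftp", "reject"),
        Policy("internet-hr", "pod6-hr", "any", "any", "permit"),
        Policy("outbound-ftp-auth", "pod6-hr", "remote6", "junos-ftp", "permit", auth_group="ftp-group"),
    ]}


def ftp_policy_before_and_after() -> Tuple[str, str]:
    """Which policy an FTP session 10.6.6.20 -> 172.26.26.6 hits before and after the insert."""
    policies = hr_to_untrust_chain()
    before = lookup(policies, "hr", "untrust", "10.6.6.20", "172.26.26.6", "junos-ftp").name
    insert_before(policies[("hr", "untrust")], "outbound-ftp-auth", "deny-ftp-hr")
    after = lookup(policies, "hr", "untrust", "10.6.6.20", "172.26.26.6", "junos-ftp").name
    return before, after


if __name__ == "__main__":
    print(ftp_policy_before_and_after())
    # A zone pair with no policies at all: only the implicit default deny applies.
    print(lookup({}, "untrust", "hr", "172.26.26.6", "10.6.6.20", "junos-http").action)
```

The `before` result is the reject from deny-ftp-hr; after the reorder the same session hits outbound-ftp-auth and is permitted subject to pass-through authentication, which is exactly why the `insert` step above is needed.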
 
Verify and monitor firewall user authentication (clearing the users table forces the next session to be re-prompted):
root> clear security firewall-authentication users
root> show security firewall-authentication users
root> show security firewall-authentication history
root> show log messages | match RT_AUTH

Juniper SRX Note Implementing IPSec VPNs

1. Configuring a Route-Based IPSec VPN
    Configure a secure tunnel interface (a route-based VPN steers traffic into the tunnel by routing it toward st0.0).
root# edit interfaces
root# set st0 unit 0 family inet address 192.168.100.6
    Add the st0.0 interface to the untrust security zone. The zone st0.0 belongs to decides which policies apply to the decrypted traffic.
root# top set security zones security-zone untrust interfaces st0.0
 
Create an Internet Key Exchange (IKE) Phase 1 proposal named phase1
root# top edit security ike
root# set proposal phase1 authentication-method pre-shared-keys
root# set proposal phase1 dh-group group2
root# set proposal phase1 authentication-algorithm md5
root# set proposal phase1 encryption-algorithm 3des-cbc
root# set proposal phase1 lifetime-seconds 600
(md5, 3des-cbc and group2 are the lab's legacy values; outside a lab use at least sha-256, aes-256-cbc and group14. Both peers must offer a common proposal, so the same values go on the remote side.)
Verify:
root# show proposal phase1
 
Configure an IKE Phase 1 policy named phase1-policy:
root# top edit security ike
root# set policy phase1-policy mode main
root# set policy phase1-policy proposal phase1
root# set policy phase1-policy pre-shared-key ascii-text juniper
(a short dictionary word such as "juniper" is a lab-only pre-shared key; use a long random key in practice.)
Verify:
root# show policy phase1-policy
 
Configure an IKE gateway named phase1-gateway (the peer address, the policy and the local interface the IKE packets leave from):
root# top edit security ike
root# set gateway phase1-gateway ike-policy phase1-policy
root# set gateway phase1-gateway address 192.168.6.2
root# set gateway phase1-gateway dead-peer-detection interval 20
root# set gateway phase1-gateway external-interface ge-0/0/1.0
Verify:
root# show gateway phase1-gateway
 
Configure IKE Phase 2 (the IPsec proposal):
root# top edit security ipsec
root# set proposal phase2 protocol esp
root# set proposal phase2 authentication-algorithm hmac-md5-96
root# set proposal phase2 encryption-algorithm 3des-cbc
root# set proposal phase2 lifetime-seconds 3200
Verify:
root# show proposal phase2
 
Configure the IPsec policy that binds proposal phase2 (the vpn below refers to it by name) and the VPN tunnel:
root# top edit security ipsec
root# set policy phase2-policy proposals phase2
root# set vpn SRX5 bind-interface st0.0
root# set vpn SRX5 ike gateway phase1-gateway
root# set vpn SRX5 ike ipsec-policy phase2-policy
root# set vpn SRX5 establish-tunnels immediately
Verify:
root# show policy phase2-policy
root# show vpn SRX5
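The proposal and policy values above audited for legacy choices, as an added example (my script, not Juniper tooling or the notes' own configuration). It takes Junos set-format lines, constructed here from the lab values plus the `phase2-policy` binding the vpn refers to, and flags md5/3des/group2, a short pre-shared key, and an IPsec policy without perfect-forward-secrecy. The weak/recommended table and the 20-character key threshold are my baseline, not anything Junos enforces.

```python
from typing import Dict, List

# My baseline (not a Junos setting): proposal statement -> {weak value: recommended replacement}.
WEAK: Dict[str, Dict[str, str]] = {
    "dh-group": {"group1": "group14", "group2": "group14", "group5": "group14"},
    "authentication-algorithm": {"md5": "sha-256", "sha1": "sha-256",
                                 "hmac-md5-96": "hmac-sha-256-128",
                                 "hmac-sha1-96": "hmac-sha-256-128"},
    "encryption-algorithm": {"des-cbc": "aes-256-cbc", "3des-cbc": "aes-256-cbc"},
}
MIN_PSK_LEN = 20

# The notes' lab values in set format (constructed input), plus the IPsec policy the vpn uses.
LAB_CONFIG = """
set security ike proposal phase1 authentication-method pre-shared-keys
set security ike proposal phase1 dh-group group2
set security ike proposal phase1 authentication-algorithm md5
set security ike proposal phase1 encryption-algorithm 3des-cbc
set security ike proposal phase1 lifetime-seconds 600
set security ike policy phase1-policy mode main
set security ike policy phase1-policy proposal phase1
set security ike policy phase1-policy pre-shared-key ascii-text juniper
set security ipsec proposal phase2 protocol esp
set security ipsec proposal phase2 authentication-algorithm hmac-md5-96
set security ipsec proposal phase2 encryption-algorithm 3des-cbc
set security ipsec proposal phase2 lifetime-seconds 3200
set security ipsec policy phase2-policy proposals phase2
"""

# A hardened equivalent (also constructed) that the audit should pass cleanly.
HARDENED_CONFIG = """
set security ike proposal p1 authentication-method pre-shared-keys
set security ike proposal p1 dh-group group14
set security ike proposal p1 authentication-algorithm sha-256
set security ike proposal p1 encryption-algorithm aes-256-cbc
set security ike policy pol1 proposal p1
set security ike policy pol1 pre-shared-key ascii-text correct-horse-battery-staple-2024
set security ipsec proposal p2 protocol esp
set security ipsec proposal p2 authentication-algorithm hmac-sha-256-128
set security ipsec proposal p2 encryption-algorithm aes-256-cbc
set security ipsec policy pol2 perfect-forward-secrecy keys group14
set security ipsec policy pol2 proposals p2
"""


def audit(config_text: str) -> List[str]:
    """Return one finding per weak proposal value, short PSK, or IPsec policy lacking PFS."""
    findings: List[str] = []
    ipsec_policies, with_pfs = set(), set()
    for line in config_text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[:2] != ["set", "security"] or tok[2] not in ("ike", "ipsec"):
            continue
        section, obj, name, stmt = tok[2], tok[3], tok[4], tok[5]
        value = tok[6] if len(tok) > 6 else ""
        if obj == "proposal" and stmt in WEAK and value in WEAK[stmt]:
            findings.append(f"{section} proposal {name}: {stmt} {value} is weak; use {WEAK[stmt][value]}")
        elif section == "ike" and obj == "policy" and stmt == "pre-shared-key":
            # tok[6] is ascii-text or hexadecimal; tok[7] is the secret as typed
            if value == "ascii-text" and len(tok) > 7 and len(tok[7]) < MIN_PSK_LEN:
                findings.append(f"ike policy {name}: pre-shared key is only {len(tok[7])} characters; "
                                "use a long random key")
        elif section == "ipsec" and obj == "policy":
            ipsec_policies.add(name)
            if stmt == "perfect-forward-secrecy":
                with_pfs.add(name)
    for name in sorted(ipsec_policies - with_pfs):
        findings.append(f"ipsec policy {name}: no perfect-forward-secrecy keys group; "
                        "without PFS the IPsec keys derive from the Phase 1 secret")
    return findings


if __name__ == "__main__":
    for f in audit(LAB_CONFIG):
        print(f)
```

Running it over the lab values yields seven findings (three in the IKE proposal, the PSK, two in the IPsec proposal, and the missing PFS); the hardened block yields none.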
 
Configure routing into the VPN tunnel (traffic for the remote pod's eng subnet is routed to st0.0 and therefore encrypted):
root# top edit routing-options
root# set static route 172.16.5.0/24 next-hop st0.0
Verify:
root# show
 
Decrypted traffic arrives from the zone st0.0 belongs to (untrust) and still needs a security policy. Check the current policies for the zone pair:
root# top edit security policies
root# show from-zone untrust to-zone eng
root# show from-zone eng to-zone untrust
 
Create a new security policy that permits traffic from the untrust zone (the remote pod's eng network, pod5-eng) to any address in your eng zone. A policy must be created under a from-zone/to-zone pair; `set policy ipsec ...` directly under [edit security policies] is rejected:
root# edit from-zone untrust to-zone eng
root# set policy ipsec match source-address pod5-eng
root# set policy ipsec match destination-address any
root# set policy ipsec match application any
root# set policy ipsec then permit
Verify:
root# show
 
2. Verifying and Monitoring IPSec
root> show interfaces st0 terse
root> show security ike security-associations
root> show security ipsec security-associations
root> show security ipsec security-associations index 131001
root> show security ipsec statistics
root> clear security ipsec statistics
root> show security flow session
 
 
 

Juniper SRX Notes Network Address Translation

1. Interface-Based Source NAT
Translates the source of hr-to-untrust sessions toward 172.16.26.6 to the address of the egress interface (port address translation).
root> configure
root# edit security nat source
root# set rule-set internet-bound from zone hr
root# set rule-set internet-bound to zone untrust
root# edit rule-set internet-bound
root# set rule 1 match destination-address 172.16.26.6/32
root# set rule 1 then source-nat interface
root# commit and-quit
 
Verify the NAT session (the session table shows the original and the translated address of each flow):
root> show security flow session
root> show security nat source rule all
 
 
2. Pool-Based Destination NAT
Maps the public address 192.168.6.50 to the internal web server 172.16.6.10 for sessions from the remote host.
root> configure
root# edit security nat destination
root# set pool webserver address 172.16.6.10/32
root# set rule-set from-internet from zone untrust
root# edit rule-set from-internet rule 1
root# set match source-address 172.26.26.6/32
root# set match destination-address 192.168.6.50/32
root# set then destination-nat pool webserver
 
Destination NAT is applied before the policy lookup, so the policy matches the translated (real) destination, pod6-eng, not 192.168.6.50:
root# top edit security policies from-zone untrust to-zone eng
root# set policy webserver match source-address remote6
root# set policy webserver match destination-address pod6-eng
root# set policy webserver match application junos-telnet
root# set policy webserver match application junos-http
root# set policy webserver then permit
 
Configure proxy ARP: 192.168.6.50 is inside the ge-0/0/1 subnet but assigned to no interface, so the SRX must answer ARP for it or the upstream router never forwards the packets. Here a published static ARP entry is used; the MAC must be that of ge-0/0/1 itself:
root# top edit interfaces ge-0/0/1 unit 0 family inet address 192.168.6.2/24
root# set arp 192.168.6.50 mac 00:24:dc:d4:f4:41 publish
(the equivalent in the NAT hierarchy is set security nat proxy-arp interface ge-0/0/1.0 address 192.168.6.50/32)
 
Verify result:
root> show security flow session
root> show security nat destination pool all
 
 
3. Pool-Based Source NAT with Overflow Pool
root> configure
root# edit security nat source
root# set pool natpool-eng port no-translation
root# set pool natpool-eng overflow-pool interface
root# set pool natpool-eng address 172.16.6.50/32 to 172.16.6.51/32
root# set pool natpool-hr port no-translation
root# set pool natpool-hr overflow-pool interface
root# set pool natpool-hr address 10.6.6.50/32 to 10.6.6.51/32
(port no-translation makes the pool one-to-one, so only two hosts can be translated at a time; overflow-pool interface falls back to interface PAT once the pool is exhausted.)
Verify config:
root# show pool natpool-eng
root# show pool natpool-hr
 
Create two source NAT rule-sets (one per direction) and a rule in each:
root# set rule-set natrule-eng-hr from zone eng
root# set rule-set natrule-eng-hr to zone hr
root# set rule-set natrule-hr-eng from zone hr
root# set rule-set natrule-hr-eng to zone eng
 
root# edit rule-set natrule-eng-hr
root# set rule 2 match source-address 172.16.6.0/24
root# set rule 2 then source-nat pool natpool-hr
root# up
root# edit rule-set natrule-hr-eng
root# set rule 3 match source-address 10.6.6.0/24
root# set rule 3 then source-nat pool natpool-eng
 
Verify the configuration and the sessions (source NAT is applied after the policy lookup, so the hr/eng policies match the original, untranslated source addresses):
root# top show security policies from-zone hr to-zone eng
root# top show security policies from-zone eng to-zone hr
root> show security flow session
 
Add proxy ARP for the pool addresses on the interface facing each destination zone. The pools lie inside the hr and eng subnets but belong to no interface, so without proxy ARP the return traffic's ARP requests go unanswered:
root# top edit security nat proxy-arp
root# set interface fe-0/0/5.0 address 10.6.6.50/32 to 10.6.6.51/32
root# set interface fe-0/0/3.0 address 172.16.6.50/32 to 172.16.6.51/32
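An added check (my script, not part of Junos) for the proxy-ARP requirement that shows up in NAT sections 2 and 3 above: every source-NAT pool address or destination-NAT match address that lies inside a directly connected subnet, but is not an interface's own address, must be answered by the SRX, either through `security nat proxy-arp` or through a published static ARP entry. The input is constructed from these notes' interface, pool, rule and proxy-ARP statements in set format, with the fe-0/0/3.0 proxy-ARP range deliberately left one address short so that a finding appears.

```python
from ipaddress import IPv4Address, IPv4Interface, ip_address, ip_interface
from typing import Dict, List, Set, Tuple

# Constructed from the notes' statements; fe-0/0/3.0 proxy-ARP is missing 172.16.6.51 on purpose.
LAB_CONFIG = """
set interfaces ge-0/0/1 unit 0 family inet address 192.168.6.2/24 arp 192.168.6.50 mac 00:24:dc:d4:f4:41 publish
set interfaces fe-0/0/3 unit 0 family inet address 172.16.6.1/24
set interfaces fe-0/0/5 unit 0 family inet address 10.6.6.1/24
set security nat source pool natpool-eng port no-translation
set security nat source pool natpool-eng overflow-pool interface
set security nat source pool natpool-eng address 172.16.6.50/32 to 172.16.6.51/32
set security nat source pool natpool-hr address 10.6.6.50/32 to 10.6.6.51/32
set security nat destination pool webserver address 172.16.6.10/32
set security nat destination rule-set from-internet rule 1 match destination-address 192.168.6.50/32
set security nat proxy-arp interface fe-0/0/5.0 address 10.6.6.50/32 to 10.6.6.51/32
set security nat proxy-arp interface fe-0/0/3.0 address 172.16.6.50/32
"""


def _expand(tok: List[str], i: int) -> List[IPv4Address]:
    """Expand `address A[/32] [to B[/32]]` with tok[i] == 'address' into individual host addresses."""
    first = ip_address(tok[i + 1].split("/")[0])
    last = ip_address(tok[i + 3].split("/")[0]) if len(tok) > i + 3 and tok[i + 2] == "to" else first
    return [ip_address(n) for n in range(int(first), int(last) + 1)]


def parse(config_text: str):
    ifaces: Dict[str, IPv4Interface] = {}        # logical interface -> address/prefix
    needed: Set[IPv4Address] = set()             # addresses the SRX must answer ARP for
    answered: Dict[str, Set[IPv4Address]] = {}   # interface -> addresses it answers for
    for line in config_text.strip().splitlines():
        tok = line.split()
        if tok[:2] == ["set", "interfaces"] and "address" in tok:
            ifl = f"{tok[2]}.{tok[4]}"
            ifaces[ifl] = ip_interface(tok[tok.index("address") + 1])
            if "publish" in tok:                 # published static ARP entry on this interface
                answered.setdefault(ifl, set()).add(ip_address(tok[tok.index("arp") + 1]))
        elif tok[:5] == ["set", "security", "nat", "source", "pool"] and "address" in tok:
            needed.update(_expand(tok, tok.index("address")))
        elif tok[:4] == ["set", "security", "nat", "destination"] and "destination-address" in tok:
            needed.add(ip_address(tok[tok.index("destination-address") + 1].split("/")[0]))
        elif tok[:5] == ["set", "security", "nat", "proxy-arp", "interface"]:
            answered.setdefault(tok[5], set()).update(_expand(tok, tok.index("address")))
    return ifaces, needed, answered


def proxy_arp_gaps(config_text: str) -> List[Tuple[str, str]]:
    """On-link NAT addresses that no interface will answer ARP for, as (address, interface)."""
    ifaces, needed, answered = parse(config_text)
    gaps: List[Tuple[str, str]] = []
    for addr in sorted(needed):
        for ifl, intf in ifaces.items():
            if addr not in intf.network:
                continue
            # An interface's own address is answered by the stack itself (the interface-NAT case).
            if addr != intf.ip and addr not in answered.get(ifl, set()):
                gaps.append((str(addr), ifl))
            break
        # Addresses in no connected subnet reach the SRX by routing; no ARP is needed for them.
    return gaps


if __name__ == "__main__":
    print(proxy_arp_gaps(LAB_CONFIG))
```

On the constructed input the only gap is 172.16.6.51 on fe-0/0/3.0: the pool hands it out, but nothing answers ARP for it, so hr-to-eng sessions translated to that address get replies that die at the eng host's ARP step. Everything else is covered either by proxy-arp or by the published ARP entry for 192.168.6.50.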
 
 

Juniper SRX Note Screen Options

1. Remove the default screen protection from the zone, then delete the screen definitions
edit security zones security-zone untrust
delete screen
top edit security screen
delete
Delete everything under this level? [yes,no] yes
 
2. Create a screen named internet-protect that blocks ICMP packets larger than 1024 bytes
top edit security screen
set ids-option internet-protect icmp large
set ids-option internet-protect icmp fragment
 
set ids-option internet-protect ip record-route-option
; drop packets carrying the IP record-route option.
 
set ids-option internet-protect limit-session destination-ip-based 1
; limit the number of concurrent sessions to the same destination IP address to one (a lab value; in production this breaks ordinary traffic, so size it to the expected load).
 
3. Verify the screen definition
top edit security screen
show ids-option internet-protect
 
Apply the screen to the zone. A screen has no effect until it is bound to a zone, and it is then checked on traffic entering that zone:
top edit security zones security-zone untrust
set screen internet-protect
 
Monitoring screen protection
root> show security screen statistics zone untrust
 
root> show log messages | match RT_SCREEN
 
 
 

Juniper SRX Notes Basic Operation

Enter configuration mode on the SRX
root> configure
root# delete
; this deletes the entire candidate configuration
root# load factory-default
; this loads the factory-default configuration into the candidate
root# set system root-authentication plain-text-password
New password: *******
Retype new password: ********
root# commit
(the factory default cannot be committed until a root password is set, hence the order above.)
 
Allow ping on all interfaces in the trust zone
root# set security zones security-zone trust interfaces all host-inbound-traffic system-services ping
 
Set the interface addresses (interfaces are bound to zones under security zones, as above)
root# set interfaces ge-0/0/0 unit 0 family inet address 10.0.6.1/24
root# set interfaces ge-0/0/1 unit 0 family inet address 192.168.6.2/24
root# set interfaces fe-0/0/3 unit 0 family inet address 172.16.6.1/24
root# set interfaces fe-0/0/5 unit 0 family inet address 10.6.6.1/24
root# show | compare
; show the differences between the candidate and the active configuration
 
Set the default route
root# set routing-options static route 0.0.0.0/0 next-hop 192.168.6.1
root# commit
 
Set a static ARP entry
root# edit interfaces
root# set ge-0/0/0 unit 0 family inet address 10.0.6.1/24 arp 10.0.6.10 mac 00:0c:29:b8:fb:31
 
 
 
 
 
 
 

Access Control Notes-2

Strong Authentication
Authentication that uses two or more different factor types during the authentication process is called strong authentication.
 
Password:
1. Static password
2. Dynamic password
3. Cognitive password
 
Weaknesses of passwords
1. Not safe: may be cracked (weak password, brute-force or dictionary attacks).
2. Provide no non-repudiation (a shared secret proves knowledge of the secret, not who used it).
3. May be forgotten, and are inconvenient.
 
Safe password rules:
1. Enforce a maximum and a minimum password age.
2. Use a password unrelated to the user name.
3. Use a complex password mixing upper and lower case, digits and special characters.
4. At least 7 characters long (a dated baseline; current guidance favours longer passwords).
5. Forbid reuse of previously used passwords (password history).
6. Use an account lockout policy.
 
Token-based authentication
1. Time-synchronous tokens
2. Event-synchronous tokens
3. Asynchronous (challenge-response) tokens
 
Biometrics
1. Fingerprint
2. Iris scan
3. Retina scan
4. Facial scan
5. Voice
6. Signature/handwriting
7. Hand geometry/handprint
 
Properties of a biometric characteristic
1. Universality
2. Distinctiveness
3. Permanence
4. Collectability
 
Factors an enterprise uses to evaluate a biometric system
1. Accuracy
2. Enrollment time
3. Throughput rate
4. Acceptability (user acceptance and comfort)
 
Accuracy metrics
1. False rejection rate (FRR); false negative; Type I error: a legitimate user is rejected
2. False acceptance rate (FAR); false positive; Type II error: an impostor is accepted
3. Equal error rate (EER), also called crossover error rate (CER): the operating point where FRR equals FAR; the lower it is, the more accurate the system
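FRR, FAR and the crossover point computed from constructed matcher scores, as an added example (my code; the scores are invented for the demonstration and are not measurements of any real biometric product). The point it makes is that the two rates move in opposite directions as the acceptance threshold moves, so a vendor's FAR figure means little without the FRR at the same threshold; the crossover point is the single-number comparison.

```python
from typing import List, Tuple

# Constructed similarity scores (higher = more alike). Not real measurements.
GENUINE = [0.92, 0.88, 0.85, 0.80, 0.76, 0.72, 0.65, 0.60, 0.55, 0.40]   # user vs own template
IMPOSTOR = [0.70, 0.62, 0.58, 0.50, 0.45, 0.42, 0.35, 0.30, 0.25, 0.20]  # user vs someone else's


def rates(genuine: List[float], impostor: List[float], threshold: float) -> Tuple[float, float]:
    """A comparison is accepted when score >= threshold.
    FRR (Type I error): fraction of genuine comparisons rejected.
    FAR (Type II error): fraction of impostor comparisons accepted."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def equal_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float, float]:
    """Sweep every observed score as a threshold and return (threshold, FRR, FAR)
    at the point where the two rates are closest: the crossover error rate."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    return best[1], best[2], best[3]


def tradeoff_table(genuine: List[float], impostor: List[float], thresholds: List[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FRR, FAR) rows: raising the threshold lowers FAR and raises FRR."""
    return [(t,) + rates(genuine, impostor, t) for t in thresholds]


if __name__ == "__main__":
    for row in tradeoff_table(GENUINE, IMPOSTOR, [0.4, 0.6, 0.8]):
        print("threshold %.2f  FRR %.1f  FAR %.1f" % row)
    print("crossover:", equal_error_rate(GENUINE, IMPOSTOR))
```

With these scores the crossover sits at threshold 0.60, where both FRR and FAR are 0.2; a high-security deployment would pick a higher threshold (lower FAR, more false rejections), a convenience-first one a lower threshold.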
 
Single Sign-On (SSO)
Systems that support SSO:
1. Kerberos
2. SESAME
3. KryptoKnight
4. NetSP
 
 
 
 
 
 
 
 
 

Access Control Notes-1

Access control inside the enterprise must be built on
a. Defense in depth
b. Multiple layers of protection
 
Access control covers:
a. Access control models
b. Access control methods
c. Authentication methods
d. Intrusion detection / intrusion prevention systems
 
What is access control?
ANS: A method and process for restricting access to resources, whose purpose is to protect system resources from access by unauthorized parties and from improper access by authorized parties.
 
Access control has three elements:
a. Subject, e.g. user, group, process...
b. Object, e.g. computer, data, database...
c. Access model: defines the relationship between subject and object.
 
A good access control system has:
a. Strict authorization
b. Least privilege
c. Separation of duty
 
Rule of least privilege
Grant subjects only enough access to objects to perform the required task.
 
Separation of duty
a. Static separation of duty, also called strong exclusion: conflicting roles cannot be assigned to the same user.
b. Dynamic separation of duty, also called weak exclusion: a user may hold conflicting roles but cannot exercise their permissions at the same time (within the same session).
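Static versus dynamic separation of duty differ in where the check sits, which the following added example (my code, not from the notes) makes concrete: a static conflict is refused at role assignment, a dynamic conflict is only refused when the second role is activated in the same session. The role names are invented.

```python
from typing import Dict, FrozenSet, Set


class SeparationOfDuty:
    """Static SoD is enforced at role assignment; dynamic SoD only at activation within a session."""

    def __init__(self) -> None:
        self.static_conflicts: Set[FrozenSet[str]] = set()
        self.dynamic_conflicts: Set[FrozenSet[str]] = set()
        self.assigned: Dict[str, Set[str]] = {}   # user -> roles the user holds
        self.active: Dict[str, Set[str]] = {}     # session id -> roles activated in that session

    def conflict(self, a: str, b: str, kind: str) -> None:
        """Declare roles a and b mutually exclusive, either 'static' or 'dynamic'."""
        target = self.static_conflicts if kind == "static" else self.dynamic_conflicts
        target.add(frozenset((a, b)))

    def assign(self, user: str, role: str) -> bool:
        held = self.assigned.setdefault(user, set())
        if any(frozenset((role, h)) in self.static_conflicts for h in held):
            return False   # strong exclusion: the user may never hold both roles
        held.add(role)
        return True

    def activate(self, session: str, user: str, role: str) -> bool:
        if role not in self.assigned.get(user, set()):
            return False   # a role that is not assigned cannot be activated
        live = self.active.setdefault(session, set())
        if any(frozenset((role, a)) in self.dynamic_conflicts for a in live):
            return False   # weak exclusion: held, but not usable together in one session
        live.add(role)
        return True


def demo() -> Dict[str, bool]:
    sod = SeparationOfDuty()
    sod.conflict("purchaser", "approver", "static")     # same person must never do both, ever
    sod.conflict("developer", "deployer", "dynamic")    # may do both, but not in one sitting
    return {
        "alice_purchaser": sod.assign("alice", "purchaser"),
        "alice_approver": sod.assign("alice", "approver"),            # refused: static
        "bob_developer": sod.assign("bob", "developer"),
        "bob_deployer": sod.assign("bob", "deployer"),                # allowed: dynamic
        "bob_s1_developer": sod.activate("s1", "bob", "developer"),
        "bob_s1_deployer": sod.activate("s1", "bob", "deployer"),     # refused: same session
        "bob_s2_deployer": sod.activate("s2", "bob", "deployer"),     # allowed: new session
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The practical consequence: static SoD is auditable from the user-role table alone, while dynamic SoD needs session state at runtime and is only as strong as the session boundary it relies on.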
 
Default to no access
If access is not explicitly allowed, it should be implicitly denied.
 
Access control model types:
a. Discretionary Access Control (DAC)
b. Mandatory Access Control (MAC)
c. Role-Based Access Control (RBAC)
d. Rule-Based Access Control
 
Discretionary Access Control (DAC)
A method in which access to an object is granted based on the subject's identity or group membership, at the discretion of the object's owner. Example: Windows.
 
Mandatory Access Control (MAC)
The security policy and resource attributes (labels) are defined centrally by the system administrator and enforced by the system; suited to high-security environments or organizations. Examples: B-class computer systems, SELinux, SUSE Linux.
 
Role-Based Access Control (RBAC)
A form of identity-based access control in which whether a subject may access a resource is decided by the role or job title the user holds in the organization.
users <-> roles <-> permissions
Example: SQL database roles
 
Rule-based access control
Access is decided by a set of rules defined in advance by the administrator; ordinary users cannot change the rules.
Example: firewall
 
Lattice-based access control
Subjects and objects are arranged as pairs of elements, and for each pair a greatest lower bound and a least upper bound are defined; a subject may access an object according to whether its label dominates the object's within these bounds.
Example: military or corporate security classification labels.
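The lattice described above worked as an added Python example (my code, not from the notes): a label is a (level, compartments) pair ordered by dominance, `lub` and `glb` give the bounds the text mentions, and the read/write checks are the Bell-LaPadula simple-security and *-properties, which is one common use of such a lattice. The level names and compartments are my assumption for the demonstration.

```python
from typing import FrozenSet, Tuple

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2,
          "top-secret": 3}          # assumed linear sensitivity levels
Label = Tuple[str, FrozenSet[str]]  # (sensitivity level, set of compartments)


def label(level: str, *compartments: str) -> Label:
    return level, frozenset(compartments)


def dominates(a: Label, b: Label) -> bool:
    """a >= b in the lattice: a's level is at least b's and a holds every compartment b holds.
    Labels with disjoint compartments are incomparable: neither dominates the other."""
    return LEVELS[a[0]] >= LEVELS[b[0]] and a[1] >= b[1]


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label dominating both (max level, union of compartments).
    A document combining material labelled a and b carries this label."""
    return max(a[0], b[0], key=LEVELS.__getitem__), a[1] | b[1]


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label both dominate (min level, intersection)."""
    return min(a[0], b[0], key=LEVELS.__getitem__), a[1] & b[1]


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down (writing to a lower label would leak what the subject knows)."""
    return dominates(obj, subject)


if __name__ == "__main__":
    analyst = label("secret", "crypto")
    memo = label("confidential", "crypto")
    other = label("secret", "nuclear")
    print(can_read(analyst, memo), can_write(analyst, memo))     # read yes, write no
    print(can_read(analyst, other), can_write(analyst, other))   # incomparable: neither
    print(lub(memo, other), glb(memo, other))
```

The incomparable case is the point of using a lattice rather than a plain ordering: a secret/crypto analyst can neither read nor write a secret/nuclear object, even though both sit at the same level.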
 
Access Control Techniques
Access control types:
a. Preventive control
b. Detective control
c. Deterrent control
d. Corrective control
e. Recovery control
 
Preventive control:
Attempts to avoid or stop events that could cause harm or violate security.
Examples: firewall, authentication methods.
 
Detective control
Discovers or confirms that an event which could cause harm or violate security has occurred.
Examples: checksums, file integrity checkers, audits, logs.
 
Deterrent control:
Attempts to discourage security violations from happening.
Example: login messages or warning banners.
 
Corrective control:
Used to repair damage or violations that have already occurred, or to remedy weaknesses that others could exploit to gain unauthorized access.
 
Recovery control:
Restores lost or damaged computing resources or capabilities.
Examples: disaster recovery, business continuity planning, backup/standby systems.
 
Access Control Categories
a. Administrative controls
b. Logical or technical controls
c. Physical controls
 
Administrative controls:
Usually involve defining and implementing the organization's security policy; preventive administrative controls include
security policy
standards
guidelines
 
Logical or technical controls
Logical controls deployed across the organization's security posture to protect the IT infrastructure.
Examples: cryptography, security appliances, authentication...
 
Physical controls
Controls that keep subjects from gaining unauthorized direct physical contact with or access to objects, and controls over environmental risk.
Examples:
a. Building and facility protection: hiring guards, guard dogs...
b. Perimeter security: fences, walls, door access control.
c. Cable protection: prevents electromagnetic leakage or wiretapping of lines.
 
To protect its valuable information assets an enterprise must implement all three categories of control together; none can be omitted.
a. Administrative controls
b. Technical controls
c. Physical controls
 
Combining the three categories with the control types yields many different security controls and services, for example:
a. Physical preventive control: keeps subjects from physically reaching resources, e.g. badges.
b. Technical preventive control: uses technology to prevent violations, e.g. database views, encryption, antivirus software.
c. Administrative detective control: policies or rules for reviewing audit logs to find out whether something happened.
 
Constrained user interface
Common ways of constraining the user interface:
menu restrictions
command interpreter (shell) restrictions
database views
physically constrained interfaces
 
Identification and authentication
Authentication has always been regarded as the foundation of access control and authorization.
Effective authentication is based on three factors:
Type 1 factor: something you know
a. password
b. personal identification number (PIN)
c. passphrase
Type 2 factor: something you have
Example: ATM card.
Type 3 factor: something you are, a biological characteristic or behaviour unique to the person.
Examples: fingerprint, retina
 
Strong authentication
Authentication performed with two or more of the factor types above is called strong authentication.
 
Password: dynamic password, static password
1. Static password
2. Dynamic password; one-time password (OTP)
3. Cognitive password: generally used as a supplementary way to authenticate a user who has forgotten their password.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Information Security and Risk Management Notes
 
Information security in the enterprise:
1. Security services and principles
2. Data classification
3. Security policies
4. Risk assessment and management
5. Security awareness training
 
What is information security?
ANS: All the controls used to protect the resources of an information system (including hardware, software and databases) from modification, destruction and unauthorized use. Information security must address people, procedures, data, hardware, software and the physical environment, covering both the technical level and the organizational and management level.
 
Security services:
CIA: Confidentiality, Integrity, Availability
DAD (the opposing threats): Disclosure, Alteration, Destruction
 
 
 
 
 
 
 

Juniper M/T Router Notes

1. "commit synchronize" ensures that the configuration file on the backup Routing Engine is identical to the file on the primary Routing Engine.
 
2. The inet.0 routing table stores IPv4 unicast routes. All routing protocols place information into this table by default.
    The inet.3 routing table contains the egress IP addresses of MPLS label-switched paths (LSPs). Routes are inserted into inet.3 by RSVP (and by LDP); BGP uses it to resolve next hops over LSPs.
 
3. Label 0 (IPv4 Explicit NULL) is not swapped: the receiving router pops it and forwards on the IP header. Label 3 (Implicit NULL) is only signalled, never placed on the wire; it asks the upstream router to pop the label, which is penultimate hop popping (PHP).
    Our definition of each router's role along the path of an LSP assumes the default JUNOS software behavior of PHP.
 
4. Configuring a static LSP requires that each router along the LSP be configured explicitly, since no signalling protocol distributes the labels.
 
5. Label Request Object
    The label request object is encoded in the Path messages sent toward the egress router. This object asks each router to assign a label value to the requested LSP. When the Path message is received, the local router allocates a label and stores it with the Path soft state for that LSP. When the Resv message arrives from the downstream neighbor, the label is advertised upstream in an RSVP Label object.
 
6. The OSPF stub area provides for a smaller link-state database by restricting the presence of AS external LSAs (type 5) within the area. A not-so-stubby area also restricts type 5 external LSAs, but still allows some external routes to be present in the database using the NSSA external LSA (type 7).
 
7. OSPF: in the ExStart state, the local router and its neighbor establish which router is in charge of the database synchronization process. The neighbor with the higher router ID becomes the master.
 
8. BGP Process States
IDLE: After the BGP process starts, a TCP session is initiated with the remote peer. The local router transitions to the Connect state and begins listening for a connection initiated by the remote peer.
CONNECT: In this state, the local router has seen a TCP connection attempt from a peer and is waiting for the TCP session to be completed. If it is successful, the local router sends an Open message to the peer and transitions to the OpenSent state.
ACTIVE: In the Active state, the local router is trying to establish a TCP session with its peer. If the session establishes successfully, an Open message is sent and the local router transitions to the OpenSent state.
OPENSENT: reached once the TCP session is established and an Open message has been sent; the router waits for the peer's Open.
OPENCONFIRM: the peer's Open was received and accepted; the router waits for a Keepalive.
ESTABLISHED: a fully operational BGP session in which Update messages are exchanged.
9. The order of BGP route selection (JUNOS):
1. The next hop must be reachable (routes whose next hop cannot be resolved are not candidates)
2. Highest local preference
3. Shortest AS path
4. Lowest origin attribute (IGP < EGP < Incomplete)
5. Lowest Multiple Exit Discriminator (MED); by default compared only among routes from the same neighboring AS
6. EBGP routes preferred over IBGP routes
7. Lowest IGP metric to the advertised BGP next hop
8. Shortest cluster-list length if route reflection is used for IBGP
9. Lowest router ID of the advertising peer
10. Lowest peer IP address
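The selection order above expressed as a comparison key, an added example of mine rather than Junos code; the sample routes are constructed. Step 1 (reachability) is a filter, steps 2 to 10 form the ordered tuple, and the deciding step is reported so the reason for a choice is visible. One simplification, marked in the code: MED is compared across all candidates, which matches Junos only with `path-selection always-compare-med`.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ORIGIN_RANK = {"I": 0, "E": 1, "?": 2}   # IGP < EGP < Incomplete, as encoded 0/1/2

STEP_NAMES = [
    "local preference (highest)", "AS path (shortest)", "origin (lowest)",
    "MED (lowest)", "EBGP over IBGP", "IGP metric to next hop (lowest)",
    "cluster list (shortest)", "router ID (lowest)", "peer address (lowest)",
]


@dataclass
class BgpRoute:
    peer: str                       # address of the peer the route was learned from
    router_id: str                  # that peer's BGP router ID
    as_path: List[int]
    local_pref: int = 100
    origin: str = "I"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0
    cluster_list: List[str] = field(default_factory=list)
    next_hop_reachable: bool = True


def _ip_key(addr: str) -> Tuple[int, ...]:
    return tuple(int(o) for o in addr.split("."))


def selection_key(r: BgpRoute) -> tuple:
    """One element per tie-break step, in order; the smallest tuple is the best route.
    Simplification: MED is compared across all candidates (always-compare-med behaviour)."""
    return (-r.local_pref, len(r.as_path), ORIGIN_RANK[r.origin], r.med,
            0 if r.ebgp else 1, r.igp_metric, len(r.cluster_list),
            _ip_key(r.router_id), _ip_key(r.peer))


def best_path(routes: List[BgpRoute]) -> Optional[BgpRoute]:
    """Step 1 is the reachability filter; the rest is the ordered comparison."""
    usable = [r for r in routes if r.next_hop_reachable]
    return min(usable, key=selection_key) if usable else None


def deciding_step(routes: List[BgpRoute]) -> Optional[str]:
    """Name of the step that separated the winner from the runner-up; None if fewer than two usable routes."""
    usable = sorted((r for r in routes if r.next_hop_reachable), key=selection_key)
    if len(usable) < 2:
        return None
    k1, k2 = selection_key(usable[0]), selection_key(usable[1])
    for i, (a, b) in enumerate(zip(k1, k2)):
        if a != b:
            return STEP_NAMES[i]
    return None   # identical keys: a real router would need multipath or a further tie-break


# Constructed candidates for one prefix: the shortest path is unreachable, the longest has the
# highest local preference, so local preference (not path length) decides.
SAMPLE = [
    BgpRoute(peer="10.0.0.1", router_id="10.0.0.1", as_path=[65001, 65002], local_pref=100),
    BgpRoute(peer="10.0.0.2", router_id="10.0.0.2", as_path=[65003, 65004, 65005], local_pref=200),
    BgpRoute(peer="10.0.0.3", router_id="10.0.0.3", as_path=[65006], local_pref=300,
             next_hop_reachable=False),
]

if __name__ == "__main__":
    best = best_path(SAMPLE)
    print(best.peer if best else None, deciding_step(SAMPLE))
```

The route via 10.0.0.3 would win on every attribute but is excluded at step 1, which is the usual surprise when an IGP change breaks next-hop resolution: the "wrong" route appears in the table with no attribute explaining it.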
 
10. The current BGP specification defines three possible origin values:
IGP: The route was originally learned from an IGP on the source router. IGP is displayed with the character "I" and is encoded as a value of 0.
EGP: The route was originally learned by the EGP protocol on the source router. EGP is displayed with the character "E" and is encoded as a value of 1.
Incomplete: The route's source was unknown to the initial BGP router. Incomplete is displayed with the character "?" and is encoded as a value of 2.