Juniper Networks Secure Access SSL VPN appliances provide a complete range of remote access appliances for the smallest companies up to the largest service providers. This comprehensive configuration guide will allow system administrators and security professionals to configure these appliances to allow remote and mobile access for employees. If you manage and secure a larger enterprise, this book will help you to provide remote and/or extranet access for employees, partners, and customers from a single platform.

• Configure Juniper’s Instant Virtual Extranet (IVE). Install and set up IVE through either the command line interface (CLI) or Web-based console.
• Master the “3 Rs”: Realms, Roles, and Resources. Realize the potential of the “3 Rs” for endpoint security, sign-in policies, and authorization of servers.
• Get Inside both the Windows and Java Versions of Secure Application Manager (SAM). Learn to implement SAM, manage the end-user experience, and troubleshoot SAM in the field.
• Integrate IVE with Terminal Services and Citrix. Enable terminal services proxy and configure role options, configure Citrix using a custom ICA, configure terminal services resource policies and profiles, and configure terminal services and Citrix using a hosted Java applet.
• Ensure Endpoint Security. Use Host Checker, Cache Cleaner, Secure Virtual Workspace, and IVE/IDP integration to secure your network.
• Manage the Remote Access Needs of Your Organization. Configure Web access, file access, and telnet/SSH access for remote users and offices.
• Configure Core Networking Components through the System Menu. Create clusters, manage virtual systems, and monitor logs, reports, and alerts.
• Create Bullet-Proof Sign-in Policies. Create standard and custom sign-in pages for both user and administrator access and Secure Meeting pages.
• Use the IVE for Log-Related Tasks. Perform log filtering, log management, syslog exporting, SNMP management, and system resource monitoring and reporting.
Foreword

Networking, Security, and the Firewall
    Introduction
    Understanding Networking
    The OSI Model
    Moving Data along with TCP/IP
    Understanding Security Basics
    Understanding Firewall Basics
    Types of Firewalls
    Firewall Ideologies
    DMZ Concepts
    Traffic Flow Concepts
    Networks with and without DMZs
    DMZ Design Fundamentals
    Designing End-to-End Security for Data Transmission between Hosts on the Network
    Traffic Flow and Protocol Fundamentals
    Summary
    Solutions Fast Track
    Frequently Asked Questions

Dissecting the Juniper Firewall
    Introduction
    The Juniper Security Product Offerings
    Juniper Firewalls
    SSL VPN
    Intrusion Detection and Prevention
    Unified Access Control (UAC)
    The Juniper Firewall Core Technologies
    Zones
    Virtual Routers
    Interface Modes
    Policies
    VPN
    Intrusion Prevention
    Device Architecture
    The NetScreen and SSG Firewall Product Line
    Product Line
    Summary
    Solutions Fast Track
    Frequently Asked Questions

Deploying Juniper Firewalls
    Introduction
    Managing Your Juniper Firewall
    Juniper Management Options
    Administrative Users
    The Local File System and the Configuration File
    Using the Command Line Interface
    Using the Web User Interface
    Securing the Management Interface
    Updating ScreenOS
    System Recovery
    Configuring Your Firewall for the First Time
    Types of Zones
    Virtual Routers
    Types of Interfaces
    Configuring Security Zones
    Configuring Your Firewall for the Network
    Binding an Interface to a Zone
    Setting Up IP Addressing
    Configuring the DHCP Client
    Using PPPoE
    Interface Speed Modes
    Port Mode Configuration
    Bridge Groups
    Configuring Basic Network Routing
    Configuring System Services
    Setting the Time
    DHCP Server
    DNS
    SNMP
    Syslog
    Web Trends
    Resources
    Summary
    Solutions Fast Track
    Frequently Asked Questions

Policy Configuration
    Introduction
    Firewall Policies
    Theory of Access Control
    Types of Juniper Policies
    Policy Checking
    Getting Ready to Make a Policy
    Policy Components
    Zones
    Address Book Entries
    Services
    Creating Policies
    Creating a Policy
    Summary
    Solutions Fast Track
    Frequently Asked Questions

Advanced Policy Configuration
    Introduction
    Traffic-Shaping Fundamentals
    The Need for Traffic Shaping
    How Traffic Shaping Works
    Choosing the Traffic-Shaping Type
    Deploying Traffic Shaping on Juniper Firewalls
    Methods to Enforce Traffic Shaping
    Traffic-Shaping Mechanics
    Traffic-Shaping Examples
    Advanced Policy Options
    Counting
    Scheduling
    Summary
    Solutions Fast Track
    Frequently Asked Questions

User Authentication
    Introduction
    User Account Types
    Authentication Users
    Internal Authentication Server
    Configuring the Local Authentication Server
    External Authentication Servers
    Policy-Based User Authentication
    Explanation of Policy-Based Authentication
    Configuring Policies with User Auth
    802.1x Authentication
    Components of 802.1x
    Enhancing Authentication
    Firewall Banner Messages
    Group Expressions
    Summary
    Solutions Fast Track
    Frequently Asked Questions

Routing
    Introduction
    Virtual Routers
    Virtual Routers on Juniper Firewalls
    Routing Selection Process
    Equal Cost Multiple Path
    Virtual Router Properties
    Route Maps and Access Lists
    Route Redistribution
    Importing and Exporting Routes
    Static Routing
    Using Static Routes on Juniper Firewalls
    Routing Information Protocol
    RIP Overview
    RIP Informational Commands
    Open Shortest Path First
    Concepts and Terminology
    Configuring OSPF
    OSPF Informational Commands
    Border Gateway Protocol
    Overview of BGP
    Configuring BGP
    BGP Informational Commands
    Route Redistribution
    Redistributing Routes in the Juniper Firewall
    Redistributing Routes between Routing Protocols
    Redistributing Routes into BGP
    Policy-Based Routing
    Components of PBR
    Summary
    Solutions Fast Track
    Frequently Asked Questions

Address Translation
    Introduction
    Overview of Address Translation
    Port Address Translation
    Advantages of Address Translation
    Disadvantages of Address Translation
    Juniper NAT Overview
    Juniper Packet Flow
    Source NAT
    Interface-Based Source Translation
    MIP
    Policy-Based Source NAT
    Destination NAT
    Policy-Based Destination NAT
    Summary
    Links to Sites
    Solutions Fast Track
    Frequently Asked Questions

Transparent Mode
    Introduction
    Interface Modes
    Understanding How Transport Mode Works
    Configuring a Device to Use Transport Mode
    Transparent Mode Deployment Options
    Summary
    Solutions Fast Track
    Frequently Asked Questions

Attack Detection and Defense
    Introduction
    Understanding Attacks
    Old Root Causes, New Attacks
    Unified Threat Management
    Vulnerability Databases
    Bug Databases
    Common Name Dictionary
    The Juniper Security Research Team
    Understanding the Anatomy of an Attack
    The Three Phases of a Hack
    Script Kiddies
    Black Hat Hackers
    Worms, Viruses, and Other Automated Malware
    Configuring Screen Settings
    UDP Data Rate Limiting
    TCP/IP Protocol Anomaly Detection
    Applying Deep Inspection
    Deep Inspection Concepts
    Deep Inspection Planning
    Getting the Database
    Using Attack Objects
    Setting Up Content Filtering
    Web Filtering
    Antivirus
    Antivirus Rules
    Understanding Application Layer Gateways
    Applying Best Practices
    Defense-in-Depth
    Zone Isolation
    Egress Filtering
    Explicit Permits, Implicit Denies
    Retain Monitoring Data
    Keeping Systems Updated
    Summary
    Solutions Fast Track
    Frequently Asked Questions

VPN Theory and Usage
    Introduction
    Understanding IPSec
    IPSec Modes
    Protocols
    Key Management
    Security Associations
    IPSec Tunnel Negotiations
    Phase 1
    Phase 2
    Public Key Cryptography
    PKI
    Certificates
    CRLs
    How to Use VPNs in NetScreen Appliances
    Site-to-Site VPNs
    Policy-Based VPNs
    Route-Based VPNs
    Dial-Up VPNs
    L2TP VPNs
    Advanced VPN Configurations
    VPN Monitoring
    Gateway Redundancy
    Back-to-Back VPNs
    Hub and Spoke VPNs
    Multitunnel Interfaces
    Summary
    Solutions Fast Track
    Links to Sites
    Mailing Lists
    Frequently Asked Questions

High Availability
    Introduction
    The Need for High Availability
    High-Availability Options
    Improving Availability Using NetScreen SOHO Appliances
    Failing Over between Interfaces
    Using Dual Untrust Interfaces to Provide Redundancy
    Falling Back to Dial-Up
    Restricting Policies to a Subset When Using the Serial Interface
    Using IP Tracking to Determine Failover
    Monitoring VPNs to Determine Failover
    Introducing the NetScreen Redundancy Protocol
    Virtualizing the Firewall
    Understanding NSRP States
    The Value of Dual HA Links
    Building an NSRP Cluster
    Connecting the Firewalls Directly to the Routers
    Connecting the Firewalls to Routers via Switches
    Cabling for a Full-Mesh Configuration
    Using Directly Connected HA Links
    Connecting HA Links via Switches
    Adding a NetScreen to an NSRP Cluster
    Synchronizing the Configuration
    Determining When to Fail Over: The NSRP Ways
    Using NSRP Heartbeats
    Using Optional NSRP Monitoring
    Using NSRP Interface Monitoring
    Using NSRP Zone Monitoring
    Using NSRP IP Tracking
    Reading the Output from get nsrp
    Looking into an NSRP Cluster
    Using NSRP-Lite on Midrange Appliances
    Basic NSRP-Lite Usage
    Working with Local Interfaces in an NSRP-Lite Setup
    Creating Redundant Interfaces
    Taking Advantage of the Full NSRP
    Synchronizing State Using RTO Mirroring
    Setting Up an Active/Active Cluster
    Implementing a Full-Mesh Active/Active Setup
    Failing Over
    Failing Over Virtual Systems
    Avoiding the Split-Brain Problem
    Avoiding the No-Brain Problem
    Configuring HA through NSM
    Creating a Cluster
    Adding Members to the Cluster
    Configuring NSRP Parameters
    Configuring VSD
    Summary
    Solutions Fast Track
    Frequently Asked Questions

Troubleshooting the Juniper Firewall
    Introduction
    Troubleshooting Methodology
    Troubleshooting Tools
    Network Troubleshooting
    Debugging the Juniper Firewall
    Debugging NAT
    Debugging VPNs
    Policy-Based VPNs
    Route-Based VPNs
    Debugging NSRP
    Debugging Traffic Shaping
    NetScreen Logging
    Traffic
    Self
    Event
    Summary
    Solutions Fast Track
    Frequently Asked Questions

Virtual Systems
    Introduction
    What Is a Virtual System?
    Virtual System Components
    How Virtual Systems Work
    Classifying Traffic
    Virtual System Administration
    Configuring Virtual Systems
    Creating a Virtual System
    Network Interfaces
    Virtual System Profiles
    Summary
    Solutions Fast Track
    Frequently Asked Questions

Index