Stateful Firewall Overview for Next Gen Services
Services PICs employ a type of firewall called a stateful firewall. Contrasted with a stateless firewall, which inspects packets in isolation, a stateful firewall provides an extra layer of security by using state information derived from past communications and other applications to make dynamic control decisions for new communication attempts.
Stateful firewalls group relevant flows into conversations, and decide whether the conversation is allowed to be established. If a conversation is allowed, all flows within the conversation are permitted, including flows that are created during the life cycle of the conversation.
Benefits
By inspecting the application protocol data of a flow, the stateful firewall intelligently enforces security policies and permits only the minimally required packet traffic.
Flows and Conversations
A typical Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) conversation consists of two flows: the initiation flow and the responder flow. However, some conversations, such as an FTP conversation, might consist of two control flows and many data flows.
A flow is identified by the following five properties:
Source address
Source port
Destination address
Destination port
Protocol
Stateful Firewall Rules
Stateful firewall rules govern whether the conversation is allowed to be established. A rule consists of matching conditions and actions to take.
Matching conditions include direction, source address, destination address, and application protocol or service. In addition to the specific values you configure, you can assign the value any, any-ipv4, or any-ipv6, or you can use an address-book under services to define address lists and ranges for use within stateful firewall rules. Finally, you can specify matches that result in the rule not being applied.
Actions in a stateful firewall rule include allowing the traffic or dropping the traffic.
Stateful firewall rules are directional. For each new conversation, the router software determines whether the initiation flow direction matches the rule direction.
Stateful firewall rules are ordered. The software checks the rules in the order in which you include them in the configuration. The first time the software finds a matching rule for a flow, the router implements the action specified by that rule, and ignores subsequent rules.
The stateful firewall rules are configured in relation to an interface. By default, the stateful firewall allows all sessions initiated from the hosts behind the interface to pass through the router.
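The following Python model is an added example, not Juniper code and not the MX-SPC3 implementation; it exists to make the behaviour described in the Flows and Conversations and Stateful Firewall Rules sections concrete. It identifies flows by the five-tuple, tracks conversations so that the responder flow is accepted without re-evaluating rules, evaluates directional rules in configuration order with first match winning, supports the any / any-ipv4 / any-ipv6 values, an address book of named prefix lists, and an "except" source match that stops a rule from applying. The rule names, address-book entries, direction labels ("input" meaning initiated from hosts behind the interface) and all addresses are constructed for the example; the default of accepting unmatched sessions initiated from behind the interface follows the paragraph above.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# A flow is identified by its five-tuple:
# (source address, source port, destination address, destination port, protocol).
FlowKey = Tuple[str, int, str, int, str]


def responder_flow(key: FlowKey) -> FlowKey:
    """The responder flow of a conversation: the initiation flow with endpoints swapped."""
    src, sport, dst, dport, proto = key
    return (dst, dport, src, sport, proto)


# Constructed address book: names resolve to prefix lists (hypothetical data).
ADDRESS_BOOK: Dict[str, List[str]] = {
    "corp-lan": ["10.0.0.0/8"],
    "quarantine": ["10.9.0.0/16"],
    "dmz-web": ["192.0.2.10/32"],
}


def addr_matches(spec: str, addr: str) -> bool:
    """Match against 'any', 'any-ipv4', 'any-ipv6', an address-book name, or a literal prefix."""
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "any-ipv4":
        return ip.version == 4
    if spec == "any-ipv6":
        return ip.version == 6
    prefixes = ADDRESS_BOOK.get(spec, [spec])
    # An address of the other IP version is simply not contained in a network.
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)


def app_matches(spec: str, key: FlowKey) -> bool:
    """Application spec is 'any' or 'proto/port', e.g. 'tcp/80' (constructed notation)."""
    if spec == "any":
        return True
    proto, port = spec.split("/")
    return key[4] == proto and key[3] == int(port)


@dataclass
class Rule:
    name: str
    direction: str   # "input": initiated by hosts behind the interface; "output": the reverse
    src: str
    dst: str
    app: str
    action: str      # "accept" or "discard"
    # Source prefixes that cause the rule NOT to apply (a match that excludes the rule).
    except_src: List[str] = field(default_factory=list)

    def matches(self, direction: str, key: FlowKey) -> bool:
        src, _, dst, _, _ = key
        if self.direction != direction:          # rules are directional
            return False
        if any(addr_matches(e, src) for e in self.except_src):
            return False
        return addr_matches(self.src, src) and addr_matches(self.dst, dst) and app_matches(self.app, key)


class StatefulFirewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)                      # ordered: first match wins
        self.conversations: Dict[FlowKey, str] = {}   # initiation flow -> rule that allowed it

    def evaluate(self, direction: str, key: FlowKey) -> Tuple[str, str]:
        """Return (action, reason) for a packet of flow `key` seen in `direction`."""
        # Flows of an allowed conversation, in either direction, are never re-evaluated.
        if key in self.conversations or responder_flow(key) in self.conversations:
            return "accept", "existing conversation"
        for rule in self.rules:                       # checked in configuration order
            if rule.matches(direction, key):
                if rule.action == "accept":
                    self.conversations[key] = rule.name
                return rule.action, rule.name         # subsequent rules are ignored
        # Default: sessions initiated from behind the interface pass; others do not.
        if direction == "input":
            self.conversations[key] = "default"
            return "accept", "default"
        return "discard", "no matching rule"


RULES = [
    Rule("deny-quarantine", "input", "quarantine", "any", "any", "discard"),
    Rule("allow-web-out", "input", "corp-lan", "any-ipv4", "tcp/80", "accept"),
    Rule("allow-dmz-https", "output", "any", "dmz-web", "tcp/443", "accept",
         except_src=["198.51.100.0/24"]),
]


def demo() -> Dict[str, Tuple[str, str]]:
    """Run constructed flows through the rule set and return each verdict."""
    fw = StatefulFirewall(RULES)
    web = ("10.1.2.3", 40000, "203.0.113.50", 80, "tcp")
    return {
        "web-out": fw.evaluate("input", web),
        "web-reply": fw.evaluate("output", responder_flow(web)),
        "quarantined-host": fw.evaluate("input", ("10.9.1.5", 40001, "203.0.113.50", 80, "tcp")),
        "dmz-from-excepted": fw.evaluate("output", ("198.51.100.7", 5555, "192.0.2.10", 443, "tcp")),
        "dmz-from-internet": fw.evaluate("output", ("203.0.113.9", 5556, "192.0.2.10", 443, "tcp")),
        "dmz-ssh": fw.evaluate("output", ("203.0.113.9", 5557, "192.0.2.10", 22, "tcp")),
        "unlisted-outbound": fw.evaluate("input", ("10.1.2.3", 40002, "203.0.113.50", 22, "tcp")),
    }


if __name__ == "__main__":
    for name, (action, why) in demo().items():
        print(f"{name:20s} {action:8s} ({why})")
```

Note the ordering effect: the quarantine host 10.9.1.5 is also inside corp-lan, so swapping the first two rules would let its web session through; the responder flow of the accepted web session is admitted purely because its conversation exists, with no rule lookup at all.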
Stateful Firewall Anomaly Checking
The stateful firewall recognizes the following events as anomalies and sends them to the IDS software for processing:
IP anomalies:
IP version is not correct.
IP header length field is too small.
IP header length is set larger than the entire packet.
Bad header checksum.
IP total length field is shorter than header length.
Packet has incorrect IP options.
Internet Control Message Protocol (ICMP) packet length error.
Time-to-live (TTL) equals 0.
IP address anomalies:
IP packet source is broadcast or multicast.
Land attack (source IP equals destination IP).
IP fragmentation anomalies:
IP fragment overlap.
IP fragment missed.
IP fragment length error.
IP packet length is more than 64 kilobytes (KB).
Tiny fragment attack.
TCP anomalies:
TCP port 0.
TCP sequence number 0 and flags 0.
TCP sequence number 0 and FIN/PSH/RST flags set.
TCP flags with wrong combination (TCP FIN/RST or SYN/(URG|FIN|RST)).
Bad TCP checksum.
UDP anomalies:
UDP source or destination port 0.
UDP header length check failed.
Bad UDP checksum.
Anomalies found through stateful TCP or UDP checks:
SYN followed by SYN-ACK packets without ACK from initiator.
SYN followed by RST packets.
SYN without SYN-ACK.
Non-SYN first flow packet.
ICMP unreachable errors for SYN packets.
ICMP unreachable errors for UDP packets.
Packets dropped by stateful firewall rules.
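As an added example (not Juniper code and not how the services PIC implements these checks), the following Python script classifies a subset of the anomalies listed above from already-decoded header fields, and keeps per-conversation TCP state so that the two stateful cases, a non-SYN first packet and a SYN answered by RST, can be reported too. The Packet class, the event names, the reading of "sequence number 0 and FIN/PSH/RST flags set" as all three flags set, and the sample packets are all constructed for the example; only the limited broadcast address is recognised as a broadcast source, since a directed broadcast would require the interface's subnet mask.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP flag bits as they appear in the TCP header.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FIN_PSH_RST = TCP_FIN | TCP_PSH | TCP_RST


@dataclass(frozen=True)
class Packet:
    """Already-decoded header fields of one packet (constructed input, not a real parser)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp", "udp", or other
    ttl: int = 64
    flags: int = 0      # TCP flag bits; ignored for non-TCP
    seq: int = 1        # TCP sequence number
    length: int = 64    # total IP packet length in bytes


def header_anomalies(p: Packet) -> List[str]:
    """Stateless checks: each packet is judged on its own header fields."""
    found: List[str] = []
    if p.ttl == 0:
        found.append("ttl-zero")
    sip = ipaddress.ip_address(p.src)
    # Only the limited broadcast address is recognised; directed broadcasts need the subnet mask.
    if sip.is_multicast or sip == ipaddress.ip_address("255.255.255.255"):
        found.append("source-broadcast-or-multicast")
    if p.src == p.dst:
        found.append("land-attack")
    if p.length > 65535:
        found.append("ip-length-over-64k")
    if p.proto == "tcp":
        if p.sport == 0 or p.dport == 0:
            found.append("tcp-port-zero")
        if p.seq == 0 and p.flags == 0:
            found.append("tcp-seq0-no-flags")
        if p.seq == 0 and (p.flags & FIN_PSH_RST) == FIN_PSH_RST:   # interpretation: all three set
            found.append("tcp-seq0-fin-psh-rst")
        bad_fin_rst = bool(p.flags & TCP_FIN) and bool(p.flags & TCP_RST)
        bad_syn_combo = bool(p.flags & TCP_SYN) and bool(p.flags & (TCP_URG | TCP_FIN | TCP_RST))
        if bad_fin_rst or bad_syn_combo:
            found.append("tcp-bad-flag-combination")
    elif p.proto == "udp":
        if p.sport == 0 or p.dport == 0:
            found.append("udp-port-zero")
    return found


class StatefulChecker:
    """Tracks TCP conversations so that the stateful anomalies can be reported."""

    def __init__(self) -> None:
        # initiation (src, sport, dst, dport) -> "syn-sent" | "established"
        self.state: Dict[Tuple[str, int, str, int], str] = {}

    def inspect(self, p: Packet) -> List[str]:
        events = header_anomalies(p)
        if p.proto != "tcp":
            return events
        key = (p.src, p.sport, p.dst, p.dport)
        rkey = (p.dst, p.dport, p.src, p.sport)
        if key in self.state:                                   # packet from the initiator
            if self.state[key] == "syn-sent" and p.flags & TCP_ACK and not p.flags & TCP_SYN:
                self.state[key] = "established"                 # handshake completed
        elif rkey in self.state:                                # packet from the responder
            if self.state[rkey] == "syn-sent" and p.flags & TCP_RST:
                events.append("syn-followed-by-rst")
                del self.state[rkey]
        elif p.flags & TCP_SYN and not p.flags & TCP_ACK:
            self.state[key] = "syn-sent"                        # a properly opened conversation
        else:
            events.append("non-syn-first-packet")               # mid-stream packet, no conversation
        return events


def demo() -> Dict[str, List[str]]:
    """Feed constructed packets through the checker and collect the events per packet."""
    chk = StatefulChecker()
    srv, cli = "192.0.2.10", "10.0.0.5"
    return {
        "handshake-syn": chk.inspect(Packet(cli, 40000, srv, 80, "tcp", flags=TCP_SYN)),
        "handshake-synack": chk.inspect(Packet(srv, 80, cli, 40000, "tcp", flags=TCP_SYN | TCP_ACK)),
        "handshake-ack": chk.inspect(Packet(cli, 40000, srv, 80, "tcp", flags=TCP_ACK)),
        "midstream-ack": chk.inspect(Packet("10.0.0.6", 40001, srv, 80, "tcp", flags=TCP_ACK)),
        "refused-syn": chk.inspect(Packet("10.0.0.7", 40002, srv, 80, "tcp", flags=TCP_SYN)),
        "refused-rst": chk.inspect(Packet(srv, 80, "10.0.0.7", 40002, "tcp", flags=TCP_RST | TCP_ACK)),
        "land": chk.inspect(Packet(srv, 80, srv, 80, "tcp", flags=TCP_SYN | TCP_FIN)),
        "udp-junk": chk.inspect(Packet("224.0.0.1", 0, "10.0.0.1", 53, "udp", ttl=0)),
    }


if __name__ == "__main__":
    for name, events in demo().items():
        print(f"{name:18s} {events or 'clean'}")
```

Events are returned as a list per packet rather than acted on, which is the hand-off the text describes: the firewall recognises the condition and leaves processing of it to the IDS side.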