Techpubs Home
Report an Error
Collapse TOC
Index
Entire manual as PDF
- About This Guide
- Support for Security Features on Different Device Types
- Introducing JUNOS Software with Enhanced Services for J-series Services Routers
- Introducing JUNOS Software for SRX-series Services Gateways
-
- Overview of SRX-series Services Gateways Running JUNOS Software
- Overview of Stateful and Stateless Data Processing
- Understanding Sessions
- Following the Data Path for a Unicast Session
-
- Session Lookup and Packet Match Criteria
- Understanding Session Creation: First-Packet Processing
- Understanding Fast-Path Processing
-
- Step 1. A Packet Arrives at the Device and the NPU Processes It.
- Step 2. The SPU for the Session Processes the Packet.
- Step 3. The SPU Forwards the Packet to the NPU.
- Step 4. The Interface Transmits the Packet From the Device.
- Step 5. A Reverse Traffic Packet Arrives at the Egress Interface and the NPU Processes It.
- Step 6. The SPU for the Session Processes the Reverse Traffic Packet.
- Step 7. The SPU Forwards the Reverse Traffic Packet to the NPU.
- 8. The Interface Transmits the Packet From the Device.
- Obtaining Information About Sessions By Using the Configuration show Command
- Obtaining Information About Sessions By Using the Operational show Command
- Using the Operational clear Command to Terminate Sessions
- Security Zones and Interfaces
-
- Zone Support on Different Device Types
- Understanding Security Zones
- Creating Security Zones
- Configuring Security Zones—Quick Configuration
- Configuring Host Inbound Traffic
- Configuring Protocols
- Configuring the TCP-Reset Parameter
- Understanding Security Zone Interfaces
- Understanding Interface Ports
- Configuring Interfaces—Quick Configuration
- Configuring a Gigabit Ethernet Interface—Quick Configuration
- Security Policies
-
- Security Policy Support on Different Device Types
- Security Policies Overview
- Understanding Policies
- Understanding Policy Ordering
- Configuring Policies—Quick Configuration
- Configuring Policies
- Verifying Policy Configuration
- Example: Configuring Security Policies—Detailed Configuration
- Configuring a Policy to Permit Traffic
- Configuring a Policy to Deny Traffic
- Reordering Policies After They Have Been Created
- Troubleshooting Policy Configuration
- Monitoring Policy Statistics
- Security Policy Address Books and Address Sets
- Security Policy Schedulers
- Security Policy Applications
-
- Policy Application Sets Overview
- Understanding the ICMP Predefined Policy Application
- Understanding Internet-Related Predefined Policy Applications
- Understanding Microsoft Predefined Policy Applications
- Understanding Dynamic Routing Protocols Predefined Policy Applications
- Understanding Streaming Video Predefined Policy Applications
- Understanding Sun RPC Predefined Policy Applications
- Understanding Security and Tunnel Predefined Policy Applications
- Understanding IP-Related Predefined Policy Applications
- Understanding Instant Messaging Predefined Policy Applications
- Understanding Management Predefined Policy Applications
- Understanding Mail Predefined Policy Applications
- Understanding UNIX Predefined Policy Applications
- Understanding Miscellaneous Predefined Policy Applications
- Understanding Custom Policy Applications
- Configuring Applications and Application Sets—Quick Configuration
- Example: Configuring Applications and Application Sets
- Example: Adding a Custom Policy Application
- Example: Modifying a Custom Policy Application
- Example: Defining a Custom Internet Control Message Protocol Application
- Understanding Policy Application Timeouts
- Setting a Policy Application Timeout
- Firewall User Authentication
-
- Firewall Authentication Support on Different Device Types
- Firewall User Authentication Overview
- Understanding Authentication Schemes
- Configuring for Pass-Through Authentication
- Configuring for Web Authentication
- Understanding Client Groups for Firewall Authentication
- Configuring for External Authentication Servers
- Understanding SecurID User Authentication
- Configuring the SecurID Server
- Displaying the Authentication Table
- Understanding Banner Customization
- Customizing a Banner
- Configuring Firewall Authentication—Quick Configuration
- Verifying Firewall User Authentication
- Attack Detection and Prevention
-
- Attack Detection and Prevention Support for Different Device Types
- Reconnaissance Deterrence Overview
- Understanding IP Address Sweeps
- Blocking IP Address Sweeps
- Understanding Port Scanning
- Blocking Port Scans
- Understanding Network Reconnaissance Using IP Options
- Detecting Packets That Use IP Options for Reconnaissance
- Understanding Operating System Probes
- Blocking Packets with SYN and FIN Flags Set
- Blocking Packets with FIN Flag/No ACK Flag Set
- Blocking Packets with No Flags Set
- Understanding Attacker Evasion Techniques
- Thwarting a FIN Scan
- Setting TCP SYN Checking
- Blocking IP Spoofing
- Blocking Packets with Either a Loose or Strict Source Route Option Set
- Detecting Packets with Either a Loose or Strict Source Route Option Set
- Suspicious Packet Attributes Overview
- Understanding ICMP Fragment Protection
- Blocking Fragmented ICMP Packets
- Understanding Large ICMP Packet Protection
- Blocking Large ICMP Packets
- Understanding Bad IP Option Protection
- Detecting and Blocking IP Packets with Incorrectly Formatted Options
- Understanding Unknown Protocol Protection
- Dropping Packets Using an Unknown Protocol
- Understanding IP Packet Fragment Protection
- Dropping Fragmented IP Packets
- Understanding SYN Fragment Protection
- Dropping IP Packets Containing SYN Fragments
- Denial-of-Service Attack Overview
- Firewall DoS Attacks Overview
- Understanding Session Table Flood Attacks
- Setting Source-Based Session Limits
- Setting Destination-Based Session Limits
- Understanding SYN-ACK-ACK Proxy Flood Attacks
- Enabling Protection Against a SYN-ACK-ACK Proxy Flood Attack
- Network DoS Attacks Overview
- Understanding SYN Flood Attacks
- Example: SYN Flood Protection
- Enabling SYN Flood Protection
- Understanding SYN Cookie Protection
- Enabling SYN Cookie Protection
- Understanding ICMP Flood Attacks
- Enabling ICMP Flood Protection
- Understanding UDP Flood Attacks
- Enabling UDP Flood Protection
- Understanding Land Attacks
- Enabling Protection Against a Land Attack
- OS-Specific DoS Attacks Overview
- Understanding Ping of Death Attacks
- Enabling Protection Against a Ping of Death Attack
- Understanding Teardrop Attacks
- Enabling Protection Against a Teardrop Attack
- Understanding WinNuke Attacks
- Enabling Protection Against a WinNuke Attack
- Configuring Firewall Screen Options—Quick Configuration
- Verifying Application Security Information Using Trace Options
- Network Address Translation
-
- NAT Support On Different Device Types
- Understanding NAT
- NAT Configuration on Different Devices
- Destination IP Address Translation Overview
- Understanding Static NAT on J-series Services Routers
- Configuring Static NAT
- Understanding NAT-Dst Policy-Based NAT on J-series Services Routers
- Example: Configuring Destination NAT on J-series Services Routers
- Understanding Rule-Based Destination NAT on SRX-series Services Gateways
- Example: Configuring Destination NAT on SRX-series Services Gateways
- Understanding NAT-Dst Allow-Incoming Table
- Example: Configuring NAT-Dst Allow-Incoming Table
- Source IP Address Translation Overview
- Understanding NAT Interface Source Pools
- Understanding NAT Source Pools with PAT
- Understanding NAT Source Pools Without PAT
- Understanding NAT Static Source Pools
- Understanding NAT Allow-Incoming Source Pools
- Understanding NAT Source Pool Sets
- Example: Configuring Source NAT on J-series Services Routers
- Example: Configuring Source NAT on SRX-series Services Gateways
- Verifying Static NAT Summary
- Example: Configuring a Persistent Address and Pool Sets
- Configuring Proxy ARP (Address Resolution Protocol) on SRX-series Services Gateways
- Verifying NAT Configuration on SRX–series Services Gateways
- Configuring Source NAT—Quick Configuration
- Configuring Destination NAT—Quick Configuration
- Configuring Interface NAT—Quick Configuration
- Configuring Firewall/NAT Flow—Quick Configuration
- Configuring Stateful Firewall or NAT Screen—Quick Configuration
- Chassis Cluster
-
- Understanding Chassis Cluster
- Understanding Chassis Cluster Formation
- Understanding Redundancy Groups
- Understanding Redundant Ethernet Interfaces
- Understanding the Control Plane
- Understanding the Data Plane
- Understanding Failover
- Hardware Setup for J-series Services Routers
- Hardware Setup for SRX-series Services Gateways
- What Happens When You Enable Chassis Cluster
- Creating a Services Router Chassis Cluster—Overview
- Creating a Services Gateway Chassis Cluster—Overview
- Setting the Node ID and Cluster ID
- Configuring the Management Interface
- Configuring a Chassis Cluster and Redundancy Groups—Quick Configuration
- Configuring Redundant Ethernet Interfaces—Quick Configuration
- Configuring a Gigabit Interface—Quick Configuration
- Configuring Chassis Cluster Information
- Configuring the Fabric
- Configuring Redundancy Groups
- Configuring Redundant Ethernet Interfaces
- Configuring Interface Monitoring
- Initiating a Manual Redundancy Group Failover
- Configuring Conditional Route Advertising
- Verifying the Chassis Cluster Configuration
- Upgrading Chassis Cluster
- Disabling Chassis Cluster
- Internet Protocol Security (IPsec)
-
- IPsec Support on Different Device Types
- Virtual Private Networks (VPNs)
- Understanding IPsec Operational Modes
- Understanding IPsec Security Protocols
- Understanding IPsec Security Associations (SAs)
- Understanding IPsec Key Management
- Understanding IKE and IPsec Packets
- Understanding IPsec Tunnel Negotiation
- Configuring VPN Global Settings
- Configuring VPN Global Settings—Quick Configuration
- Configuring an IKE IPsec Tunnel—Overview
- Configuring an IKE Phase 1 Proposal
- Configuring an IKE Phase 1 Proposal—Quick Configuration
- Configuring an IKE Policy, Authentication, and Proposal
- Configuring an IKE Policy, Authentication, and Proposal—Quick Configuration
- Configuring an IKE Gateway and Peer Authentication
- Configuring an IKE Gateway and Peer Authentication—Quick Configuration
- Configuring an IPsec Phase 2 Proposal
- Configuring an IPsec Phase 2 Proposal—Quick Configuration
- Configuring an IPsec Policy
- Configuring an IPsec Policy—Quick Configuration
- Configuring IPsec AutoKey
- Configuring IPsec Autokey—Quick Configuration
- Configuring an IPsec Manual Key VPN
- Configuring an IPsec Manual Key VPN—Quick Configuration
- Public Key Cryptography for Certificates
-
- PKI Support on Different Device Types
- Understanding Public Key Cryptography
- Understanding Certificates
- Understanding Certificate Revocation Lists
- Understanding Public Key Infrastructure
- Understanding Self-Signed Certificates
- Understanding Automatically Generated Self-Signed Certificates
- Understanding Manually Generated Self-Signed Certificates
- Using Digital Certificates
- Generating a Public-Private Key Pair
- Configuring a Certificate Authority Profile
- Enrolling a CA Certificate Online
- Enrolling a Local Certificate Online
- Generating a Local Certificate Request Manually
- Loading CA and Local Certificates Manually
- Re-enrolling Local Certificates Automatically
- Manually Loading a CRL onto the Device
- Verifying Certificate Validity
- Checking Certificate Validity Using CRLs
- Using Automatically Generated Self-Signed Certificates
- Manually Generating Self-Signed Certificates
- Deleting Certificates
- Deleting a Loaded CRL
- Application Layer Gateways (ALGs)
-
- ALG Support on Different Device Types
- Understanding Application Layer Gateways
- Configuring Application Layer Gateways—Quick Configuration
- Understanding the H.323 ALG
- Configuring the H.323 ALG—Quick Configuration
- Setting H.323 Endpoint Registration Timeout
- Setting H.323 Media Source Port Range
- Configuring H.323 Denial of Service (DoS) Attack Protection
- Allowing Unknown H.323 Message Types
- Verifying the H.323 Configuration
- Passing H.323 ALG Traffic to a Gatekeeper in the Internal Zone
- Passing H.323 ALG Traffic to a Gatekeeper in the External Zone
- Using NAT and the H.323 ALG to Enable Outgoing Calls
- Using NAT and the H.323 ALG to Enable Incoming Calls
- Understanding the SIP ALG
- SIP ALG Request Methods Overview
- Configuring the SIP ALG—Quick Configuration
- Understanding SIP ALG Call Duration and Timeouts
- Setting SIP Call Duration and Inactive Media Timeout
- Configuring SIP Denial of Service (DoS) Attack Protection
- Allowing Unknown SIP Message Types
- Disabling SIP Call ID Hiding
- Retaining SIP Hold Resources
- Understanding SIP with Network Address Translation (NAT)
- Understanding Incoming SIP Call Support Using the SIP Registrar
- Configuring Interface Source NAT for Incoming SIP Calls
- Configuring a Source NAT Pool for Incoming SIP Calls
- Configuring Static NAT for Incoming SIP Calls
- Configuring the SIP Proxy in the Private Zone
- Configuring the SIP Proxy in the Public Zone
- Configuring a Three-Zone SIP Scenario
- Verifying the SIP Configuration
- Understanding the SCCP ALG
- Configuring the SCCP ALG—Quick Configuration
- Setting SCCP Inactive Media Timeout
- Allowing Unknown SCCP Message Types
- Configuring SCCP Denial of Service (DoS) Attack Protection
- Configuring Call Manager/TFTP Server in the Private Zone
- Verifying the SCCP Configuration
- Understanding the MGCP ALG
- Configuring the MGCP ALG—Quick Configuration
- Understanding MGCP ALG Call Duration and Timeouts
- Setting MGCP Call Duration
- Setting MGCP Inactive Media Timeout
- Setting the MGCP Transaction Timeout
- Configuring MGCP Denial of Service (DoS) Attack Protection
- Allowing Unknown MGCP Message Types
- Configuring a Media Gateway in Subscribers' Homes
- Configuring Three-Zone ISP-Hosted Service Using Source and Static NAT
- Verifying the MGCP Configuration
- Understanding the RPC ALG
- Disabling and Enabling RPC ALG
- Verifying the RPC ALG Tables
- NetScreen-Remote VPN Client
- IDP Policies
-
- IDP Policy Support on Different Device Types
- IDP Policies Overview
- Understanding IDP Policy Rulebases
- Understanding IDP Policy Rules
- Understanding IDP Rule Match Conditions
- Understanding IDP Rule Objects
- Understanding IDP Rule Actions
- Understanding IDP Rule IP Actions
- Understanding IDP Rule Notifications
- Defining Rules for an IPS Rulebase
- Defining Rules for an Exempt Rulebase
- IDP Policies—Quick Configuration
- Inserting a Rule in the Rulebase
- Deactivating and Reactivating Rules in a Rulebase
- Understanding Application Sets
- Configuring Applications or Services for IDP
- Configuring Application Sets for IDP
- Enabling IDP in a Security Policy
- Understanding IDP Terminal Rules
- Setting Terminal Rules in Rulebases
- Understanding Custom Attack Objects
- Configuring Custom Attack Objects
- Configuring DSCP in an IDP Policy
- IDP Signature Database
-
- IDP Signature Database Support on Different Device Types
- Understanding the IDP Signature Database
- Using Predefined Policy Templates
- Understanding Predefined Attack Objects and Groups
- Updating the Signature Database Overview
- Updating the Signature Database Manually
- Configuring a Security Package Update—Quick Configuration
- Updating the Signature Database Automatically
- Understanding the Signature Database Version
- Verifying the Signature Database
- IDP Application Identification
-
- IDP Application Identification Support on Different Device Types
- Understanding Application Identification
- Understanding Service and Application Bindings
- Understanding Application System Cache
- Configuring IDP Policies for Application Identification
- Disabling Application Identification
- Setting Memory and Session Limits
- Verifying Application Identification
- IDP Logging
- Index