Creating a Secure Logging Channel

09-Jun-23

This section describes how to place the device in an evaluated configuration to provide an encrypted communication channel over an IPsec VPN tunnel, between a device running Junos OS and a remote external storage server (syslog server).

Note:

The ssh-rsa authentication method is one of the allowed algorithms in FIPS mode.

Table 1 lists all the supported algorithms for the IPsec VPN tunnel.

Table 1: IPsec VPN Tunnel Supported Algorithms

IKE Phase 1 Proposal
    Authentication Method: pre-shared-keys, rsa-signatures-2048, ecdsa-signatures-256, ecdsa-signatures-384
    Authentication Algorithm: sha-256, sha-384
    DH Group: group14, group19, group20, group24
    Encryption Algorithm: aes-128-cbc, aes-128-gcm, aes-192-cbc, aes-256-cbc, aes-256-gcm

IPsec Phase 2 Proposal
    Authentication Algorithm: hmac-sha1-96, hmac-sha-256-128
    DH Group (PFS): group14, group19, group20, group24
    Encryption Method: ESP
    Encryption Algorithm: aes-128-cbc, aes-128-gcm, aes-192-cbc, aes-192-gcm, aes-256-cbc, aes-256-gcm

Configuring a Trusted Path or Channel Between a Device Running Junos OS and a Remote External Storage Server

This section describes the configuration details required to provide an encrypted communication channel between a device running Junos OS and the remote external storage server through an IPsec VPN tunnel.

Note:

The remote external storage server is a Linux-based syslog server. The IPsec VPN tunnel is terminated on its outbound interface Eth1, the log data sent from the device is delivered to the syslog termination interface Eth2, and the StrongSwan application provides the IPsec VPN capability.

Table 2 lists the IPsec VPN tunnel details used in this example.

Table 2: IPsec VPN Tunnel Information

Phase 1 Proposal (P1, IKE)
    Authentication Method: pre-shared-keys
    Authentication Algorithm: sha-256
    DH Group: group14
    Encryption Algorithm: aes-128-cbc

Phase 2 Proposal (P2, IPsec)
    Authentication Algorithm: hmac-sha1-96
    DH Group (PFS): group14
    Encryption Method: ESP
    Encryption Algorithm: aes-128-cbc

Figure 1 illustrates the encrypted communication channel between a device running Junos OS and a remote external storage server. An IPsec tunnel is established between the device's egress interface (Intf-1) and the remote syslog server's outbound interface (Eth1). Data is then forwarded internally on the remote external storage server from its outbound interface Eth1 (the VPN endpoint) to Eth2.

Figure 1: IPsec VPN Tunnel

Table 3 provides the interface and IP configuration details used in this example.

Table 3: Interface and IP Configuration Details for the Trusted Path

Device Running Junos OS
    IP Address:
        "Intf-2" interface: GE-0/0/1, IP Address: 198.51.100.2
        "Intf-1" interface: GE-0/0/2, IP Address: 198.51.100.1
    Enable: Syslog logging to remote syslog server

Remote Storage Server
    IP Address:
        Eth1: 198.51.100.3
        Eth2: 203.0.113.1
    Gateway Eth1: 198.51.100.1
    Tools: SSH and StrongSwan (for IPsec VPN)

To configure the trusted path or channel between a device running Junos OS and a remote external storage server:

  1. Enable stream logging for traffic logs.

    [edit security]
    user@host#set log cache
    user@host#set log mode event
    user@host#set log source-address 198.51.100.2
    user@host#set log stream STREAM category all
    user@host#set log stream STREAM host 203.0.113.1
    
    Note:

    192.168.2.1 is the IP address of the syslog server outbound interface at which the IPsec VPN tunnel is terminated, and 20.20.20.2 is the IP address of the syslog server interface for which log data is destined.

  2. Enable syslog on the device.

    [edit system]
    user@host#set syslog user * any emergency
    user@host#set syslog host 203.0.113.1 any any
    user@host#set syslog file SYSLOG any any
    user@host#set syslog file SYSLOG authorization info
    user@host#set syslog file SYSLOG_COMMANDS interactive-commands error
    user@host#set syslog file traffic-log any any
    user@host#set syslog file traffic-log match RT_FLOW_SESSION
    user@host#set syslog source-address 198.51.100.2
    
  3. Enable VPN on the device.

    IKE setup:

    [edit security]
    user@host#set ike proposal IKE_Proposal authentication-method pre-shared-keys
    user@host#set ike proposal IKE_Proposal dh-group group14
    user@host#set ike proposal IKE_Proposal authentication-algorithm sha-256
    user@host#set ike proposal IKE_Proposal encryption-algorithm aes-128-cbc
    user@host#set ike policy IKE_Policy mode main
    user@host#set ike policy IKE_Policy proposals IKE_Proposal
    user@host#set ike policy IKE_Policy pre-shared-key ascii-text 12345
    user@host#set ike gateway GW ike-policy IKE_Policy
    user@host#set ike gateway GW address 198.51.100.3
    user@host#set ike gateway GW local-identity inet 198.51.100.1
    user@host#set ike gateway GW external-interface ge-0/0/2
    user@host#set ike gateway GW version v2-only
    

    IPsec setup:

    [edit security ipsec]
    user@host#set proposal IPsec_Proposal protocol esp
    root@host#set proposal IPsec_Proposal authentication-algorithm hmac-sha1-96
    root@host#set proposal IPsec_Proposal encryption-algorithm aes-128-cbc
    root@host#set policy IPsec_Policy perfect-forward-secrecy keys group14
    root@host#set policy IPsec_Policy proposals IPsec_Proposal
    root@host#set vpn VPN bind-interface st0.0
    root@host#set vpn VPN ike gateway GW
    root@host#set vpn VPN ike ipsec-policy IPsec_Policy
    root@host#set vpn VPN establish-tunnels immediately
    
  4. Perform the following additional configurations on the device.

    IKE trace log:

    [edit security ike]
    root@host#set traceoptions file IKE_Trace
    root@host#set traceoptions file size 10000000
    root@host#set traceoptions flag all
    

    Flow trace:

    [edit security flow]
    root@host#set traceoptions file DEBUG
    root@host#set traceoptions file size 1000000
    root@host#set traceoptions flag all
    

    Route options:

    [edit]
    root@host#set routing-options static route 203.0.113.2/24 qualified-next-hop st0.0 preference 1
    

    Address book configuration:

    [edit security address-book]
    root@host#set global address trustLAN 198.51.100.0/24
    root@host#set global address unTrustLAN 198.51.100.3/24
    

    Zone configuration:

    [edit security zones]
    root@host#set security-zone trustZone host-inbound-traffic system-services all
    root@host#set security-zone trustZone host-inbound-traffic protocols all
    root@host#set security-zone trustZone interfaces ge-0/0/1.0
    root@host#set security-zone unTrustZone host-inbound-traffic system-services all
    root@host#set security-zone unTrustZone host-inbound-traffic protocols all
    root@host#set security-zone unTrustZone interfaces st0.0
    root@host#set security-zone unTrustZone interfaces ge-0/0/2.0
    

    Policy configuration:

    [edit security policies]
    root@host#set from-zone trustZone to-zone unTrustZone policy Policy1 match source-address trustLAN
    root@host#set from-zone trustZone to-zone unTrustZone policy Policy1 match destination-address unTrustLAN
    root@host#set from-zone trustZone to-zone unTrustZone policy Policy1 match application any
    root@host#set from-zone trustZone to-zone unTrustZone policy Policy1 then permit
    root@host#set from-zone trustZone to-zone unTrustZone policy Policy1 then log session-init
    root@host#set from-zone trustZone to-zone unTrustZone policy Policy1 then log session-close
    root@host#set from-zone unTrustZone to-zone trustZone policy Policy1 match source-address unTrustLAN
    root@host#set from-zone unTrustZone to-zone trustZone policy Policy1 match destination-address trustLAN
    root@host#set from-zone unTrustZone to-zone trustZone policy Policy1 match application any
    root@host#set from-zone unTrustZone to-zone trustZone policy Policy1 then permit
    root@host#set from-zone unTrustZone to-zone trustZone policy Policy1 then log session-init
    root@host#set from-zone unTrustZone to-zone trustZone policy Policy1 then log session-close
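
The following Python script is an added example, not part of this documentation or of Junos OS: it reads a CLI transcript in the form used in step 3 (an [edit ...] banner followed by prompted set statements) and reports every IKE proposal, IPsec proposal or perfect-forward-secrecy value that falls outside what Table 1 permits, so a configuration can be checked against the evaluated-configuration list before commit. The sample transcript is constructed, and the LEGACY proposal name in it is hypothetical.

```python
import re
# Permitted values from Table 1 (evaluated configuration), keyed by phase and statement name.
ALLOWED = {
    ("ike", "authentication-method"): {"pre-shared-keys", "rsa-signatures-2048",
                                       "ecdsa-signatures-256", "ecdsa-signatures-384"},
    ("ike", "authentication-algorithm"): {"sha-256", "sha-384"},
    ("ike", "dh-group"): {"group14", "group19", "group20", "group24"},
    ("ike", "encryption-algorithm"): {"aes-128-cbc", "aes-128-gcm", "aes-192-cbc",
                                      "aes-256-cbc", "aes-256-gcm"},
    ("ipsec", "protocol"): {"esp"},
    ("ipsec", "authentication-algorithm"): {"hmac-sha1-96", "hmac-sha-256-128"},
    ("ipsec", "encryption-algorithm"): {"aes-128-cbc", "aes-128-gcm", "aes-192-cbc",
                                        "aes-192-gcm", "aes-256-cbc", "aes-256-gcm"},
    ("ipsec", "perfect-forward-secrecy"): {"group14", "group19", "group20", "group24"},
}
_BANNER = re.compile(r"^\[edit\s*(.*?)\s*\]$")

def statements(transcript):
    """Yield each 'set' line as a full path, resolving [edit ...] banners and CLI prompts."""
    prefix = []
    for raw in transcript.splitlines():
        line = raw.split("#", 1)[-1].strip()  # drop 'user@host#' / 'root@host#' prompts
        banner = _BANNER.match(line)
        if banner:
            prefix = banner.group(1).split()
        elif line.startswith("set "):
            yield prefix + line.split()[1:]

def audit(transcript):
    """Return (statement, reason) for each IKE/IPsec value that Table 1 does not permit."""
    findings = []
    for p in statements(transcript):
        if len(p) < 6 or p[0] != "security" or p[1] not in ("ike", "ipsec"):
            continue
        key, value = (p[4], p[5]) if p[2] == "proposal" else (None, None)
        if p[2] == "policy" and p[4:6] == ["perfect-forward-secrecy", "keys"] and len(p) > 6:
            key, value = "perfect-forward-secrecy", p[6]
        allowed = ALLOWED.get((p[1], key))
        if allowed is not None and value not in allowed:
            findings.append((" ".join(p), f"{value} is not permitted for {p[1]} {key}"))
    return findings

# Constructed sample: a line from step 3 beside a hypothetical LEGACY proposal absent from Table 1.
SAMPLE = """[edit security]
user@host#set ike proposal IKE_Proposal dh-group group14
root@host#set ike proposal LEGACY dh-group group2
root@host#set ike proposal LEGACY encryption-algorithm 3des-cbc
[edit security ipsec]
root@host#set policy IPsec_Policy perfect-forward-secrecy keys group14
"""
```

Running `audit(SAMPLE)` flags only the two LEGACY statements; the step 3 values and the group14 PFS setting pass.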
    