Rob Cameron, Brad Woodberg, Patricio Giecco, Timothy Eberhard, James Quinn - JUNOS Security [2010, PDF, ENG]

Post by Солнышко » 26 Feb 2017, 00:31

JUNOS Security

Year: 2010
Author: Rob Cameron, Brad Woodberg, Patricio Giecco, Timothy Eberhard, James Quinn
Genre: networking
Publisher: O'Reilly Media
ISBN: 978-1449381714
Language: English
Format: PDF
Quality: Born-digital (eBook)
Interactive table of contents: No
Number of pages: 848
Description: Junos® Security is the complete and authorized introduction to the new Juniper Networks SRX hardware series. This book not only provides a practical, hands-on field guide to deploying, configuring, and operating SRX, it also serves as a reference to help you prepare for any of the Junos Security Certification examinations offered by Juniper Networks.

Network administrators and security professionals will learn how to use SRX Junos services gateways to address an array of enterprise data network requirements -- including IP routing, intrusion detection, attack mitigation, unified threat management, and WAN acceleration. Junos Security is a clear and detailed roadmap to the SRX platform. The author's newer book, Juniper SRX Series, covers the SRX devices themselves.

Get up to speed on Juniper’s multi-function SRX platforms and SRX Junos software
Explore case studies and troubleshooting tips from engineers with extensive SRX experience
Become familiar with SRX security policy, Network Address Translation, and IPSec VPN configuration
Learn about routing fundamentals and high availability with SRX platforms
Discover what sets SRX apart from typical firewalls
Understand the operating system that spans the entire Juniper Networks networking hardware portfolio
Learn about the more commonly deployed branch series SRX as well as the large Data Center SRX firewalls
"I know these authors well. They are out there in the field applying the SRX's industry-leading network security to real world customers everyday. You could not learn from a more talented team of security engineers."
--Mark Bauhaus, EVP and General Manager, Juniper Networks
Table of Contents
Foreword
Preface
1. Introduction to the SRX
Evolving into the SRX
ScreenOS to Junos
The SRX Series Platform
Built for Services
Deployment Solutions
Small Branch
Medium Branch
Large Branch
Data Center
Data Center Edge
Data Center Services Tier
Service Provider
Mobile Carriers
Cloud Networks
The Junos Enterprise Services Reference Network
SRX Series Product Lines
Branch SRX Series
Branch-Specific Features
SRX100
SRX200
SRX600
AX411
CX111
Branch SRX Series Hardware Overview
Licensing
Branch Summary
Data Center SRX Series
Data Center SRX-Specific Features
SPC
NPU
Data Center SRX Series Session Setup
Data Center SRX Series Hardware Overview
SRX3000
SRX5000
Summary
Chapter Review Questions
Chapter Review Answers
2. What Makes Junos So Special?
OS Basics
FreeBSD
Process Separation
Development Model
Adding New Features
Data Plane
Junos Is Junos Except When It’s Junos
Coming from Other Products
ScreenOS
IOS and PIX OS
Check Point
Summary
Chapter Review Questions
Chapter Review Answers
3. Hands-On Junos
Introduction
Driving the Command Line
Operational Mode
Variable Length Output
Passing Through the Pipe
Seeking Immediate Help
Configuration Mode
Commit Model
Restarting Processes
Junos Automation
Junos Configuration Essentials
System Settings
Interfaces
Switching (Branch)
Zones
Summary
Chapter Review Questions
Chapter Review Answers
4. Security Policy
Security Policy Overview
SRX Policy Processing
Viewing SRX Policy Tables
Viewing Policy Statistics
Viewing Session Flows
Policy Structure
Security Zones
Service Configuration
Blocking Unwanted Traffic
Policy Logging
Troubleshooting Security Policy and Traffic Flows
Troubleshooting Sample
Troubleshooting Output
Turning Off Traceoptions
Application Layer Gateway Services
How to Configure an ALG
Policy Schedulers
One-Time Schedulers
Web and Proxy Authentication
Web Authentication
Pass-Through Authentication
Case Study 4-1
Case Study 4-2
Converters and Scripts
Summary
Chapter Review Questions
Chapter Review Answers
5. Network Address Translation
How the SRX Processes NAT
Source NAT
Interface NAT
Address Pools
Removing PAT
Proxy ARP
Persistent NAT
Case Study 5-1: ISP Redundancy via PAT
Conclusion
Destination NAT
Implementing Destination NAT
Viewing Destination NAT
Tracing Destination NAT Flows
Case Study 5-2: Virtual IP NAT
Static NAT
Case Study 5-3: Double NAT
Summary
Chapter Review Questions
Chapter Review Answers
6. IPsec VPN
VPN Architecture Overview
Site-to-Site IPsec VPNs
Hub and Spoke IPsec VPNs
Full Mesh VPNs
Multipoint VPNs
Remote Access VPNs
IPsec VPN Concepts Overview
IPsec Encryption Algorithms
IPsec Authentication Algorithms
IKE Version 1 Overview
IPSec VPN Protocol
IPsec VPN Mode
IPsec Manual Keys
Phase 1 IKE Negotiations
IKE Authentication
IKE Identities
Phase 1 IKE Negotiation Modes
Phase 2 IKE Negotiations
Perfect Forward Secrecy
Quick Mode
Proxy ID Negotiation
Flow Processing and IPsec VPNs
SRX VPN Types
Policy-Based VPNs
Route-Based VPNs
Other SRX VPN Components
Dead Peer Detection
VPN Monitoring
XAuth
NAT Traversal
Anti-Replay Protection
Fragmentation
Differentiated Services Code Point
IKE Key Lifetimes
Network Time Protocol
Certificate Validation
Simple Certificate Enrollment Protocol
Group VPN
Dynamic VPN
Selecting the Appropriate VPN Configuration
IPsec VPN Configuration
Configuring NTP
Certificate Preconfiguration Tasks
Phase 1 IKE Configuration
Phase 2 IKE Configuration
Configuring Manual Key IPsec VPNs
Dynamic VPN
VPN Verification and Troubleshooting
Useful VPN Commands
VPN Tracing and Debugging
Case Studies
Case Study 6-1: Site-to-Site VPN
Case Study 6-2: Remote Access VPN
Summary
Chapter Review Questions
Chapter Review Answers
7. High-Performance Attack Mitigation
Network Protection Tools Overview
Firewall Filters
Screens
Security Policy
IPS and AppDoS
Protecting Against Network Reconnaissance
Firewall Filtering
Screening
Port Scan Screening
Summary
Protecting Against Basic IP Attacks
Basic IP Protections
Basic ICMP Protections
Basic TCP Protections
Basic Denial-of-Service Screens
Advanced Denial-of-Service and Distributed Denial-of-Service Protection
ICMP Floods
UDP Floods
SYN/TCP Floods
SYN Cookies
SYN-ACK-ACK Proxies
Session Limitation
AppDoS
Application Protection
SIP
MGCP
SCCP
Protecting the SRX
Summary
Chapter Review Questions
Chapter Review Answers
8. Intrusion Prevention
The Need for IPS
How Does IPS Work?
IPS Packet Processing on the SRX
Attack Object Types
IPS Policy Components
Security Packages
Sensor Attributes
SSL Inspection
AppDDoS Protection
Custom Attack Groups and Objects
Configuring IPS Features on the SRX
Getting Started with IPS on the SRX
Deploying and Tuning IPS
First Steps to Deploying IPS
Building the Policy
Testing Your Policy
Actual Deployment
Day-to-Day IPS Management
Troubleshooting IPS
Checking IPS Status
Checking Security Package Version
IPS Attack Table
Application Statistics
IPS Counters
IP Action Table
AppDDoS Useful Commands
Troubleshooting the Commit/Compilation Process
Case Study 8-1
Summary
Chapter Review Questions
Chapter Review Answers
9. Unified Threat Management
What Is UTM?
Application Proxy
Web Filtering
Antivirus
Notifications
Viewing the UTM Logs
Controlling What to Do When Things Go Wrong
Content Filtering
Antispam
UTM Monitoring
Licensing
Tracing UTM Sessions
Case Study 9-1: Small Branch Office
Security Policies
UTM Policies and Profiles
Summary
Chapter Review Questions
Chapter Review Answers
10. High Availability
Understanding High Availability in the SRX
Chassis Cluster
The Control Plane
The Data Plane
Junos High Availability Concepts
Deployment Concepts
Configuration
Differences from Standalone
Activating JSRPD (Juniper Services Redundancy Protocol)
Managing Cluster Members
Configuring the Control Ports
Configuring the Fabric Links
Node-Specific Information
Configuring Heartbeat Timers
Redundancy Groups
Configuring Interfaces
Integrating Dynamic Routing
Upgrading the Cluster
Fault Monitoring
Interface Monitoring
IP Monitoring
Manual Failover
Hardware Monitoring
Software Monitoring
Preserving the Control Plane
Using Junos Automation
Troubleshooting the Cluster
First Steps
Checking Interfaces
Verifying the Data Plane
Core Dumps
The Dreaded Priority Zero
When All Else Fails
Summary
Chapter Review Questions
Chapter Review Answers
11. Routing
How the SRX “Routes” IP Packets
Forwarding Tables
IP Routing
Asymmetric Routing
Address Resolution Protocol (ARP)
Static Routing
Creating a Static Route
Verifying a Static Route
Dynamic Routing
Configuring OSPF Routing
Case Study 11-1: Securing OSPF Adjacencies
Case Study 11-2: Redundant Paths and Routing Metrics
Growing OSPF Networks
Routing Policy
Case Study 11-3: Equal Cost Multipath (ECMP)
Internet Peering
Configuring BGP Peerings
BGP Routing Tables
Case Study 11-4: Internet Redundancy
Routing Instances
Configuring Routing Instances
Filter-Based Forwarding
Configuring Filter-Based Forwarding
Case Study 11-5: Dynamic Traffic Engineering
Summary
Chapter Review Questions
Chapter Review Answers
12. Transparent Mode
Transparent Mode Overview
Why Use Transparent Mode?
MAC Address Learning
Transparent Mode and Bridge Loops, Spanning Tree Protocol
Transparent Mode Limitations
Transparent Mode Components
Interface Modes in Transparent Mode
Bridge Domains
IRB Interfaces
Transparent Mode Zones
Transparent Mode Security Policy
Transparent Mode Specific Options
QoS in Transparent Mode
VLAN Rewriting
High Availability with Transparent Mode
Transparent Mode Flow Process
Configuring Transparent Mode
Configuring Transparent Mode Basics
Configuring Integrated Routing and Bridging
Configuring Transparent Mode Security Zones
Configuring Transparent Mode Security Policies
Configuring Bridging Options
Configuring Transparent Mode QoS
Configuring VLAN Rewriting
Transparent Mode Commands and Troubleshooting
The show bridge domain Command
The show bridge mac-table Command
The show l2-learning global-information Command
The show l2-learning global-mac-count Command
The show l2-learning interface Command
Transparent Mode Troubleshooting Steps
Case Study 12-1
Summary
Chapter Review Questions
Chapter Review Answers
13. SRX Management
The Management Infrastructure
Operational Mode
Configuration Mode
J-Web
NSM and Junos Space
NETCONF
Scripting and Automation
Commit Scripts
Creating a Configuration Template
Operational Scripts
Event Scripts
Keeping Your Scripts Up-to-Date
Case Studies
Case Study 13-1: Displaying the Interface and Zone Information
Case Study 13-2: Zone Groups
Case Study 13-3: Showing the Security Policies in a Compact Format
Case Study 13-4: Track-IP Functionality to Trigger a Cluster Failover
Case Study 13-5: Track-IP Using RPM Probes
Case Study 13-6: Top Talkers
Case Study 13-7: Destination NAT on Interfaces with Dynamic IP Addresses
Case Study 13-8: High-End SRX Monitor
Summary
Chapter Review Questions
Chapter Review Answers
Index

Statistics

Author: Солнышко
Added: 26 Feb 2017, 00:31
Size: 14.02 MB
Size: 14,704,986 bytes