ScreenOS Cookbook
Description
In the only book that completely covers ScreenOS, six key members of Juniper Networks' ScreenOS development team help you build and troubleshoot secure networks using ScreenOS firewall appliances. More than 200 recipes address a wide range of security issues, provide step-by-step solutions, and include discussions of why each recipe works, so you can set up ScreenOS systems and keep them on track. The easy-to-follow format lets you find the topic and the specific recipe you need right away.
Table of Contents
  1. Chapter 1 ScreenOS CLI, Architecture, and Troubleshooting

    1. Introduction

    2. ScreenOS Architecture

    3. Troubleshoot ScreenOS

  2. Chapter 2 Firewall Configuration and Management

    1. Introduction

    2. Use TFTP to Transfer Information to and from the Firewall

    3. Use SCP to Securely Transfer Information to and from the Firewall

    4. Use the Dedicated MGT Interface to Manage the Firewall

    5. Control Access to the Firewall

    6. Manage Multiple ScreenOS Images for Remotely Managed Firewalls

    7. Manage the USB Port on SSG

  3. Chapter 3 Wireless

    1. Introduction

    2. Use MAC Filtering

    3. Configure the WEP Shared Key

    4. Configure the WPA Preshared Key

    5. Configure WPA Using 802.1x with IAS and Microsoft Active Directory

    6. Configure WPA with the Steel-Belted Radius Server and Odyssey Access Client

    7. Separate Wireless Access for Corporate and Guest Users

    8. Configure Bridge Groups for Wired and Wireless Networks

  4. Chapter 4 Route Mode and Static Routing

    1. Introduction

    2. View the Routing Table on the Firewall

    3. View Routes for a Particular Prefix

    4. View Routes in the Source-Based Routing Table

    5. View Routes in the Source Interface-Based Routing Table

    6. Create Blackhole Routes

    7. Create ECMP Routing

    8. Create Static Routes for Gateway Tracking

    9. Export Filtered Routes to Other Virtual Routers

    10. Change the Route Lookup Preference

    11. Create Permanent Static Routes

  5. Chapter 5 Transparent Mode

    1. Introduction

    2. Enable Transparent Mode with Two Interfaces

    3. Enable Transparent Mode with Multiple Interfaces

    4. Configure a VLAN Trunk

    5. Configure Retagging

    6. Configure Bridge Groups

    7. Manipulate the Layer 2 Forwarding Table

    8. Configure the Management Interface in Transparent Mode

    9. Configure the Spanning Tree Protocol (STP)

    10. Enable Compatibility with HSRP and VRRP Routers

    11. Configure VPNs in Transparent Mode

    12. Configure VSYS with Transparent Mode

  6. Chapter 6 Leveraging IP Services in ScreenOS

    1. Introduction

    2. Set the Time on the Firewall

    3. Set the Clock with NTP

    4. Check NTP Status

    5. Configure the Device's Name Service

    6. View DNS Entries on a Device

    7. Use Static DNS to Provide a Common Policy for Multiple Devices

    8. Configure the DNS Proxy for Split DNS

    9. Use DDNS on the Firewall for VPN Creation

    10. Configure the Firewall As a DHCP Client for Dynamic IP Environments

    11. Configure the Firewall to Act As a DHCP Server

    12. Automatically Learn DHCP Option Information

    13. Configure DHCP Relay

    14. DHCP Server Maintenance

  7. Chapter 7 Policies

    1. Introduction

    2. Configure an Inter-Zone Firewall Policy

    3. Log Hits on ScreenOS Policies

    4. Generate Log Entries at Session Initiation

    5. Configure a Syslog Server

    6. Configure an Explicit Deny Policy

    7. Configure a Reject Policy

    8. Schedule Policies to Run at a Specified Time

    9. Change the Order of ScreenOS Policies

    10. Disable a ScreenOS Policy

    11. Configure an Intra-Zone Firewall Policy

    12. Configure a Global Firewall Policy

    13. Configure Custom Services

    14. Configure Address and Service Groups

    15. Configure Service Timeouts

    16. View and Use Microsoft RPC Services

    17. View and Use Sun-RPC Services

    18. View the Session Table

    19. Troubleshoot Traffic Flows

    20. Configure a Packet Capture in ScreenOS

    21. Determine Platform Limits on Address/Service Book Entries and Policies

  8. Chapter 8 Network Address Translation

    1. Introduction

    2. Configure Hide NAT

    3. Configure Hide NAT with VoIP

    4. Configure Static Source NAT

    5. Configure Source NAT Pools

    6. Link Multiple DIPs to the Same Policy

    7. Configure Destination NAT

    8. Configure Destination PAT

    9. Configure Bidirectional NAT for DMZ Servers

    10. Configure Static Bidirectional NAT with Multiple VRs

    11. Configure Source Shift Translation

    12. Configure Destination Shift Translation

    13. Configure Bidirectional Network Shift Translation

    14. Configure Conditional NAT

    15. Configure NAT with Multiple Interfaces

    16. Design PAT for a Home or Branch Office

    17. A NAT Strategy for a Medium Office with DMZ

    18. Deploy a Large-Office Firewall with DMZ

    19. Create an Extranet with Mutual PAT

    20. Configure NAT with Policy-Based VPN

    21. Configure NAT with Route-Based VPN

    22. Troubleshoot NAT Mode

    23. Troubleshoot DIPs (Policy NAT-SRC)

    24. Troubleshoot Policy NAT-DST

    25. Troubleshoot VIPs

    26. Troubleshoot MIPs

  9. Chapter 9 Mitigating Attacks with Screens and Flow Settings

    1. Introduction

    2. Configure SYN Flood Protection

    3. Control UDP Floods

    4. Detect Scan Activity

    5. Avoid Session Table Depletion

    6. Baseline Traffic to Prepare for Screen Settings

    7. Use Flow Configuration for State Enforcement

    8. Detect and Drop Illegal Packets with Screens

    9. Prevent IP Spoofing

    10. Prevent DoS Attacks with Screens

    11. Use Screens to Control HTTP Content

  10. Chapter 10 IPSec VPN

    1. Introduction

    2. Create a Simple User-to-Site VPN

    3. Policy-Based IPSec Tunneling with Static Peers

    4. Route-Based IPSec Tunneling with Static Peers and Static Routes

    5. Route-Based VPN with Dynamic Peer and Static Routing

    6. Redundant VPN Gateways with Static Routes

    7. Dynamic Route-Based VPN with RIPv2

    8. Interoperability

  11. Chapter 11 Application Layer Gateways

    1. Introduction

    2. View the List of Available ALGs

    3. Globally Enable or Disable an ALG

    4. Disable an ALG in a Specific Policy

    5. View the Control and Data Sessions for an FTP Transfer

    6. Configure ALG Support When Running FTP on a Custom Port

    7. Configure and View ALG Inspection of a SIP-Based IP Telephony Call Session

    8. View SIP Call and Session Counters

    9. View and Modify SIP ALG Settings

    10. View the Dynamic Port(s) Associated with a Microsoft RPC Session

    11. View the Dynamic Port(s) Associated with a Sun-RPC Session

  12. Chapter 12 Content Security

    1. Introduction

    2. Configure Internal Antivirus

    3. Configure External Antivirus with ICAP

    4. Configure External Antivirus via Redirection

    5. Configure Antispam

    6. Configure Antispam with Third Parties

    7. Configure Custom Blacklists and Whitelists for Antispam

    8. Configure Internal URL Filtering

    9. Configure External URL Filtering

    10. Configure Custom Blacklists and Whitelists with URL Filtering

    11. Configure Deep Inspection

    12. Download Deep Inspection Signatures Manually

    13. Develop Custom Signatures with Deep Inspection

    14. Configure Integrated IDP

  13. Chapter 13 User Authentication

    1. Introduction

    2. Create Local Administrative Users

    3. Create VSYS-Level Administrator Accounts

    4. Create User Groups for Authentication Policies

    5. Use Authentication Policies

    6. Use WebAuth with the Local Database

    7. Create VPN Users with the Local Database

    8. Use RADIUS for Admin Authentication

    9. Use LDAP for Policy-Based Authentication

    10. Use SecurID for Policy-Based Authentication

  14. Chapter 14 Traffic Shaping

    1. Introduction

    2. Configure Policy-Level Traffic Shaping

    3. Configure Low-Latency Queuing

    4. Configure Interface-Level Traffic Policing

    5. Configure Traffic Classification (Marking)

    6. Troubleshoot QoS

  15. Chapter 15 RIP

    1. Introduction

    2. Configure a RIP Instance on an Interface

    3. Advertise the Default Route via RIP

    4. Configure RIP Authentication

    5. Suppress RIP Route Advertisements with Passive Interfaces

    6. Adjust RIP Timers to Influence Route Convergence Duration

    7. Adjust RIP Interface Metrics to Influence Path Selection

    8. Redistribute Static Routes into RIP

    9. Redistribute Routes from OSPF into RIP

    10. Filter Inbound RIP Routes

    11. Configure Summary Routes in RIP

    12. Administer RIP Version 1

    13. Troubleshoot RIP

  16. Chapter 16 OSPF

    1. Introduction

    2. Configure OSPF on a ScreenOS Device

    3. View Routes Learned by OSPF

    4. View the OSPF Link-State Database

    5. Configure a Multiarea OSPF Network

    6. Set Up Stub Areas

    7. Create a Not-So-Stubby Area (NSSA)

    8. Control Route Propagation in OSPF

    9. Redistribute Routes into OSPF

    10. Make OSPF RFC 1583-Compatible

    11. Adjust OSPF Link Costs

    12. Configure OSPF on Point-to-Multipoint Links

    13. Configure Demand Circuits

    14. Configure Virtual Links

    15. Change OSPF Timers

    16. Secure OSPF

    17. Troubleshoot OSPF

  17. Chapter 17 BGP

    1. Introduction

    2. Configure BGP with an External Peer

    3. Configure BGP with an Internal Peer

    4. Configure BGP Peer Groups

    5. Configure BGP Neighbor Authentication

    6. Adjust BGP Keepalive and Hold Timers

    7. Statically Define Prefixes to Be Advertised to EBGP Peers

    8. Use Route Maps to Filter Prefixes Announced to BGP Peers

    9. Aggregate Route Announcements to BGP Peers

    10. Filter Route Announcements from BGP Peers

    11. Update the BGP Routing Table Without Resetting Neighbor Connections

    12. Use BGP Local_Pref for Route Selection

    13. Configure Route Dampening

    14. Configure BGP Communities

    15. Configure BGP Route Reflectors

    16. Troubleshoot BGP

  18. Chapter 18 High Availability with NSRP

    1. Introduction

    2. Configure an Active-Passive NSRP Cluster in Route Mode

    3. View and Troubleshoot NSRP State

    4. Influence the NSRP Master

    5. Configure NSRP Monitors

    6. Configure NSRP in Transparent Mode

    7. Configure an Active-Active NSRP Cluster

    8. Configure NSRP with OSPF

    9. Provide Subsecond Failover with NSRP and BGP

    10. Synchronize Dynamic Routes in NSRP

    11. Create a Stateful Failover for an IPSec Tunnel

    12. Configure NAT in an Active-Active Cluster

    13. Configure NAT in a VSD-Less Cluster

    14. Configure NSRP Between Data Centers

    15. Maintain NSRP Clusters

  19. Chapter 19 Policy-Based Routing

    1. Introduction

    2. Traffic Load Balancing

    3. Verify That PBR Is Working for Traffic Load Balancing

    4. Prioritize Traffic Between IPSec Tunnels

    5. Redirect Traffic to Mitigate Threats

    6. Classify Traffic Using the ToS Bits

    7. Block Unwanted Traffic with a Blackhole

    8. View Your PBR Configuration

  20. Chapter 20 Multicast

    1. Introduction

    2. Allow Multicast Traffic Through a Transparent Mode Device

    3. Use Multicast Group Policies to Enforce Stateful Multicast Forwarding

    4. View mroute State

    5. Use Static mroutes to Allow Multicast Through a Firewall Without Using PIM

    6. Connect Directly to Multicast Receivers

    7. Use IGMP Proxy Mode to Dynamically Join Groups

    8. Configure PIM on a Firewall

    9. Use BSR for RP Mapping

    10. Firewalling Between PIM Domains

    11. Connect Two PIM Domains with Proxy RP

    12. Manage RPF Information with Redundant Routers

    13. PIM and High Availability

    14. Provide Active-Active Multicast

    15. Scale Multicast Replication

  21. Chapter 21 Virtual Systems

    1. Introduction

    2. Create a Route Mode VSYS

    3. Create Multiple VSYS Configurations

    4. VSYS and High Availability

    5. Create a Transparent Mode VSYS

    6. Terminate IPSec Tunnels in the VSYS

    7. Configure VSYS Profiles

  1. Colophon
Product Details
Title: ScreenOS Cookbook
By: Stefan Brunner, Vik Davar, David Delcourt, Ken Draper, Joe Kelly, Sunil Wadhwa
Publisher: O'Reilly Media
Formats: Print, Ebook, Safari Books Online
Print Release: February 2008
Ebook Release: December 2008
Pages: 848
Print ISBN: 978-0-596-51003-9 | ISBN 10: 0-596-51003-9
Ebook ISBN: 978-0-596-15925-2 | ISBN 10: 0-596-15925-0
About the Authors
  1. Stefan Brunner

    Stefan Brunner has been a technology consultant for more than 15 years, helping enterprises to leverage technology for their business model and deploy technology solutions. Stefan is the lead architect in Juniper Networks' Service Layer Technology Professional Services group. Prior to Juniper, Stefan worked with NetScreen Technologies as a network security consultant. Stefan holds an MBA in innovations research and technology management from Ludwig-Maximilians-University of Munich, and a certificate degree in telecommunications engineering from the University of California at Berkeley. He lives with his wife and daughter in the Hill Country of Austin, Texas.

  2. Vik Davar

    Vik Davar has been working in the IT field for more than 15 years, holding positions in financial services firms and technology companies including Juniper Networks and Goldman Sachs. Vik is the president of 9 Networks, an IT services company. He has a master's degree in electrical engineering from Columbia University and a bachelor's degree in electrical engineering from The Cooper Union in New York City. He is also a CISSP and CCIE# 8377. He lives in New Jersey with his wife and two children.

  3. David Delcourt

    David Delcourt has worked in the data communications industry for the past 13 years for enterprise equipment vendors including Cabletron Systems and NetScreen Technologies. He has held a variety of positions, including advanced TAC engineer, technical trainer, and product manager at Cabletron Systems, and senior security consultant at NetScreen Technologies. He is currently the security practice manager in Professional Services for Juniper Networks, supporting the Americas. He lives in New Hampshire with his wife and daughter, and their two dogs and two cats.

  4. Ken Draper

    Ken Draper has spent the past 20 years in the networking industry, and has focused on security solutions for the past 11 years. He is CISSP certification #22627 and holds numerous other certifications. Ken has worked at such networking equipment manufacturers as Infotron, Gandalf, Synoptics, Bay Networks, Nortel, NetScreen, and now Juniper Networks. He has more than six years of experience with ScreenOS and large-scale security solutions, he has held a variety of technical engineering positions including systems engineer and solutions architect, and he is currently a Juniper Networks consulting engineer specializing in the large-scale virtual private network (VPN), firewall, intrusion prevention, and centralized management markets. Ken lives outside Dallas with his wife and two dogs.

  5. Joe Kelly

    Joe Kelly has been involved in data networking for more than 12 years, focusing on the realms of network security and routing. He started his career in the service provider space at IDT Corporation, where he held roles in network operations and engineering. After IDT, he spent time with various network service providers in engineering and architectural capacities. In 2001, Joe joined NetScreen Technologies as a senior systems engineer in the Financial and Service Provider verticals, where he specialized in high-availability, high-performance networks. Joe joined Juniper Networks in 2004 with the acquisition of NetScreen, and he is currently the technical lead on the Global Banking and Finance team. He lives in New Jersey with his beautiful wife, Jacqueline, and his three children, Hannah, Ben, and Tristan.

  6. Sunil Wadhwa

    Sunil Wadhwa has been in the data networking industry for more than 13 years, focusing on systems, network routing, and security in enterprise and service provider organizations. He started his career in India at GTL Limited and SAP India, and then held a variety of roles in technical support, network operations, and engineering. He moved to the United States and worked with E4E as a network consultant for routing and security, and then joined Juniper Networks as an advanced technical support engineer for firewall/VPN products. He currently leads the Advance Technical Support team for Juniper Networks, supporting enhanced services products. He lives in California with his beautiful wife, Lavanya, and little angel daughter, Sneha.

Colophon

The animal on the cover of ScreenOS Cookbook is a bulldog (Canis familiaris). Compact in size with short, stocky limbs that account for its peculiar walk, the modern bulldog usually has a friendly temperament, due largely to the recent work of breeders, that belies its aggressive reputation.

The dog is sometimes known as the English bulldog, perhaps for its ancestry: it was bred in England from a cross between a mastiff and a pug. But the name has other origins. In the 1600s, the dog--then bred for the qualities of "ferocity and courage"--was frequently used for bullbaiting, a violent spectator sport in which a bull tied by the horns with a long rope in the center of an arena defended itself from the attack of a bulldog by attempting to gore the dog's abdomen. So ferocious was the bulldog that even after sustaining such an injury the dog would often continue fighting.

Before its name became common, the bulldog was known as Bondogge, Bolddogge, and then Banddogge, a name popularized by Shakespeare in Henry VI: "The time when screech owls cry and Banddogges howl and spirits walk and ghosts break up their graves." Yet bullbaiting began well before Shakespeare, around the 13th century in England, when the Lord of Stamford came across two bulls fighting over a cow in a meadow. Upon seeing the fight, a local butcher's dogs chased the bulls through the village and reportedly slaughtered the bulls after a brutal battle.

The Lord of Stamford enjoyed the fight so much that he offered the meadow where the fight began to the area's Butcher's Union so that the union would put on a bullbaiting fight there each year six weeks before Christmas. It was not until 1835 that the House of Commons banned the sport, citing animal cruelty. Today, while the bulldog is beloved and typically well provided for, many rescue shelters exist to save strays and bulldogs that can no longer be cared for by their owners.

The cover image is from Dover Animals. The cover font is Adobe ITC Garamond. The text font is Linotype Birka; the heading font is Adobe Myriad Condensed; and the code font is LucasFont's TheSans Mono Condensed.