ScreenOS Cookbook

Book description

Written by key members of Juniper Networks' ScreenOS development team, this one-of-a-kind Cookbook helps you troubleshoot secure networks that run ScreenOS firewall appliances. Scores of recipes address a wide range of security issues, provide step-by-step solutions, and include discussions of why the recipes work, so you can easily set up and keep ScreenOS systems on track.

ScreenOS Cookbook gives you real-world fixes, techniques, and configurations that save time -- not hypothetical situations out of a textbook. The book comes directly from the experience of engineers who have seen and fixed every conceivable ScreenOS network topology, from small branch office firewalls to appliances for large core enterprise and government networks, to the heavy-duty, protocol-driven service provider network. Its easy-to-follow format enables you to find the topic and specific recipe you need right away and match it to your network and security issue.

Topics include:

  • Configuring and managing ScreenOS firewalls
  • NTP (Network Time Protocol)
  • Interfaces, Zones, and Virtual Routers
  • Mitigating Denial of Service Attacks
  • DDNS, DNS, and DHCP
  • IP Routing
  • Policy-Based Routing
  • Elements of Policies
  • Authentication
  • Application Layer Gateway (SIP, H.323, RPC, RTSP, etc.)
  • Content Security
  • Managing Firewall Policies
  • IPSec VPN
  • RIP, OSPF, BGP, and NSRP
  • Multicast -- IGMP, PIM, Static Mroutes
  • Wireless

Along with the usage and troubleshooting recipes, you will also find plenty of tricks, special considerations, ramifications, and general discussions of interesting tangents and network extrapolation. For the accurate, hard-nosed information you require to get your ScreenOS firewall network secure and operating smoothly, no book matches ScreenOS Cookbook.

Table of contents

  1. Credits
  2. Glossary
  3. Preface
    1. Audience
    2. Assumptions This Book Makes
    3. Conventions Used in This Book
    4. Using Code Examples
    5. Safari® Books Online
    6. Comments and Questions
    7. Acknowledgments
  4. 1. ScreenOS CLI, Architecture, and Troubleshooting
    1. 1.0. Introduction
    2. 1.1. ScreenOS Architecture
    3. 1.2. Troubleshoot ScreenOS
  5. 2. Firewall Configuration and Management
    1. 2.0. Introduction
    2. 2.1. Use TFTP to Transfer Information to and from the Firewall
    3. 2.2. Use SCP to Securely Transfer Information to and from the Firewall
    4. 2.3. Use the Dedicated MGT Interface to Manage the Firewall
    5. 2.4. Control Access to the Firewall
    6. 2.5. Manage Multiple ScreenOS Images for Remotely Managed Firewalls
    7. 2.6. Manage the USB Port on SSG
  6. 3. Wireless
    1. 3.0. Introduction
    2. 3.1. Use MAC Filtering
    3. 3.2. Configure the WEP Shared Key
    4. 3.3. Configure the WPA Preshared Key
    5. 3.4. Configure WPA Using 802.1x with IAS and Microsoft Active Directory
    6. 3.5. Configure WPA with the Steel-Belted Radius Server and Odyssey Access Client
    7. 3.6. Separate Wireless Access for Corporate and Guest Users
    8. 3.7. Configure Bridge Groups for Wired and Wireless Networks
  7. 4. Route Mode and Static Routing
    1. 4.0. Introduction
    2. 4.1. View the Routing Table on the Firewall
    3. 4.2. View Routes for a Particular Prefix
    4. 4.3. View Routes in the Source-Based Routing Table
    5. 4.4. View Routes in the Source Interface-Based Routing Table
    6. 4.5. Create Blackhole Routes
    7. 4.6. Create ECMP Routing
    8. 4.7. Create Static Routes for Gateway Tracking
    9. 4.8. Export Filtered Routes to Other Virtual Routers
    10. 4.9. Change the Route Lookup Preference
    11. 4.10. Create Permanent Static Routes
  8. 5. Transparent Mode
    1. 5.0. Introduction
    2. 5.1. Enable Transparent Mode with Two Interfaces
    3. 5.2. Enable Transparent Mode with Multiple Interfaces
    4. 5.3. Configure a VLAN Trunk
    5. 5.4. Configure Retagging
    6. 5.5. Configure Bridge Groups
    7. 5.6. Manipulate the Layer 2 Forwarding Table
    8. 5.7. Configure the Management Interface in Transparent Mode
    9. 5.8. Configure the Spanning Tree Protocol (STP)
    10. 5.9. Enable Compatibility with HSRP and VRRP Routers
    11. 5.10. Configure VPNs in Transparent Mode
    12. 5.11. Configure VSYS with Transparent Mode
  9. 6. Leveraging IP Services in ScreenOS
    1. 6.0. Introduction
    2. 6.1. Set the Time on the Firewall
    3. 6.2. Set the Clock with NTP
    4. 6.3. Check NTP Status
    5. 6.4. Configure the Device’s Name Service
    6. 6.5. View DNS Entries on a Device
    7. 6.6. Use Static DNS to Provide a Common Policy for Multiple Devices
    8. 6.7. Configure the DNS Proxy for Split DNS
    9. 6.8. Use DDNS on the Firewall for VPN Creation
    10. 6.9. Configure the Firewall As a DHCP Client for Dynamic IP Environments
    11. 6.10. Configure the Firewall to Act As a DHCP Server
    12. 6.11. Automatically Learn DHCP Option Information
    13. 6.12. Configure DHCP Relay
    14. 6.13. DHCP Server Maintenance
  10. 7. Policies
    1. 7.0. Introduction
    2. 7.1. Configure an Inter-Zone Firewall Policy
    3. 7.2. Log Hits on ScreenOS Policies
    4. 7.3. Generate Log Entries at Session Initiation
    5. 7.4. Configure a Syslog Server
    6. 7.5. Configure an Explicit Deny Policy
    7. 7.6. Configure a Reject Policy
    8. 7.7. Schedule Policies to Run at a Specified Time
    9. 7.8. Change the Order of ScreenOS Policies
    10. 7.9. Disable a ScreenOS Policy
    11. 7.10. Configure an Intra-Zone Firewall Policy
    12. 7.11. Configure a Global Firewall Policy
    13. 7.12. Configure Custom Services
    14. 7.13. Configure Address and Service Groups
    15. 7.14. Configure Service Timeouts
    16. 7.15. View and Use Microsoft RPC Services
    17. 7.16. View and Use Sun-RPC Services
    18. 7.17. View the Session Table
    19. 7.18. Troubleshoot Traffic Flows
    20. 7.19. Configure a Packet Capture in ScreenOS
    21. 7.20. Determine Platform Limits on Address/Service Book Entries and Policies
  11. 8. Network Address Translation
    1. 8.0. Introduction
    2. 8.1. Configure Hide NAT
    3. 8.2. Configure Hide NAT with VoIP
    4. 8.3. Configure Static Source NAT
    5. 8.4. Configure Source NAT Pools
    6. 8.5. Link Multiple DIPs to the Same Policy
    7. 8.6. Configure Destination NAT
    8. 8.7. Configure Destination PAT
    9. 8.8. Configure Bidirectional NAT for DMZ Servers
    10. 8.9. Configure Static Bidirectional NAT with Multiple VRs
    11. 8.10. Configure Source Shift Translation
    12. 8.11. Configure Destination Shift Translation
    13. 8.12. Configure Bidirectional Network Shift Translation
    14. 8.13. Configure Conditional NAT
    15. 8.14. Configure NAT with Multiple Interfaces
    16. 8.15. Design PAT for a Home or Branch Office
    17. 8.16. A NAT Strategy for a Medium Office with DMZ
    18. 8.17. Deploy a Large-Office Firewall with DMZ
    19. 8.18. Create an Extranet with Mutual PAT
    20. 8.19. Configure NAT with Policy-Based VPN
    21. 8.20. Configure NAT with Route-Based VPN
    22. 8.21. Troubleshoot NAT Mode
    23. 8.22. Troubleshoot DIPs (Policy NAT-SRC)
    24. 8.23. Troubleshoot Policy NAT-DST
    25. 8.24. Troubleshoot VIPs
    26. 8.25. Troubleshoot MIPs
  12. 9. Mitigating Attacks with Screens and Flow Settings
    1. 9.0. Introduction
    2. 9.1. Configure SYN Flood Protection
    3. 9.2. Control UDP Floods
    4. 9.3. Detect Scan Activity
    5. 9.4. Avoid Session Table Depletion
    6. 9.5. Baseline Traffic to Prepare for Screen Settings
    7. 9.6. Use Flow Configuration for State Enforcement
    8. 9.7. Detect and Drop Illegal Packets with Screens
    9. 9.8. Prevent IP Spoofing
    10. 9.9. Prevent DoS Attacks with Screens
    11. 9.10. Use Screens to Control HTTP Content
  13. 10. IPSec VPN
    1. 10.0. Introduction
    2. 10.1. Create a Simple User-to-Site VPN
    3. 10.2. Policy-Based IPSec Tunneling with Static Peers
    4. 10.3. Route-Based IPSec Tunneling with Static Peers and Static Routes
    5. 10.4. Route-Based VPN with Dynamic Peer and Static Routing
    6. 10.5. Redundant VPN Gateways with Static Routes
    7. 10.6. Dynamic Route-Based VPN with RIPv2
    8. 10.7. Interoperability
  14. 11. Application Layer Gateways
    1. 11.0. Introduction
    2. 11.1. View the List of Available ALGs
    3. 11.2. Globally Enable or Disable an ALG
    4. 11.3. Disable an ALG in a Specific Policy
    5. 11.4. View the Control and Data Sessions for an FTP Transfer
    6. 11.5. Configure ALG Support When Running FTP on a Custom Port
    7. 11.6. Configure and View ALG Inspection of a SIP-Based IP Telephony Call Session
    8. 11.7. View SIP Call and Session Counters
    9. 11.8. View and Modify SIP ALG Settings
    10. 11.9. View the Dynamic Port(s) Associated with a Microsoft RPC Session
    11. 11.10. View the Dynamic Port(s) Associated with a Sun-RPC Session
  15. 12. Content Security
    1. 12.0. Introduction
    2. 12.1. Configure Internal Antivirus
    3. 12.2. Configure External Antivirus with ICAP
    4. 12.3. Configure External Antivirus via Redirection
    5. 12.4. Configure Antispam
    6. 12.5. Configure Antispam with Third Parties
    7. 12.6. Configure Custom Blacklists and Whitelists for Antispam
    8. 12.7. Configure Internal URL Filtering
    9. 12.8. Configure External URL Filtering
    10. 12.9. Configure Custom Blacklists and Whitelists with URL Filtering
    11. 12.10. Configure Deep Inspection
    12. 12.11. Download Deep Inspection Signatures Manually
    13. 12.12. Develop Custom Signatures with Deep Inspection
    14. 12.13. Configure Integrated IDP
  16. 13. User Authentication
    1. 13.0. Introduction
    2. 13.1. Create Local Administrative Users
    3. 13.2. Create VSYS-Level Administrator Accounts
    4. 13.3. Create User Groups for Authentication Policies
    5. 13.4. Use Authentication Policies
    6. 13.5. Use WebAuth with the Local Database
    7. 13.6. Create VPN Users with the Local Database
    8. 13.7. Use RADIUS for Admin Authentication
    9. 13.8. Use LDAP for Policy-Based Authentication
    10. 13.9. Use SecurID for Policy-Based Authentication
  17. 14. Traffic Shaping
    1. 14.0. Introduction
    2. 14.1. Configure Policy-Level Traffic Shaping
    3. 14.2. Configure Low-Latency Queuing
    4. 14.3. Configure Interface-Level Traffic Policing
    5. 14.4. Configure Traffic Classification (Marking)
    6. 14.5. Troubleshoot QoS
  18. 15. RIP
    1. 15.0. Introduction
    2. 15.1. Configure a RIP Instance on an Interface
    3. 15.2. Advertise the Default Route via RIP
    4. 15.3. Configure RIP Authentication
    5. 15.4. Suppress RIP Route Advertisements with Passive Interfaces
    6. 15.5. Adjust RIP Timers to Influence Route Convergence Duration
    7. 15.6. Adjust RIP Interface Metrics to Influence Path Selection
    8. 15.7. Redistribute Static Routes into RIP
    9. 15.8. Redistribute Routes from OSPF into RIP
    10. 15.9. Filter Inbound RIP Routes
    11. 15.10. Configure Summary Routes in RIP
    12. 15.11. Administer RIP Version 1
    13. 15.12. Troubleshoot RIP
  19. 16. OSPF
    1. 16.0. Introduction
    2. 16.1. Configure OSPF on a ScreenOS Device
    3. 16.2. View Routes Learned by OSPF
    4. 16.3. View the OSPF Link-State Database
    5. 16.4. Configure a Multiarea OSPF Network
    6. 16.5. Set Up Stub Areas
    7. 16.6. Create a Not-So-Stubby Area (NSSA)
    8. 16.7. Control Route Propagation in OSPF
    9. 16.8. Redistribute Routes into OSPF
    10. 16.9. Make OSPF RFC 1583-Compatible
    11. 16.10. Adjust OSPF Link Costs
    12. 16.11. Configure OSPF on Point-to-Multipoint Links
    13. 16.12. Configure Demand Circuits
    14. 16.13. Configure Virtual Links
    15. 16.14. Change OSPF Timers
    16. 16.15. Secure OSPF
    17. 16.16. Troubleshoot OSPF
  20. 17. BGP
    1. 17.0. Introduction
    2. 17.1. Configure BGP with an External Peer
    3. 17.2. Configure BGP with an Internal Peer
    4. 17.3. Configure BGP Peer Groups
    5. 17.4. Configure BGP Neighbor Authentication
    6. 17.5. Adjust BGP Keepalive and Hold Timers
    7. 17.6. Statically Define Prefixes to Be Advertised to EBGP Peers
    8. 17.7. Use Route Maps to Filter Prefixes Announced to BGP Peers
    9. 17.8. Aggregate Route Announcements to BGP Peers
    10. 17.9. Filter Route Announcements from BGP Peers
    11. 17.10. Update the BGP Routing Table Without Resetting Neighbor Connections
    12. 17.11. Use BGP Local_Pref for Route Selection
    13. 17.12. Configure Route Dampening
    14. 17.13. Configure BGP Communities
    15. 17.14. Configure BGP Route Reflectors
    16. 17.15. Troubleshoot BGP
  21. 18. High Availability with NSRP
    1. 18.0. Introduction
    2. 18.1. Configure an Active-Passive NSRP Cluster in Route Mode
    3. 18.2. View and Troubleshoot NSRP State
    4. 18.3. Influence the NSRP Master
    5. 18.4. Configure NSRP Monitors
    6. 18.5. Configure NSRP in Transparent Mode
    7. 18.6. Configure an Active-Active NSRP Cluster
    8. 18.7. Configure NSRP with OSPF
    9. 18.8. Provide Subsecond Failover with NSRP and BGP
    10. 18.9. Synchronize Dynamic Routes in NSRP
    11. 18.10. Create a Stateful Failover for an IPSec Tunnel
    12. 18.11. Configure NAT in an Active-Active Cluster
    13. 18.12. Configure NAT in a VSD-Less Cluster
    14. 18.13. Configure NSRP Between Data Centers
    15. 18.14. Maintain NSRP Clusters
  22. 19. Policy-Based Routing
    1. 19.0. Introduction
    2. 19.1. Traffic Load Balancing
    3. 19.2. Verify That PBR Is Working for Traffic Load Balancing
    4. 19.3. Prioritize Traffic Between IPSec Tunnels
    5. 19.4. Redirect Traffic to Mitigate Threats
    6. 19.5. Classify Traffic Using the ToS Bits
    7. 19.6. Block Unwanted Traffic with a Blackhole
    8. 19.7. View Your PBR Configuration
  23. 20. Multicast
    1. 20.0. Introduction
    2. 20.1. Allow Multicast Traffic Through a Transparent Mode Device
    3. 20.2. Use Multicast Group Policies to Enforce Stateful Multicast Forwarding
    4. 20.3. View mroute State
    5. 20.4. Use Static mroutes to Allow Multicast Through a Firewall Without Using PIM
    6. 20.5. Connect Directly to Multicast Receivers
    7. 20.6. Use IGMP Proxy Mode to Dynamically Join Groups
    8. 20.7. Configure PIM on a Firewall
    9. 20.8. Use BSR for RP Mapping
    10. 20.9. Firewalling Between PIM Domains
    11. 20.10. Connect Two PIM Domains with Proxy RP
    12. 20.11. Manage RPF Information with Redundant Routers
    13. 20.12. PIM and High Availability
    14. 20.13. Provide Active-Active Multicast
    15. 20.14. Scale Multicast Replication
  24. 21. Virtual Systems
    1. 21.0. Introduction
    2. 21.1. Create a Route Mode VSYS
    3. 21.2. Create Multiple VSYS Configurations
    4. 21.3. VSYS and High Availability
    5. 21.4. Create a Transparent Mode VSYS
    6. 21.5. Terminate IPSec Tunnels in the VSYS
    7. 21.6. Configure VSYS Profiles
  25. About the Authors
  26. Colophon
  27. Copyright

Product information

  • Title: ScreenOS Cookbook
  • Author(s): Stefan Brunner, Vik Davar, David Delcourt, Ken Draper, Joe Kelly, Sunil Wadhwa
  • Release date: February 2008
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9780596510039