by Stefan Brunner; Vik Davar; David Delcourt; Ken Draper; Joe Kelly; Sunil Wadhwa
Publisher: O'Reilly
Pub Date: February 15, 2008
Print ISBN-13: 978-0-59-651003-9
Pages: 838
of why the recipes work, so you can easily set up and keep ScreenOS systems on track. ScreenOS Cookbook gives you real-world fixes, techniques, and configurations that save time, not hypothetical situations out of a textbook. The book comes directly from the experience of engineers who have seen and fixed every conceivable ScreenOS network topology, from small branch office firewalls to appliances for large core enterprise and government, to the heavy duty protocol driven service provider network. Its easy-to-follow format enables you to find the topic and specific recipe you need right away and match it
operating smoothly, no book matches ScreenOS Cookbook.
Recipe 2.2 Use SCP to Securely Transfer Information to and from the Firewall
Recipe 2.3 Use the Dedicated MGT Interface to Manage the Firewall
Recipe 2.4 Control Access to the Firewall
Recipe 2.5 Manage Multiple ScreenOS Images for Remotely Managed Firewalls
Recipe 2.6 Manage the USB Port on SSG
Chapter 3 Wireless
Recipe 3.0 Introduction
Recipe 3.1 Use MAC Filtering
Recipe 3.7 Configure Bridge Groups for Wired and Wireless Networks
Recipe 4.10 Create Permanent Static Routes
Chapter 5 Transparent Mode
Recipe 5.0 Introduction
Recipe 5.1 Enable Transparent Mode with Two Interfaces
Recipe 5.2 Enable Transparent Mode with Multiple
Recipe 8.16 A NAT Strategy for a Medium Office with DMZ
Recipe 8.17 Deploy a Large-Office Firewall with DMZ
Recipe 10.4 Route-Based VPN with Dynamic Peer and Static Routing
Recipe 10.5 Redundant VPN Gateways with Static Routes
Recipe 11.6 Configure and View ALG Inspection of a SIP-Based IP Telephony Call Session
Recipe 11.7 View SIP Call and Session Counters
Recipe 11.8 View and Modify SIP ALG Settings
Recipe 11.9 View the Dynamic Port(s) Associated with a Microsoft RPC Session
Recipe 11.10 View the Dynamic Port(s) Associated with a Sun-RPC Session
Recipe 12.5 Configure Antispam with Third Parties
Recipe 12.6 Configure Custom Blacklists and Whitelists for Antispam
Recipe 12.7 Configure Internal URL Filtering
Recipe 12.8 Configure External URL Filtering
Recipe 12.9 Configure Custom Blacklists and Whitelists with URL Filtering
Recipe 12.10 Configure Deep Inspection
Recipe 13.6 Create VPN Users with the Local Database
Recipe 13.7 Use RADIUS for Admin Authentication
Recipe 13.8 Use LDAP for Policy-Based Authentication
Recipe 13.9 Use SecurID for Policy-Based Authentication
Chapter 14 Traffic Shaping
Recipe 16.11 Configure OSPF on Point-to-Multipoint Links
Recipe 16.12 Configure Demand Circuits
Recipe 17.6 Statically Define Prefixes to Be Advertised to EBGP Peers
Recipe 17.7 Use Route Maps to Filter Prefixes Announced to BGP Peers
Recipe 17.8 Aggregate Route Announcements to BGP Peers
Recipe 17.9 Filter Route Announcements from BGP Peers
Recipe 17.10 Update the BGP Routing Table Without
Recipe 18.10 Create a Stateful Failover for an IPSec Tunnel
Recipe 18.11 Configure NAT in an Active-Active Cluster
Recipe 18.12 Configure NAT in a VSD-Less Cluster
Recipe 18.13 Configure NSRP Between Data Centers
Recipe 18.14 Maintain NSRP Clusters
Chapter 19 Policy-Based Routing
Recipe 20.2 Use Multicast Group Policies to Enforce Stateful Multicast Forwarding
Recipe 21.2 Create Multiple VSYS Configurations
Recipe 21.3 VSYS and High Availability
Recipe 21.4 Create a Transparent Mode VSYS
Recipe 21.5 Terminate IPSec Tunnels in the VSYS
Recipe 21.6 Configure VSYS Profiles
Colophon
Index
by Stefan Brunner, Vik Davar, David Delcourt, Ken Draper, Joe Kelly, and Sunil Wadhwa
Copyright © 2008 O'Reilly Media, Inc. All rights reserved.
Printed in the United States of America.
Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472
O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com
Cover Designer: Karen Montgomery
Production Editor: Sumita Mukherji
Interior Designer:
The Cookbook series designations, ScreenOS Cookbook, the image of a bulldog, and related trade dress are trademarks of O'Reilly Media, Inc.
Java™ is a trademark of Sun Microsystems, Inc.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.
While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
This book uses RepKover™, a durable and flexible lay-flat binding.
ISBN: 978-0-596-51003-9
Stefan Brunner has been a technology consultant for more than 15 years, helping enterprise organizations leverage technology for their business models and deploy technology solutions. Stefan is the lead architect in Juniper Networks' Service Layer Technology Professional Services group. Prior to Juniper, Stefan worked with NetScreen Technologies as a network security consultant. Stefan holds an MBA in innovations research and technology management from Ludwig-Maximilians-University of Munich, and a certificate degree in telecommunications engineering from the University of
company. He has a master's degree in electrical engineering from Columbia University and a bachelor's degree in electrical engineering from The Cooper Union in New York City. He is also a CISSP and CCIE #8377. He lives in New Jersey with his wife and two children. Vik wrote Chapters 7, 11, 15, and 17.
Americas. He lives in New Hampshire with his wife and daughter, and their two dogs and two cats. David wrote Chapters 1 and 2.
industry, and has focused on security solutions for the past 11 years. He is CISSP certification #22627 and holds numerous other certifications. Ken has worked at such networking equipment manufacturers as Infotron, Gandalf, Synoptics, Bay Networks, Nortel, NetScreen, and now, Juniper Networks. He has more than six years of experience with ScreenOS and large-scale security solutions. He has held a variety of technical engineering positions, including systems engineer and solutions architect, and he is currently a Juniper Networks consulting engineer specializing in large-scale virtual private networks (VPNs), firewalls, intrusion prevention, and centralized management markets. Ken lives outside Dallas with his wife and two dogs. Ken wrote Chapters 10, 13, and 21.
Joe Kelly has been involved in data networking for more than 12 years, focusing on the realms of network security and routing. He started his career in the service provider space at IDT Corporation, where he held roles in network operations and engineering. After IDT, he spent time with various network service providers in engineering and architectural capacities. In 2001, Joe joined NetScreen Technologies as a senior systems engineer in the Financial and Service Provider verticals, where he specialized in high-availability, high-performance networks. Joe joined Juniper Networks in 2004 with the acquisition of NetScreen, and he is currently the technical lead on the Global Banking and Finance team. He lives in New Jersey with his beautiful wife, Jacqueline, and their three children, Hannah, Ben, and Tristan. Joe wrote Chapters 6, 9, 18, and 20.
Sunil Wadhwa has been in the data networking industry for more than 13 years, focusing on systems, network routing, and security in enterprise and service provider organizations. He started his career in India at GTL Limited and SAP India, and then held a variety of roles in technical support, network operations, and engineering. He moved to the United States
currently leads the Advance Technical Support team for Juniper Networks, supporting enhanced services products. He lives in California with his beautiful wife, Lavanya, and little angel daughter, Sneha. Sunil wrote Chapters 3, 4, and 19.
See Wireless Access Point (AP).
Access Point Name (APN)
Information element (IE) included in the header of a GTP packet that provides information regarding how to reach a network. It is composed of a network ID and an operator ID.
ACL
See Access Control List (ACL).
Address Shifting
Mechanism for creating a one-to-one mapping between any original address in one range of addresses and a specific translated address in another range.
When two routers can exchange routing information, they are considered to have constructed an adjacency. Point-to-point networks, which have only two routers, automatically form an adjacency. Point-to-multipoint networks are a
Aggregator
Object used to bundle multiple routes under one common route, generalized according to the value of the network mask.
Mechanism for accelerating the timeout process when the number of sessions in the session table surpasses a specified high-watermark threshold. When the number of sessions in the table dips below a specified low-watermark threshold, the timeout process returns to normal.
intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic.
Area Border Router (ABR)
A router with at least one interface in area 0 and at least one interface in another area.
AS (AS)
See Autonomous System (AS).
AS Boundary Router
A router that connects an Autonomous System (AS) running one routing protocol to another AS running a different protocol. See also Autonomous System (AS).
AS Number
Identification number of the local Autonomous System (AS) mapped to a Border Gateway Protocol (BGP) routing
See also Border Gateway Protocol (BGP).
AS Path String
String that acts as an identifier for an Autonomous System (AS) path. It is configured alongside an AS Path access list ID.
Asymmetric Digital Subscriber Line (ADSL)
Digital Subscriber Line (DSL) technology that allows existing telephone lines to carry both voice telephone service and high-speed digital transmission. A growing number of service providers offer ADSL service to home and business customers.
Atomic Aggregate
Object used by a Border Gateway Protocol (BGP) router to inform other BGP routers that the local system has selected a generalized route.
Attack Objects
network
Authentication
Ensures that digital data transmissions are delivered to the intended recipient. Authentication also validates the integrity of the message for the receiver, including its source (where or whom it came from). The simplest form of authentication requires a username and password for access to a particular account. Authentication protocols can also be based on secret-key encryption, such as the Data Encryption Standard (DES) or Triple DES (3DES), or on
group. The group also uses an Exterior Gateway Protocol (EGP) to route packets to other ASs. Each AS has a routing plan that indicates which destinations are reachable through it. This plan is called the Network Layer Reachability Information (NLRI) object. Border Gateway Protocol (BGP) routers periodically generate and receive NLRI updates.
is a header bit transmitted by the destination terminal requesting that the source terminal send data more slowly. BECN and FECN are intended to minimize the possibility that packets will be discarded (and thus have to be resent)
B-Channel
Integrated Services Digital Network (ISDN) Basic Rate Interface (BRI) service provided by telephone service
Bgroup
See Bridge Group Interface.
Bit Error Rate (BER)
Ratio of error bits to the total number of bits received in a transmission, usually expressed as 10 to a negative power.
Broadcast Network
A network that supports many routers with the capability of communicating directly with one another. Ethernet is an example of a broadcast network.
used for file transfers. Such proxies are called application-level proxies or application-level gateways because they are dedicated to a particular application and protocol, and are aware of the content of the packets being sent. A generic
enables the transmission of multiple protocols.
Classless Routing
Support for interdomain routing, regardless of the size or
Gateway Protocol (BGP), giving the network greater flexibility. See also Border Gateway Protocol (BGP).
Community
Grouping of Border Gateway Protocol (BGP) destinations. By updating the community, you automatically update its member destinations with new attributes.
Confederation
Object inside a Border Gateway Protocol Autonomous System (BGP AS) that is a subset of routing instances in the Authentication Server. By grouping devices into confederations inside a BGP AS, you reduce the complexity associated with the matrix of routing connections, known as
CRL
See Certificate Revocation List (CRL).
classified as top secret. DES uses an algorithm for private-
is broken up into 64-bit blocks so that each can be combined with the key using a complex 16-step process. Although DES is fairly weak, with only one iteration, repeating it using slightly different keys can provide excellent security.
Data Encryption Standard–Cipher Block Chaining (DES–CBC)
Message text and, if required, message signatures can be encrypted using the Data Encryption Standard (DES) algorithm in the Cipher Block Chaining (CBC) mode of operation. The character string "DES-CBC" within an encapsulated Privacy Enhanced Mail (PEM) header field indicates the use of DES–CBC.
Data-Link Connection Identifier (DLCI)
Separates customer traffic in Frame Relay configurations.
Dead Interval
Period that elapses before a routing instance determines that another routing instance is not running.
Allows an IP Security (IPSec) device to verify the current existence and availability of other IPSec peer devices. The device performs this verification by sending encrypted Internet Key Exchange (IKE) Phase 1 notification payloads (R-U-THERE) to the peers and waiting for DPD
defined in the routing table. The destination network for the default route is represented by the network address 0.0.0.0/0
Demilitarized Zone (DMZ)
From the military term for an area between two opponents where fighting is prevented. DMZ Ethernets connect networks and computers controlled by different bodies. They may be external or internal. External DMZ Ethernets
destination IP addresses to a single IP address (one-to-one or many-to-one relationships). The security device also supports the translation of one range of IP addresses to another range (a many-to-many relationship) using address shifting. When the security device performs NAT-dst without address shifting, it can also map the destination port number to a different predetermined port number. When the security device performs NAT-dst with address shifting,
Distance Vector
Routing strategy that relies on an algorithm that works by having routers sporadically broadcast entire copies of their own routing table to all directly connected neighbors. This update identifies the networks each router knows about, and the distance between each of those networks. The distance is measured in hop counts or the number of routing domains that a packet must traverse between its source device and the device it attempts to reach.
207.17.137.68
DPD
operate on criteria such as IP source or destination address range, TCP ports, User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), or TCP responses. See also Tunneling; Virtual Private Network (VPN).
Dynamic Host Configuration Protocol (DHCP)
Method for automatically assigning IP addresses to hosts on a network. Depending on the specific device model, security devices can allocate dynamic IP addresses to hosts, receive dynamically assigned IP addresses, or receive DHCP information from a DHCP server and relay the information to hosts.
Routing method that adjusts to changing network circumstances by analyzing incoming routing update messages. If the message indicates that a network change has occurred, the routing software recalculates routes and sends out new routing update messages. These messages populate the network, directing routers to rerun their algorithms and change their routing tables accordingly. There are two common forms of dynamic routing: distance vector routing and link state routing.
E1 Interface
European format for digital transmission. This format carries signals at 2 Mbps (32 channels at 64 Kbps, with two
IP-level security protocols, AH and ESP, were originally proposed by the Network Working Group focused on IP security mechanisms, IP Security (IPSec). The term IPSec is used loosely here to refer to packets, keys, and routes that are associated with these protocols. The IP AH protocol provides authentication. ESP provides both authentication and encryption.
Process of changing data into a form that only the intended receiver can read. To decipher the message, the receiver of the encrypted data must have the proper decryption key. In traditional encryption schemes, the sender and the receiver use the same key to encrypt and decrypt data. Public-key encryption schemes use two keys: a public key, which anyone may use, and a corresponding private key, which is possessed only by the person who created it. With this method, anyone may send a message encrypted with the owner's public key, but only the owner has the private key necessary to decrypt it. Data Encryption Standard (DES) and Triple DES (3DES) are two of the most popular public-key encryption schemes.
Equal Cost Multipath (ECMP)
Assists with load balancing among two to four routes to the same destination, or increases the effective bandwidth usage among two or more destinations. When enabled, security devices use the statically defined routes or dynamically learn multiple routes to the same destination through a routing protocol. The security device assigns routes of equal cost in round-robin fashion.
Export Rules
When you have two or more virtual routers (VRs) on a security device, you can configure export rules that define which routes on one VR are allowed to be learned by another VR. See also Import Rules.
Two peer Border Gateway Protocol (BGP) routers residing in two different Autonomous Systems (ASs). See Border
Firewalls are used by companies that want to protect any network-connected server from damage (intentional or otherwise) by those who log in to it. This could be a dedicated computer equipped with security measures, or it could be a software-based protection.
Forward Explicit Congestion Notification (FECN)
In a Frame Relay network, FECN is a header bit transmitted by the source (sending) terminal requesting that the destination (receiving) terminal slow down its requests for data. Backward Explicit Congestion Notification (BECN) is a header bit transmitted by the destination terminal requesting that the source terminal send data more slowly. FECN and BECN are intended to minimize the possibility that packets will be discarded (and thus have to be resent) when more packets arrive than can be handled. See also Backward Explicit Congestion Notification (BECN).
Wide area network (WAN) protocol that operates over a variety of network interfaces, including serial, T1/E1, and T3/E3. Frame Relay allows private networks to reduce costs
a pan-European mobile cellular radio system operating at
Gn Interface
Interface between two GPRS Support Nodes (GSNs) within the same Public Land Mobile Network (PLMN).
operators/carriers have abstracted these functions through the GPRS Roaming Exchange (GRX). This function is typically provided by a third-party IP network that offers virtual private network (VPN) services to connect the roaming partners. The GRX service provider ensures that all aspects