E-book, English, 512 pages
Cameron / Cantrell / Hemni Configuring Juniper Networks NetScreen and SSG Firewalls
1st edition 2006
ISBN: 978-0-08-050284-7
Publisher: Elsevier Science & Techn.
Format: EPUB
Copy protection: Adobe DRM (see system requirements)
"Juniper Networks Secure Access SSL VPN appliances provide a complete range of remote access appliances for the smallest companies up to the largest service providers. This comprehensive configuration guide will allow system administrators and security professionals to configure these appliances to allow remote and mobile access for employees. If you manage and secure a larger enterprise, this book will help you to provide remote and/or extranet access for employees, partners, and customers from a single platform.
- Configure Juniper's Instant Virtual Extranet (IVE): install and set up IVE through either the command line interface (CLI) or the Web-based console.
- Master the 3 Rs: Realms, Roles, and Resources: realize the potential of the 3 Rs for endpoint security, sign-in policies, and authorization of servers.
- Get inside both the Windows and Java versions of Secure Application Manager (SAM): learn to implement SAM, manage the end-user experience, and troubleshoot SAM in the field.
- Integrate IVE with Terminal Services and Citrix: enable the terminal services proxy and configure role options, configure Citrix using a custom ICA, configure terminal services resource policies and profiles, and configure terminal services and Citrix using a hosted Java applet.
- Ensure endpoint security: use Host Checker, Cache Cleaner, Secure Virtual Workspace, and IVE/IDP integration to secure your network.
- Manage the remote access needs of your organization: configure Web access, file access, and telnet/SSH access for remote users and offices.
- Configure core networking components through the System menu: create clusters, manage virtual systems, and monitor logs, reports, and alerts.
- Create bullet-proof sign-in policies: create standard and custom sign-in pages for both user and administrator access, and Secure Meeting pages.
- Use the IVE for log-related tasks: perform log filtering, log management, syslog exporting, SNMP management, and system resource monitoring and reporting."
Table of contents (section number; title; page)
1;Front Cover;1
2;Configuring Juniper® Networks NetScreen® & SSG Firewalls;2
3;Copyright Page;3
4;Contents;8
5;Foreword;14
6;Chapter 1. Networking, Security, and the Firewall;16
6.1;Introduction;17
6.2;Understanding Networking;18
6.3;Understanding Security Basics;32
6.4;Understanding Firewall Basics;41
6.5;Summary;59
6.6;Solutions Fast Track;60
6.7;Frequently Asked Questions;61
7;Chapter 2. Dissecting the Juniper Firewall;64
7.1;Introduction;65
7.2;The Juniper Security Product Offerings;66
7.3;The Juniper Firewall Core Technologies;72
7.4;The NetScreen and SSG Firewall Product Line;78
7.5;Summary;100
7.6;Solutions Fast Track;101
7.7;Frequently Asked Questions;102
8;Chapter 3. Deploying Juniper Firewalls;104
8.1;Introduction;105
8.2;Managing Your Juniper Firewall;105
8.3;Configuring Your Firewall for the Network;146
8.4;Configuring System Services;157
8.5;Resources;168
8.6;Summary;169
8.7;Solutions Fast Track;169
8.8;Frequently Asked Questions;171
9;Chapter 4. Policy Configuration;172
9.1;Introduction;173
9.2;Firewall Policies;173
9.3;Policy Components;182
9.4;Creating Policies;191
9.5;Summary;202
9.6;Solutions Fast Track;202
9.7;Frequently Asked Questions;203
10;Chapter 5. Advanced Policy Configuration;206
10.1;Introduction;207
10.2;Traffic-Shaping Fundamentals;207
10.3;Deploying Traffic Shaping on Juniper Firewalls;212
10.4;Advanced Policy Options;230
10.5;Summary;243
10.6;Solutions Fast Track;243
10.7;Frequently Asked Questions;245
11;Chapter 6. User Authentication;248
11.1;Introduction;249
11.2;User Account Types;249
11.3;Policy-Based User Authentication;284
11.4;802.1x Authentication;292
11.5;Enhancing Authentication;299
11.6;Summary;304
11.7;Solutions Fast Track;304
11.8;Frequently Asked Questions;306
12;Chapter 7. Routing;308
12.1;Introduction;309
12.2;Virtual Routers;309
12.3;Static Routing;328
12.4;Routing Information Protocol;336
12.5;Open Shortest Path First;350
12.6;Border Gateway Protocol;369
12.7;Route Redistribution;390
12.8;Policy-Based Routing;398
12.9;Summary;408
12.10;Solutions Fast Track;408
12.11;Frequently Asked Questions;411
13;Chapter 8. Address Translation;414
13.1;Introduction;415
13.2;Overview of Address Translation;415
13.3;Juniper NAT Overview;419
13.4;Juniper Packet Flow;420
13.5;Source NAT;421
13.6;Destination NAT;443
13.7;Summary;461
13.8;Links to Sites;461
13.9;Solutions Fast Track;461
13.10;Frequently Asked Questions;464
14;Chapter 9. Transparent Mode;472
14.1;Introduction;473
14.2;Interface Modes;473
14.3;Understanding How Transport Mode Works;474
14.4;Configuring a Device to Use Transport Mode;477
14.5;Transparent Mode Deployment Options;481
14.6;Summary;491
14.7;Solutions Fast Track;492
14.8;Frequently Asked Questions;493
15;Chapter 10. Attack Detection and Defense;494
15.1;Introduction;495
15.2;Understanding Attacks;499
15.3;The Juniper Security Research Team;498
15.4;Worms, Viruses, and Other Automated Malware;502
15.5;TCP/IP Protocol Anomaly Detection;513
15.6;Using Attack Objects;525
15.7;Antivirus Rules;553
15.8;Understanding Application Layer Gateways;557
15.9;Keeping Systems Updated;558
15.10;Summary;559
15.11;Solutions Fast Track;560
15.12;Frequently Asked Questions;563
16;Chapter 11. VPN Theory and Usage;566
16.1;Introduction;567
16.2;IPSec Tunnel Negotiations;571
16.3;Public Key Cryptography;574
16.4;How to Use VPNs in NetScreen Appliances;576
16.5;Advanced VPN Configurations;591
16.6;Summary;595
16.7;Solutions Fast Track;596
16.8;Links to Sites;599
16.9;Mailing Lists;599
16.10;Frequently Asked Questions;599
17;Chapter 12. High Availability;602
17.1;Introduction;603
17.2;The Need for High Availability;603
17.3;High-Availability Options;604
17.4;Improving Availability Using NetScreen SOHO Appliances;606
17.5;Introducing the NetScreen Redundancy Protocol;623
17.6;Building an NSRP Cluster;628
17.7;Determining When to Fail Over: The NSRP Ways;639
17.8;Reading the Output from get nsrp;653
17.9;Using NSRP-Lite on Midrange Appliances;656
17.10;Creating Redundant Interfaces;667
17.11;Taking Advantage of the Full NSRP;669
17.12;Failing Over;685
17.13;Avoiding the Split-Brain Problem;688
17.14;Avoiding the No-Brain Problem;689
17.15;Configuring HA through NSM;691
17.16;Summary;697
17.17;Solutions Fast Track;698
17.18;Frequently Asked Questions;702
18;Chapter 13. Troubleshooting the Juniper Firewall;704
18.1;Introduction;705
18.2;Troubleshooting Methodology;705
18.3;Troubleshooting Tools;707
18.4;Network Troubleshooting;721
18.5;Debugging the Juniper Firewall;721
18.6;Debugging NAT;727
18.7;Debugging VPNs;728
18.8;Debugging NSRP;730
18.9;Debugging Traffic Shaping;730
18.10;NetScreen Logging;732
18.11;Summary;735
18.12;Solutions Fast Track;735
18.13;Frequently Asked Questions;738
19;Chapter 14. Virtual Systems;740
19.1;Introduction;741
19.2;What Is a Virtual System?;741
19.3;How Virtual Systems Work;743
19.4;Configuring Virtual Systems;744
19.5;Virtual System Profiles;754
19.6;Summary;756
19.7;Solutions Fast Track;757
19.8;Frequently Asked Questions;758
20;Index;760
Chapter 2 Dissecting the Juniper Firewall

Solutions in this chapter:
- The Juniper Security Product Offerings
- The Juniper Firewall Core Technologies
- The NetScreen and SSG Firewall Product Line
- Summary
- Solutions Fast Track
- Frequently Asked Questions

Introduction
This chapter will introduce you to the Juniper firewall product. We will begin by looking at all of Juniper Networks’ security products, exploring the wide range of products available, and allowing you to determine which is best suited for your security needs. A well-designed and properly implemented security infrastructure must be multitiered. Juniper Networks now offers a host of security solutions for your organization. Over the past several years Juniper has increased its product portfolio dramatically. Through both acquisition and internal development, Juniper has become a premier security vendor. Juniper Networks delivers an integrated firewall and virtual private network (VPN) solution, the NetScreen firewall. The firewall product line has several tiers of appliances and systems. These tiers allow you to choose the right hardware for your network, giving the precise fit for your needs. Juniper has recently released a new firewall product line, the Security Services Gateway (SSG). This firewall line is designed to allow you to use new enhanced software features to better help protect your network from attack. Many of the SSG firewall products also enable you to use wide area network (WAN) interfaces as well. Juniper also offers a Secure Sockets Layer (SSL) VPN product. The Secure Access series offers a clientless remote access solution as well as a collaboration tool. With a clientless VPN approach, you remove the need for software deployment and management of the remote clients. You can easily deploy the SSL portal to thousands of users in mere hours. This is a great boon to any organization. Also available in the SSL VPN product line is the secure meeting application, which allows for online collaborative meetings where users can share their desktops and engage in chat. These are secured by SSL. You can use this feature to conduct presentations or to perform remote support. It’s a great tool for any organization. 
In recent years, access control for desktop PCs has become increasingly important. In the past, organizations focused primarily on protecting servers from external threats. Today, new technologies allow companies to restrict access to the network itself, thereby allowing administrators to prevent untrusted users from accessing the network and its available resources. Juniper today uses its Unified Access Control (UAC) product to address this industry need. The last part of the security product line is intrusion detection and prevention (IDP). Whereas some products allow you only to detect incoming malicious traffic, the IDP allows you to fully prevent it from continuing on your network. The IDP is a necessary device for any network. We will explore the core technologies of the Juniper firewalls. These are the frameworks that are used throughout this book. This discussion will give you an idea of the features of the Juniper firewall and will prepare you to actually implement these solutions on it. We will look at fundamental concepts such as zones. Zones are used to logically separate areas of the network. They allow you to take a more granular approach when you begin writing access rules to allow or deny network traffic. In the last section of the chapter, we will look thoroughly at the NetScreen and SSG firewall products. The products range from small office devices that would allow for VPN connectivity into a central location to the carrier class products that can serve as much as 12 gigabits per second (Gbps) of firewall traffic, a gigantic level of throughput for a firewall. The options provided in the Juniper firewall product line enable you to take your network to new heights.

The Juniper Security Product Offerings
NetScreen is the fastest-growing firewall product line on the market today. It has clinched the number two spot in the worldwide security appliance market. The NetScreen product line is robust and competitive, and it is now part of Juniper Networks. On April 16, 2004, Juniper Networks completed its purchase of NetScreen for $4 billion. Juniper chose to purchase NetScreen to enter the enterprise market space. Previously, Juniper focused on the carrier class market for high-end routers. Juniper is aiming high; it is vying directly with Cisco for the position of number one firewall appliance vendor, as well as number one router vendor in the world. The Juniper firewall appliance is Juniper’s firewall/VPN solution. Throughout the book, the firewall is referred to as a NetScreen firewall because Juniper chose to keep the NetScreen firewall product name for brand recognition. The other products in the NetScreen security line all kept their original names as well. The NetScreen IDP product is used to provide protection against network attacks. The IDP can alert you, log events, and capture attacks as they occur. This product offers several modes of operation that allow it to be used in one of several different network designs. It can also help prevent worms, viruses, and Trojans. The third part of the NetScreen security product line is the SSL VPN. The NetScreen Secure Access SSL VPN allows for clientless access into your network. The SSL VPN is currently the fastest-growing product line for Juniper. The Secure Access SSL VPN appliance is the market leader in its segment, with 45 percent of the market share as of the first quarter of 2004. An offshoot from the SSL VPN product line is the Secure Meeting product. Secure Meeting can be integrated with the SSL VPN appliance, or it can be run on its own dedicated appliance. It provides Web conferencing collaboration to share your desktop and documents over the Web.

The UAC product solution is the next generation of security. The UAC architecture provides network access control to client systems. The deployment architecture can be twofold: you can use the firewalls to provide enforcement, or you can use switches that are 802.1x compatible to provide access management to clients as well.

Juniper Firewalls
Juniper Networks’ premier security platform is the NetScreen firewall product line. This product line provides integrated firewall and Internet Protocol Security (IPSec) VPN solutions in a single appliance. The NetScreen firewall core is based on stateful inspection technology. This technology provides a connection-oriented security model by verifying the validity of every connection while still providing a high-performance architecture. The NetScreen firewalls themselves are based on a custom-built architecture consisting of application-specific integrated circuit (ASIC) technology. An ASIC is designed to perform a specific task at a higher performance level than a general-purpose processor. The ASIC connects over a high-speed bus interface to the core processor of the firewall unit, a reduced instruction set computing (RISC) CPU. The firewall platform also contains additional technologies to increase your network’s security. First, the products support deep inspection. This technology allows you to inspect traffic at the application level to look for application-level attacks. It can help prevent the next worm from attacking your Web servers or someone from trying to send illegal commands to your SMTP server. The deep inspection technology includes a regularly updated signature database as well as the capability for you to create your own custom expression-based signatures. All the appliances include the capability to create IPSec VPNs to secure your traffic. The integrated VPN technology has received both the Common Criteria and the ICSA (www.icsalabs.com) firewall certifications. Thus, the IPSec VPN technologies have good cross-compatibility as well as standards compliance. Juniper also offers two client VPN solutions to pair with the NetScreen firewall. First, NetScreen-Remote provides the user with the capability to create an IPSec connection to any NetScreen firewall or any IPSec-compliant device. The second client product is NetScreen-Security Client.

This product not only creates IPSec tunnels but also includes a personal firewall to secure the end user’s system. The NetScreen firewall product line leverages the technologies of Trend Micro’s and Kaspersky Lab’s antivirus software. This software allows you to scan traffic as it passes directly through the firewall, thus mitigating the risk of viruses spreading throughout your network. The latest product set for the firewall line from Juniper is the SSG. The SSG product line was designed with two key ideas in mind. First, it provides advanced security features at high speeds, such as antivirus protection, antispam protection, IPS capabilities, and integrated URL filtering. Second, all the SSG products allow you to use WAN interfaces on the firewall, thereby enabling you to connect your firewall directly to a T1, digital subscriber line (DSL), or Integrated Services Digital Network (ISDN) link, to name a few. This gives you the capability to bypass the need to have a router on every WAN link. Because the...