Junos Security. A Guide to Junos for the SRX Services Gateways and Security Certification - Helion
ISBN: 978-14-493-9958-0
Pages: 848, Format: ebook
Publication date: 2010-08-16
Bookstore: Helion
Junos® Security is the complete and authorized introduction to the new Juniper Networks SRX hardware series. This book not only provides a practical, hands-on field guide to deploying, configuring, and operating SRX, it also serves as a reference to help you prepare for any of the Junos Security Certification examinations offered by Juniper Networks.
Network administrators and security professionals will learn how to use SRX Junos services gateways to address an array of enterprise data network requirements -- including IP routing, intrusion detection, attack mitigation, unified threat management, and WAN acceleration. Junos Security is a clear and detailed roadmap to the SRX platform. The author's newer book, Juniper SRX Series, covers the SRX devices themselves.
- Get up to speed on Juniper’s multi-function SRX platforms and SRX Junos software
- Explore case studies and troubleshooting tips from engineers with extensive SRX experience
- Become familiar with SRX security policy, Network Address Translation, and IPSec VPN configuration
- Learn about routing fundamentals and high availability with SRX platforms
- Discover what sets SRX apart from typical firewalls
- Understand the operating system that spans the entire Juniper Networks networking hardware portfolio
- Learn about the more commonly deployed branch series SRX as well as the large Data Center SRX firewalls
"I know these authors well. They are out there in the field applying the SRX's industry-leading network security to real world customers every day. You could not learn from a more talented team of security engineers."
--Mark Bauhaus, EVP and General Manager, Juniper Networks
Table of contents
- Junos Security
- SPECIAL OFFER: Upgrade this ebook with O'Reilly
- A Note Regarding Supplemental Files
- Foreword
- Preface
- This Book's Assumptions About You
- What's In This Book?
- Juniper Networks Technical Certification Program (JNTCP)
- Topology for This Book
- Conventions Used in This Book
- Using Code Examples
- We'd Like to Hear from You/How to Contact Us/Comments and Questions
- Safari Books Online
- About the Tech Reviewers
- Acknowledgments
- From Rob Cameron
- From Tim Eberhard
- From Patricio Giecco
- From Glen Gibson
- From James Quinn
- From Brad Woodberg
- 1. Introduction to the SRX
- Evolving into the SRX
- ScreenOS to Junos
- Inherited ScreenOS features
- Device management
- The SRX Series Platform
- Built for Services
- Deployment Solutions
- Small Branch
- Medium Branch
- Large Branch
- Data Center
- Data Center Edge
- Data Center Services Tier
- Service Provider
- Mobile Carriers
- Cloud Networks
- The Junos Enterprise Services Reference Network
- SRX Series Product Lines
- Branch SRX Series
- Branch-Specific Features
- SRX100
- SRX200
- Interface modules for the SRX200 line
- SRX600
- Interface modules for the SRX600 line
- AX411
- CX111
- Branch SRX Series Hardware Overview
- Licensing
- Branch Summary
- Data Center SRX Series
- Data Center SRX-Specific Features
- SPC
- NPU
- Data Center SRX Series Session Setup
- Data Center SRX Series Hardware Overview
- SRX3000
- IOC modules
- SRX5000
- IOC modules
- Summary
- Chapter Review Questions
- Chapter Review Answers
- 2. What Makes Junos So Special?
- OS Basics
- FreeBSD
- Process Separation
- Development Model
- Adding New Features
- Data Plane
- Junos Is Junos Except When It's Junos
- Coming from Other Products
- ScreenOS
- IOS and PIX OS
- Check Point
- Summary
- Chapter Review Questions
- Chapter Review Answers
- 3. Hands-On Junos
- Introduction
- Driving the Command Line
- Operational Mode
- Variable Length Output
- Passing Through the Pipe
- Seeking Immediate Help
- Configuration Mode
- Commit Model
- Restarting Processes
- Junos Automation
- Junos Configuration Essentials
- System Settings
- Interfaces
- Switching (Branch)
- Zones
- Summary
- Chapter Review Questions
- Chapter Review Answers
- 4. Security Policy
- Security Policy Overview
- SRX Policy Processing
- Viewing SRX Policy Tables
- Viewing Policy Statistics
- Viewing Session Flows
- Policy Structure
- Security Zones
- Service Configuration
- Blocking Unwanted Traffic
- Policy Logging
- Troubleshooting Security Policy and Traffic Flows
- Troubleshooting Sample
- Troubleshooting Output
- Turning Off Traceoptions
- Application Layer Gateway Services
- How to Configure an ALG
- Policy Schedulers
- One-Time Schedulers
- Web and Proxy Authentication
- Web Authentication
- Pass-Through Authentication
- Case Study 4-1
- Case Study 4-2
- Converters and Scripts
- Summary
- Chapter Review Questions
- Chapter Review Answers
- 5. Network Address Translation
- How the SRX Processes NAT
- Source NAT
- Interface NAT
- Implementing a source NAT rule-set
- Viewing interface NAT in the session table
- Viewing traffic flow logs for interface NAT
- Operational commands for interface NAT
- Tracing interface NAT flows
- Address Pools
- Implementing a source NAT address pool
- Viewing pool NAT in the session table
- Viewing traffic flow logs for pool NAT
- Operational commands for pool NAT
- Tracing pool NAT flows
- Removing PAT
- Implementing source NAT without PAT
- Viewing source NAT without PAT
- Proxy ARP
- Implementing proxy ARP
- Viewing proxy ARP in action
- Persistent NAT
- Implementing persistent NAT
- Viewing persistent NAT in action
- Case Study 5-1: ISP Redundancy via PAT
- Implementing redundant ISP PAT
- Conclusion
- Destination NAT
- Implementing Destination NAT
- Viewing Destination NAT
- Tracing Destination NAT Flows
- Case Study 5-2: Virtual IP NAT
- Implementing VIP NAT
- Static NAT
- Case Study 5-3: Double NAT
- Summary
- Chapter Review Questions
- Chapter Review Answers
- 6. IPsec VPN
- VPN Architecture Overview
- Site-to-Site IPsec VPNs
- Hub and Spoke IPsec VPNs
- Full Mesh VPNs
- Multipoint VPNs
- Remote Access VPNs
- IPsec VPN Concepts Overview
- IPsec Encryption Algorithms
- IPsec Authentication Algorithms
- IKE Version 1 Overview
- IKE Phase 1
- IKE Phase 2
- IPSec VPN Protocol
- IPsec VPN Mode
- IPsec Manual Keys
- Phase 1 IKE Negotiations
- IKE Authentication
- Preshared key authentication
- Certificate authentication
- IKE Identities
- Phase 1 IKE Negotiation Modes
- Main mode
- Aggressive mode
- Phase 2 IKE Negotiations
- Perfect Forward Secrecy
- Quick Mode
- Proxy ID Negotiation
- Flow Processing and IPsec VPNs
- SRX VPN Types
- Policy-Based VPNs
- Route-Based VPNs
- Numbered versus unnumbered st0 interfaces
- Point-to-point versus point-to-multipoint VPNs
- Special point-to-multipoint attributes
- Point-to-multipoint NHTB
- Other SRX VPN Components
- Dead Peer Detection
- VPN Monitoring
- XAuth
- NAT Traversal
- Anti-Replay Protection
- Fragmentation
- Differentiated Services Code Point
- IKE Key Lifetimes
- Network Time Protocol
- Certificate Validation
- Simple Certificate Enrollment Protocol
- Group VPN
- Dynamic VPN
- Selecting the Appropriate VPN Configuration
- IPsec VPN Configuration
- Configuring NTP
- Certificate Preconfiguration Tasks
- Phase 1 IKE Configuration
- Configuring Phase 1 proposals
- Configuration for Remote-Office1 proposal with preshared keys
- Configuration for Remote-Office1 proposal with certificates
- Configuring Phase 1 policies
- Configuring Phase 1 IKE policy with preshared key, Main mode
- Configuring Phase 1 IKE policy with preshared key, Aggressive mode
- Configuring Phase 1 IKE policy with certificates
- Configuring Phase 1 gateways
- Configuring an IKE gateway with static IP address and DPD
- Configuring dynamic gateways and remote access clients
- Configuring an IKE gateway with a dynamic IP address
- Configuring an IKE remote access client
- Phase 2 IKE Configuration
- Configuring Phase 2 proposals
- Configuring a Phase 2 proposal for remote offices and client connections
- Configuring Phase 2 IPsec policy
- Configuring an IPsec policy defining the Phase 2 proposal
- Configuring common IPsec VPN components
- Configuring a common site-to-site VPN component
- Configuring policy-based VPNs
- Configuring a policy-based VPN for the East Branch to the Central site VPN
- Configuring route-based VPNs
- Configuring Manual Key IPsec VPNs
- Configuring a manual key IPsec VPN
- Dynamic VPN
- VPN Verification and Troubleshooting
- Useful VPN Commands
- show security ike security-associations
- show security ipsec security-associations
- show security ipsec statistics
- VPN Tracing and Debugging
- VPN troubleshooting process
- Configuring and analyzing VPN tracing
- Troubleshooting a site-to-site VPN
- Troubleshooting a remote access VPN
- Case Studies
- Case Study 6-1: Site-to-Site VPN
- Case Study 6-2: Remote Access VPN
- Summary
- Chapter Review Questions
- Chapter Review Answers
- 7. High-Performance Attack Mitigation
- Network Protection Tools Overview
- Firewall Filters
- Screens
- Security Policy
- IPS and AppDoS
- Protecting Against Network Reconnaissance
- Firewall Filtering
- Screening
- Port Scan Screening
- Summary
- Protecting Against Basic IP Attacks
- Basic IP Protections
- Basic ICMP Protections
- Basic TCP Protections
- Basic Denial-of-Service Screens
- Advanced Denial-of-Service and Distributed Denial-of-Service Protection
- ICMP Floods
- UDP Floods
- SYN/TCP Floods
- SYN Cookies
- SYN-ACK-ACK Proxies
- Session Limitation
- AppDoS
- Application Protection
- SIP
- MGCP
- SCCP
- Protecting the SRX
- Summary
- Chapter Review Questions
- Chapter Review Answers
- 8. Intrusion Prevention
- The Need for IPS
- How Does IPS Work?
- Licensing
- IPS and antivirus
- What is the difference between full IPS and deep inspection/IPS lite?
- Is it IDP or IPS?
- False positives and false negatives in IPS
- Management IPS functionality on the SRX
- Stages of a system compromise
- IPS Packet Processing on the SRX
- Packet processing path
- Direction-specific detection
- SRX IPS modes
- SRX deployment options
- Attack Object Types
- Application contexts
- Predefined attack objects and groups
- Custom attack objects and groups
- Severities
- Signature performance impacts
- IPS Policy Components
- Rulebases
- Match criteria
- Then actions
- IPS actions
- Notification actions
- Packet logging
- IP actions
- Targets and timeouts
- Terminate Match
- Security Packages
- Attack database
- Attack object updates versus full updates
- Application objects
- Detector engines
- Policy templates
- Scheduling updates
- Sensor Attributes
- Logging sensor attributes
- Application identification attributes
- Flow attributes
- Reassembler attributes
- IPS attributes
- Global attributes
- Detector attributes
- SSL inspection attributes
- SSL Inspection
- SSL decryption/inspection overview
- Alternatives to SSL decryption and inspection
- AppDDoS Protection
- AppDDoS profiles
- Custom Attack Groups and Objects
- Static attack groups
- Dynamic attack groups
- Custom attack objects
- Configuring IPS Features on the SRX
- Getting Started with IPS on the SRX
- Getting started example
- Configuring automatic updates
- Useful IPS files
- Configuring static and dynamic attack groups
- Creating a custom attack object
- Creating, activating, and referencing IPS
- Exempt rulebase
- AppDDoS protection
- SSL decryption
- Configuring IPS modes
- Deploying and Tuning IPS
- First Steps to Deploying IPS
- Building the Policy
- Testing Your Policy
- Actual Deployment
- Day-to-Day IPS Management
- Troubleshooting IPS
- Checking IPS Status
- Checking Security Package Version
- IPS Attack Table
- Application Statistics
- IPS Counters
- IP Action Table
- AppDDoS Useful Commands
- Troubleshooting the Commit/Compilation Process
- Case Study 8-1
- Summary
- Chapter Review Questions
- Chapter Review Answers
- 9. Unified Threat Management
- What Is UTM?
- Application Proxy
- Web Filtering
- Configuring web filtering using SurfControl
- Configuring web filtering using Websense redirect
- Creating custom category lists
- Using local classification only
- Antivirus
- Kaspersky full antivirus
- Juniper Express antivirus
- Sophos in-the-cloud antivirus
- Antivirus trickling
- Whitelists
- Notifications
- Viewing the UTM Logs
- Controlling What to Do When Things Go Wrong
- Content Filtering
- Filtering FTP traffic
- Filtering HTTP traffic
- Antispam
- UTM Monitoring
- Licensing
- Tracing UTM Sessions
- Case Study 9-1: Small Branch Office
- Security Policies
- UTM Policies and Profiles
- Summary
- Chapter Review Questions
- Chapter Review Answers
- 10. High Availability
- Understanding High Availability in the SRX
- Chassis Cluster
- The Control Plane
- The Data Plane
- Junos High Availability Concepts
- Cluster ID
- Node ID
- Redundancy groups
- Interfaces
- Deployment Concepts
- Active/passive
- Active/active
- Mixed mode
- Six pack
- Configuration
- Differences from Standalone
- Activating JSRPD (Juniper Services Redundancy Protocol)
- Managing Cluster Members
- Configuring the Control Ports
- Configuring the Fabric Links
- Node-Specific Information
- Configuring Heartbeat Timers
- Redundancy Groups
- Configuring Interfaces
- Integrating Dynamic Routing
- Upgrading the Cluster
- Fault Monitoring
- Interface Monitoring
- IP Monitoring
- Manual Failover
- Hardware Monitoring
- Route engine
- Switch control board
- Switch fabric board
- Services Processing Card
- Network Processing Card
- Interface card
- Control link
- Data link
- Control link and data link failure
- Power supplies
- Software Monitoring
- Preserving the Control Plane
- Using Junos Automation
- Troubleshooting the Cluster
- First Steps
- Checking Interfaces
- Verifying the Data Plane
- Core Dumps
- The Dreaded Priority Zero
- When All Else Fails
- Summary
- Chapter Review Questions
- Chapter Review Answers
- 11. Routing
- How the SRX Routes IP Packets
- Forwarding Tables
- IP Routing
- Asymmetric Routing
- Address Resolution Protocol (ARP)
- Static Routing
- Creating a Static Route
- Verifying a Static Route
- Dynamic Routing
- Configuring OSPF Routing
- Troubleshooting OSPF adjacencies
- OSPF security zone configuration
- Case Study 11-1: Securing OSPF Adjacencies
- Case Study 11-2: Redundant Paths and Routing Metrics
- Growing OSPF Networks
- IS-IS
- Configuring IS-IS
- Verifying IS-IS
- Configuring BFD
- Configuring RIP
- Verifying RIP
- Routing Policy
- Case Study 11-3: Equal Cost Multipath (ECMP)
- Internet Peering
- Configuring BGP Peerings
- BGP Routing Tables
- Case Study 11-4: Internet Redundancy
- Routing Instances
- Configuring Routing Instances
- Filter-Based Forwarding
- Configuring Filter-Based Forwarding
- Case Study 11-5: Dynamic Traffic Engineering
- Summary
- Chapter Review Questions
- Chapter Review Answers
- 12. Transparent Mode
- Transparent Mode Overview
- Why Use Transparent Mode?
- Segmenting a Layer 2 domain
- Complex routing environments
- Separation of duties
- Existing transparent mode infrastructure
- MAC Address Learning
- Transparent Mode and Bridge Loops, Spanning Tree Protocol
- Transparent Mode Limitations
- Transparent Mode Components
- Interfaces, family bridge, and bridge domains in transparent mode
- Interface Modes in Transparent Mode
- Bridge Domains
- IRB Interfaces
- Transparent Mode Zones
- Transparent Mode Security Policy
- Transparent Mode Specific Options
- QoS in Transparent Mode
- VLAN Rewriting
- High Availability with Transparent Mode
- Spanning Tree Protocol in transparent mode Layer 2 deployments
- Transparent Mode Flow Process
- Slow-path packet SPU packet processing
- Fast-path SPU processing
- Session teardown
- Configuring Transparent Mode
- Configuring Transparent Mode Basics
- Configuring Integrated Routing and Bridging
- Configuring Transparent Mode Security Zones
- Configuring Transparent Mode Security Policies
- Configuring Bridging Options
- Configuring Transparent Mode QoS
- Configuring VLAN Rewriting
- Transparent Mode Commands and Troubleshooting
- The show bridge domain Command
- The show bridge mac-table Command
- The show l2-learning global-information Command
- The show l2-learning global-mac-count Command
- The show l2-learning interface Command
- Transparent Mode Troubleshooting Steps
- Case Study 12-1
- Summary
- Chapter Review Questions
- Chapter Review Answers
- 13. SRX Management
- The Management Infrastructure
- Operational Mode
- Configuration Mode
- J-Web
- NSM and Junos Space
- NETCONF
- Scripting and Automation
- Commit Scripts
- Hello World, commit script edition
- Adding and enabling commit scripts
- Special tags for MGD
- Using a script to enforce some condition
- Missing security zone binding
- Creating a Configuration Template
- Transient versus persistent changes
- Configuration templates part II
- Operational Scripts
- Event Scripts
- Keeping Your Scripts Up-to-Date
- Case Studies
- Case Study 13-1: Displaying the Interface and Zone Information
- Case Study 13-2: Zone Groups
- Case Study 13-3: Showing the Security Policies in a Compact Format
- Case Study 13-4: Track-IP Functionality to Trigger a Cluster Failover
- Case Study 13-5: Track-IP Using RPM Probes
- Case Study 13-6: Top Talkers
- Case Study 13-7: Destination NAT on Interfaces with Dynamic IP Addresses
- Case Study 13-8: High-End SRX Monitor
- Summary
- Chapter Review Questions
- Chapter Review Answers
- Index
- About the Authors
- Colophon