.Configure Juniper's Instant Virtual Extranet (IVE)
Install and set up IVE through either the command line interface (CLI) or Web-based console.
.Master the 3 Rs: Realms, Roles, and Resources
Realize the potential of the 3Rs for endpoint security, sign-in policies, and authorization of servers.
.Get Inside both the Windows and Java Versions of Secure Application Manager (SAM)
Learn to implement SAM, manage the end-user experience, and troubleshoot SAM in the field.
.Integrate IVE with Terminal Services and Citrix
Enable terminal services proxy and configure role options, configure Citrix using a custom ICA, configure terminal services resource policies and profiles, and configure terminal services and Citrix using a hosted Java applet.
.Ensure Endpoint Security
Use Host Checker, Cache Cleaner, Secure Virtual Workspace, and IVE/IDP integration to secure your network.
.Manage the Remote Access Needs of Your Organization
Configure Web access, file access and telnet/SSH access for remote users and offices.
.Configure Core Networking Components through the System Menu
Create clusters, manage virtual systems, and monitor logs, reports, and alerts.
.Create Bullet-Proof Sign-in Policies
Create standard and custom sign-in pages for both user and administrator access and Secure Meeting pages.
.Use the IVE for Log-Related Tasks
Perform log filtering, log management, syslog exporting, SNMP management, and system resource monitoring and reporting."
Juniper Networks Secure Access SSL VPN appliances provide a complete range of remote access appliances for the smallest companies up to the largest service providers. This comprehensive configuration guide will allow system administrators and security professionals to configure these appliances to allow remote and mobile access for employees. If you manage and secure a larger enterprise, this book will help you to provide remote and/or extranet access for employees, partners, and customers from a single platform. Configure Juniper's Instant Virtual Extranet (IVE) Install and set up IVE through either the command line interface (CLI) or Web-based console Master the "e;3 Rs"e;: Realms, Roles, and Resources Realize the potential of the "e;3Rs"e; for endpoint security, sign-in policies, and authorization of servers Get Inside both the Windows and Java Versions of Secure Application Manager (SAM) Learn to implement SAM, manage the end-user experience, and troubleshoot SAM in the field Integrate IVE with Terminal Services and Citrix Enable terminal services proxy and configure role options, configure Citrix using a custom ICA, configure terminal services resource policies and profiles, and configure terminal services and Citrix using a hosted Java applet Ensure Endpoint Security Use Host Checker, Cache Cleaner, Secure Virtual Workspace, and IVE/IDP integration to secure your network Manage the Remote Access Needs of Your Organization Configure Web access, file access and telnet/SSH access for remote users and offices Configure Core Networking Components through the System Menu Create clusters, manage virtual systems, and monitor logs, reports, and alerts Create Bullet-Proof Sign-in Policies Create standard and custom sign-in pages for both user and administrator access and Secure Meeting pages Use the IVE for Log-Related Tasks Perform log filtering, log management, syslog exporting, SNMP management, and system resource monitoring and reporting.
Front Cover 1
Configuring Juniper® Networks NetScreen® & SSG Firewalls Configuring
Copyright Page 3
Contents 8
Foreword 14
Chapter 1. Networking, Security, and the Firewall 16
Introduction 17
Understanding Networking 18
Understanding Security Basics 32
Understanding Firewall Basics 41
Summary 59
Solutions Fast Track 60
Frequently Asked Questions 61
Chapter 2. Dissecting the Juniper Firewall 64
Introduction 65
The Juniper Security Product Offerings 66
The Juniper Firewall Core Technologies 72
The NetScreen and SSG Firewall Product Line 78
Summary 100
Solutions Fast Track 101
Frequently Asked Questions 102
Chapter 3. Deploying Juniper Firewalls 104
Introduction 105
Managing Your Juniper Firewall 105
Configuring Your Firewall for the Network 146
Configuring System Services 157
Resources 168
Summary 169
Solutions Fast Track 169
Frequently Asked Questions 171
Chapter 4. Policy Configuration 172
Introduction 173
Firewall Policies 173
Policy Components 182
Creating Policies 191
Summary 202
Solutions Fast Track 202
Frequently Asked Questions 203
Chapter 5. Advanced Policy Configuration 206
Introduction 207
Traffic-Shaping Fundamentals 207
Deploying Traffic Shaping on Juniper Firewalls 212
Advanced Policy Options 230
Summary 243
Solutions Fast Track 243
Frequently Asked Questions 245
Chapter 6. User Authentication 248
Introduction 249
User Account Types 249
Policy-Based User Authentication 284
802.1x Authentication 292
Enhancing Authentication 299
Summary 304
Solutions Fast Track 304
Frequently Asked Questions 306
Chapter 7. Routing 308
Introduction 309
Virtual Routers 309
Static Routing 328
Routing Information Protocol 336
Open Shortest Path First 350
Border Gateway Protocol 369
Route Redistribution 390
Policy-Based Routing 398
Summary 408
Solutions Fast Track 408
Frequently Asked Questions 411
Chapter 8. Address Translation 414
Introduction 415
Overview of Address Translation 415
Juniper NAT Overview 419
Juniper Packet Flow 420
Source NAT 421
Destination NAT 443
Summary 461
Links to Sites 461
Solutions Fast Track 461
Frequently Asked Questions 464
Chapter 9. Transparent Mode 472
Introduction 473
Interface Modes 473
Understanding How Transport Mode Works 474
Configuring a Device to Use Transport Mode 477
Transparent Mode Deployment Options 481
Summary 491
Solutions Fast Track 492
Frequently Asked Questions 493
Chapter 10. Attack Detection and Defense 494
Introduction 495
Understanding Attacks 499
The Juniper Security Research Team 498
Worms, Viruses, and Other Automated Malware 502
TCP/IP Protocol Anomaly Detection 513
Using Attack Objects 525
Antivirus Rules 553
Understanding Application Layer Gateways 557
Keeping Systems Updated 558
Summary 559
Solutions Fast Track 560
Frequently Asked Questions 563
Chapter 11. VPN Theory and Usage 566
Introduction 567
IPSec Tunnel Negotiations 571
Public Key Cryptography 574
How to Use VPNs in NetScreen Appliances 576
Advanced VPN Configurations 591
Summary 595
Solutions Fast Track 596
Links to Sites 599
Mailing Lists 599
Frequently Asked Questions 599
Chapter 12. High Availability 602
Introduction 603
The Need for High Availability 603
High-Availability Options 604
Improving Availability Using NetScreen SOHO Appliances 606
Introducing the NetScreen Redundancy Protocol 623
Building an NSRP Cluster 628
Determining When to Fail Over: The NSRP Ways 639
Reading the Output from get nsrp 653
Using NSRP-Lite on Midrange Appliances 656
Creating Redundant Interfaces 667
Taking Advantage of the Full NSRP 669
Failing Over 685
Avoiding the Split-Brain Problem 688
Avoiding the No-Brain Problem 689
Configuring HA through NSM 691
Summary 697
Solutions Fast Track 698
Frequently Asked Questions 702
Chapter 13. Troubleshooting the Juniper Firewall 704
Introduction 705
Troubleshooting Methodology 705
Troubleshooting Tools 707
Network Troubleshooting 721
Debugging the Juniper Firewall 721
Debugging NAT 727
Debugging VPNs 728
Debugging NSRP 730
Debugging Traffic Shaping 730
NetScreen Logging 732
Summary 735
Solutions Fast Track 735
Frequently Asked Questions 738
Chapter 14. Virtual Systems 740
Introduction 741
What Is a Virtual System? 741
How Virtual Systems Work 743
Configuring Virtual Systems 744
Virtual System Profiles 754
Summary 756
Solutions Fast Track 757
Frequently Asked Questions 758
Index 760
Chapter 2 Dissecting the Juniper Firewall
Solutions in this chapter:
Introduction
This chapter will introduce you to the Juniper firewall product. We will begin by looking at all of Juniper Networks’ security products, exploring the wide range of products available, and allowing you to determine which is best suited for your security needs. A well-designed and properly implemented security infrastructure must be multitiered. Juniper Networks now offers a host of security solutions for your organization. Over the past several years Juniper has increased its product portfolio dramatically. Through both acquisition and internal development, Juniper has become a premier security vendor.
Juniper Networks delivers an integrated firewall and virtual private network (VPN) solution, the NetScreen firewall. The firewall product line has several tiers of appliances and systems. These tiers allow you to choose the right hardware for your network, giving the precise fit for your needs. Juniper has recently released a new firewall product line, the Security Services Gateway (SSG). This firewall line is designed to allow you to use new enhanced software features to better help protect your network from attack. Many of the SSG firewall products also enable you to use wide area network (WAN) interfaces as well.
Juniper also offers a Secure Sockets Layer (SSL) VPN product. The Secure Access series offers a clientless remote access solution as well as a collaboration tool. With a clientless VPN approach, you remove the need for software deployment and management of the remote clients. You can easily deploy the SSL portal to thousands of users in mere hours. This is a great boon to any organization. Also available in the SSL VPN product line is the secure meeting application, which allows for online collaborative meetings where users can share their desktops and engage in chat. These are secured by SSL. You can use this feature to conduct presentations or to perform remote support. It’s a great tool for any organization.
In recent years, access control for desktop PCs has become increasingly important. In the past organizations have focused primarily on protecting servers from external threats. Today, new technologies allow companies to restrict access to the network itself, thereby allowing administrators to deny untrusted users from accessing the network and its available resources. Juniper today uses its Unified Access Control (UAC) product to address this industry need.
The last part to the security product line is intrusion detection and prevention (IDP). Whereas some products allow you only to detect incoming malicious traffic, the IDP allows you to fully prevent it from continuing on your network. The IDP is a necessary device for any network.
We will explore the core technologies of the Juniper firewalls. These are the frameworks that are used throughout this book. This discussion will give you an idea of the features of the Juniper firewall and will prepare you to actually implement these solutions on it. We will look at fundamental concepts such as zones. Zones are used to logically separate areas of the network. They allow you to take a more granular approach when you begin writing access rules to allow or deny network traffic.
In the last section of the chapter, we will look thoroughly at the NetScreen and SSG firewall products. The products range from small office devices that would allow for VPN connectivity into a central location to the carrier class products that can serve as much as 12 gigabits per second (Gbps) of firewall traffic—a gigantic level of throughput for a firewall. The options provided in the Juniper firewall product line enable you to take your network to new heights.
The Juniper Security Product Offerings
NetScreen is the fastest-growing firewall product line on the market today. It has clinched the number two spot among the worldwide security appliance market. The NetScreen product line is robust and competitive, and it is now part of Juniper networks. On April 16, 2004, Juniper Networks completed its purchase of NetScreen for $4 billion. Juniper chose to purchase NetScreen to enter the enterprise market space. Previously, Juniper focused on the carrier class market for high-end routers. Juniper is aiming high; it is vying directly with Cisco for the position as the number one firewall appliance vendor, as well as the number one router vendor in the world.
The Juniper firewall appliance is Juniper’s firewall/VPN solution. Throughout the book, the firewall is referred to as a NetScreen firewall because Juniper chose to keep the NetScreen firewall product name for brand recognition. The other products in the NetScreen security line all kept their original names as well.
The NetScreen IDP product is used to provide protection against network attacks. The IDP can alert you, log events, and capture attacks as they occur. This product offers several modes of operation that allow it to be used in one of several different network designs. It can also prevent against worms, viruses, and Trojans.
The third part to the NetScreen security product line is the SSL VPN. The NetScreen Secure Access SSL VPN allows for clientless access into your network. The SSL VPN is currently the fastest-growing product line for Juniper. The Secure Access SSL VPN appliance is the market leader in its segment with 45 percent of the market share as of the first quarter of 2004. An offshoot from the SSL VPN product line is the secure meeting product. Secure Meeting can be integrated with the SSL VPN appliance, or it can be run on its own dedicated appliance. It provides Web conferencing collaboration to share your desktop and documents over the Web.
The UAC product solution is the next generation of security. The UAC architecture provides network access control to client systems. The deployment architecture can be twofold. You can use the firewalls to provide enforcement or you can also use switches that are 802.1x compatible to provide access management to clients as well.
Juniper Firewalls
Juniper Networks’ premier security platform is the NetScreen firewall product line. This product line provides integrated firewall and Internet Protocol Security (IPSec) VPN solutions in a single appliance. The NetScreen firewall core is based on stateful inspection technology. This technology provides a connection-oriented security model by verifying the validity of every connection while still providing a high-performance architecture. The NetScreen firewalls themselves are based on a custom-built architecture consisting of application-specific integrated circuit (ASIC) technology. ASIC is designed to perform a specific task at a higher performance level than a general-purpose processor. ASIC connects over a high-speed bus interface to the core processor of the firewall unit, a reduced instruction set computing (RISC) CPU.
The firewall platform also contains additional technologies to increase your network’s security. First, the products support deep inspection. This technology allows you inspect traffic at the application level to look for application-level attacks. It can help prevent the next worm from attacking your Web servers or someone from trying to send illegal commands to your SMTP server. The deep inspection technology includes a regularly updated database as well as the capability for you to create your own custom expression-based signatures. All the appliances include the capability to create IPSec VPNs to secure your traffic. The integrated VPN technology has received both the Common Criteria and the ICSA www.icsalabs.com) firewall certifications. Thus, the IPSec VPN technologies have good cross-compatibility as well as standards compliance. Juniper also offers two client VPN solutions to pair with the NetScreen firewall. First, NetScreen-Remote provides the user with the capability to create an IPSec connection to any NetScreen firewall or any IPSec-compliant device. The second client product is NetScreen-Security Client. This product not only creates IPSec tunnels but also includes a personal firewall to secure the end user’s system. The NetScreen firewall product line leverages the technologies of Trend Micro’s and Kaspersky Lab’s antivirus software. This software allows you to scan traffic as it passes directly through the firewall, thus mitigating the risks of viruses spreading throughout your network.
The latest product set for the firewall line from Juniper is the SSG. The SSG product line was designed with key ideas in mind. First, it provides at high speeds advanced security features such as antivirus protection, antispam protection, IPS capabilities, and integrated URL filtering. Second, all the SSG products allow you to use WAN interfaces on the firewall, thereby enabling you to connect your firewall directly to a T1, digital subscriber line (DSL), or ISDN (Integrated Services Digital Network) link, to name a few. It gives you the capability to bypass the need to have a router on every WAN link. Because the...
| Erscheint lt. Verlag | 8.12.2007 |
|---|---|
| Sprache | englisch |
| Themenwelt | Sachbuch/Ratgeber |
| Informatik ► Netzwerke ► Sicherheit / Firewall | |
| Informatik ► Theorie / Studium ► Kryptologie | |
| Wirtschaft ► Betriebswirtschaft / Management | |
| ISBN-10 | 0-08-050284-9 / 0080502849 |
| ISBN-13 | 978-0-08-050284-7 / 9780080502847 |
| Haben Sie eine Frage zum Produkt? |
PDF (Adobe DRM)Größe: 8,6 MB
Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM
Dateiformat: PDF (Portable Document Format)
Mit einem festen Seitenlayout eignet sich die PDF besonders für Fachbücher mit Spalten, Tabellen und Abbildungen. Eine PDF kann auf fast allen Geräten angezeigt werden, ist aber für kleine Displays (Smartphone, eReader) nur eingeschränkt geeignet.
Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine
Geräteliste und zusätzliche Hinweise
Zusätzliches Feature: Online Lesen
Dieses eBook können Sie zusätzlich zum Download auch online im Webbrowser lesen.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
EPUB (Adobe DRM)Größe: 21,0 MB
Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM
Dateiformat: EPUB (Electronic Publication)
EPUB ist ein offener Standard für eBooks und eignet sich besonders zur Darstellung von Belletristik und Sachbüchern. Der Fließtext wird dynamisch an die Display- und Schriftgröße angepasst. Auch für mobile Lesegeräte ist EPUB daher gut geeignet.
Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine
Geräteliste und zusätzliche Hinweise
Zusätzliches Feature: Online Lesen
Dieses eBook können Sie zusätzlich zum Download auch online im Webbrowser lesen.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
aus dem Bereich
