Contents • iii Overview Welcome to the JNCIS-SEC Study Guide—Part 2. The purpose of this guide is to help you prepare for your JN JNCIS-SEC Study Guide Chapter 1: Introduction to Junos Security Platforms This Chapter Discusses: • • • • • Traditional routing and security implementations. the front page of the internet. Become a Redditor. and subscribe to one of thousands of communities. ×. 1. 2. 3. JNCIS-SEC Study Guide (self.
|Published (Last):||7 January 2004|
|PDF File Size:||12.18 Mb|
|ePub File Size:||17.64 Mb|
|Price:||Free* [*Free Regsitration Required]|
This document or any part thereof may not be reproduced or transmitted in any form under penalty of law, without the prior written permission of Juniper Networks Education Services.
All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. The information in this document is current as of the date listed above. The information in this document has been carefully verified and is believed to be accurate for software Release Juniper Networks assumes no responsibilities for any jncjs-sec that may appear in this document.
In no event will Juniper Networks be liable for direct, indirect, special, exemplary, incidental or consequential damages resulting from any defect or omission in this document, even if advised of the possibility of such damages. Juniper Networks reserves the right to change, modify, transfer, or stuey revise this publication without notice.
The Junos operating system has no known time-related limitations through the year However, the NTP application is known to have some difficulty in the year By using Juniper Networks software, you indicate that you understand and agree to be bound by its license terms and conditions.
Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should consult the software license for further details.
Introduction to Junos Security Platforms.
The contents of this document are based on the Junos for Security Platforms course. This study guide covers the configuration, operation, and implementation of SRX Series Services Guidearg in a typical network environment.
Key topics within this study guide include security technologies such as security zones, security policies, intrusion detection and prevention IDPNetwork Address Translation NATand high availability clusters, as well as details pertaining to basic implementation, configuration, and management.
To make the language of these documents easier to read, we distinguish GUI and CLI text from chapter text according to the following table. Tuideart Example Most of what you read in the Student Guide. Input Text Versus Output Text You will also frequently see cases where you must enter input text yourself. Often this will be shown in the context of where you must enter it. We use bold style to distinguish text that is input versus text that is simply displayed. Usage Example Physical interface: Text that you must enter.
Note that these styles can be combined with the input style as well. Type set policy policy-name. Description Text where variable value is already assigned.
JNCIS-SEC Study Guide Part-1 – types and number of system-defined zones
Usage Example policy my-peers Click on my-peers in the dialog. Previous and later versions of software might behave differently so you should always consult the documentation and release notes for the version of code you are running before reporting errors. This document is studg and maintained by the Juniper Networks Education Services development team.
Please send questions and suggestions for improvement to training juniper.
JNCIS-SEC-P2 | joel Rosette –
Technical Publications You can print technical manuals and release notes directly from the Internet in a variety of formats: Locate the specific software or hardware release and title you need, and choose the format in which you want to view or print the document.
Documentation sets and CDs are available through your local Juniper Networks sales office or account representative. To forward packets, the router must have a path ghideart mechanism. This mechanism could be statically assigned routes, routing protocols, or policy-based routing. Packet Processing Is Stateless Traditionally, routers process packets in a stateless fashion.
Routers do not keep track of bidirectional sessions; they forward each packet individually based on the packet header. With the introduction of advanced switching technologies and the birth of virtual LAN VLAN standards, broadcast domains can also be separated using switches. Furthermore, routers provide WAN connectivity at the network edge. Introduction to Gjideart Security Platforms? Routers perform Layer 3 packet forwarding using routing table entries.
Note that routers forward packets based on the longest prefix match. Promiscuous Behavior of a Traditional Router A traditional router is jncsi-sec promiscuous device that performs stateless packet processing.
It is promiscuous because once it is configured, it immediately forwards all traffic by default provided, of course, that some combination of static and dynamic routing is configured. Typically, a router operates only at Layer 3 and does not recognize any security threats in higher-layer protocols. Furthermore, a traditional router operates per packet, which adds to its fundamentally insecure nature, because it cannot detect malformed sessions.
The network and the router itself are immediately vulnerable to all security threats. Typical Treatment of Security Other than implementing standard access control using IP header information, most routers are not equipped to secure a network. Traditionally, a full security solution involves adding a separate firewall device. Enterprise data center applications can also be served by M Series routers.
J Series, M Series, MX Series and T Series routers support the rich routing and class-of-service CoS features needed by networks, and maintain value, stability, and predictably high performance.
Adding Security to the Network Standalone routers do not provide adequate security to enterprise networks and data centers. As networks expand, jncls-sec applications continue to diversify and expand, and as new methods of remote communications such as telecommuting increase, the need for added security becomes apparent.
Typically, a standalone firewall is added to the network, increasing costs and maintenance. Requirements for Firewall Devices A firewall device must be capable of the following: Additional Services The growth in network security has resulted in additional services provided by standalone firewalls such as Secure Sockets Layer SSL network access, intrusion detection and prevention IDPapplication-level gateway Jnis-sec processing, and more.
Stateful Packet Processing Because the main job of a firewall is to protect networks and devices, fundamental firewall intelligence consists of the ability to make packet processing decisions based jncis-xec IP packet header information, including its upper layers.
Stateful packet processing involves the creation of a unidirectional flow, which consists of six elements of information—source IP address, destination IP address, source port number, destination port number, jncis-sef number, and a session token. The session token is derived from a combination of a routing instance and a zone. The outgoing flow initiates a session table entry and the expected return flow for that packet.
Both outgoing and incoming flows comprise the session and are entered into the session table. The session table enables bidirectional communication without any additional configurational steps for return traffic. NAT and PAT When a security device resides at the edge of a network, it must be able to replace private, nonroutable addresses with public addresses before traffic is sent to the public network.
Translation can consist of replacing the IP address, port numbers, or both, depending on the configuration. Note that NAT can be used on both source and destination addresses, jncls-sec PAT can be used on both source and destination ports. Virtual Private Networks You can use a firewall to build VPNs using the public network as an access medium between two private sites.
As such, the firewall must be able to perform the following: Encapsulate the original traffic in a packet that can be transported over the public network; Encrypt the original packet so that it cannot be easily decoded if it is intercepted on the public network; and Authenticate the originating device as a member of the VPN—not a random device operating on the jncs-sec network.
Firewall Positioning The graphic illustrates a typical enterprise deployment of firewall devices. Small office and home offices or retail storefronts use branch firewall devices to provide secured access to the Internet, as well as an IP Security IPsec VPN tunnel back to a central site.
Current Trends As boundaries of networks are becoming less clear, so are the requirements of network edge devices. The Internet has created possibilities and opportunities for businesses and markets, and it has erased the concept of distance. With the Internet, however, came network vulnerabilities.
Jnxis-sec, routers have been positioned on the edge of an enterprise network and provided very basic network security such as stateless firewall filters. Network administrators etudy used to relying on separate firewall devices positioned within enterprise DMZs. The consolidation of these functions at the network edge improves costs, reduces guiideart overhead, and increases operational jncis-secc. A New Perspective The graphic illustrates how a device with strong routing and firewall features can be positioned at network boundaries.
The SRX Series Services Gateway at the enterprise headquarters in this example also provides routing and security in a high-density, modular chassis. The Dynamic Services Architecture allows SRX Series Services Gateways to leverage new services with appropriate processing capabilities without sacrificing overall system performance.
SRX Series Services Gateways are next-generation systems designed to meet the network and security requirements for the enterprise and service provider infrastructure, and facilitate data center consolidation, rapid managed services deployments, and security services aggregation. These devices are ideally suited for large enterprise and service provider networks: Securing large enterprise data centers; Securing service provider and collocated data centers; Aggregating departmental or jncis-secc security solutions; and Guiderat managed services and core service provider infrastructure.
Each services gateway can support almost linear scalability with each additional Services Processing Card SPCenabling a fully equipped SRX to support more than Gbps of firewall throughput. The SPCs are designed to support a wide range of services enabling future support of new capabilities without the need for service-specific hardware. Using SPCs on all services ensures that no resources are idle, based on specific services being used, maximizing the utilization of equipped hardware.
The scalability and flexibility of the SRX and SRX lines of services gateways are supported by equally robust interfaces. With the IOCs sharing the same interface slot as the SPCs, you can configure the gateway to support the ideal balance of processing, input, and output. Hence, you can guieeart each deployment of the SRX Series to specific network requirements. With this flexibility, you can configure the SRX to support more than gigabit ports, with choices of Gigabit Ethernet or Gigabit Ethernet.
SPCs are designed to process all available services on the gateway. Without the need for dedicated hardware for specific services or capabilities, no instances exist in which a piece of hardware is taxed to the limit while other hardware is sitting idle.
All the processing capabilities of gujdeart SPCs are designed to process all configured services on the gateway. At least one SCB is required for the system to function.
Two or three SCBs increase capacity or provide redundancy, depending on the specific platform. Software processes that run on the RE maintain the routing tables, manage the routing protocols, control some chassis components, and jncis-ssc the interface for system management and user access to the device. For more information on specific SRX Series high-end system models and hardware, visit the Juniper Networks Web site for technical publications at http: A packet enters the security platform through the IOC.
Oversubscription control applies at the IOC. The NPC performs a flow lookup.