
Configuring Juniper Networks Netscreen & SSG Firewalls PDF

769 Pages·2006·13.657 MB·English

Preview Configuring Juniper Networks Netscreen & SSG Firewalls

418_NetScrn_SSG_FM.qxd 11/7/06 6:37 PM Page i

Configuring Juniper Networks® NetScreen® & SSG Firewalls

Rob Cameron, Lead Author and Technical Editor
Brad Woodberg
Mohan Krishnamurthy Madwachar
Mike Swarm
Neil R. Wyler
Matthew Albers
Ralph Bonnell

Foreword by Scott Kriens, CEO, Juniper Networks

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY SERIAL NUMBER
001 HJIRTCV764
002 PO9873D5FG
003 829KM8NJH2
004 5489IJJLPP
005 CVPLQ6WQ23
006 VBP965T5T5
007 HJJJ863WD3E
008 2987GVTWMK
009 629MP5SDJT
010 IMWQ295T6T

PUBLISHED BY Syngress Publishing, Inc., 800 Hingham Street, Rockland, MA 02370

Configuring Juniper Networks NetScreen & SSG Firewalls
Copyright © 2007 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

1 2 3 4 5 6 7 8 9 0

ISBN-10: 1-59749-118-7
ISBN-13: 978-1-59749-118-1

Publisher: Andrew Williams
Page Layout and Art: Patricia Lupien
Acquisitions Editor: Gary Byrne
Copy Editors: Mike McGee, Sandy Jolley
Technical Editor: Rob Cameron
Indexer: Nara Wood
Cover Designer: Michael Kavish

Distributed by O’Reilly Media, Inc. in the United States and Canada. For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email [email protected] or fax to 781-681-3585.

Lead Author and Technical Editor

Rob Cameron (JNCIS-FWV, JNCIA-M, CCSP, CCSE+) is a Security Solutions Engineer for Juniper Networks. He currently works to design security solutions for Juniper Networks that are considered best practice designs. Rob specializes in network security architecture, firewall deployment, risk management, and high-availability designs. His background includes five years of security consulting for more than 300 customers. This is Rob’s second book; the previous one being Configuring NetScreen Firewalls (ISBN: 1-932266-39-9) published by Syngress Publishing in 2004.

Contributing Authors

Matthew Albers (CCNP, CCDA, JNCIA-M, JNCIS-FWV, JNCIA-IDP) is a senior systems engineer for Juniper Networks. He currently serves his enterprise customers in the Northern Ohio marketplace. His specialties include routing platforms, WAN acceleration, firewall/VPNs, intrusion prevention, strategic network planning, network architecture and design, and network troubleshooting and optimization. Matthew’s background includes positions as a senior engineer at First Virtual Communications, Lucent Technologies, and Bay Networks.

Matthew wrote Chapter 1 and cowrote Chapter 11.

Ralph Bonnell (CISSP, LPIC-2, CCSI, CCNA, MCSE:Security) is a senior information security consultant at Accuvant in Denver, CO. His primary responsibilities include the deployment of various network security products and product training. His specialties include NetScreen deployments, Linux client and server deployments, Check Point training, firewall clustering, and PHP Web programming. Ralph also runs a Linux consulting firm called Linux Friendly. Before moving to Colorado, Ralph was a senior security engineer and instructor at Mission Critical Systems, a Gold Check Point partner and training center in South Florida.

Ralph cowrote Chapter 11.

Mohan Krishnamurthy Madwachar (JNCIA-FWV, CWNA, and CCSA) is AVP-Infrastructure Services for ADG Infotek, Inc., Almoayed Group, Bahrain. Almoayed Group is a leading systems integration group that has branches in seven countries and executes projects in nearly 15 countries. Mohan is a key contributor to the company’s infrastructure services division and plays a key role in the organization’s network security and training initiatives. Mohan has a strong networking, security, and training background. His tenure with companies such as Schlumberger Omnes and Secure Network Solutions India adds to his experience and expertise in implementing large and complex network and security projects.

Mohan holds leading IT industry certifications and is a member of the IEEE and PMI. Mohan would like to dedicate his contributions to this book to his sister, Geetha Prakash, and her husband, C.V. Prakash, and their son, Pragith Prakash. Mohan has coauthored the book Designing and Building Enterprise DMZs (ISBN: 1-597491004), published by Syngress Publishing. He also writes in newspaper columns on various subjects and has contributed to leading content companies as a technical writer and a subject matter expert.

Mohan wrote Chapter 12.

Mike Swarm is a Security Solutions Engineer at Juniper Networks. Mike consults with Juniper’s technical field and customer communities worldwide on security design practices. Mike has over a decade of experience focused on network security. Prior to Juniper Networks and its NetScreen Technologies acquisition, Mike has been a Systems Engineer at FTP Software and Firefox Communications.

Mike wrote Chapter 10.

Brad Woodberg (JNCIS-FWV, JNCIS-M, JNCIA-IDP, JNCIA-SSL, CCNP) is a Security Consultant at Networks Group Inc. in Brighton, MI. At Networks Group his primary focus is designing and implementing security solutions for clients ranging from small business to Fortune 500 companies. His main areas of expertise include network perimeter security, intrusion prevention, security analysis, and network infrastructure. Outside of work he has a great interest in proof-of-concept vulnerability analysis, open source integration/development, and computer architecture. Brad currently holds a bachelor’s degree in Computer Engineering from Michigan State University, and he participates with local security organizations. He also mentors and gives lectures to students interested in the computer network field.

Brad wrote Chapters 5–8 and contributed to Chapter 13. He also assisted in the technical editing of several chapters.
Neil R. Wyler (JNCIS-FWV, JNCIA-SSL) is an Information Security Engineer and Researcher located on the Wasatch Front in Utah. He is the co-owner of two Utah-based businesses, which include a consulting firm with clients worldwide and a small software start-up. He is currently doing contract work for Juniper Networks, working with the company’s Security Products Group. Neil is a staff member of the Black Hat Security Briefings and Def Con hacker conference. He has spoken at numerous security conferences and been the subject of various online, print, film, and television interviews regarding different areas of information security. He was the Lead Author and Technical Editor of Aggressive Network Self-Defense (Syngress, 1-931836-20-5) and serves on the advisory board for a local technical college.

Neil cowrote Chapter 13.

Contents

Foreword  xiii

Chapter 1  Networking, Security, and the Firewall  1
  Introduction  2
  Understanding Networking  3
    The OSI Model  3
    Moving Data along with TCP/IP  6
  Understanding Security Basics  17
  Understanding Firewall Basics  26
    Types of Firewalls  26
    Firewall Ideologies  31
  DMZ Concepts  31
    Traffic Flow Concepts  35
    Networks with and without DMZs  38
    DMZ Design Fundamentals  41
    Designing End-to-End Security for Data Transmission between Hosts on the Network  42
    Traffic Flow and Protocol Fundamentals  43
  Summary  44
  Solutions Fast Track  45
  Frequently Asked Questions  46

Chapter 2  Dissecting the Juniper Firewall  49
  Introduction  50
  The Juniper Security Product Offerings  51
    Juniper Firewalls  52
    SSL VPN  53
    Intrusion Detection and Prevention  54
    Unified Access Control (UAC)  56
  The Juniper Firewall Core Technologies  57
    Zones  57
    Virtual Routers  57
    Interface Modes  58
    Policies  58
    VPN  59
    Intrusion Prevention  59
    Device Architecture  61
  The NetScreen and SSG Firewall Product Line  63
    Product Line  63
  Summary  85
  Solutions Fast Track  86
  Frequently Asked Questions  87

Chapter 3  Deploying Juniper Firewalls  89
  Introduction  90
  Managing Your Juniper Firewall  90
    Juniper Management Options  91
    Administrative Users  93
    The Local File System and the Configuration File  95
    Using the Command Line Interface  99
    Using the Web User Interface  103
    Securing the Management Interface  104
    Updating ScreenOS  118
    System Recovery  119
  Configuring Your Firewall for the First Time  121
    Types of Zones  122
    Virtual Routers  123
    Types of Interfaces  123
    Configuring Security Zones  126
  Configuring Your Firewall for the Network  131
    Binding an Interface to a Zone  132
    Setting Up IP Addressing  133
    Configuring the DHCP Client  133
    Using PPPoE  133
    Interface Speed Modes  135
    Port Mode Configuration  136
    Bridge Groups  137
    Configuring Basic Network Routing  140
  Configuring System Services  142
    Setting the Time  143
    DHCP Server  145
    DNS  147
    SNMP  149
    Syslog  151
    Web Trends  152
  Resources  153
  Summary  154
  Solutions Fast Track  154
  Frequently Asked Questions  156

Chapter 4  Policy Configuration  157
  Introduction  158
  Firewall Policies  158
    Theory of Access Control  160
    Types of Juniper Policies  162
    Policy Checking  164
    Getting Ready to Make a Policy  166
  Policy Components  167
    Zones  167
    Address Book Entries  168
    Services  172
  Creating Policies  176
    Creating a Policy  177
  Summary  187
  Solutions Fast Track  187
  Frequently Asked Questions  188

Chapter 5  Advanced Policy Configuration  191
  Introduction  192
  Traffic-Shaping Fundamentals  192
    The Need for Traffic Shaping  192
    How Traffic Shaping Works  195
    Choosing the Traffic-Shaping Type  196
  Deploying Traffic Shaping on Juniper Firewalls  197
    Methods to Enforce Traffic Shaping  197
    Traffic-Shaping Mechanics  202
    Traffic-Shaping Examples  205
  Advanced Policy Options  215
    Counting  216
    Scheduling  222
  Summary  228
  Solutions Fast Track  228
  Frequently Asked Questions  230

Chapter 6  User Authentication  233
  Introduction  234
  User Account Types  234
    Authentication Users  239
    Internal Authentication Server  252
    Configuring the Local Authentication Server  253
    External Authentication Servers  254
  Policy-Based User Authentication  269
    Explanation of Policy-Based Authentication  269
    Configuring Policies with User Auth  270
  802.1x Authentication  277
    Components of 802.1x  278
  Enhancing Authentication  284
    Firewall Banner Messages  284
    Group Expressions  287
  Summary  289
  Solutions Fast Track  289
  Frequently Asked Questions  291

Chapter 7  Routing  293
  Introduction  294
  Virtual Routers  294
    Virtual Routers on Juniper Firewalls  295
    Routing Selection Process  298
    Equal Cost Multiple Path  299
    Virtual Router Properties  300
    Route Maps and Access Lists  306
    Route Redistribution  311
    Importing and Exporting Routes  311
  Static Routing  313
    Using Static Routes on Juniper Firewalls  314
  Routing Information Protocol  321
    RIP Overview  322
    RIP Informational Commands  332
  Open Shortest Path First  335
    Concepts and Terminology  336
    Configuring OSPF  341
    OSPF Informational Commands  350
  Border Gateway Protocol  354
    Overview of BGP  354
    Configuring BGP  358
    BGP Informational Commands  372
  Route Redistribution  375
    Redistributing Routes in the Juniper Firewall  375
    Redistributing Routes between Routing Protocols  376
    Redistributing Routes into BGP  380
  Policy-Based Routing  383
    Components of PBR  383
  Summary  393
  Solutions Fast Track  393
  Frequently Asked Questions  396

Chapter 8  Address Translation  399
  Introduction  400
  Overview of Address Translation  400
    Port Address Translation  401
    Advantages of Address Translation  402
    Disadvantages of Address Translation  403
  Juniper NAT Overview  404
  Juniper Packet Flow  405
  Source NAT  406
    Interface-Based Source Translation  407
    MIP  409
