#777
Year: 2013
Authors: Brad Woodberg, Rob Cameron
Genre: networking
Publisher: O'Reilly Media
ISBN: 978-1449338961
Language: English
Format: PDF
Quality: originally digital (eBook)
Interactive table of contents: no
Page count: 1020

Description: This complete field guide, authorized by Juniper Networks, is the perfect hands-on reference for deploying, configuring, and operating Juniper’s SRX Series networking device. Authors Brad Woodberg and Rob Cameron provide field-tested best practices for getting the most out of SRX deployments, based on their extensive field experience.
While their earlier book, Junos Security, covered the SRX platform, this book focuses on the SRX Series devices themselves. You'll learn how to use SRX gateways to address an array of network requirements—including IP routing, intrusion detection, attack mitigation, unified threat management, and WAN acceleration. Along with case studies and troubleshooting tips, each chapter provides study questions and lots of useful illustrations.
Explore SRX components, platforms, and various deployment scenarios
Learn best practices for configuring SRX’s core networking features
Leverage SRX system services to attain the best operational state
Deploy SRX in transparent mode to act as a Layer 2 bridge
Configure, troubleshoot, and deploy SRX in a highly available manner
Design and configure an effective security policy in your network
Implement and configure network address translation (NAT) types
Provide security against deep threats with AppSecure, intrusion protection services, and unified threat management tools
Table of Contents

Foreword ... xv
Preface ... xix

1. Welcome to the SRX ... 1
  Evolving into the SRX ... 2
  ScreenOS to Junos ... 2
  The SRX Series Platform ... 5
  Built for Services ... 5
  Deployment Solutions ... 7
  Small Branch ... 7
  Medium Branch ... 8
  Large Branch ... 9
  Data Center ... 11
  Data Center Edge ... 11
  Data Center Services Tier ... 14
  Service Provider ... 16
  Mobile Carriers ... 18
  Cloud Networks ... 20
  The Junos Enterprise Services Reference Network ... 22
  Summary ... 28
  Study Questions ... 28

2. SRX Series Product Lines ... 31
  Branch SRX Series ... 31
  Branch-Specific Features ... 32
  SRX100 Series ... 35
  SRX200 Series ... 38
  SRX500 Series ... 43
  SRX600 Series ... 45
  JunosV Firefly (Virtual Junos) ... 47
  AX411 ... 49
  CX111 ... 50
  Branch SRX Series Hardware Overview ... 51
  Licensing ... 53
  Branch Summary ... 54
  Data Center SRX Series ... 55
  Data Center SRX-Specific Features ... 55
  SPC ... 56
  NPU ... 58
  Data Center SRX Series Session Setup ... 60
  Data Center SRX Series Hardware Overview ... 64
  SRX1000 Series ... 66
  SRX3000 Series ... 68
  SRX5000 Series ... 73
  Summary ... 81
  Study Questions ... 81

3. SRX GUI Management ... 83
  J-Web: Your On-Box Assistant ... 84
  Dashboard ... 84
  Device Configuration ... 91
  Monitoring Your SRX ... 102
  Operational Tasks ... 104
  Troubleshooting from J-Web ... 108
  Centralized Management ... 110
  Space: The Final Frontier of Management ... 111
  Log Management with STRM ... 114
  Legacy Security Management ... 116
  Summary ... 118
  Study Questions ... 119

4. SRX Networking Basics ... 121
  Interfaces ... 122
  Physical Interfaces ... 122
  Management Interfaces ... 129
  Virtual Interfaces ... 133
  Logical Interfaces ... 133
  Switching Configuration ... 135
  Aggregate Interfaces ... 138
  Transparent Interfaces ... 141
  Zones ... 142
  Security Zones ... 143
  Functional Zones ... 143
  Basic Protocols ... 146
  Static Routing ... 146
  Dynamic Routing Protocols ... 152
  Spanning Tree ... 154
  Routing Instances ... 158
  Routing Instance Types ... 159
  Configuring Routing Instances ... 160
  Flow Mode and Packet Mode ... 163
  Sample Deployment ... 167
  Summary ... 171
  Study Questions ... 172

5. System Services ... 175
  System Services Operation on the SRX ... 175
  System Services and the Control Plane ... 176
  System Services and the Data Plane ... 178
  Accounts for Administrative Users ... 179
  Accessing System Services: Control Plane Versus Data Plane ... 184
  Zone-Based Service Control ... 187
  Management Services ... 190
  Command-Line Interfaces ... 190
  Web Management on the SRX ... 193
  Enabling NetConf over SSH ... 194
  SNMP Management ... 195
  Configuring SNMP Management ... 195
  Configuring SNMP Traps ... 196
  SNMP in High Availability Chassis Clusters ... 198
  Junos SNMP MIB ... 198
  Networking Services ... 201
  Network Time Protocol ... 201
  Domain Name System ... 203
  Dynamic Host Configuration Protocol ... 205
  SRX Logging and Flow Records ... 209
  Control Plane Versus Data Plane Logs ... 210
  Tips for Viewing Syslog Messages ... 218
  JFlow on the SRX ... 220
  Best Practices ... 222
  Troubleshooting and Operation ... 224
  Viewing the System Connection Table ... 224
  Viewing the Services/Counters on the Interface ... 224
  Checking NTP Status ... 228
  Checking SNMP Status ... 229
  DHCP Operational Mode Commands ... 229
  Viewing Security Logs Locally ... 231
  Checking for Core Dumps ... 231
  Restarting Platform Daemons ... 232
  Troubleshooting Individual Daemons ... 233
  Summary ... 234
  Study Questions ... 235

6. Transparent Mode ... 237
  Transparent Mode Overview ... 237
  When to Use Transparent Mode ... 238
  MAC Address Learning ... 240
  Transparent Mode and Bridge Loops, Spanning Tree Protocol ... 240
  Transparent Mode Limitations ... 241
  Transparent Mode Components ... 242
  Interface Modes in Transparent Mode ... 242
  Bridge Domains ... 243
  IRB Interfaces ... 244
  Transparent Mode Zones ... 244
  Transparent Mode Security Policy ... 244
  Transparent Mode Specific Options ... 245
  QoS in Transparent Mode ... 245
  VLAN Rewriting ... 246
  High Availability with Transparent Mode ... 246
  Transparent Mode Flow Process ... 248
  Configuring Transparent Mode ... 252
  Configuring Transparent Mode Basics ... 252
  Traditional Switching ... 257
  Configuring Integrated Routing and Bridging ... 257
  Configuring Transparent Mode Security Zones ... 259
  Configuring Transparent Mode Security Policies ... 261
  Configuring Bridging Options ... 264
  Configuring Transparent Mode QoS ... 265
  Configuring VLAN Rewriting ... 267
  Troubleshooting and Operation ... 269
  The show bridge domain Command ... 269
  The show bridge mac-table Command ... 270
  The show l2-learning global-information Command ... 270
  The show l2-learning global-mac-count Command ... 271
  The show l2-learning interface Command ... 271
  Transparent Mode Troubleshooting Steps ... 272
  Sample Deployments ... 275
  Summary ... 282
  Study Questions ... 282

7. High Availability ... 285
  Understanding High Availability in the SRX ... 286
  Chassis Cluster ... 286
  The Control Plane ... 288
  The Data Plane ... 289
  Getting Started with High Availability ... 291
  Cluster ID ... 291
  Node ID ... 291
  Redundancy Groups ... 292
  Interfaces ... 292
  Deployment Concepts ... 294
  Active/passive ... 295
  Active/active ... 296
  Mixed mode ... 296
  Six pack ... 298
  Preparing Devices for Deployment ... 301
  Differences from Standalone ... 301
  Activating Juniper Services Redundancy Protocol ... 302
  Managing Cluster Members ... 304
  Configuring the Control Ports ... 305
  Configuring the Fabric Links ... 310
  Configuring the Switching Fabric Interface ... 315
  Node-Specific Information ... 316
  Configuring Heartbeat Timers ... 319
  Redundancy Groups ... 320
  Integrating the Cluster into Your Network ... 327
  Configuring Interfaces ... 327
  Fault Monitoring ... 333
  Interface Monitoring ... 334
  IP Monitoring ... 338
  Hardware Monitoring ... 343
  Software Monitoring ... 348
  Preserving the Control Plane ... 349
  Troubleshooting and Operation ... 349
  First Steps ... 350
  Checking Interfaces ... 353
  Verifying the Data Plane ... 354
  Core Dumps ... 359
  The Dreaded Priority Zero ... 359
  When All Else Fails ... 361
  Manual Failover ... 362
  Sample Deployments ... 366
  Summary ... 370
  Study Questions ... 371

8. Security Policies ... 373
  Packet Flow ... 373
  Security Policy Criteria and Precedence ... 376
  Security Policy Precedence ... 377
  Top to Bottom Policy Evaluation ... 378
  Security Policy Components in Depth ... 380
  Match Criteria ... 380
  Action Criteria ... 399
  Application Layer Gateways ... 410
  Best Practices ... 414
  Troubleshooting and Operation ... 416
  Viewing Security Policies ... 416
  Viewing the Firewall Session Table ... 420
  Monitoring Interface Counters ... 426
  Performing a Flow Trace ... 428
  Performing a Packet Capture on SRX Branch ... 435
  Performing a Packet Capture on the High-End SRX ... 438
  Sample Deployment ... 442
  Summary ... 449
  Study Questions ... 449

9. Network Address Translation ... 453
  The Need for NAT ... 453
  NAT as a Security Component? ... 454
  Junos NAT Fundamentals ... 455
  Junos NAT Types ... 456
  NAT Precedence in the Junos Event Chain ... 457
  Junos NAT Components ... 460
  Rulesets ... 460
  NAT Interfaces, Pools, and Mapping Objects ... 463
  NAT Rules ... 465
  NAT and Security Policies ... 465
  Proxy-ARP and Proxy-NDP ... 466
  Junos NAT in Practice ... 469
  Static NAT ... 471
  Source NAT ... 485
  Destination NAT ... 498
  Combination Source and Destination NAT ... 506
  No-NAT with Source or Destination NAT ... 511
  Best Practices ... 518
  Troubleshooting and Operation ... 520
  NAT Rule and Usage Counters ... 520
  Viewing the Session Table ... 526
  View NAT Errors ... 530
  View Firewall Logs with NAT ... 531
  Flow Debugging with NAT ... 532
  Sample Deployment ... 539
  Summary ... 539
  Study Questions ... 539

10. IPsec VPN ... 543
  VPN Architecture Overview ... 543
  Site-to-Site IPsec VPNs ... 544
  Hub and Spoke IPsec VPNs ... 544
  Full Mesh VPNs ... 546
  Partial Mesh VPNs ... 547
  Remote Access VPNs ... 547
  IPsec VPN Concepts Overview ... 549
  IPsec Encryption Algorithms ... 549
  IPsec Authentication Algorithms ... 550
  IKE Version 1 Overview ... 551
  IKE Version 2 ... 555
  IPsec VPN Protocol ... 557
  IPsec VPN Mode ... 557
  IPsec Manual Keys ... 558
  IPv6 and IPsec on the SRX ... 558
  IKE Negotiations ... 559
  IKE Authentication ... 559
  IKE Identities ... 560
  Flow Processing and IPsec VPNs ... 561
  SRX VPN Types ... 561
  Policy-Based VPNs ... 562
  Route-Based VPNs ... 563
  Other SRX VPN Components ... 566
  Dead Peer Detection ... 566
  VPN Monitoring ... 566
  XAuth ... 567
  NAT Traversal ... 567
  Anti-Replay Protection ... 568
  Fragmentation ... 568
  Differentiated Services Code Point ... 569
  IKEv1 Key Lifetimes ... 570
  Network Time Protocol ... 570
  Certificate Validation ... 571
  Simple Certificate Enrollment Protocol ... 572
  Group VPN ... 572
  Dynamic VPN ... 572
  Selecting the Appropriate VPN Configuration ... 573
  IPsec VPN Configuration ... 576
  Configuring NTP ... 578
  Certificate Preconfiguration Tasks ... 578
  Phase 1 IKE Configuration ... 580
  Phase 2 IKE Configuration ... 592
  IKEv1 Versus IKEv2 Configuration ... 597
  IPsec and SRX HA ... 603
  Dynamic VPN ... 604
  Best Practices ... 608
  Troubleshooting and Operation ... 611
  Useful VPN Commands ... 611
  VPN Tracing and Debugging ... 617
  Sample Deployments ... 623
  Site-to-Site VPN ... 623
  Remote Access VPN ... 632
  IPsec Caveats on SRX ... 634
  Summary ... 635
  Study Questions ... 636

11. Screens and Flow Options ... 641
  A Brief Review of Denial-of-Service Attacks ... 642
  Exploit-Based DoS ... 642
  Flood-Based DoS ... 643
  DoS Versus DDoS ... 645
  Screen Theory and Examples ... 645
  How Screens Fit into the Packet Flow ... 646
  Screens in Hardware and Software ... 647
  Screen Profiles ... 648
  DoS Attacks with IP Protocols ... 650
  DoS Attacks with ICMP ... 657
  DoS Attacks with UDP ... 661
  DoS Attacks with TCP ... 662
  Session Limit Screens ... 671
  SRX Flow Options ... 674
  Best Practices ... 681
  Troubleshooting and Operation ... 682
  Viewing Screen Profile Settings ... 682
  Viewing the Screen Attack Statistics ... 683
  Viewing Flow Exceptions ... 684
  Sample Deployment ... 686
  Configuration for Screen and Flow Option Sample Deployment ... 687
  Summary ... 690
  Study Questions ... 690

12. AppSecure Basics ... 693
  AppSecure Component Overview ... 694
  Application Identification ... 694
  Application Tracking ... 695
  Application Firewall ... 696
  Application Quality of Service ... 697
  User Role Firewalling ... 698
  SSL Forward Proxy ... 698
  AI Processing Architecture ... 699
  Deploying AppSecure ... 707
  AppSecure Licensing ... 708
  Downloading and Installing Application Identification Sigpacks ... 708
  AppID Signature Operations ... 711
  Configuring and Deploying AppTrack ... 717
  Configuring and Deploying Application Firewall ... 721
  Configuring and Deploying Application Quality of Service ... 732
  Configuring and Deploying User Role Firewall ... 739
  Configuring and Deploying SSL Forward Proxy ... 755
  Best Practices ... 763
  Application Identification ... 764
  AppTrack ... 764
  AppFW ... 764
  AppQoS ... 765
  UserFW ... 765
  SSL FP ... 766
  Troubleshooting and Operation ... 767
  Operating Application Identification ... 768
  Operating Application Firewall ... 773
  Operating Application QoS ... 775
  Operating UserFW ... 777
  Operating SSL Forward Proxy ... 779
  Sample Deployments ... 781
  Summary ... 790
  Study Questions ... 790

13. Intrusion Prevention ... 795
  The Need for IPS ... 795
  What About Application Firewalling in NGFW? ... 796
  How Does IPS Work? ... 797
  Licensing ... 799
  IPS and UTM ... 799
  What Is the Difference Between Full IPS and Deep Inspection/IPS Lite? ... 800
  Is It IDP or IPS? ... 801
  False Positives and False Negatives in IPS ... 802
  Management IPS Functionality on the SRX ... 802
  Stages of a System Compromise ... 803
  IPS Packet Processing on the SRX ... 805
  Attack Object Types ... 810
  IPS Policy Components ... 814
  Security Packages ... 825
  Sensor Attributes ... 827
  SSL Inspection (Reverse Proxy) ... 827
  Custom Attack Groups ... 827
  Configuring IPS Features on the SRX ... 830
  Getting Started with IPS on the SRX ... 830
  Deploying and Tuning IPS ... 847
  First Steps to Deploying IPS ... 848
  Building the Policy ... 848
  Testing Your Policy ... 848
  Actual Deployment ... 851
  Day-to-Day IPS Management ... 852
  Best Practices ... 853
  Troubleshooting and Operation ... 855
  Checking IPS Status ... 855
  Checking Security Package Version ... 857
  Troubleshooting and Monitoring Security Package Installation ... 857
  Checking Policy Compilation Status ... 860
  IPS Attack Table ... 861
  IPS Counters ... 863
  IP Action Table ... 865
  Sample Deployments ... 865
  Summary ... 885
  Study Questions ... 886

14. Unified Threat Management ... 889
  Shifting Threats ... 890
  UTM, IPS, or Both? ... 891
  Antivirus ... 891
  URL Filtering ... 891
  Antispam ... 891
  Content Filtering ... 892
  Antivirus + URL Filtering + IPS? ... 892
  I Have SRX Antivirus: Do I Need Desktop Antivirus? ... 893
  UTM Licensing ... 893
  Configuring Licensing ... 894
  UTM Components ... 895
  Feature Profiles ... 896
  Custom Objects ... 896
  UTM Policies ... 897
  Application Proxy ... 897
  Networking Requirements for UTM Features ... 898
  Antivirus ... 898
  Which AV to Choose? ... 911
  URL Filtering ... 911
  Antispam ... 939
  Content Filtering ... 942
  Logging UTM Messages ... 945
  Best Practices ... 946
  Troubleshooting and Operation ... 947
  UTM Engine ... 947
  Antivirus ... 949
  URL Filtering ... 951
  Antispam ... 953
  Content Filtering ... 955
  Sample Deployments ... 956
  Summary ... 960
  Study Questions ... 960

Index ... 963