#777
Year: 2010
Authors: Rob Cameron, Brad Woodberg, Patricio Giecco, Timothy Eberhard, James Quinn
Genre: networking
Publisher: O'Reilly Media
ISBN: 978-1449381714
Language: English
Format: PDF
Quality: originally digital (eBook)
Interactive table of contents: No
Page count: 848

Description: Junos® Security is the complete and authorized introduction to the new Juniper Networks SRX hardware series. This book not only provides a practical, hands-on field guide to deploying, configuring, and operating the SRX, it also serves as a reference to help you prepare for any of the Junos Security Certification examinations offered by Juniper Networks.
Network administrators and security professionals will learn how to use SRX Junos services gateways to address an array of enterprise data network requirements, including IP routing, intrusion detection, attack mitigation, unified threat management, and WAN acceleration. Junos Security is a clear and detailed roadmap to the SRX platform. The authors' newer book, Juniper SRX Series, covers the SRX devices themselves.
Get up to speed on Juniper's multi-function SRX platforms and SRX Junos software
Explore case studies and troubleshooting tips from engineers with extensive SRX experience
Become familiar with SRX security policy, Network Address Translation, and IPsec VPN configuration
Learn about routing fundamentals and high availability with SRX platforms
Discover what sets the SRX apart from typical firewalls
Understand the operating system that spans the entire Juniper Networks networking hardware portfolio
Learn about the more commonly deployed branch series SRX as well as the large Data Center SRX firewalls

"I know these authors well. They are out there in the field applying the SRX's industry-leading network security to real world customers every day. You could not learn from a more talented team of security engineers." -- Mark Bauhaus, EVP and General Manager, Juniper Networks
Table of Contents

Foreword
Preface

1. Introduction to the SRX
    Evolving into the SRX
    ScreenOS to Junos
    The SRX Series Platform
    Built for Services
    Deployment Solutions
    Small Branch
    Medium Branch
    Large Branch
    Data Center
    Data Center Edge
    Data Center Services Tier
    Service Provider
    Mobile Carriers
    Cloud Networks
    The Junos Enterprise Services Reference Network
    SRX Series Product Lines
    Branch SRX Series
    Branch-Specific Features
    SRX100
    SRX200
    SRX600
    AX411
    CX111
    Branch SRX Series Hardware Overview
    Licensing
    Branch Summary
    Data Center SRX Series
    Data Center SRX-Specific Features
    SPC
    NPU
    Data Center SRX Series Session Setup
    Data Center SRX Series Hardware Overview
    SRX3000
    SRX5000
    Summary
    Chapter Review Questions
    Chapter Review Answers

2. What Makes Junos So Special?
    OS Basics
    FreeBSD
    Process Separation
    Development Model
    Adding New Features
    Data Plane
    Junos Is Junos Except When It's Junos
    Coming from Other Products
    ScreenOS
    IOS and PIX OS
    Check Point
    Summary
    Chapter Review Questions
    Chapter Review Answers

3. Hands-On Junos
    Introduction
    Driving the Command Line
    Operational Mode
    Variable Length Output
    Passing Through the Pipe
    Seeking Immediate Help
    Configuration Mode
    Commit Model
    Restarting Processes
    Junos Automation
    Junos Configuration Essentials
    System Settings
    Interfaces
    Switching (Branch)
    Zones
    Summary
    Chapter Review Questions
    Chapter Review Answers

4. Security Policy
    Security Policy Overview
    SRX Policy Processing
    Viewing SRX Policy Tables
    Viewing Policy Statistics
    Viewing Session Flows
    Policy Structure
    Security Zones
    Service Configuration
    Blocking Unwanted Traffic
    Policy Logging
    Troubleshooting Security Policy and Traffic Flows
    Troubleshooting Sample
    Troubleshooting Output
    Turning Off Traceoptions
    Application Layer Gateway Services
    How to Configure an ALG
    Policy Schedulers
    One-Time Schedulers
    Web and Proxy Authentication
    Web Authentication
    Pass-Through Authentication
    Case Study 4-1
    Case Study 4-2
    Converters and Scripts
    Summary
    Chapter Review Questions
    Chapter Review Answers

5. Network Address Translation
    How the SRX Processes NAT
    Source NAT
    Interface NAT
    Address Pools
    Removing PAT
    Proxy ARP
    Persistent NAT
    Case Study 5-1: ISP Redundancy via PAT
    Conclusion
    Destination NAT
    Implementing Destination NAT
    Viewing Destination NAT
    Tracing Destination NAT Flows
    Case Study 5-2: Virtual IP NAT
    Static NAT
    Case Study 5-3: Double NAT
    Summary
    Chapter Review Questions
    Chapter Review Answers

6. IPsec VPN
    VPN Architecture Overview
    Site-to-Site IPsec VPNs
    Hub and Spoke IPsec VPNs
    Full Mesh VPNs
    Multipoint VPNs
    Remote Access VPNs
    IPsec VPN Concepts Overview
    IPsec Encryption Algorithms
    IPsec Authentication Algorithms
    IKE Version 1 Overview
    IPsec VPN Protocol
    IPsec VPN Mode
    IPsec Manual Keys
    Phase 1 IKE Negotiations
    IKE Authentication
    IKE Identities
    Phase 1 IKE Negotiation Modes
    Phase 2 IKE Negotiations
    Perfect Forward Secrecy
    Quick Mode
    Proxy ID Negotiation
    Flow Processing and IPsec VPNs
    SRX VPN Types
    Policy-Based VPNs
    Route-Based VPNs
    Other SRX VPN Components
    Dead Peer Detection
    VPN Monitoring
    XAuth
    NAT Traversal
    Anti-Replay Protection
    Fragmentation
    Differentiated Services Code Point
    IKE Key Lifetimes
    Network Time Protocol
    Certificate Validation
    Simple Certificate Enrollment Protocol
    Group VPN
    Dynamic VPN
    Selecting the Appropriate VPN Configuration
    IPsec VPN Configuration
    Configuring NTP
    Certificate Preconfiguration Tasks
    Phase 1 IKE Configuration
    Phase 2 IKE Configuration
    Configuring Manual Key IPsec VPNs
    Dynamic VPN
    VPN Verification and Troubleshooting
    Useful VPN Commands
    VPN Tracing and Debugging
    Case Studies
    Case Study 6-1: Site-to-Site VPN
    Case Study 6-2: Remote Access VPN
    Summary
    Chapter Review Questions
    Chapter Review Answers

7. High-Performance Attack Mitigation
    Network Protection Tools Overview
    Firewall Filters
    Screens
    Security Policy
    IPS and AppDoS
    Protecting Against Network Reconnaissance
    Firewall Filtering
    Screening
    Port Scan Screening
    Summary
    Protecting Against Basic IP Attacks
    Basic IP Protections
    Basic ICMP Protections
    Basic TCP Protections
    Basic Denial-of-Service Screens
    Advanced Denial-of-Service and Distributed Denial-of-Service Protection
    ICMP Floods
    UDP Floods
    SYN/TCP Floods
    SYN Cookies
    SYN-ACK-ACK Proxies
    Session Limitation
    AppDoS
    Application Protection
    SIP
    MGCP
    SCCP
    Protecting the SRX
    Summary
    Chapter Review Questions
    Chapter Review Answers

8. Intrusion Prevention
    The Need for IPS
    How Does IPS Work?
    IPS Packet Processing on the SRX
    Attack Object Types
    IPS Policy Components
    Security Packages
    Sensor Attributes
    SSL Inspection
    AppDDoS Protection
    Custom Attack Groups and Objects
    Configuring IPS Features on the SRX
    Getting Started with IPS on the SRX
    Deploying and Tuning IPS
    First Steps to Deploying IPS
    Building the Policy
    Testing Your Policy
    Actual Deployment
    Day-to-Day IPS Management
    Troubleshooting IPS
    Checking IPS Status
    Checking Security Package Version
    IPS Attack Table
    Application Statistics
    IPS Counters
    IP Action Table
    AppDDoS Useful Commands
    Troubleshooting the Commit/Compilation Process
    Case Study 8-1
    Summary
    Chapter Review Questions
    Chapter Review Answers

9. Unified Threat Management
    What Is UTM?
    Application Proxy
    Web Filtering
    Antivirus
    Notifications
    Viewing the UTM Logs
    Controlling What to Do When Things Go Wrong
    Content Filtering
    Antispam
    UTM Monitoring
    Licensing
    Tracing UTM Sessions
    Case Study 9-1: Small Branch Office
    Security Policies
    UTM Policies and Profiles
    Summary
    Chapter Review Questions
    Chapter Review Answers

10. High Availability
    Understanding High Availability in the SRX
    Chassis Cluster
    The Control Plane
    The Data Plane
    Junos High Availability Concepts
    Deployment Concepts
    Configuration
    Differences from Standalone
    Activating JSRPD (Juniper Services Redundancy Protocol)
    Managing Cluster Members
    Configuring the Control Ports
    Configuring the Fabric Links
    Node-Specific Information
    Configuring Heartbeat Timers
    Redundancy Groups
    Configuring Interfaces
    Integrating Dynamic Routing
    Upgrading the Cluster
    Fault Monitoring
    Interface Monitoring
    IP Monitoring
    Manual Failover
    Hardware Monitoring
    Software Monitoring
    Preserving the Control Plane
    Using Junos Automation
    Troubleshooting the Cluster
    First Steps
    Checking Interfaces
    Verifying the Data Plane
    Core Dumps
    The Dreaded Priority Zero
    When All Else Fails
    Summary
    Chapter Review Questions
    Chapter Review Answers

11. Routing
    How the SRX "Routes" IP Packets
    Forwarding Tables
    IP Routing
    Asymmetric Routing
    Address Resolution Protocol (ARP)
    Static Routing
    Creating a Static Route
    Verifying a Static Route
    Dynamic Routing
    Configuring OSPF Routing
    Case Study 11-1: Securing OSPF Adjacencies
    Case Study 11-2: Redundant Paths and Routing Metrics
    Growing OSPF Networks
    Routing Policy
    Case Study 11-3: Equal Cost Multipath (ECMP)
    Internet Peering
    Configuring BGP Peerings
    BGP Routing Tables
    Case Study 11-4: Internet Redundancy
    Routing Instances
    Configuring Routing Instances
    Filter-Based Forwarding
    Configuring Filter-Based Forwarding
    Case Study 11-5: Dynamic Traffic Engineering
    Summary
    Chapter Review Questions
    Chapter Review Answers

12. Transparent Mode
    Transparent Mode Overview
    Why Use Transparent Mode?
    MAC Address Learning
    Transparent Mode and Bridge Loops, Spanning Tree Protocol
    Transparent Mode Limitations
    Transparent Mode Components
    Interface Modes in Transparent Mode
    Bridge Domains
    IRB Interfaces
    Transparent Mode Zones
    Transparent Mode Security Policy
    Transparent Mode Specific Options
    QoS in Transparent Mode
    VLAN Rewriting
    High Availability with Transparent Mode
    Transparent Mode Flow Process
    Configuring Transparent Mode
    Configuring Transparent Mode Basics
    Configuring Integrated Routing and Bridging
    Configuring Transparent Mode Security Zones
    Configuring Transparent Mode Security Policies
    Configuring Bridging Options
    Configuring Transparent Mode QoS
    Configuring VLAN Rewriting
    Transparent Mode Commands and Troubleshooting
    The show bridge domain Command
    The show bridge mac-table Command
    The show l2-learning global-information Command
    The show l2-learning global-mac-count Command
    The show l2-learning interface Command
    Transparent Mode Troubleshooting Steps
    Case Study 12-1
    Summary
    Chapter Review Questions
    Chapter Review Answers

13. SRX Management
    The Management Infrastructure
    Operational Mode
    Configuration Mode
    J-Web
    NSM and Junos Space
    NETCONF
    Scripting and Automation
    Commit Scripts
    Creating a Configuration Template
    Operational Scripts
    Event Scripts
    Keeping Your Scripts Up-to-Date
    Case Studies
    Case Study 13-1: Displaying the Interface and Zone Information
    Case Study 13-2: Zone Groups
    Case Study 13-3: Showing the Security Policies in a Compact Format
    Case Study 13-4: Track-IP Functionality to Trigger a Cluster Failover
    Case Study 13-5: Track-IP Using RPM Probes
    Case Study 13-6: Top Talkers
    Case Study 13-7: Destination NAT on Interfaces with Dynamic IP Addresses
    Case Study 13-8: High-End SRX Monitor
    Summary
    Chapter Review Questions
    Chapter Review Answers

Index