Category Archives: jncis-sec

JNCIS-SEC [ Web Filtering ]

There are three types of Web Filtering solutions:

1) Integrated Web Filtering:  This solution intercepts every HTTP request in a TCP connection. Then device identifies the category of a URL either from user-defined categories or from a category server (Surf Control Content Portal by Websense)

2) Redirect Web Filtering: This solution intercepts HTTP requests and sends them to an external URL filtering server (websense) to determine if URL is to be blocked or not

3) Local web filtering: This solution intercepts every HTTP request and device looks up a URL to determine if it is in the whitelist or blacklist based on its user-defined category.

*TIP: Web filtering profiles or antivirus profiles or both can be applied to a firewall policy.  If both applied, web filtering is applied first and then antivirus is applied. If URL is blocked, TCP connection is closed and no antivirus scanning is performed.

Continue reading

JNCIS-SEC [ Content Filtering ]

Content filtering blocks or permits certain types of traffic based on the MIME type, file extension and protocol command. The content filter controls file transfers across the gateway.

The content filter module evaluates traffic before all other UTM modules except Web Filtering.

There are three types of content filters:

1) MIME Pattern Filter: It is used to identify traffic in HTTP and MAIL protocols. There are block and exception lists of MIME patterns. Exception list takes precedence over block list. If the same entry exists on  both block and exception list, that type of traffic won’t be blocked because it is in the exception list.

2) Block Extension List: Blocking based on the extension of the file

3) Protocol command block/permit lists: By blocking or allowing certain commands, traffic can also be controlled on the protocol command level.

Continue reading

JNCIS-SEC [ Antivirus ]

There are two types of protection techniques

a) Full Antivirus Protection
b) Express Antivirus Protection

A) Full Antivirus Protection

Files are scanned against a signature database.  Data packets are received and the original application content e.g email attachment is reconstructed. Kaspersky lab provides scan engine and if antivirus license expires, you can continue to use scanning feature with the locally stored signatures without updates.

Pattern Updates

Downloaded by pattern-update command. As opposed to express antivirus.  It detects all malicious code, viruses (polymorphic and other advanced types), worms,  trojans and malware.

Database pattern server is accessible through HTTP or HTTPS and by default antivirus module checks for database updates automatically every 60 minutes and local copy of the pattern database is saved locally.

Continue reading

JNCIS-SEC [ Antispam ]

SPAM is an unwanted message as everyone knows. When SRX detects a message deemed to be spam, it blocks the email message or tags it with a configured string.  You can use a 3rd party spam block list (SBL) or create your own (whitelist or blacklist)

 A) Server Based Antispam Filtering

Firewall performs SBL lookups through the DNS protocol. The lookups are against the IP address of the sender or the relaying server. Checks are done in the following order;

1) Local whitelist is checked. If there is a match no further check is done. If there is no match
2) Local blacklist is checked. If there is a match, no further check is done. If there is no match
3) SBL server is checked


1) Creating a profile

[edit security]
root@host# set utm feature-profile anti-spam sbl profile sblprofile
[edit security]
utm {
    feature-profile {
        anti-spam {
            sbl {
                profile sblprofile;
}2) Enable SBL server lookup
[edit security]
root@host# set utm feature-profile anti-spam sbl profile sblprofile sbl-default-server
utm {
    feature-profile {
        anti-spam {
            sbl {
                profile sblprofile {

JNCIS-SEC [ Introduction to UTM ]

JNCIS-SEC exam has recently added UTM into its topic list  which I think makes the exam more difficult. I will try to summarize what I get from Junos Security Guide and present my configuration. Lets start with the first Introduction to UTM

Unified Thread Management (UTM) is used to describe the consolidation of several security features into one device.  Security features provided are;

1) Antispam
2) Full File-Based Antivirus: It provides file scanning for viruses against a virus signature database. It first collects packets and then reconstructs the application content (e.g an attachment) and scans the file. Kaspersky Lab provides the scanning engine.
3) Express Antivirus:  It is a less CPU intensive operation though it scans files against a signature database. Unlike full antivirus, it streams received data packages to the scan engine.  Virus scanning is handled by a hardware pattern matching engine and Juniper provides the scan engine.
4) Content Filtering: Blocking certain types of traffic based on MIME type, embedded objects etc.”
5) Web filtering: Preventing access to inappropriate content.  Three types of filtering available

a) Integrated web filtering
b) Redirect web filtering
c) Juniper Local Web Filtering

 TIP:  UTM requires 1GB memory because of which, you can’t use it in srx devices such as SRX-240B. B stands for BASE and it has 512M memory. You must have something like SRX-240H . H stands for HIGH and it has 1GB memory.

License management is done via the following operational command;

root@host> request system license ?
Possible completions:
  add                  Add license keys from file, local or from server
  delete               Delete license keys
  save                 Save license keys to file, local or to server
  update               Start autoupdate license keys from LMS servers


To delve into NAT processing in Junos it is better to see the packet flow in ASCII.

First PATH: Screens->Static NAT->Dest NAT->Route->Zones->Policy->Reverse Static NAT->Source NAT->Services ALG->Session

Fast PATH:  Screens->TCP->NAT->Services ALG

Based on the first packet of session, JUNOS installes NAT and PAT information into the session table for fast path processing. You should pay attention to the fact that Destination NAT occurs before Source NAT which is clear in the first PATH diagram.

We can classify NAT into three distinct category;

      * Source NAT : Translates source IP address of a packet
      * Destination NAT : Translates destination IP of a packet
      * Static NAT : This allows connections to be originated from either side of the network.

 Source NAT & PAT

1) Interface based source NAT: Original source address to the egress interface IP always with PAT
2) Pool based source NAT: Dynamic mapping of original source address to an address from a user-defined pool with or without PAT
3) Source NAT with address shifting : one-to-one matching of the original source address to a user-defined pool by shifting IP address  without PAT

     NAT rules are akin to security policies both of which require some directional context. For source nat, each rule set has a from and to clause which can indicate an interface,zone or routing instance.  If rule-sets overlap (if they target the same traffic), the rule-set with the most specific context takes precedence.  Interfaces = most specific , routing instance = least specific

Continue reading


Screen is an option that you can use to prevent some sort of attacks. Once enabled, screen check is performed prior to any other check according to the packet flow diagram.  For an attack to take place, several stages have to be taken;


IP Address Sweep

This is used to know the layout of the targeted network and generally used in a way one source IP address sends ICMP packets to different hosts.

Port Scanning

Source IP sends IP packets containing TCP SYN segments to different ports at the same destination IP address. It is to scan services of the destination host.

IP Options

It is for some special routing controls, diagnostic tools but they are very seldom.

OS Probes

Because different OSs respond differently to anomalous traffic, response to this sort of traffic can give information about the target host.

Continue reading

JNCIS-SEC [ Firewall User Authentication ]

With firewall authentication,  users can be restricted. If a user tries to access a network resource, they will be asked for username/password.  Authentication methods are;

* local password database
* SecurID

There are two types of user authentication available

* Pass-through authentication: Users are authenticated when they try to access a network resource
* Web authentication: Users first should authenticate themselves connecting into the Junos device.

Pass-through Authentication

1) create a profile

[edit access]
root@host# show
profile 3rdfloor {
    client john {
        firewall-user {
            password “$9$g14UHf5F/A0z3cyeK8LUji”; ## SECRET-DATA
2) associate this profile with an authentication type
[edit access firewall-authentication]
root@host# show
pass-through {
    default-profile 3rdfloor;
    telnet {
        banner {
            success “Heyy, it worked”;
            fail “Hmm, try once again”;
3) Apply pass-through authentication to policy as action
[edit security policies from-zone trust to-zone untrust]
root@host# show
policy trust-to-untrust {
    match {
        source-address any;
        destination-address any;
        application any;
    then {
        permit {
            firewall-authentication {
                pass-through {
                    client-match john;

JNCIS-SEC [Security Policies]

Security policy is set of rules that tells a Junos device what to do with transit traffic between zones and within a zone. SRXs as apposed to Netscreen devices by default don’t allow intra zone traffic.

If the destination of the traffic is the device itself, security policies aren’t applicable. Instead host-inbound-traffic option must be used under zone configuration to control the traffic destined to the device.

Security policies are examined if the traffic destination is other than the incoming interface which also means that even in the same zone policy check is done.

Continue reading

JNCIS-SEC [Introduction]

Packet forwarding on Junos security devices are stateful as opposed to a traditional router whose behaviour is stateless/promiscuous.

There are several requirements for security devices;

1) Stateful packet processing based on IP,transport and application layer
3) VPNs with authentication and encryption

Stateful packet processing involves a unidirectional flow consisting of six elements

1) Source IP address
2) Destination IP address
3) Source Port number
4) Destination Port number
5) Protocol Number
6) Session token

Continue reading