Category Archives: jncis-sec

JNCIS-SEC [Firewall User Authentication]

With firewall authentication, users can be restricted. If a user tries to access a network resource, they are asked for a username and password. The authentication methods are:

* local password database
* RADIUS
* LDAP
* SecurID

There are two types of user authentication available:

* Pass-through authentication: Users are authenticated when they try to access a network resource.
* Web authentication: Users must first authenticate themselves by connecting to the Junos device.

Pass-through Authentication

1) Create a profile

[edit access]
root@host# show
profile 3rdfloor {
    client john {
        firewall-user {
            password "$9$g14UHf5F/A0z3cyeK8LUji"; ## SECRET-DATA
        }
    }
}

2) Associate this profile with an authentication type

[edit access firewall-authentication]
root@host# show
pass-through {
    default-profile 3rdfloor;
    telnet {
        banner {
            success "Heyy, it worked";
            fail "Hmm, try once again";
        }
    }
}

3) Apply pass-through authentication to the policy as an action

[edit security policies from-zone trust to-zone untrust]
root@host# show
policy trust-to-untrust {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            firewall-authentication {
                pass-through {
                    client-match john;
                }
            }
        }
        count;
    }
}
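
A consistency check for the three steps above, as an added example (not part of the original notes): it verifies that every client-match in a pass-through policy names a client defined in the pass-through default-profile. The merged sample config, the lab-to-untrust policy, the client jane and the function names are constructed for illustration; it assumes client-match names a single client, not a client group.

```python
import re

# Constructed sample: the page's three stanzas merged into one hierarchy, plus a
# hypothetical second policy (lab-to-untrust) naming a client that is not defined.
CONFIG = '''
access {
    profile 3rdfloor {
        client john { firewall-user { password "$9$placeholder"; } } ## SECRET-DATA
    }
    firewall-authentication { pass-through { default-profile 3rdfloor; } }
}
security { policies { from-zone trust to-zone untrust {
    policy trust-to-untrust { then { permit { firewall-authentication {
        pass-through { client-match john; } } } } }
    policy lab-to-untrust { then { permit { firewall-authentication {
        pass-through { client-match jane; } } } } }
} } }
'''

def walk(text):
    """Flatten brace-style config into (path, statement) pairs; a block opening
    has an empty statement, and quoted strings (banners) are kept whole."""
    text = re.sub(r'##[^\n]*', '', text)          # drop ## annotations
    path, out = [], []
    for stmt, sep in re.findall(r'((?:"[^"]*"|[^{};"])*)([{};])', text):
        stmt = ' '.join(stmt.split())
        if sep == '{':
            path.append(stmt)
            out.append((tuple(path), ''))
        elif sep == '}':
            path.pop()
        elif stmt:
            out.append((tuple(path), stmt))
    return out

def undefined_clients(text):
    """Return (policy, client) pairs whose client-match is not in the default-profile."""
    items = walk(text)
    fwauth = ('access', 'firewall-authentication', 'pass-through')
    profile = next((s.split()[1] for p, s in items
                    if p == fwauth and s.startswith('default-profile ')), None)
    clients = {p[2].split()[1] for p, s in items
               if len(p) > 2 and p[:2] == ('access', f'profile {profile}')
               and p[2].startswith('client ')}
    return [(next(x.split()[1] for x in p if x.startswith('policy ')), s.split()[1])
            for p, s in items if p[-1:] == ('pass-through',)
            and s.startswith('client-match ') and s.split()[1] not in clients]

if __name__ == '__main__':
    print(undefined_clients(CONFIG))
```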

JNCIS-SEC [Security Policies]

A security policy is a set of rules that tells a Junos device what to do with transit traffic between zones and within a zone. SRXs, as opposed to NetScreen devices, don’t allow intra-zone traffic by default.

If the destination of the traffic is the device itself, security policies aren’t applicable. Instead, the host-inbound-traffic option must be used under the zone configuration to control the traffic destined to the device.

Security policies are examined if the traffic destination is other than the incoming interface, which also means that a policy check is done even within the same zone.

JNCIS-SEC [Introduction]

Packet forwarding on Junos security devices is stateful, as opposed to a traditional router, whose behaviour is stateless/promiscuous.

There are several requirements for security devices:

1) Stateful packet processing based on IP, transport and application layer
2) NAT, PAT
3) VPNs with authentication and encryption

Stateful packet processing involves a unidirectional flow consisting of six elements:

1) Source IP address
2) Destination IP address
3) Source Port number
4) Destination Port number
5) Protocol Number
6) Session token

JNCIS-SEC [Zones]

Here are the notes I have taken while preparing for the JNCIS-SEC exam. They may not be useful for everyone, as they are for me to remember some of the stuff.

Zones are logical groupings of logical interfaces with a common security requirement.

  • Special interfaces like fxp0, chassis cluster interfaces and em0 interfaces cannot be assigned to a zone.
  • You cannot assign a logical interface to multiple zones or multiple routing instances. In addition, all of a zone’s logical interfaces must be in a single routing instance.
  • A routing instance is a logical routing construct and can contain one or more zones which cannot be shared with other routing instances.