I have finally decided to start studying for the JNCIP-SEC exam. To be honest, the exam is just a driving force. What I would like to achieve is knowledge, which is why I am not only going to share my exam-related studies but will try to go as deep as I can on every topic, and I am planning to test more than the exam asks.
I am also learning, so I appreciate visitors' feedback and contributions. I will update every topic slowly, as I don't have much time to update everything in big chunks; this post, for example, will be updated from time to time until it is finished. Let's get started...
[Analyzing Traffic Flows]
Figure 1
I will use the topology above throughout this post. Assume JUNOS1 and JUNOS2 are two physical devices, all routing configuration is in place and JUNOS2 has a default allow policy. (To be honest, in my setup R2 is just a Linux machine used to test policies, so be careful.)
ICMP test scenario:
R1> ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
^C
--- 192.168.100.1 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6048ms
We receive no ICMP replies to the echo requests sent from R1 because the default policy on JUNOS1 is deny-all.
Let's assign the interfaces to zones and create a policy on JUNOS1:
[edit security zones]
root@JUNOS1# show
security-zone INTERNET {
address-book {
address R1 172.30.73.219/32;
}
interfaces {
ge-0/0/0.0;
}
}
security-zone INTERNAL {
address-book {
address JUNOS2 192.168.100.1/32;
}
interfaces {
lt-0/0/0.0;
}
}
[edit security policies]
root@JUNOS1# show
from-zone INTERNET to-zone INTERNAL {
policy allow-icmp-traffic {
match {
source-address R1;
destination-address JUNOS2;
application junos-ping;
}
then {
permit;
}
}
}
Now try to ping once again:
R1> ping 192.168.100.1 -c 2
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_req=1 ttl=63 time=3.45 ms
64 bytes from 192.168.100.1: icmp_req=2 ttl=63 time=3.59 ms
Bingo! We receive replies to our 2 ICMP packets. As you can also see, we only set a policy in one direction; the reverse direction is handled by the flow daemon, which creates both wings of the session when the first packet is permitted, so the replies match the existing session instead of being policy-checked again.
OK, but we also want to see some counters, for which we must enable the count option:
[edit]
root@JUNOS1#set security policies from-zone INTERNET to-zone INTERNAL policy allow-icmp-traffic then count
After committing, send 2 more ICMP packets and check what the policy output looks like:
root@JUNOS1> show security policies policy-name allow-icmp-traffic detail
TIP: In the output, the red-coloured number 4 is the policy index number; ge-0/0/0.0 is the input interface and lt-0/0/0.0 is the output interface.
TIP: What you see in the session table is only what the flow module accepted. A denied packet never gets a session, so you can't see it there, which makes sense. If a packet does not show up here, it may also have been dropped earlier, during screen checks, routing, etc.
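Because a denied packet never creates a session, the usual way to make denials visible is an explicit deny-all policy at the bottom of the zone pair with count (and log) enabled. The following commands are an added example for this post's INTERNET-to-INTERNAL setup, not part of the original configuration; the policy name deny-rest is my own choice, and the address-book names and prefixes are the ones used above.

```junos
# Added example: explicit deny-all with counters, placed after allow-icmp-traffic.
# Policies are evaluated top-down; a new policy is appended to the end of the
# from-zone/to-zone context, so it catches everything allow-icmp-traffic did not match.
[edit]
root@JUNOS1# set security policies from-zone INTERNET to-zone INTERNAL policy deny-rest match source-address any destination-address any application any
root@JUNOS1# set security policies from-zone INTERNET to-zone INTERNAL policy deny-rest then deny
root@JUNOS1# set security policies from-zone INTERNET to-zone INTERNAL policy deny-rest then count
root@JUNOS1# set security policies from-zone INTERNET to-zone INTERNAL policy deny-rest then log session-init
root@JUNOS1# commit

# Confirm the order: allow-icmp-traffic must be listed before deny-rest.
root@JUNOS1> show security policies from-zone INTERNET to-zone INTERNAL
# If it is not, move it and commit again.
root@JUNOS1# insert security policies from-zone INTERNET to-zone INTERNAL policy deny-rest after policy allow-icmp-traffic
root@JUNOS1# commit

# From R1, send something the ICMP policy does not cover (e.g. a TCP SYN to port 22),
# then read the counters. With "then count" the detail output carries a
# "Policy statistics" section; a growing input packet count on deny-rest is the
# denied traffic the session table cannot show you.
root@JUNOS1> show security policies from-zone INTERNET to-zone INTERNAL policy-name deny-rest detail
# On releases that support it, the per-policy hit counters in one view:
root@JUNOS1> show security policies hit-count from-zone INTERNET to-zone INTERNAL

# Permitted ICMP is still visible as sessions; filter the table to R1 -> JUNOS2.
root@JUNOS1> show security flow session source-prefix 172.30.73.219/32 destination-prefix 192.168.100.1/32 protocol icmp

# Reset the counters before the next test.
root@JUNOS1> clear security policies statistics
```

The log session-init on the deny policy produces an RT_FLOW_SESSION_DENY message per first packet, which is what you want on a syslog collector; session-close is meaningless on a deny policy because no session is ever built.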
I was wondering how to see the default session timeouts for TCP/UDP, and I found the answer in the Juniper forum, according to which:
We can say that there are 1780 seconds left before this session times out. As soon as you generate some SSH traffic, it starts counting down again from 1800 seconds, which is the default TCP inactivity timeout. What if we want to lower this timeout?
Create a new application called my-ssh and replace the previously configured junos-ssh with my-ssh in the policy:
[edit applications]
root@JUNOS1# show
application my-ssh {
protocol tcp;
destination-port 22;
inactivity-timeout 600;
}
After the commit, new sessions (existing ones keep their old timeout) show the following output:
root@JUNOS1# run show security flow session application ssh
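Putting the pieces together, as an added example that is not from the original post: the same my-ssh application in set form, the policy change that references it instead of junos-ssh, and how to check what the predefined application you replaced actually matches. The policy name allow-ssh is assumed (the post mentions a policy using junos-ssh but does not show it); the zone and address-book names are the ones from the first part of this post.

```junos
# Added example: custom SSH application with a 600 s inactivity timeout.
[edit]
root@JUNOS1# set applications application my-ssh protocol tcp
root@JUNOS1# set applications application my-ssh destination-port 22
root@JUNOS1# set applications application my-ssh inactivity-timeout 600

# Reference it from the policy in place of junos-ssh. The policy allow-ssh is
# assumed to exist from the earlier step; only its application list changes.
root@JUNOS1# delete security policies from-zone INTERNET to-zone INTERNAL policy allow-ssh match application junos-ssh
root@JUNOS1# set security policies from-zone INTERNET to-zone INTERNAL policy allow-ssh match application my-ssh
root@JUNOS1# commit

# The predefined application you replaced lives in the hidden junos-defaults group;
# this is where to look when you want to know what a junos-* application matches.
root@JUNOS1> show configuration groups junos-defaults applications application junos-ssh

# The new timeout applies only to sessions created after the commit. Existing SSH
# sessions keep their 1800 s value until they expire or are cleared:
root@JUNOS1> clear security flow session destination-port 22

# Open a new SSH connection from R1 and confirm "Timeout:" now counts down from 600.
root@JUNOS1> show security flow session destination-port 22
```

Keep in mind that shortening the timeout is a trade-off: interactive SSH sessions that sit idle for more than 600 seconds will be silently dropped, and the client only notices on its next keystroke.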
The Application Layer Gateway (ALG) feature does what plain stateful inspection cannot: it reads the control channel of a protocol and opens pinholes for the data connections negotiated inside it, providing an extra layer of inspection. The simplest example given in most documentation is FTP. I will present two examples here, FTP and DNS.
Here is my new setup for the ALG test.
FTP ALG:
INTERNET -- (172.30.72.244 [ge-0/0/0.0]) SRX (10.2.2.1 [ge-0/0/2.0]) -- (10.2.2.2) Linux PC
Check which ALGs are enabled:
root@host> show security alg status
ALG Status :
DNS : Enabled
FTP : Enabled
H323 : Enabled
MGCP : Enabled
MSRPC : Enabled
PPTP : Enabled
RSH : Enabled
RTSP : Enabled
SCCP : Enabled
SIP : Enabled
SQL : Enabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Enabled
IKE-ESP : Disabled
Create a policy allowing only FTP:
[edit]
root@host# show security policies
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application junos-ftp;
}
then {
permit;
}
}
}
Generate some traffic and look at the session table:
What we can see here: we allowed FTP traffic to the untrust network via the policy, and although we didn't specifically allow traffic from 144.122.144.177:20 to 10.2.2.2:35919, the ALG inspects the control channel and lets the data-channel packets pass. As you can see, the timeout is also very small. Note that this pattern appears only when you use active-mode FTP, in which the remote FTP server initiates the data connection back to the client. If passive mode is used, the client also initiates the data channel, for which you see the following session flow:
As can be seen, in passive-mode FTP the client initiates the data channel connection and the connection is allowed by the ALG. The ALG is still needed here: the server's data port is negotiated dynamically and is not port 21, so junos-ftp alone would never match it.
DNS ALG:
The default UDP session timeout is 60 seconds, yet the session timeout below is very low. The DNS ALG monitors DNS traffic and, once the DNS response has returned, sets the session timeout very low so the session is closed quickly; if no response is received, the 60-second timeout applies. This matches the documented behaviour of the DNS ALG, which closes the session as soon as the reply to a query is seen instead of waiting for the UDP timeout.
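To see what the two ALGs actually contribute, switch them off and repeat the tests. This is an added example for the setup above and not part of the original post; the policy trust-to-untrust and the 10.2.2.2 client are taken from the FTP section, and it assumes, as in the post, that no untrust-to-trust policy exists.

```junos
# Added example: prove the ALG is what opens the FTP data channel by disabling it.
[edit]
root@host# set security alg ftp disable
root@host# commit

root@host> show security alg status | match FTP
# Clear the control-channel session so the next FTP login is inspected fresh.
root@host> clear security flow session destination-port 21

# Retest from 10.2.2.2 and watch the table. Expected with the ALG off:
#  - active mode: the server's connection from port 20 back to the client arrives
#    in the untrust-to-trust direction, where no policy permits it -> dropped.
#  - passive mode: the client's connection to the server's random high port does
#    not match junos-ftp (port 21) in trust-to-untrust -> dropped as well.
# Only the port-21 control session remains; the transfer hangs or fails.
root@host> show security flow session destination-port 21

# Re-enable the ALG (remove the disable knob) when done.
root@host# delete security alg ftp disable
root@host# commit

# The same check for DNS: with the ALG off, a query/response pair stays in the
# table for the full 60 s UDP timeout instead of being closed on the reply.
root@host# set security alg dns disable
root@host# commit
root@host> show security flow session destination-port 53
root@host# delete security alg dns disable
root@host# commit
```

The FTP check is also the argument against the "fix" of adding a permissive untrust-to-trust policy for the data channel: the ALG opens a pinhole only for the exact address and port negotiated on the control channel and only for as long as needed, whereas a static policy leaves that door open permanently.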
Troubleshooting probably doesn't fit in this category, but I would like to add a troubleshooting section for the policy topic, as it is crucial.
Let's generate traffic for which we know there is no policy, so our packets will be dropped. We still have the policy that allows only DNS UDP traffic. What happens if we target port 80? Let's troubleshoot using the flow trace output:
flow_process_pkt: (thd 9): flow_ctxt type 13, common flag 0x0, mbuf 0x43e9b580, rtbl_idx = 0
flow process pak fast ifl 73 in_ifp ge-0/0/2.0
ge-0/0/2.0:10.2.2.2/56151->74.125.224.112/80, tcp, flag 2 syn
find flow: table 0x5d3e0248, hash 14748(0xffff), sa 10.2.2.2, da 74.125.224.112, sp 56151, dp 80, proto 6, tok 7
no session found, start first path. in_tunnel – 0, from_cp_flag – 0
self ip check: not for self (address=4a7de070)
flow_first_create_session
flow_first_in_dst_nat: in <ge-0/0/2.0>, out <N/A> dst_adr 74.125.224.112, sp 56151, dp 80
chose interface ge-0/0/2.0 as incoming nat if.
flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 74.125.224.112(80)
flow_first_routing: call flow_route_lookup(): src_ip 10.2.2.2, x_dst_ip 74.125.224.112, in ifp ge-0/0/2.0, out ifp N/A sp 56151, dp 80, ip_proto 6, tos 10
Doing DESTINATION addr route-lookup
routed (x_dst_ip 74.125.224.112) from trust (ge-0/0/2.0 in 0) to ge-0/0/0.0, Next-hop: 172.30.72.1
policy search from zone trust-> zone untrust (0x0,0xdb570050,0x50)
app 6, timeout 1800s, curr ageout 20s
packet dropped, denied by policy
packet dropped, policy deny.
flow find session returns error.
For those with a ScreenOS background, interpreting this log is easy, as most of the lines are similar.
Remember the FIRST PATH processing of a packet. The packet follows this path: a session lookup finds nothing, the route lookup picks ge-0/0/0.0, and then a policy matching port 80 from zone trust to zone untrust is searched for; none is found and the packet is dropped. You can also see that there is no source address translation in the log, because source NAT is done after the policy check in first-path processing.
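The output above is what security flow traceoptions with the basic-datapath flag produces. The following is an added example, not from the original post, showing how to enable such a trace for exactly one flow and switch it off again; the filter name deny-http and the file name flow-trace.log are my own choices, and the addresses are the ones in the trace above. Always use a packet-filter: an unfiltered basic-datapath trace on a busy box is itself a good way to cause an outage.

```junos
# Added example: targeted flow trace for the denied HTTP flow shown above.
[edit]
root@host# set security flow traceoptions file flow-trace.log
root@host# set security flow traceoptions file size 10m
root@host# set security flow traceoptions file files 3
root@host# set security flow traceoptions flag basic-datapath
# Trace only packets from the client to that one web server, TCP port 80.
root@host# set security flow traceoptions packet-filter deny-http source-prefix 10.2.2.2/32
root@host# set security flow traceoptions packet-filter deny-http destination-prefix 74.125.224.112/32
root@host# set security flow traceoptions packet-filter deny-http destination-port 80
root@host# set security flow traceoptions packet-filter deny-http protocol tcp
root@host# commit

# Generate the test traffic from 10.2.2.2, then pull the lines that matter.
# Expected shape (as in the trace above): "policy search from zone trust-> zone untrust"
# followed by "packet dropped, denied by policy".
root@host> show log flow-trace.log | match "policy search|timeout|dropped|denied"

# Switch the trace off as soon as you are done; deactivate keeps the
# configuration for next time without leaving the trace running.
root@host# deactivate security flow traceoptions
root@host# commit
root@host> clear log flow-trace.log
```

Reading order for a drop: find the "find flow" line for your 5-tuple, check whether a session was found, then follow the route lookup, the "policy search" line and the verdict. If the packet never reaches the policy search, the drop happened earlier (screen, route, or no zone for the interface), which is exactly the caveat from the session-table tip above.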
SYSLOG SERVER
OK, maybe I shouldn't add syslog server setup here, but I must explain (for myself as well) how to send SRX system logs and traffic logs to a syslog server.
Our syslog server is at 10.2.2.2
[edit]
root@host# show system syslog
user * {
any emergency;
}
host 10.2.2.2 {
any any;
}
The configuration above sends all system logs (CLI logs etc.) to the syslog server, but what if we also want to send traffic logs?
Configure logging for session-init under the policy's then clause, as below; it can also be configured for session-close.
If you are looking for NSM-related syslog settings, check the following KBs on the Juniper site: KB16448 (Syslog for NSM) and KB21050 (stream logging from the data plane).
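As an added example, not from the original post: the per-policy logging that produces the traffic (RT_FLOW) logs, together with the data-plane stream-mode alternative that KB21050 describes. The syslog host 10.2.2.2 and the policy trust-to-untrust are taken from this post; the stream name traffic-log and the source address 10.2.2.1 (the SRX's ge-0/0/2.0 address) are assumptions.

```junos
# Added example: traffic logging per policy, then two ways to get it off the box.
[edit]
# 1) Tell the policy to log. session-init logs the first packet's verdict
#    (RT_FLOW_SESSION_CREATE); session-close adds byte/packet totals on teardown
#    (RT_FLOW_SESSION_CLOSE). A deny policy can only use session-init
#    (RT_FLOW_SESSION_DENY), since no session is ever created.
root@host# set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
root@host# set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close

# 2a) Event mode (the default on branch SRX): traffic logs are handed to the
#     Routing Engine and leave through the system syslog stanza already shown,
#     host 10.2.2.2 { any any; }. Nothing more is needed, but the control plane
#     rate-limits these logs, so this is for test and low-rate boxes.

# 2b) Stream mode: logs are sent straight from the data plane to the collector,
#     bypassing the Routing Engine; this is the KB21050 setup.
root@host# set security log mode stream
root@host# set security log format sd-syslog
root@host# set security log source-address 10.2.2.1
root@host# set security log stream traffic-log host 10.2.2.2
root@host# commit

# Verify on the collector: RT_FLOW_SESSION_CREATE / RT_FLOW_SESSION_CLOSE messages,
# each carrying source/destination, NAT'ed addresses, policy name and from/to zone.
```

In stream mode the logs no longer pass through the Routing Engine, so they do not appear in the local log files; the collector must be reachable from the data plane via the source address you configured.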
FAQ
1) Is there an intra-zone policy command on the SRX?
The SRX doesn't have a single command that allows intra-zone traffic, but the trust zone comes with a default allow-any-any trust-to-trust policy in the factory-default configuration.
For any other zone, or for traffic between zones, you must explicitly set a policy; intra-zone traffic is configured the same way as inter-zone traffic, with from-zone X to-zone X.
Worked for more than 10 years as a Network/Support Engineer; also interested in Python, Linux, Security and SD-WAN
// JNCIE-SEC #223 / RHCE / PCNSE
2 thoughts on “JNCIP-SEC [1 – Advanced Security Policy ]”
Dear Genco,
Really, I and we all appreciate your great contribution for those preparing for the JNCIP-SEC exam or wanting to learn the content and topics for the real world.
Can you please take some time from your precious time and help me by advising on building my own lab, the one for Juniper's JSEC training course?
I have 2 SRX110H-VA and 2 Netscreen-25. I want to build an exactly similar lab but am failing to do so because I don't have in-depth knowledge of how that lab was built.
I will really remain thankful to you for this act of kindness.
Hi Tanweer,
I must say that during my preparation I had only two SRX210 devices, but two SRX100H are also sufficient, as you can run IPS on them along with HA.
As you have Netscreen devices, this should be sufficient, I suppose. You can also use GNS3 to run Cisco routers virtually, so you can test compatibility between different vendors. I now have an SRX100H as well, as in my opinion it is best to have 3 appliances for real testing. Last but not least, don't forget to stick to the exam objectives at http://www.juniper.net/us/en/training/certification/resources_jncipsec.html
cheers.
Genco.