
Configuring NetScreen Firewalls




DOCUMENT INFORMATION

Basic information

Format
Pages: 737
Size: 10.96 MB

Contents

Register for Free Membership to solutions@syngress.com

Over the last few years, Syngress has published many best-selling and critically acclaimed books, including Tom Shinder’s Configuring ISA Server 2000, Brian Caswell and Jay Beale’s Snort 2.0 Intrusion Detection, and Angela Orebaugh and Gilbert Ramirez’s Ethereal Packet Sniffing. One of the reasons for the success of these books has been our unique solutions@syngress.com program. Through this site, we’ve been able to provide readers a real time extension to the printed book. As a registered owner of this book, you will qualify for free access to our members-only solutions@syngress.com program. Once you have registered, you will enjoy several benefits, including:

■ Four downloadable e-booklets on topics related to the book. Each booklet is approximately 20-30 pages in Adobe PDF format. They have been selected by our editors from other best-selling Syngress books as providing topic coverage that is directly related to the coverage in this book.
■ A comprehensive FAQ page that consolidates all of the key points of this book into an easy to search web page, providing you with the concise, easy to access data you need to perform your job.
■ A “From the Author” Forum that allows the authors of this book to post timely updates, links to related sites, or additional topic coverage that may have been requested by readers.

Just visit us at www.syngress.com/solutions and follow the simple registration process. You will need to have this book with you when you register. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there is anything else we can do to make your job easier.

312_NetScr_FM.qxd 11/29/04 3:41 PM Page i

Configuring NetScreen® Firewalls

Rob Cameron, NSA, JNCIA-FWV
Christopher Cantrell, NS-IDP
Dave Killion, NSCA, NSCP
Kevin Russell, JNCIS-FWV
Kenneth Tam, NSCP, JNCIS-FWV

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Configuring NetScreen Firewalls
Copyright © 2005 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0

ISBN: 1-932266-39-9

Publisher: Andrew Williams
Page Layout and Art: Patricia Lupien
Acquisitions Editor: Jaime Quigley
Copy Editor: Amy Thomson
Technical Editors: C.J. Cui and Thomas Byrne
Indexer: Odessa&Cie
Cover Designer: Michael Kavish

Distributed by O’Reilly Media, Inc. in the United States and Canada. For information on rights and translations, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email matt@syngress.com or fax to 781-681-3585.

Acknowledgments

Syngress would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc. The enthusiasm and work ethic at O’Reilly is incredible and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop, Tim Hinton, Kyle Hart, Sara Winge, C. J.
Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Dawn Mann, Kathryn Barrett, John Chodacki, and Rob Bullington. And a hearty welcome to Aileen Berg—glad to be working with you.

The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Rosie Moss, Chris Hossack, Mark Hunt, and Krista Leppiko, for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, and Joseph Chan of STP Distributors for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.

Lead Author

Rob Cameron (CCSA, CCSE, CCSE+, NSA, JNCIA-FWV, CCSP, CCNA, INFOSEC, RSA SecurID CSE) is an IT consultant who has worked with over 200 companies to provide network security planning and implementation services. He has spent the last five years focusing on network infrastructure and extranet security. His strengths include Juniper’s NetScreen Firewall products, NetScreen SSL VPN Solutions, Check Point Firewalls, the Nokia IP appliance series, Linux, Cisco routers, Cisco switches, and Cisco PIX firewalls. Rob strongly appreciates his wife Kristen’s constant support of his career endeavors.
He wants to thank her for all of her support through this project.

Technical Editors

C.J. Cui (CISSP, JNCIA) is Director of Professional Services for NetWorks Group, an information security consulting company headquartered in Brighton, Michigan. NetWorks Group provides information security solutions that mitigate risk while enabling secure online business. C.J. leads the technical team at NetWorks Group to deliver information security services to customers ranging from medium-sized companies to Fortune 500 corporations. These services touch every part of the security lifecycle—from enterprise security management, security assessment and audit to solution design and implementation—and leverage leading edge technologies including firewall/VPN, intrusion prevention, vulnerability management, malicious code protection, identity management and forensics analysis. C.J. holds an M.S. degree from Michigan State University and numerous industrial certifications. He is a board member of ISSA Motor City Chapter and serves as the Director of Operations for the chapter.

Thomas Byrne is a Code Monkey with NetScreen Technologies (now Juniper Networks). He currently does design, planning, and implementation on Juniper’s Security Manager, their next-generation network management software. Tom’s background includes positions as a UI Architect at ePatterns, and as a senior developer and consultant for several Silicon Valley companies, including Lightsocket.com and Abovenet. Tom is an active developer on several open-source projects and a voracious contributor to several online technology forums. Tom currently lives in Silicon Valley with his wife Kelly, and children, Caitlin and Christian.

Contributing Authors

Dave Killion (NSCA, NSCP) is a senior security research engineer with Juniper Networks, Inc. Formerly with the U.S. Army’s Information Operations Task Force as an Information Warfare Specialist, he currently researches, develops, and releases signatures for the NetScreen Deep Inspection and Intrusion Detection and Prevention platforms. Dave has also presented at several security conventions including DefCon and ToorCon, with a proof-of-concept network monitoring evasion device in affiliation with several local security interest groups that he helped form. Dave lives south of Silicon Valley with his wife Dawn and two children, Rebecca and Justin.

Kevin Russell (JNCIA-FWV, JNCIA-IDP) is a system engineer for Juniper Networks, specializing in firewalls, IPSEC, and intrusion detection and prevention systems. His background includes security auditing, implementation, and design. Kevin lives in Michigan with his wife and two children.

Chris Cantrell (NetScreen IDP) is a Director of System Engineering – Central Region for the Security Products Group at Juniper Networks. His career has spanned over 12 years, the last 8 focused in network and application security. Chris joined OneSecure in late 2000 where he was an active member of the team who designed and was responsible for the introduction of their intrusion prevention product, the IDP. In 2002, OneSecure was acquired by NetScreen Technologies, which was most recently acquired by Juniper Networks, where Chris continues to manage their security sales engineering team for the Central Region. Chris attended Auburn University at Montgomery where his focus was on business and management information systems. Chris lives in Denver, Colorado with his wife Maria and two children, Dylan and Nikki.

Kenneth Tam (JNCIS-FWV, NCSP) is Sr. Systems Engineer at Juniper Networks Security Product Group (formerly NetScreen Technologies).
Kenneth worked in pre-sales for over 4 years at NetScreen since the startup days and has been one of many key contributors in building NetScreen as one of the most successful security companies. As such, his primary role has been to provide pre-sale technical assistance in both design and implementation of NetScreen solutions. Kenneth is currently covering the upper Midwest U.S. region. His background includes positions as a Senior Network Engineer in the Carrier Group at 3Com Corporation, and as an application engineer at U.S. Robotics. Kenneth holds a bachelor’s degree in computer science from DePaul University. He lives in the suburbs of Chicago, Illinois with his wife Lorna and children, Jessica and Brandon.

[...]

Contents (excerpt)

    Loopback Interfaces
    Configuring Security Zones
    Configuring Your NetScreen for the Network
    Binding an Interface to a Zone
    Setting up IP Addressing
    Configuring the DHCP Client
    Using PPPoE
    Interface Speed Modes
    Port Mode Configuration
    Configuring Basic Network Routing
    Configuring System Services ... 94

Chapter 3 Deploying NetScreen Firewalls 97
    Introduction 98
    Managing the NetScreen Firewall 98
    NetScreen Management Options 99
    Serial Console 99
    Telnet 100
    Secure Shell 100
    WebUI 101
    The NetScreen-Security Manager ...

    ... 50
    Frequently Asked Questions 51

Chapter 2 Dissecting the NetScreen Firewall
    Introduction
    The NetScreen Security Product Offerings
    Firewalls
    SSL VPN
    IDP
    The NetScreen Firewall Core Technologies
    Zones
    Virtual Routers ...

    Traffic Shaping Examples
    Traffic Shaping Example 1
    Traffic Shaping Example 2
    Configuring Traffic Shaping
    Interface Bandwidth
    Policy Configuration
    Advanced Policy Options
    Counting
    Configuring Counting
    Configuring Traffic Alarms ...

    Route Metric 291
    Route Redistribution 293
    Configuring a Route Access List 294
    Configuring A Route Map 295
    Routing Information Protocol 297
    RIP Concepts 297
    Basic RIP Configuration 297
    Configuring RIP 298
    Open Shortest Path First (OSPF) ...
    ... the NetScreen Redundancy Protocol 517
    Virtualizing the Firewall 519
    Understanding NSRP States 521
    The Value of Dual HA Links 522
    Building an NSRP Cluster 524
    Connecting the Firewalls Directly to the Routers 525
    Advantages 525
    Disadvantages 525
    Connecting the Firewalls... 623 626

Chapter 15 Enterprise NetScreen Management 627
    Introduction 628
    Alternative Methods for Monitoring NetScreen Devices 628
    Syslog 628
    WebTrends 630
    SNMP 631
    E-mail and Log Settings 636
    NetScreen Security Manager ...

[...] think it’s safe to assume that you either: a) own a NetScreen device, or b) are considering using one. Either choice shows excellent judgment, given that NetScreen is a proven, award-winning platform that can provide you with all of the above services, and do it very well. This book will give you the information to install, configure and manage your NetScreen firewalls, whether you are planning to install...

Contents
    Device Architecture 68
    The NetScreen Firewall Product Line 70
    Product Line 70
    NetScreen-Remote Client 72
    Small Office Home Office 73
    Mid-Range 77
    High-Range ...

Contents
    Scheduling
    Configuring Scheduling
    Authentication
    Configuring Authentication
    Summary
    Solutions Fast Track
    Frequently Asked Questions

Posted on: 25/03/2014, 11:12
