Configuring NetScreen Firewalls

The author did a wonderful job making this normally dry material easy to understand. I bet he's good looking too.

Author(s): Rob Cameron
Edition: 1
Publisher: Syngress
Year: 2005

Language: English
Pages: 737

Configuring NetScreen Firewalls......Page 1
Contents......Page 14
Foreword......Page 32
1 Networking, Security, and the Firewall......Page 34
Introduction......Page 35
The OSI Model......Page 36
Layer 7: The Application Layer......Page 37
Layer 4: The Transport Layer......Page 38
Moving Data Along with TCP/IP......Page 39
Understanding IP......Page 40
IP Packets......Page 42
What Does an IP Address Look Like?......Page 45
IP Address Allocation......Page 46
TCP Communications......Page 47
What is a Port?......Page 49
Data Link Layer Communication......Page 50
Understanding Security Basics......Page 52
Introducing Common Security Standards......Page 53
Common Information Security Concepts......Page 54
Defining Information Security......Page 55
Insecurity and the Internet......Page 57
Using VPNs in Today's Enterprise......Page 60
The Battle for the Secure Enterprise......Page 61
Types of Firewalls......Page 63
Packet Filters......Page 64
Stateful Inspection......Page 65
Firewall Incarnate......Page 66
DMZ Concepts......Page 67
Traffic Flow Concepts......Page 72
Networks with and without DMZs......Page 76
Pros and Cons of DMZ Basic Designs......Page 77
DMZ Design Fundamentals......Page 79
Why Design Is So Important......Page 80
Traffic Flow and Protocol Fundamentals......Page 81
Solutions Fast Track......Page 83
Frequently Asked Questions......Page 84
2 Dissecting the NetScreen Firewall......Page 88
Introduction......Page 89
The NetScreen Security Product Offerings......Page 90
Firewalls......Page 91
SSL VPN......Page 92
IDP......Page 94
Zones......Page 96
Interface Modes......Page 97
Policies......Page 98
Deep Inspection......Page 99
Device Architecture......Page 101
Product Line......Page 103
NetScreen-Remote Client......Page 105
Small Office Home Office......Page 106
Mid-Range......Page 110
High-Range......Page 112
Enterprise Class......Page 116
Next Generation Enterprise Class......Page 118
Carrier Class......Page 120
Enterprise Management......Page 122
Summary......Page 124
Solutions Fast Track......Page 125
Frequently Asked Questions......Page 127
3 Deploying NetScreen Firewalls......Page 130
Managing the NetScreen Firewall......Page 131
Serial Console......Page 132
Secure Shell......Page 133
WebUI......Page 134
Administrative Users......Page 135
The Local File System and the Configuration File......Page 137
Using the Command Line Interface......Page 141
Using the Web User Interface......Page 146
Securing the Management Interface......Page 147
Updating ScreenOS......Page 163
System Recovery......Page 164
Configuring the NetScreen Firewall......Page 167
Security Zones......Page 168
Virtual Routers......Page 169
Security Zone Interfaces......Page 170
Function Zone Interfaces......Page 172
Configuring Security Zones......Page 173
Configuring Your NetScreen for the Network......Page 179
Binding an Interface to a Zone......Page 180
Configuring the DHCP Client......Page 181
Using PPPoE......Page 182
Interface Speed Modes......Page 183
Port Mode Configuration......Page 184
Configuring Basic Network Routing......Page 186
Setting The Time......Page 190
DHCP Server......Page 192
DNS......Page 196
SNMP......Page 197
Syslog......Page 200
WebTrends......Page 201
Resources......Page 202
Summary......Page 203
Solutions Fast Track......Page 204
Frequently Asked Questions......Page 205
4 Policy Configuration......Page 208
NetScreen Policies......Page 209
Theory Of Access Control......Page 212
Types of NetScreen Policies......Page 213
Intrazone Policies......Page 214
Default Policy......Page 215
Policy Checking......Page 216
Getting Ready to Make a Policy......Page 217
Zones......Page 219
Creating Address Book Entries......Page 220
Address Groups......Page 223
Creating Custom Services......Page 225
Modifying and Deleting Services......Page 227
Service Groups......Page 228
Creating a Policy......Page 229
Creating a Policy via the WebUI......Page 230
Reordering Policies in the WebUI......Page 233
Creating a Policy via the CLI......Page 236
Other Policy Options Available in the CLI......Page 241
Summary......Page 242
Solutions Fast Track......Page 243
Frequently Asked Questions......Page 244
5 Advanced Policy Configuration......Page 246
Network Traffic Management......Page 247
The Benefits of Traffic Shaping......Page 248
Packet Queuing......Page 249
Guaranteed Bandwidth......Page 250
Traffic Shaping Example 1......Page 254
Traffic Shaping Example 2......Page 255
Interface Bandwidth......Page 258
Policy Configuration......Page 260
Advanced Policy Options......Page 262
Counting......Page 263
Configuring Counting......Page 266
Configuring Traffic Alarms......Page 269
Scheduling......Page 270
Configuring Scheduling......Page 271
Authentication......Page 274
Configuring Authentication......Page 275
Solutions Fast Track......Page 283
Frequently Asked Questions......Page 285
6 User Authentication......Page 288
Uses of Each Type......Page 289
Auth Users......Page 290
IKE Users......Page 291
L2TP Users......Page 292
Local Database......Page 293
External Auth Servers......Page 294
Object Properties......Page 295
RADIUS......Page 296
SecurID......Page 298
LDAP......Page 300
How to Change......Page 303
Authentication Types......Page 304
Auth Users and User Groups......Page 305
IKE Users and User Groups......Page 306
XAuth Users and User Groups......Page 307
L2TP Users and User Groups......Page 309
Admin Users and User Groups......Page 311
User Groups and Group Expressions......Page 312
Solutions Fast Track......Page 314
Frequently Asked Questions......Page 315
7 Routing......Page 318
Virtual Routers......Page 319
Creating Virtual Routers......Page 320
Route Selection......Page 321
Set Route Preference......Page 322
Set Route Metric......Page 324
Route Redistribution......Page 326
Configuring a Route Access List......Page 327
Configuring A Route Map......Page 328
Basic RIP Configuration......Page 330
Configuring RIP......Page 331
OSPF Concepts......Page 335
Basic OSPF Configuration......Page 336
Basic BGP Configuration......Page 341
Solutions Fast Track......Page 347
Frequently Asked Questions......Page 349
8 Address Translation......Page 350
Advantages of Address Translation......Page 351
NetScreen NAT Overview......Page 354
NetScreen Packet Flow......Page 355
Source NAT......Page 357
Interface-based Source Translation......Page 358
MIP Limitations......Page 359
MIP Scenarios......Page 360
Policy-based Source NAT......Page 364
DIP......Page 366
VIP......Page 371
Policy-based Destination NAT......Page 373
Destination NAT Scenarios......Page 374
Destination PAT Scenario......Page 378
Source and Destination NAT Combined......Page 379
Summary......Page 380
Solutions Fast Track......Page 381
Frequently Asked Questions......Page 383
9 Transparent Mode......Page 386
NAT Mode......Page 387
Route Mode......Page 388
How Transparent Mode Works......Page 389
Broadcast Methods......Page 390
Configuring a Device to Use Transparent Mode......Page 391
VLAN1 Interface......Page 392
Converting an Interface to Transparent Mode......Page 394
Network Segmentation......Page 396
VPNs with Transparent Mode......Page 402
Solutions Fast Track......Page 409
Frequently Asked Questions......Page 410
10 Attack Detection and Defense......Page 412
Understanding the Anatomy of an Attack......Page 413
Script Kiddies......Page 414
Black Hat Hackers......Page 416
Worms, Viruses, and other Automated Malware......Page 418
Configuring SCREEN Settings......Page 421
Port Scans and Sweeps......Page 422
IP Protocol Manipulation......Page 423
Flood Attacks......Page 424
Protocol Attacks......Page 426
Applying Deep Inspection......Page 427
Getting the Database......Page 429
Configuring the Firewall for Automatic DI Updates......Page 430
Loading the Database Manually......Page 431
Using Attack Objects......Page 432
Enabling Deep Inspection with a Policy using the WebUI......Page 433
Enabling Deep Inspection with a Policy using the CLI......Page 435
Explanation of Deep Inspection Contexts and Regular Expressions......Page 438
Creating Your Own Signatures......Page 445
WebSense Redirect Mode......Page 450
SurfControl Redirect Mode......Page 452
SurfControl Integrated Mode......Page 453
Enforcing URL Filtering......Page 454
Configuring Global Antivirus Parameters......Page 455
Configuring Scan Manager Settings......Page 457
Activating Antivirus Scanning......Page 459
Understanding Application Layer Gateways......Page 460
Zone Isolation......Page 462
Retain Monitoring Data......Page 463
Keep Systems Updated......Page 464
Summary......Page 465
Solutions Fast Track......Page 466
Frequently Asked Questions......Page 469
11 VPN Theory and Usage......Page 472
Introduction......Page 473
IPSec Modes......Page 474
Protocols......Page 475
Key Management......Page 476
IPSec Tunnel Negotiations......Page 477
Phase 1......Page 478
Phase 2......Page 479
Public Key Cryptography......Page 480
Certificates......Page 481
Site-to-Site VPNs......Page 482
Policy-based VPNs......Page 484
Creating a Policy-Based Site-to-Site VPN......Page 485
Route-based VPNs......Page 490
NetScreen Remote......Page 491
L2TP VPNs......Page 498
VPN Monitoring......Page 499
Gateway Redundancy......Page 500
Hub and Spoke VPNs......Page 501
Multi-tunnel Interfaces......Page 502
Solutions Fast Track......Page 503
Mailing Lists......Page 506
Frequently Asked Questions......Page 507
12 Virtual Systems......Page 508
What Is a Virtual System?......Page 509
Virtual System Components......Page 510
Classifying Traffic......Page 511
Virtual System Administration......Page 512
Creating a Virtual System......Page 513
Physical Interfaces......Page 516
Subinterfaces......Page 518
Shared Interface......Page 520
Solutions Fast Track......Page 524
Frequently Asked Questions......Page 525
13 High Availability......Page 528
The Need for High Availability......Page 529
Failing Over Between Interfaces......Page 531
Using Dual Untrust Interfaces to Provide Redundancy......Page 532
Example: Configuration for Dual ADSL Modems......Page 533
Example: Advanced Configuration for ADSL Modem Plus ADSL Router......Page 535
Falling Back to Dial-up......Page 537
Example: A Simple Backup Dial-up Configuration......Page 538
Example: An Advanced Backup Dial-up Configuration......Page 539
Example: Marking FTP as Not Allowed When Using the Serial Interface......Page 542
Using IP Tracking to Determine Failover......Page 543
Example: Tracking the Default Gateway......Page 544
Example: A More Complex IP Tracking Scenario......Page 545
Monitoring VPNs to Determine Failover......Page 546
Example: Monitoring One VPN Tunnel, with Fall-back to a Second Unmonitored Tunnel......Page 547
Introducing the NetScreen Redundancy Protocol......Page 550
Virtualizing the Firewall......Page 552
Understanding NSRP States......Page 554
The Value of Dual HA Links......Page 555
Building an NSRP Cluster......Page 557
Disadvantages......Page 558
Disadvantages......Page 559
Cabling for a Full-mesh Configuration......Page 560
Advantages......Page 561
Disadvantages......Page 562
Example: Setting the Cluster ID......Page 563
Synchronizing the Configuration......Page 564
Initial Synchronization Procedure #1......Page 565
Initial Synchronization Procedure #2......Page 567
Determining When to Failover – The NSRP Ways......Page 568
Using NSRP Heartbeats......Page 569
Using Optional NSRP Monitoring......Page 570
Example: Lowering the Failover Threshold......Page 571
Example: A More Complex Interface Monitoring Setup......Page 572
Using NSRP Zone Monitoring......Page 573
Example: Using Combined Interface and Zone Monitoring......Page 574
Using NSRP IP Tracking......Page 575
Example: Using IP Tracking to Determine VPN Availability......Page 577
Example: Combining Interface, Zone, and IP Tracking Monitoring......Page 579
Looking into an NSRP Cluster......Page 583
Example: NS-500 Firewall and NSEP cluster......Page 584
Basic NSRP-Lite Usage......Page 588
Example: Providing HA Internet Access......Page 589
Example: HA Internet via Dual Providers......Page 593
Creating Redundant Interfaces......Page 599
Example: A Simple Redundant Interface Setup......Page 600
Taking Advantage of the Full NSRP......Page 602
Example: Preventing Certain Sessions from Being Backed Up......Page 603
Setting Up an Active/Active Cluster......Page 604
Example: A Typical Active/Active Setup......Page 606
Example: A Full-mesh Active/Active Setup......Page 612
Failing Over......Page 619
Example: Adjusting the Number of ARP Packets Sent After Failover......Page 620
Example: Binding a VSYS to VSD Group 1......Page 621
Avoiding the Split-brain Problem......Page 622
Avoiding the No-brain Problem......Page 624
Summary......Page 627
Solutions Fast Track......Page 628
Frequently Asked Questions......Page 632
14 Troubleshooting the NetScreen Firewall......Page 634
Troubleshooting Methodology......Page 635
Step Four – Identify the Cause of the Problem......Page 636
Troubleshooting Tools......Page 637
Ping......Page 638
Traceroute......Page 639
Get Session......Page 640
Get Policy......Page 641
Get Interface......Page 642
Get ARP......Page 643
Debug......Page 644
Snoop......Page 645
Debugging the NetScreen Device......Page 646
Debugging NAT......Page 649
Debugging VPNs......Page 650
Policy-based VPN......Page 651
Debugging NSRP......Page 652
Debugging Traffic Shaping......Page 653
NetScreen Logging......Page 654
Event......Page 655
Solutions Fast Track......Page 656
Frequently Asked Questions......Page 659
15 Enterprise NetScreen Management......Page 660
Syslog......Page 661
WebTrends......Page 663
SNMP......Page 664
E-mail and Log Settings......Page 669
NetScreen Security Manager......Page 671
The Anatomy of NSM......Page 672
Installing NSM......Page 675
Using the GUI for the First Time......Page 686
Adding and Managing a Device in NSM......Page 688
Using the Logs......Page 693
Creating and Using Objects......Page 695
Creating VPNs......Page 699
Solutions Fast Track......Page 704
Frequently Asked Questions......Page 705
Appendix A ScreenOS 510 Enhancements and New Features......Page 708
New Features in ScreenOS 510......Page 709
Extra Banner......Page 710
Dynamic DNS......Page 711
Outgoing Dialup Policy for L2TP and L2TP over IPSEC......Page 712
NSRP Active/Active enhancements......Page 713
PPPoE and NSRP......Page 714
RIP Enhancements......Page 715
Microsoft RPC ALG-Remote Procedure Call Application Layer Gateway......Page 716
H323......Page 717
DiffServ Code Point Marking......Page 718
NAT-Traversal......Page 719
Index......Page 720