Docsity
Docsity

Przygotuj się do egzaminów
Przygotuj się do egzaminów

Studiuj dzięki licznym zasobom udostępnionym na Docsity


Otrzymaj punkty, aby pobrać
Otrzymaj punkty, aby pobrać

Zdobywaj punkty, pomagając innym studentom lub wykup je w ramach planu Premium


Informacje i wskazówki
Informacje i wskazówki


juniper check_point elektronika, Publikacje z Informatyka

juniper check_point elektronika

Typologia: Publikacje

Przed 2010

Załadowany 09.11.2025

slawomir-szczurek
slawomir-szczurek 🇵🇱

1 dokument

1 / 302

Toggle sidebar

Ta strona nie jest widoczna w podglądzie

Nie przegap ważnych części!

bg1
Juniper SDSN Workshop
Education Services Courseware
LAB GUIDE
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a
pf1b
pf1c
pf1d
pf1e
pf1f
pf20
pf21
pf22
pf23
pf24
pf25
pf26
pf27
pf28
pf29
pf2a
pf2b
pf2c
pf2d
pf2e
pf2f
pf30
pf31
pf32
pf33
pf34
pf35
pf36
pf37
pf38
pf39
pf3a
pf3b
pf3c
pf3d
pf3e
pf3f
pf40
pf41
pf42
pf43
pf44
pf45
pf46
pf47
pf48
pf49
pf4a
pf4b
pf4c
pf4d
pf4e
pf4f
pf50
pf51
pf52
pf53
pf54
pf55
pf56
pf57
pf58
pf59
pf5a
pf5b
pf5c
pf5d
pf5e
pf5f
pf60
pf61
pf62
pf63
pf64

Podgląd częściowego tekstu

Pobierz juniper check_point elektronika i więcej Publikacje w PDF z Informatyka tylko na Docsity!

Education Services Courseware

LAB GUIDE

Lab Guide

Lab 3–2 • Implementing AppSecure

Part 1: Verifying Access to the CLI and Client

In this lab part, you will become familiar with the access details used to access the lab

equipment. Once you are familiar with the access details, you will use the CLI to log in to your

designated station. Then, you will load the starting configuration for lab 3. Then, you verify that

you can log in to the Client and confirm that FTP and Web browsing are available on the desktop.

Note

You will only be able to FTP and Web browse within the

constraints that are created on the server.

Note

Depending on the class, the lab equipment used might be

remote from your physical location. The instructor will

inform you as to the nature of your access and will provide

you the details needed to access your assigned device.

Step 1.

Consult the Management Network Diagram to determine the management address of your

devices.

Question: What are the management addresses assigned to

your devices?

Answer: The answer varies. The sample hostname and IP

address used in the output examples in this lab are for vSRX-1,

which uses 172.25.11.1 as its management IP address. The

actual management subnet might vary between delivery

environments.

Step 1.

Access the CLI of vSRX-1 using either the console, Telnet, or SSH as directed by your instructor.

Refer to the management network diagram for the IP address associated with vSRX-1.

Step 1.

Log in to the vSRX-1 device with the username lab and a password of lab123. Note that both

the name and password are case-sensitive. Enter configuration mode and load the reset

configuration file using the load override ajsec/lab3-start.config command.

After the configuration has been loaded, commit the changes before proceeding.

vSRX-1 (ttyu0)

login: lab Password:

--- JUNOS 15.1X49-D70.3 built 2016-12-13 15:11:29 UTC lab@vSRX-1> configure

Implementing AppSecure • Lab 3–

Entering configuration mode

[edit] lab@vSRX-1# load override ajsec/ lab3-start.config

[edit] lab@vSRX-1# commit commit complete

[edit] lab@vSRX-1#

Step 1.

Access the CLI of vSRX-2 using either the console, Telnet, or SSH as directed by your instructor.

Refer to the management network diagram for the IP address associated with vSRX-2.

Step 1.

Log in to the vSRX-2 device with the username lab and a password of lab123. Note that both

the name and password are case-sensitive. Enter configuration mode and load the reset

configuration file using the load override ajsec/lab3-start.config command.

After the configuration has been loaded, commit the changes before proceeding.

vSRX-2 (ttyu0)

login: lab Password:

--- JUNOS 15.1X49-D70.3 built 2016-12-13 15:11:29 UTC lab@vSRX-2> configure Entering configuration mode

[edit] lab@vSRX-2# load override ajsec/ lab3-start.config

[edit] lab@vSRX-2# commit commit complete

[edit] lab@vSRX-2#

Part 2: Configuring AppFW and AppID Features

In this lab part, you configure an AppFW rule set to block FTP traffic that is being disguised as

Hypertext Transfer Protocol (HTTP) traffic on TCP port 8080. Then, you will verify that this traffic

is being blocked as intended.

Implementing AppSecure • Lab 3–

Question: Based on the output, which types of traffic does

vSRX-1 permit?

Answer: The vSRX-1 device is allowing HTTP using the default

TCP port 80, HTTP traffic using TCP port 8080, and DNS traffic

from the Untrust to Server zones.

Question: Will the HTTP policy block non-HTTP traffic that is

using TCP ports 80 or 8080 as the destination port?

Answer: No. The HTTP policy is only examining the traffic up to

Layer 4. As long as TCP ports 80 or 8080 are used as the

destination port, any application can be used.

Step 2.

Open a session to the Client device.

From the session established with the Client device, double-click the gFTP client icon that is on

the desktop.

Note

The gFTP client might resolve the

ajsecserver.ajsec.juniper.net FQDN to the

utmserver.utm.juniper.net FQDN. Both FQDNs resolve to

the same server so do not worry if this happens.

Lab 3–6 • Implementing AppSecure

Lab 3–8 • Implementing AppSecure

Step 2.

Return to the open session with the Client device.

From the open session with the Client device, disconnect from the current FTP session attempt.

Then, open an FTP session to the ajsecserver.ajsec.juniper.net URL and use port

8080 as the destination port. To log in, use the username of lab and password of lab.

Note

If you are unable to disconnect the current session you

might have to close the gFTP application and start it again.

Step 2.

Return to the open session with vSRX-1.

From the open session with vSRX-1, examine the session table by issuing the run show

security flow session command.

[edit security policies] lab@vSRX-1# run show security flow session Session ID: 4756, Policy name: Untrust-HTTP/5, Timeout: 1740, Valid In: 172.16.1.100/42676 --> 172.16.10.100/8080;tcp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 10, Bytes: 576, Out: 172.16.10.100/8080 --> 172.16.1.100/42676;tcp, Conn Tag: 0x0, If: ge-0/0/ 4.0, Pkts: 9, Bytes: 670, Total sessions: 1

Implementing AppSecure • Lab 3–

Question: Did the traffic make it through vSRX-1? Why or why

not? Which security policy did the traffic use?

Answer: Yes, the traffic made it through. This traffic appears to

be HTTP traffic that is using TCP port 8080 and is using the

Untrust-HTTP security policy, even though it is FTP traffic.

Question: Is this behavior a security threat?

Answer: Yes. An attacker could use this information to send

malicious traffic toward the internal server.

Question: How can you stop this type of unwanted traffic?

Answer: To stop the unwanted traffic, you can configure an

AppFW rule set that inspects the Layer 7 data.

Step 2.

Over the next couple of steps, you will examine the AppID database for application signatures

that are suitable for your situation.

Look for HTTP-related application signatures in the AppID database by issuing the run show

services application-identification application summary | match

http command.

[edit security policies] lab@vSRX-1# run show services application-identification application summary | match http junos:SOCKS2HTTP No 927 3 junos:HTTP-TUNNEL No 750 1 junos:HTTP2 No 2553 5 junos:ALIWANGWANG-HTTP No 11863 1 junos:CLOUDME-HTTP No 1471 2 junos:RYPPLE-HTTP No 11151 4 junos:BAIDU-HI-HTTP No 11859 3 junos:HTTP No 67 5 junos:DIASPORA-HTTP No 11065 1 junos:MMS-OVER-HTTP No 116 3 junos:VODDLER-HTTP No 573 1 junos:QQGAMES-HTTP No 11164 3 junos:VIBER-HTTP No 597 5 junos:YAHOO-FINANCE-HTTP No 11896 3 junos:GYGAN-HTTP No 10913 1 junos:WECHAT-HTTP No 12010 4

Implementing AppSecure • Lab 3–

Client-to-server Order: 5

Question: Could this application signature be useful in your

situation?

Answer: Yes. From the description and the parameters in the

port mapping and signature section, this application signature

could possibly help.

Question: Should you consider any other application

signatures?

Answer: The answer to this question depends on whether you

plan to create a blacklist or whitelist AppFW rule set. In this

situation, a whitelist approach is best because vSRX-1 should

only have to worry about processing HTTP traffic through an

AppFW rule set.

Step 2.

Navigate to the [edit security application-firewall] hierarchy level and

configure a rule set to only permit HTTP traffic and deny all other traffic. Then, return to the

[edit security policies global policy Untrust-HTTP] hierarchy level and

apply the AppFW rule set to the HTTP security policy. Also, configure the HTTP security policy to

log session initialization attempts and session closures.

[edit security policies] lab@vSRX-1# up 1 edit application-firewall rule-sets protect-server

[edit security application-firewall rule-sets protect-server] lab@vSRX-1# set rule HTTP match dynamic-application junos:HTTP

[edit security application-firewall rule-sets protect-server] lab@vSRX-1# set rule HTTP then permit

[edit security application-firewall rule-sets protect-server] lab@vSRX-1# set default-rule deny

[edit security application-firewall rule-sets protect-server] lab@vSRX-1# top edit security policies global policy Untrust-HTTP

[edit security policies global policy Untrust-HTTP] lab@vSRX-1# set then permit application-services application-firewall rule-set protect-server

[edit security policies global policy Untrust-HTTP] lab@vSRX-1# set then log session-init session-close

Lab 3–12 • Implementing AppSecure

[edit security policies global policy Untrust-HTTP] lab@vSRX-1#

Question: If you commit the configuration at this point, will the

AppFW logs be recorded locally on vSRX-1?

Answer: The answer depends on what is configured under the

syslog files. If you have a syslog file with the correct severity and

facility levels configured, the answer is yes. If the correct

severity and facility is not configured, the answer is no.

Step 2.

Navigate to the [edit system syslog] hierarchy level and configure the AppSecure-log

file to log messages with the severity and facility levels of any any. Then, configure the log file

to only match messages that contain the RT_FLOW tag. Commit the configuration when you are

finished.

[edit security policies global policy Untrust-HTTP] lab@vSRX-1# top edit system syslog

[edit system syslog] lab@vSRX-1# set file AppSecure-log any any

[edit system syslog] lab@vSRX-1# set file AppSecure-log match RT_FLOW

[edit system syslog] lab@vSRX-1# commit commit complete

[edit system syslog] lab@vSRX-1#

Step 2.

Return to the open session established with the client.

From the open session established with client, disconnect the previous FTP attempt. Then,

attempt the FTP connection using port 8080 again.

Lab 3–14 • Implementing AppSecure

Question: Is the AppFW rule set denying the FTP session?

Answer: The output suggests that the FTP session is being

denied. However, although the output shows that the default

rule is being hit, it does not specifically note exactly what is

being blocked.

Step 2.

Examine the ASC with the run show service application-identification

application-system-cache command to determine whether there is a result for the

recent FTP traffic.

[edit system syslog] lab@vSRX-1# run show service application-identification application-system-cache Application System Cache Configurations: application-cache: on cache-entry-timeout: 3600 seconds pic: 0/ Logical system name: 0 IP address: 172.16.10.100 Port: 8080 Protocol: TCP Application: FTP Encrypted: No Classification Path: IP:TCP:FTP

Question: What information does the output display?

Answer: The output displays that the FTP session is being

recorded in the ASC. The output also shows the destination port

of 8080.

Step 2.

Examine the AppSecure-log for the results of the session messages that relate to the FTP

session by issuing the run show log AppSecure-log command.

[edit system syslog] lab@vSRX-1# run show log AppSecure-log Feb 15 23:26:23 vSRX-1 mgd[26488]: UI_CFG_AUDIT_SET: User 'lab' set: [system syslog file AppSecure-log match] "RT_FLOW -> "RT_FLOW" Feb 15 23:26:23 vSRX-1 mgd[26488]: UI_CMDLINE_READ_LINE: User 'lab', command 'set file AppSecure-log match RT_FLOW ' Feb 15 23:27:22 vSRX-1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 172.16.1.100/41140->172.16.10.100/8080 0x0 None 172.16.1.100/ 41140->172.16.10.100/8080 0x0 N/A N/A N/A N/A 6 Untrust-HTTP(global) Untrust Server 6179 N/A(N/A) ge-0/0/3.0 UNKNOWN UNKNOWN UNKNOWN Feb 15 23:27:22 vSRX-1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 172.16.1.100/ 41140->172.16.10.100/8080 0x0 None 6(0) Untrust-HTTP(global) Untrust Server FTP UNKNOWN N/A(N/A) ge-0/0/3.0 No appfw deny

Implementing AppSecure • Lab 3–

Feb 15 23:27:22 vSRX-1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed application failure or action junos-appfw: 172.16.1.100/41140->172.16.10.100/8080 0x0 None 172.16.1.100/41140->172.16.10.100/8080 0x0 N/A N/A N/A N/A 6 Untrust-HTTP(global) Untrust Server 6179 2(112) 2(132) 1 FTP UNKNOWN N/A(N/A) ge-0/0/3.0 No May 10 17:26:28 vSRX-1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed application failure or action: 172.16.1.100/54734->172.16.10.100/8080 None 172.16.1.100/ 54734->172.16.10.100/8080 None None 6 HTTP Untrust Trust 24206 4(226) 2(132) 1 FTP UNKNOWN N/A(N/A) ge-0/0/8.0 No

Question: What is the reason given for closing the session?

Answer: The message of application failure or

action is given as the reason for closing the session.

Part 3: Building Custom Application Signatures

In this lab part, you will configure a custom application signature that you will use in an AppFW

rule set to block specific traffic. Then, you will verify that this traffic is being blocked by the

AppFW rule set.

Step 3.

Return to the open session established with the client.

From the open session established with client, open the Web browser by double-clicking the

Firefox icon. If necessary, you can close the gFTP client now.

Implementing AppSecure • Lab 3–

[edit system syslog] lab@vSRX-1# top edit services application-identification application AJSEC-FILES

[edit services application-identification AJSEC-FILES] lab@vSRX-1#

Step 3.

Configure the application signature to match on HTTP and then configure signature s-01 to

match on the http-header-host context within the m01 member.

[edit services application-identification AJSEC-FILES] lab@vSRX-1# set over HTTP signature s-01 member m01 context http-header-host

Step 3.

Configure member m01 with the pattern match of

"(.*.)?(ajsecserver.ajsec.juniper.net)".

[edit services application-identification AJSEC-FILES] lab@vSRX-1# set over HTTP signature s-01 member m01 pattern _"(..)?(ajsecserver.ajsec.juniper.net)"_*

Step 3.

Set the direction of member m01 to the client-to-server value.

[edit services application-identification application AJSEC-FILES] lab@vSRX-1# set over HTTP signature s-01 member m01 direction client-to-server

Step 3.

Configure the new member m02 with the context of http-url-parsed within the s-

signature, the pattern of /files/ , and the direction of client-to-server.

[edit services application-identification AJSEC-FILES] lab@vSRX-1# set over HTTP signature s-01 member m02 context http-url-parsed

[edit services application-identification AJSEC-FILES] lab@vSRX-1# set over HTTP signature s-01 member m02 pattern /files/

[edit services application-identification AJSEC-FILES] lab@vSRX-1# set over HTTP signature s-01 member m02 direction client-to-server

[edit services application-identification AJSEC-FILES] lab@vSRX-1# show over HTTP { signature s-01 { member m01 { context http-header-host; pattern "(.*.)?(ajsecserver.ajsec.juniper.net)"; direction client-to-server; } member m02 { context http-url-parsed; pattern /files/; direction client-to-server; } } }

Lab 3–18 • Implementing AppSecure

Step 3.

Navigate to the [edit security application-firewall rule-sets

protect-server] hierarchy level. Then, create the rule AJSEC-FILES that denies traffic

when it matches on the AJSEC-FILES application signature. Examine the rule set after you

have added the new rule.

[edit services application-identification AJSEC-FILES] lab@vSRX-1# top edit security application-firewall rule-sets protect-server

[edit security application-firewall rule-sets protect-server] lab@vSRX-1# set rule AJSEC-FILES match dynamic-application AJSEC-FILES

[edit security application-firewall rule-sets protect-server] lab@vSRX-1# set rule AJSEC-FILES then deny

[edit security application-firewall rule-sets protect-server] lab@vSRX-1# show rule HTTP { match { dynamic-application junos:HTTP; } then { permit; } } rule AJSEC-FILES { match { dynamic-application AJSEC-FILES; } then { deny; } } default-rule { deny; }

[edit security application-firewall rule-sets protect-server] lab@vSRX-1#

Question: If you commit the configuration now, what will happen

to the traffic that would match the AJSEC-FILES signature you

just created?

Answer: The traffic would first match the HTTP rule in the rule

set and it would be allowed through vSRX-1. The traffic would

never hit the AJSEC-FILES rule.