Monday 19 August 2013

Junos: DDOS Protection

DDoS policers are enabled by default for all supported protocol groups and packet types. Policers are established at the level of the individual line card and the Routing Engine. You can disable the line card policers globally for all MPCs or FPC5s. You can also disable the Routing Engine policer. When you disable either of these policers, the policers at that level for all protocol groups and packet types are disabled.
DDoS logging is also enabled by default. You can disable all DDoS event logging (including flow detection event logging) for all protocol groups and packet types across the router.


To configure global DDoS settings:
  1. (Optional) Disable line card policers.
    [edit system ddos-protection global]user@host# set disable-fpc
  2. (Optional) Disable Routing Engine policers.
    [edit system ddos-protection global]user@host# set disable-routing-engine
  3. (Optional) Disable event logging.
    [edit system ddos-protection global]user@host# set disable-logging
at 1 comment:

Monday 12 August 2013

Junos : Firewall Authentication Part 2

Pass-through firewall user authentication occurs when the client is trying to access a destination on another zone using FTP, Telnet, or HTTP. After authenticating successfully, the firewall acts as a proxy for an FTP, Telnet, or HTTP server so that it can first authenticate the user before allowing access to the actual FTP, Telnet, or HTTP server behind the firewall

Configuring Pass-Through Firewall Authentication
Image auth-passthrough.gif



To configure the device for pass-through firewall authentication as shown in above, follow these steps:
  1. Create IP addresses for the interfaces on the device.
    user@host# set interfaces ge-0/0/1
    user@host# set unit 0 family inet address 20.20.20.1/24
    user@host# set unit 0 family inet address 20.20.20.2/24
    user@host# set interfaces ge-5/0/0
    user@host# set unit 0 family inet address 30.30.30.1/24
    user@host# set unit 0 family inet address 30.30.30.2/24
  2. Create an access profile, FWAUTH, for FWClient1 and specify a password, pwd.
    user@host# set access profile FWAUTH client FWClient1 firewall-user password pwd
  3. Add the FWAUTH profile for pass-through firewall authentication and define a success banner for Telnet sessions.
    user@host# set access firewall-authentication pass-through default-profile FWAUTH
    user@host# set access firewall-authentication pass-through telnet banner success "WELCOME TO JUNIPER TELNET SESSION"
  4. Create security zones.
    user@host# set security zones security-zone UT-ZONE host-inbound-traffic system-services all
    user@host# set security zones security-zone UT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic protocols all
    user@host# set security zones security-zone T-ZONE host-inbound-traffic system-services all
    user@host# set security zones security-zone T-ZONE interfaces fe-5/0/0.0 host-inbound-traffic protocols all
  5. Assign a security policy, policy1, to the zones.
    user@host# set security policies from-zone UT-ZONE to-zone T-ZONE policy policy1 match source-address any
    user@host# set security policies from-zone UT-ZONE to-zone T-ZONE policy policy1 match destination-address any
    user@host# set security policies from-zone UT-ZONE to-zone T-ZONE policy policy1 match application junos-telnet
    user@host# set security policies from-zone UT-ZONE to-zone T-ZONE policy policy1 then permit firewall-authentication pass-through client-match FWclient1
  6. Use Telnet to autheticate firewall user, FWClient1, to host2.
    regress@FWClient1# run telnet 30.30.30.2
    Trying 30.30.30.2...
    Connected to 30.30.30.2.
    Escape character is '^]'.
    Firewall User Authentication
    Username: FWClient1
    Password:***
    WELCOME TO JUNIPER TELNET SESION
    Host1 (ttyp0)
    login: regress
    Password:
    --- JUNOS 8.5R1.1 built 2007-10-12 13:30:18 UTC
    %
  7. If you are finished configuring the device, commit the configuration.
at No comments:

Sunday 4 August 2013

Junos : Firewall Authentication Part 1

Web authentication is an alternative to pass-through user authentication. Instead of pointing to the resource that you want to connect to from your client browser, you point the browser to an IP address on the device that is enabled for Web authentication. This initiates an HTTP session to the IP address hosting the Web authentication feature on the device. The device then prompts you for your username and password and caches the result in the device. Later, when traffic encounters a Web authentication policy, you are allowed or denied access based on the prior Web authentication results.
Web Authentication Example
Image webauth_prepol_chk.gif
Follow these Web authentication guidelines:
  • You can leave the default Web authentication server as the local database or you can choose an external authentication server for the role. The default Web authentication profile determines if the user authenticates using the local database or the external authentication server. An access profile stores usernames and passwords of users or points to external authentication servers where such information is stored.
  • The Web authentication address must be in the same subnet as the interface that you want to use to host it. For example, if you want authentication users to connect using Web authentication through ethernet3, which has IP address 1.1.1.1/24, then you can assign Web authentication an IP address in the 1.1.1.0/24 subnet.
  • You can put a Web authentication address in the same subnet as the IP address of any physical interface or virtual security interface (VSI). (For information about different types of interfaces.
  • You can put Web authentication addresses on multiple interfaces.
  • After a device authenticates a user at a particular source IP address, it subsequently permits traffic—as specified in the policy requiring authentication through Web authentication—from any other user at that same address. This might be the case if the user originates traffic from behind a NAT device that changes all original source addresses to a single translated address.
  • With Web authentication enabled, any HTTP traffic to the IP address will get the Web authentication login page instead of the administrator login page. Disabling this option will show the administrator login page (assuming that [system services web-management HTTP] is enabled.
at No comments:
Subscribe to: Posts (Atom)
loading...