Sie sind auf Seite 1von 578

1HW6FUHHQ &RQFHSW

([DPSOHV

6FUHHQ26 5HIHUHQFH *XLGH

9HUVLRQ  31  5HY &

1HW6FUHHQ &RQFHSWV

([DPSOHV

&RS\ULJKW 1RWLFH
Copyright 1998-2002 NetScreen Technologies, Inc. NetScreen Technologies, Inc., the NetScreen logo, NetScreen-5, NetScreen-5XP, NetScreen-10, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetSreen-208, NetScreen-500, NetScreen-1000, NetScreen-Global Manager, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote, GigaScreen ASIC, and NetScreen ScreenOS are trademarks and NetScreen is a registered trademark of NetScreen Technologies, Inc. All other trademarks and registered trademarks are the property of their respective companies. NetScreen Technologies, Inc. 350 Oakmead Parkway, Suite 500 Sunnyvale, CA 94085 U.S.A. www.netscreen.com

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

'LVFODLPHU
THE SPECIFICATIONS REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS, ELECTRONIC OR MECHANICAL, FOR ANY PURPOSE, WITHOUT RECEIVING WRITTEN PERMISSION FROM NETSCREEN TECHNOLOGIES INC.

)&& 6WDWHPHQW
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a light commercial installation. This equipment generates, uses and can radiate radio frequency energy, and, if not installed and used in accordance with the instruction, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an experienced radio/TV technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

3URGXFW /LFHQVH $JUHHPHQW


PLEASE READ THIS LICENSE AGREEMENT (AGREEMENTS) CAREFULLY BEFORE USING THIS PRODUCT. BY INSTALLING AND OPERATING, YOU INDICATE YOUR ACCEPTANCE OF THE TERMS OF THIS LEGAL AND BINDING AGREEMENT AND ARE CONSENTING TO BE BOUND BY AND ARE BECOMING A PART TO THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, DO NOT START THE INSTALLATION PROCESS. 1. License Grant. This is a license, not a sales agreement, between you, the end user, and NetScreen Technologies, Inc. (NetScreen). The term Software includes all NetScreen and third party Software provided to you with the NetScreen product, and includes any accompanying documentation, any updates and enhancements of the Software provided to you by NetScreen, at its option. NetScreen grants to you a non-transferable (except as provided in section 3 (Transfer) below), non-exclusive license to use the Software in accordance with the terms set forth in this License Agreement. The Software is in use on the product when it is loaded into temporary memory (i.e. RAM). 2. Limitation on Use. You may not attempt and if you are a corporation, you will use best efforts to prevent your employees and contractors from attempting to, (a) modify, translate, reverse engineer, decompile, disassemble, create, derivative works based

1HW6FUHHQ &RQFHSWV

([DPSOHV

LL

on, sublicense, or distribute the Software or the accompanying documentation; (b) rent or lease any rights in the Software or accompanying documentation in any form to any person; or (c) remove any proprietary notice, labels, or marks on the Software, documentation, and containers. 3. Transfer. You may transfer (not rent or lease) the Software to the end user on a permanent basis, provided that: (i) the end user receives a copy of this Agreement and agrees in writing to be bound by its terms and conditions, and (ii) you at all times comply with all applicable United States export control laws and regulations. 4. Proprietary Rights. All rights and title and interest in and to, and all intellectual property rights, including copyrights, to the software, and documentation, remain with NetScreen. You acknowledge that no title to the intellectual property in the Software is transferred to you and you will not acquire any rights to the Software except for the license as specifically set forth herein. 5. Term and Termination. The term of the license is for the duration of NetScreens copyright in the Software. NetScreen may terminate this Agreement immediately without notice if you breach or fail to comply with any of the terms and conditions of this Agreement. You agree that, upon such termination, you will either destroy all copies of the documentation or return all materials to NetScreen. The provisions of this Agreement, other than the license granted in Section 1 (License Grant) shall survive termination. 6. Limited Warranty. For a period of ninety (90) days after delivery to Customer, NetScreen will repair or replace any defective software product shipped to Customer, provided it is returned to NetScreen at Customers expense within that period. NetScreen warrants to Customer that such product will substantially conform with NetScreens published specifications for that product if properly used in accordance with the procedures described in documentation supplied by NetScreen. NetScreens exclusive obligation with respect to non-conforming product shall be, at NetScreens option, to replace the product or use commercially reasonable efforts to provide Customer with a correction of the defect, or to refund to customer the purchase price paid for the

unit. Defects in the product will be reported to NetScreen in a form and with supporting information reasonably requested by NetScreen to enable it to verify, diagnose, and correct the defect. For returned product, the customer shall notify NetScreen of any nonconforming product during the warranty period, obtain a return authorization for the nonconforming product, from NetScreen, and return the nonconforming product to NetScreens factory of origin with a statement describing the nonconformance. NOTWITHSTANDING ANYTHING HEREIN TO THE CONTRARY, THE FOREGOING IS CUSTOMERS SOLE AND EXCLUSIVE REMEDY FOR BREACH OF WARRANTY BY NETSCREEN WITH RESPECT TO THE PRODUCT. The warranties set forth above shall not apply to any Product or Hardware which has been modified, repaired or altered, except by NetScreen, or which has not been maintained in accordance with any handling or operating instructions supplied by NetScreen, or which has been subjected to unusual physical or electrical stress, misuse, abuse, negligence or accidents. THE FOREGOING WARRANTIES ARE THE SOLE AND EXCLUSIVE WARRANTIES EXPRESS OR IMPLIED GIVEN BY NETSCREEN IN CONNECTION WITH THE PRODUCT AND HARDWARE, AND NETSCREEN DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. NETSCREEN DOES NOT PROMISE THAT THE PRODUCT IS ERROR-FREE OR WILL OPERATE WITHOUT INTERRUPTION. 7. Limitation of Liability. IN NO EVENT SHALL NETSCREEN OR ITS LICENSORS BE LIABLE UNDER ANY THEORY FOR ANY INDIRECT, INCIDENTAL, COLLATERAL, EXEMPLARY, CONSEQUENTIAL OR SPECIAL DAMAGES OR LOSSES SUFFERED BY YOU OR ANY THIRD PARTY, INCLUDING WITHOUT LIMITATION LOSS OF USE, PROFITS, GOODWILL, SAVINGS, LOSS OF DATA, DATA FILES OR PROGRAMS THAT MAY HAVE BEEN STORED BY ANY USER OF THE SOFTWARE. IN NO EVENT WILL NETSCREEN'S OR ITS LICENSORS' AGGREGATE LIABILITY CLAIM BY YOU, OR ANYONE CLAIMING THROUGH OR ON BEHALF OF YOU, EXCEED THE ACTUAL AMOUNT PAID BY YOU TO NETSCREEN FOR SOFTWARE. Some jurisdictions do not allow

1HW6FUHHQ &RQFHSWV

([DPSOHV

LLL

the exclusions and limitations of incidental, consequential or special damages, so the above exclusions and limitations may not apply to you. 8. Export Law Assurance. You understand that the Software is subject to export control laws and regulations. YOU MAY NOT DOWNLOAD OR OTHERWISE EXPORT OR RE-EXPORT THE SOFTWARE OR ANY UNDERLYING INFORMATION OR TECHNOLOGY EXCEPT IN FULL COMPLIANCE WITH ALL UNITED STATES AND OTHER APPLICABLE LAWS AND REGULATIONS. 9. U.S. Government Restricted Rights. If this Product is being acquired by the U.S. Government, the Product and related documentation is commercial computer Product and documentation developed exclusively at private expense, and (a) if acquired by or on behalf of civilian agency, shall be subject to the terms of this computer Software, and (b) if acquired by or on behalf of units of the Department of Defense (DoD) shall be subject to terms of this commercial computer Software license Supplement and its successors.

10. Tax Liability. You agree to be responsible for the payment of any sales or use taxes imposed at any time whatsoever on this transaction. 11. General. If any provisions of this Agreement are held invalid, the remainder shall continue in full force and effect. The laws of the State of California, excluding the application of its conflicts of law rules shall govern this License Agreement. This Agreement will not be governed by the United Nations Convention on the Contracts for the International Sale of Goods. This Agreement is the entire agreement between the parties as to the subject matter hereof and supersedes any other Technologies, advertisements, or understandings with respect to the Software and documentation. This Agreement may not be modified or altered, except by written amendment, which expressly refers to this Agreement and which, is duly executed by both parties. You acknowledge that you have read this Agreement, understand it, and agree to be bound by its terms and conditions.

1HW6FUHHQ &RQFHSWV

([DPSOHV

LY

&RQWHQWV

&RQWHQWV
3UHIDFH  [LLL
1HW6FUHHQ 'RFXPHQWDWLRQ  [Y &RQFHSWV ([DPSOHV 0DQXDO 2UJDQL]DWLRQ  [YLL &RQYHQWLRQV  [L[
:HE8, 1DYLJDWLRQ &RQYHQWLRQV [L[ ([DPSOH 931V !! *DWHZD\ 3 !! 1HZ 5HPRWH 7XQQHO *DWHZD\ [L[ &/, &RQYHQWLRQV[[ ([DPSOH 3DUW   $FFHVV 3ROLFLHV IRU DQ (QWHUSULVH ZLWK 6L[ =RQHV 

&KDSWHU  =RQHV 


6HFXULW\ =RQHV 
*OREDO =RQH  

7XQQHO =RQHV
&UHDWLQJ D =RQH  0RGLI\LQJ D =RQH   'HOHWLQJ D =RQH  

&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH 


0XOWLSOH 6HFXULW\ =RQHV  6HFXULW\ =RQH ,QWHUIDFHV 
3K\VLFDO ,QWHUIDFHV  6XELQWHUIDFHV 

)XQFWLRQ =RQHV 


1XOO =RQH   0*7 =RQH   +$ =RQH  6HOI =RQH 

9LUWXDO 5RXWHUV 


5RXWH 5HGLVWULEXWLRQ 

$FFHVV 3ROLFLHV  931V 9LUWXDO 6\VWHPV 


=RQHV LQ D 9LUWXDO 6\VWHP ,QWHUIDFHV 9LUWXDO 5RXWHUV 

&KDSWHU  ,QWHUIDFHV 


,QWHUIDFH 7\SHV 
6HFXULW\ =RQH ,QWHUIDFHV   3K\VLFDO  6XELQWHUIDFH   )XQFWLRQ =RQH ,QWHUIDFHV  0DQDJHPHQW ,QWHUIDFH   +$ ,QWHUIDFH   7XQQHO ,QWHUIDFHV   9LHZLQJ LQWHUIDFHV   ,QWHUIDFH 7DEOH 

3DFNHW )ORZ 6HTXHQFH 


([DPSOH 3DUW   (QWHUSULVH ZLWK 6L[ =RQHV ([DPSOH 3DUW   ,QWHUIDFHV IRU 6L[ =RQHV  ([DPSOH 3DUW   (QWHUSULVH ZLWK 7ZR 5RXWLQJ 'RPDLQV 

1HW6FUHHQ &RQFHSWV

([DPSOHV

&RQWHQWV

,QWHUIDFH 6HWWLQJV DQG 2SHUDWLRQDO 0RGHV 


7UDQVSDUHQW 0RGH  ,QWHUIDFH 6HWWLQJV ([DPSOH +RZ WR 'HILQH WKH 9/$1 ,QWHUIDFH  ([DPSOH 7UDQVSDUHQW 0RGH  1HWZRUN $GGUHVV 7UDQVODWLRQ 0RGH  ,QWHUIDFH 6HWWLQJV ([DPSOH 1$7 0RGH  5RXWH 0RGH 3DFNHW )ORZ 6HTXHQFH ,QWHUIDFH 6HWWLQJV ([DPSOH 5RXWH 0RGH

'+&3 
'+&3 6HUYHU   ([DPSOH 1HW6FUHHQ 'HYLFH DV '+&3 6HUYHU   '+&3 5HOD\ $JHQW  ([DPSOH 1HW6FUHHQ 'HYLFH DV '+&3 5HOD\ $JHQW   '+&3 &OLHQW  ([DPSOH 1HW6FUHHQ 'HYLFH DV '+&3 &OLHQW  

333R( 
([DPSOH 6HWWLQJ 8S 333R( 

85/ )LOWHULQJ &RQILJXUDWLRQ 'RZQORDGLQJ8SORDGLQJ 6HWWLQJV DQG 6RIWZDUH 


6DYLQJ DQG ,PSRUWLQJ 6HWWLQJV  8SORDGLQJ DQG 'RZQORDGLQJ 6RIWZDUH  

6HFRQGDU\ ,3 $GGUHVVHV 


6HFRQGDU\ $GGUHVV 3URSHUWLHV  ([DPSOH &UHDWLQJ D 6HFRQGDU\ ,3 $GGUHVV

6RIWZDUH .H\V 


([DPSOH ([SDQGLQJ 8VHU &DSDFLW\  

0DQDJHPHQW 6HUYLFHV 2SWLRQV  ,QWHUIDFH 6HUYLFHV 2SWLRQV )LUHZDOO 2SWLRQV 
([DPSOH 6<1 )ORRG $WWDFN

8VHU $XWKHQWLFDWLRQ
,QWHUQDO 'DWDEDVH   ([DPSOH 8VHU $XWKHQWLFDWLRQ YLD WKH ,QWHUQDO 'DWDEDVH   5$',86   ([DPSOH 8VHU $XWKHQWLFDWLRQ YLD 5$',86  6HFXU,'   ([DPSOH $XWKHQWLFDWLRQ YLD 6HFXU,'   /'$3   ([DPSOH $XWKHQWLFDWLRQ YLD /'$3   8VHU $XWKHQWLFDWLRQ 7LPHRXW   ([DPSOH &KDQJLQJ WKH $XWKHQWLFDWLRQ 7LPHRXW 6HWWLQJ 

&RQILJXULQJ DQ LQWHUIDFH 


&UHDWLQJ DQ ,QWHUIDFH  0RGLI\LQJ DQ ,QWHUIDFH  'HOHWLQJ DQ ,QWHUIDFH 

&KDSWHU  6\VWHP 3DUDPHWHUV 


'RPDLQ 1DPH 6\VWHP 6XSSRUW
'16 /RRNXS  7KH '16 6WDWXV 7DEOH ([DPSOH 'HILQLQJ '16 6HUYHU $GGUHVVHV DQG 6FKHGXOLQJ /RRNXSV

6\VWHP &ORFN 


([DPSOH 6HWWLQJ WKH 6\VWHP &/RFN  

1HW6FUHHQ &RQFHSWV

([DPSOHV

YL

&RQWHQWV

&KDSWHU  $GPLQLVWUDWLRQ 


0DQDJHPHQW 0HWKRGV DQG 7RROV 
:HE 8VHU ,QWHUIDFH  :HE8, +HOS +773  6HFXUH 6RFNHWV /D\HU  &RPPDQG /LQH ,QWHUIDFH  7HOQHW 6HFXUH 6KHOO 6HULDO &RQVROH $GPLQLVWUDWLYH ,QWHUIDFH 2SWLRQV

5HVHWWLQJ WKH 'HYLFH WR WKH )DFWRU\ 'HIDXOW 6HWWLQJV   0DQDJH ,3   ([DPSOH 6HWWLQJ 0DQDJH ,3V IRU 0XOWLSOH ,QWHUIDFHV   0DQDJHPHQW =RQH ,QWHUIDFHV   ([DPSOH $GPLQLVWUDWLRQ WKURXJK WKH 0*7 ,QWHUIDFH   9LUWXDO 3ULYDWH 1HWZRUNV  ([DPSOH 6HQGLQJ 6103 DQG 6\VORJ 5HSRUWV WKURXJK DQ ,36HF 7XQQHO  ([DPSOH $GPLQLVWUDWLRQ WKURXJK D 931 7XQQHO IURP WKH 7UXVW =RQH 

/HYHOV RI $GPLQLVWUDWLRQ 


5RRW $GPLQLVWUDWRU  5HDG:ULWH $GPLQLVWUDWRU  5HDG2QO\ $GPLQLVWUDWRU 96<6 $GPLQLVWUDWRU 96<6 5HDG2QO\ $GPLQLVWUDWRU $GGLQJ $GPLQ 8VHUV ([DPSOH $GGLQJ D 5HDG2QO\ $GPLQLVWUDWRU 

&KDSWHU  0RQLWRULQJ 1HW6FUHHQ 'HYLFHV 


6\VORJ 
/RJJLQJ 3ULRULW\ /HYHOV   :HE7UHQGV   ([DPSOH (QDEOLQJ 6\VORJ DQG :HE7UHQGV  

6103 
,PSOHPHQWDWLRQ 2YHUYLHZ   ([DPSOH 6HWWLQJ 8S 6103 &RPPXQLWLHV   931 0RQLWRULQJ  

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF 


&KDQJLQJ WKH 3RUW 1XPEHU ([DPSOH &KDQJLQJ WKH 3RUW 1XPEHU &KDQJLQJ WKH $GPLQ /RJLQ 1DPH DQG 3DVVZRUG ([DPSOH &KDQJLQJ DQ $GPLQ 8VHU /RJLQ 1DPH DQG 3DVVZRUG  ([DPSOH $Q $GPLQ 8VHU &KDQJLQJ +HU 3DVVZRUG  5HVWULFWLQJ $GPLQLVWUDWLYH $FFHVV  ([DPSOH 5HVWULFWLQJ $GPLQLVWUDWLRQ WR D 6LQJOH :RUNVWDWLRQ  ([DPSOH 5HVWULFWLQJ $GPLQLVWUDWLRQ WR D 6XEQHW

&RXQWHUV 
([DPSOH 9LHZLQJ &RXQWHUV  

/RJV 
(YHQW /RJ  7UDIILF /RJ  6HOI /RJ  ([DPSOH 'RZQORDGLQJ WKH 6HOI /RJ  

$ODUPV
7UDIILF $ODUPV  

1HW6FUHHQ &RQFHSWV

([DPSOHV

YLL

&RQWHQWV (YHQW $ODUPV  ([DPSOH 6HQGLQJ (PDLO $OHUWV  ([DPSOH (GLWLQJ D 9,3 &RQILJXUDWLRQ  ([DPSOH 5HPRYLQJ D 9,3 &RQILJXUDWLRQ  

&KDSWHU  9LUWXDO 5RXWHUV 


&RQILJXULQJ D 9LUWXDO 5RXWHU 
&UHDWLQJ D 9LUWXDO 5RXWHU  0RGLI\LQJ D 9LUWXDO 5RXWHU &KDQJLQJ =RQHWR9LUWXDO 5RXWHU %LQGLQJV  'HOHWLQJ D 8VHU'HILQHG 9LUWXDO 5RXWHU

8VHUV 
([DPSOH &UHDWLQJ 6LQJOH7\SH 8VHUV   ([DPSOH &UHDWLQJ 0XOWLSOH7\SH 8VHUV   'LDOXS 8VHU *URXSV  ([DPSOH 'HILQLQJ D 1HZ 'LDOXS 8VHU *URXS DQG $GGLQJ D 0HPEHU  ([DPSOH 5HPRYLQJ D *URXS 0HPEHU   ([DPSOH 0RYLQJ D *URXS 0HPEHU WR $QRWKHU *URXS   ([DPSOH 5HPRYLQJ D *URXS  *URXS ,.( ,'   ([DPSOH 'HILQLQJ D 8VHU 'HILQLWLRQ WR 8VH *URXS ,.( ,'  

5RXWH 5HGLVWULEXWLRQ 5RXWH ([SRUWLQJ  5RXWH 7DEOH &RQILJXUDWLRQ 


([DPSOH 5RXWH 7DEOH &RQILJXUDWLRQ ([DPSOH 6HWWLQJ D 5RXWH IRU 7UDIILF WKURXJK D 7XQQHO ,QWHUIDFH 

&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V 


$GGUHVVHV 
$GGUHVV %RRN (QWULHV  ([DPSOH $GGLQJ $GGUHVVHV ([DPSOH 0RGLI\LQJ $GGUHVVHV ([DPSOH 'HOHWLQJ $GGUHVVHV  $GGUHVV *URXSV  ([DPSOH &UHDWLQJ DQ $GGUHVV *URXS ([DPSOH (GLWLQJ D *URXS $GGUHVV (QWU\  ([DPSOH 5HPRYLQJ DQ $GGUHVV *URXS 0HPEHU DQG D *URXS

6HUYLFHV 
([DPSOH 9LHZLQJ WKH 6HUYLFH %RRN   ([DPSOH $GGLQJ D &XVWRP 6HUYLFH   ([DPSOH 0RGLI\LQJ D &XVWRP 6HUYLFH   ([DPSOH 5HPRYLQJ D &XVWRP (QWU\   + 3URWRFRO IRU 9RLFHRYHU,3  ([DPSOH *DWHNHHSHU LQ WKH 7UXVW =RQH 7UDQVSDUHQW RU 5RXWH 0RGH   ([DPSOH *DWHNHHSHU LQ WKH 7UXVW =RQH 1$7 0RGH   ([DPSOH *DWHNHHSHU LQ WKH 8QWUXVW =RQH 7UXVW =RQH LQ 7UDQVSDUHQW RU 5RXWH 0RGH   ([DPSOH *DWHNHHSHU LQ WKH 8QWUXVW =RQH 7UXVW =RQH LQ 1$7 0RGH   6HUYLFH *URXSV   ([DPSOH &UHDWLQJ D 6HUYLFH *URXS   ([DPSOH 0RGLI\LQJ D 6HUYLFH *URXS  

9LUWXDO ,3 
9,3 DQG WKH *OREDO =RQH ([DPSOH &RQILJXULQJ 9LUWXDO ,3 6HUYHUV 

1HW6FUHHQ &RQFHSWV

([DPSOHV

YLLL

&RQWHQWV ([DPSOH 5HPRYLQJ D 6HUYLFH ([DPSOH 5HPRYLQJ D 6HUYLFH *URXS 5HRUGHULQJ $FFHVV 3ROLFLHV   5HPRYLQJ DQ $FFHVV 3ROLF\  

6FKHGXOHV
([DPSOH 5HFXUULQJ 6FKHGXOH 

&KDSWHU  ,36HF
,QWURGXFWLRQ WR 931V ,36HF &RQFHSWV 
0RGHV   7UDQVSRUW 0RGH   7XQQHO 0RGH   3URWRFROV  $+   (63   .H\ 0DQDJHPHQW   0DQXDO .H\  $XWR.H\ ,.(   6HFXULW\ $VVRFLDWLRQ 

&KDSWHU  $FFHVV 3ROLFLHV 


$FFHVV 3ROLFLHV 'HILQHG
$QDWRP\ RI D 3ROLF\ =RQHV  $GGUHVVHV  6HUYLFHV  $FWLRQV 1HWZRUN $GGUHVV 7UDQVODWLRQ 1$7  931 7XQQHO /73 $XWKHQWLFDWLRQ  /RJJLQJ  &RXQWLQJ  $ODUP 7KUHVKROG  6FKHGXOHV 7UDIILF 6KDSLQJ

7XQQHO 1HJRWLDWLRQ 


3KDVH    0DLQ 0RGH DQG $JJUHVVLYH 0RGH   7KH 'LIILH+HOOPDQ ([FKDQJH   3KDVH    3HUIHFW )RUZDUG 6HFUHF\  5HSOD\ 3URWHFWLRQ  3DFNHW )ORZ 3ROLF\%DVHG /$1WR/$1 931  

$FFHVV 3ROLFLHV $SSOLHG


9LHZLQJ $FFHVV 3ROLFLHV  $FFHVV 3ROLF\ ,FRQV  &UHDWLQJ $FFHVV 3ROLFLHV ([DPSOH $FFHVV 3ROLFLHV 3HUPLWWLQJ %LGLUHFWLRQDO 7UDIILF  $FFHVV 3ROLF\ /RFDWLRQ ([DPSOH 7\SLFDO $&/ IRU D 6PDOOWR0HGLXP (QWHUSULVH 0RGLI\LQJ DQG 'LVDEOLQJ $FFHVV 3ROLFLHV 

,36HF 1$7 7UDYHUVDO 


7UDYHUVLQJ D 1$7 'HYLFH  8'3 &KHFNVXP   7KH .HHSDOLYH )UHTXHQF\ 9DOXH   ,36HF 1$77UDYHUVDO DQG ,QLWLDWRU5HVSRQGHU 6\PPHWU\  ([DPSOH (QDEOLQJ 1$77UDYHUVDO  

1HW6FUHHQ &RQFHSWV

([DPSOHV

L[

&RQWHQWV

&KDSWHU  3XEOLF .H\ &U\SWRJUDSK\


,QWURGXFWLRQ WR 3XEOLF .H\ &U\SWRJUDSK\  3., &HUWLILFDWHV DQG &5/V 
2EWDLQLQJ D &HUWLILFDWH 0DQXDOO\  ([DPSOH 5HTXHVWLQJ D &HUWLILFDWH 0DQXDOO\  ([DPSOH /RDGLQJ &HUWLILFDWHV  ([DPSOH &RQILJXULQJ 'HIDXOW 6HUYHU 6HWWLQJV IRU D &5/ 2EWDLQLQJ D &HUWLILFDWH $XWRPDWLFDOO\ ([DPSOH 5HTXHVWLQJ D &HUWLILFDWH $XWRPDWLFDOO\ 

([DPSOH 5RXWLQJ%DVHG /$1WR/$1 931 '\QDPLF 3HHU  

'LDOXSWR/$1 931 '\QDPLF 3HHU 


([DPSOH 5RXWLQJ%DVHG 'LDOXSWR/$1 931 '\QDPLF 3HHU  

+XEDQG6SRNH 931V
([DPSOH +XEDQG6SRNH 931V  

%DFNWR%DFN 931V
([DPSOH %DFNWR%DFN 931V  

&KDSWHU  3ROLF\%DVHG 931V 


/$1WR/$1 931V 
7XQQHO ,QWHUIDFHV   ([DPSOH 3ROLF\%DVHG /$1WR/$1 931 0DQXDO .H\  ([DPSOH 3ROLF\%DVHG /$1WR/$1 931 $XWR.H\ ,.(   ([DPSOH 3ROLF\%DVHG /$1WR/$1 931 '\QDPLF 3HHU  

&KHFNLQJ IRU 5HYRFDWLRQ 8VLQJ 2&63 


&RQILJXULQJ IRU 2&63 6SHFLI\LQJ (LWKHU &5/ RU 2&63 IRU 5HYRFDWLRQ &KHFNLQJ 'LVSOD\LQJ &HUWLILFDWH 5HYRFDWLRQ 6WDWXV $WWULEXWHV 6SHFLI\LQJ WKH 85/ RI DQ 2&63 5HVSRQGHU IRU D &HUWLILFDWH  5HPRYLQJ &HUWLILFDWH 5HYRFDWLRQ &KHFN $WWULEXWHV

'LDOXSWR/$1 931V 


([DPSOH 3ROLF\%DVHG 'LDOXSWR/$1 931 0DQXDO .H\  ([DPSOH 3ROLF\%DVHG 'LDOXSWR/$1 931 $XWR.H\ ,.(   ([DPSOH 3ROLF\%DVHG 'LDOXSWR/$1 931 '\QDPLF 3HHU  

&KDSWHU  5RXWLQJ%DVHG 931V 


7XQQHO ,QWHUIDFHV 
([DPSOH 7XQQHO %RXQG WR 7XQQHO ,QWHUIDFH 

7XQQHO =RQHV DQG 3ROLF\%DVHG 1$7 


([DPSOH 7XQQHO ,QWHUIDFH LQ D 7XQQHO =RQH  

/$1WR/$1 931V 


7XQQHO ,QWHUIDFHV  ([DPSOH 5RXWLQJ%DVHG /$1WR/$1 931 0DQXDO .H\  ([DPSOH 5RXWLQJ%DVHG /$1WR/$1 931 $XWR.H\ ,.(

&KDSWHU  /73
,QWURGXFWLRQ WR /73  3DFNHW (QFDSVXODWLRQ DQG 'HFDSVXODWLRQ 
(QFDSVXODWLRQ  

1HW6FUHHQ &RQFHSWV

([DPSOHV

&RQWHQWV 'HFDSVXODWLRQ 

&KDSWHU  9LUWXDO 6\VWHPV 


(VWDEOLVKLQJ D 9LUWXDO 6\VWHP 
([DPSOH &UHDWLQJ 9LUWXDO 6\VWHPV DQG 9LUWXDO 6\VWHP $GPLQLVWUDWRUV  

/73 3DUDPHWHUV
([DPSOH &RQILJXULQJ DQ ,3 3RRO DQG /73 'HIDXOW 6HWWLQJV

/73 DQG /732YHU,36HF 


([DPSOH &RQILJXULQJ /73  ([DPSOH &RQILJXULQJ /732YHU,36HF

'HILQLQJ 6XELQWHUIDFHV DQG 9/$1 7DJV


([DPSOH 'HILQLQJ 7KUHH 6XELQWHUIDFHV DQG 9/$1 7DJV  

,PSRUWLQJ DQG ([SRUWLQJ 3K\VLFDO ,QWHUIDFHV 


([DPSOH ,PSRUWLQJ D 3K\VLFDO ,QWHUIDFH WR D 9LUWXDO 6\VWHP  ([DPSOH ([SRUWLQJ D 3K\VLFDO ,QWHUIDFH IURP D 9LUWXDO 6\VWHP 

&KDSWHU  3ROLF\%DVHG 1$7 


'\QDPLF ,3 
3RUW $GGUHVV 7UDQVODWLRQ  ([DPSOH &UHDWLQJ D ',3 3RRO ZLWK 3$7  ([DPSOH &KDQJLQJ D ',3 3RRO  ([DPSOH 'HOHWLQJ D 7XQQHO ,QWHUIDFH 

/RJJLQJ 2Q DV D 9LUWXDO 6\VWHP $GPLQLVWUDWRU 


([DPSOH /RJJLQJ 2Q DQG &KDQJLQJ <RXU 3DVVZRUG  

0DSSHG ,3 
0,3 DQG WKH *OREDO =RQH  ([DPSOH $GGLQJ D 0,3 WR D 7XQQHO ,QWHUIDFH  ([DPSOH $GGLQJ D 0,3 WR DQ ,QWHUIDFH LQ WKH 8QWUXVW =RQH 

&RPPXQLFDWLQJ %HWZHHQ 9/$1V 


([DPSOH ,QWHU9/$1 &RPPXQLFDWLRQ  

&KDSWHU  +LJK $YDLODELOLW\ 


&DEOLQJ 3URFHGXUH
*HQHUDO &DEOLQJ 5XOHV   %LQGLQJ D 1RQ'HGLFDWHG ,QWHUIDFH WR WKH +$ =RQH 

3ROLF\%DVHG 1$7 IRU 1HWZRUN 7UDIILF 


([DPSOH 1$7 RQ 2XWJRLQJ 1HWZRUN 7UDIILF 

5HGXQGDQW *URXSV 


([DPSOH )RUPLQJ D 5HGXQGDQW *URXS   'LVDEOLQJ +$  

&KDSWHU  7UDIILF 6KDSLQJ


$SSO\LQJ 7UDIILF 6KDSLQJ 
0DQDJLQJ %DQGZLGWK DW WKH $FFHVV 3ROLF\ /HYHO  ([DPSOH 7UDIILF 6KDSLQJ

6HFXULQJ +$ &RPPXQLFDWLRQV 


([DPSOH (QDEOLQJ $XWKHQWLFDWLRQ DQG (QFU\SWLRQ  

6HWWLQJ 6HUYLFH 3ULRULWLHV 


([DPSOH 3ULRULW\ 4XHXLQJ 

3DWK 0RQLWRULQJ 


([DPSOH (QDEOLQJ 3DWK 7UDFNLQJ 

1HW6FUHHQ &RQFHSWV

([DPSOHV

[L

&RQWHQWV

$SSHQGL[ $ 6103 0,% )LOHV $,


7KH 3ULPDU\/HYHO 0,% )LOH )ROGHUV $,, 6HFRQGDU\/HYHO 0,% )ROGHUV$,9
QHW6FUHHQ,GV$,9 QHWVFUHHQ9SQ $,9 QHWVFUHHQ4RV  $9 QHWVFUHHQ6HWWLQJ $9 QHWVFUHHQ3ROLF\  $9

QHWVFUHHQ1$7  $9, QHWVFUHHQ6HUYLFH  $9, QHWVFUHHQ6FKHGXOH $9, QHWVFUHHQ5HVRXUFH  $9, QHWVFUHHQ,S $9,

$SSHQGL[ % *ORVVDU\  %, ,QGH[ ,;,

1HW6FUHHQ &RQFHSWV

([DPSOHV

[LL

3UHIDFH
NetScreen devices are ASIC-based, ICSA-certified1 Internet security appliances that integrate firewall, virtual private networking (VPN), and traffic-shaping features to provide complete protection of your local area network (LAN) when connecting to the Internet. Firewall: A firewall screens traffic crossing the boundary between a private LAN and the public network, such as the Internet. VPN: A VPN provides a secure communications channel between two or more remote network appliances. Traffic Shaping: Traffic shaping functionality allows administrative monitoring and control of traffic passing across the NetScreen firewall to maintain a networks quality-of-service (QoS) level.

Note: For information on NetScreen compliance with Federal Information Processing Standards (FIPS) and for instructions on setting a FIPS-compliant NetScreen device in FIPS mode, see the NetScreen-100 Cryptographic Module Security Policy on the documentation CD-ROM.

1.

The Internet Computer Security Association (ICSA) is an organization focused on all types of network security for Internet-connected companies. Among its many functions, ICSA provides product certification for several kinds of security products such as virus protection, firewall, PKI, intrusion detection, IPSec, and cryptography. ICSA has certified all NetScreen products for firewall and IPSec.

1HW6FUHHQ &RQFHSWV

([DPSOHV

[LLL

LAN

LAN

VPNs: Secure communication tunnels between sites for traffic passing through the Internet

Firewall: Screening traffic between the protected LAN and the Internet

Traffic Shaping: Efficient prioritization of traffic as it traverses the firewall LAN

NetScreen ScreenOS version 3.0.0 is the operating system that provides all the features needed to set up and manage any NetScreen security appliance or system. The NetScreen Concepts & Examples ScreenOS Reference Guide provides a useful reference guide for configuring and managing a NetScreen appliance through the ScreenOS.

1HW6FUHHQ &RQFHSWV

([DPSOHV

[LY

1HW6FUHHQ 'RFXPHQWDWLRQ

1(76&5((1 '2&80(17$7,21
In addition to the NetScreen Concepts & Examples ScreenOS Reference Guide guide, there are other technical publications available from NetScreen. These publications are as follows: Whats New in ScreenOS 3.1.0 This manual describes all new features in ScreenOS 3.1.0. In addition, it lists all commands that have been removed since version 3.0.0 and all commands that have remained the same. It also presents full descriptions of all new commands, and all commands that have undergone modification. NetScreen WebUI Reference Guide This manual presents a brief introduction to the WebUI management application, with a glossary of important technical terms, and general instructions on how to use the application. NetScreen CLI Reference Guide This manual provides descriptions of all command line interface (CLI) commands. Each command description presents the commands syntax and basic elements, including options, parameters, switches, and element dependencies. The descriptions also provide practical examples of command execution. NetScreen-5XP Installers Guide, NetScreen-10 Installers Guide, NetScreen-25 Installers Guide, NetScreen-50 Installers Guide, NetScreen-204/208 Installers Guide These manuals provide instructions for connecting a NetScreen-5XP, -10, -25, and -50 device respectively to a network, and performing an initial configuration. The instructions explain how to set up the device in Transparent, NAT, or Route mode, how to configure an access policy permitting outbound traffic only, and how to change the admins login name and password. Each manual also provides an overview of the hardware for each specific platform.

1HW6FUHHQ &RQFHSWV

([DPSOHV

[Y

1HW6FUHHQ 'RFXPHQWDWLRQ

NetScreen-100 Installers Guide, NetScreen-204/208 Installers Guide, NetScreen-500 Installers Guide, and NetScreen-1000 Installers Guide These manuals provide instructions for connecting a NetScreen-100, -204/208, -500, and -1000 device respectively to a network, and performing an initial configuration. The instructions explain how to set up the device in Transparent, NAT, or Route mode, how to configure an access policy permitting outbound traffic only, and how to change the admins login name and password. The manual also provides an overview of the hardware, and cabling and configuration instructions for single appliances and redundant appliances using High Availability (HA). NetScreen-Remote Administrators Guide This manual provides instructions for installing and using the NetScreen-Remote client software, which allows a remote user to connect with a NetScreen security device through a virtual private network (VPN) tunnel. NetScreen Message Log Reference Guide This manual documents the log messages that appear in ScreenOS 3.0.0. Each log message entry includes the message text, its meaning, and any recommended action to take upon receiving the message. If you find any errors or omissions in the content of this or any other NetScreen manual, please contact us at the e-mail address below: techpubs@netscreen.com

1HW6FUHHQ &RQFHSWV

([DPSOHV

[YL

&RQFHSWV

([DPSOHV 0DQXDO 2UJDQL]DWLRQ

&21&(376

(;$03/(6 0$18$/ 25*$1,=$7,21

The following are summaries of each of the chapters in the NetScreen Concepts & Examples ScreenOS Reference Guide: Chapter 1, Universal Security Gateway Architecture presents the fundamental elements of USGAthe architecture presented in ScreenOS 3.1.0and concludes with a four-part example illustrating an enterprise-based configuration incorporating most of those elements. In this and all subsequent chapters, each concept is accompanied by illustrative examples. Chapter 2, Zones explains security zones, tunnel zones, and function zones. Chapter 3, Interfaces describes the various physical, logical, and virtual interfaces on NetScreen devices, explains the concepts behind Transparent, Network Address Translation (NAT), and Route operational modes, and includes information on various firewall attacks and the attack blocking options that NetScreen provides. Chapter 4, System Parameters presents the concepts behind Domain Name System (DNS) addressing; using Dynamic Host Configuration Protocol (DHCP) to assign or relay TCP/IP settings; URL filtering; downloading and uploading system configurations and software; and setting the system clock. Chapter 5, Administration explains the different means available for managing a NetScreen device both locally and remotely. This chapter also explains the privileges pertaining to each of the four levels of network administrators that can be defined. Finally, it explains how to secure local and remote administrative traffic. Chapter 6, Monitoring NetScreen Devices explains various monitoring methods and provides guidance in interpreting monitoring output. Chapter 7, Virtual Routers presents the concept of a virtual router and explains how to configure the virtual routers on the NetScreen device. It also contains information on routing table entries. Chapter 8, Building Blocks for Access Policies and VPNs discusses the elements used for creating access policies and virtual private networks (VPNs): addresses (including VIP addresses), users, and services. It also presents several example configurations support for the H.323 protocol. Chapter 9, Access Policies explores the components and functions of access policies and offers guidance on their creation and application.

1HW6FUHHQ &RQFHSWV

([DPSOHV

[YLL

&RQFHSWV

([DPSOHV 0DQXDO 2UJDQL]DWLRQ

Chapter 10, IPSec provides background information bout IPSec, presents a flow sequence for Phase 1 in IKE negotiations in Aggressive and Main modes, and concludes with information regarding NAT-Traversal. Chapter 11, Public Key Cryptography provides information on how to obtain and load digital certificates and certificate revocation lists (CRLs). Chapter 12, Routing-Based VPNs provides extensive examples of routing-based VPN configurations, including hub-and-spoke and back-to-back tunnel designs. Chapter 13, Policy-Based VPNs provides extensive examples of policy-based VPN configurations for LAN-to-LAN and client-to-LAN communication using Manual Key and AutoKey IKE mechanisms. It also details how to make use of tunnel interfaces to provide policy-based NAT to traffic flowing through VPN tunnels between sites that have trusted networks with an overlapping address space. Chapter 14, L2TP explains the Layer 2 Tunneling Protocol (L2TP), its use alone and in conjunction with IPSec (L2TP-over-IPSec). Chapter 15, Policy-Based NAT explains how to provide NAT services for network traffic at the policy level. Chapter 16, Traffic Shaping explains how you can manage bandwidth at the interface and Access Policy levels and prioritize services. Chapter 17, Virtual Systems presents the concepts of virtual systems and virtual local area networks (VLANs), and explains how to set up virtual systems and create virtual system administrators. Chapter 18, High Availability explains how to cable, configure, and manage two or more NetScreen-100, -204/208, -500, or -1000 devices in a redundant group to provide high availability. Appendix A, SNMP MIB Files lists and briefly describes the Management Information Base (MIB) files available for MIB compilers. Appendix B, Glossary provides a reference for the terms and acronyms used in the Security and Firewall field.

1HW6FUHHQ &RQFHSWV

([DPSOHV

[YLLL

&RQYHQWLRQV

&219(17,216
This book presents two management methods for configuring a NetScreen device: the Web user interface (WebUI) and the command line interface (CLI). The conventions used for both are introduced below.

:HE8, 1DYLJDWLRQ &RQYHQWLRQV


Throughout this book, a double chevron ( >> ) is used to indicate navigation through the WebUI by clicking buttons, tabs, and links.

([DPSOH 931V !! *DWHZD\ 3 !! 1HZ 5HPRWH 7XQQHO *DWHZD\


To access the Remote Tunnel Gateway Configuration dialog box to define the VPN tunnel gateway of an IKE peer, do the following: 1. 2. 3. Click the VPNs button in the menu column. Click the Gateway (P1) tab. Click the New Remote Tunnel Gateway link. The Remote Tunnel Gateway Configuration dialog box appears.

1HW6FUHHQ &RQFHSWV

([DPSOHV

[L[

&RQYHQWLRQV

&/, &RQYHQWLRQV
The CLI conventions are as follows: A parameter inside [ ] (square brackets) is optional. A parameter inside { } (braces) is required. Anything inside < > is a variable. If there is more than one choice for a parameter inside [ ] and { }, they are separated by a pipe ( | ). For example, [auth {md5 | sha-1}] means choose either MD5 or SHA-1 as your authentication method.

For example, when entering a route to the route table for the IP address 2.2.2.2/32 via the untrusted interface, use the following syntax: set route <ip_addr> <mask> interface { trust | untrust | dmz | mgt | tunnel/<number> } [ gateway <ip_addr> ] [ metric <number> ] to produce this command: set route 2.2.2.2 255.255.255.255 interface untrust Because the gateway IP address and the metric2 are optionalthese arguments are presented within brackets [ ] you can omit them from the command. In this example, the gateway IP address would be that of a router on the untrusted side through which you want to route traffic bound for 2.2.2.2/32. By not specifying a router, the default router for the untrusted interface is used. Note: When typing a key word, you only have to type enough letters to identify the word uniquely. For example, typing set in t n is enough to enter the command set interface trust nat. If you want to see the options following part of a command, press the SPACE key and then type ? (question mark). For example, typing set interface ? displays the following options: trust, untrust, dmz, mgt, ha1, ha2, tunnelwhich are the available options that you can enter after typing set interface.

2.

The metric <number> argument specifies the number of hops between the NetScreen-500 and the specified gateway. In this example, you do not specify a gateway; consequently, you do not specify a metric for it. However, even if you do specify a gateway, specifying a metric is optional.

1HW6FUHHQ &RQFHSWV

([DPSOHV

[[

8uhr

8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

NetScreen ScreenOS 3.1.0 introduces Universal Security Gateway Architecture (USGA), an architecture that offers great flexibility in designing the layout of your network security. On NetScreen devices with multiple interfaces, you can create numerous security zones and configure access policies to regulate traffic between them. You can bind one or more interfaces to each zone and enable a unique set of management and firewall attack screening options on a per-interface basis. Essentially, USGA allows you to create the number of zones your network environment requires, assign the number of interfaces each zone requires, and design each interface to your specifications. This chapter presents an overview of USGA, covering the following key components: Multiple Security Zones on page 2 Security Zone Interfaces on page 3 Virtual Routers on page 5 Access Policies on page 7 VPNs on page 8 Virtual Systems on page 10

Furthermore, to better understand the ScreenOS mechanism for processing traffic, you can see the flow sequence for an incoming packet in Packet Flow Sequence on page 13. The chapter concludes with a four-part example that illustrates a basic configuration for a NetScreen device using ScreenOS 3.1.0 with USGA. Example (Part 1): Enterprise with Six Zones on page 16 Example (Part 2): Interfaces for Six Zones on page 18 Example (Part 3): Enterprise with Two Routing Domains on page 23 Example (Part 4): Access Policies for an Enterprise with Six Zones on page 26

1HW6FUHHQ &RQFHSWV

([DPSOHV

&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

0XOWLSOH 6HFXULW\ =RQHV

08/7,3/( 6(&85,7< =21(6


A security zone is a collection of one1 or more network segments requiring the regulation of inbound and outbound traffic via access policies. You can define multiple security zones, the exact number of which you determine based on your network needs. In addition to user-defined zones, you can also use the three predefined zones: trust, untrust, and DMZ. In fact, if you upgrade from an earlier version of ScreenOS, all your configurations for the trust, untrust, and DMZ zones remain intact. If you like, you can continue using just the predefined zones. You can also 2 delete all predefined zones and use user-defined zones exclusively. Optionally, you can use both kinds of zones predefined and user-definedside by side. USGA provides the flexibility for you to use and define security zones to best suit your specific needs.

A network configured with 5 security zones3 default zones (Trust, Untrust, DMZ), and 2 user-defined zones (Finance, Eng)

Finance Untrust

Trust

Policy Engine

NetScreen device

Traffic (indicated by black lines) passes from one security zone to another only if a policy permits it. Eng DMZ

1. 2.

The one security zone that requires no network segment is the global zone. (For more information, see Global zone Global Zone on page 33.) Additionally, any zone without an interface bound to it nor any address book entries can also be said not to contain any network segments. If you delete a security zone, you also automatically delete all addresses configured for that zone.

1HW6FUHHQ &RQFHSWV

([DPSOHV

&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

6HFXULW\ =RQH ,QWHUIDFHV

6(&85,7< =21( ,17(5)$&(6


An interface for a security zone can be thought of as a doorway through which TCP/IP traffic can pass between that zone and any other zone.
3 Through the access policies you define, you can permit traffic between zones to flow in one direction or in both . With the routes that you define, you specify the interfaces that traffic from one zone to another must use. Because you can bind multiple interfaces to a zone, the routes you chart are important for directing traffic to the interfaces of your choice.

To provide a zone with a doorway, you bind an interface to the zone andfor an interface in Route or NAT mode assign an IP address to the interface. Such interfaces can be of two types: physical interfaces andfor those devices with virtual system supportsubinterfaces (that is, a layer 2 substantiation of a physical interface).

3K\VLFDO ,QWHUIDFHV
A physical interface is identified by the position of an interface module and an ethernet port on that module. For example, on the NetScreen-500, the interface ethernet1/2 designates the interface module in the first bay (ethernet1/2) and the second port (ethernet1/2) on that module. A physical interface relates to components that are physically present on the NetScreen device.
Physical Interface Assignments

1/1

1/2

3/1

3/2

2/1

2/2

4/1

4/2

3.

For traffic to flow between interfaces bound to the same zone, no policy is required because both interfaces have security equivalency. ScreenOS requires policies for traffic between zones, not within a zone.

1HW6FUHHQ &RQFHSWV

([DPSOHV

&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

6HFXULW\ =RQH ,QWHUIDFHV

6XELQWHUIDFHV
On devices that support virtual systems, you can logically divide a physical interface into several virtual subinterfaces, each of which borrows the bandwidth it needs from the physical interface from which it stems. A subinterface is an abstraction that functions identically to an interface for a physically present port and is distinguished by 802.1Q VLAN tagging4. The NetScreen device directs traffic to and from a zone with a subinterface via its IP address and VLAN tag. For convenience, administrators usually assign a VLAN tag that is the same as the interface number. For example, an interface using VLAN tag 3 and named ethernet1/2.3 refers to the interface module in the first bay, the second port on that module, and interface number 3 (ethernet1/2.3). Note that although a subinterface shares part of its identity with a physical interface, the zone to which you bind it is not dependent on the zone to which you bind the physical interface. You can bind the subinterface ethernet1/2.3 to a different zone than that to which you bind the physical interface ethernet1/2, or to which you bind ethernet1/2.2. Similarly, there are no restrictions in terms of IP address assignments. The term subinterface does not imply that its address be in a subnet of the address space of the physical interface. Note: For more information on interfaces, see Universal Security Gateway Architecture on page 1.
Subinterface Assignments 1/1.1 1/1.2 1/2.1 1/2.2 3/1.1 3/1.2 3/1.3

3/2.1 3/2.2 3/2.3

1/1

1/2

3/1

3/2

2/1 2/1.1 2/1.2

2/2 2/2.1 2/2.2

4/1 4/1.1 4/1.2

4/2 4/2.1 4/2.2

4.

802.1Q is an IEEE standard that defines the mechanisms for the implementation of virtual bridged LANs and the ethernet frame formats used to indicate VLAN membership via VLAN tagging.

1HW6FUHHQ &RQFHSWV

([DPSOHV

&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

9LUWXDO 5RXWHUV

9,578$/ 5287(56
A virtual router (VR) functions identically to a nonvirtual router. It has its own interfaces and its own routing table. In USGA, a NetScreen device supports two virtual routers. This allows the NetScreen device to maintain two separate routing tables and conceal the routing information in one virtual router from the other. For example, virtual router 1, which is typically used for communication with untrusted parties, does not contain any routing information for any of the protected zones, which is maintained by virtual router 2. Thus, no internal network information can be gleaned by the surreptitious extraction of routes from virtual router 1.

Trust-VR Routing Domain Finance

VR1

Untrust-VR Routing Domain

Untrust

Trust

Eng

DMZ

Note: The castle icon represents an interface for a security zone.

Route Redistribution

Note: To create additional VRs, you must first obtain and load a virtual router software key on the NetScreen device.

1HW6FUHHQ &RQFHSWV

([DPSOHV

&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

9LUWXDO 5RXWHUV

5RXWH 5HGLVWULEXWLRQ
Each virtual router (VR) maintains a routing table with unique entries for its routing domain. That is, the entries in VR1 are completely different from those maintained in VR2. Because the routing table entries in VR2 cannot be found in VR1, the VR1 routing table must include a route pointing to VR2 for any routes that it does not have and that you want to make accessible for traffic from VR1. (Likewise, the reverse is required for traffic in the other direction; that is, from VR2 to VR1.) The term for this link between the two virtual routers is route redistribution.

Finance 10.10.1.0/24 Trust-VR (VR2) Routing Domain eth1/1 Trust 10.10.2.0/24 eth1/2

Untrust 210.10.1.0/24 Untrust-VR (VR1) Routing Domain eth3/1

To 10.10.1.0/24 10.10.2.0/24 10.10.3.0/24 0.0.0.0/0

Use eth1/1 eth1/2 eth2/1 VR1

To 210.10.1.0/24 210.10.2.0/24

Use eth3/1 eth4/1 VR2 eth3/1

Engineering 10.10.3.0/24 eth2/1

DMZ 210.10.2.0/24 eth4/1

10.10.0.0/16 0.0.0.0/0

Route Redistribution

Note: For more information about virtual routers, see Chapter 7, Virtual Routers.

1HW6FUHHQ &RQFHSWV

([DPSOHV

&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

$FFHVV 3ROLFLHV

$&&(66 32/,&,(6
Every time a packet attempts to pass from one zone to another, the NetScreen device checks its access control list (ACL) for a policy that permits such traffic. To allow traffic to pass from one security zone to anotherfor example, from zone A to zone Byou must configure an access policy that permits zone A to send traffic to zone B. To allow traffic to flow the other way, you must configure another policy permitting traffic from zone B to zone A. For any traffic to pass from one zone to another, there must be an access policy that permits it.

Trust-VR Routing Domain Finance Untrust

Untrust-VR Routing Domain

Trust

Policy Engine

Eng Note: The black lines represent traffic between security zones.

DMZ

Route Redistribution

Note: For information about access policies, see Chapter 9, Access Policies.

1HW6FUHHQ &RQFHSWV

([DPSOHV

&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

931V

9316
USGA supports several VPN configuration options, some of which allow the separation of virtual private network (VPN) tunnels and access policies5. Once configured, such tunnels exist as available resources for securing traffic en route between one security zone and another. The main steps for configuring a VPN tunnel independent of any access policy are as follows: 1. While configuring the VPN tunnel (for example, vpn-to-SF, where SF is the destination or end entity), specify a physical or subinterface on the local device. (The IP address for this interface is what the remote peer must use when configuring its remote gateway.) Create a tunnel interface (for example, tunnel.1), and bind it to a security zone6. Bind the tunnel interface tunnel.1 to the VPN tunnel vpn-to-SF. To direct traffic through this tunnel, set up a route stating that traffic to SF must use tunnel.1.

2. 3. 4.

At this point, the tunnel is ready for traffic bound for SF. You can now set up access policies to permit or block traffic from a specified source to that destination.
Source Zone Policy Engine Routing Table ---------------------------------------------Tunnel Interface VPN tunnel Destination Zone

Packet sent

Packet arrives

5.

In earlier versions of ScreenOS, a VPN policy must explicitly specify tunneling and name a specific VPN tunnel. You can still configure VPN policies this way in ScreenOS 3.1.0. However, you can also configure policies that only permit or deny traffic between two security zones. If permitted, that traffic is tunneled if the route to the specified destination points to an interface bound to a VPN tunnel. You do not have to bind the tunnel interface to the same zone from which VPN traffic originates locally. Traffic from any zone can access a tunnel interface if a route points to that interface.

6.

1HW6FUHHQ &RQFHSWV

([DPSOHV

&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

931V

Traffic from security zone Finance to SF LAN in security zone Untrust is routed to the tunnel interface tunnel.1. Because tunnel.1 is bound to VPN tunnel vpn-to-SF, the traffic is sent through that tunnel to the remote gateway at SF LAN.

VR1: Untrust Virtual Router

To Reach 210.10.1.0 0.0.0.0/0

Use eth3/1 210.10.1.2/24


Zone: Untrust eth3/1210.10.1.1/24
Interface: tunnel.1

SF LAN 10.20.2.0/24

VR2: Trust Virtual Router Local Device

VPN Tunnel vpn-to-SF


Default Gateway: 210.10.1.2

To Reach 10.20.2.0/24 10.10.1.0/24 0.0.0.0/0

Use tunnel.1 eth1/1 VR1


Zone: Finance eth1/110.10.1.1/24

1HW6FUHHQ &RQFHSWV

([DPSOHV

&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

9LUWXDO 6\VWHPV

9,578$/ 6<67(06
Some NetScreen devices support virtual systems (vsys)7. The application of USGA to virtual systems involves the coordination of three main components: zones, interfaces, and virtual routers. The following illustration presents a conceptual overview of how USGA integrates these components at both the root and vsys levels.
Note: The castle icon represents a security zone interface.

TRUST-VR UNTRUST-VR DMZ Mail


shared interface for root and vsys1

Finance Eng

Trust

root sys
Trust-vsys1

vsys1-vr

Untrust

subinterface dedicated to vsys2

vsys1 vsys2 vsys3 vsys3-vr


Trust-vsys3

vsys2-vr
Trust-vsys2

physical interface dedicated to vsys3

The following subsections explore each of these componentszones, interfaces, and virtual routersand their application within the context of virtual systems.

7.

A virtual system is a subdivision of the main system that appears to the user to be a stand-alone entity. Vsys reside separately from each other and from the root system within the same NetScreen device.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

9LUWXDO 6\VWHPV

=RQHV LQ D 9LUWXDO 6\VWHP


When a root-level admin creates a virtual system, the following zones are automatically inherited or created: Shared Untrust Zone (inherited from the root system) Shared Null Zone (inherited from the root system) Trust-<vsys_name> Zone Untrust-Tun-<vsys_name> Zone Self-<vsys_name> Zone Global-<vsys_name> Zone

All virtual systems share the untrust and null zones with the root system. Note that because the root system and all virtual systems share the untrust zone, they also share the address book for the untrust zone. All other zones in a vsys are owned by that vsys. Note: For information on each of these zone types, see Chapter 2, Zones. In addition, a root-level admin can create one user-defined zone for each virtual system.

,QWHUIDFHV
A virtual system can have any of the following three types of interfaces bound to the untrust zone: One or more vsys can share the physical interface that is bound to the untrust zone with the root system. A vsys can have its own subinterface bound to the untrust zone, and use VLAN tagging as the means for trunking8 inbound and outbound traffic. A vsys can have its own physical interface bound to the untrust zone or to trust-<vsys-name> zone.

You can bind one, two, or all three of the above interface types to the untrust zone concurrently. You can also bind multiple interfaces of each type to the untrust zone.
8. VLAN trunking allows one physical interface to support multiple logical subinterfaces, each of which must be identified by a unique VLAN tag. The VLAN identifier (tag) on an incoming ethernet frame indicates its intended subinterfaceand hence the virtual systemto which it is destined.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

9LUWXDO 6\VWHPV

You can bind either a subinterface (with VLAN tagging to trunk traffic) or a physical interface to the trust-<vsys_name> zone. You can also bind multiple interfaces of each type to these zones.

9LUWXDO 5RXWHUV
When a root-level admin creates a virtual system, the vsys automatically has the following two virtual routers available for its use: A shared virtual router: untrust-vr In the same way that a vsys and the root system share the untrust zone, they also share untrust-vr, which maintains the routing information for that zone. Its own virtual router: <vsys_name>-vr This is a vsys-specific virtual router that, by default, maintains the routing table for the trust-<vsys_name> zone.

If you, as a root-level administrator, want all of the vsys zones to be in the untrust-vr routing domainfor example, if all the interfaces bound to the vsys-trust zone are in Route modeyou can dispense with the trust-vr by changing the zone bindings from the trust-vr to the untrust-vr. For more information on virtual routers, see Chapter 7, Virtual Routers. Note: ScreenOS 3.1.0 does not support user-defined virtual routers within a vsys.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

3DFNHW )ORZ 6HTXHQFH

3$&.(7 )/2: 6(48(1&(


In ScreenOS 3.1.0, the flow sequence of an incoming packet progresses as presented below.
Incoming Packet 1 2 Session Lookup Incoming Interface 3 4 Route Lookup Route Table
10.10.10.0/24 eth1/1 0.0.0.0/0 untrust-vr

5 Policy Lookup ACL


src dst service action

6 Src Addr ( Translation )

7 Create Session Session Table


id 977 vsys id 0, flag 000040/00, pid -1, did 0, time 180 13 (01) 10.10.10.1/1168 -> 211.68.1.2/80, 6, 002be0c0066b, subif 0, tun 0

8 Perform Operation

( MIP/VIP ) Host IP

If packet does not match an existing session, perform steps 3-8. If it does match, go directly to step 8.

Source Zone Security Zones


If network traffic, source zone = security zone to which interface or subinterface is bound. If VPN traffic to tunnel interface bound to VPN tunnel, source zone = security zone in which tunnel interface is configured If VPN traffic to tunnel interface in a tunnel zone, source zone = carrier zone

Destination Interface and Destination Zone

Permit = Forward packet Deny = Drop packet Tunnel = Use specified tunnel for VPN encryption

If destination zone = security zone, use that zone for policy lookup.

If destination zone = tunnel zone, use its carrier zone for policy lookup

Tunnel Zone

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

3DFNHW )ORZ 6HTXHQFH

1.

The interface module identifies the incoming interface and, consequently, the source zone to which the interface is bound. The source zone determination is based on the following criteria: If the packet is not encapsulated, the source zone is the security zone to which the incoming interface or subinterface is bound. If the packet is encapsulated and the tunnel interface is bound to a VPN tunnel, the source zone is the security zone in which the tunnel interface is configured. If the packet is encapsulated and the tunnel interface is in a tunnel zone, the source zone is the corresponding carrier zone (a security zone that carries a tunnel zone) for that tunnel zone. The session module performs a session lookup, attempting to match the packet with an existing session. If the packet does not match an existing session, the NetScreen device performs First Packet Processing, a procedure involving the following steps 3 through 8. If the packet matches an existing session, the NetScreen device performs Fast Processing, using the information available from the existing session entry to process the packet. Fast Processing bypasses steps 3 through 7 because the information generated by those steps has already been obtained during the processing of the first packet in the session.

2.

3. 4.

If a mapped IP (MIP) or virtual IP (VIP) address is used, the address-mapping module resolves the MIP or VIP so that the routing table can search for the actual host address. The route table lookup finds the interface that leads to the destination address. In so doing, the interface module identifies the destination zone to which that interface is bound. The destination zone determination is based on the following criteria: If the destination zone is a security zone, that zone is used for the policy lookup. If the destination zone is a tunnel zone, the corresponding carrier zone is used for the policy lookup.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

3DFNHW )ORZ 6HTXHQFH

5.

The policy engine searches the access control list (ACL) for a policy between the addresses in the identified source and destination zones. The action configured in the policy determines what the NetScreen firewall does with the packet: If the action is permit, the firewall determines to forward the packet to its destination. If the action is deny, the firewall determines to drop the packet. If the action is tunnel, the firewall determines to forward the packet to the VPN module, which encapsulates the packet and transmits it using the specified VPN tunnel settings. If source address translation is specified (either interface-based NAT or policy-based NAT), the NAT module translates the source address before forwarding it either to its destination or to the VPN module. The session module creates a new entry in the session table containing the results of steps 1 through 6. The NetScreen device then uses the information maintained in the session entry when processing subsequent packets of the same session.

6. 7.

8.

The NetScreen device performs the operation specified in the session. Some typical operations are source address translation, VPN tunnel selection and encryption, decryption, and packet forwarding.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

3DFNHW )ORZ 6HTXHQFH

([DPSOH 3DUW   (QWHUSULVH ZLWK 6L[ =RQHV


This is the first part of an ongoing example. For the next part, in which the interfaces for each zone are set, see Example (Part 2): Interfaces for Six Zones on page 18. Here you configure the following six zones for an enterprise:
Finance Trust Eng Mail Untrust DMZ

The zones Trust, Untrust, and DMZ are preconfigured. You must configure the zones Finance, Eng, and Mail. By default, a user-configured zone is placed in the virtual router trust-vr. Thus, you do not have to specify a virtual router for the Finance and Eng zones. However, in addition to configuring the Mail zone, you must also specify that it be in the virtual router untrust-vr9. For both the DMZ and the Mail zones, you enable intra-zone blocking.
Trust-VR Routing Domain Finance Mail Untrust-VR Routing Domain

Trust

Untrust

Eng

DMZ

9.

For more information on virtual routers and their routing domains, see Chapter 7, Virtual Routers.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

3DFNHW )ORZ 6HTXHQFH

:HE8,
1. Zone >> New Entry: Enter the following, and then click OK: Name: Finance Virtual Router Name: trust-vr Zone Type: Regular: (select) 2. Zone >> New Entry: Enter the following, and then click OK: Name: Eng Virtual Router Name: trust-vr Zone Type: Regular: (select) 3. Zone >> New Entry: Enter the following, and then click OK: Name: Mail Intra-Zone Blocking: (select) Virtual Router Name: untrust-vr Zone Type: Regular: (select) 4. Zone >> Edit (for DMZ): Select Intra-Zone Blocking, and then click OK.

&/,
1. 2. 3. 4. 5. 6. 7. set zone name finance set zone name eng set zone name mail set zone mail vrouter untrust-vr set zone mail block set zone dmz block save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

3DFNHW )ORZ 6HTXHQFH

([DPSOH 3DUW   ,QWHUIDFHV IRU 6L[ =RQHV


This is the second part of an ongoing example. For the first part, in which zones are configured, see Example (Part 1): Enterprise with Six Zones on page 16. For the next part, in which virtual routers are configured, see Example (Part 3): Enterprise with Two Routing Domains on page 23. This part of the example demonstrates how to configure interfaces and bind them to zones.

210.10.1.1/24 eth1/1 Finance 10.10.1.1/24 eth3/2.1 Mail 210.10.2.2/24 eth1/1.2

Trust 10.10.2.1/24 eth3/2

Untrust 210.10.3.1/24 eth1/2

Eng 10.10.3.1/24 eth3/1

DMZ 210.10.4.1/24 eth2/2

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

3DFNHW )ORZ 6HTXHQFH

:HE8,
,QWHUIDFH HWKHUQHW
1. Interfaces >> Physical >> Edit (for ethernet3/2): Enter the following, and then click Save: IP Address: 10.10.2.1 Netmask: 255.255.255.0 Zone Name: Trust Interface Mode: NAT (select) Management Services: WebUI, Telnet, SNMP, SCS (select) Other Services: Ping (select)

,QWHUIDFH HWKHUQHW
2. Interfaces >> Physical >> New Sub-i/f (for ethernet3/2): Enter the following, and then click Save: Interface Name: ethernet3/2.: 1 IP Address: 10.10.1.1 Netmask: 255.255.255.0 VLAN Tag: 1 Zone Name: Finance Interface Mode: NAT (select) Other Services: Ping (select)

,QWHUIDFH HWKHUQHW
3. Interfaces >> Physical >> Edit (for ethernet3/1): Enter the following, and then click Save: IP Address: 10.10.3.1 Netmask: 255.255.255.0

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

3DFNHW )ORZ 6HTXHQFH

Zone Name: Eng Interface Mode: NAT (select) Other Services: Ping (select)

,QWHUIDFH HWKHUQHW
4. Interfaces >> Physical >> Edit (for ethernet1/1): Enter the following, and then click Save: IP Address: 210.10.1.1 Netmask: 255.255.255.0 Zone Name: Mail

,QWHUIDFH HWKHUQHW
5. Interfaces >> Physical >> Sub-i/f (for ethernet1/1): Enter the following, and then click Save: Interface Name: ethernet1/1.: 2 IP Address: 210.10.2.2 Netmask: 255.255.255.0 VLAN Tag: 2 Zone Name: Mail

,QWHUIDFH HWKHUQHW
6. Interfaces >> Physical >> Edit (for ethernet1/2): Enter the following, and then click Save: IP Address: 210.10.3.1 Netmask: 255.255.255.0 Zone Name: Untrust Management Services: SNMP (select)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

3DFNHW )ORZ 6HTXHQFH

,QWHUIDFH HWKHUQHW
7. Interfaces >> Physical >> Edit (for ethernet2/2): Enter the following, and then click Save: IP Address: 210.10.4.1 Netmask: 255.255.255.0 Zone Name: DMZ

&/,
,QWHUIDFH HWKHUQHW
8. 9. 10. 11. 12. 13. 14. 15. set interface eth3/2 zone trust set interface eth3/2 ip 10.10.2.1/24 set interface eth3/2 nat set interface eth3/2 manage ping set interface eth3/2 manage webui set interface eth3/2 manage telnet set interface eth3/2 manage snmp set interface eth3/2 manage scs

,QWHUIDFH HWKHUQHW
1. 2. 3. 4. set interface eth3/2.1 zone finance set interface eth3/2.1 ip 10.10.1.1/24 tag 1 set interface eth3/2.1 nat set interface eth3/2.1 manage ping

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

3DFNHW )ORZ 6HTXHQFH

,QWHUIDFH HWKHUQHW
5. 6. 7. 8. set interface eth3/1 zone eng set interface eth3/1 ip 10.10.3.1/24 set interface eth3/1 nat set interface eth3/1 manage ping

,QWHUIDFH HWKHUQHW
9. set interface eth1/1 zone mail 10. set interface eth1/1 ip 210.10.1.1/24

,QWHUIDFH HWKHUQHW
11. set interface eth1/1.1 zone mail 12. set interface eth1/1.1 ip 210.10.2.2 /24 tag 2

,QWHUIDFH HWKHUQHW
13. set interface eth1/2 zone untrust 14. set interface eth1/2 ip 210.10.3.1/24 15. set interface eth1/2 manage snmp

,QWHUIDFH HWKHUQHW
16. set interface eth2/2 zone dmz 17. set interface eth2/2 ip 210.10.4.1/24 18. save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

3DFNHW )ORZ 6HTXHQFH

([DPSOH 3DUW   (QWHUSULVH ZLWK 7ZR 5RXWLQJ 'RPDLQV


This is the third part of an ongoing example. For the previous part, in which interfaces for the various security zones are defined, see Example (Part 2): Interfaces for Six Zones on page 18. For the next part, in which the access polices are set, see Example (Part 4): Access Policies for an Enterprise with Six Zones on page 26. In this example, you only have to configure a route for the default gateway to the internet. The other routes are automatically created by the NetScreen device when you create the interface IP addresses.

Trust-VR Routing Domain

Untrust-VR Routing Domain

Finance 10.10.1.1/24 eth3/2.1, NAT

210.10.1.1/24 eth1/1, Route Mail

210.10.2.2/24 eth1/1.2, Route

Trust 10.10.2.1/24 eth3/2, NAT

To Internet Untrust 210.10.3.1/24 eth1/2, Route 210.10.3.254

Eng 10.10.3.1/24 eth3/1, NAT

Route Redistribution

DMZ 210.10.4.1/24 eth2/2, Route

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

3DFNHW )ORZ 6HTXHQFH

:HE8,
1. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway IP Address: 210.10.2.254 Interface: ethernet1/2(untrust-vr)

&/,
1. 2. set vrouter untrust-vr route 0.0.0.0/0 interface eth1/2 gateway 210.10.1.254 save To see the route table entries for the ongoing example, look at the tables on the next page.
Note: This is the only user-configured entry.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

3DFNHW )ORZ 6HTXHQFH

The NetScreen device automatically creates the following routes (in black):
To Reach: 0.0.0.0/0 10.10.3.0/24 10.10.2.0/24 10.10.1.0/24 Use Interface: n/a eth3/1 eth3/2 eth3/2.1 Use Gateway: Untrust-VR 0.0.0.0 0.0.0.0 0.0.0.0

To Reach: 210.10.4.0/24 210.10.3.0/24 210.10.2.0/24 210.10.1.0/24 0.0.0.0/0

Use Interface: eth2/2 eth1/2 eth1/1.2 eth1/1 eth1/2

Use Gateway: 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 210.10.3.254

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

3DFNHW )ORZ 6HTXHQFH

([DPSOH 3DUW   $FFHVV 3ROLFLHV IRU DQ (QWHUSULVH ZLWK 6L[ =RQHV


This is the last part of an ongoing example. The previous part is Example (Part 3): Enterprise with Two Routing Domains on page 23. This part of the example demonstrates how to configure new access policies.

Finance

Mail

Trust

Policy Engine

Untrust

Eng Route Redistribution

DMZ

For the purpose of this example, before you begin configuring new access policies, you need to create new service groups. Note: When you create a zone, the NetScreen device automatically creates the address Any for all hosts within that zone. This example makes use of the address Any for the hosts.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

3DFNHW )ORZ 6HTXHQFH

:HE8,
6HUYLFH *URXSV
1. Services >> Custom >> New Group: Enter the following, and then click OK. Group Name: Mail-Pop3 Group Members << Available Members Mail Pop3 2. Services >> Custom >> New Group: Enter the following, and then click OK. Group Name: HTTP-FTPGet Group Members << Available Members HTTP FTP-Get

$FFHVV 3ROLFLHV
3. Policy (From Zone: Finance, To Zone: Mail) >> New Policy: Enter the following, and then click OK: Source Address: Any Destination Address: Any Service: Mail-Pop3 Action: Permit 4. Policy (From Zone: Trust, To Zone: Mail) >> New Policy: Enter the following, and then click OK: Source Address: Any Destination Address: Any Service: Mail-Pop3

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

3DFNHW )ORZ 6HTXHQFH

Action: Permit 5. Policy (From Zone: Eng, To Zone: Mail) >> New Policy: Enter the following, and then click OK: Source Address: Any Destination Address: Any Service: Mail-Pop3 Action: Permit 6. Policy (From Zone: Untrust, To Zone: Mail) >> New Policy: Enter the following, and then click OK: Source Address: Any Destination Address: Any Service: Mail Action: Permit 7. Policy (From Zone: Finance, To Zone: Untrust) >> New Policy: Enter the following, and then click OK: Source Address: Any Destination Address: Any Service: HTTP-FTPGet Action: Permit 8. Policy (From Zone: Finance, To Zone: DMZ) >> New Policy: Enter the following, and then click OK: Source Address: Any Destination Address: Any Service: HTTP-FTPGet Action: Permit 9. Policy (From Zone: Trust, To Zone: Untrust) >> New Policy: Enter the following, and then click OK: Source Address: Any

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

3DFNHW )ORZ 6HTXHQFH

Destination Address: Any Service: HTTP-FTPGet Action: Permit 10. Policy (From Zone: Trust, To Zone: DMZ) >> New Policy: Enter the following, and then click OK: Source Address: Any Destination Address: Any Service: HTTP-FTPGet Action: Permit 11. Policy (From Zone: Eng, To Zone: DMZ) >> New Policy: Enter the following, and then click OK: Source Address: Any Destination Address: Any Service: HTTP-FTPGet Action: Permit 12. Policy (From Zone: Eng, To Zone: DMZ) >> New Policy: Enter the following, and then click OK: Source Address: Any Destination Address: Any Service: FTP-Put Action: Permit 13. Policy (From Zone: Untrust, To Zone: DMZ) >> New Policy: Enter the following, and then click OK: Source Address: Any Destination Address: Any Service: HTTP-FTPGet Action: Permit

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH

3DFNHW )ORZ 6HTXHQFH

&/,
6HUYLFH *URXSV
1. 2. 3. 4. set group service mail-pop3 add mail set group service mail-pop3 add pop3 set group service http-ftpget add http set group service http-ftpget add ftpget

$FFHVV 3ROLFLHV
5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. set policy from finance to mail any any mail-pop3 permit set policy from trust to mail any any mail-pop3 permit set policy from eng to mail any any mail-pop3 permit set policy from untrust to mail any any mail permit set policy from finance to untrust any any http-ftpget permit set policy from finance to dmz any any http-ftpget permit set policy from trust to untrust any any http-ftpget permit set policy from trust to dmz any any http-ftpget permit set policy from eng to untrust any any http-ftpget permit set policy from eng to dmz any any http-ftpget permit set policy from eng to dmz any any ftp-put permit set policy from untrust to dmz any any http-ftpget permit save

1HW6FUHHQ &RQFHSWV

([DPSOHV



8uhr!

=RQHV

A zone can be a segment of network space to which security measures are applied (a security zone), a logical segment to which a VPN tunnel interface is bound (a tunnel zone), or either a physical or logical entity that performs a specific function (a function zone). This chapter examines each type of zone, with particular emphasis given to the security zone, and is organized into the following sections: Security Zones on page 33 Tunnel Zones on page 34 Function Zones on page 37 When you first boot up a NetScreen device, you can see a number of preconfigured zones. In the WebUI, click Zone in the menu column on the left. In the CLI, use the get zone command.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  =RQHV

The output of the get zone command:


ns500-> get zone Total of 12 zones in vsys root -----------------------------------------------------------------------Id Name Type Attr VR 0 Null Null Shared trust-vr 1 Untrust Reg Shared untrust-vr 2 Trust Reg trust-vr 3 DMZ Reg untrust-vr 4 Self Reg trust-vr 5 MGT Reg trust-vr 6 HA Reg trust-vr 10 Global Reg trust-vr 11 V1-Untrust L2 trust-vr 12 V1-Trust L2 trust-vr 13 V1-DMZ L2 trust-vr 16 Untrust-Tun Tun trust-vr -----------------------------------------------------------------------The root and virtual systems share these zones.

Default-If null ethernet1/2 ethernet3/2 ethernet2/2 self mgt ha1 null v1-untrust v1-trust v1-dmz tunnel

vsys Root Root Root Root Root Root Root Root Root Root Root Root

These zones do not and cannot have an interface.

These zones provide backward compatibility when upgrading to ScreenOS 3.1.0the top 3 for devices in NAT or Route mode, the bottom 3 for devices in Transparent mode.

Zone ID numbers 79 and 1415 are reserved for future use.

By default, VPN tunnel interfaces are bound to the Untrust-Tun zone, whose carrier zone is the Untrust zone. (When upgrading to ScreenOS 3.1.0, existing tunnels are bound to the Untrust-Tun zone.)

The preconfigured zones shown above can be grouped into three different types: Security Zones: Untrust, Trust, DMZ, Global, V1-Untrust, V1-Trust, V1-DMZ Tunnel Zone: Untrust-Tun Function Zones: Null, Self, MGT, HA

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  =RQHV

6HFXULW\ =RQHV

6(&85,7< =21(6
On a single NetScreen device, you can configure multiple security zones, sectioning the network into segments to which you can apply various security options to satisfy the needs of each segment. At a minimum, you must define two security zones, basically to protect one area of the network from the other. You can also define many security zones, bringing finer granularity to your network security design and without deploying multiple security appliances to do so.

*OREDO =RQH
You can identify a security zone because it has an address book and can be referenced in access policies. The global zone satisfies these criteria. However, it does not have one element that all other security zones do havean interface. The global zone serves as a storage area for mapped IP (MIP) and virtual IP (VIP) addresses. Because traffic going to these addresses is mapped to other addresses, the global zone does not require an interface for traffic to flow through it. Note: When configuring a policy for a MIP or VIP, you can specify the global zone as the destination zone. If you specify the security zone to which the MIP or VIP maps the traffic it receives as the destination, the policy engine automatically changes it to global.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  =RQHV

7XQQHO =RQHV

7811(/ =21(6
A tunnel zone is a logical segment that hosts one or more tunnel interfaces. A tunnel zone is associated with a security zone that acts as its carrier. The NetScreen device uses the routing information for the carrier zone to direct traffic to the tunnel endpoint. The default tunnel zone is Untrust-Tun, and it is associated with the Untrust zone. You can create other tunnel zones and bind them to other security zones, with a maximum of one tunnel zone per carrier 1 zone per virtual system . By default, a tunnel zone is in the Trust-VR routing domain, but you can also move a tunnel zone into another routing domain.

&UHDWLQJ D =RQH
To create a security zone or tunnel zone, do either of the following:

:HE8,
Zone >> New Entry: Enter the following, and then click OK: Name: Type a name for the zone. Block Intra-Zone Traffic: Select this if you want to block traffic between hosts within the same security zone. By default, intra-zone blocking is disabled. Virtual Router Name: Select the virtual router in whose routing domain you want to place the zone. Zone Type: Select Regular to create a zone to which you can bind interfaces in NAT or Route mode. Select Layer 2 to create a zone to which you can bind interfaces in Transparent mode. Select Tunnel Out Zone when creating a tunnel zone and binding it to a carrier zone, and then select a specific carrier zone from the drop-down list.

1.

The root system and all virtual systems can share the Untrust zone. However, each system has its own separate Untrust-Tun zone.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  =RQHV

7XQQHO =RQHV

&/,
set zone name <name> [ l2 <vlan_id_number> | tunnel <zone_name> ] set zone <name> block set zone vrouter <vrouter_name>

0RGLI\LQJ D =RQH
To modify the ID number or name of a security zone or tunnel zone, you must first delete the zone2, and then create it again with the new name. To change the intra-zone blocking option or to change the virtual router, you can modify those settings on the existing zone.

:HE8,
0RGLI\LQJ WKH =RQH 1DPH
1. 2. 3. Zone: Click Remove (for the zone whose ID number or name you want to modify). When the prompt appears, asking for confirmation of the removal, click Yes. Zone >> New Entry: Enter the zone settings, modifying the ID number or name, and then click OK.

&KDQJLQJ WKH ,QWUD=RQH %ORFNLQJ 2SWLRQ RU 9LUWXDO 5RXWHU


1. Zone >> Edit (for the zone that you want to modify): Enter the following, and then click OK: Intra-Zone Blocking: To enable, select the check box. To disable, clear it. Virtual Router Name: From the drop-down list, select the virtual router into whose routing domain you want to move the zone.

2.

Before you can remove a zone, you must first unbind all interfaces bound to it.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  =RQHV

7XQQHO =RQHV

&/,
0RGLI\LQJ WKH =RQH 1DPH
1. 2. unset zone <name> set zone name <name> [ l2 <vlan_id_number> | tunnel <zone_name> ]

&KDQJLQJ WKH ,QWUD=RQH %ORFNLQJ 2SWLRQ RU 9LUWXDO 5RXWHU


{ set | unset } zone <name> block set zone vrouter <vrouter_name>

'HOHWLQJ D =RQH
To delete a security zone or tunnel zone, do either of the following3:

:HE8,
1. 2. Zone: Click Remove (for the zone you want to delete). When the prompt appears, asking for confirmation of the removal, click Yes.

&/,
unset zone <name>

3.

Before you can remove a zone, you must first unbind all interfaces bound to it.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  =RQHV

)XQFWLRQ =RQHV

)81&7,21 =21(6
The four function zones are Null, MGT, HA, and Self. Each zone exists for a single purpose, as explained below. Note: Although you can set interfaces for the MGT and HA zones, the zones themselves are not configurable.

1XOO =RQH
This zone serves as temporary storage for any interfaces that are not bound to any other zone.

0*7 =RQH
This zone hosts the out-of-band management interface, MGT.

+$ =RQH
This zone hosts the high availability interfaces, HA1 and HA2.

6HOI =RQH
This zone hosts the interface for remote management connections. When you connect to the NetScreen device via HTTP, SCS, or Telnet, you connect to the Self zone.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  =RQHV

)XQFWLRQ =RQHV

1HW6FUHHQ &RQFHSWV

([DPSOHV



8uhr"

,QWHUIDFHV

Creating an interface is the next step following the creation of a zone. You must create an interface and bind it to a zone to allow traffic to flow in and out of the zone. Then, you must set routes and configure access policies to allow traffic to pass from interface to interface . Physical interfaces and subinterfaces, like doorways, allow traffic to enter and exit a zone. You can assign multiple interfaces to a zone, but an interface can only be assigned to one zone. For more information on configuring access policies, see Access Policies on page 249, and Policy-Based VPNs on page 381 for VPN tunnels. For more information on configuring routes, see Virtual Routers on page 179. The great flexibility of USGA enables you to set DHCP service and firewall options on a per interface basis. This chapter contains the following sections: Interface Types on page 40 Interface Settings and Operational Modes on page 45 Transparent Mode on page 45 Network Address Translation Mode on page 52 Route Mode on page 58 Secondary IP Addresses on page 63 Management Services Options on page 65 Interface Services Options on page 66 Firewall Options on page 67 Configuring an interface on page 78

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 7\SHV

,17(5)$&( 7<3(6
This section describes physical interfaces, subinterfaces, and tunnel interfaces. For information on how to view a table of all these interfaces, see Viewing interfaces on page 42.

6HFXULW\ =RQH ,QWHUIDFHV


The purpose of physical interfaces and subinterfaces is to provide an opening through which network traffic can pass between zones.

3K\VLFDO
Each port on your NetScreen device represents a physical interface, and the name of the interface is predefined. The name of a physical interface is composed of the media type, slot number (for some NetScreen devices), and port number, for example, ethernet3/2 or ethernet2 (see also Security Zone Interfaces on page 3). For backward compatibility, certain interfaces can still be named Trust, Untrust, and DMZ as in the old version of ScreenOS. You can bind a physical interface to any security zone where it acts as a doorway through which traffic enters and exits the zone. Without an interface, no traffic can access the zone or leave it. Three of the physical ethernet interfaces are pre-bound to specific zonesTrust, Untrust, or DMZ and which interface is bound to which zone is specific to each platform. For more information on the Trust, Untrust, and DMZ zones, see Multiple Security Zones on page 2.

6XELQWHUIDFH
A subinterface, like a physical interface, acts as a doorway through which traffic enters and exits a security zone. You can logically divide a physical interface into several virtual subinterfaces. Each virtual subinterface borrows the bandwidth it needs from the physical interface from which it stems, thus its name is an extension of the physical interface name, for example, ethernet3/2.1 or ethernet2.1 (see also Security Zone Interfaces on page 3).

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 7\SHV

You can bind a subinterface to any zone. You can bind a subinterface to the same zone as its physical interface, or you can bind it to a different zone.

)XQFWLRQ =RQH ,QWHUIDFHV


Function zone interfaces, such as Management and HA, each serve a special purpose.

0DQDJHPHQW ,QWHUIDFH
On some NetScreen devices, you can manage the device through a separate physical interfacethe Management (MGT) interfacemoving administrative traffic outside the regular network user traffic. Separating administrative traffic from network user traffic greatly increases security and assures constant management bandwidth. Note: For information on configuring the device for administration, see Administration on page 123.

+$ ,QWHUIDFH
With NetScreen devices with dedicated High Availability (HA) interfaces, you can link two or more devices together to form a redundant group, or cluster. In a redundant group, one unit acts as the master, performing the network firewall, VPN, and traffic-shaping functions, while the other units act as backups, basically waiting to take over the firewall functions should the master unit fail. The HA interface is a physical port used exclusively for HA functions.

9LUWXDO +$ ,QWHUIDFH
On NetScreen devices without a dedicated HA interface, a Virtual High Availability (HA) interface provides the same functionality. Because there is no separate physical port exclusively used for HA traffic, the Virtual HA interface must be bound to one of the physical portstrust, untrust, or DMZ.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 7\SHV

7XQQHO ,QWHUIDFHV
A tunnel interface acts as a doorway to a VPN tunnel. Traffic enters and exits a VPN tunnel via a tunnel interface. By binding a tunnel interface to a VPN, you can separate the policy from the VPN tunnel. This way, you can configure one tunnel, and define multiple policies to regulate the traffic that flows through that tunnel. When there is no tunnel interface bound to a VPN tunnel, you can only define one policy per VPN tunnel. You can perform policy-based NAT on outgoing or incoming traffic using a pool of dynamic IP (DIP) addresses in the same subnet as the tunnel interface. A typical reason for using policy-based NAT on a tunnel interface is to avoid IP address conflicts between the two sites on either end of the VPN tunnel. You can use the same tunnel interface and DIP pool for more than one VPN tunnel. In USGA, you can bind a tunnel interface to any zone. Note: For information on how to configure an interface, see Configuring an interface on page 78.

9LHZLQJ LQWHUIDFHV
You can view a table that lists all interfaces on your NetScreen device. Because they are predefined, physical interfaces are listed regardless of whether or not you configure them. Subinterfaces and tunnel interfaces are only listed once you create and configure them. To view the interface table in the WebUI, click Interface in the menu column on the left, and to view it in the CLI, use the get interface command. In the CLI, the get interface command includes tunnel interfaces. In the WebUI, tunnel interfaces are separated from other interfaces. To view them, click Interfaces >> Tunnel.

,QWHUIDFH 7DEOH
The interface table displays the following information on each interface: Name: This field identifies the name of the interface. IP/Netmask: This field identifies the IP address and netmask address of the interface. Zone: This field identifies the zone to which the interface is bound.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 7\SHV

Link: This field identifies whether the interface is active (Up) or inactive (Down). Configure: This field allows you configure and modify interfaces through these options: Edit: Configure a physical interface for the first time, or modify an existing configuration. New Sub-i/f: Create a new subinterface, or click Edit to modify an existing configuration. Remove: Delete an interface. MIP: Create a mapped IP address. DIP: Create a dynamic IP address pool. 2IP: Create a secondary IP address. VIP: Create a virtual IP address. Screen: Select Network Attack Blocking Engine (Screen) options to counter network attacks such as the ones listed in the Firewall Options on page 67. Note: In the WebUI, in the physical interfaces and subinterfaces table, yellow rows identify physical interfaces, and green rows identify subinterfaces (see WebUI Interface Table on page 44). In the CLI, you can distinguish a subinterface from a physical interface by its VLAN tag (see CLI Interface Table on page 44).

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 7\SHV

WebUI Interface Table

CLI Interface Table

VLAN Tag

VLAN Tag

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 6HWWLQJV DQG 2SHUDWLRQDO 0RGHV

,17(5)$&( 6(77,1*6 $1' 23(5$7,21$/ 02'(6


Interfaces can operate in three different modes: Network Address Translation (NAT), Route, and Transparent modes. You select an operational mode when you configure an interface.

7UDQVSDUHQW 0RGH
When an interface is in a Transparent mode, the NetScreen device filters packets traversing the firewall without modifying any of the source or destination information in the IP packet header. All interfaces behave as though they are part of the same network, with the NetScreen device acting much like a layer-2 switch or bridge. In Transparent mode, the IP addresses of interfaces are set at 0.0.0.0, making the presence of the NetScreen device invisible, or transparent, to users.
209.122.30.2 209.122.30.1 209.122.30.5 209.122.30.3 209.122.30.4

Trust Zone Switch Public Address Space

Untrust Zone External Router

To Internet

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 6HWWLQJV DQG 2SHUDWLRQDO 0RGHV

Transparent mode is a convenient means for protecting Web servers, or any other kind of server that mainly receives traffic from untrusted sources. Using Transparent mode offers the following benefits: No need to reconfigure the IP settings of routers or protected servers No need to create Mapped or Virtual IP addresses for incoming traffic to reach protected servers

,QWHUIDFH 6HWWLQJV
Interfaces in transparent mode can only be managed through the VLAN1 interface. By default, ScreenOS always creates a VLAN1 interface, and three VLAN1 zones: V1-Trust, V1-Untrust, V1-DMZ.

9/$1 ,QWHUIDFH
While ScreenOS creates the VLAN1 interface, you need to configure it before you can use it to manage any interface. The VLAN1 interface has in fact two main purposes: one is to provide an address for managing the device, and the other is to terminate VPN traffic when the device is in transparent mode. The VLAN1 interface has the same configuration and management abilities as a physical interface. You can configure the VLAN1 interface to permit hosts in the VLAN1 zones to manage it, in which case, you must set the VLAN1 interface IP to be in the same subnet as the hosts. The VLAN1 interface IP overrides the system IP and the manage IP. When the VLAN1 interface is configured, neither the system IP nor the manage IP have any effect on interfaces in transparent mode.

9/$1 =RQHV
VLAN1 zones are also referred to as Layer 2 zones because they share the same layer 2 domain. When you configure an interface in one of the VLAN1 zones, it gets added to the layer 2 domain shared by all interfaces in all the VLAN1 zones. By default the following physical interfaces are bound to the VLAN1 zones:
Zone V1-Trust V1-DMZ V1-Untrust NetScreen 200 Series Interface ethernet1 ethernet2 ethernet3 NetScreen 500 Interface ethernet3/2 ethernet2/2 ethernet1/2

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 6HWWLQJV DQG 2SHUDWLRQDO 0RGHV

All hosts in the VLAN1 zones must be on the same subnet to communicate, and you must define policies to allow hosts to communicate between zones. For more information on how to set policies, see Access Policies on page 249.

([DPSOH +RZ WR 'HILQH WKH 9/$1 ,QWHUIDFH


This example demonstrates how to define an IP address for the VLAN1 interface, management options, and a route to enable management traffic to flow to and from the NetScreen device.

:HE8,
1. Interfaces >> Physical >> Edit (for the VLAN1 interface): Enter the following, and then click OK. IP Address: 209.122.30.254 Netmask: 255.255.255.0 Management Services: WebUI, Telnet, SCS (select) Other Services: Ping (select)

&/,
1. 2. 3. set interface vlan1 ip 209.122.30.254/24 set interface vlan1 manage webui telnet scs ping save

([DPSOH 7UDQVSDUHQW 0RGH


The following example illustrates a basic configuration for a single LAN protected by a NetScreen device in Transparent mode. Access policies permit outgoing traffic for all four hosts in the Trust zone, incoming mail for the mail server, and incoming FTP for the FTP server. The device is managed through its VLAN1 IP address.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 6HWWLQJV DQG 2SHUDWLRQDO 0RGHV

FTP Server 209.122.17.250/24

Mail Server 209.122.17.249/24 NetScreen Device

Router 209.122.17.253/24

Trust Zone VLAN1 IP 209.122.17.252 Port 5555 PC #1 209.122.17.1/24 PC #2 209.122.17.2/24

Internet

:HE8,
1. Interfaces >> Physical >> Edit (for the VLAN1 interface): Enter the following, and then click Apply: IP Address: 209.122.17.252 Netmask: 255.255.255.0 Management Services: WebUI, Telnet, SCS (select) Other Services: Ping (select) 2. 3. Admin >> Web: Enter the following, and then click Apply: HTTP Port: 55551 Interfaces >> Physical >> Edit (for ethernet1): Enter the following, and then click Save: IP Address: 0.0.0.0
1. The default port number is 80. Changing this to any number between 1024 and 32,767 is advised for discouraging unauthorized access to the configuration. When logging in to manage the device later, enter the following in the URL field of your Web browser: http://209.122.17.252:5555.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 6HWWLQJV DQG 2SHUDWLRQDO 0RGHV

Netmask: 0.0.0.0 Manage IP: 0.0.0.0 Traffic Bandwidth: 0 Zone Name: Trust 4. Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save: IP Address: 0.0.0.0 Netmask: 0.0.0.0 Manage IP: 0.0.0.0 Traffic Bandwidth: 0 Zone Name: Untrust 5. Addresses >> Address (under the New column for the Trust zone): Enter the following and then click OK: Address Name: Mail Server IP Address/Domain Name: 209.122.17.249 Netmask: 255.255.255.255 6. Addresses >> Address (under the New column for the Trust zone): Enter the following and then click OK: Address Name: FTP Server IP Address/Domain Name: 209.122.17.250 Netmask: 255.255.255.255 7. Policies >> From Zone: Trust, To Zone: Untrust >> New Policy: Enter the following and then click OK: Source Address: Any Destination Address: Any Service: Any Action: Permit

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 6HWWLQJV DQG 2SHUDWLRQDO 0RGHV

8.

Policies >> From Zone: Untrust, To Zone: Trust >> New Policy: Enter the following and then click OK: Source Address: Any Destination Address: Mail Server Service: Mail Action: Permit Note: To get the Mail Server address, it must already exist in the address list. You can create this address by selecting Addresses >> Address (under the New column for the appropriate zone) and specifying the mail servers name and IP address.

9.

Policies >> From Zone: Untrust, To Zone: Trust >> New Policy: Enter the following and then click OK: Source Address: Any Destination Address: FTP Server Service: FTP Action: Permit Note: Because PC #1 and PC #2 are not specified in an access policy, they do not need to be added to the address book. The term Any applies to any device connected to the interface in the Trust zone.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 6HWWLQJV DQG 2SHUDWLRQDO 0RGHV

&/,
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. set interface vlan1 ip 209.122.17.252 set admin port 55552 set interface ethernet1 zone trust set interface ethernet1 ip 0.0.0.0/0 set interface ethernet3 zone untrust set interface ethernet3 ip 0.0.0.0/0 set address trust Mail_Server 209.122.17.249/24 set address trust FTP_Server 209.122.17.250/24 set policy from trust to untrust any any any permit set policy from untrust to trust any 209.122.17.250/24 mail permit set policy from untrust to trust any 209.122.17.249/24 ftp permit save

2.

When logging in to manage the device later, enter the following in the URL field of your Web browser: http://209.122.17.252:5555

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 6HWWLQJV DQG 2SHUDWLRQDO 0RGHV

1HWZRUN $GGUHVV 7UDQVODWLRQ 0RGH


When an interface is in Network Address Translation (NAT) mode, the NetScreen device, acting like a layer-3 switch (or router), translates two components in the header of an outgoing IP packet traversing the firewall across an interface in NAT mode: its source IP address and source port number. The NetScreen device replaces the source IP address of the host that sent the packet with the IP address of the interface of the destination zone. Also, it replaces the source port number with another random port number generated by the NetScreen device.
10.16.20.2 10.16.20.1 10.16.20.3 10.16.20.4 10.16.20.5

Trust Zone Private Address Space


Trust Zone Interface 10.16.20.10

Public Address Space

Untrust Zone Interface 209.122.30.10

Untrust Zone

Internet

When the reply packet arrives at the NetScreen device, the device translates two components in the IP header of the incoming packet: the destination address and port number, which are translated back to the original numbers. The packet is then forwarded to its destination. NAT adds a level of security not provided in Transparent mode: The addresses of hosts connected to the trusted port are never exposed to the network in the Untrust or DMZ zones.
1HW6FUHHQ &RQFHSWV ([DPSOHV 

&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 6HWWLQJV DQG 2SHUDWLRQDO 0RGHV

Also, NAT preserves the use of Internet-routable IP addresses. With only one public, Internet-routable IP address that of the interface in the Untrust zonethe LAN in the Trust zone, or any other zone using NAT services, can have a vast number of hosts with private IP addresses. The following IP address ranges are reserved for private IP networks and must not get routed on the Internet: 10.0.0.0 - 10.255.255.255 172.16.0.0 - 172.31.255.255 192.168.0.0 - 192.168.255.255 A host in a zone sending traffic through an interface in NAT mode can initiate outbound traffic to another zone if an access policy permits it, but it cannot receive traffic from another zone unless a Mapped IP (MIP), Virtual IP (VIP), or VPN tunnel is set up for it. Note: For more information about MIPs, see Mapped IP on page 476. For more about VIPs, see Virtual IP on page 204.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 6HWWLQJV DQG 2SHUDWLRQDO 0RGHV

,QWHUIDFH 6HWWLQJV
For NAT mode, define the following interface settings, where <address1> and <address2> represent numbers in an IP address, <netmask> represents the numbers in a netmask, <tag> represents the number of a VLAN tag, <zone> represents the name of a zone, and <number> represents the bandwidth size in kbps:
Zone Interfaces Trust and User-Defined Zones using NAT Settings IP: <address1> Netmask: <netmask> Manage IP*: <address2> Traffic Bandwidth: <number> NAT: (select) IP: <address1> Netmask: <netmask> Manage IP*: <address2> Traffic Bandwidth: <number> Zone Subinterfaces IP: <address1> Netmask: <netmask> VLAN Tag: <tag> Zone Name: <zone> NAT: (select) IP: <address1> Netmask: <netmask> VLAN Tag: <tag> Zone Name: <zone>

Untrust and DMZ

* You can set the manage IP address on a per interface basis. Its primary purpose is to provide an address for accessing a specific device when it is in a high availability configuration. You can also use the manage IP address for management purposes when using the NetScreen device as a single security appliance. Optional setting for traffic shaping. Selecting NAT defines the interface mode as NAT. Selecting Route defines the interface mode as Route.

([DPSOH 1$7 0RGH


The following example illustrates a simple configuration for a LAN with a single subnet in the Trust zone. The LAN is protected by a NetScreen device in NAT mode. Access policies permit outgoing traffic for all three hosts in the Trust zone and incoming mail for the mail server. The incoming mail is routed to the mail server through a Virtual IP address. Note: Compare this example with that for Route mode on page 60.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 6HWWLQJV DQG 2SHUDWLRQDO 0RGHV

Mail Server VIP 209.2.2.3 NAT 172.16.10.253 NetScreen Device Trust Zone Trust Zone Interface 172.16.10.1/24 Workstation #1 172.16.10.20/24 Workstation #2 172.16.10.30/24 Untrust Zone Interface 200.2.2.2/24

Router 200.2.2.1/24

Internet

Untrust Zone

:HE8,
1. 1. Admin >> Settings: Enter the following, and then click Apply. System IP Address: 0.0.0.0 Interfaces >> Physical >> Edit (for ethernet1): Enter the following, and then click Save: IP Address: 172.16.10.1 Netmask: 255.255.255.0 Manage IP: 0.0.0.0 Traffic Bandwidth: 0 Zone Name: Trust NAT:3 (select)

3.

Selecting NAT determines that the NetScreen device performs NAT on traffic entering and exiting the Trust zone.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 6HWWLQJV DQG 2SHUDWLRQDO 0RGHV

2.

Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save: IP Address4: 200.2.2.2 Netmask: 255.255.255.0 Manage IP: 0.0.0.0 Traffic Bandwidth: 0 Zone Name: Untrust

3. 4.

Interfaces >> Physical >> VIP (for ethernet3) >> New Entry: Enter the following, and then click OK: Virtual IP Address: 200.2.2.3 Interfaces >> Physical >> VIP (for ethernet3) >> Services: Enter the following, and then click OK: Virtual Port: 25 Service: Mail Map to IP: 172.16.10.253

5.

Policies >> From Zone: Trust, To Zone: Untrust >> New Policy: Enter the following, and then click OK: Source Address: Any Destination Address: Any Service: Any Action: Permit

6.

Policies >> From Zone: Untrust, To Zone: Trust >> New Policy: Enter the following and then click OK: Source Address: Any Destination Address: VIP(200.2.2.3) Service: Mail Action: Permit

4.

If the IP address in the Untrust zone on the NetScreen device is dynamically assigned by an ISP, leave the IP address and netmask fields empty and select DHCP. If the ISP uses Point-to-Point Protocol over Ethernet, select PPPoE and enter the name and password.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 6HWWLQJV DQG 2SHUDWLRQDO 0RGHV

&/,
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. set admin sys-ip 0.0.0.0 set interface ethernet1 zone trust set interface ethernet1 ip 172.16.10.1 255.255.255.0 set interface ethernet1 NAT5 set interface ethernet3 zone untrust6 set interface ethernet3 ip 200.2.2.2 255.255.255.0 set interface ethernet3 ip 0.0.0.0 0.0.0.0 set vip ethernet3 200.2.2.3 25 mail 172.16.10.253 set policy from trust to untrust any any any permit set policy from untrust to trust any vip 200.2.2.3 mail permit save

5. 6.

The set interface ethernet<number> nat command determines that the NetScreen device operates in NAT mode. If the IP address in the Untrust zone on the NetScreen device is dynamically assigned by an ISP, use the following command: set interface untrust dhcp. If the ISP uses Point-to-Point Protocol over Ethernet, use the set pppoe and exec pppoe commands. For more information, see the NetScreen CLI Reference Guide.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 6HWWLQJV DQG 2SHUDWLRQDO 0RGHV

5RXWH 0RGH
When an interface is in Route mode, the NetScreen device routes traffic between different zones without performing NAT; that is, the source address and port number in the IP packet header remain unchanged as it traverses the NetScreen device. Unlike NAT, you do not need to establish Mapped and Virtual IP addresses on an interface in Route mode to allow inbound sessions to reach hosts. Unlike Transparent mode, the interfaces in the Trust zone and the interfaces in the Untrust zone are on different subnets.
210.45.30.3 210.45.30.4 210.45.30.5

210.45.30.2 210.45.30.1

Trust Zone Public Address Space


Trust Zone Interface 210.45.30.10

Public Address Space

Untrust Zone Interface 209.122.30.10

Untrust Zone

Internet

Instead of applying NAT at the interface level so that all source addresses initiating outgoing traffic get translated to the IP address of the destination interface, when an interface operates in Route mode, you can perform NAT selectively at the policy level. You can determine which network and VPN traffic to route and on which traffic to perform NAT by creating access policies that enable NAT for specified source addresses on either incoming or

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 6HWWLQJV DQG 2SHUDWLRQDO 0RGHV

outgoing traffic. For network traffic, you can perform NAT using the IP address or addresses of the destination zone interface from a Dynamic IP (DIP) pool, which is in the same subnet as the destination zone interface. For VPN traffic, you can perform NAT using the destination zone interface IP address or an address from its associated DIP pool, or a tunnel interface IP address or an address from its associated DIP pool. Note: For more information about configuring policy-based NAT, see Chapter 15, Policy-Based NAT on page 471.

3DFNHW )ORZ 6HTXHQFH


For information and examples on packet flow sequence, see Packet Flow Sequence on page 13.

,QWHUIDFH 6HWWLQJV
For Route mode, define the following interface settings, where <address1> and <address2> represent numbers in an IP address, <netmask> represents the numbers in a netmask, <tag> represents the number of a VLAN tag, <zone> represents the name of a zone, and <number> represents the bandwidth size in kbps:
Zone Interfaces Trust and User-Defined Zones using NAT Settings IP: <address1> Netmask: <netmask> Manage IP*: <address2> Traffic Bandwidth: <number> Route: (select) IP: <address1> Netmask: <netmask> Manage IP*: <address2> Traffic Bandwidth: <number> Zone Subinterfaces IP: <address1> Netmask: <netmask> VLAN Tag: <tag> Zone Name: <zone> Route: (select) IP: <address1> Netmask: <netmask> VLAN Tag: <tag> Zone Name: <zone>

Untrust and DMZ

* You can set the manage IP address on a per interface basis. Its primary purpose is to provide an address for accessing a specific device when it is in a high availability configuration. You can also use the manage IP address for management purposes when using the NetScreen device as a single security appliance. Optional setting for traffic shaping. Selecting NAT defines the interface mode as NAT. Selecting Route defines the interface mode as Route.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 6HWWLQJV DQG 2SHUDWLRQDO 0RGHV

([DPSOH 5RXWH 0RGH


In the previous example, Example: NAT Mode on page 54, the hosts in the Trust zone LAN have private IP addresses and a Mapped IP for the mail server. In the following example of the same network protected by a NetScreen device operating in Route mode, note that the hosts have public IP addresses and that a MIP is unnecessary for the mail server.
Mail Server 240.9.10.45/24 NetScreen Device Internet Trust Zone Interface 240.9.10.10/24 Workstation #1 240.9.10.20/24 Workstation #2 240.9.10.30/24 Untrust Zone Interface 200.2.2.2/24 Router 200.2.2.1/24

:HE8,
1. 1. Admin >> Settings: Enter the following, and then click Apply: System IP Address: 0.0.0.0 Interfaces >> Physical >> Edit (for ethernet1): Enter the following, and then click Save: IP Address: 240.9.10.10 Netmask: 255.255.255.0 Traffic Bandwidth: 0 Zone Name: Trust Route7: (select)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 6HWWLQJV DQG 2SHUDWLRQDO 0RGHV

2.

Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save: IP Address8: 200.2.2.2 Netmask: 255.255.255.0 Traffic Bandwidth: 0 Zone Name: Untrust

3.

Addresses >> Address (under the New column for the Trust zone): Enter the following and then click OK: Address Name: Mail Server IP Address/Domain Name: 240.9.10.45 Netmask: 255.255.255.255

4.

Policies >> Policy (From Zone: Trust, To Zone: Untrust) >> New Policy: Enter the following and then click OK: Source Address: Any Destination Address: Any Service: Any Action: Permit

5.

Policies >> Policy (From Zone: Untrust, To Zone: Trust) >> New Policy: Enter the following and then click OK: Source Address: Any Destination Address: Mail Server Service: Mail Action: Permit

7. 8.

Selecting Route determines that the NetScreen device operates in Route mode, without performing NAT on traffic entering or exiting the Trust zone. If the IP address in the Untrust zone on the NetScreen device is dynamically assigned by an ISP, leave the IP address and netmask fields empty and select DHCP. If the ISP is using Point-to-Point Protocol over Ethernet, select PPPoE and enter the name and password.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 6HWWLQJV DQG 2SHUDWLRQDO 0RGHV

&/,
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. set admin sys-ip 0.0.0.0 set interface ethernet1 zone trust set interface ethernet1 ip 240.9.10.10/24 set interface ethernet1 route9 set interface ethernet3 zone untrust set interface ethernet3 ip 200.2.2.2/24 set address trust mail_server 240.9.10.45/24 set policy from trust to untrust any any any permit set policy from untrust to trust any mail_server mail permit save

9.

The set interface ethernet<number> route command determines that the NetScreen device operates in Route mode.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

6HFRQGDU\ ,3 $GGUHVVHV

6(&21'$5< ,3 $''5(66(6
Each NetScreen interface has a single, unique primary IP address. However, some situations demand that an interface have multiple IP addresses. For example, an organization might have additional IP address assignments, and might not wish to add a router to accommodate them. In addition, an organization might have more network devices than its subnet can handle, as when there are more than 254 hosts connected to a LAN. To solve such problems, you can add secondary IP addresses to an interface in the Trust, DMZ, or user-defined zone. Note: You cannot set multiple secondary IP addresses for interfaces in the Untrust zone.

6HFRQGDU\ $GGUHVV 3URSHUWLHV


Secondary addresses have certain properties that affect how you can implement such addresses. These properties are as follows. There can be no subnet address overlap between any two secondary IPs. In addition, there can be no subnet address overlap between a secondary IP and any existing subnet on the NetScreen device. When you manage a NetScreen device through a secondary IP address, the address always has the same management properties as the primary IP address. Consequently, you cannot specify a separate management configuration for the secondary IP address. You cannot configure a gateway for a secondary IP address. You cannot configure a secondary IP address in transparent mode. For example, if you configure the secondary IP in NAT or route mode and then attempt to change the mode to transparent mode, the action fails. Whenever you create a new secondary IP address, the NetScreen device automatically creates a corresponding routing table entry. When you delete a secondary IP address, the device automatically deletes its routing table entry. Enabling or disabling routing between two secondary IP addresses causes no changes in the routing table. For example, if you disable routing between two such addresses, the NetScreen device drops any packets directed from one interface to the other, but no changes occur in the routing table.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

6HFRQGDU\ ,3 $GGUHVVHV

([DPSOH &UHDWLQJ D 6HFRQGDU\ ,3 $GGUHVV


In this example, you set up a secondary IP address192.168.1.2for an interface in the Trust zone.

:HE8,
Interfaces >> Physical >> 2IP (for ethernet1) >> New Entry: Enter the following, and then click OK: IP Address: 192.168.1.2 Netmask 255.255.255.0

&/,
1. 2. set interface ethernet1 ip 192.168.1.2/24 secondary save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

0DQDJHPHQW 6HUYLFHV 2SWLRQV

0$1$*(0(17 6(59,&(6 237,216


You can configure an interface to allow various methods of administration. For example, you might have local management access the device through one interface and remote management through another interface. You might use one interface exclusively for administration, separating management traffic completely from network user traffic. You can select as many or as few of the following management services options as you want. WebUI: Selecting this option allows the interface to receive HTTP traffic to manage the NetScreen device via the Web user interface (WebUI). Telnet: A terminal emulation program for TCP/IP networks such as the Internet. Telnet is a common way to remotely control network devices. Selecting this option enables Telnet manageability. SNMP: The NetScreen device supports the Simple Network Management Protocol version 1.5 (SNMPv1), described in RFC-1157, and all relevant Management Information Base II (MIB II) groups, as defined in RFC-1213. Selecting this option enables SNMP manageability. SCS: You can administer the NetScreen device from an Ethernet connection or a dial-in modem using Secure Command Shell (SCS), which is SSH-compatible. You must have a SSH client that is compatible with version 1.5 of the SSH protocol. These clients are available for most operating systems, including Windows 95 and later, Linux, and UNIX. The NetScreen device communicates with the SSH client through its built-in SCS server, which provides device configuration and management services. Selecting this option enables SCS manageability. SSL: Selecting this option allows the interface to receive HTTPS traffic for secure management of the NetScreen device via the WebUI.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

,QWHUIDFH 6HUYLFHV 2SWLRQV

,17(5)$&( 6(59,&(6 237,216


These services affect how your NetScreen device behaves. You may select as many options as required to meet the needs of your network. Ping: A utility that enables you to determine whether a specific IP address is accessible. Selecting this option allows people to ping the IP address of the interface through any security zone interface. Ident-reset: Services like Mail and FTP send identification requests. If they receive no acknowledgement, they send the request again. While the request is processing, there is no user access. By enabling the Ident-reset option, the NetScreen device sends a TCP reset announcement in response to an IDENT request to port 113 and restores access that has been blocked by an unacknowledged identification request.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

)LUHZDOO 2SWLRQV

),5(:$// 237,216
NetScreen firewalls secure a network by inspecting, and then allowing or denying, all connection attempts that require to pass from one security zone to another.
10 By default, a NetScreen firewall denies all traffic in all directions. Through the creation of access policies, you can then control the traffic flow from zone to zone by defining the kinds of traffic permitted to pass from specified sources to specified destinations at scheduled times. At the broadest level, you can allow all kinds of traffic from any source in one zone to any destination in all other zones without any scheduling restrictions. At the narrowest level, you can create an access policy that allows only one kind of traffic between a specified host in one zone and another specified host in another zone during a scheduled period of time. In the first case, the firewall allows all hosts in the source zone to connect to all hosts in all other zones. In the second case, you completely separate all hosts in different zones except for a single hole connecting a point in the source zone to another point in the destination zone using a specific service during a particular window of time.

Broadly defined Internet Access: Any service from any point in the trust zone to any point in the untrust zone at any time

Narrowly defined Internet Access: SMTP service from a mail server in the trust zone to a mail server in the untrust zone from 5:00 AM to 7:00 PM

Untrust Zone

Untrust Zone

Trust Zone

Trust Zone

10. Some NetScreen devices ship with a default access policy that denies all inbound traffic but allows all outbound traffic.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

)LUHZDOO 2SWLRQV

Note: For more information on the creation and application of access policies, see Chapter 9, Access Policies on page 249. To secure all connection attempts, NetScreen devices use a dynamic packet filtering method known as stateful inspection. Using this method, the NetScreen device notes various components in a TCP packet header source and destination IP addresses, source and destination port numbers, and packet sequence numbersand maintains the state of each TCP session traversing the firewall. (The NetScreen device also modifies session states based on changing elements such as dynamic port changes or session termination.) When a responding TCP packet arrives, the NetScreen device compares the information reported in its header with the state of its associated session stored in the inspection table. If they match, the responding packet is allowed to pass the firewall. If the two do not match, the packet is dropped. NetScreen firewall options secure a zone by inspecting, and then allowing or denying, all connection attempts that require crossing an interface. To protect against attacks from other zones, you can enable defense mechanisms that detect and deflect the following common network attacks. The following options are available for physical interfaces only: SYN Attack, ICMP Flood, UDP Flood, and Port Scan Attack. SYN Attack: A SYN flood attack occurs when a network becomes so overwhelmed by SYN packets initiating uncompletable connection requests that it can no longer process legitimate connection requests, resulting in a denial of service (DoS). UDP Flood: Similar to the ICMP flood, UDP flooding occurs when UDP packets are sent with the purpose of slowing down the system to the point that it can no longer handle valid connections. After enabling the UDP flood protection feature, you can set a threshold that once exceeded invokes the UDP flood attack protection feature. (The default threshold value is 1000 packets per second.) If the threshold is exceeded, the NetScreen device ignores further UDP packets for the remainder of that second. Port Scan Attack: Port scan attacks occur when packets are sent with different port numbers with the purpose of scanning the available services in hopes that one port will respond. The NetScreen device internally logs the number of different ports scanned from one remote source. If a remote host scans 10 ports in 0.3 seconds, NetScreen flags this as a port scan attack, and rejects further packets from the remote source.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

)LUHZDOO 2SWLRQV

Ping of Death: The TCP/IP specification requires a specific packet size for datagram transmission. Many ping implementations allow the user to specify a larger packet size if desired. A grossly oversized ICMP packet can trigger a range of adverse system reactions such as denial of service (DoS), crashing, freezing, and rebooting. If you enable the NetScreen device to do so, it can detect and reject such oversized and irregular packet sizes. IP Spoofing: Spoofing attacks occur when an attacker attempts to bypass the firewall security by imitating a valid client IP address. When IP Spoofing defense is enabled, the NetScreen device guards against this attack by analyzing the IP addresses with its own route table. If the IP address is not in the route table, traffic from that source is not allowed to communicate through the NetScreen device and any packets from that source are dropped. Land Attack: Combining a SYN attack with IP spoofing, a Land attack occurs when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address. The receiving system responds by sending the SYN-ACK packet to itself, creating an empty connection that lasts until the idle timeout value is reached. Flooding a system with such empty connections can overwhelm the system, causing a DoS. By combining elements of the SYN flood defense and IP Spoofing protection, the NetScreen device blocks any attempts of this nature. Tear Drop Attack: Tear Drop attacks exploit the reassembly of fragmented IP packets. In the IP header, one of the options is offset. When the sum of the offset and size of one fragmented packet differ from that of the next fragmented packet, the packets overlap, and the server attempting to reassemble the packet can crash. If the NetScreen sees this discrepancy in a fragmented packet, it drops it. Filter IP Source Route Option: IP header information has an option to contain routing information that may specify a different source than the header source. Enable this option to block all IP traffic that employs the Source Route Option. Source Route Option can allow an attacker to enter a network with a false IP address and have data sent back to his real address. Address Sweep Attack: Similar to a port scan attack, an address sweep attack occurs when an attacker sends ICMP echo requests (or pings) to different destination addresses hoping that one will reply, thus uncovering an address to target. The NetScreen device internally logs the number of different addresses being pinged from one remote source. If a remote host pings 10 addresses in 0.3 seconds, NetScreen flags this as an address sweep attack, and rejects further ICMP echo requests from that host.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

)LUHZDOO 2SWLRQV

Block Java/ActiveX/ZIP/EXE Component: Malicious Java or ActiveX components can be hidden in Web 11 pages. When downloaded, these applets install a Trojan horse on your computer. Similarly, Trojan horses can be hidden in compressed files such as .zip, .gzip, and .tar, and executable (.exe) files. Enabling this feature blocks all embedded Java and ActiveX applets from Web pages and blocks all downloads of .zip, .gzip, .tar and .exe files. WinNuke Attack: WinNuke is a pervasive application, whose sole intent is to cause any computer on the Internet running Windows to crash. WinNuke sends out-of-band (OOB) datausually to NetBIOS port 139to a host with an established connection, and introduces a NetBIOS fragment overlap, which causes many machines to crash. After rebooting, the following message appears, indicating that an attack has occurred: An exception OE has occurred at 0028:[address] in VxD MSTCP(01) + 000041AE. This was called from 0028:[address] in VxD NDIS(01) + 00008660. It may be possible to continue normally. Press any key to attempt to continue. Press CTRL+ALT+DEL to restart your computer. You will lose any unsaved information in all applications. Press any key to continue. If you enable the WinNuke attack defense mechanism, the NetScreen device scans any incoming Microsoft NetBIOS Session Service (port139) packets. If the NetScreen device observes that TCP URG code bit is set on one of those packets, it inspects the offset, removes the fragmented overlap, and corrects the offset as necessary to prevent an OOB error. The modified packet is then passed, and a WinNuke attack log entry is created in the Event Alarm log.

Malicious URL Protection: When you enable Malicious URL Detection, the NetScreen device monitors each HTTP packet and detects any URL that matches any of several user-defined patterns. The device automatically drops any such packet. Bad IP Option: Triggered when the list of IP options in the IP datagram header is incomplete or malformed.

11. A Trojan horse is a program that when surreptitiously installed on a computer provides direct control of the computer to an outside party.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

)LUHZDOO 2SWLRQV

Record Route Option: The NetScreen device blocks packets where the IP option is 7 (Record Route). This option is used to record the route of a packet. A recorded route is composed of a series of internet addresses, which an outsider can analyze to learn details about your networks addressing scheme and topology. IP Timestamp Option: The NetScreen device blocks packets where the IP option list includes option 4 (Internet Timestamp). Loose Source Route Option: The NetScreen device blocks packets where the IP option is 3 (Loose Source Routing). This option provides a means for the source of a packet to supply routing information to be used by the gateways in forwarding the packet to the destination. This option is a loose source route because the gateway or host IP is allowed to use any route of any number of other intermediate gateways to reach the next address in the route. IP Security Option: This option provides a way for hosts to send security, compartmentation, TCC (closed user group) parameters, and Handling Restriction Codes compatible with DOD requirements. IP Stream Option: The NetScreen device blocks packets where the IP option is 8 (Stream ID). This option provides a way for the 16-bit SATNET stream identifier to be carried through networks that do not support the stream concept. IP Strict Source Route Option: The NetScreen device blocks packets where the IP option is 9 (Strict Source Routing). This option provides a means for the source of a packet to supply routing information to be used by the gateways in forwarding the packet to the destination. This option is a strict source route because the gateway or host IP must send the datagram directly to the next address in the source route, and only through the directly connected network indicated in the next address to reach the next gateway or host specified in the route. Unknown Protocol: The NetScreen device drops packets where the protocol field is set to 101 or greater. These protocol types are reserved and undefined at this time. ICMP Flood: An ICMP flood occurs when ICMP pings overload a system with so many echo requests that the system expends all its resources responding until it can no longer process valid network traffic. When enabling the ICMP flood protection feature, you can set a threshold that once exceeded invokes the ICMP flood attack protection feature. (The default threshold value is 1000 packets per second.) If the threshold is exceeded, the NetScreen device ignores further ICMP echo requests for the remainder of that second. There are different types of ICMP messages, each with their own purpose.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

)LUHZDOO 2SWLRQV

ICMP Echo Reply: (Code 0, Echo Reply) A response to a ping. Many firewalls allow ping responses so that internal people can gain access to external resources. Therefore, they are an effective flooding technique. ICMP Host Unreachable: (Code 3, Destination Unreachable) An error message from a host or router indicating that a packet you sent did not reach its destination. ICMP Source Quench: (Code 4, Source Quench) A response indicating congestion on the Internet. Somebody may be trying to flood your network with these packets in an attempt to convince your machines to slow down data transmission. ICMP Redirect: (Code 5, Redirect) A message advising to redirect traffic, for example, for network X directly to gateway G2 as this is a shorter path to the destination. Somebody may be trying to redirect your default router. This could be from a hacker trying to execute a man-in-the-middle attack against you by causing you to route through their own machine. ICMP Echo Request: (Code 8, Echo Request) These are ping request packets. They are commonly used. They may indicate hostile intent of someone trying to scan your computer, but they may be part of the normal network functionality. ICMP Time Exceeded for a Datagram: (Code 11, Time Exceeded in Transit) A message indicating that a packet never reached its target because something timed out. ICMP Parameter Problem on Datagram: (Code 12, Parameter Problem on datagram) A message advising that something unusual is going on, and probably indicates an attack. ICMP Timestamp Request: (Code 13, Timestamp Request) ICMP Timestamp Reply: (Code 14, Timestamp Reply) ICMP Information Request and Information Reply: (Code 15& 16) A host may use this method to find out the number of the network it is on. ICMP Information Reply: (Code 16, Information Request Reply) ICMP Address Mask Request: (Code 17, Address Mask Request) ICMP Fragment: When the protocol field indicates ICMP packets, and the fragment flag is set to 1 or an offset is indicated. Large ICMP Packet: An ICMP packet with a length greater than 1024.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

)LUHZDOO 2SWLRQV

TCP Packet Without Flag: TCP packet that does not have any bits set in the flags. FIN Bit With No ACK Bit: TCP packet with a FIN set but no ACK set in the flags field.

([DPSOH 6<1 )ORRG $WWDFN


A TCP connection is established with a triple exchange of packets known as a three-way handshake: A sends a SYN packet to B; B responds with a SYN/ACK packet; and A responds with an ACK packet. A SYN Flood attack inundates a site with SYN packets containing forged (spoofed) IP source addresses with nonexistent or unreachable addresses. The firewall responds with SYN/ACK packets to these addresses and then waits for responding ACK packets. Because the SYN/ACK packets are sent to nonexistent or unreachable IP addresses, they never elicit responses and eventually time out.

Actual IP Address 201.10.24.6

Workstation at IP Address 201.10.24.6 sends a SYN packet with the spoofed source address of 245.20.26.80.

Non-existent or Unreachable IP Address 245.20.26.80 The NetScreen device responds by sending SYN/ACK packets to the spoofed source IP address, and waits for a response until the effort times out.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

)LUHZDOO 2SWLRQV

By flooding a server or host with uncompletable connections, the attacker eventually fills the hosts memory buffer. Once this buffer is full, no further connections can be made and the hosts operating system might be damaged. Either way, the attack disables the host and its normal operations. A SYN Flood attack is classified as a denial-of-service (DoS) attack.

6<1 )ORRG $WWDFN 3URWHFWLRQ


NetScreen devices can impose a limit on the number of SYN packets per second permitted to pass through the firewall. When that threshold is reached, the NetScreen device starts proxying incoming SYN packets, sending out 12 SYN/ACK responses for the host and storing the incomplete connections in a connection queue. The incomplete connections remain in the queue until the connection is completed or the request times out. In the following illustration, the SYN threshold has been passed and the NetScreen device has begun proxying SYN packets.

Proxied Connection Queue Filling up

Traffic continues flowing to LAN.

12. Because the NetScreen-1000 proxies all incoming SYN packets, setting a threshold is unnecessary.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

)LUHZDOO 2SWLRQV

In the next illustration, the proxied connection queue has completely filled up, and new incoming SYN packets are being rejected.
Proxied Connection Queue Full

New SYN packets are rejected.

No new traffic can reach LAN.

This action attempts to shield hosts on the protected network from the bombardment of incomplete three-way handshakes. Note: The procedure of proxying incomplete SYN connections above a set threshold pertains only to traffic permitted by existing access policies. Any traffic for which an access policy does not exist is automatically dropped.

:HE8, (QDEOLQJ 6<1 )ORRG $WWDFN 3URWHFWLRQ


1. Interfaces >> Physical >> Screen (for the desired interface): Enter the following settings, and then click Apply: Detect SYN Attack: Select SYN Attack Threshold: 20,000/Sec . Note: Through the WebUI, you can set the attack threshold at which the NetScreen device begins proxying sessions. Through the CLI, you can also set the queue length, timeout value, and alarm threshold.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

)LUHZDOO 2SWLRQV

&/, (QDEOLQJ 6<1 )ORRG $WWDFN 3URWHFWLRQ DQG 'HILQLQJ 3DUDPHWHUV


1. Enable SYN Flood attack protection. ns-> set interface <name> screen syn-flood You can set the following four parameters for proxying uncompleted SYN connections: 2. Attack Threshold: The number of SYN packets per second required to activate the SYN proxying mechanism. Although you can set the threshold at any number, you need to know the normal traffic patterns at your site to set an appropriate threshold for it. For example, if it is an e-business site that normally gets 20,000 SYN packets per second, you might want to set the threshold at 30,000/second. If a smaller site normally gets 20 SYN packets/second, you might consider setting the threshold at 40. ns-> set interface <name> screen syn-flood attack-threshold <number> 3. Queue size: The number of proxied connection requests held in the proxied connection queue before the system starts rejecting new connection requests. The longer the queue size, the longer the NetScreen device needs to scan the queue to match a valid ACK response to a proxied connection request. This can slightly slow the initial connection establishment; however, because the time to begin data transfer is normally far greater than any minor delays in initial connection setup, users would not see a noticeable difference. ns-> set interface <name> screen syn-flood queue-size <number> 4. Timeout: The maximum length of time before a half-completed connection is dropped from the queue. The default is 20 seconds, and you can set the timeout from 050 seconds. You might try decreasing the timeout value to a shorter length until you begin to see any dropped connections during normal traffic conditions. Twenty (20) seconds is a very conservative timeout for a threeway-handshake ACK response. ns-> set interface <name> screen syn-flood timeout <number>

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

)LUHZDOO 2SWLRQV

5.

Alarm Threshold: The number of proxied, half-complete connections per second at which an alarm is entered in the Event Alarm log. The value you set for an alarm threshold triggers an alarm when the number of proxied, half-completed connections per second exceeds that value. For example, if the SYN threshold is set at 2000 SYN packets per second and the alarm at 1000, then a total of 3001 SYN packets per second are required to trigger an alarm entry in the log. More precisely: 1. The firewall passes the first 2000 SYN packets per second that meet access policy requirements. 2. The firewall proxies the next 1000 SYN packets in the same second. 3. The 1001st proxied connection (or 3001st connection request in that second) triggers the alarm. If an attack persists, the Event Alarm log enters an alarm for each second of the attack until the attack stops and the queue empties. ns-> set interface <name> screen syn-flood alarm-threshold <number>

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

&RQILJXULQJ DQ LQWHUIDFH

&21),*85,1* $1 ,17(5)$&(
This section describes how to create, configure, modify, and delete physical interfaces and subinterfaces.

&UHDWLQJ DQ ,QWHUIDFH
:HE8,
1. 2. Interfaces >> Physical: To configure a physical interface, click Edit. To create a new subinterface, click New Sub-i/f. Enter the required information, and then click Save.

&/,
Use the set interface command.

0RGLI\LQJ DQ ,QWHUIDFH
:HE8,
Interfaces >> Physical >> Edit (for the interface that you want to modify): Make your modifications, and then click Save.

&/,
Use the set interface command.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

&RQILJXULQJ DQ LQWHUIDFH

'HOHWLQJ DQ ,QWHUIDFH
Before you can delete an interface that hosts MIPs, VIPs, or DIP pools, you must first remove any policies using them. Then you must delete the MIPs, VIPs, and DIP pools.

:HE8,
1. Interfaces >> Physical >> Remove (for the interface that you want to delete). A system message prompts you to confirm the removal. 2. Click Yes to delete the interface.

&/,
Use the unset interface command.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,QWHUIDFHV

&RQILJXULQJ DQ LQWHUIDFH

1HW6FUHHQ &RQFHSWV

([DPSOHV



8uhr#

6\VWHP 3DUDPHWHUV
Domain Name System Support on page 82 DNS Lookup on page 83 The DNS Status Table on page 84 DHCP on page 86 DHCP Server on page 87 DHCP Relay Agent on page 93 DHCP Client on page 98 URL Filtering Configuration on page 104 Downloading/Uploading Settings and Software on page 106 Saving and Importing Settings on page 106 Uploading and Downloading Software on page 108 Software Keys on page 109 User Authentication on page 111 Internal Database on page 111 RADIUS on page 113 SecurID on page 115 LDAP on page 118 User Authentication Timeout on page 120 System Clock on page 122

This chapter focusses on the concepts involved in establishing system parameters affecting the following areas of a NetScreen security appliance:

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

'RPDLQ 1DPH 6\VWHP 6XSSRUW

'20$,1 1$0( 6<67(0 6833257


The NetScreen device incorporates Domain Name System (DNS) support allowing you to use domain names as well as IP addresses for identifying locations. A DNS server keeps a table of the IP addresses associated with domain names. Using DNS makes it possible to reference locations by domain name (such as www.netscreen.com) in addition to using the routable IP address, which for www.netscreen.com is 209.125.148.135. DNS translation is supported in all the following programs: Address Book Syslog E-mail WebTrends Websense LDAP SecurID RADIUS NetScreen Global-Manager

Before you can use DNS for domain name/address resolution, you must enter the addresses for DNS servers (the primary and secondary DNS servers) in the NetScreen device. Note: When enabling the NetScreen device as a Dynamic Host Configuration Protocol (DHCP) server (see DHCP on page 86), you must also enter the IP addresses for DNS servers in the DHCP page on the WebUI or through the set interface <interf_name> dhcp command in the CLI.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

'RPDLQ 1DPH 6\VWHP 6XSSRUW

'16 /RRNXS
When the NetScreen device connects to the DNS server to resolve a domain name/IP address mapping, it stores that entry in its DNS status table. Some details involved in a DNS lookup follow: In the WebUI, the DNS lookup is performed as soon as you press Apply or OK on a page that supports DNS. In the CLI, the DNS lookup occurs when you enter a command that supports DNS. When a DNS lookup returns multiple entries, the address book accepts all entries. The other programs listed above accept only the first one. The NetScreen device reinstalls all access policies if it finds that anything in the domain name table has changed when you refresh a lookup using the Refresh button in the WebUI or enter the exec dns refresh CLI command. If a DNS server fails, the NetScreen device looks up everything again. If a lookup fails, the NetScreen device removes it from the cache table. If the domain name lookup fails when adding addresses to the address book, the NetScreen device displays an error message and prompts you to choose to continue adding the entry to the address book or not.

The NetScreen device must do a new lookup once a day, which you can schedule the NetScreen device to do at a specified time:

:HE8,
Configure >> DNS: Enter the following, and then click Apply: DNS refresh every day at: Select check box and enter time <hh:mm>

&/,
1. 2. set dns host schedule <hh:mm> save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

'RPDLQ 1DPH 6\VWHP 6XSSRUW

7KH '16 6WDWXV 7DEOH


The DNS status table reports all the domain names looked up, their corresponding IP addresses, whether the lookup was successful, and when the domain name/IP address was last resolved. The report format looks like the example below:
Domain Name www.yahoo.com Corresponding IPs 204.71.200.74 204.71.200.75 204.71.200.67 204.71.200.68 209.185.151.28 209.185.151.210 216.32.228.18 Status Success Last Resolved 8/13/2000 16:45:33

www.hotbot.com

Success

8/13/2000 16:45:38

([DPSOH 'HILQLQJ '16 6HUYHU $GGUHVVHV DQG 6FKHGXOLQJ /RRNXSV


To implement DNS functionality, the IP addresses for the DNS servers at 24.1.64.38 and 24.0.0.3 are entered in the NetScreen device, protecting a single host in a home office. The NetScreen device is scheduled to refresh the DNS settings stored in its DNS status table everyday at 11:00 P.M.

Trust Zone

Untrust Zone

Secondary DNS Server 24.1.64.38 Primary DNS Server 24.0.0.3

Internet

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

'RPDLQ 1DPH 6\VWHP 6XSSRUW

:HE8,
Configure >> DNS: Enter the following, and then click Apply: Primary DNS Server: 24.0.0.3 Secondary DNS Server: 24.1.64.38 DNS refresh every day at: 23:00

&/,
1. 2. 3. 4. set dns host dns1 24.0.0.3 set dns host dns2 24.1.64.38 set dns host schedule 23:00 save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

'+&3

'+&3
Dynamic Host Configuration Protocol (DHCP) was designed to reduce the demands on network administrators by automatically assigning the TCP/IP settings for the hosts on a network. Instead of requiring administrators to assign, configure, track, and change (when necessary) all the TCP/IP settings for every machine on a network, DHCP does it all automatically. Furthermore, DHCP ensures that duplicate addresses are not used, reassigns unused addresses, and automatically assigns IP addresses appropriate for the subnet on which a host is connected. Some NetScreen devices can act as a DHCP client, receiving a dynamically assigned IP address for the Untrust zone interface from an ISP. Some NetScreen devices can also act as a DHCP server, allocating dynamic IP addresses to hosts, acting as DHCP clients, on the network in the Trust zone. Some NetScreen devices can also act as a DHCP relay agent, receiving DHCP information from a DHCP server and relaying that information to hosts in the Trust zone. Note: While using DHCP to assign addresses to hosts such as workstations and printers in the Trust zone, you can still use fixed IP addresses for other machines such as mail servers and WINS servers. DHCP consists of two components: a protocol for delivering host-specific TCP/IP configuration settings and a mechanism for allocating IP addresses. When the NetScreen device acts as a DHCP server, it provides the following TCP/IP settings to each host when that host boots up: Default gateway IP address of the routerif there is onethat connects a subnet to the Trust zone interface. The IP addresses of the following servers: WINS servers (2):1 A Windows Internet Naming Service (WINS) server maps a NetBIOS name used in a Windows NT network environment to an IP address used on an IP-based network. NetInfo servers (2): NetInfo is an Apple network service used for the distribution of administrative data within a LAN. NetInfo tag (1): The identifying tag used by the Apple NetInfo database. DNS servers (3): A Domain Name System (DNS) server maps a uniform resource locator (URL) to an IP address.

1.

The number in parentheses indicates the number of servers supported.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

'+&3

SMTP server (1): A Simple Mail Transfer Protocol (SMTP) server delivers SMTP messages to a mail server, such as a POP3 server, which stores the incoming mail. POP3 server (1): A Post Office Protocol version 3 (POP3) server stores incoming mail. A POP3 server must work conjointly with an SMTP server. News server (1): A news server receives and stores postings for news groups. Note: If a DHCP client to which the NetScreen device is passing the above parameters has a specified IP address, that address overrides all the dynamic information received from the DHCP server.

'+&3 6HUYHU
When acting as a DHCP server, a NetScreen device allocates IP addresses and subnet masks in two modes: In Dynamic mode, the NetScreen device, acting as a DHCP server, assigns (or leases) an IP address from an address pool2 to a host, acting as a DHCP client. The IP address is leased for a determined period of time or until the client relinquishes the address. (To define an unlimited lease period, enter 0.) In Reserved mode, the NetScreen device assigns a designated IP address from an address pool exclusively to a specific client every time that client goes online. Note: The NetScreen device saves every IP address assigned through DHCP in flash memory. Consequently, rebooting the NetScreen device does not affect address assignments. When the master unit in a redundant group functions as a DHCP server, all DHCP configurations and IP address assignments are maintained by all members in the group. In the event of a failover, the new master unit maintains all the DHCP assignments. However, if HA communication becomes temporarily disabled, you can again synchronize the DHCP assignments among the group members by using the following CLI command: exec dhcp server syncsync.

2.

An address pool is a defined range of IP addresses within the same subnet from which the NetScreen device can draw DHCP address assignments. You can group up to 255 IP addresses in up to 64 address pools.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

'+&3

([DPSOH 1HW6FUHHQ 'HYLFH DV '+&3 6HUYHU


Using DHCP, the 172.16.10.0/24 network in the Trust zone is sectioned into three IP address pools. All IP addresses are assigned dynamically, except for two workstations with reserved IP addresses, and four servers that have static IP addresses. The interface ethernet1 is bound to the Trust zone, has IP address 172.16.10.1/24, and is in NAT mode. The domain name is dynamic.com.
DNS Servers Fixed IPs 172.16.10.240 172.16.10.241

Trust Zone

ethernet1 172.16.10.1/24

Address Pool
172-16.10.10 172.16.10.19

172.16.10.0/24 LAN

Address Pool
172-16.10.210 172.16.10.219

Address Pool
Reserved IP 172.16.10.11 MAC: 12:34:ab:cd:56:78 Reserved IP 172.16.10.112 MAC: ab:cd:12:34:ef:gh 172-16.10.120 172.16.10.129 SMTP and POP3 Servers Fixed IPs 172.16.10.25 and 172.16.10.10

:HE8,
1. Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: DNS#1 IP Address/Domain Name: 172.16.10.240 Netmask: 255.255.255.255 Comment: Primary DNS Server Zone: Trust
1HW6FUHHQ &RQFHSWV ([DPSOHV 

&KDSWHU  6\VWHP 3DUDPHWHUV

'+&3

2.

Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: DNS#2 IP Address/Domain Name: 172.16.10.241 Netmask: 255.255.255.255 Comment: Secondary DNS Server Zone: Trust

3.

Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: SMTP IP Address/Domain Name: 172.16.10.25 Netmask: 255.255.255.255 Comment: SMTP Server Zone: Trust

4.

Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: POP3 IP Address/Domain Name: 172.16.10.110 Netmask: 255.255.255.255 Comment: POP3 Server Zone: Trust

5.

Interfaces >> Physical >> DHCP (for ethernet1): Select DHCP Server, and then click Apply.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

'+&3

6.

Interfaces >> Physical >> DHCP (for ethernet1) >> Options: Enter the following, and then click OK: Lease: Unlimited (select) WINS#1: 0.0.0.0 WINS#2: 0.0.0.0 DNS#1: 172.16.10.240 DNS#2: 172.16.10.241 DNS#3: 0.0.0.0 SMTP: 172.16.10.25 POP3: 172.16.10.110 NEWS: 0.0.0.0 NetInfo Server #1: 0.0.0.0 NetInfo Server #2: 0.0.0.0 NetInfo Tag: (leave field empty) Domain Name: dynamic.com

7.

Interfaces >> Physical >> DHCP (for ethernet1) >> New Address: Enter the following, and then click OK: Dynamic: (select) IP Address Start: 172.16.10.10 IP Address End: 172.16.10.19

8.

Interfaces >> Physical >> DHCP (for ethernet1) >> New Address: Enter the following, and then click OK: Dynamic: (select) IP Address Start: 172.16.10.120 IP Address End: 172.16.10.129

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

'+&3

9.

Interfaces >> Physical >> DHCP (for ethernet1) >> New Address: Enter the following, and then click OK: Dynamic: (select) IP Address Start: 172.16.10.210 IP Address End: 172.16.10.219

10. Interfaces >> Physical >> DHCP (for ethernet1) >> New Address: Enter the following, and then click OK: Reserved: (select) IP Address: 172.16.10.21 Ethernet Address: 1234 abcd 5678 11. Interfaces >> Physical >> DHCP (for ethernet1) >> New Address: Enter the following, and then click OK: Reserved: (select) IP Address: 172.16.10.112 Ethernet Address: abcd 1234 efgh

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

'+&3

&/,
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. set address trust dns1 172.16.10.240 255.255.255.255 primary dns server set address trust dns2 172.16.10.241 255.255.255.255 secondary dns server set address trust snmp 172.16.10.25 255.255.255.255 snmp server set address trust pop3 172.16.10.110 255.255.255.255 pop3 server set interface ethernet1 dhcp server option domainname dynamic.com set interface ethernet1 dhcp server option lease 0 set interface ethernet1 dhcp server option netmask 255.255.255.0 set interface ethernet1 dhcp server option dns1 172.16.10.240 set interface ethernet1 dhcp server option dns2 172.16.10.241 set interface ethernet1 dhcp server option smtp 172.16.10.25 set interface ethernet1 dhcp server option pop3 172.16.10.110 set interface ethernet1 dhcp server ip 172.16.10.10 to 172.16.10.19 set interface ethernet1 dhcp server ip 172.16.10.120 to 172.16.10.129 set interface ethernet1 dhcp server ip 172.16.10.210 to 172.16.10.219 set interface ethernet1 dhcp server ip 172.16.10.11 mac 1234abcd5678 set interface ethernet1 dhcp server ip 172.16.10.112 mac abcd1234efgh set interface ethernet1 dhcp server service save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

'+&3

'+&3 5HOD\ $JHQW


When acting as a DHCP relay agent, the NetScreen device forwards DHCP requests and assignments between hosts in the Trust zone and a DHCP server in the Untrust zone. The DHCP messages between the NetScreen device and the DHCP server can be transmitted in the open or through a VPN tunnel. Note: When a NetScreen device acts as a DHCP relay agent, no status reports are generated because the remote DHCP server controls all the IP address allocations. The following simplified illustration presents the process involved in using a NetScreen device as a DHCP relay agent. Note that to ensure security, the DHCP messages pass through a VPN tunnel when traveling over the untrusted network.
Host 1 Request Request Trust Zone Relay Agent VPN Tunnel in DHCP Untrust Zone Server

Assignment

Assignment

Release

Release

Note: When the NetScreen device functions as a DHCP relay agent, its interfaces must be in either Route mode or Transparent mode.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

'+&3

([DPSOH 1HW6FUHHQ 'HYLFH DV '+&3 5HOD\ $JHQW


In this example, a NetScreen device receives its DHCP information from a DHCP server at 194.2.9.10 and relays it to hosts in the Trust zone. The hosts receive IP addresses from an IP pool defined on the DHCP server. The address range is 180.10.10.2180.10.10.254. The DHCP messages pass through a VPN tunnel between the local NetScreen device and the DHCP server, located behind a second NetScreen device. The interface ethernet1 is bound to the Trust zone, has the IP address 180.10.10.1/24, and is in Route mode. The interface ethernet3 is bound to the Untrust zone and has the IP address 201.10.10.1/24.

Trust Zone ethernet1 180.10.10.1/24 ethernet3 201.10.10.1/24

Untrust Zone

DHCP Server 194.2.9.10

Local NetScreen Device VPN Tunnel Router 201.10.10.2

Internet

Remote NetScreen Device

IP Pool 180.10.10.2 180.10.10.254

:HE8,
1. Interfaces >> Physical >> Edit (for ethernet1): Enter the following, and then click Save: IP Address: 180.10.10.1 Netmask: 255.255.255.0 Zone: Trust Interface Mode: Route

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

'+&3

2.

Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save and Reset: IP Address: 201.10.10.1 Netmask: 255.255.255.0 Zone: Untrust

3.

Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway IP Address: 201.10.10.23 Interface: ethernet3(untrust-vr)

4.

Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: DHCP Server IP Address/Domain Name: 194.2.9.10 Netmask: 255.255.255.255 Zone: Untrust

5.

VPNs >> Gateway(P1) >> New Remote Tunnel Gateway: Enter the following, and then click OK: Name: dhcp server Static IP Address: 194.2.9.1 Main (ID Protection): (select) Outgoing Interface: ethernet3 Phase 1 Proposal: rsa-g2-3des-sha

3. Setting a route to the external router designated as the default gateway is essential for both outbound VPN and network traffic. In this example, the NetScreen device sends encapsulated VPN traffic to this router as the first hop along its route to the remote NetScreen device. In the illustration for this example, the concept is presented by depicting the tunnel passing through the router.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

'+&3

6.

VPNs >> AutoKey (P2) >> New AutoKey IKE Entry: Enter the following, and then click OK: Name: to_dhcp Remote Gateway Tunnel: dhcp Phase 2 Proposal: g2-esp-3des-sha Bind to: None

7.

Interfaces >> Physical >> DHCP (for ethernet1): Enter the following, and then click Apply: DHCP Relay Agent: (select) Server: 194.2.9.10 Use Trust Interface as Source IP for VPN: (select)

8.

Policies >> Policy (From Zone Trust, To Zone Untrust) >> New Policy: Enter the following, and then click OK: Source Address: Any Destination Address: DHCP Server Service: DHCP-Relay Action: Tunnel VPN Tunnel: to_dhcp Create matching VPN policy: (select)

&/,
1. 2. 3. 4. 5. set interface ethernet1 zone trust set interface ethernet1 ip 180.10.10.1/24 set interface ethernet1 route set interface ethernet3 zone untrust set interface ethernet3 ip 201.10.10.1/24

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

'+&3

6. 7. 8. 9. 10. 11. 12. 13. 14.

set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3 gateway 201.10.10.2 set address untrust dhcp_server 194.2.9.10/32 set ike gateway dhcp server ip 194.2.9.1 main outgoing-interface ethernet3 proposal rsa-g2-3des-sha set vpn to_dhcp gateway dhcp server proposal g2-esp-3des-sha set interface ethernet1 dhcp relay server-name 194.2.9.10 set interface ethernet1 dhcp relay vpn set policy from trust to untrust any dhcp_server dhcp-relay tunnel vpn to_dhcp set policy from untrust to trust dhcp_server any dhcp-relay tunnel vpn to_dhcp save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

'+&3

'+&3 &OLHQW
When acting as a DHCP client, the NetScreen device receives the IP address for the interface bound to the untrust zone dynamically from a DHCP server.

([DPSOH 1HW6FUHHQ 'HYLFH DV '+&3 &OLHQW


The interface bound to the untrust zone has a dynamically assigned IP address. When the NetScreen device requests its IP address from its ISP, it receives its IP address, subnet mask, gateway IP address, and the length of its lease for the address. The IP address of the DHCP server is 222.33.44.55.
Trust Zone

1. IP address requested for ethernet3 (Untrust zone) 2. IP address assigned


ISP (DHCP Server)

Internet Untrust Zone

Note: Before setting up a site for DHCP service, you must have the following: Digital subscriber line (DSL) modem and line Account with ISP

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

'+&3

:HE8,
Interfaces >> Physical >> Edit (for ethernet3): Select Obtain IP using DHCP, and then click Save and Reset4 .

&/,
1. 2. 3. set interface ethernet3 dhcp set interface ethernet3 dhcp settings server 222.33.44.55 save

4.

You cannot specify the IP address of the DHCP server through the WebUI; however, you can do so through the CLI.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

333R(

3332(
Point-to-Point Protocol over Ethernet (PPPoE) is a protocol that allows the members of an Ethernet LAN to make individual PPP connections with their ISP by encapsulating the IP packet within the PPP payload, which is encapsulated inside the PPPoE payload. Some NetScreen devices support PPPoE, allowing them to operate compatibly on DSL, Ethernet Direct, and cable networks run by ISPs using PPPoE for their clients Internet access.

([DPSOH 6HWWLQJ 8S 333R(


The following example illustrates how to define the untrusted interface of a NetScreen device for PPPoE connections, and how to initiate PPPoE service. In this example, the NetScreen device receives a dynamically assigned IP address for its Untrust zone interface (ethernet3) from the ISP, and the NetScreen device also dynamically assigns IP addresses for the three hosts in its Trust zone. In this case, the NetScreen device acts both as a PPPoE client and a DHCP server. The Trust zone interface must be in either NAT mode or Route mode. In this example, it is in NAT mode.

NetScreen Device
Hub

DSL Modem

DSL Line

ISP DSLAM AC

Internet

Primary DNS Server Trust Zone Secondary DNS Server Untrust Zone

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

333R(

Before setting up the site in this example for PPPoE service, you must have the following: Digital subscriber line (DSL) modem and line Account with ISP User name and password (obtained from the ISP)

:HE8,
1. Interfaces >> Physical >> Edit (for ethernet1): Enter the following, and then click Save: IP Address: 172.16.30.10 Netmask: 255.255.255.0 Interface Mode: NAT 2. Interfaces >> Physical >> Edit (for ethernet3): Enter the following: Obtain IP using PPPoE (select) User Name: <name> Password: <password> 3. Interfaces >> Physical >> Edit (for ethernet3): To test your PPPoE connection, click Connect. Note: When you initiate a PPPoE connection, your ISP automatically provides the IP addresses for the untrusted interface and the IP addresses for the Domain Name Service (DNS) servers. If you use a static IP address for the untrusted interface, you must obtain the DNS servers IP addresses and then manually enter them on the NetScreen-5XP and on the trusted hosts. 4. Interfaces >> Physical >> DHCP (for ethernet1): Select DHCP Server, and then click Apply.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

333R(

5.

Interfaces >> Physical >> DHCP (for ethernet1) >> Options: Select the following, and then click OK: Lease: 1 hour Gateway: 0.0.0.0 Netmask: 0.0.0.0 DNS#1: 0.0.0.0 DNS#2: 0.0.0.0 Domain Name: (leave blank) Interfaces >> Physical >> DHCP (for ethernet1) >> New Address: Enter the following, and then click OK: Dynamic: (select) IP Address Start: 172.16.30.2 IP Address End: 172.16.30.5 Turn off the power to the DSL modem, the NetScreen device, and the three workstations. Turn on the DSL modem. Turn on the NetScreen device. The NetScreen device makes a PPPoE connection to the ISP and, through the ISP, gets the IP addresses for the DNS servers.

6.

7. 8. 9.

10. Turn on the workstations. The workstations automatically receive the IP addresses for the DNS servers. They get an IP address for themselves when they attempt a TCP/IP connection. Note: When you use DHCP to assign IP addresses to hosts on the trusted side, the NetScreen-5XP automatically forwards the IP addresses of the DNS servers that it receives from the ISP to the trusted hosts. If the IP addresses for the hosts are not dynamically assigned through DHCP, you must manually enter the IP addresses for the DNS servers on each host. Every TCP/IP connection that a host in the Trust zone makes to the Untrust zone automatically goes through the PPPoE encapsulation process.
1HW6FUHHQ &RQFHSWV ([DPSOHV 

&KDSWHU  6\VWHP 3DUDPHWHUV

333R(

&/,
1. 2. 3. 4. 5. 6. set interface ethernet1 zone trust set interface ethernet1 ip 172.16.30.10/24 set interface ethernet3 zone untrust set pppoe interface ethernet3 set pppoe username <name> password <password> To test your PPPoE connection: exec pppoe connect get pppoe 7. 8. 9. 10. 11. 12. 13. 14. set interface ethernet1 dhcp server service set interface ethernet1 dhcp server ip 172.16.30.2 to 172.16.30.5 set interface ethernet1 dhcp server option lease 60 save Turn off the power to the DSL modem, the NetScreen device, and the three workstations. Turn on the DSL modem. Turn on the NetScreen device. Turn on the workstations. The workstations automatically receive the IP addresses for the DNS servers. They get an IP address for themselves when they attempt a TCP/IP connection. Every TCP/IP connection that a host in the Trust zone makes to the Untrust zone automatically goes through the PPPoE encapsulation process.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

85/ )LOWHULQJ &RQILJXUDWLRQ

85/ ),/7(5,1* &21),*85$7,21


NetScreen supports URL filtering using the Websense Enterprise Engine (version 4.x and earlier), which enables you to block or permit access to different sites based on their URLs, domain names, and IP addresses. With the Websense API built directly into the NetScreen firewall, the NetScreen device creates a direct link to a Websense URL-blocking server, running on either Microsoft Windows NT 4.0 or Solaris 2.5 or 2.6. Microsoft Windows 2000 can also support Websense 4.2. Using Websense manager, the NetScreen administrator can do the following: Alter the URL-blocking database to block or allow access to any sites they choose Schedule different URL filtering profiles for different times of the day Download Websense Reporter logs of blocked or viewed URLs

Note: For additional information about Websense, visit www.websense.com. To specify URL filtering options:

:HE8,
Configure >> URL Filtering: Enter the following information, and then click Apply: Enable URL Filtering via Websense Server: (select) Websense Server Name: The IP address of the computer running the Websense server. Websense Server Port: The default port for Websense is 15868. If you have changed the default port on the Websense server you must also change it on the NetScreen device. Please see your Websense documentation for full details. Communication Timeout: The time interval, in seconds, that the NetScreen device waits for a response from the Websense filter. If Websense does not respond within the time interval, the NetScreen device either blocks the request or allows it, as you choose (see below).

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

85/ )LOWHULQJ &RQILJXUDWLRQ

Current Server Status: The NetScreen device reports the status of the Websense server. To update the status report, click the Server Status icon. If connectivity to the Websense server is lost, Block all HTTP requests/Permit all HTTP requests: If the NetScreen device loses contact with the Websense server, you can specify whether to block or permit all HTTP requests. Blocked URL Message Type: The source of the message the user receives when Websense blocks a site. If you select Websense, the Websense server sends the message. When you select NetScreen, the NetScreen device sends the message, which you entered in the NetScreen Blocked URL Message field. Note: If you select NetScreen, some of the functionality that Websense provides, such as redirection, are suppressed. NetScreen Blocked URL Message: This is the message the NetScreen device returns to the user after blocking a site. You can use the message sent from the Websense server, or create a message (up to 220 characters) to be sent from the NetScreen device.

&/,
1. 2. 3. 4. 5. set url config { enable | disable } set url message <string> set url msg-type {0 | 1} set url server { <domain_name> | <a.b.c.d> } <port_number> <timeout_value> set url fail-mode <fail-allow | fail-block> Note: See the NetScreen CLI Reference Guide for an explanation of the set url arguments, plus examples and related commands.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

'RZQORDGLQJ8SORDGLQJ 6HWWLQJV DQG 6RIWZDUH

'2:1/2$',1*83/2$',1* 6(77,1*6 $1' 62)7:$5(


You can upload and download configuration settings and software to and from a NetScreen device. The kinds of location that you upload from and download to depend on whether you use the WebUI or the CLI to perform the operation. Using the WebUI and Web browser support, you can upload and download configuration settings and upload ScreenOS software from any local directory. Through the CLI, you can upload and download settings and software from and to a TFTP server or PC card.

6DYLQJ DQG ,PSRUWLQJ 6HWWLQJV


It is good practice to backup your settings after every significant change you make. Through the WebUI, you can download the configuration to any local directory as a backup precaution. With some NetScreen devices, you can use the CLI to download the configuration to a TFTP server or PC card. Should you need the saved backup configuration, you can then simply upload it to the NetScreen device. The ability to download and upload a configuration also provides the means for mass distribution of configuration templates. To download a configuration:

:HE8,
1. 2. Admin >> Settings: Click Save Current Configuration, select Save this file to disk, and then click OK. Browse to the location where you want to keep the configuration file, and then click Save.

&/,
save config to { tftp <ip_addr> | slot } <filename> Note: On the NetScreen-1000, you must specify slot 1 or slot 2.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

'RZQORDGLQJ8SORDGLQJ 6HWWLQJV DQG 6RIWZDUH

To upload a configuration:

:HE8,
Admin >> Settings: Specify the file name and location, and then click Apply: In the Load New Configuration Script field, type the configuration file location. Or Click Browse and navigate to the file location, select the file, and then click Open.

&/,
save config from { tftp <ip_addr>| slot } <filename> to flash Note: On the NetScreen-1000, you must specify slot 1 or slot 2.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

'RZQORDGLQJ8SORDGLQJ 6HWWLQJV DQG 6RIWZDUH

8SORDGLQJ DQG 'RZQORDGLQJ 6RIWZDUH


When the NetScreen ScreenOS operating system is updated, a customer can purchase and upload it to their NetScreen device. With some NetScreen devices, you can use the WebUI to upload software from a local directory. Through the CLI, you can upload the software from a TFTP server or PC card, and you can download software to a TFTP server. Note: After the software is upgraded, the NetScreen device reboots. This process takes a few minutes.

:HE8,
Configure >> General: Specify the file name and location, and then click Apply: Software Update: Type the software file location in the entry field. Or Click Browse and navigate to the file location, select the file, and then click Open.

&/,
save software from { tftp <ip_addr> | slot } <filename> to flash Note: On some NetScreen devices, you must specify slot 1 or slot 2. Through the CLI, you can also download software to a TFTP server, using the save command: save software from flash to tftp <ip_addr> <filename>

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

6RIWZDUH .H\V

62)7:$5( .(<6
The software key feature allows you to expand the capabilities of your NetScreen device without having to upgrade to a different device or system image. You can purchase a key that unlocks specified features already loaded in the software, such as the following: VPN tunnels Zones User capacity Virtual systems Virtual routers High Availability

Each NetScreen device ships with a standard set of features enabled and might support the activation of optional features or the increased capacity of existing features. For information regarding which features are currently available for upgrading, refer to the latest marketing literature from NetScreen.

([DPSOH ([SDQGLQJ 8VHU &DSDFLW\


A small company using a single NetScreen device with a license for 10 users has grown to the point where it now needs an unrestricted user license. The NetScreen administrator expands the capabilities of the device by obtaining a software key for an unrestricted number of users. 1. 2. Contact the value-added reseller (VAR) who sold you the NetScreen device or contact NetScreen Technologies directly. Provide the digit serial number of your device and state the feature option you wantan unrestricted user license, in this example. A combination of the serial number, the feature keyword (vpn, capacity, ha, vsys), and the feature option keyword (<number> or unlimited tunnels, users, users) is used to generate the software key (for example, 7e58e876ca050192). The key is then sent to you via e-mail. 3. Enter the key through either the WebUI or CLI:

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

6RIWZDUH .H\V

:HE8,
Configure >> Software Key: Specify the path and file name, and then click Apply and Reset 5: License File Update: Type the software key file location. Or Click Browse and navigate to the software key file location, select the file, and then click Open.

&/,
1. 2. exec software-key { capacity | ha | vpn | vsys } <key_value> reset

5.

Through the CLI, you can schedule the NetScreen device to reset at a time that is convenient for maintaining uninterrupted network operation: set timer <mm|dd|yyyy> <hh:mm> action reset.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

8VHU $XWKHQWLFDWLRQ

86(5 $87+(17,&$7,21
You can configure the NetScreen device to use one of several authentication methods to verify that users are who they say they are. These different methods are discussed in this section.

,QWHUQDO 'DWDEDVH

A VPN dialup user requests a connection to the protected network.

The NetScreen device uses its internal database to authenticate the dialup VPN user before approving the connection request.

All NetScreen devices support a built-in user database for authentication. After creating an authentication user (see Users on page 209), the NetScreen device enters the user name and password in its internal database. You must then create an access policy that requires the user to authenticate himself or herself when initiating an HTTP, FTP, or Telnet connection request (see Authentication on page 254). When the user attempts to initiate traffic to which the access policy applies, the NetScreen device intercepts the request and prompts the user to enter his or her name and password. Before granting permission, the NetScreen device validates the user name and password by checking them against those stored in the database.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

8VHU $XWKHQWLFDWLRQ

([DPSOH 8VHU $XWKHQWLFDWLRQ YLD WKH ,QWHUQDO 'DWDEDVH


In the following example, you configure the NetScreen device to use its internal database.

:HE8,
Configure >> Authen: Select Built-in User Database, and then click Apply.

&/,
1. 2. set auth type 0 save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

8VHU $XWKHQWLFDWLRQ

5$',86

A VPN dialup user requests a connection to the protected network.

The NetScreen device uses an external RADIUS server to authenticate the dialup VPN user before approving the connection request.

The Remote Authentication Dial-In User Service (RADIUS) is a protocol for an authentication server which can be modified to run on different kinds of networks. One RADIUS server can support up to tens of thousands of users, making it a very practical service for rapidly growing networks. The RADIUS client (that is, the NetScreen device) authenticates users through a series of communications between the client and the server. Basically, RADIUS asks the person logging on to enter his or her user name and password. It then compares these values to those in its database, and once a user is authenticated, the client provides the user with access to the appropriate network services. To configure the NetScreen device for RADIUS, you must specify the IP address of the RADIUS server and define a shared secret. The shared secret is a password the RADIUS server uses to generate a key to encrypt traffic between the devices. To configure the NetScreen device for authentication via a RADIUS server, you need the following information: Server Name: The IP address of the RADIUS server. Shared Secret: The password shared between the NetScreen device and the RADIUS server. The devices use this password to encrypt the transactions they exchange.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

8VHU $XWKHQWLFDWLRQ

([DPSOH 8VHU $XWKHQWLFDWLRQ YLD 5$',86


In the following example, you configure the NetScreen device to use a RADIUS server, specify the RADIUS server at IP address 10.20.2.100, and a shared secret of A56htYY97kl.

:HE8,
Configure >> Authen: Enter the following, and then click Apply: RADIUS Server: (select). Server Name: 10.20.2.100 Shared Secret: A56htYY97kl

&/,
1. 2. 3. 4. set auth type 1 set auth server-name 10.20.2.100 set auth secret A56htYY97kl save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

8VHU $XWKHQWLFDWLRQ

6HFXU,'
The relationship of NetScreen device and a Security Dynamics Technologies SecurIDACE server is similar to that of a NetScreen device and a RADIUS server; that is, the NetScreen device acts as a client, forwarding authentication requests to the external server for approval. SecurID differs from RADIUS in that the user password involves a continually changing string of numbers.

A VPN dialup user requests a connection to the protected network.

The NetScreen device uses an external SecurID server to authenticate the dialup VPN user before approving the connection request.

SecurID issues a credit card sized device with an LCD window that displays a randomly generated string of numbers that changes every minute. There is no other information on the card besides the number in the LCD display.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

8VHU $XWKHQWLFDWLRQ

Security Dynamics issues a card and a personal ID number (PIN) to a registered user and maintains the user profile in their database. When the user is prompted to authenticate himself, he enters his name and password, which is his PIN followed by the string of numbers currently displayed on his card. The numbers displayed on the card change every minute. The values that display are generated by an algorithm known only by Security Dynamics. This value is saved to the Security Dynamics database entry for this PIN. When the user to be authenticated enters his PIN and the number on his card, Security Dynamics compares these values to those in the database. If they match, the user is authenticated. To configure the NetScreen device for authentication via a SecurID server, you need the following information: Master Server Name: The IP address of the primary SecurID server. Slave Server Name: The IP address of the secondary (backup) SecurID server, if one exists. Authentication Port: The port number on the SecurID server to which the NetScreen device sends authentication requests. The default port number is 5500. Encryption Type: The algorithm used for encrypting communication between the NetScreen device and the SecurID servereither SDI or DES. Client Retries: The number of times that the SecurID client (that is, the NetScreen device) tries to establish communication with the SecurID server before aborting the attempt. Client Timeout: The length of time in seconds that the NetScreen device waits between authentication retry attempts. Use Duress: An option that prevents or allows use of a different PIN number. When this option is enabled, and a user enters an incorrect PIN number, the NetScreen device sends a signal to the SecurID server, indicating that the user is performing the login against his or her will; that is, while under duress. The SecurID server permits access that one time, and then it denies any further login attempts by that user until he or she contacts the SecurID administrator. Duress mode is available only if the SecurID Server supports this option.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

8VHU $XWKHQWLFDWLRQ

([DPSOH $XWKHQWLFDWLRQ YLD 6HFXU,'


In the following example, you configure the NetScreen device to use a SecurID server at IP address 192.168.10.10, with a backup (slave) server at IP address 192.168.10.12. The authentication port is 5500. The NetScreen device and the SecurID server protect the authentication information using DES encryption. There are three allowable retries, and a timeout value of 10 seconds. The Use Duress setting is disabled.

:HE8,
Configure >> Authen: Enter the following, and then click Apply: SecurID Server: (select) Master Server Name: 192.168.10.10 Slave Server Name: 192.168.10.12 Authentication Port: 5500 Encryption Type: DES Client Retries: 3 Client Timeout: 10 User Duress: No

&/,
1. 2. 3. 4. 5. 6. 7. 8. 9. set auth type 2 set auth securid master 192.168.10.10 set auth securid slave 192.168.10.12 set auth securid auth-port 5500 set auth securid encr 1 set auth securid retries 3 set auth securid timeout 10 set auth securid duress 0 save
([DPSOHV 

1HW6FUHHQ &RQFHSWV

&KDSWHU  6\VWHP 3DUDPHWHUV

8VHU $XWKHQWLFDWLRQ

/'$3

A VPN dialup user requests a connection to the protected network.

The NetScreen device uses an external LDAP server to authenticate the dialup VPN user before approving the connection request.

Lightweight Directory Access Protocol (LDAP) is a directory server standard developed by Netscape to help authenticate users attempting to connect to networks controlled by directory servers. LDAP is a client-server protocol for accessing a directory service. You can use it as a front-end to X.500, as a stand-alone protocol, or as a directory server. LDAP does not require the upper layers of the OSI stack, it is a simpler protocol to implement (especially in clients), and LDAP is under IETF change control and so can more easily evolve to meet Internet requirements. The LDAP information model is based on the entry, which contains information about some object (for example, a person). Entries are composed of attributes, which have a type and one or move values. Each attribute has a syntax that determines what kind of values are allowed in the attribute and how those values behave during directory operations. You can configure the NetScreen device to link to a Lightweight Directory Access Protocol (LDAP) server. This server uses the LDAP hierarchical syntax to identify each user uniquely.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

8VHU $XWKHQWLFDWLRQ

To configure the NetScreen device for authentication via an LDAP server, you need the following information: LDAP Server Name/Port: The Lightweight Directory Access Protocol (LDAP) server IP address and port number. Common Name Identifier: The identifier used by the LDAP server to identify the Distinguished Name. For example, an entry of uid means user ID. Distinguished Name (dn): The path used by the LDAP server before using the Common Name Identifier to search for a specific entry. (For example, c=us, o=netscreen, where c stands for country, and o for organization.)

([DPSOH $XWKHQWLFDWLRQ YLD /'$3


In the following example, you configure the NetScreen device to use an LDAP server at IP address 172.16.20.10, using port number 389. The LDAP common name identifier is cn, and the Distinguished Name is o=netscreen.com;ou=marketing.com.

:HE8,
Configure >> Authen: Enter the following, and then click Apply: LDAP Server: (select) LDAP Server Name/Port: 172.16.20.10, 389 Common Name Identifier: cn Distinguished Name: o=netscreen.com;ou=marketing

&/,
1. 2. 3. set auth type 3 set auth ldap server-name 172.16.20.10 389 o=netscreen.com;ou=marketing cn save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

8VHU $XWKHQWLFDWLRQ

8VHU $XWKHQWLFDWLRQ 7LPHRXW


User authentication timeout6 is the interval of time that the NetScreen device permits an authenticated user to initiate a new connection without requiring him or her to log in again. The timeout interval begins after a successful login. The interval resets after a user who has already been authenticated creates a new session. When an authentication user initiates a connection (HTTP, FTP, or Telnet) to which an access policy requiring authentication applies, the NetScreen device intercepts the connection request and prompts the user to log in. After the user successfully logs in to the NetScreen device, the user can initiate other connections to the same destination during the interval defined as the timeout for user authentication, and the NetScreen device will not prompt the user to log in again. For example, you can configure the following parameters to allow an authentication user access to a Telnet server. The user can initiate a new Telnet session within a 30-minute interval after successfully logging in, and not be prompted to log in a second time: Set the timeout for user authentication at 30 minutes. (The default setting is 10 minutes.) Define an authentication user Create addresses to be used as the source and destination in an access policy (or use the generic address any, which applies to all addresses in a specified security zone) Configure an access policy with authentication enabled that permits Telnet traffic from the source address to the destination address

The authentication user attempts to connect to the Telnet server and successfully logs in to the NetScreen device (and then the user logs in to the Telnet server). After that, the user can initiate another Telnet connection to the same server within the next 30 minutes, and the NetScreen device will not prompt him or her to log in again. If the user initiates a new connection, the timeout is reset to 0 and the user has another 30 minutes to initiate another connection before being required to log in again. Note: User authentication timeout is not the same as session idle timeout. If no activity occurs in a session for a predefined length of time, the NetScreen device automatically removes the session from its session table.

6.

The CLI uses the term user authentication timeout. The WebUI uses the term New Connection Idle Timeout. Both terms refer to the same concept.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

8VHU $XWKHQWLFDWLRQ

([DPSOH &KDQJLQJ WKH $XWKHQWLFDWLRQ 7LPHRXW 6HWWLQJ


In the following example, you change the user authentication timeout interval to 60 minutes.

:HE8,
Configure >> Authen: Enter the following, and then click Apply: Enable New Connection Idle Timeout: (select) Enable New Connection Idle Timeout entry field: 60

&/,
1. 2. set auth timeout 5 save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  6\VWHP 3DUDPHWHUV

6\VWHP &ORFN

6<67(0 &/2&.
Each NetScreen device has a system clock you can set to your local time zone. You can use the WebUI or the CLI to configure the current clock settings. Your NetScreen device uses Network Time Protocol (NTP) to synchronize its system clock with that of an NTP server. Thus, the device can synchronize its system clock through the Internet at specified intervals. You set the time zone by specifying the number of hours, added to the local time, needed to equal GMT. For example, if your time zone is Pacific Standard Time, adding 8 hours equals GMT.

([DPSOH 6HWWLQJ WKH 6\VWHP &/RFN


In the following example you set the system clock to Pacific Standard Time, and configure the NetScreen device to update the clock at five-minute intervals from a server at IP address 172.168.10.10.

:HE8,
Admin >> Settings: Enter the following, and then click Apply: GMT Time Zone: (hours) 8, (minutes) 0 Server: 172.168.10.10 Update system clock every: 5

&/,
1. 2. 3. 4. set clock ntp set ntp timezone 8 0 set ntp server 172.168.10.10 set ntp interval 5

1HW6FUHHQ &RQFHSWV

([DPSOHV



8uhr$

$GPLQLVWUDWLRQ
Management Methods and Tools on page 124 Web User Interface on page 125 Command Line Interface on page 130 Levels of Administration on page 136 Adding Admin Users on page 138 Securing Administrative Traffic on page 139 Changing the Port Number on page 140 Changing the Admin Login Name and Password on page 141 Restricting Administrative Access on page 143 Resetting the Device to the Factory Default Settings on page 144 Manage IP on page 145 Management Zone Interfaces on page 148 Virtual Private Networks on page 150

This chapter describes various management methods and tools, ways to secure administrative traffic, and the administrative privilege levels that you can assign to admin users:

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

0DQDJHPHQW 0HWKRGV DQG 7RROV

0$1$*(0(17 0(7+2'6 $1' 722/6


The management methods and the tools with which to apply each method are presented in the following sections: Web User Interface on page 125 HTTP HTTPS using Secure Sockets Layer (SSL) Command Line Interface on page 130 Telnet SSH Secure Shell Serial console

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

0DQDJHPHQW 0HWKRGV DQG 7RROV

:HE 8VHU ,QWHUIDFH


For administrative ease and convenience, you can use the Web user interface (WebUI). NetScreen devices use Web technology that provides a Web-server interface to configure and manage the software. Web User Interface Information

Menu Column Central Display

To use the WebUI, you must have the following: Netscape Communicator (version 4.5 or later) or Microsoft Internet Explorer (version 5 or later) TCP/IP network connection to the NetScreen device

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

0DQDJHPHQW 0HWKRGV DQG 7RROV

:HE8, +HOS
You can view Help files for the WebUI at http://help.netscreen.com/help/english/<screenos_version> /ns<platform_number> (for example, http://help.netscreen.com/help/english/3.1.0/ns500). You also have the option of relocating the Help files. You might want to store them locally and point the WebUI to either the administrators workstation or to a secured server on the local network. In the case where you do not have Internet access, storing the Help files locally provides accessibility to them you otherwise would not have.

&RS\LQJ WKH +HOS )LOHV WR D /RFDO 'ULYH


The Help files ship on the documentation CD. You can modify the WebUI to point to the Help files on the CD in your local CD drive. You can also copy the files from the CD to a server on your local network or to another drive on your workstation and configure the WebUI to invoke the Help files from there. Note: If you want to run the Help files directly from the documentation CD, you can skip this step. 1. 2. Load the documentation CD in the CD drive of your workstation. Navigate to that drive and copy the directory named help. The help directory contains the following subdirectories: english/3.1.0/ns<number>. 3. Navigate to the location you want to store the help directory and paste it there.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

0DQDJHPHQW 0HWKRGV DQG 7RROV

3RLQWLQJ WKH :HE8, WR WKH 1HZ +HOS /RFDWLRQ


You must now redirect the WebUI to point to the new location of the Help directory. Change the default URL to the new file path, where <path> is the specific path to the Help directory from the administrators workstation <screenos_version> is the version of the ScreenOS loaded on the NetScreen device that you are managing <platform_number> is the platform number of the NetScreen device 1. Admin >> Web: In the Help Link Path field, replace the underlined section of the default URL http://help.netscreen.com/help/english/<screenos_version>/ns<platform_number> with (for local drive) file://<path>/ or (for local server) http://<server_name>/<path>/ Click Apply. When you click the help link in the upper right corner of the WebUI, the device now uses the new path that you specified in the Help Link Path field to locate the appropriate Help file.

2.

+773
With a standard Web browser you can access, monitor, and control your network security configurations remotely using the Hypertext Transfer Protocol (HTTP). You can secure HTTP traffic by either encapsulating it in a virtual private network (VPN) tunnel or through the Secure Sockets Layer (SSL) protocol. You can also secure it by completely separating management traffic from network user traffic. With some NetScreen device models, you can run all administrative traffic through the MGT interface, or devote an interface (such as the DMZ) entirely to administrative traffic. Note: For more information, see Virtual Private Networks on page 150, Secure Sockets Layer (below), and Manage IP on page 145.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

0DQDJHPHQW 0HWKRGV DQG 7RROV

6HFXUH 6RFNHWV /D\HU


Secure Sockets Layer (SSL) is a set of protocols that can provide a secure connection between a Web client and server communicating over a TCP/IP network. NetScreen ScreenOS provides: Web SSL support SSL version 3 compatibility Netscape Navigator 4.7x and Internet Explorer 5.x compatibility1 Public Key Infrastructure (PKI) key management integration (see Public Key Cryptography on page 291.)

SSL is not a single protocol, but consists of the SSL Handshake Protocol (SSLHP), which allows the server and client to authenticate each other and negotiate an encryption method, and the SSL Record Protocol (SSLRP), which provides basic security services to higher-level protocols such as HTTP. These two protocols operate at the following two layers in the Open Systems Interconnection (OSI) model: SSLHP at the application layer (layer 7) SSLRP at the presentation layer (layer 6)

Independent of application protocol, SSL uses TCP to provide secure service. SSL uses certificates to authenticate first the server or both the client and the server, and then encrypt the traffic sent during the session. Before using SSL, you must first create a public/private key pair and then load a certificate. Because SSL is integrated with PKI key/certificate management, you can select the SSL certificate from one of the certificates in the certificate list. You can also use the same certificate for an IPSec VPN. Note: For information on obtaining certificates, see Certificates and CRLs on page 297.

1.

Check your Web browser to see how strong the ciphers can be and which ones your browser supports. (Both the NetScreen device and your Web browser must support the same kind and size of ciphers you use for SSL.) In Internet Explorer 5x, click Help, About Internet Explorer, and read Cipher Strength. To obtain the advanced security package, click the Update Information link. In Netscape Navigator, click Help, About Communicator, and read the section about RSA. To change the SSL configuration settings, click Security Info, Navigator, Configure SSL v3.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

0DQDJHPHQW 0HWKRGV DQG 7RROV

NetScreen supports the following encryption algorithms for SSL: RC4 with 40-bit and 56-bit keys DES: Data Encryption Standard 3DES: Triple DES

NetScreen supports the same authentication algorithms for SSL as for VPNsMessage Digest version 5 (MD5) and Secure Hash Algorithm version 1 (SHA-1). The RC4 algorithms are always paired with MD5; DES and 3DES with SHA-1. The basic steps for setting up SSL are as follows: 1. Obtain a certificate2. For details on requesting and loading a certificate, see Certificates and CRLs on page 297. 2. Enable SSL management: Admin >> Web: Enter the following, and then click OK: Certificate: Select the certificate you intend to use from the drop-down list. Cipher: Select the cipher you intend to use from the drop-down list. 3. Configure the interface through which you manage the NetScreen device to permit SSL management: Interfaces >> Physical >> Edit (for the interface you want to manage): Enable the SSL management service check box, and then click Save. 4. Connect to the NetScreen device via the SSL port: When you type the IP address for managing the NetScreen device in your browsers URL field, change http to https, and follow the IP address with a colon and the HTTPS (SSL) port number (for example, https://123.45.67.89:1443).

2.

Be sure to specify a bit length that your Web browser also supports.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

0DQDJHPHQW 0HWKRGV DQG 7RROV

&RPPDQG /LQH ,QWHUIDFH


Advanced administrators can attain finer control by using the command line interface (CLI). To configure a NetScreen device with the CLI, you can use any software that emulates a VT100 terminal. With a terminal emulator, you can configure the NetScreen device using a console from any Windows, UNIX , or Macintosh operating system. For remote administration through the CLI, you can use Telnet or Secure Command Shell (SCS). With a direct connection through the console port, you can use Hyperterminal. Note: For a complete listing of the CLI commands for the NetScreen devices, refer to the NetScreen CLI Reference Guide.

7HOQHW
Telnet is a login and terminal emulation protocol that uses a client/server relationship to connect to and remotely configure network devices over a TCP/IP network. The administrator launches a Telnet client program on the administration workstation and creates a connection with the Telnet server program on the NetScreen device. After logging in, the administrator can issue CLI commands, which are sent to the Telnet program on the NetScreen device, effectively configuring the device as if operating through a direct connection. Using Telnet to manage NetScreen devices requires the following: Telnet software on the administrative workstation An Ethernet connection to the NetScreen device

You can secure Telnet traffic by encapsulating it in a virtual private network (VPN) tunnel or by completely separating it from network user traffic. Depending upon your NetScreen device model, you can run all administrative traffic through the MGT interface or devote an interface such as the DMZ entirely to administrative traffic. Note: For more information, see Virtual Private Networks on page 150, Secure Sockets Layer on page 128, and Manage IP on page 145.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

0DQDJHPHQW 0HWKRGV DQG 7RROV

6HFXUH 6KHOO
You can use secure shell (SSH) for secure CLI access over insecure channels. On UNIX platforms and on other hosts, SSH allows you to open a remote command shell securely, execute commands, and copy files to or from the remote device. Secure Command Shell (SCS) is a SSH-compatible agent in the NetScreen device that allows you to remotely manage your NetScreen device without establishing a VPN. The built-in SCS server on the NetScreen device allows the SSH client, installed on the administrators workstation, to open a secure connection to the NetScreen device console, which makes secure configuration and management possible.
SSH Client (Remote) SCS server Encrypted Administrative Traffic Internet

Administrators Workstation

ScreenOS

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

0DQDJHPHQW 0HWKRGV DQG 7RROV

You can connect to a NetScreen device with SSH in two ways. Through a user name and password authentication This is the method commonly used by network administrators, security administrators, and other users who need to access, configure, or manage the NetScreen device. (The SSH client sends the user name and password to the NetScreen device. In response to an attempt to open SSH, the NetScreen device presents a prompt requiring the user name and password.) Using SCS Public Key Authentication (PKA) This is the method commonly used by clients such as intrusion detection devices or organizations which use application programs or script routines to access the NetScreen device. SCS Public Key makes this possible by allowing the application or a script to initiate SSH without entering a password, using public/private key pairs for authentication. The process for initiating SCS PKA is as follows. 1. 2. 3. 4. The client host generates a public and private key pair. From the client host, the user manually logs into the NetScreen device as admin. Using the CLI, WebUI or TFTP, the admin user uploads the public key to the NetScreen device. Thereafter, the client can connect to the NetScreen device automatically.

Because the NetScreen device can have 4 public keys per admin account, there can be only 4 corresponding private keys per account. Note: It is possible to keep and use a single private key on multiple clients, but be sure to keep it protected from potential intruders. To set up SCS, complete the following steps using the Command Line Interface (CLI) 1. 2. From the public key file for your host, obtain the key length, exponent, and modulus. Enable SCS PKA for the current admin user, specifying the key length, exponent, and modulus, as with the following example.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

0DQDJHPHQW 0HWKRGV DQG 7RROV

ns-> set scs pka-rsa key 512 65537 9687527248844895807195605409339193503321 3724615582796813757422715643970626128793365599992658289801116115376527150778370890191 19296718115311887359071551679 This command binds the specified public key to the admin users login name. The command must not exceed 256 characters in length. If the modulus value requires the command to be of greater length, use the set command instead. The following example uses key length, exponent, and modulus values from a public key file named ourkeyfile.pub. ns-> set scs pka-rsa tftp file-name ourkeyfile.pub ip-addr 172.16.10.10 3. (Optional) Display the list of SSH public keys bound to the current admin user. ns-> get scs pka-rsa 4. (Optional) Display the list of SSH public keys bound to the login name of the specified user (mkt_admin). ns-> get scs pka-rsa username mkt_admin Note: Only the root administrator can execute this command.

6HULDO &RQVROH
You can manage a NetScreen device through a direct serial connection from the administrators workstation to the NetScreen device via the Console port. Although a direct connection is not always possible, this is surely the most secure method for managing the device provided that the location around the NetScreen device is secure. Depending on your NetScreen device model, creating a serial connection might require any of the following items: A DB-9 female to DB-25 male straight-through serial cable A DB-9 female to DB-9 male straight-through serial cable A DB-9 female to MiniDIN-8 male serial cable

You will also need Hyperterminal software (or another kind of VT100 terminal emulator) on the management workstation, with the Hyperterminal port settings configured as follows:

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

0DQDJHPHQW 0HWKRGV DQG 7RROV

Serial communications 9600 bps 8 bit, no parity 1 stop bit no flow control

Note: For more details on using Hyperterminal, see the Getting Started chapter in the NetScreen CLI Reference Guide or one of the installers guides.

$GPLQLVWUDWLYH ,QWHUIDFH 2SWLRQV


You can configure a NetScreen device to allow administration of the device through one or more interfaces. For example, you might have local management access the device through the trusted interface and remote management through the untrusted interface. With a NetScreen model that has a DMZ interface, you might use that interface exclusively for administration, separating management traffic completely from network user traffic for the trusted and untrusted interfaces. To enable an interface to allow various methods of administration to traverse it through the WebUI and the CLI, do the following:

:HE8,
Interfaces >> Physical >> Edit (for the interface you want to edit): Select the following management service options, and then click Save 3 : WebUI: Selecting this option allows the interface to receive HTTP traffic to manage the NetScreen device via the Web user interface (WebUI).

3.

Through the CLI, you can schedule the NetScreen device to reset at a time that is convenient for maintaining uninterrupted network operation: set timer <mm|dd|yyyy> <hh:mm> action reset.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

0DQDJHPHQW 0HWKRGV DQG 7RROV

SCS: You can administer the NetScreen device from an Ethernet connection or a dial-in modem using Secure Command Shell (SCS), which is SSH-compatible. You must have a SSH client that is compatible with Version 1.5 of the SSH protocol. These clients are available for Windows 95, Windows 98, Windows NT, Linux, and UNIX. The NetScreen device communicates with the SSH client through its built-in SCS server, which provides device configuration and management services. Selecting this option enables SCS manageability. Telnet: A terminal emulation program for TCP/IP networks such as the Internet. Telnet is a common way to remotely control network devices. Selecting this option enables Telnet manageability. SSL: Selecting this option allows the interface to receive HTTPS traffic for secure management of the NetScreen device via the Web user interface (WebUI). SNMP: The NetScreen device supports the Simple Network Management Protocol version 1.5 (SNMPv1), described in RFC-1157, and all relevant Management Information Base II (MIB II) groups, as defined in RFC-1213. Selecting this option enables SNMP manageability. Ping: Selecting this option allows the NetScreen device to respond to an ICMP echo request, or ping, which determines whether a specific IP address is accessible from the device. Ident-Reset: When a service such as Mail or FTP sends an identification request and receives no acknowledgment, it sends the request again. While the request is in progress, user access is disabled. With the Ident-Reset checkbox enabled, the NetScreen device automatically restores user access.

&/,
To set up the management (mgt) interface for SSL, execute the following command. set interface mgt manage ssl

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

/HYHOV RI $GPLQLVWUDWLRQ

/(9(/6 2) $'0,1,675$7,21
NetScreen devices support multiple administrative users. For any configuration changes made by an administrator, the NetScreen device logs the following information. The name of the administrator making the change The IP address from which the change was made The time of the change

There are several levels of administrative user. The availability of these levels depends on the model of your NetScreen device.

5RRW $GPLQLVWUDWRU
The root administrator has complete administrative privileges. There is only one root administrator per NetScreen device. The root administrator has the following privileges. Manages the root system of the NetScreen device Adds, removes, and manages all other administrators Establishes and manages virtual systems, and assigns physical or logical interfaces to them Creates, removes, and manages virtual routers (VRs) Adds, removes, and manages security zones Assigns interfaces to security zones

5HDG:ULWH $GPLQLVWUDWRU
The read/write administrator has the same privileges as the root administrator, but cannot create, modify, or remove other admin users. The read/write administrator has the following privileges. Creates virtual systems and assigns a virtual system administrator for each one Monitors any virtual system Tracks statistics (a privilege that cannot be delegated to a virtual system administrator)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

/HYHOV RI $GPLQLVWUDWLRQ

5HDG2QO\ $GPLQLVWUDWRU
The read-only administrator has only viewing privileges using the WebUI, and can only issue the get and ping CLI commands. The read-only administrator has the following privileges. Read-only privileges in the root system, using the following four commands: enter, exit, get, and ping Read-only privileges in virtual systems

96<6 $GPLQLVWUDWRU
The VSYS administrator can configure any NetScreen device that supports virtual systems (VSYS). Each VSYS is a unique security domain, managed by administrative users with privileges that apply only to that VSYS. Virtual system administrators independently manage virtual systems through CLI or the WebUI. On each virtual system, the virtual system administrator has the following privileges: Creates and edits users Creates and edits services Creates and edits access policies Creates and edits addresses Creates and edits VPNs Creates the VSYS administrator login password Creates and manages security zones

96<6 5HDG2QO\ $GPLQLVWUDWRU


The VSYS read-only administrator has only viewing privileges using the WebUI, and can only issue the enter, exit, get, and ping CLI commands. Note: For more information on virtual systems, see Virtual Systems on page 499.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

/HYHOV RI $GPLQLVWUDWLRQ

$GGLQJ $GPLQ 8VHUV


The root administrator is the only one who can create, modify, and remove admin users. In the following example, the one performing the procedure must be a root administrator.

([DPSOH $GGLQJ D 5HDG2QO\ $GPLQLVWUDWRU


In this example, the root administrator adds a read/only administrator named Roger with password 2bd21wG7.

:HE8,
Admin >> Admin >> New Local Administrator: Enter the following, and then click OK: Name: Roger New Password: 2bd21wG74 Confirm Password: 2bd21wG7 Privileges: READ_ONLY (select)

&/,
To add a sub administrator named Roger with password 2bd21wG7 and read-only privilege, execute the following command. set admin user Roger password 2bd21wG7 privilege read-only

4.

The password can be up to 31 characters long and is case sensitive.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

6(&85,1* $'0,1,675$7,9( 75$)),&


To secure the NetScreen device during setup, perform the following steps: 1. On the Web interface, change the administrative port. See Changing the Port Number on page 140. 2. Turn off any unnecessary interface management service options. See Administrative Interface Options on page 134. 3. Disable the ping and ident-reset service options on the interfaces, both of which respond to requests initiated by unknown parties and can reveal information about your network:

:HE8,
Interfaces >> Physical >> Edit (for the interface you want to edit): Disable the following service options, and then click Save: Ping: Selecting this option allows the NetScreen device to respond to an ICMP echo request, or ping, which determines whether a specific IP address is accessible from the device. Ident-Reset: When a service such as Mail or FTP sends an identification request and receives no acknowledgment, it sends the request again. While the request is in progress, user access is disabled. With the Ident-Reset checkbox enabled, the NetScreen device automatically restores user access.

&/,
To disable the ping and ident-reset services, execute the following commands. unset interface mgt manage ping unset interface mgt manage ident-reset

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

1. Change the user name and password for administration access. See Changing the Admin Login Name and Password on page 141. 2. Define the management client IP addresses for the admin users. See Restricting Administrative Access on page 143.

&KDQJLQJ WKH 3RUW 1XPEHU


Changing the port number to which the NetScreen device listens for HTTP management traffic improves security. The default setting is port 80, the standard port number for HTTP traffic. After you change the port number, you must then type the new port number in the URL field in your Web browser when you next attempt to contact the NetScreen device. (In the following example, the administrator needs to enter http://188.30.12.2:15522.)

([DPSOH &KDQJLQJ WKH 3RUW 1XPEHU


In this example, the System IP is 188.30.12.2 with the standard port number 80. You change the port number from 80 to 15522.

:HE8,
1. Admin >> Web >> HTTP Port: 15522 2. Click Apply.

&/,
To change the administration port number, execute the following commands. 1. set admin port 15522 2. save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

&KDQJLQJ WKH $GPLQ /RJLQ 1DPH DQG 3DVVZRUG


By default, the initial login name for NetScreen devices is netscreen. The initial password is also netscreen. Because these have been widely published, you should change the login name and password immediately. The login name and password are both case-sensitive. Each must be one word, alphanumeric, with no symbols. Record the new admin login name and password in a secure manner. Warning: Be sure to record your new password! If you forget it, you must reset the NetScreen device to its factory settings, and all your configurations will be lost. For more information, see Resetting the Device to the Factory Default Settings on page 144. Administrative users for the NetScreen device can be authenticated using the internal database and an external RADIUS server5. When the admin user logs in to the NetScreen device, it first checks the local internal database for authentication. If there is no entry present and a RADIUS server is connected, it then checks for a matching entry in the RADIUS server database. Note: For more information about admin user levels, see Levels of Administration on page 136. For more about using a RADIUS server for authentication, see RADIUS on page 113.

([DPSOH &KDQJLQJ DQ $GPLQ 8VHU /RJLQ 1DPH DQG 3DVVZRUG


The root administrator has decided to change a super administrators login name from John to Smith and his 6 password from xL7s62a1 to 3MAb99j2 . Note: For information on the different levels of administrators, see Levels of Administration on page 136.

5. Remote Authentication Dial-In User Service (RADIUS) is a protocol for authenticating and authorizing dial-up users. The NetScreen device can act as a client of a RADIUS server. 6. Instead of using actual words for passwords, which might be guessed or discovered through a dictionary attack, you can use an apparently random string of letters and numbers. To create such a string that you can easily remember, compose a sentence and use the first letter from each word. For example, Charles will be 6 years old on November 21 becomes Cwb6yooN21.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

:HE8,
Admin >> Admin >> Edit (for John): Enter the following, and then click OK: Name: Smith Old Password: xL7s62a1 New Password: 3MAb99j2 Confirm Password: 3MAb99j2

&/,
To change the user name from John to Smith, and set the password to 3MAb99j2, execute the following commands. 1. unset admin user John 2. set admin user Smith password 3MAb99j2 privilege all 3. save

([DPSOH $Q $GPLQ 8VHU &KDQJLQJ +HU 3DVVZRUG


Non-root users can change their own administrator password, but not their login name. In this example, a super administrator with the login name starling is changing her password from 3MAb99j2 to ru494Vq5.

:HE8,
Admin >> Admin >> Edit (for first entry): Enter the following, and then click OK: Name: starling Old Password: 3MAb99j2 New Password: ru494Vq5 Confirm Password: ru494Vq5

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

&/,
To set the administration password to ru494Vq5, execute the following commands. 1. set admin password ru494Vq5 2. save

5HVWULFWLQJ $GPLQLVWUDWLYH $FFHVV


You can administer NetScreen devices from one or multiple addresses of a subnet. By default, any host on the trusted interface can administer a NetScreen device. To restrict this ability to specific workstations, you must configure Management Client IP addresses. Note: The assignment of a management client IP address takes effect immediately. If you are managing the device via a network connection and your workstation is not included in the assignment, the NetScreen device will immediately terminate your current session and you will no longer be able to manage the device from that workstation.

([DPSOH 5HVWULFWLQJ $GPLQLVWUDWLRQ WR D 6LQJOH :RUNVWDWLRQ


In this example, the administrator at the workstation with the IP address 172.16.40.42 is the only administrator specified to manage the NetScreen device.

:HE8,
Admin >> Admin >> New Restricted Management IP: Enter the following, and then click OK: IP Address: 172.16.40.42 Netmask: 255.255.255.255

&/,
1. set admin manager-ip 172.16.40.42 255.255.255.255 2. save
1HW6FUHHQ &RQFHSWV ([DPSOHV 

&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

([DPSOH 5HVWULFWLQJ $GPLQLVWUDWLRQ WR D 6XEQHW


In this example, the group of administrators with workstations in the 172.16.40.0/24 subnet are specified to manage a NetScreen device.

:HE8,
Admin >> Admin >> New Restricted Management IP: Enter the following, and then click OK: IP Address: 172.16.40.0 Netmask: 255.255.255.0

&/,
1. set admin manager-ip 172.16.40.0 255.255.255.0 2. save

5HVHWWLQJ WKH 'HYLFH WR WKH )DFWRU\ 'HIDXOW 6HWWLQJV


If the admin password is lost, you can use the following procedure to reset the NetScreen device to its default settings. The configurations will be lost, but access to the device will be restored. To perform this operation, you need to make a console connection, which is described in detail in the NetScreen CLI Reference Guide and the installers guides. Note: By default the device recovery feature is enabled. You can disable it by entering the unset admin device-reset command. Also, if the NetScreen device is in FIPS mode, the recovery feature is automatically disabled. 1. 2. At the login prompt, type the serial number of the device. At the password prompt, type the serial number again.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

The following message appears: !!!! Lost Password Reset !!!! You have initiated a command to reset the device to factory defaults, clearing all current configuration, keys and settings. Would you like to continue? y/n 3. Press the y key. The following message appears: !! Reconfirm Lost Password Reset !! If you continue, the entire configuration of the device will be erased. In addition, a permanent counter will be incremented to signify that this device has been reset. This is your last chance to cancel this command. If you proceed, the device will return to factory default configuration, which is: System IP: 192.168.1.1; username: netscreen; password: netscreen. Would you like to continue? y/n 4. Press the y key to reset the device. You can now login in using netscreen as the default username and password.

0DQDJH ,3
Any interface you bind to a security zone can have two IP addresses. a physical port interface IP address (or a logical subinterface), which connects to a network. a logical manage IP address for receiving administrative traffic.

When a NetScreen device is a backup unit in a redundant group for High Availability (HA), you can access and configure the unit through its manage IP address (or addresses) Note: The manage IP address differs from the system IP address in the following two ways: When the NetScreen device is in Transparent mode, the system IP address can be the endpoint of a VPN tunnel, but the manage IP address cannot. You can define multiple manage IP addressesone for each network interfacebut you can only define one system IP addressfor the entire system.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

([DPSOH 6HWWLQJ 0DQDJH ,3V IRU 0XOWLSOH ,QWHUIDFHV


In this example, an interface bound to the DMZ zone gives access to a group of administrators using HTTP, SNMP, or Telnet. The interface bound to the DMZ zone (ethernet2/2) and the interface bound to the Untrust zone (ethernet1/2) each have a Manage IP address, which allows administrative access.
Untrust Zone NetScreen-Global PRO Internet

Interface Ethernet3, bound to Untrust Zone Manage IP: 211.24.54.43125/24

Interface Ethernet2, bound to DMZ Zone Manage IP: 211.24.55.43/24 HTTP, SNMP, or Telnet hosts DMZ Zone

LAN Trust Zone

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

:HE8,
Interfaces >> Physical >> Edit (ethernet2): Enter the following, and then click Save: IP Address: 211.24.55.144 Netmask: 255.255.255.0 Manage IP: 211.24.55.43 Traffic Bandwidth: 0 Zone Name: DMZ Management Services: WebUI, Telnet, SNMP: (select)

&/,
To set up the same configuration using the CLI, execute the following commands. 1. 2. 3. 4. 5. 6. set interface ethernet2 ip 211.24.55.144 255.255.255.0 set interface ethernet2 manage-ip 211.24.55.43 set interface ethernet2 manage web set interface ethernet2 manage telnet set interface ethernet2 manage snmp save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

0DQDJHPHQW =RQH ,QWHUIDFHV


On some NetScreen devices, the Management (MGT) zone allows you to manage the device through a separate interface, moving administrative traffic outside the regular network user traffic. Separating administrative traffic from network user traffic greatly increases administrative security and assures constant management bandwidth. There are two interfaces, bound by default to the MGT zone: vlan1 Use this interface when running the NetScreen device in transparent mode. The device is in transparent mode when it works at Level 2. mgt Use this interface when running the NetScreen device in non-transparent (NAT or Router) mode. The device is in non-transparent mode when it works at Level 3.

These interfaces provide dedicated connections for management traffic. With this arrangement, you can use a Web browser to manage through the WebUI (see Web User Interface on page 125) or use other services such as Telnet (see Telnet on page 130) to manage through the CLI.

([DPSOH $GPLQLVWUDWLRQ WKURXJK WKH 0*7 ,QWHUIDFH


You can configure some NetScreen devices to allow administration through one or more of the trusted, untrusted, DMZ or Management (mgt) interfaces. To maintain the highest level of security, NetScreen recommends that you limit administrative traffic exclusively to the vlan1 or mgt interface and user traffic to the trusted and untrusted interfaces. These interfaces are bound by default to the Management (MGT) zone. Using these interfaces prohibits administrative access from trusted and untrusted workstations that are connected to your network and assures bandwidth availability for administrative traffic. In the following example, the IP address of the MGT interface is 192.168.20.2/24, and the MGT interface is enabled to receive Telnet and Web administrative traffic.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

:HE8,
Interfaces >> Physical >> Edit (for mgt): Enter the following, and then click Save: IP Address: 192.168.20.2 Netmask: 255.255.255.0 WebUI: enable Telnet: enable

&/,
1. 2. 3. 4. set interface mgt ip 192.168.20.2/24 set interface mgt manage web set interface mgt manage telnet save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

9LUWXDO 3ULYDWH 1HWZRUNV


You can use a Virtual Private Network (VPN) to secure remote management and monitoring of a NetScreen device from either a dynamically assigned or fixed untrusted IP address. Using a VPN, you can protect any kind of traffic, such as HTTP, Telnet, or SNMP. NetScreen supports three methods for creating a VPN tunnel: Manual Key: You manually set the three elements that define a Security Association (SA) at both ends of the tunnel: a Security Parameters Index (SPI), an encryption key, and an authentication key. To change any element in the SA, you must manually enter it at both ends of the tunnel. AutoKey IKE with Preshared Key: One or two preshared secretsone for authentication and one for encryptionfunction as seed values. Using them, the IKE protocol generates a set of symmetrical keys at both ends of the tunnel; that is, the same key is used to encrypt and decrypt. At predetermined intervals, these keys are automatically regenerated. AutoKey IKE with Certificates: Using the Public Key Infrastructure (PKI), the participants at both ends of the tunnel use a digital certificate (for authentication) and an RSA public/private key pair (for encryption). The encryption is asymmetrical; that is, one key in a pair is used to encrypt and the other to decrypt. Note: For a complete description of VPN tunnels, see the VPN chapters. For more information on NetScreen-Remote, refer to the NetScreen-Remote Users Guide. To send traffic (such as syslog reports or SNMP traps) generated by the NetScreen device through a VPN tunnel to an administrator in the Untrust zone, you must designate the interface bound to the Trust zone as the source address in the access policy. (Even though the traffic actually originates in the device itself, you must specify the Trust zone interface as the source address.) Note: To tunnel administrative traffic generated by a NetScreen device, the source address must be the interface bound to the Trust zone, and the destination address must be in the Untrust zone. Also, for the NetScreen device to send device-generated traffic through the tunnel properly, you must bind only one interface to the Trust zone.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

([DPSOH 6HQGLQJ 6103 DQG 6\VORJ 5HSRUWV WKURXJK DQ ,36HF 7XQQHO


In this example, a remote administrator behind a NetScreen device receives SNMP traps and syslog reports7 from a another NetScreen device through an AutoKey IKE IPSec tunnel. The tunnel uses a preshared key (Ci5y0a1aAG) for data origin authentication and 3DES and SHA-1 for data encryption and authentication. The tunnel is in IPSec main mode, using Diffie-Hellman group 2 exchanges for the Phase 1 and Phase 2 IPSec negotiations. Note: For the following example, assume that ethernet3/2 is bound to the Trust zone, and ethernet1/2 is bound to the Untrust zone. The default gateway IP address is 2.2.2.1.

ethernet3/2 Trust Zone 10.10.1.1/24

ethernet1/2 Untrust Zone 2.2.2.2/24

Internet VPN Tunnel

Remote Gateway IP Address: 3.3.3.3 Syslog server and SNMP host 10.20.1.2

LAN

:HE8,
,QWHUIDFHV 6HFXULW\ =RQHV
1. Interfaces >> Physical >> Edit (for ethernet3/2): Enter the following, and then click Save: IP Address: 10.10.1.18 Netmask: 255.255.255.0

7. 8.

This example assumes that the remote admin has already set up the syslog server and SNMP manager. When the remote admin sets up the VPN tunnel on his NetScreen device, he uses 2.2.2.2 as the remote gateway and 10.10.1.1 as the destination address. When the remote admin configures the SNMP manager, he must enter 10.10.1.1 in the Remote SNMP Agent field. This is the address to which the SNMP manager sends queries.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

2. Interfaces >> Physical >> Edit ( for ethernet1/2): Enter the following, and then click Save: IP Address: 2.2.2.2 Netmask: 255.255.255.0

$GGUHVVHV
3. Address >> Address >> New Address: Enter the following, and then click OK: Address Name: trust_int IP Address/Domain Name: 10.10.1.1 Netmask: 255.255.255.255 Zone: Trust 4. Address >> Address >> New Address: Enter the following, and then click OK: Address Name: remote_admin IP Address/Domain Name: 10.20.1.2 Netmask: 255.255.255.255 Zone: Untrust

931
5. VPNs >> Gateway(P1) >> New Remote Tunnel Gateway: Enter the following, and then click OK: Gateway Name: to_admin Static IP Address: 3.3.3.3 Mode (Initiator): Main (ID Protection): (select) Outgoing Interface: ethernet1/2 Phase 1 Proposal: pre-g2-3des-sha Preshared Key: Ci5y0a1aAG

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

6. VPNs >> AutoKey(P2) >> New AutoKey IKE Entry: Enter the following, and then click OK: Name: admin Remote Gateway Tunnel: to_admin Phase 2 Proposal: g2-esp-3des-sha

6\VORJ DQG 6103


7. Admin >> Syslog: Enter the following, and then click Apply: Enable Syslog Messages: (select) Use Trust Interface as Source IP for VPN: (select) Syslog Host Name: 10.20.1.2 8. Admin >> SNMP >> New Community: Enter the following, and then click OK: Community Name: remote_admin Write: (select) Trap: (select) Hosts: 10.20.1.2 9. Admin >> SNMP: Select Use Trust Interface as Source IP for VPN, and then click Apply.

5RXWHV
10. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: trust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Hop Virtual Router Name: (select), untrust-vr

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

11. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway IP Address: (select) 2.2.2.1 Interface: None Metric: 1

3ROLFLHV
12. Policies >> Policy (From Zone Trust, To Zone Untrust) >> New Policy: Enter the following, and then click OK: Source Address: trust_int Destination Address: remote_admin Service: SNMP Action: Tunnel VPN Tunnel: admin 13. Policies >> Policy (From Zone Trust, To Zone Untrust) >> New Policy: Enter the following, and then click OK: Source Address: trust_int Destination Address: remote_admin Service: SYSLOG Action: Tunnel VPN Tunnel: admin

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

&/,
Note: For this example, assume that ethernet interface (ethernet4/1) is bound to the Trust zone, and another ethernet interface (ethernet4/2) is bound to the Untrust zone.

,QWHUIDFHV 6HFXULW\ =RQHV


1. 2. 3. 4. set interface eth3/2 zone trust set interface eth3/2 ip 10.10.1.1/24 set interface eth1/2 zone untrust set interface eth1/2 ip 2.2.2.2/24

$GGUHVVHV
5. set address trust trust_int 10.10.1.1/24 6. set address untrust remote_admin 10.20.1.2/24

931
7. set ike gateway to_admin ip 3.3.3.3 main outgoing-interface eth1/2 preshare Ci5y0a1aAG proposal pre-g2-3des-sha 8. set vpn admin gateway to_admin tunnel proposal g2-esp-3des-sha

6\VORJ DQG 6103


9. set syslog config 10.20.1.2 auth/sec local0 10. set syslog vpn 11. set syslog enable 12. set snmp community remote_admin read-write trap-on 13. set snmp host remote_admin 10.20.1.2 14. set snmp vpn

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

5RXWHV
15. set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr 16. set vrouter untrust-vr route 0.0.0.0/0 interface ethernet1/2 gateway 2.2.2.1

3ROLFLHV
17. set policy outgoing trust_int remote_admin snmp tunnel vpn admin 18. set policy outgoing trust_int remote_admin syslog tunnel vpn admin 19. save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

([DPSOH $GPLQLVWUDWLRQ WKURXJK D 931 7XQQHO IURP WKH 7UXVW =RQH


In this example, the network security administrator uses a VPN to keep security separate from general network administration. The administrator creates a Manual Key VPN tunnel from the workstation at 10.10.11.56 to 10.10.10.1, the IP address of an interface bound to a tunnel zone. The workstation runs NetScreen-Remote.

Internet Untrust Zone

Trust Zone Interface IP: 10.10.10.1/24 Trust Zone LAN VPN Tunnel

Administrative Workstation IP: 10.10.11.56/24

:HE8,
1. Interfaces >> Physical >> Edit (ethernet1): Enter the following, and then click OK: IP Address: 10.10.10.1 Netmask: 255.255.255.0 Zone Name: Trust Virtual Router Name: trust-vr

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

2. Zones >> Zone >> New Entry: Enter the following, and then click OK: Zone Name: Other_Zone Virtual Router Name: untrust-vr Zone Type: select Regular 3. Interfaces >> Physical >> Edit (ethernet5): Enter the following, and then click OK: IP Address: 10.20.10.2 Netmask: 255.255.255.0 Zone Name: Other_Zone 4. Address >> Address (under the New column for the Trust zone): Enter the following, and then click OK: Address Name: Admin_Interface IP Address/Domain Name: 10.10.10.56 Netmask: 255.255.255.0 Zone: Trust 5. Address >> Address (under the New column for the Other_ Zone): Enter the following, and then click OK: Address Name: Other_Interface IP Address/Domain Name: 10.10.10.2 Netmask: 255.255.255.255 Zone: Other_Zone

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

6. VPNs >> Manual Key >> New Manual Key Entry: Enter the following, and then click OK: VPN Tunnel Name: Admin_Tunnel Gateway IP: 10.10.10.56 Security Index: 4567 (Local) 5555 (Remote) Outgoing Interface: ethernet1 Tunnel Zone: (select) Untrust_Tun ESP-CBC: (select) Encryption Algorithm: DES-CBC Generate Key by Password9: netscreen1 Authentication Algorithm: MD5 Generate Key by Password: netscreen2 7. Policies >> Policy (From Zone: Trust, To Zone: Other_Zone) >> New Policy: Enter the following, and then click OK: Source Address: Admin_Interface Destination Address: Other_Interface Service: ANY Action: Tunnel VPN Tunnel: Admin_Tunnel

9.

Because NetScreen-Remote processes passwords into keys differently than other NetScreen products do, after you configure the tunnel do the following: (1) Return to the Manual Key Configuration dialog box (click Edit in the Configure column for Admin Tunnel); (2) copy the generated hexadecimal key; and (3) use that hexadecimal key when configuring the NetScreen-Remote end of the tunnel.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $GPLQLVWUDWLRQ

6HFXULQJ $GPLQLVWUDWLYH 7UDIILF

&/,
1. 2. 3. 4. 5. 6. 7. 8. 9. set interface ethernet1 zone trust set interface ethernet1 route set interface ethernet1 ip 10.10.10.1/24 set zone name Other_Zone set interface ethernet5 zone Other_Zone set interface ethernet5 ip 10.20.10.2/24 set address trust Admin_Interface 10.10.10.56/24 set address Other_Zone Other_Interface 10.20.10.2/24 set vpn Admin_Tunnel manual 4567 5555 gateway 10.10.10.56 outgoing ethernet1 esp des password netscreen1 auth md5 password netscreen2 10. set policy from trust to Other_Zone Admin_Interface Other_Interface any tunnel vpn Admin_Tunnel 11. set policy from Other_Zone to trust Other_Interface Admin_Interface any tunnel vpn Admin_Tunnel 12. save

1HW6FUHHQ &RQFHSWV

([DPSOHV



8uhr%

0RQLWRULQJ 1HW6FUHHQ 'HYLFHV


This chapter discusses the following topics that can be used when monitoring NetScreen devices: Syslog on page 162 SNMP on page 165 Counters on page 171 Logs on page 172 Alarms on page 175

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  0RQLWRULQJ 1HW6FUHHQ 'HYLFHV

6\VORJ

6<6/2*
Syslog is facility that enables the logging of system events to a single file for later review. A NetScreen device generates syslog messages for system events at user-defined priority levels and sends these messages via UDP (port 514) to a syslog host, which runs on a UNIX/Linux system. Syslog messages can be used by the syslog host to create e-mail alerts for the system administrator, or be displayed on the console of the designated host using UNIX syslog conventions. Note: On UNIX/Linux platforms, modify the /etc/rc.d/init.d/syslog file so that syslog retrieves information from the remote source (syslog -r). You can also send syslog messages through a VPN tunnel. In the WebUI, select the Use Trust Interface as Source IP for VPN. In the CLI, use the set syslog vpn command.

/RJJLQJ 3ULRULW\ /HYHOV


The syslog message levels are as follows: EMERGENCY: Generates messages on SYN attacks, Tear Drop attacks, and Ping of Death attacks. For more information on these types of attacks, see Firewall Options on page 67. ALERT: Generates messages for multiple user authentication failures and other firewall attacks not included in the emergency category. CRITICAL: Generates messages for URL blocks, traffic alarms, high availability (HA) status changes, and global communications. ERROR: Generates messages for admin name and password changes. WARNING: Generates messages for admin logins and logouts, failures to log in and log out, and user authentication failures, successes, and timeouts. NOTICE: Generates messages for link status changes, load balancing server status changes, and traffic logs. INFO: Generates any kind of message not specified in other categories. DEBUG: Generates all messages.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  0RQLWRULQJ 1HW6FUHHQ 'HYLFHV

6\VORJ

Syslog messages are organized hierarchically, so that setting a level includes that level and all levels above it. For example, an alert setting generates messages for alert and emergency messages, whereas a debug setting generates messages for all levels. Note: You can also send traffic logs with the syslog messages.

:HE7UHQGV
WebTrends offers a product called the WebTrends Firewall Suite that allows you to customize syslog reports to display the information you want in the format you specify. You can create reports that focus on areas such as firewall activity, network traffic flow, or event alarms. Note: The WebTrends Syslog Server and the WebTrends Firewall Suite must run on the same Windows NT system. You must have administrator rights to configure it. You can also send WebTrends messages through a VPN tunnel. In the WebUI, select the Use Trust Interface as Source IP for VPN. In the CLI, use the set webtrends vpn command.

([DPSOH (QDEOLQJ 6\VORJ DQG :HE7UHQGV


The following example illustrates how to set up the syslog facility to send messages to port 514 on a WebTrends syslog Server at 172.10.16.25. The security and facility levels are set to Local0. Traffic logs are included with the system event messages.

:HE8,
Admin >> Syslog: Enter the following, then click Apply: Enable syslog messages: (select) Include Traffic Log: (select) Syslog Host Name: 172.10.16.25 Syslog Host Port: 5141

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  0RQLWRULQJ 1HW6FUHHQ 'HYLFHV

6\VORJ

Security Facility: Local0 Facility: Local0 Enable WebTrends Messages: (select) WebTrends Host Name: 172.10.16.25 WebTrends Host Port: 514 Note: When you enable syslog and WebTrends on a NetScreen device running in Transparent mode, you must set up a static route on the Route Table.

&/,
1. 2. 3. 4. 5. 6. 7. 8. set syslog config 172.10.16.25 auth/sec local0 set syslog port 514 set syslog traffic set syslog enable set webtrends host-name 172.10.16.25 set webtrends port 514 set webtrends enable save

1.

The syslog host port number must match the WebTrends port number.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  0RQLWRULQJ 1HW6FUHHQ 'HYLFHV

6103

6103
The Simple Network Management Protocol (SNMP) agent for the your NetScreen device provides network administrators with a way to view statistical data about the network and the devices on it, and to receive notification of system events of interest. The NetScreen devices support the SNMPv1 protocol (described in RFC-1157) and all relevant Management Information Base II (MIB II) groups defined in RFC-1213. Accordingly, the NetScreen SNMP agent generates the following traps, or notifications, when specified events or conditions occur: Cold Start Trap: The cold start trap is generated when the NetScreen device becomes operational after you power it on. Trap for SNMP Authentication Failure: The authentication failure trap is triggered if the SNMP manager sends the incorrect community string. Traps for System Alarms: System alarms are triggered by firewall conditions and NetScreen device error conditions. Three NetScreen enterprise traps are defined to cover alarms related to hardware, security, and software. (For more information on firewall settings and alarms, see Firewall Options on page 67, and Alarms on page 175.) Traps for Traffic Alarms: Traffic alarms are triggered when traffic exceeds the alarm thresholds set in access policies. (For more information on configuring access policies, see Chapter 9, Access Policies.

The following table list possible alarm types and their associated trap number:
Trap Enterprise ID 100 200 300 400 500 Description Hardware problems Firewall problems Software problems Traffic problems VPN problems

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  0RQLWRULQJ 1HW6FUHHQ 'HYLFHV

6103

For more information on types of problems, see Logs on page 172. Note: The network administrator must have an SNMP manager application such as HP OpenView or SunNet ManagerTM to browse the SNMP MIB II data and to receive traps from either the trusted or untrusted interface. There are also several shareware and freeware SNMP manager applications available from the Internet. NetScreen devices do not ship with a default configuration for the SNMP manager. To configure your NetScreen device for SNMP, you must first create communities, define their associated hosts, and assign permissions (read-write or read only).

,PSOHPHQWDWLRQ 2YHUYLHZ
The following points summarize how SNMP is implemented in NetScreen devices: The network administrator can create up to three communities, each containing up to eight hosts. Hosts must be listed individually; they cannot be specified as a range. Each community has either read-only or read-write permission for the MIB II data. Each community can be allowed or denied receiving traps. Access to the MIB II data and traps is available through any physical interface. Each system alarm generates a single NetScreen enterprise SNMP trap to each of the hosts in each community that is set to receive traps. Cold Start / Link Up / Link Down traps will be sent to all hosts in communities that are set to receive traps. If you specify trap-on for a community, you also have the option to allow traffic alarms.

You can also send SNMP messages through a VPN tunnel. In the WebUI, select the Use Trust Interface as Source IP for VPN. In the CLI, use the set snmp vpn command.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  0RQLWRULQJ 1HW6FUHHQ 'HYLFHV

6103

([DPSOH 6HWWLQJ 8S 6103 &RPPXQLWLHV


In the example below, you configure SNMP for two communities, named JCarney and TCooper. In the first community, its members can read MIB II data and receive traps. In the second community, its members can read and write MIB II data, receive traps, and traffic alarms. The contact person is John Fisher in Miami. The JCarney community host IP addresses are 172.16.20.181, 172.16.40.245, and 172.16.40.55. The TCooper community host is 172.16.20.250. Note: The MIB II system group variables sysContact, sysName (which is the same as the host name), sysLocation, and sysServices are read-write objects. All other variables are read-only.

:HE8,
1. Admin >> SNMP: Enter the following settings, and then click Apply: System Contact: John Fisher Location: Miami 2. Admin >> SNMP >> New Community: Enter the following settings, and then click OK: Community Name: JCarney Trap: (select) Hosts: 172.16.20.181 172.16.40.245 172.16.40.55 3. Admin >> SNMP >> New Community: Enter the following settings, and then click OK: Community Name: TCooper Write: (select) Trap: (select) Including Traffic Alarms: (select) Hosts: 172.16.20.250
1HW6FUHHQ &RQFHSWV ([DPSOHV 

&KDSWHU  0RQLWRULQJ 1HW6FUHHQ 'HYLFHV

6103

&/,
1. 2. 3. 4. 5. 6. 7. 8. 9. set snmp contact John Fisher set snmp location Miami set snmp community JCarney read-only trap-on set snmp host JCarney 172.16.20.181 set snmp host JCarney 172.16.40.245 set snmp host JCarney 172.16.40.55 set snmp community TCooper read-write trap-on traffic set snmp host TCooper 172.16.20.250 reset

931 0RQLWRULQJ
The NetScreen ScreenOS provides the ability to determine the status and condition of active VPNs through the use of SNMP VPN monitoring objects and traps. Note: To enable your SNMP manager application to recognize the VPN monitoring MIBs, you must import the NetScreen-specific MIB extension files into the application. You can find the MIB extension files on the NetScreen documentation CD that shipped with your NetScreen device. By enabling the VPN monitoring feature on a Manual Key or AutoKey IKE VPN tunnel, the NetScreen device activates its SNMP VPN monitoring objects, which note data on the following: The total number of active VPN sessions The time each session started The Security Association (SA) elements for each session: ESP encryption (DES or 3DES) and authentication algorithm (MD5 or SHA-1) types AH algorithm type (MD5 or SHA-1) Key exchange protocol (AutoKey IKE or Manual Key)
([DPSOHV 

1HW6FUHHQ &RQFHSWV

&KDSWHU  0RQLWRULQJ 1HW6FUHHQ 'HYLFHV

6103

Phase 1 authentication method (Preshared Key or certificates) VPN type (dialup or peer-to-peer) Peer and local gateway IP addresses Peer and local gateway IDs Security Parameter Index (SPI) numbers Session status parameters VPN monitoring status (up or down) Tunnel status (up or down) Phase 1 and 2 status (inactive or active) Phase 1 and 2 lifetime (time in seconds before rekeying; Phase 2 lifetime is also reported in remaining bytes before rekeying)

When VPN monitoring is enabled, the NetScreen device also pings the remote gateway at specified intervals (in 10-second increments) to monitor network connectivity between the two VPN gateways.2 The pings are sent through the VPN tunnel between the two end points of the tunnelthe untrusted interface IP addresses (NAT or Route mode) or the System IP addresses (Transparent mode). The VPN monitoring MIB notes whether the ping elicited a response, a running average of successful responses, the latency of the response, and the average latency over the last 30 attempts. An SNMP trap is triggered when the ping activity indicates that the VPN status has changed: Up to Down: The state of the VPN tunnel is up, but the ping request has not elicited a response after a specified number of attempts. Down to Up: The state of the VPN tunnel is down, but the ping request elicits a response.

To enable VPN monitoring, do the following:

2.

You must use the following CLI command to change the ping interval: set vpnmonitor. The default is 10 seconds.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  0RQLWRULQJ 1HW6FUHHQ 'HYLFHV

6103

:HE8,
VPNs >> Manual Key >> New Manual Key Entry: Configure the VPN, select the VPN Monitor check box, and then click OK. Or VPNs >> AutoKey (P2) >> New AutoKey IKE Entry: Configure the VPN, select the VPN Monitor check box, and then click OK.

&/,
Configure the Manual Key or AutoKey IKE VPN, then execute the following commands. 1. set vpn <vpn_name> monitor 2. set vpnmonitor frequency <number3> 3. save

3.

You can set the VPN monitoring frequency in 10-second increments.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  0RQLWRULQJ 1HW6FUHHQ 'HYLFHV

&RXQWHUV

&2817(56
Counters measure traffic as defined in the access policies section.

([DPSOH 9LHZLQJ &RXQWHUV


This example illustrates how to view the amount of traffic per second handled by the first incoming access policy, which has a policy ID of 3.

:HE8,
1. Counters >> Count >> View Count Details: Click on a line in the graph to view information at that interval. Note: The X-axis represents time and the Y-axis represents the number of bytes. The X-axis displays seconds, minutes, hours, days, or months, depending on which tab you select. The color of the bar appears in blue, unless an alarm threshold was set and exceeded, in that case the bar is red. 2. Counters >> Count >> View Count Details >> Download to File: Specify the desired location of the counter data for review and analysis. 3. Counters >> Count >> View Count Details >> Update Now: The screen refreshes with the most recent data available.

&/,
get counter policy 3 second

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  0RQLWRULQJ 1HW6FUHHQ 'HYLFHV

/RJV

/2*6
NetScreen devices categorize system-level events as system events, traffic events, and denied traffic. System events are discussed in Event Log on page 172, traffic events in Traffic Log on page 173, and denied traffic in Self Log on page 174.

(YHQW /RJ
System events are classified into two distinct categories: information (indicated by a yellow circle in the WebUI) and configuration (indicated by a red circle). You can view system events through the WebUI, the CLI, or you can send event logs to a syslog host, (see Syslog on page 162) or a WebTrends host (WebTrends on page 163). Note: For detailed information about the messages that appear in the event log, refer to the NetScreen Message Log Reference Guide.

:HE8,
Log >> Event Log

&/,
The get log command allows you to impose parameters to determine the events displayed. (For more information, see the NetScreen CLI Reference Guide.) To list the current event log, execute the following CLI command: get log event

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  0RQLWRULQJ 1HW6FUHHQ 'HYLFHV

/RJV

7UDIILF /RJ
NetScreen devices provide comprehensive monitoring tools to monitor traffic flow in real-time. You can view all graphs of the usage data with a browser on the Internet, or download it and import it into a spreadsheet or database for numerous applications. NetScreen devices maintain a traffic log. To view traffic logs you have defined in the Access Policies page, do the following:

:HE8,
Log >> Traffic Log >> View All Log Entries: Select the action you want to perform: Click Download to File to save the data to a desired location for review and analysis. You can save the data to your local C: drive in a *.txt text format. The file contents are tab-delimited. Click Clear Logs to clear the log after downloading the most recent data available.

&/,
get log traffic

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  0RQLWRULQJ 1HW6FUHHQ 'HYLFHV

/RJV

6HOI /RJ
In addition to the event log and traffic log, each NetScreen device supports a logging function called self log. The self log records all the dropped packets detected by that NetScreen device; that is, the log shows all the traffic which terminated at the device and was denied. In addition to viewing the self log through the WebUI or CLI, you can also open or save the file to the location you specify. Use an ASCII text editor (such as Notepad) to view the file.

([DPSOH 'RZQORDGLQJ WKH 6HOI /RJ


This example illustrates how to download a self log to your workstation desktop (WebUI) or to a TFTP server with the IP address 10.10.20.200 (CLI).

:HE8,
1. Log >> Self Log: Select the Download to File option. The File Download wizard prompts you to open the file (using an ASCII editor) or save it to disk. 2. Select the Save this file to disk option, and then click OK. The File Download wizard prompts you to choose a directory. 3. Specify the desktop, name the file and give it a .txt extension, and then click Save.

&/,
The following example assumes an output file named OutFile.txt: get log self > tftp 10.10.20.200 OutFile.txt

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  0RQLWRULQJ 1HW6FUHHQ 'HYLFHV

$ODUPV

$/$506
Your NetScreen device maintains two types of alarmstraffic alarms, when traffic thresholds on access policies are exceeded, and event alarms, when system events occur. You can also configure the your NetScreen device to alert you through one or more of the following methods whenever an alarm is generated: E-mail Syslog or WebTrends SNMP

7UDIILF $ODUPV
You define and enable Traffic Alarms by setting alarm thresholds in the Access Policy Configuration dialog box. They are triggered when traffic exceeds those thresholds. (For more information on monitoring traffic, see Traffic Log on page 173.) Alarms >> Traffic Alarm >> Recent Alarm Time: View alarm details by selecting the following: To save the data to the specified location for review and analysis, click Download to File. You can save the data to your local C: drive in a *.txt text format. The file contents are tab-delimited. To erase all the data, click Clear Alarms. To move to the next/previous page, click Next/Previous.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  0RQLWRULQJ 1HW6FUHHQ 'HYLFHV

$ODUPV

(YHQW $ODUPV
Event alarms, such as those for attacks against which you have configured the device to guard, are triggered by the events themselves. (For more information on monitoring events, see Event Log on page 172.)

:HE8,
Alarms >> Event Alarm: View the Event Alarm details by selecting the following: To save the data to the specified location for review and analysis, click Download to File. You can save the data to your local C: drive in a *.txt text format. The file contents are tab-delimited. Click the Next/Previous option to see the next/previous page.

&/,
1. get alarm traffic 2. get alarm event

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  0RQLWRULQJ 1HW6FUHHQ 'HYLFHV

$ODUPV

([DPSOH 6HQGLQJ (PDLO $OHUWV


This example shows how you set up notification by e-mail alerts when there is an alarm. The mail server is at 172.16.10.254, the first e-mail address to be notified is jharker@netscreen.com, and the second address is driggs@netscreen.com. The NetScreen device includes traffic logs with event logs sent via e-mail.

:HE8,
Admin >> Settings: Enter the following information, then click Apply: Enable E-Mail Notification for Alarms: (select) SMTP Server Name: 172.16.10.2544 E-Mail Address 1: jharker@netscreen.com E-Mail Address 2: driggs@netscreen.com Include Traffic Log: select

&/,
1. 2. 3. 4. 5. 6. set admin mail alert set admin mail mail-addr1 jharker@netscreen.com set admin mail mail-addr2 driggs@netscreen.com set admin mail server-name 172.16.10.254 set admin mail traffic-log save

4.

If you have DNS enabled, you can also use a host name for the mail server, such as mail.netscreen.com.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  0RQLWRULQJ 1HW6FUHHQ 'HYLFHV

$ODUPV

1HW6FUHHQ &RQFHSWV

([DPSOHV



8uhr&

9LUWXDO 5RXWHUV

The routing component of a NetScreen security appliance maintains a routing table with entries for all the IP addresses in its routing domain so that it can forward packets from one subnet to another. A NetScreen device running ScreenOS 3.1.0 logically subdivides its routing module into two virtual routers1Trust-VR (VR-2), which contains the trust zone and, by default, any user-defined zone, and Untrust-VR (VR-1), which contains the untrust zone. Each virtual router has a memory buffer, a route entry maximum, and a routing table. ScreenOS 3.1.0 supports the following kinds of virtual routers: Two predefined virtual routers Trust-VR, which contains the trust zone and, by default, any user-defined zone Untrust-VR, which contains the untrust zone Untrust-vr, which contains the untrust zone, DMZ zone, and any user-defined zone assigned to it Multiple user-defined virtual routers, the number of which depends on the amount specified in the virtual router software key that you must first obtain This chapter contains the following sections about the creation, modification, and deletion of virtual routers, as well as information about route redistribution, route exporting, and route table configuration: Configuring a Virtual Router on page 180 Creating a Virtual Router on page 180 Modifying a Virtual Router on page 181 Changing Zone-to-Virtual Router Bindings on page 182 Deleting a User-Defined Virtual Router on page 182 Route Redistribution on page 183 Route Exporting on page 184 Route Table Configuration on page 185
1. Each virtual system shares the untrust-vr with the root system and has its own vsys-vr. Therefore, by increasing the number of virtual systems, you increase the number of virtual routers.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 5RXWHUV

&RQILJXULQJ D 9LUWXDO 5RXWHU

&21),*85,1* $ 9,578$/ 5287(5


By separating routing information into two or more virtual routers, you can control the information that is visible to others in any given routing domain. For example, you can keep the routing information for all the security zones inside a corporate network on the predefined virtual router trust-vr, and all the zones outside the corporate network on the other predefined virtual router untrust-vr. Because the information in the routing table of one virtual router is not visible to the other, you can keep internal network routing information hidden from untrusted sources outside the company.

&UHDWLQJ D 9LUWXDO 5RXWHU


If you have obtained a software key permitting the addition of user-defined virtual routers, you can define them either through the WebUI or CLI as follows:

:HE8,
1. Routing >> Virtual Router >> New Entry: Enter the following, and then click OK: Virtual Router Name: Type the name of the virtual router. Maximum Route Entry: Type the maximum number of routes that the virtual router can maintain. (The minimum is 10.) Route Export: Select this check box to enable route exporting. Clear it to disable route exporting. 2. Routing >> Redist. Rule >> New Entry: Enter the following, and then click OK: Virtual Router Name: From the drop-down list, select the virtual router to which you want to redistribute routing information. Network Address: Type the address to which the route leads. Netmask: Type the netmask for the address. Source Virtual Router Name: From the drop-down list, select the name of the virtual router that maintains the address in its routing table.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 5RXWHUV

&RQILJXULQJ D 9LUWXDO 5RXWHU

&/,
1. 2. set vrouter <name> id <number> set vrouter <name> { max-routes <number> | auto-route-export | redistribute ip <ip_addr> <netmask> vrouter <name> }

0RGLI\LQJ D 9LUWXDO 5RXWHU


You can modify all aspects of a user-defined virtual router. For the predefined virtual router trust-vr, you can change its name and whether or not it automatically exports route information for interfaces configured in Route mode to the untrust-vr (see Route Exporting on page 184). For the predefined virtual router untrust-vr, no modifications are allowed. To modify the ID number or name of a user-defined virtual router, you must first delete the virtual router, and then recreate it with the new name or ID number.

:HE8,
1. 2. Routing >> Virtual Router >> Edit (for the virtual router that you want to modify): Change the settings, and then click OK. Routing >> Redist. Rule >> { New Entry (if no entry exists) | Edit (for an existing entry that you want to modify }: Change the settings, and then click OK .

&/,
1. 2. set vrouter <name> { max-routes <number> | auto-route-export | redistribute ip <ip_addr> <netmask> vrouter <name> } save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 5RXWHUV

&RQILJXULQJ D 9LUWXDO 5RXWHU

&KDQJLQJ =RQHWR9LUWXDO 5RXWHU %LQGLQJV


You can change the binding of a security zone from one virtual router to another. (First, however, you must remove all interfaces from the zone. For information on binding and unbinding an interface to a security zone, see Creating an Interface on page 78.)

:HE8,
1. Zones >> Zone >> Edit (for the zone whose binding you want to change): Select the virtual router to which you want to bind the zone from the Virtual Router Name drop-down list, and then click OK.

&/,
1. 2. set zone <name> vrouter <vr_name> save

'HOHWLQJ D 8VHU'HILQHG 9LUWXDO 5RXWHU


You cannot delete the predefined virtual routers untrust-vr and trust-vr, although you can modify some aspects of the trust-vr. However, you can delete any user-defined virtual router.

:HE8,
1. 2. Routing >> Virtual Router >> Remove (for the virtual router that you want to remove). When the prompt appears asking you to confirm the removal, click Yes.

&/,
1. 2. unset vrouter <name> save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 5RXWHUV

5RXWH 5HGLVWULEXWLRQ

5287( 5(',675,%87,21
Because each virtual router maintains its own routing table, for traffic originating in one routing domain to reach a destination in another routing domain, there must be a link between the two virtual routers. Such route leakage is made possible via route redistribution. Route redistribution locates a route that is unavailable on one virtual router by requesting another virtual router to check its routing table. For example, for host A in the trust-vr routing domain to communicate with host B in the untrust-vr routing domain, the trust-vr must contain a route that states to reach host B, go to untrust-vr. By default, trust-vr has the following route to untrust-vr so that any routes not available on trust-vr are deferred to untrust-vr: (VR) trust-vr, (IP/Netmask) 0.0.0.0/0, (Gateway) untrust-vr, (Interface) n/a.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 5RXWHUV

5RXWH ([SRUWLQJ

5287( (;3257,1*
You can specify that trust-vr or a user-configured virtual router exports routes to other virtual routers2. These exported routes are for zones with interfaces in Route mode. When you define the operational mode of an interface for a security zone in the trust-vr routing domain as Route, an entry is automatically added to the untrust-vr routing table. To enable route exporting for trust-vr, do either of the following:

:HE8,
Routing >> Virtual Router >> Edit (for trust-vr): Select the Route Export check box, and then click OK.

&/,
set vrouter trust-vr auto-route-export To disable route exporting for trust-vr, do either of the following:

:HE8,
Routing >> Virtual Router >> Edit (for trust-vr): Clear the Route Export check box, and then click OK.

&/,
unset vrouter trust-vr auto-route-export If the operational mode of an interface for a security zone in the trust-vr routing domain is NAT, and if you have configured a MIP or VIP on that interface to receive incoming traffic from a source in the untrust-vr routing domain, then you must create a route to the MIP or VIP in untrust-vr that points to trust-vr as the gateway.

2.

By default, route exporting is enabled on trust-vr.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 5RXWHUV

5RXWH 7DEOH &RQILJXUDWLRQ

5287( 7$%/( &21),*85$7,21


The route table provides information that helps the virtual router direct traffic to different interfaces3 and subnets. You need to define static routes for conditions such as the following: If the Trust zone interface or a user-defined interface is on a subnet with more than one router leading to other subnets, you must define static routes that specify which router to use when forwarding traffic destined for those subnets. If the Untrust zone interface is on a subnet with more than one router leading to multiple Internet connections, you must define static routes that specify which router to use for forwarding traffic to specific ISPs. You must define static routes that direct management traffic originating from the device itself (as opposed to user traffic traversing the firewall). For example, you need to define static routes directing syslog, SNMP, OneSecure, and WebTrends messages to the administrators address, authentication requests to the RADIUS, SecurID, and LDAP servers, and URL checks to the Websense server. Note: When the NetScreen device is in Transparent mode, you must define a static route for management traffic from the device even if the destination is on the same subnet as the device. This route is necessary to specify the interface through which to send traffic. For outbound VPN traffic when there is more than one outgoing interface, you need to set a route for directing the outbound traffic through the desired interface to the external router.

([DPSOH 5RXWH 7DEOH &RQILJXUDWLRQ


In the following example, a NetScreen device operating in NAT mode protects a multilevel network. There is both local and remote management (via NetScreen-Global PRO). SNMP traps and syslog reports are sent to the local administrator, located on a network in the Trust zone, while NetScreen-Global PRO reports are sent to the remote administrator, located on a network in the Untrust zone. A SecurID server in the DMZ zone is used to authenticate users, and a Websense server in the Trust zone performs URL blocking.
3. When you set the interface IP addresses for a NetScreen device in NAT mode, the route table automatically creates static routes for traffic traversing the interfaces.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 5RXWHUV

5RXWH 7DEOH &RQILJXUDWLRQ

There must be statements in the Trust-VR and Untrust-VR routing tables specifying the destination network address 4 and netmask, and the gateway IP address and interface through which the NetScreen device directs traffic to the following destinations:

8QWUXVW95
1. 2. 3. 4. Default gateway to the Internet Remote administrator in the 3.3.3.0/24 subnet The 2.2.40.0/24 subnet in the DMZ zone The 2.20.0.0/16 subnet in the DMZ zone

7UXVW95
5. 6. 7. 8. Untrust-VR for all addresses not found in the Trust-VR The 10.10.0.0/16 subnet in the Trust zone The 10.20.0.0/16 subnet in the Trust zone The 10.30.1.0/24 subnet in the Trust zone Note: The following example assumes that you have already bound ethernet1 to the Trust zone, ethernet2 to the DMZ zone, and ethernet3 to the Untrust zone. The interface IP addresses are 10.1.1.1/24, 2.2.10.1/24, and 2.2.2.1/24 respectively.

4.

For each route table entry, there is also metric statement of either 0 or 1. This parameter specifies the priority of the route; that is, when there are multiple route entries for the same subnet in the route table, the NetScreen device uses the one with the lowest metric value. All route table entries that are automatically created when you enter the interface, subinterface, and tunnel interface addresses have a value of 0, and any user-defined routes have a default metric value of 1.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 5RXWHUV

5RXWH 7DEOH &RQILJXUDWLRQ

Untrust Zone Internet 1

Remote Management NetScreen-Global PRO 3.3.3.10/32

= Router = Switch/Hub

3.3.3.0/24

Untrust-VR

5 Route Redistribution NetScreen

200.20.2.2/24 2.2.2.2/24 2.2.2.0/24

3.3.3.1/24 2.2.2.3/24 2.2.10.0/24

DMZ Zone
2.2.10.3/24 2.20.30.1/24

10.1.1.0/24 10.1.1.2/24 10.10.30.1/24 10.10.40.1/24 10.1.1.4/24 10.30.1.1/24 10.1.1.3/24 8 10.20.1.1/24 10.30.1.0/24 Websense Server 10.30.4.7/32

2.2.10.2/24 2.2.40.1/24

4
2.20.30.0/24 2.20.30.2/24 2.20.3.1/24 2.20.4.1/24 2.20.4.0/24

2.2.40.0/24 SecurID Server 2.2.45.7/32

6
10.10.30.0/24

10.10.40.0/24

7
10.20.1.0/24

2.20.3.0/24

Local Management 10.10.30.5/32

10.20.1.2/24 10.20.3.1/24 10.20.4.1/24 10.20.3.0/24

Trust-VR

10.20.4.0/24

Trust Zone

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 5RXWHUV

5RXWH 7DEOH &RQILJXUDWLRQ

:HE8,
8QWUXVW95
1. Routing >> Route Table >> New Entry: Enter the following to create the untrusted default gateway, and then click OK: Virtual Router Name: untrust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway: (select) Interface: ethernet3(untrust-vr) Gateway IP Address: 2.2.2.2 2. Routing >> Route Table >> New Entry: Enter the following to direct system reports generated by the NetScreen device to remote management, and then click OK: Virtual Router Name: untrust-vr Network Address: 3.3.3.0 Netmask: 255.255.255.0 Gateway: (select) Interface: ethernet3(untrust-vr) Gateway IP Address: 2.2.2.2 3. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust-vr Network Address: 2.2.40.0 Netmask: 255.255.255.0 Gateway: (select)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 5RXWHUV

5RXWH 7DEOH &RQILJXUDWLRQ

Interface: ethernet2(untrust-vr) Gateway IP Address: 2.2.10.2 Interface: DMZ 4. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust-vr Network Address: 2.20.0.0 Netmask: 255.255.0.0 Gateway: (select) Interface: ethernet2(untrust-vr) Gateway IP Address: 2.2.10.3 Interface: DMZ

7UXVW95
5. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: trust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Next Hop Virtual Router Name: (select), untrust-vr 6. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: trust-vr Network Address: 10.10.0.0 Netmask: 255.255.0.0 Gateway: (select) Interface: ethernet1(trust-vr) Gateway IP Address: 10.1.1.2

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 5RXWHUV

5RXWH 7DEOH &RQILJXUDWLRQ

7.

Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: trust-vr Network Address: 10.20.0.0 Netmask: 255.255.0.0 Gateway: (select) Interface: ethernet1(trust-vr) Gateway IP Address: 10.1.1.3

8.

Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: trust-vr Network Address: 10.30.1.0 Netmask: 255.255.255.0 Gateway: (select) Interface: ethernet1(trust-vr) Gateway IP Address: 10.1.1.4 Note: To modify a route table entry, click Edit under the Configure section for the entry you want to modify. The Route Table Configuration dialog box for that entry opens. Make your changes and click OK. To remove an entry, click Remove. A System Message appears prompting you to confirm the removal. Click Yes to proceed, or No to cancel the action.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 5RXWHUV

5RXWH 7DEOH &RQILJXUDWLRQ

&/,
1. 2. 3. 4. 5. 6. 7. 8. set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3 gateway 2.2.2.2 set vrouter untrust-vr route 3.3.3.0/24 interface ethernet3 gateway 2.2.2.3 set vrouter untrust-vr route 2.2.40.0/24 interface ethernet2 gateway 2.2.10.2 set vrouter untrust-vr route 2.20.0.0/16 interface ethernet2 gateway 2.2.10.3 set vrouter trust-vr route 10.10.0.0/16 interface ethernet1 gateway 10.1.1.2 set vrouter trust-vr route 10.20.0.0/16 interface ethernet1 gateway 10.1.1.3 set vrouter trust-vr route 10.30.1.0/24 interface ethernet1 gateway 10.1.1.4 save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 5RXWHUV

5RXWH 7DEOH &RQILJXUDWLRQ

([DPSOH 6HWWLQJ D 5RXWH IRU 7UDIILF WKURXJK D 7XQQHO ,QWHUIDFH


In this example, a trusted host is in a different subnet than the trusted interface. It is an FTP server that receives inbound traffic through a VPN tunnel. You need to set a route to direct traffic exiting the tunnel interface to the internal router leading to the subnet where the server is located.
Trust Interface ethernet1 10.20.1.1/24 Trust Zone Internet VPN Tunnel Tunnel.1 10.30.1.1/24 Router 210.20.1.2/24 10.20.2.0/24 Untrust Interface ethernet3 210.20.1.1/24 FTP Server (MIP): 210.30.1.2 > 10.20.2.2 Untrust Zone

:HE8,
1. Routing >> Route Table >> New Entry: Enter the following, and then click Apply: Virtual Router Name: trust-vr Network Address: 210.30.1.2 Netmask: 255.255.255.255 Gateway: (select) Interface: tunnel.1 Gateway IP Address: 0.0.0.0 Note: For tunnel.1 to appear in the Interface drop-down list, you must first create the tunnel.1 interface.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 5RXWHUV

5RXWH 7DEOH &RQILJXUDWLRQ

2.

Routing >> Route Table >> New Entry: Enter the following, and then click Apply: Virtual Router Name: trust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Next Hop Virtual Router name: (select), untrust-vr

3.

Routing >> Route Table >> New Entry: Enter the following, and then click Apply: Virtual Router Name: untrust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway: (select) Interface: ethernet3 Gateway IP Address: 210.20.1.2

&/,
1. 2. 3. 4. set vrouter trust-vr route 10.20.2.2/32 interface tunnel.1 set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3 gateway 210.20.1.2 save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 5RXWHUV

5RXWH 7DEOH &RQILJXUDWLRQ

1HW6FUHHQ &RQFHSWV

([DPSOHV



8uhr'

%XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V


Addresses on page 196 Address Book Entries on page 197 Address Groups on page 199 Virtual IP on page 204 VIP and the Global Zone on page 206 Users on page 209 Dialup User Groups on page 217 Group IKE ID on page 220 Services on page 223 H.323 Protocol for Voice-over-IP on page 227 Service Groups on page 241 Schedules on page 245

This chapter discusses the concepts common to access policies and Virtual Private Networks (VPNs). The specific topics discussed are:

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

$GGUHVVHV

$''5(66(6
The NetScreen ScreenOS classifies the addresses of all other devices by location and netmask. Each zone possesses its own list of addresses and address groups. Individual hosts have only a single IP address defined and are represented by a single computer icon in the WebUI. Individual hosts must have a netmask setting of 255.255.255.255 (which masks out all but this host). Subnets have an IP address and a netmask (for example, 255.255.255.0 or 255.255.0.0) and are represented by multiple computer icons in the WebUI. Before you can configure access policies to permit, deny, or tunnel traffic to and from individual hosts and subnets, you must make entries for them in the NetScreen address book.

Note: You do not have to make address book entries for Any. This term automatically applies to all devices physically located within their respective zones.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

$GGUHVVHV

$GGUHVV %RRN (QWULHV


Before you can set up many of the NetScreen firewall, VPN, and traffic shaping features, you need to define addresses in the address book. The address book contains the IP addresses or domain names1 of hosts or subnets whose traffic is either allowed, blocked, encrypted, or user-authenticated.

([DPSOH $GGLQJ $GGUHVVHV


In this example, you add the subnet Santa Clara Eng with the IP address 192.10.10.0/24 as an address in the Trust zone, and the address www.firenet.com as an address in the Untrust zone.

:HE8,
1. Address >> Address >> New Address: Enter the following information, and then click OK: Address Name: Santa Clara Eng IP Address/Domain Name: 192.10.10.0 Netmask: 255.255.255.0 Zone: Trust (select) 2. Address >> Address >> New Address: Enter the following information, and then click OK: Address Name: FireNet IP Address/Domain Name: www.firenet.com Netmask: 255.255.255.255 Zone: Untrust (select)

1.

Before you can use domain names for address book entries, you must configure the NetScreen device for Domain Name System (DNS) services. For information on DNS configuration, see Domain Name System Support on page 82.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

$GGUHVVHV

&/,
1. 2. 3. set address trust Santa Clara Eng 192.10.10.0 255.255.255.0 set address untrust www.firenet.com 255.255.255.255 save

([DPSOH 0RGLI\LQJ $GGUHVVHV


In this example, you change the address entry for the host Santa Clara Eng to reflect that this host has moved to Dallas and reassigned an IP address of 192.10.40.0/24.

:HE8,
Address >> Address >> Edit (for Santa Clara Eng): Change the name and IP address to the following, and then click OK: Address Name: Dallas Eng IP Address/Domain Name: 192.10.40.0

&/,
1. 2. 3. unset address trust Santa Clara Eng set address trust Dallas Eng 192.10.40.0 255.255.255.0 save

Note: After you define an addressor an address groupand associate it with an access policy, you cannot change the address location to another zone (such as from Trust to Untrust). To change its location, you must first disassociate it from the underlying access policy.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

$GGUHVVHV

([DPSOH 'HOHWLQJ $GGUHVVHV


In this example, you remove the address entry for the subnet Dallas Eng.

:HE8,
Address >> Address: Click Remove in the Configure column for Dallas Eng.

&/,
1. 2. unset address trust Dallas Eng save

$GGUHVV *URXSV
The previous section explained how you create, modify, and delete address book entries for individual hosts and subnets. As you add addresses to the address book, it becomes difficult to manage how access policies affect each address entry. NetScreen allows you to create groups of addresses. Rather than manage a large number of address book entries, you can manage a small number of groups. Changes you make to the group are applied to each address entry in the group.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

$GGUHVVHV

1 Access Policy per Address

1 Access Policy per Address Group

The address group option has the following features: You can create address groups in any zone. You can create address groups with existing users, or you can create empty address groups and later fill them with users. An address group entry can be used like an individual address book entry. NetScreen applies access policies to each member of the group by creating individual access policies for each group member. While you only have to create one access policy for a group, NetScreen actually creates an access policy for each member in the group (as well as for each service configured for each user).2 When an individual address book entry is deleted from the address book, it is also removed from all groups in which it was referenced.

2.

The automatic nature by which the NetScreen device applies access policies to each address group member, saves you from having to create them one by one for each address. Furthermore, NetScreen writes these access policies to ASIC which makes lookups run very fast.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

$GGUHVVHV

The following constraints apply to address groups: Address groups can only contain addresses that belong to the same zone. Address names cannot be the same as group names. If the name Paris is used for an individual address entry, it cannot be used for a group name. If an address group is referenced in an access policy, the group cannot be removed. It can, however, be edited. When a single access policy is assigned to an address group, it is applied to each group member individually, and the NetScreen device makes an entry for each member in the access control list (ACL). If you are not vigilant, it is possible to exceed the number of available access policy resources, especially if both the source and destination are address groups. You cannot add the predefined addresses: Any, All Virtual IPs, and Dial-Up VPN to groups.

([DPSOH &UHDWLQJ DQ $GGUHVV *URXS


In the following example, you create a group named HQ 2nd Floor that includes Santa Clara Eng and Tech Pubs, two addresses that you have already entered in the address book for the Trust zone.

:HE8,
1. Addresses >> Address >> Group (under the New column, for the zone in which you want to add the address group): Enter the following group name, move the following addresses, and then click OK: Group Name: HQ 2nd Floor Group Members << Available Members: Santa Clara Eng, Tech Pubs

&/,
1. 2. 3. set group address trust HQ 2nd Floor add Santa Clara Eng set group address trust HQ 2nd Floor add Tech Pubs save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

$GGUHVVHV

([DPSOH (GLWLQJ D *URXS $GGUHVV (QWU\


In this example, you add Support (an address that you have already entered in the address book) to the HQ 2nd Floor address group.

:HE8,
Addresses >> Address >> Group (for the zone in which the group is located) >> Edit (for HQ 2nd Floor): Move the following address, and then click OK: Group Members << Available Members: Support

&/,
1. 2. set group address trust HQ 2nd Floor add Support save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

$GGUHVVHV

([DPSOH 5HPRYLQJ DQ $GGUHVV *URXS 0HPEHU DQG D *URXS


In this example, you remove the member Support from the HQ 2nd Floor address group, and delete Sales, an address group that you had previously created.

:HE8,
1. Addresses >> Address >> Group (for the zone in which the group is located) >> Edit (HQ 2nd Floor): Move the following address, and then click OK: Group Members >> Available Members: Support 2. Addresses >> Address >> Group (for the zone in which the group is located): Click Remove in the Configure column for Sales.

&/,
1. 2. 3. unset group address trust HQ 2nd Floor remove Support unset group address trust Sales save

Note: The NetScreen device does not automatically delete a group from which you have removed all names.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

9LUWXDO ,3

9,578$/ ,3
A VIP uses the destination port number in the incoming packet header to distinguish it from other kinds of traffic and route it to the appropriate host on a network within any zone. As seen below, all incoming traffic is destined for IP address 209.122.17.3, but the destination port numbers dictate the host in the Trust zone to which the NetScreen device then routes this traffic. The mail server at 172.16.10.251 receives traffic for port 25 (SMTP), the Web server at 172.16.10.252 receives traffic for port 80 (HTTP), and the FTP server at 172.16.10.253 receives traffic for port 21 (FTP).
Untrust Zone Trust Zone Mail Server 172.16.10.251 FTP Server 172.16.10.253

Internet

IP Packet In IP Header: 209.122.17.3/ Port 25

IP Packet Destination: Mail Server

LAN

Web Server 172.16.10.252

Virtual IP Routing Table IP in Untrust Zone 209.122.17.3 209.122.17.3 209.122.17.3 . . . Port 25 (SMTP) 80 (WWW) 21 (FTP) . . . . . . IP in Trust Zone 172.16.10.251 172.16.10.252 172.16.10.253 . . .

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

9LUWXDO ,3

You can also use virtual port numbers for well-known services to increase security. For example, if you only want to allow employees at a branch office to have access to the FTP server at the corporate site, you can specify a registered port number from 1024 to 65,535 as the port number for incoming FTP traffic. Any traffic attempting to reach the FTP server at its well-known port number of 21 is denied. Only those who know the virtual port number in advance and append it to the packet header can gain access. You need the following information to define a Virtual IP: The IP address for the VIP, which must be in the same subnet as the interface of the zone from which traffic is originating The IP addresses for the servers that process the requests

Note: You can only create a virtual IP for the Untrust zone. The Virtual IP (VIP) feature provides network flexibility and security. In a Network Address Translation (NAT) environment, host computers use non-routable IP addresses inside the firewall while maintaining full Internet connection and functionality. This feature gives network administrators flexibility to expand their networks without being constrained by the scarcity of legal IP addresses. In addition, NAT also provides better network security by hiding internal network topology and host information from the outside world. However, to maintain some Internet services (for example, e-mail, POP3, FTP), a server with a legal IP address must be present to service the requests. VIP allows you to map routable IP addresses to internal servers, thereby providing transparent connections for a NAT network to the Internet. Other benefits of using VIP include: Scalability: As Internet service demand increases, companies need to improve servers performance in order to maintain the quality of their services. While upgrading the server to a larger, faster machine generally relieves the short-term pressures, the disruption to services and the prohibitive cost of upgrading quickly make this solution undesirable. Reduction in capital cost: Multiple domains and Web servers can be mapped to the same physical server, thus reducing the cost of computer equipment as well as the associated administration tasks.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

9LUWXDO ,3

9,3 DQG WKH *OREDO =RQH


Setting a VIP for an interface in the Untrust zone generates an entry in the Global zone address book. The Global zone address book keeps all the VIPs of all interfaces, regardless of the zone to which the interface belongs. You can use these VIP addresses as the destination addresses in access policies between any two zones.

([DPSOH &RQILJXULQJ 9LUWXDO ,3 6HUYHUV


In this example, you configure a VIP at 2.2.2.20 to route inbound HTTP traffic to a pool of two Web servers at 172.16.12.10 and 172.16.12.11. (The IP address of the NetScreen device in the Untrust zone is 2.2.2.10/24.) The port number for HTTP is translated from 80 (the standard protocol ID number) to 1142.
Untrust Zone

Untrust Interface 2.2.2.10/24

Trust Interface 172.16.12.1/24

172.16.12.10 Service: HTTP

Trust Zone

VIP: 2.2.2.20 Internet


LAN

172.16.12.11 Service: FTP Virtual Port: 1142

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

9LUWXDO ,3

:HE8,
1. 2. Interfaces >> Physical >> VIP (for ethernet3) >> New Entry: Enter the following address, and then click OK: Virtual IP Address: 2.2.2.20 Interfaces >> Physical >> VIP (for ethernet3) >> Services >> New Entry: Enter the following, and then click OK: Virtual Port: 80 Map to Service: HTTP Map to IP: 172.16.12.10 3. Interfaces >> Physical >> VIP (for ethernet3) >> Services >> New Entry: Enter the following, and then click OK: Virtual Port: 11423 Map to Service: FTP Map to IP: 172.16.12.11

&/,
1. 2. 3. set interface ethernet3 vip 2.2.2.20 80 http 172.16.12.10 set interface ethernet3 vip 2.2.2.20 1142 ftp 172.16.12.11 save

3.

Using non-standard port numbers adds another layer of security, thwarting attacks that check for services at standard port numbers.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

9LUWXDO ,3

([DPSOH (GLWLQJ D 9,3 &RQILJXUDWLRQ


In this example, you modify the Virtual IP server configuration you just created. In this case, you specify the virtual port number 2211 for HTTP traffic.

:HE8,
Interfaces >> Physical >> VIP (for ethernet3) >> Services >> Edit (in the HTTP row): Enter the following, and then click OK: Virtual Port: 2211

&/,
1. 2. set interface ethernet3 vip 2.2.2.20 2211 http 172.16.12.10 save

([DPSOH 5HPRYLQJ D 9,3 &RQILJXUDWLRQ


In this example, you delete the VIP configuration that you just created and modified.

:HE8,
Interfaces >> Physical >> VIP (for ethernet3): Click Remove for the appropriate VIP.

&/,
1. 2. unset interface ethernet3 vip 2.2.2.20 save

Note: You cannot edit or remove a Virtual IP entry when existing access policies are still associated with it.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

8VHUV

86(56
NetScreen supports four kinds of users: Authentication User A network user who must provide a user name and password for authentication when initiating a connection across the firewall. IKE User A remote VPN user with a dynamically assigned IP address. The user provides his or her identity using an e-mail address, an IP address, a domain name, or ASN1-DN. The VPN can use either AutoKey IKE with a preshared key or AutoKey IKE with a certificate. It is often impractical to create separate user definitions for every host that uses a NetScreen device. In such circumstances, you can make one user definition available to any host with a local certificate containing a specified value in a distinguished name field. This technique is known as Group IKE ID. For more information, refer to Dialup User Groups below. L2TP User A remote user whose IP address a NetScreen device assigns from a pool of addresses via Point-to-Point Protocol (PPP). The NetScreen device communicates with the remote user through PPP frames encapsulated in L2TP frames. Manual Key User A remote VPN user with a dynamically assigned IP address. The VPN uses the manual key method for encryption and/or IPSec authentication.

You can also combine the first three kinds of usersAuthentication, IKE, L2TPto create the following four combinations, referred to later in this chapter as multiple-type users: Auth/IKE User The remote VPN user uses one term for its network authentication password (which must be one word, alphanumeric, with no symbols), and another term (which can be an e-mail address, IP address, domain name, or ASN1-DN) for its IKE identity. Auth/L2TP User The remote user uses the same password for network and L2TP authentication. Auth/IKE/L2TP User The remote VPN user uses the same password for network and L2TP authentication, and another to verify its IKE identity. IKE/L2TP User The remote VPN user uses one term for its L2TP authentication password, and another term for its IKE identity.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

8VHUV

Before traffic from an authentication user can traverse the firewall, and before a remote user can participate in a VPN, you must create a configuration profile for each one. Note: For more information on creating VPNs, see Policy-Based VPNs on page 381, and Routing-Based VPNs on page 311.

([DPSOH &UHDWLQJ 6LQJOH7\SH 8VHUV


In this example, you create the following four kinds of users: authentication, IKE, Manual Key, and L2TP. Alice: An authentication user with the password Cwb6yooN214 Bob: An IKE user with the ID bob@netscreen.com Christine: An L2TP user with password Mgh13s1N. The NetScreen device assigns the default L2TP settings to Christines computer. Dan: A Manual Key VPN dialup user, who is assigned to the dialup user group Western and uses 3DES encryption with SHA-1 authentication

4.

Instead of using actual words for passwords, which might be guessed or discovered through a dictionary attack, you can use an apparently random string of letters and numbers. To create such a string that you can easily remember, compose a sentence and use the first letter from each word. For example, Charles will be 6 years old on November 21 becomes Cwb6yooN21.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

8VHUV

:HE8,
$XWK 8VHU
1. Users >> Users >> New Auth/IKE/L2TP User: Enter the following, and then click OK: User Name: Alice Status: Enable (select) Authentication User: (select) User Password: Cwb6yooN21 Confirm Password: Cwb6yooN21

,.( 8VHU
2. Users >> Users >> New Auth/IKE/L2TP User: Enter the following, and then click OK: User Name: Bob Status: Enable (select) IKE User: (select) Simple Identity: (select) IKE Identity: bob@netscreen.com

/73 8VHU
3. Users >> Users >> New Auth/IKE/L2TP User: Enter the following, and then click OK: User Name: Christine Status: Enable (select) L2TP User: (select) User Password: Mgh13s1N Confirm Password: Mgh13s1N

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

8VHUV

0DQXDO .H\ 8VHU


4. Users >> Users >> New Manual Key User: Enter the following, and then click OK: User Name: Dan User Group: Western Security Index: 1000 (Local); 1001 (Remote) Outgoing Interface: ethernet 1/2 ESP: (select) ESP-Encryption-Algorithm: 3DES-CBC Generate Key by Password: W1goAciM32 Authentication Algorithm: SHA-1 Generate Key by Password: TmoR104iVs

&/,
$XWK 8VHU
1. set user Alice password Cwb6yooN215

,.( 8VHU
2. set user Bob ike-id u-fqdn bob@netscreen.com

/73 8VHU
3. 4.
5. 6.

set user Christine password Mgh13s1N set user Christine type l2tp6

When you create a user through the CLI, the user is enabled by default. Note that an L2TP user requires a password to be enabled. If you enter these two commands in the reverse order (that is, set user Christine type l2tp and then set user Christine password Mgh1321N) the user type automatically becomes AUTH/L2TP.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

8VHUV

0DQXDO .H\ 8VHU


5. 6. set user Dan dialup 1000 1001 esp 3des pass W1goAciM32 auth sha-1 pass TmoR104iVs save

([DPSOH &UHDWLQJ 0XOWLSOH7\SH 8VHUV


In this example, you create the following multiple-type users by combining authentication user, IKE user, and L2TP user attributes: Elly: An Auth/IKE user with the password T2iF273d and the IKE identity 190.2.2.1 Fred: An Auth/L2TP user with the password G84t2m13. The NetScreen device assigns the default L2TP settings to Freds computer except for his IP address, which comes from the IP pool castle. Grace: An Auth/IKE/L2TP user with the password 56mc2Wed and the IKE identity www.netscreen.com Harry: An IKE-L2TP user with the password Qbls462R and the IKE identity harry@ha.com. Harry gets his address from the IP pool wizard and uses DNS servers 204.11.2.3 (primary) and 204.11.2.8 (secondary).

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

8VHUV

:HE8,
$XWK,.( 8VHU
1. Users >> Users >> New Auth/IKE/L2TP User: Enter the following, and then click OK: User Name: Elly Status: Enable (select) IKE User: (select) Simple Identity: (select) IKE Identity: 190.2.2.1 Authentication User: (select) User Password: T2iF273d Confirm Password: T2iF273d

$XWK/73 8VHU
2. Users >> Users >> New Auth/IKE/L2TP User: Enter the following, and then click OK: User Name: Fred Status: Enable (select) Authentication User: (select) L2TP User: (select) Password: G84t2m13 Confirm Password: G84t2m13 L2TP Remote Settings: IP Pool (select); castle

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

8VHUV

$XWK,.(/73 8VHU
3. Users >> Users >> New Auth/IKE/L2TP User: Enter the following, and then click OK: User Name: Grace Status: Enable (select) IKE User: (select) Simple Identity: (select) IKE Identity: www.netscreen.com Auth User: (select) L2TP User: (select) User Password: 56mc2Wed Confirm Password: 56mc2Wed

,.(/73 8VHU
4. Users >> Users >> New Auth/IKE/L2TP User: Enter the following, and then click OK: User Name: Harry Status: Enable (select) IKE User: (select) Simple Identity: (select) IKE Identity: harry@ha.com L2TP User: (select) User Password: Qbls462R

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

8VHUV

Confirm Password: Qbls462R L2TP Remote Settings: IP Pool (select): wizard Primary DNS IP: 204.11.2.3 Secondary DNS IP: 204.11.2.8

&/,
$XWK,.( 8VHU
1. 2. set user Elly password T2iF273d set user Elly ike-id ip 190.2.2.1

$XWK/73 8VHU
3. 4. 5. set user Fred password G84t2m13 set user Fred type auth l2tp set user Fred remote-settings ippool castle

$XWK,.(/73 8VHU
6. 7. 8. set user Grace password 56mc2Wed set user Grace ike-id fqdn www.netscreen.com set user Grace type auth ike l2tp

,.(/73 8VHU
9. 10. 11. 12. set user Harry password Qbls462R set user Harry ike-id u-fqdn harry@ha.com set user Harry type ike l2tp set user Harry remote-settings ippool castle

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

8VHUV

13. set user Harry remote-settings dns1 204.11.2.3 14. set user Harry remote-settings dns2 204.11.2.8 15. save

'LDOXS 8VHU *URXSV


VPNs allow remote dialup users to traverse firewalls from anywhere in the world and access data in a secure environment. A VPN tunnel connection from a dialup user to a corporate site assures security as well as access.
1 Access Policy per VPN Dialup User 1 Access Policy per VPN Dialup User Group

To manage a number of remote dialup users, NetScreen enables you to create dialup user groups. Rather than manage each user individually, you can aggregate users into a group. Changes you make to the group are then propagated to each group member. The examples that follow illustrate how to create new dialup user groups and then add users to it. Other examples show how to remove members from a group, move members from one group to another, and delete a group.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

8VHUV

([DPSOH 'HILQLQJ D 1HZ 'LDOXS 8VHU *URXS DQG $GGLQJ D 0HPEHU


In this example, you define a new remote IKE/L2TP dialup user group named Tahoe. You then add an IKE user named Bob to the group.

:HE8,
1. 2. 3. 4. 5. 6. Users >> Dialup Group >> New Group. Group Name: Tahoe. Group Type: IKE/L2TP. Click Add Members. Select Bob from the Available Members column, and then click << to move your selection to the Group Members column. Click OK. Note: To add a user to the group later, you can do either of the following: Users >> Users >> Edit (Bob): Select Tahoe from the User Group drop-down list, and then click OK. Users >> Dialup Group >> Edit (Tahoe): Select Bob from the Available Members column, click <<, and then click OK

&/,
1. 2. set dialup-group Tahoe + Bob save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

8VHUV

([DPSOH 5HPRYLQJ D *URXS 0HPEHU


In this example, you remove Bob from the Tahoe dialup user group.

:HE8,
Users >> Dialup Group >> Edit (for Tahoe): Select Bob in the Group Members column, click >> to move Bob to the Available Members column, and then click OK. Note: You can also remove Fred from the group as follows: Users >> Users >> Edit (for Bob): In the User Group drop-down list, select None, and then click OK.

&/,
1. 2. set dialup-group Tahoe - Bob save

([DPSOH 0RYLQJ D *URXS 0HPEHU WR $QRWKHU *URXS


In this example, you move Bob from the group Tahoe to the group Santa Cruz.

:HE8,
Users >> Users >> Edit (for Bob): In the User Group drop-down list, select Santa Cruz, and then click OK.

&/,
1. 2. 3. set dialup-group Tahoe - Bob set dialup-group Santa Cruz + Bob save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

8VHUV

([DPSOH 5HPRYLQJ D *URXS


In this example, you delete the dialup group Tahoe.

:HE8,
Users >> Dialup Group: Click Remove (for Tahoe).

&/,
1. 2. unset dialup-group Tahoe save

*URXS ,.( ,'


Some organizations have many hosts that need to exchange traffic through a single NetScreen device. For example, a Marketing department might have hundreds of users, each requiring secure Internet communication through a NetScreen device. With so many users, it is impractical to create a separate user definition for each host machine. To avoid this difficulty, the Group IKE ID method makes one user definition available to multiple hosts. This user definition applies to all hosts having certificates with specified values in the distinguished name (DN). In the following example, a users certificate has Organization=ACME and OU=Marketing in the distinguished name: Country =US State=CA Location =Santa Clara Organization =ACME OU=Marketing CN=Michael Zhang CN=a2010002

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

8VHUV

CN=ns500 CN=(408) 555-7800 CN=rsa-key CN=10.10.5.44 Using Group IKE ID, you can configure a user definition to automatically accept tunnel connections from any host having such a certificate. The hosts can establish secure communication through the NetScreen device, without a separate user definition for each host. Because these users have valid, non-revoked certificates containing the necessary distinguished name values, authentication of these users is implicit. Note: It is impossible to use Group IKE ID while using a Preshared Key.

([DPSOH 'HILQLQJ D 8VHU 'HILQLWLRQ WR 8VH *URXS ,.( ,'


In this example, you create a new user definition named Market_Dept, and configure it to concurrently accept tunnels from up to 10 hosts having certificates that match specific distinguished name fields. This user definition recognizes any host with a certificate containing Organization=ACME and OU=Marketing in the O and OU fields respectively. Note: The user in this example must be in a dial-up group, and must setup the VPN gateway using this dial-up group.

:HE8,
1. Users >> Users >> New Auth/IKE/L2TP User: Enter the following, then click OK: User Name: Market_Dept Status: Enable IKE User: Enabled Numbers of Multiple Login with same ID: 10 2. Select the Use Distinguished Name For ID radio button. This displays the distinguished name fields for the certificate.
([DPSOHV 

1HW6FUHHQ &RQFHSWV

&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

8VHUV

3. 4. 5.

Enter ACME in the Organization field. Enter Marketing in the OU field. Click OK.

&/,
set user marketing ike-id asn1-dn wildcard o=ACME,ou=Marketing share-limit 10 Note: This command is only applicable to systems that use IKE dial-up

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

6(59,&(6
Services are types of IP traffic for which protocol standards exist. Each service has a port number associated with it, such as 21 for FTP and 23 for Telnet. This section is meant as a brief overview of services available, and does not cover each one of them in depth except for H.323 Protocol for Voice-over-IP on page 227. The illustration below shows the services supported in this version of ScreenOS. For information on each service, hold your cursor over the service icon. In this illustration, the mouseover information block is displayed for X-Windows.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

When you create an access policy, you must specify a service for it. You can select one of the pre-configured services from the service book, or a custom service or service group that you created. You can see which service you can use in an access policy by examining the Service drop-down List in the Policy Configuration dialog box (WebUI), or by using the get service command (CLI). The following section provides examples for viewing the service book and for creating, modifying, and deleting custom services.

([DPSOH 9LHZLQJ WKH 6HUYLFH %RRN


In this example, you view the predefined and custom services in the service book.

:HE8,
1. 2. Services >> Pre-defined Services >> Custom

&/,
get service The output from the CLI is similar to that shown below. Individual Services:
Name ANY AOL BGP Proto Port 0 6 6 0/65535 5190/5194 179 67 53 79 Group other remote other Timeout Flag 0 0 0 Pre-defined Pre-defined Pre-defined Pre-defined Pre-defined Pre-defined

DHCP-Relay 17 DNS FINGER 17 6

info seeking 0 info seeking 0 info seeking 0

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

Name FTP FTP-Get FTP-Put GOPHER H.323 --- more ---

Proto Port 6 6 6 6 6 21 21 21 70 389

Group remote remote remote

Timeout Flag 0 0 0 Pre-defined Pre-defined Pre-defined Pre-defined Pre-defined

info-seeking 0 remote 0

([DPSOH $GGLQJ D &XVWRP 6HUYLFH


To add a custom service to the service book, you need the following information: A name for the service, in this example corp A range of internal port numbers valid for the service. For example, 1500-10000. A range of external port numbers to receive the service request; for example, 15000-25000. Whether the service uses TCP or UDP protocol, or some other protocol as defined by the Internet specifications. In this example, the protocol is TCP.

:HE8,
Services >> Custom >> New Service: Enter the following, and then click OK: Service Name: corp Source Port Low: 1500 Source Port High: 1500 Destination Port Low: 15000 Destination Port High: 15000 Transport: TCP (select)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

&/,
1. 2. 3. set service corp protocol tcp src-port 1500-1500 dst-port 15000-55000 set service corp timeout 307 save

([DPSOH 0RGLI\LQJ D &XVWRP 6HUYLFH


In this example, you change the custom service corp. In this case, the transport changes from TCP to UDP, and the source port range changes to 1 through 1000. Use the set service <name> clear command to remove the definition of a custom service without removing the service from the service book:

:HE8,
Services >> Custom >> New Service: Enter the following and then click OK: Service Name: corp Source Port Low: 1 Source Port High: 1000 Destination Port Low: 15000 Destination Port High: 15000 Transport: UDP (select)

&/,
1. 2. 3. set service corp clear set service corp protocol udp src-port 1-1000 dst-port 15000-15000 save

7.

The timeout value is in minutes. If you do not set it, the timeout value of a custom service is 180 minutes. If you do not want a service to timeout, enter never.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

([DPSOH 5HPRYLQJ D &XVWRP (QWU\


In this example, you remove the custom service corp.

:HE8,
Services >> Custom: Click Remove in the Configure column for corp.

&/,
1. 2. unset service corp save

+ 3URWRFRO IRU 9RLFHRYHU,3


To allow secure Voice-over-IP (VoIP) communication between terminal hosts, NetScreen devices support H.323 protocol. In such a telephony system, gatekeeper devices manage call registration, admission, and call status for VoIP calls. Gatekeepers can reside in the two different zones, or in the same zone.

Gatekeeper Allowed Trust Zone Allowed Endpoint

Gatekeeper

Internet Untrust Zone

Endpoint

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

([DPSOH *DWHNHHSHU LQ WKH 7UXVW =RQH 7UDQVSDUHQW RU 5RXWH 0RGH


In the following example, you set up two policies. Together, these policies allow H.323 traffic to pass between IP phone hosts and a gatekeeper in the Trust zone, and an IP phone host (209.16.2.2) in the Untrust zone. In this example, the NetScreen device can be in either Transparent mode or Route mode.
Trust Zone Untrust Zone

Gatekeeper Internet IP Phones

Endpoint

Endpoint

IP Phone 209.16.2.2

:HE8,
1. Address >> Address (under the New column for the Untrust zone): Enter the following, and then click OK: Address Name: IP_Phone IP Address/Domain Name: 209.16.2.2 Netmask:255.255.255.255 Zone: Untrust 2. Policies >> Policy (From Zone Trust, To Zone Untrust) New Policy: Enter the following, and then click OK: Source Address: Any Destination Address: IP_Phone Service: H.323 Action: Permit
1HW6FUHHQ &RQFHSWV ([DPSOHV 

&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

3.

Policies >> Policy (From Zone Untrust, To Zone Trust) New Policy: Enter the following, and then click OK: Source Address: IP_Phone Destination Address: Any Service: H.323 Action: Permit

&/,
1. 2. 3. 4. set address untrust IP_Phone 209.16.2.2/32 set policy from trust to untrust any IP_Phone h.323 permit set policy from untrust to trust IP_Phone any h.323 permit save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

([DPSOH *DWHNHHSHU LQ WKH 7UXVW =RQH 1$7 0RGH


When the NetScreen device is in NAT mode, a gatekeeper or endpoint device is said to be private when it resides on the trusted side, and public when it resides on the untrusted side. When you set a NetScreen device in NAT mode, you must map a public IP address to each private device. In this example, the devices in the Trust zone include the endpoint host (10.10.1.2/32) and the gatekeeper device (10.10.1.10/32). IP_Phone2 (200.20.1.2/32) is in the Untrust zone. You configure the NetScreen device to allow traffic between the endpoint host IP_Phone1 and the gatekeeper in the Trust zone and the endpoint host IP_Phone2 (210.10.1.2) in the Untrust zone.
Trust Zone ethernet1 10.10.1.1/24 Gatekeeper 10.10.1.10/32 ethernet3 210.10.1.1/24 Gateway 210.10.1.2 Untrust Zone

IP_Phone1 10.10.1.2/32

IP_Phone2 200.20.1.2/32

MIP 210.10.1.10 -> 10.10.1.10 MIP 210.10.1.2 -> 10.10.1.2

:HE8,
,QWHUIDFHV 6HFXULW\ =RQHV
1. Interfaces >> Physical >> Edit (for ethernet1): Enter the following, and then click Save: IP Address: 10.10.1.1 Netmask: 255.255.255.0 Zone Name: Trust Interface Mode: NAT
1HW6FUHHQ &RQFHSWV ([DPSOHV 

&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

2.

Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save: IP Address: 210.10.1.1 Netmask: 255.255.255.0 Zone Name: Untrust

$GGUHVVHV
3. Address >> Address (under the New column for the Trust zone): Enter the following, and then click OK: Address Name: IP_Phone1 IP Address/Domain Name: 10.10.1.2 Netmask: 255.255.255.255 Zone: Trust 4. Address >> Address (under the New column for the Trust zone): Enter the following, and then click OK: Address Name: Gatekeeper IP Address/Domain Name: 10.10.1.10 Netmask: 255.255.255.255 Zone: Trust 5. Address >> Address (under the New column for the Untrust zone): Enter the following, and then click OK: Address Name: IP_Phone2 IP Address/Domain Name: 200.20.1.2 Netmask: 255.255.255.255 Zone: Untrust

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

0DSSHG ,3 $GGUHVVHV
6. Interfaces >> MIP (for ethernet3) >> New Entry: Enter the following, and then click OK: Mapped IP Address: 210.10.1.2 Netmask: 255.255.255.255 Host IP Address: 10.10.1.2 Host Virtual Router Name: trust-vr 7. Interfaces >> MIP (for ethernet3) >> New Entry: Enter the following, and then click OK: Mapped IP Address: 210.10.1.10 Netmask: 255.255.255.255 Host IP Address: 10.10.1.10 Host Virtual Router Name: trust-vr

5RXWHV
8. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: trust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Hop Virtual Router Name: (select), untrust-vr 9. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway IP Address: 210.10.1.2 Interface: ethernet3

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

3ROLFLHV
10. Policies >> Policy (From Zone Trust, To Zone Untrust) >> New Policy: Enter the following, and then click OK: Source Address: IP_Phone1 Destination Address: Phone2 Service: H.323 Action: Permit 11. Policies >> Policy (From Zone Trust, To Zone Untrust) >> New Policy: Enter the following, and then click OK: Source Address: Gatekeeper Destination Address: Phone2 Service: H.323 Action: Permit 12. Policies >> Policy (From Zone Untrust, To Zone Trust) >> New Policy: Enter the following, and then click OK: Source Address: IP_Phone2 Destination Address: MIP(210.10.1.10) Service: H.323 Action: Permit 13. Policies >> Policy (From Zone Untrust, To Zone Trust) >> New Policy: Enter the following, and then click OK: Source Address: IP_Phone2 Destination Address: MIP(210.10.1.2) Service: H.323 Action: Permit

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

&/,
,QWHUIDFHV 6HFXULW\ =RQHV
1. 2. 3. 4. 5. set interface ethernet1 zone trust set interface ethernet1 ip 10.10.1.1/24 set interface ethernet1 nat set interface ethernet3 zone untrust set interface ethernet3 ip 210.10.1.1/24

$GGUHVVHV
6. 7. 8. set address trust IP_Phone1 10.10.1.2/32 set address trust gatekeeper 10.10.1.10/32 set address untrust IP_Phone2 200.20.1.2/32

0DSSHG ,3 $GGUHVVHV
9. set interface ethernet3 mip 210.10.1.2 host 10.10.1.2 10. set interface ethernet3 mip 210.10.1.10 host 10.10.1.10

5RXWHV
11. set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr 12. set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3 gateway 201.22.3.20

3ROLFLHV
13. set policy from trust to untrust IP_Phone1 IP_Phone2 h.323 permit 14. set policy from trust to untrust gatekeeper IP_Phone2 h.323 permit 15. set policy from untrust to trust IP_Phone2 mip(210.10.1.2) h.323 permit 16. set policy from untrust to trust IP_Phone2 mip (210.10.1.10) h.323 permit 17. save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

([DPSOH *DWHNHHSHU LQ WKH 8QWUXVW =RQH 7UXVW =RQH LQ 7UDQVSDUHQW RU 5RXWH 0RGH
Because Transparent mode and Route mode do not require address mapping of any kind, NetScreen device configuration for a gatekeeper on the untrusted side is usually identical to the configuration for a gatekeeper on the trusted side. In the following example, you set up two policies to allow H.323 traffic to pass between IP phone hosts (and the gatekeeper) on the trusted side, and the IP phone at IP address 209.16.2.2 on the untrusted side. The device can be in Transparent or Route mode.
Gatekeeper Trust Zone Untrust Zone Internet

IP_Phones

IP_Phone 209.16.2.2/32

:HE8,
1. Address >> Address (under the New column for the Untrust zone): Enter the following, and then click OK: Address Name: IP_Phone IP Address/Domain Name: 209.16.2.2 Netmask:255.255.255.255 Zone: Untrust

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

2.

Policies >> Policy (From Zone Trust, To Zone Untrust) >> New Policy: Enter the following, and then click OK: Source Address: Any Destination Address: IP_Phone Service: H.323 Action: Permit

3.

Policies >> Policy (From Zone Untrust, To Zone Trust) >> New Policy: Enter the following, and then click OK: Source Address: IP_Phone Destination Address: Any Service: H.323 Action: Permit

&/,
1. 2. 3. 4. set address untrust IP_Phone 209.16.2.2/32 set policy from trust to untrust any IP_Phone h.323 permit set policy from untrust to trust IP_Phone any h.323 permit save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

([DPSOH *DWHNHHSHU LQ WKH 8QWUXVW =RQH 7UXVW =RQH LQ 1$7 0RGH


In this example, the gatekeeper device (210.10.1.10/32) and host IP_Phone2 are in the Untrust zone and host IP_Phone1 is in the Trust zone. You configure the NetScreen device to allow traffic between host IP_Phone1 on the trusted side, and (and the gatekeeper) on the untrusted side.
ethernet1 10.10.1.1/24 NAT Mode ethernet3 210.10.1.1/24 Gateway 210.10.1.2

Trust Zone

Untrust Zone Internet

IP_Phone1 10.10.1.2/32

Gatekeeper 210.10.1.10/32

IP_Phone2 200.20.1.2/32

MIP 210.10.1.2 -> 10.10.1.2

:HE8,
,QWHUIDFHV 6HFXULW\ =RQHV
1. Interfaces >> Physical >> Edit (for ethernet1): Enter the following, and then click Save: IP Address: 10.10.1.1 Netmask: 255.255.255.0 Zone Name: Trust Interface Mode: NAT 2. Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save: IP Address: 210.10.1.1 Netmask: 255.255.255.0 Zone Name: Untrust

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

$GGUHVVHV
3. Address >> Address (under the New column for the Trust zone): Enter the following, and then click OK: Address Name: IP_Phone1 IP Address/Domain Name: 10.10.1.2 Netmask: 255.255.255.255 Zone: Trust 4. Address >> Address (under the New column for the Untrust zone): Enter the following, and then click OK: Address Name: Gatekeeper IP Address/Domain Name: 210.10.1.10 Netmask: 255.255.255.255 Zone: Untrust 5. Address >> Address (under the New column for the Untrust zone): Enter the following, and then click OK: Address Name: IP_Phone2 IP Address/Domain Name: 200.20.1.2 Netmask: 255.255.255.255 Zone: Untrust

0DSSHG ,3 $GGUHVV
6. Interfaces >> (Interface bound to Untrust zone >> MIP >> New Entry: Enter the following, and then click OK: Mapped IP Address: 210.10.1.2 Netmask: 255.255.255.255 Host IP Address: 10.10.1.2

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

5RXWHV
7. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: trust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Hop Virtual Router Name: (select), untrust-vr 8. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway IP Address: 210.10.1.2 Interface: ethernet3

3ROLFLHV
9. Policies >> Policy (From Zone Trust ,To Zone Untrust) >> New Policy: Enter the following, and then click OK: Source Address: IP_Phone1 Destination Address: IP_Phone2 Service: H.323 Action: Permit 10. Policies >> Policy (From Zone Trust ,To Zone Untrust) >> New Policy: Enter the following, and then click OK: Source Address: IP_Phone1 Destination Address: Gatekeeper Service: H.323 Action: Permit
1HW6FUHHQ &RQFHSWV ([DPSOHV 

&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

11. Policies >> Policy (From Zone Untrust, To Zone Trust) >> New Policy: Enter the following, and then click OK: Source Address: IP_Phone2 Destination Address: MIP(210.10.1.2) Service: H.323 Action: Permit 12. Policies >> Policy (From Zone Untrust, To Zone Trust) >> New Policy: Enter the following, and then click OK: Source Address: Gateway Destination Address: MIP(210.10.1.2) Service: H.323 Action: Permit

&/,
,QWHUIDFHV 6HFXULW\ =RQHV
1. 2. 3. 4. 5. set interface ethernet1 zone trust set interface ethernet1 ip 10.10.1.1/24 set interface ethernet1 nat set interface ethernet3 zone untrust set interface ethernet3 ip 210.10.1.1/24

$GGUHVVHV
6. 7. 8. set address trust IP_Phone1 10.10.1.2/32 set address untrust gatekeeper 210.10.1.10/32 set address untrust IP_Phone2 200.20.1.2/32

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

0DSSHG ,3 $GGUHVVHV
9. set interface ethernet3 mip 210.10.1.2 host 10.10.1.2

5RXWHV
10. set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr 11. set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3 gateway 210.10.1.2

3ROLFLHV
12. 13. 14. 15. 16. set policy from trust to untrust IP_Phone1 IP_Phone2 h.323 permit set policy from trust to untrust IP_Phone1 gatekeeper h.323 permit set policy from untrust to trust IP_Phone2 mip(210.10.1.2) h.323 permit set policy from untrust to trust gatekeeper mip(210.10.1.2) h.323 permit save

6HUYLFH *URXSV
A service group is a set of services that you have gathered together under one name. After you create a group containing several services, you can then apply services at the group level to access policies, thus simplifying administration. The NetScreen service group option has the following features: Each service book entry can be referenced by one or more service groups. Each service group can contain pre-defined and user-defined service book entries. Each service group can be referenced by other service groups, providing that a group referencing other groups does not include itself in the reference list.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

Service groups are subject to the following limitations: Service groups cannot have the same names as services; therefore, if you have a service named FTP, you cannot have a service group named FTP. If a service group is referenced in an access policy, you can edit the group but you cannot remove it until you have first removed the reference to it in the access policy. If a custom service book entry is deleted from the service book, the entry is also removed from all the groups in which it was referenced. The all-inclusive service term ANY cannot be added to groups.

([DPSOH &UHDWLQJ D 6HUYLFH *URXS


This example illustrates how you create a custom service named Wiget that supports IKE, FTP, and LDAP services.

:HE8,
Services >> Custom >> New Group: Enter the following group name, move the following services, and then click OK: Group Name: Wiget Group Members << Available Members: IKE, FTP, LDAP

&/,
1. 2. 3. 4. 5. set group service Wiget set group service Wiget add ike set group service Wiget add ftp set group service Wiget add ldap save

Note: If you attempt to add a service to a service group that does not exist, the NetScreen device creates the group. Also, ensure that groups referencing other groups do not include themselves in the reference list.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

([DPSOH 0RGLI\LQJ D 6HUYLFH *URXS


Although you cannot modify any of the pre-defined NetScreen services, you can modify existing user-defined custom services and service groups. In this example, you change the existing user-defined services from IKE, FTP, and LDAP to HTTP, FINGER, IMAP, and H.323 protocols.

:HE8,
Services >> Custom >> Edit (Wiget): Move the following services, and then click OK: Group Members >> Available Members: IKE, FTP, LDAP Group Members << Available Members: HTTP, FINGER, IMAP, H.323

&/,
1. 2. 3. 4. 5. 6. clear group service Wiget set group service Wiget add http set group service Wiget add finger set group service Wiget add imap set group service Wiget add h.323 save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6HUYLFHV

([DPSOH 5HPRYLQJ D 6HUYLFH


Although you cannot remove any of the pre-defined NetScreen services, you can remove existing user-defined custom services and service groups. In this example, you delete HTTP from the service group Wiget.

:HE8,
Services >> Custom >> Edit (for Wiget): Move the following service, and then click OK: Group Members >> Available Members: HTTP

&/,
1. 2. 3. unset group service Wiget remove http get service Wiget save

([DPSOH 5HPRYLQJ D 6HUYLFH *URXS


In this example, you delete the service group Wiget.

:HE8,
Services >> Custom: Click Remove (for Wiget).

&/,
1. 2. unset group service Wiget save

Note: The NetScreen device does not automatically delete a group from which you have removed all members.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6FKHGXOHV

6&+('8/(6
A schedule is a configurable object that you can associate with one or more access policies to define when they are in effect. Through the application of schedules, you can control network traffic flow and enforce network security. When you define a schedule, enter values for the following parameters: Schedule Name: The name that appears in the Schedule drop-down list in the Policy Configuration dialog box. Choose a descriptive name to help you identify the schedule. The name must be unique and is limited to 19 characters. Comment: Any additional information that you want to add. Recurring: Enable this when you want the schedule to repeat on a weekly basis. Start and End Times: You must configure both a start time and an end time. You can specify up to two time periods within the same day. Once: Enable this when you want the schedule to start and end only once. mm/dd/yyyy hh:mm: You must enter both start and stop dates and times.

([DPSOH 5HFXUULQJ 6FKHGXOH


In this example, there is a short-term marketing employee named Tom who is using the companys Internet access for personal pursuits after work. You create a schedule for non-business hours that you can then associate with an access policy to deny outbound TCP/IP traffic from that workers computer (10.10.4.5/24) outside of regular business hours.

:HE8,
1. Schedules >> Schedule >> New Schedule: Enter the following, and then click OK: Schedule Name: After Hours Comment: For non-business hours Recurring: (select)
1HW6FUHHQ &RQFHSWV ([DPSOHV 

&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6FKHGXOHV

Period 1:
Week Day Sunday Monday Tuesday Wednesday Thursday Friday Saturday Start Time End Time 00:00 00:00 00:00 00:00 00:00 00:00 00:00 23:59 06:00 06:00 06:00 06:00 06:00 23:59

Period 2:
Week Day Sunday Monday Tuesday Wednesday Thursday Friday Saturday Start Time End Time 17:00 17:00 17:00 17:00 17:00 17:00 17:00 23:59 23:59 23:59 23:59 23:59 23:59 23:59

2.

Address >> Address >> Address (under the New column for the appropriate zone): Enter the following, and then click OK: Address Name: Tom IP Address/Domain Name: 10.10.4.5 Netmask: 255.255.255.255

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6FKHGXOHV

Comment: Temp Location: Trust 3. Policies >> From Zone: Marketing, To Zone: Untrust >> New Policy: Enter the following, and then click OK: Name: No Net Source Address: Tom Destination Address: Any Service: HTTP Action: Deny Schedule: After Hours

&/,
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. set schedule after hours recurrent sunday start 00:00 stop 23:59 set schedule after hours recurrent monday start 00:00 stop 06:00 start 17:00 stop 23:59 set schedule after hours recurrent tuesday start 00:00 stop 06:00 start 17:00 stop 23:59 set schedule after hours recurrent wednesday start 00:00 stop 06:00 start 17:00 stop 23:59 set schedule after hours recurrent thursday start 00:00 stop 06:00 start 17:00 stop 23:59 set schedule after hours recurrent friday start 00:00 stop 06:00 start 17:00 stop 23:59 set schedule after hours recurrent saturday start 00:00 stop 23:59 comment for non-business hours set address trust tom 10.10.4.5 255.255.255.0 temp set policy from marketing to untrust tom any http deny schedule after hours save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  %XLOGLQJ %ORFNV IRU $FFHVV 3ROLFLHV DQG 931V

6FKHGXOHV

1HW6FUHHQ &RQFHSWV

([DPSOHV



8uhr(

$FFHVV 3ROLFLHV

By default, a NetScreen device denies all traffic in all directions. Through the creation of access policies, you can control the traffic flow across an interface by defining the kinds of traffic permitted to pass from one security zone to another. This chapter describes what access policies do and how the various elements that comprise an access policy are related. It is divided into the following two main sections: Access Policies Defined on page 250 Anatomy of a Policy on page 250 Viewing Access Policies on page 258 Access Policies Applied on page 258 Creating Access Policies on page 259 Modifying and Disabling Access Policies on page 267 Reordering Access Policies on page 267 Removing an Access Policy on page 268

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $FFHVV 3ROLFLHV

$FFHVV 3ROLFLHV 'HILQHG

$&&(66 32/,&,(6 '(),1('


A firewall provides a network boundary with a single point of entry and exita choke point. Because all incoming and outgoing traffic must pass through the choke point, you can screen and direct all that traffic through the implementation of a set of access policiesthe Access Control List (ACL). Access policies allow you to permit, deny, encrypt, authenticate, prioritize, schedule, and monitor the traffic attempting to cross from one security zone to another. You decide which users and what information can enter and leave, and when and where they can go. Warning: Access policies set in the root system of certain NetScreen devices do not affect access policies set in Virtual Systems.

$QDWRP\ RI D 3ROLF\
An access policy must contain the following elements: Zones (source and destination) Addresses (source and destination) Service Action (permit, deny, tunnel) An access policy can also contain the following elements: Network Address Translation (NAT), using Dynamic IP (DIP) pools VPN tunneling Layer 2 Transfer Protocol (L2TP) tunnel Authentication Logging Counting Traffic alarm settings Scheduling Traffic shaping
([DPSOHV 

1HW6FUHHQ &RQFHSWV

&KDSWHU  $FFHVV 3ROLFLHV

$FFHVV 3ROLFLHV 'HILQHG

The remainder of this section examines each of the above elements in turn.

Policy Configuration Dialog Box

Note: This option appears when the Action is Tunnel and a VPN tunnel is selected.

Note: In Transparent mode, these features are not available.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $FFHVV 3ROLFLHV

$FFHVV 3ROLFLHV 'HILQHG

=RQHV
A zone can be a segment of network space to which security measures are applied (a security zone), a logical segment to which a VPN tunnel interface is bound (a tunnel zone), or either a physical or logical entity that performs a specific function (a function zone). An access policy allows traffic to flow between two zones. An access policy enters and exits a zone via an interface or subinterface that is bound to that zone. For more information on zones, see Zones on page 31. For more information on interfaces, see Interfaces on page 39.

$GGUHVVHV
Addresses are objects that identify network devices such as hosts and networks by their location in relation to the firewallin one of the security zones. Individual hosts are specified using the mask 255.255.255.255, indicating that all 32 bits of the address are significant. Networks are specified using their subnet mask to indicate which bits are significant. To create an access policy for specific addresses, you must first create entries for the relevant hosts and networks in the address book. You can also create address groups and apply access policies to them as you would to other address book entries. When using address groups as elements of access policies, be aware that because the NetScreen device applies the access policy to each address in the group, the number of available access policies can become depleted more quickly than expected. This is a danger especially when you use address groups for both the source and destination.

6HUYLFHV
Services are objects that identify application protocols using layer 4 information such as standard and accepted TCP and UDP port numbers for application services like Telnet, FTP, SMTP, and HTTP. The ScreenOS includes predefined core Internet services. Additionally, you can define custom services. You can define access policies that specify which services are permitted, denied, encrypted, authenticated, logged, or counted, and which transmit alarm messages.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $FFHVV 3ROLFLHV

$FFHVV 3ROLFLHV 'HILQHG

$FWLRQV
Actions are objects that describe what the firewall does to the traffic it receives. Permit allows the packet to pass the firewall. Deny blocks the packet from traversing the firewall. Tunnel encapsulates outgoing IP packets and decapsulates incoming IP packets. For an IPSec VPN tunnel, specify which VPN tunnel to use. For an L2TP tunnel, specify which L2TP tunnel to use. For L2TP-over-IPSec, specify both an IPSec VPN tunnel and an L2TP tunnel1.

The NetScreen device applies the specified action on traffic that matches the first two criteria: addresses (source and destination) and service.

1HWZRUN $GGUHVV 7UDQVODWLRQ 1$7


You can apply NAT at the interface level or at the policy level. With policy-based NAT, you can translate the source address on either incoming or outgoing network and VPN traffic. The new source address can come from either a Dynamic IP pool or from a Mapped IP (for incoming network traffic and incoming and outgoing VPN traffic).

931 7XQQHO
You can apply a single access policy or multiple access policies to any VPN tunnel that you have configured. In the WebUI, the VPN Tunnel option provides a drop-down list of all such tunnels. In the CLI, you can see all available tunnels with the get vpn command. (For more information, see Chapter 12, Routing-Based VPNs on page 311 and Chapter 13, Policy-Based VPNs on page 381.) When the VPN configuration at both ends of a VPN tunnel are using policy-based-NAT, then the administrators of both gateway devices each need to create an inbound and an outbound access policy (four policies in total). When the VPN policies constitute a matching pair (that is, everything in the inbound and outbound policy configurations is the same except that the source and destination addresses are reversed), you can configure one policy and then

1.

For L2TP-over-IPSec, the source and destination addresses for the IPSec VPN tunnel must be the same as those for the L2TP tunnel.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $FFHVV 3ROLFLHV

$FFHVV 3ROLFLHV 'HILQHG

select the Create matching VPN policy check box to create a second policy automatically for the opposite direction. For the configuration of a new policy, the matching VPN policy check box is cleared by default. For the modification of an existing policy that is a member of a matching pair, the check box is selected by default, and any changes made to one policy are propagated to the other. (Note that this option is only available through the WebUI.)

/73
You can apply a single access policy or multiple access policies to any Layer 2 Tunneling Protocol (L2TP) tunnel that you have configured. In the WebUI, the L2TP option provides a drop-down list of all such tunnels. In the CLI, you can see all available tunnels with the get l2tp all command. You can also combine a VPN tunnel and an L2TP tunnelif both have the same endpointsto create a tunnel combining the characteristics of each. This is called L2TP-over-IPSec. Note: L2TP is not supported in Transparent mode.

$XWKHQWLFDWLRQ
Selecting this option requires the user at the source address to authenticate his/her identity by supplying a user name and password before traffic is allowed to traverse the firewall or enter the VPN tunnel. The NetScreen device can use the internal user database or an external RADIUS, SecurID, or LDAP server to perform the authentication check. Note: If an access policy requiring authentication applies to a subnet of IP addresses, authentication is required for each IP address. If one of host supports multiple user accounts (as with a Unix host running Telnet), then after the first user authenticates, all other users from that host can pass traffic through the device without authentication.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $FFHVV 3ROLFLHV

$FFHVV 3ROLFLHV 'HILQHG

The authentication process proceeds as follows: 1. 2. 3. 4. The user sends a HTTP, FTP or Telnet connection request to the destination address, which the NetScreen device intercepts. The NetScreen device sends the user a Firewall Login/Password prompt. The user responds to this prompt by entering his/her firewall login and password, and sending it. The NetScreen device authenticates the users firewall login and password. If the authentication is successful, a connection is established between the user and the destination address. For the initial connection request, a policy must include one or all of the three following services: Telnet, HTTP, or FTP. Only a policy with one or all of these services is capable of initiating the authentication process. You can use any of the following services in an access policy involving user authentication: Any (because any includes all three required services) Telnet, or FTP, or HTTP A service group that includes the service or services you want, plus one or more of the three services required to initiate the authentication process (Telnet, FTP, or HTTP). For example, you can create a custom service group named Login that supports FTP, Netmeeting, and H.323 services. Then, when you create the policy, specify Login as the service.

For any connection following a successful authentication, all services specified in the policy are valid. Note: An access policy with authentication enabled does not support DNS (port 53) as the service.

/RJJLQJ
When you enable logging in an access policy, the NetScreen device logs all connections to which that particular access policy applies. You can view the logs through either the WebUI or CLI, and the graphs in the Monitor section of the WebUI. Note: For more information about viewing logs and graphs, see Monitoring NetScreen Devices on page 161.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $FFHVV 3ROLFLHV

$FFHVV 3ROLFLHV 'HILQHG

&RXQWLQJ
When you enable counting in an access policy, the NetScreen device counts the total number of bytes of traffic to which this access policy applies and records the information in historical graphs.

$ODUP 7KUHVKROG
You can set a threshold that triggers an alarm when the traffic permitted by the access policy exceeds a specified number of bytes per second, bytes per minute, or both. Because the traffic alarm requires the NetScreen device to monitor the total number of bytes, you must also enable the counting feature. Note: For more information about traffic alarms, see Alarms on page 175.

6FKHGXOHV
By associating a schedule to an access policy, you can determine when the access policy is in effect. You can configure schedules on a recurring basis and as a one-time event. Schedules provide a powerful tool in controlling the flow of network traffic and in enforcing network security. For an example of the latter, if you were concerned about employees transmitting important data outside the company, you might set an access policy that blocked outbound FTP-Put and MAIL traffic after normal business hours. In the WebUI, define schedules in the Schedule section. In the CLI, use the set schedule command. Note: In the WebUI, scheduled access policies appear in green to indicate that the current time is not within the defined schedule. When a scheduled access policy becomes active, it appears in red.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $FFHVV 3ROLFLHV

$FFHVV 3ROLFLHV 'HILQHG

7UDIILF 6KDSLQJ
You can set parameters for the control and shaping of traffic for each access policy. The traffic shaping parameters include: Guaranteed Bandwidth: Guaranteed throughput in kilobits per second (kbps). Traffic below this threshold passes with the highest priority without being subject to any traffic management or shaping mechanism. Maximum Bandwidth: Secured bandwidth available to the type of connection in kilobits per second (kbps). Traffic beyond this threshold is throttled and dropped. Note: It is advised that you do not use rates less than 10 kbps. Rates below this threshold lead to dropped packets and excessive retries that defeat the purpose of traffic management. Traffic Priority: When traffic bandwidth falls between the guaranteed and maximum settings, the NetScreen device passes higher priority traffic first, and lower priority traffic only if there is no other higher priority traffic. There are eight priority levels. DiffServ Codepoint Marking: Differentiated Services (DiffServ) is a system for tagging (or marking) traffic at a position within a hierarchy of priority. The eight NetScreen priority levels can be mapped to the TOS DiffServ system. By default, the highest priority (priority 7) maps to the first three bits (000) in the DS field (see RFC 2472) or the IP precedence field in the TOS byte (see RFC 1349) in the IP packet header. The lowest priority (priority 0) in the NetScreen system maps to (111) in the TOS DiffServ system. Note: For a more detailed discussion of traffic management and shaping, see Traffic Shaping on page 485. To change the mapping between the NetScreen priority levels and the DS system, use the following CLI command: set traffic-shaping ip_precedence <number for priority 0 (highest priority)> <number for priority 1> <number for priority 2> <number for priority 3> <number for priority 4> <number for priority 5> <number for priority 6> <number for priority 7>

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $FFHVV 3ROLFLHV

$FFHVV 3ROLFLHV $SSOLHG

$&&(66 32/,&,(6 $33/,('


This section describes the management of access policies: viewing, creating, modifying, ordering and reordering, and removing access policies.

9LHZLQJ $FFHVV 3ROLFLHV


To view access policies through the WebUI, click Policies >> Policy: List Policy. In the CLI, use the get policy command.

$FFHVV 3ROLF\ ,FRQV


When viewing a list of access policies, the WebUI uses icons to provide you a graphical summary of policy components. The table below defines the different icons used in the access policies page.
Icon Function Network-level NAT Description Because the NetScreen device is operating in NAT mode, NAT is applied on all outgoing traffic. The NetScreen device performs policy-based NAT on all traffic meeting the criteria. All traffic meeting the criteria is passed. All traffic meeting the criteria is denied. All outgoing traffic meeting the criteria is encapsulated. All incoming traffic meeting the criteria is decapsulated.

Policy-level NAT

Permit

Deny

Enable encapsulation

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $FFHVV 3ROLFLHV

$FFHVV 3ROLFLHV $SSOLHG

Icon

Function Bidirectional VPN policies Authenticate

Description A matching VPN policy exists for the opposite direction. The user must authenticate himself/herself when initiating a connection. All traffic is logged and made available for syslog and e-mail, if enabled. The amount of traffic is counted in bytes per second. Indicates that you have set alarm thresholds. An access policy is only active during the time defined by the chosen schedule. Bandwidth shaping is active.

Log

Count

Alarm

Schedule

Traffic Shaping

&UHDWLQJ $FFHVV 3ROLFLHV


To allow traffic to flow between zones, you assign access policies to interfaces, which act as doorways to zones. You cannot create policies for traffic within the same zone. Access policies apply only to traffic between zones. To allow bidirectional traffic between two zones, for example, between the abc and xyz zones, you need to create a policy that goes from abc to xyz, and then create a second policy from xyz to abc. The policies use the same IP addresses, only the source and destination addresses are reversed. Depending on your needs, the policies can have the same configuration or different ones.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $FFHVV 3ROLFLHV

$FFHVV 3ROLFLHV $SSOLHG

([DPSOH $FFHVV 3ROLFLHV 3HUPLWWLQJ %LGLUHFWLRQDO 7UDIILF


In this example, you create two access policies. The first policy permits the services in the service group Mail-POP3 2 to traverse the NetScreen firewall from Host A to Mail Server . The second policy permits the service Mail to traverse the firewall from Mail Server to Host A.

:HE8,
1. Policy (From Zone: abc, To Zone: xyz) >> New Policy: Enter the following, and then click OK: Source Address: Host A Destination Address: Mail Server Service: Mail-POP3 Action: Permit 2. Policy (From Zone: xyz, To Zone: abc) >> New Policy: Enter the following, and then click OK: Source Address: Mail Server Destination Address: Host A Service: Mail Action: Permit

&/,
1. 2. 3. set policy from abc to xyz host a mail server mail-pop3 permit set policy from xyz to abc mail server host a mail permit save

2.

To create a service group, see Service Groups on page 241.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $FFHVV 3ROLFLHV

$FFHVV 3ROLFLHV $SSOLHG

$FFHVV 3ROLF\ /RFDWLRQ


You can define access policies between any zones that are located within the same system, root or virtual, else, one of the zones must be a shared zone.

([DPSOH 7\SLFDO $&/ IRU D 6PDOOWR0HGLXP (QWHUSULVH


This example assumes that you have already configured the addresses and default routes. For more information on configuring addresses, see Addresses on page 196. For more information on how to set default routes, see the chapter on Virtual Routers on page 179 A small software firm, ABC Design, has divided its network into two subnets, and both are in the Trust zone. The subnets are: Engineering (with the defined address Engineering) The rest of the company (with the defined address Office).

It also has a DMZ for its Web and mail servers. The following example presents a typical set of access policies for the following users: Engineering is permitted to use all the services for outbound traffic except FTP-Put, IMAP, MAIL, and POP3. Office is permitted to use e-mail and access the Internet, provided they authenticate themselves. The entire company can access the company Web and mail servers on the DMZ. There is also a group of system administrators (with the defined address Sys-admins), who have complete user and administrative access to the servers on the DMZ.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $FFHVV 3ROLFLHV

$FFHVV 3ROLFLHV $SSOLHG

Untrust Zone

Internet

www.abc.com Router NetScreen device Router

mail.abc.com

DMZ

DMZ Zone Office LAN Engineering LAN

Trust Zone

Note: The following example uses service groups. For information on creating such groups, see Service Groups on page 241.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $FFHVV 3ROLFLHV

$FFHVV 3ROLFLHV $SSOLHG

From Zone Source Address Trust - Any

To Zone Service Destination Address Untrust - Any

Action

Com (service group: Deny FTP-Put, IMAP, MAIL, POP3) Any Internet (service group: FTP-Get, HTTP, HTTPS) Permit Permit (+ Authentication)

Trust - Engineering Trust - Office

Untrust - Any Untrust - Any

From Zone Source Address Untrust - Any

To Zone Service Destination Address Trust - Any Any

Action Deny

From Zone Source Address Untrust Any Untrust Any Trust Any Trust Any

To Zone Service Destination Address DMZ - mail.abc.com MAIL

Action Permit Permit

DMZ - www.abc.com Web (service group: HTTP, HTTPS) DMZ - mail.abc.com

e-mail (service group: Permit IMAP, MAIL, POP3) Permit

DMZ - www.abc.com Internet

From Zone Source Address DMZ - mail.abc.com

To Zone Service Destination Address Untrust Any MAIL

Action Permit

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $FFHVV 3ROLFLHV

$FFHVV 3ROLFLHV $SSOLHG

:HE8,
1. Policies >> From Zone: Trust, To Zone: Untrust >> New Policy: Enter the following, and then click OK: Source Address: Any Destination Address: Any Service: Com3 Action: Deny 2. Policies >> From Zone: Trust, To Zone: Untrust >> New Policy: Enter the following, and then click OK: Source Address: Engineering Destination Address: Any Service: ANY Action: Permit 3. Policies >> From Zone: Trust, To Zone: Untrust >> New Policy: Enter the following, and then click OK: Source Address: Office Destination Address: Any Service: Internet4 Action: Permit Authentication: (select) Note: For incoming traffic (from Untrust zone to Trust zone), use the default access policy to deny everything.

3. 4.

Com is a service group with the following members: FTP-Put, MAIL, IMAP, and POP3. Internet is a service group with the following members: FTP-Get, HTTP, and HTTPS.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $FFHVV 3ROLFLHV

$FFHVV 3ROLFLHV $SSOLHG

4.

Policies >> From Zone: Trust, To Zone: DMZ >> New Policy: Enter the following, and then click OK: Source Address: Any Destination Address: mail.abc.com Service: MAIL Action: Permit

5.

Policies >> From Zone: Trust, To Zone: DMZ >> New Policy: Enter the following, and then click OK: Source Address: Any Destination Address: www.abc.com Service: Web5 Action: Permit

6.

Policies >> From Zone: Trust, To Zone: DMZ >> New Policy: Enter the following, and then click OK: Source Address: Any Destination Address: mail.abc.com Service: e-mail6 Action: Permit

7.

Policies >> From Zone: Trust, To Zone: DMZ >> New Policy: Enter the following, and then click OK: Source Address: Any Destination Address: www.abc.com Service: Internet Action: Permit

5. 6.

Web is a service group with the following members: HTTP and HTTPS. e-mail is a service group with the following members: MAIL, IMAP, and POP3.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $FFHVV 3ROLFLHV

$FFHVV 3ROLFLHV $SSOLHG

8.

Policies >> From Zone: Trust, To Zone: DMZ >> New Policy: Enter the following, and then click OK: Source Address: Sys-admins Destination Address: Any Service: ANY Action: Permit

9.

Policies >> From Zone: DMZ, To Zone: Trust >> New Policy: Enter the following, and then click OK: Source Address: mail.abc.com Destination Address: Any Service: MAIL Action: Permit

&/,
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. set policy from trust to untrust any any com deny set policy from trust to untrust engineering any any permit set policy from trust to untrust office any internet permit auth set policy from trust to dmz any mail.abc.com mail permit set policy from trust to dmz any www.abc.com web permit set policy from trust to dmz any mail.abc.com e-mail permit set policy from trust to dmz any www.abc.com internet permit set policy from trust to dmz sys-admins any any permit set policy from dmz to trust mail.abc.com any mail permit save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $FFHVV 3ROLFLHV

$FFHVV 3ROLFLHV $SSOLHG

0RGLI\LQJ DQG 'LVDEOLQJ $FFHVV 3ROLFLHV


After you create an access policy, you can always return to it to make modifications. In the WebUI, click the Edit link in the Configure column for the access policy that you want to change. In the Policy Configuration dialog box that appears for that access policy, make your changes, and then click OK. In the CLI, use the set policy command. The ScreenOS also provides a means for enabling and disabling access policies. By default, an access policy is enabled. To disable it, do the following:

:HE8,
Policy: Select the Disable option from the Configure column for the policy that you want to disable. The row containing the policy information is shaded grey to indicate that the policy is disabled.

&/,
1. 2. set policy from <zone name> to <zone name> id <id_num> disable save Note: To enable the policy again, click Enable in the Configure column for the policy that you want to enable (WebUI), or type unset policy from <zone name> to <zone name> id <id_num> disable (CLI).

5HRUGHULQJ $FFHVV 3ROLFLHV


The NetScreen device checks all attempts to traverse the firewall against access policies, beginning with the first one listed in the ACL for the appropriate direction (incoming or outgoing) and moving through the list. Because action applies to the first matching access policy, you must arrange them from the most specific to the most general. (Whereas a specific access policy does not preclude the application of a more general access policy located down the list, a general access policy appearing before a specific one does.)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  $FFHVV 3ROLFLHV

$FFHVV 3ROLFLHV $SSOLHG

To move an access policy to a different position in the ACL:

:HE8,
1. Policy: Click the circular arrows in the Configure column for the policy you want to move to display the Move Policy dialog box:

2.

Change the order of the access policy to fit your needs, and then click OK. The access policies page reappears with the access policy you moved in its new position.

&/,
1. 2. set policy move <id number> { before | after } <number> save

5HPRYLQJ DQ $FFHVV 3ROLF\


In addition to modifying an access policy, you can also delete it from the ACL. In the WebUI, click Remove in the Configure column for the access policy that you want to remove. When the system message prompts for confirmation to proceed with the removal, click Yes. In the CLI, use the unset policy <id_number> command.

1HW6FUHHQ &RQFHSWV

([DPSOHV



8uhr 

,36HF


IPSec Concepts on page 271 Modes on page 272 Protocols on page 275 Key Management on page 277 Security Association on page 278 Tunnel Negotiation on page 279 Phase 1 on page 279 Main Mode and Aggressive Mode on page 280 Phase 2 on page 281 Packet Flow: Policy-Based LAN-to-LAN VPN on page 283 IPSec NAT Traversal on page 285 Traversing a NAT Device on page 286 UDP Checksum on page 287 The Keepalive Frequency Value on page 287 IPSec NAT-Traversal and Initiator/Responder Symmetry on page 288

This chapter introduces the various elements of Internet Protocol Security (IPSec) and how they relate to virtual private network (VPN) tunneling. Following an Introduction to VPNs on page 270, the remainder of the chapter covers the following elements of IPSec:

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,36HF

,QWURGXFWLRQ WR 931V

,1752'8&7,21 72 9316
A virtual private network (VPN) provides a means for securely communicating between remote computers across a public wide area network (WAN), such as the Internet. A VPN connection can link two local area networks (LANs) or a remote dialup user and a LAN. The traffic that flows between these two points passes through shared resources such as routers, switches, and other network equipment that make up the public WAN. To secure VPN communication while passing through the WAN, the two participants create an IP Security (IPSec) tunnel1. An IPSec tunnel consists of a pair of unidirectional Security Associations (SAs)one at each end of the tunnelthat specify the security parameter index (SPI), destination IP address, and security protocol (Authentication Header or Encapsulating Security Payload) employed. Note: For more information on SPIs, see Security Association on page 278. For more about the IPSec security protocols, see Protocols on page 275. Through the SA, an IPSec tunnel can provide the following security functions: Privacy (via encryption) Content integrity (via data authentication) Sender authentication andif using certificatesnonrepudiation (via data origin authentication) The security functions you employ depend on your needs. If you only need to authenticate the IP packet source and content integrity, you can authenticate the packet without applying any encryption. On the other hand, if you are only concerned with preserving privacy, you can encrypt the packet without applying any authentication mechanisms. Optionally, you can both encrypt and authenticate the packet. Most network security designers choose to encrypt, authenticate, and replay-protect their VPN traffic. NetScreen supports IPSec technology for creating VPN tunnels with two kinds of key creation mechanisms: Manual Key AutoKey IKE with a preshared key or a certificate

1.

The term tunnel does not denote either transport or tunnel mode (see Modes on page 272). It simply refers to the IPSec connection.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,36HF

,36HF &RQFHSWV

,36(& &21&(376
IP Security (IPSec) is a suite of related protocols for cryptographically securing communications at the IP packet layer. IPSec consists of two modes and two main protocols: Transport and tunnel modes The Authentication Header (AH) protocol for authentication and the Encapsulating Security Payload (ESP) protocol for encryption (and authentication)

IPSec also provides methods for the manual and automatic negotiation of Security Associations (SAs) and key distribution, all the attributes for which are gathered in a Domain of Interpretation (DOI). See RFC 2407 and 2408.
IPSec Architecture Transport Mode
Note: NetScreen does not support Transport Mode with AH.

Tunnel Mode

AH Protocol

ESP Protocol

Authentication Algorithm (MD5, SHA-1)

Encryption Algorithm (DES, 3DES)

Domain of Interpretation (DOI)

SA and Key Management (Manual and Automatic)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,36HF

,36HF &RQFHSWV

Note: The IPSec Domain of Interpretation (DOI) is a document containing definitions for all the security parameters required for the successful negotiation of a VPN tunnelessentially, all the attributes required for SA and IKE negotiations.

0RGHV
IPSec operates in one of two modes: transport and tunnel. When both ends of the tunnel are hosts, transport mode and tunnel mode can be used. When at least one of the endpoints of a tunnel is a security gateway, such as a router or firewall, tunnel mode must be used. NetScreen devices always operate in tunnel mode for IPSec tunnels and transport mode for L2TP-over-IPSec tunnels.

7UDQVSRUW 0RGH
The original IP packet is not encapsulated within another IP packet. The entire packet can be authenticated (with AH), the payload can be encrypted (with ESP), and the original header remains in plaintext as it is sent across the WAN. IP Packets
Transport Mode AH Original AH Header Header Payload Authenticated Transport Mode ESP Original ESP Header Header Encrypted Authenticated Payload

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,36HF

,36HF &RQFHSWV

7XQQHO 0RGH
The entire original IP packetpayload and headeris encapsulated within another IP payload and a new header appended to it. The entire original packet can be encrypted, authenticated, or both. With AH, the AH and new headers are also authenticated. With ESP, the ESP header can also be authenticated.

IP Packets
Tunnel Mode AH New AH Original Header Header Header

The original packet is encapsulated. Payload Authenticated

Tunnel Mode ESP

New ESP Original Header Header Header Encrypted

Payload Authenticated

In a LAN-to-LAN VPN, the source and destination addresses used in the new header are the IP addresses of the outgoing interface (in NAT or Route mode) or the VLAN1 or System IP address (in Transparent mode); the source and destination addresses of the encapsulated packets are the addresses of the ultimate endpoints of the connection.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,36HF

,36HF &RQFHSWV

NetScreen-100 Tunnel Gateway Internet LAN 1 A A B Payload 1 2 A B Payload The original packet is encapsulated. LAN-to-LAN VPN in Tunnel Mode Tunnel

NetScreen-100 Tunnel Gateway

LAN 2 A B B Payload

In a dialup-to-LAN VPN, there is no tunnel gateway on the VPN dialup client end of the tunnel; the tunnel extends directly to the client itself. In this case, on packets sent to the dialup client, both the new header and the encapsulated original header have the same IP address: that of the clients computer.
NetScreen-100 Tunnel Gateway VPN Dialup Client Internet Tunnel A=1 A B Payload 1 2 A B Payload The original packet is encapsulated. Dialup-to-LAN VPN in Tunnel Mode 2 A B B Payload LAN

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,36HF

,36HF &RQFHSWV

3URWRFROV
IPSec uses two protocols to secure communications at the IP layer: Authentication Header (AH)A security protocol for authenticating the source of an IP packet and verifying the integrity of its content Encapsulating Security Payload (ESP)A security protocol for encrypting the entire IP packet (and authenticating its content)

$+
The Authentication Header (AH) protocol provides a means to verify the authenticity/integrity of the content and origin of a packet. You can authenticate the packet by the checksum calculated via a hash-based message authentication code (HMAC) using a secret key and either MD5 or SHA-1 hash functions. Message Digest version 5 (MD5)An algorithm that produces a 128-bit hash (also called a digital signature or message digest) from a message of arbitrary length and a 16-byte key. The resulting hash is used, like a fingerprint of the input, to verify content and source authenticity and integrity. Secure Hash Algorithm-1 (SHA-1)An algorithm that produces a 160-bit hash from a message of arbitrary length and a 20-byte key. It is generally regarded as more secure than MD5 because of the larger hashes it produces. Because the computational processing is done in the NetScreen ASIC, the performance cost is negligible. Note: For more information on MD5 and SHA-1 hashing algorithms, see the following RFCs: (MD5) 1321, 2403; (SHA-1) 2404. For information on HMAC, see RFC 2104.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,36HF

,36HF &RQFHSWV

(63
The Encapsulating Security Payload (ESP) protocol provides a means to ensure privacy (encryption), and source authentication and content integrity (authentication). ESP in tunnel mode encapsulates the entire IP packet (header and payload), and then appends a new IP header to the now encrypted packet. This new IP header contains the destination address needed to route the protected data through the network. With ESP, you can encrypt and authenticate, encrypt only, or authenticate only. For encryption, you can choose either of the following encryption algorithms: Data Encryption Standard (DES)A cryptographic block algorithm with a 56-bit key. Triple DES (3DES)A more powerful version of DES in which the original DES algorithm is applied in three rounds, using a 168-bit key. DES provides a significant performance savings but is considered unacceptable for many classified or sensitive material transfers. Advanced Encryption Standard (AES)An emerging encryption standard which, when adopted by Internet infrastructures worldwide, will offer greater interoperability with other network security devices. This version of AES uses a 128-bit key. For authentication, you can use either MD5 or SHA-1 algorithms. For either the encryption or authentication algorithm you can select NULL; however, you cannot select NULL for both simultaneously.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,36HF

,36HF &RQFHSWV

.H\ 0DQDJHPHQW
The distribution and management of keys are critical to successfully using VPNs. IPSec supports both manual and automatic key distribution methods.

0DQXDO .H\
With Manual Keys, administrators at both ends of a tunnel configure all the security parameters. This is a viable technique for small, static networks where the distribution, maintenance, and tracking of keys is not difficult. However, safely distributing Manual Key configurations across great distances poses security issues. Aside from passing the keys face-to-face, you cannot be completely sure that the keys have not been compromised while in transit. Also, whenever you want to change the key, you are faced with the same security issues as when you initially distributed it.

$XWR.H\ ,.(
When you need to create and manage numerous tunnels, you need a method that does not require you to configure every element manually. IPSec supports the automated generation and negotiation of keys and security associations using the Internet Key Exchange (IKE) protocol. NetScreen refers to such automated tunnel negotiation as AutoKey IKE and supports AutoKey IKE with preshared keys and AutoKey IKE with certificates.

$XWR.H\ ,.( ZLWK 3UHVKDUHG .H\V


With AutoKey IKE using preshared keys to authenticate the participants in an IKE session, each side must configure and securely exchange the preshared key2 in advance. In this regard, the issue of secure key distribution is the same as that with Manual Keys. However, once distributed, an AutoKey, unlike a Manual Key, can automatically change its keys at predetermined intervals using the IKE protocol. Frequently changing keys greatly improves security, and automatically doing so greatly reduces key-management responsibilities. However, changing keys increases traffic overhead; therefore, doing so too often can reduce data transmission efficiency.

2.

A preshared key is a key for both encryption and decryption that both participants must have before initiating communication.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,36HF

,36HF &RQFHSWV

$XWR.H\ ,.( ZLWK &HUWLILFDWHV


When using certificates to authenticate the participants during an AutoKey IKE negotiation, each side generates a public/private key pair (see Chapter 11, Public Key Cryptography) and acquires a certificate (see Certificates and CRLs on page 297). As long as the issuing certificate authority (CA) is trusted by both sides, the participants can retrieve the peers public key and verify the peers signature. There is no need to keep track of the keys and SAs; IKE does it automatically. Note: For examples of both Manual Key and AutoKey IKE tunnels, see Chapter 13, Policy-Based VPNs.

6HFXULW\ $VVRFLDWLRQ
A security association (SA) is a unidirectional agreement between the VPN participants regarding the methods and parameters to use in securing a communication channel. Full bidirectional communication requires at least two SAs, one for each direction. An SA groups together the following components for securing communications: Security algorithms and keys Protocol mode (transport or tunnel) Key management method (Manual Key or AutoKey IKE) SA lifetime

For outbound VPN traffic, the access policy invokes the SA associated with the VPN tunnel. For inbound traffic, the NetScreen device looks up the SA by using the following triplet: destination IP, security protocol (AH or ESP), and security parameter index (SPI) value.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,36HF

7XQQHO 1HJRWLDWLRQ

7811(/ 1(*27,$7,21
For a Manual Key IPSec tunnel, because all of the security association (SA) parameters have been previously defined, there is no need to negotiate which SAs to use. In essence, the tunnel has already been established. When traffic matches an access policy using that Manual Key tunnel or when a route involves the tunnel, the NetScreen devices simply encrypts and authenticates the data, as you determined, and forwards it to the destination gateway. To establish an AutoKey IKE IPSec tunnel, two phases of negotiation are required: In Phase 1, the participants establish a secure channel in which to negotiate the IPSec SAs. In Phase 2, the participants negotiate the IPSec SAs for encrypting and authenticating the ensuing exchanges of user data.

3KDVH 
Phase 1 of an AutoKey IKE tunnel negotiation consists of the exchange of proposals for how to authenticate and secure the channel. The exchange can be in one of two modes: Aggressive mode or Main mode (see below). Using either mode, the participants exchange proposals for acceptable security services such as: Encryption algorithms (DES and 3DES) and authentication algorithms (MD5 and SHA-1). For more information about these algorithms, see Protocols on page 275. A Diffie-Hellman Group (See The Diffie-Hellman Exchange on page 281.) Preshared Key or RSA/DSA certificates (see AutoKey IKE on page 277)

A successful Phase 1 negotiation concludes when both ends of the tunnel agree to accept at least one set of the Phase 1 security parameters proposed, and then process them. NetScreen devices support up to four proposals for Phase 1 negotiations, allowing you to define how restrictive a range of security parameters for key negotiation you will accept.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,36HF

7XQQHO 1HJRWLDWLRQ

0DLQ 0RGH DQG $JJUHVVLYH 0RGH


Phase 1 can take place in either Main mode or Aggressive mode. The two modes are described below. Main Mode: The initiator and recipient send three two-way exchanges (six messages total) to accomplish the following services: First exchange, (messages 1 and 2): Propose and accept the encryption and authentication algorithms. Second exchange, (messages 3 and 4): Execute a Diffie-Hellman exchange, and the initiator and recipient each provide a nonce (randomly generated number). Third exchange, (messages 5 and 6): Send and verify their identities.

The information transmitted in the third exchange of messages is protected by the encryption algorithm established in the first two exchanges. Thus, the participants identities are not transmitted in the clear. Aggressive Mode: The initiator and recipient accomplish the same objectives, but only in two exchanges, and a total of three messages: First message: The initiator proposes the SA, initiates a Diffie-Hellman exchange, and sends a nonce and its IKE identity. Second message: The recipient accepts the SA, authenticates the initiator, and sends a nonce, its IKE identity, and, if using certificates, the recipients certificate. Third message: The initiator authenticates the recipient, confirms the exchange, and, if using certificates, sends the initiators certificate.

Because the participants identities are exchanged in the clear (in the first two messages), Aggressive mode does not provide identity protection. Note: When a dialup VPN user negotiates an AutoKey IKE tunnel with a preshared key, Aggressive mode must be used. Note also that a dialup VPN user can use an e-mail address or a fully qualified domain name (FQDN) as its IKE ID, but not an IP address.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,36HF

7XQQHO 1HJRWLDWLRQ

7KH 'LIILH+HOOPDQ ([FKDQJH


A Diffie-Hellman exchange allows the participants to produce a shared secret value. The strength of the technique is that it allows the participants to create the secret value over an unsecured medium without passing the secret value through the wire. There are five Diffie-Hellman (DH) groups (NetScreen supports groups 1, 2, and 5). The size of the prime modulus used in each groups calculation differs as follows: DH Group 1: 768-bit modulus3 DH Group 2: 1024-bit modulus DH Group 5: 1536-bit modulus

The larger the modulus, the more secure the generated key is considered to be; however, the larger the modulus, the longer the key-generation process takes. Because the modulus for each DH group is a different size, the participants must agree to use the same group4.

3KDVH 
After the participants have established a secure and authenticated channel, they proceed through Phase 2, in which they negotiate the SAs to secure the data to be transmitted through the IPSec tunnel. Similarly to the process for Phase 1, the participants exchange proposals to determine which security parameters to employ in the SA. A Phase 2 proposal also includes a security protocoleither Encapsulating Security Payload (ESP) or Authentication Header (AH), and selected encryption and authentication algorithms. The proposal can also specify a Diffie-Hellman group, if Perfect Forward Secrecy (PFS) is desired. Note: For more about Diffie-Hellman groups, see The Diffie-Hellman Exchange on page 281. For more about PFS, see Perfect Forward Secrecy on page 282. Regardless of the mode used in Phase 1, Phase 2 always operates in Quick mode and involves the exchange of three messages4.

3. 4.

The strength of DH Group 1 security has depreciated, and NetScreen does not recommend its use. If you configure multiple (up to four) proposals for Phase 1 negotiations, use the same Diffie-Hellman group in all proposals. The same guideline applies to multiple proposals for Phase 2 negotiations.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,36HF

7XQQHO 1HJRWLDWLRQ

NetScreen devices support up to four proposals for Phase 2 negotiations, allowing you to define how restrictive a range of tunnel parameters you will accept. NetScreen also provides a replay protection feature. Use of this feature does not require negotiation because packets are always sent with sequence numbers. You simply have the option of checking the sequence numbers or not. (For more information about replay protection, see below.)

3HUIHFW )RUZDUG 6HFUHF\


Perfect Forward Secrecy (PFS) is a method for deriving Phase 2 keys independent from and unrelated to the preceding keys. Alternatively, the Phase 1 proposal creates the key (the SKEYID_d key) from which all Phase 2 keys are derived. The SKEYID_d key can generate Phase 2 keys with a minimum of CPU processing. Unfortunately, if an unauthorized party gains access to the SKEYID_d key, all your encryption keys are compromised. PFS addresses this security risk by forcing a new Diffie-Hellman key exchange to occur for each Phase 2 tunnel. Using PFS is thus more secure, although the rekeying procedure in Phase 2 might take slightly longer with PFS enabled.

5HSOD\ 3URWHFWLRQ
A replay attack occurs when somebody intercepts a series of packets and uses them later either to flood the system, causing a denial-of-service (DoS), or to gain entry to the trusted network. The replay protection feature enables NetScreen devices to check every IPSec packet to see if it has been received before. If packets arrive outside a specified sequence range, the NetScreen device rejects them.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,36HF

7XQQHO 1HJRWLDWLRQ

3DFNHW )ORZ 3ROLF\%DVHG /$1WR/$1 931


To see the various components comprising the creation of an IPSec tunnel in relation to each other, the following example illustrates how a packet flows through a tunnel. A company based in Tokyo has just opened a branch office in Paris and needs to connect the two sites through an IPSec tunnel. The tunnel uses Manual Key, the ESP protocol, 3DES for encryption and SHA-1 for authentication. The NetScreen devices protecting each site are in NAT mode. The addresses are as follows: Tokyo: Outgoing interface (ethernet1, Untrust zone): 201.22.3.14 Trust zone: 10.1.1.0/24 Paris: Outgoing interface (ethernet1, Untrust zone): 203.3.3.10 Trust zone: 10.2.2.0/24
Outgoing Interface eth1, 201.22.3.14 Trust Zone 10.1.1.0/24 Tokyo Internet IPSec Tunnel Remote Gateway Outgoing Interface eth1, 203.3.3.10 Internet Remote Gateway IPSec Tunnel Paris Trust Zone 10.2.2.0/24

Untrust Zone Paris LAN

Untrust Zone Tokyo LAN

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,36HF

7XQQHO 1HJRWLDWLRQ

The path of a packet coming from 10.1.1.10 and going to 10.2.2.20 through an IPSec tunnel proceeds as follows: 1. 2. 3. The host on the 10.1.1.0/24 subnet sends a packet to a server on the 10.2.2.0/24 subnet. The packet reaches its gateway; that is, the Netscreen device in Tokyo. The Netscreen device in Tokyo performs the following operations: It checks its Access Control List (ACL) and (using the source and destination address) determines to send the packet through the VPN tunnel to the Paris office. It encrypts the entire packet (including the original header) and puts a new header on the packet. In the outer header the source IP address is 201.22.3.14, and the destination IP address is 203.3.3.10. It sends the packet to 203.3.3.10; that is, the outgoing interface IP address of the NetScreen device in Paris. The Netscreen device in Paris performs the following operations: Using the SPI, destination IP address, and IPSec protocol contained in the outer packet header, it locates the SA and keys. It decrypts the packet, uncovering its ultimate destination. It checks the Access Control List (ACL) and, finding an access policy that grants access, forwards the packet to its destination.

4.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,36HF

,36HF 1$7 7UDYHUVDO

,36(& 1$7 75$9(56$/


Network Address Translation (NAT) and Network Address Port Translation (NAPT) are Internet standards that allows a local-area network (LAN) to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. NAT devices generate these external addresses from predetermined pools of IP addresses. When setting up an IPSec tunnel, the presence of a NAT device along the data path has no effect on Phase 1 and Phase 2 IKE negotiations, which always encapsulate IKE packets within User Datagram Protocol (UDP) packets. However, after the Phase 2 negotiations are completed, performing NAT on the IPSec packets causes the tunnel to fail. Of the many reasons why NAT causes disruption to IPSec5, one reason is that, for the Encapsulating Security Protocol (ESP), NAT devices cannot discern the location of the Layer 4 header (because it is encrypted) for port translation. For the Authentication Header (AH) protocol, NAT devices can modify the port number, but the authentication check, which includes the entire IPSec packet, fails. To solve this problem, NetScreen devices (with ScreenOS 3.0.0 or later) and the NetScreen-Remote client (version 6.0 or later) can apply the NAT-Traversal (NAT-T) feature. NAT-T adds a layer of UDP encapsulation after detecting one or more NAT devices along the data path during Phase 1 exchanges.

5.

For a list of IPSec/NAT incompatibilities, see draft-ietf-ipsec-nat-regts-00.txt by Bernard Aboba.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,36HF

,36HF 1$7 7UDYHUVDO

7UDYHUVLQJ D 1$7 'HYLFH


In the following illustration, a NAT device at the perimeter of a hotel LAN receives a packet from a VPN dialup client with IP address 200.1.1.1, assigned by its ISP. For all outbound traffic, the NAT device replaces the original source IP address in the outer header with a new address 210.2.2.2. During Phase 1 negotiations, the VPN client and the NetScreen device detect that both VPN participants support NAT-T, that a NAT server is present along the data path, and that it is located in front of the VPN client.

Hotel NAT Device Internet VPN Dialup Client VPN Tunnel Src IP 200.1.1.1 -> 210.2.2.2 NetScreen Device

Corporate

Encapsulating the IPSec packets within UDP packetswhich both the VPN client and the NetScreen device do solves the problem of the authentication check failure. The NAT server processes them as UDP packets, changing the source port in the UDP header and leaving the SPI in the AH or ESP header unmodified. The VPN participants strip off the UDP layer and process the IPSec packets, which pass the authentication check because none of the authenticated content has been changed.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,36HF

,36HF 1$7 7UDYHUVDO

IPSec Packet without NAT-T


Outer IP Header The outer headers contain identical information except that the protocol changes from 50 or 51 (AH or ESP respectively) to 500 (UDP). AH or ESP Header

Data Payload

AH or ESP

Trailer

IPSec Packet with NAT-T


Outer IP Header UDP Header NAT-T Header AH or ESP Header

Data Payload

AH or ESP

Trailer

Note: When NAT-T is enabled, the NetScreen device applies it only when necessary; that is, when the it detects a NAT server between the remote host and the NetScreen device.

8'3 &KHFNVXP
All UDP packets contain a UDP checksum, a calculated value that ensures UDP packets are free of transmission errors. A NetScreen device does not require use of the UDP checksum for NAT-T, so the WebUI and CLI present the checksum as an optional setting. Even so, some NAT devices require a checksum, so you might have to enable this setting.

7KH .HHSDOLYH )UHTXHQF\ 9DOXH


When a NAT server assigns an IP address to a host, the server determines how long the new address remains valid when no traffic occurs. For example, a NAT device might invalidate any generated IP address that remains unused for 20 seconds. Therefore, it is usually necessary for the IPSec participants to send periodic keepalive packets empty UDP packetsthrough the NAT device, so that the NAT mapping does not change until the Phase 1 and Phase 2 SAs expire.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,36HF

,36HF 1$7 7UDYHUVDO

Note: NAT servers have different session timeout intervals, depending on the manufacturer and model. It is important to determine what the interval is for the NAT server, and to set the keepalive frequency value below that.

,36HF 1$77UDYHUVDO DQG ,QLWLDWRU5HVSRQGHU 6\PPHWU\


When two NetScreen devices establish a tunnel in the absence of a NAT device, either device can serve as initiator or responder. However, if either host resides behind a NAT device, such initiator/responder symmetry might be impossible. This happens whenever the NAT device generates IP addresses dynamically.
Note: Security zones depicted below are from the perspective of NetScreen B.

Untrust Zone NAT Device

Trust Zone

NetScreen A Host A

Internet Tunnel

NetScreen B

Host B 210.1.1.1

211.1.10.10 210.1.1.2

In the above illustration, NetScreen B resides in a subnet located behind a NAT device. If the NAT device generates the new IP address (210.1.1.1) dynamically from a pool of IP addresses, NetScreen A cannot unambiguously identify NetScreen B. Therefore, NetScreen A cannot successfully initiate a tunnel with NetScreen B. NetScreen A must be the responder, NetScreen B must be the initiator, and they must perform Phase 1 negotiations in Aggressive mode. However, if the NAT device generates the new IP address using a mapped IP (MIP) address, or some other one-to-one addressing method, NetScreen A can unambiguously identify NetScreen B. Consequently, either NetScreen A or NetScreen B can be the initiator, and both can use Main mode or Aggressive mode for Phase 1.
1HW6FUHHQ &RQFHSWV ([DPSOHV 

&KDSWHU  ,36HF

,36HF 1$7 7UDYHUVDO

Note: If you enable NAT-T on the responder and configure it to view the initiator as a static peer, then peers of the following types must use the same P1 proposal:
Peers with dynamically assigned IP addresses Dialup VPN users NAT-T-enabled peers with static IP addresses

([DPSOH (QDEOLQJ 1$77UDYHUVDO


In the following example, a NAT device at the perimeter of a hotel LAN assigns an address to the VPN dialup client used by Michael Smith, a salesman attending a convention. For Michael Smith to reach the corporate LAN via a dialup VPN tunnel, you must enable NAT-T for the remote gateway msmith, configured on the NetScreen device, and for the remote gateway configured on the VPN dialup client. You also enable the NetScreen device to include a UDP checksum in its transmissions, and you set the keepalive frequency to 8 seconds.

Hotel NAT Device Internet VPN Dialup Client VPN Tunnel NetScreen Device

Corporate

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  ,36HF

,36HF 1$7 7UDYHUVDO

:HE8,
1. VPNs >> Gateway(P1) >> New Remote Tunnel Gateway: Enter the necessary parameters for the new tunnel gateway as described in Chapter 12, Routing-Based VPNs or Chapter 13, Policy-Based VPNs, include the following, and then click OK: Nat-Traversal: Enable UDP Checksum: Enable Keepalive Frequency: 8 Note: The NetScreen device enables NAT traversal automatically for dial-up VPNs.

&/,
1. 2. 3. 4. set ike gateway msmith nat-traversal set ike gateway msmith nat-traversal enable-udp-checksum set ike gateway msmith nat-traversal keepalive-frequency 8 save

1HW6FUHHQ &RQFHSWV

([DPSOHV



8uhr

3XEOLF .H\ &U\SWRJUDSK\



This chapter provides an introduction to public key cryptography and the use of certificates and certificate revocation lists (CRLs) within the context of Public Key Infrastructure (PKI). The material is organized into the following sections: Introduction to Public Key Cryptography on page 292 PKI on page 294 Certificates and CRLs on page 297 Obtaining a Certificate Manually on page 298 Obtaining a Certificate Automatically on page 304 Checking for Revocation Using OCSP on page 308 Configuring for OCSP on page 308

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3XEOLF .H\ &U\SWRJUDSK\

,QWURGXFWLRQ WR 3XEOLF .H\ &U\SWRJUDSK\

,1752'8&7,21 72 38%/,& .(< &5<372*5$3+<


In public key cryptography, a public/private key pair is used to encrypt and decrypt data. Data encrypted with a public key, which the owner makes available to the public, can only be decrypted with the corresponding private key, which the owner keeps secret and protected. For example, if Alice wants to send Bob an encrypted message, Alice can encrypt it with Bobs public key and send it to him. Bob then decrypts the message with his private key. The reverse is also useful; that is, encrypting data with a private key and decrypting it with the corresponding public key. This is known as creating a digital signature. For example, if Alice wants to present her identity as the sender of a message, she can encrypt the message with her private key and send the message to Bob. Bob then decrypts the message with Alices public key, thus verifying that Alice is indeed the sender. Public/private key pairs also play an important role in the use of digital certificates. The procedure for signing a certificate (by a CA) and then verifying the signature works as follows (by the recipient):

6LJQLQJ D &HUWLILFDWH
1. 2. 3. The Certificate Authority (CA) that issues a certificate hashes the certificate by using a hash algorithm (MD5 of SHA-1) to generate a digest. The CA then signs the certificate by encrypting the digest with its private key. The result is a digital signature. The CA then sends the digitally signed certificate to the person who requested it.

9HULI\LQJ D 'LJLWDO 6LJQDWXUH


1. 2. 3. When the recipient gets the certificate, he or she also generates another digest by applying the same hash algorithm (MD5 of SHA-1) on the certificate file. The recipient uses the CAs public key to decrypt the digital signature. The recipient compares the decrypted digest with the digest he or she just generated. If the two digests match, the recipient can confirm the integrity of the CAs signature and, by extension, the integrity of the accompanying certificate.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3XEOLF .H\ &U\SWRJUDSK\

,QWURGXFWLRQ WR 3XEOLF .H\ &U\SWRJUDSK\

Sender (CA) 1. Using either the MD5 or SHA-1 hash algorithm, the CA makes digest A from the certificate. 2. Using the its private key, the CA encrypts digest A. The result is digest B, the digital signature. 3. The CA sends the digitally signed certificate to the person who requested it. Digest A

1 Cert Hash Algorithm (MD5 or SHA-1) Digest B 2 CAs Private Key

1. Using either MD5 or SHA-1, the recipient makes digest A from the certificate. 2. Using the CAs public key, the recipient decrypts digest B. 3. The recipient compares digest A with digest B. If they match, the recipient knows that the certificate has not been tampered with.

Recipient Digest A 3 Compare

1 Cert Hash Algorithm (MD5 or SHA-1) Digest B 2 CAs Public Key

The procedure for digitally signing messages sent between two participants in an IPSec session works very similarly, with the following differences: Instead of making a digest from the CA certificate, the sender makes it from the data in the IP packet payload. Instead of using the CAs public/private key pair, the participants use the senders public/private key pair.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3XEOLF .H\ &U\SWRJUDSK\

3.,

3.,
The term Public Key Infrastructure (PKI) refers to the hierarchical structure of trust required for the successful implementation of public key cryptography. To verify the trustworthiness of a certificate, you must be able to track a path of certified CAs from the one issuing your local certificate back to a root authority of a CA domain.

PKI Hierarchy of Trust CA Domain The root level CA validates subordinate CAs.

Subordinate CAs validate local certificates and other CAs.

Local certificates contain the users public key.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3XEOLF .H\ &U\SWRJUDSK\

3.,

If certificates are used solely within an organization, that organization can have its own CA domain within which a company CA issues and validates certificates among its employees. If that organization later wants its employees to be able to exchange their certificates with those from another CA domain (for example, with employees at another organization that also has its own CA domain), the two CAs can develop cross-certification; that is, they can agree to trust the authority of each other. In this case, the PKI structure does not extend vertically but horizontally.

CA Domain A

CA Domain B

Cross-certification

Users in CA domain A can use their certificates and key pairs with users in CA domain B because the CAs have cross-certified each other.

For convenience and practicality, PKI must be transparently managed and implemented. Toward this goal, the NetScreen ScreenOS does the following: 1. 2. Generates a public/private key pair when you create a certificate request. Supplies that public key as part of the certificate request in the form of a text file for transmission to a Certificate Authority (CA) for certificate enrollment (PKCS10 file).

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3XEOLF .H\ &U\SWRJUDSK\

3.,

3.

Supports loading the local certificate, the CA certificate, and the certificate revocation list (CRL)1 into the unit. You can also specify an interval for refreshing the CRL online. For more information on CRLs, see Certificates and CRLs on page 297.

4. 5. 6.

7.

Provides certificate delivery when establishing an IPSec tunnel. Supports certificate path validation upward through eight levels of CA authorities in the PKI hierarchy. Supports the PKCS #7 cryptographic standard, which means the NetScreen device can accept X.509 certificates and CRLs packaged within a PKCS #7 envelope2. PKCS #7 support allows you to submit multiple X.509 certificates within a single PKI request. You can now configure PKI to validate all the submitted certificates from the issuing CA at one time. Supports online CRL retrieval via LDAP or HTTP.

1. 2.

The Certificate Authority usually provides a CRL. Although you can load a CRL into the NetScreen device, you cannot view it once loaded. NetScreen supports a PKCS #7 file size of up to 7 Kilobytes.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3XEOLF .H\ &U\SWRJUDSK\

&HUWLILFDWHV DQG &5/V

&(57,),&$7(6 $1' &5/6


A digital certificate is an electronic means for verifying your identity through the word of a trusted third party, known as a Certificate Authority (CA). The CA server you use can be owned and operated by an independent CA3, or by your own organization, in which case you become your own CA. If you use an independent CA, you must contact them for the addresses of their CA and CRL servers (for obtaining certificates and certificate revocation lists), and for the information they require when submitting personal certificate requests. When you are your own CA, you determine this information yourself. To use a digital certificate to authenticate your identity when establishing a secure VPN connection, you must first do the following: Obtain a personal certificate (also known as a local certificate) from a CA, and load the certificate in the NetScreen device. Obtain a CA certificate for the CA that issued the personal certificate (basically verifying the identity of the CA verifying you), and load the CA certificate in the NetScreen device. You can perform this task manually, or automatically using Simple Certificate Enrollment Protocol (SCEP). If the certificate does not contain a certificate distribution point (CDP) extension, and you cannot automatically retrieve the CRL via LDAP or HTTP, you can retrieve a CRL manually and load that in the NetScreen device.

During the course of business, there are several events that make it necessary to revoke a certificate. You might wish to revoke a certificate if you suspect that it has been compromised or when a certificate holder leaves a company. Managing certificate revocations and validation can be accomplished locally (which is a limited solution) or by referencing a CAs CRL, which you can automatically access online at daily, weekly, or monthly intervals, or at the default interval set by the CA.

3.

NetScreen supports the following CAs: Baltimore , Entrust , Microsoft, Netscape, RSA Keon , and Verisign .

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3XEOLF .H\ &U\SWRJUDSK\

&HUWLILFDWHV DQG &5/V

2EWDLQLQJ D &HUWLILFDWH 0DQXDOO\


To obtain a signed digital certificate using the manual method, you must complete several tasks in the following order: 1. 2. 3. 4. 5. Configure default server settings. Generate a public/private key pair. Fill out the Certificate Request. Submit your request to your CA of choice. After you receive your signed certificate, you must load it into the NetScreen device along with the CA certificate. A local certificate for the NetScreen device, to validate your identity with each tunnel connection A CA Certificate (their public key), to be used to verify the peers certificate If the Certificate Revocation List (CRL) was included with the CA certificate4, a CRL to identify invalid certificates

You now have the following items for the following uses:

When you receive these files (the certificate files typically have the extension .cer, and the CRL typically has the extension .crl), load them into your NetScreen using the procedure described in the following section. Note: If you are planning to use e-mail to submit a PKCS10 file to obtain your certificates, you must properly configure your NetScreen settings so that you can send e-mail to your system administrator. You have to modify the route table, correctly set your primary and secondary domain servers, and specify the SMTP server and e-mail address settings.

4.

A CRL might accompany a CA certificate and be stored in the NetScreen database. Alternatively, the CA certificate might contain the CRL URL (either LDAP or HTTP) for a CRL that is stored in the CAs database. If the CRL is unobtainable by either method, you can manually enter the default server settings for the CRL URL in the NetScreen device, as explained in Example: Configuring Default Server Settings for a CRL on page 303.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3XEOLF .H\ &U\SWRJUDSK\

&HUWLILFDWHV DQG &5/V

([DPSOH 5HTXHVWLQJ D &HUWLILFDWH 0DQXDOO\


When you request a certificate, the NetScreen device generates a key pair. The public key becomes incorporated in the request itself and, eventually, in the digitally signed local certificate you receive from the CA. In the following example, the security administrator is making a certificate request for Michael Zhang in the Development department at NetScreen Technologies in Santa Clara, California. The certificate is going to be used for a NetScreen-100 at IP address 10.10.5.44. The administrator instructs the NetScreen device to write the request to a file, which he then copies and pastes in the certificate request text field at the CAs certificate enrollment site. After the enrollment process is complete, the CA usually sends the certificates via e-mail to the security administrator.

:HE8,
1. Certificates >> Local >> Certificate Request: Enter the following, and then click Generate: Name: Michael Zhang Phone: (408) 330-7800 Unit/Department: Development Organization: NetScreen Technologies County/Locality: Santa Clara State: CA Country: US E-mail: (leave blank; some CAs do not support this field) Note: If no e-mail address appears in the local certificate, you cannot use an e-mail address as the local IKE ID when configuring the NetScreen device as a dynamic peer. Instead, you can use an IP address (if it is in the local certificate), or you can leave the local ID field empty. By default the NetScreen device sends its hostname.domainname. If you do not specify a local ID for a dynamic peer, enter the hostname.domainname of that peer on the device at the other end of the IPSec tunnel in the peer ID field. IP Address: 10.10.5.44
1HW6FUHHQ &RQFHSWV ([DPSOHV 

&KDSWHU  3XEOLF .H\ &U\SWRJUDSK\

&HUWLILFDWHV DQG &5/V

Write to file: (select) Create new key pair of 10245 length: (select) The NetScreen generates a PKCS #10 file and prompts you to open the file or save it to disk. 2. Open the file, and copy its contents, taking care to copy the entire text but not any blank spaces before or after the text. (Start at -----BEGIN CERTIFICATE REQUEST-----, and end at -----END CERTIFICATE REQUEST-----.) Follow the certificate request directions at the CAs Web site, pasting the PKCS #10 file in the appropriate field when required. When you receive the certificate from the CA via e-mail, copy it to a text file, and save it to your workstation (to be loaded to the NetScreen device later through the WebUI) or to a TFTP server (to be loaded later through the CLI).

3. 4.

&/,
1. 2. 3. 4. 5. 6. 7. 8. 9. set pki x509 dn country-name US set pki x509 dn state-name CA set pki x509 dn local-name Santa Clara set pki x509 dn org-name NetScreen Technologies set pki x509 dn org-unit-name Development set pki x509 dn name Michael Zhang set pki x509 dn ip 10.10.5.44 set pki x509 default send-to mzhang@netscreen.com6 exec pki rsa new-key 1024 The certificate request is sent via e-mail to mzhang@netscreen.com.
5. 6. The value 1024 indicates the bit length of the key pair. If you are using the certificate for SSL (see Secure Sockets Layer on page 128), be sure to use a bit length that your Web browser also supports. Using the e-mail address assumes that you have already configured the IP address for your SMTP server (set admin mail server-name <IP address or server name>).

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3XEOLF .H\ &U\SWRJUDSK\

&HUWLILFDWHV DQG &5/V

10. Copy the contents of the request, taking care to copy the entire text but not any blank spaces before or after the text. (Start at -----BEGIN CERTIFICATE REQUEST-----, and end at -----END CERTIFICATE REQUEST-----.) 11. Follow the certificate request directions at the CAs Web site, pasting the PKCS #10 file in the appropriate field when required. When you receive the certificate from the CA via e-mail, copy it to a text file, and save it to your workstation (to be loaded to the NetScreen device later through the WebUI) or to a TFTP server (to be loaded later through the CLI).

([DPSOH /RDGLQJ &HUWLILFDWHV


The CA returns the following three files to you for loading into the NetScreen device: A CA certificate, which contains the CAs public key A local certificate that identifies your local machine (your public key) A CRL, which lists any certificates revoked by the CA

For the WebUI example, you have downloaded the files to the administrators workstation. For the CLI example, you have downloaded them to a TFTP server with IP address 198.168.1.5. Note: NetScreen devices, including virtual systems, configured with ScreenOS 2.5 or later support loading multiple local certificates from different CAs. This example illustrates how to load two certificate files named auth.cer (CA certificate) and local.cer (your public key), and the CRL file named distrust.crl.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3XEOLF .H\ &U\SWRJUDSK\

&HUWLILFDWHV DQG &5/V

:HE8,
1. 2. 3. 4. 5. Certificates >> CA >> Load: Click Browse. Navigate to the certificate file directory, select auth.cer, and then click Open. The directory path and file name appear in the Browse field in the Load Certificate or CRL dialog box. Click Load. The certificate file loads, and then the Load Certificate or CRL dialog box reappears. Certificates >> Local >> Load: Click Browse. Navigate to the certificate file directory, select local.cer, and then click Open. The directory path and file name for local.cer appear in the Browse field in the Load Certificate or CRL dialog box. 6. 7. 8. 9. Click Load. The certificate file loads, and then the Load Certificate or CRL dialog box reappears. Certificates >> CRL >> Load: Click Browse. Navigate to the certificate file directory, select distrust.crl, and then click Open. Click Load. The CRL file loads.

&/,
1. 2. 3. exec pki x509 tftp 198.168.1.5 cert-name auth.cer exec pki x509 tftp 198.168.1.5 cert-name local.cer exec pki x509 tftp 198.168.1.5 crl-name distrust.crl

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3XEOLF .H\ &U\SWRJUDSK\

&HUWLILFDWHV DQG &5/V

([DPSOH &RQILJXULQJ 'HIDXOW 6HUYHU 6HWWLQJV IRU D &5/


In Phase 1 negotiations, participants check the CRL list to see if certificates received during an IKE exchange are still valid. If a CRL did not accompany a CA certificate and is not loaded in the NetScreen database, the NetScreen 7 device tries to retrieve the CRL through the LDAP or HTTP CRL location defined within the certificate itself. If there is no URL address defined in the certificate, the NetScreen device uses the URL of the server that you define. Note: With ScreenOS 2.5 and later, you can disable the checking of a CRLs digital signature when you load the CRL. However, disabling CRL certificate checking compromises the security of your NetScreen device. This example shows how to configure the default server to check the CRL daily by going to the LDAP server at 2.2.2.121 and locating the CRL file.

:HE8,
Certificates >> CA >> Default Server Settings: Enter the following, and the click OK. LDAP Server: 2.2.2.121 CRL URL: ldap:///CN=Netscreen, CN=ns2001,CN=Public KeyServices, CN=Services,CN=Configuration,DC=NS2001,DC=com?CertificateRevocat ionList?base?objectclass=CRLDistribution Point CRL Refresh Frequency: Daily X509 Cert_Path Validation Level: Full

7.

The CRL distribution point extension (.cdp) in an X509 certificate can be either an HTTP URL or an LDAP URL.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3XEOLF .H\ &U\SWRJUDSK\

&HUWLILFDWHV DQG &5/V

&/,
1. 2. set pki ldap server-name 2.2.2.121 set pki ldap crl-url ldap:///CN=Netscreen,CN=ns2001,CN=PublicKey Services,CN=Services,CN=Configuration,DC=NS2000,DC=com?Certificate RevocationList?base?objectclass=CRLDistributionPoint set pki x509 default crl-refresh daily set pki x509 default cert-path full

3. 4.

2EWDLQLQJ D &HUWLILFDWH $XWRPDWLFDOO\


To use a digital certificate to authenticate your identity when establishing a secure VPN connection, you must first do the following: Obtain a personal certificate (also known as a local certificate) from a certificate authority (CA), and load the certificate in the NetScreen device. Obtain a CA certificate for the CA that issued the personal certificate (basically verifying the identity of the CA verifying you), and load the CA certificate in the NetScreen device. You can perform this task manually, or automatically using Simple Certificate Enrollment Protocol (SCEP).

Because the manual method of requesting CA certificates has steps requiring you to copy information from one certificate to another, it can be a somewhat lengthy process. To bypass these steps, use the automatic method.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3XEOLF .H\ &U\SWRJUDSK\

&HUWLILFDWHV DQG &5/V

([DPSOH 5HTXHVWLQJ D &HUWLILFDWH $XWRPDWLFDOO\


In this example, you use the automatic method to request a certificate.

:HE8,
1. Certificates >> Local >> Certificate Request: Enter the following, and then click Generate: Name: Michael Zhang Phone: (408) 330-7800 Unit/Department: Development Organization: NetScreen Technologies County/Locality: Santa Clara State: CA Country: US Email: (leave blank; some CAs do not support this field) Note: If no e-mail address appears in the local certificate, you cannot use an e-mail address as the local IKE ID when configuring the NetScreen device as a dynamic peer. Instead, you can use a fully-qualified domain name (if it is in the local certificate), or you can leave the local ID field empty. By default the NetScreen device sends its hostname.domainname. If you do not specify a local ID for a dynamic peer, enter the hostname.domainname of that peer on the device at the other end of the IPSec tunnel in the peer ID field. IP Address: 10.10.5.44 Automatically Enroll to CA: (select radio button) Create new key pair of 10248 length: (select) The NetScreen device generates a PKCS #10 file and prompts you to open the file or save it to disk.
8. The value 1024 indicates the bit length of the key pair. If you are using the certificate for SSL, be sure to use a bit length that your Web browser also supports.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3XEOLF .H\ &U\SWRJUDSK\

&HUWLILFDWHV DQG &5/V

2. 3.

Contact your certificate authority to inform them of your certificate request. They must authorize the certificate request before you can download the certificate. You can wait for the system to download the certificate automatically using SCEP (if your CA supports it). This might take fifteen minutes or longer, so you might want to quicken the process by selecting the Certificate >> Pending >> Retrieve option.

&/,
1. 2. 3. 4. 5. Specify a certificate authority CA CGI path. set pki auth -1 scep ca-cgi http://pilotonsiteipsec.verisign.com/cgi-bin/pkiclient.exe9 Specify a registration authority RA CGI path. set pki auth -1 scep ra-cgi http://pilotonsiteipsec.verisign.com/cgi-bin/pkiclient.exe10 Generate an RSA key pair, specifying a key length of 1024 bits. exec pki rsa new 1024 Initiate the SCEP operation to request a local certificate. exec pki x509 scep -1 If this is the first attempt to apply for a certificate from this certificate authority, a prompt appears presenting a fingerprint value for the CA certificate. (Otherwise, go on to Step 6.) You need to contact the certificate authority to confirm that this is the correct CA certificate. Execute the following command to get the devices authentication mode. get pki auth -1 scep If the authentication mode is auto, go on to Step 6. Otherwise, execute: set pki auth -1 scep auth passed
9. The Common Gateway Interface (CGI) is a standard way for a web server to pass a user request to an application program, and to receive data back. CGI is part of the Hypertext Transfer Protocol (HTTP).

10. You must specify an RA CGI path even if the RA does not exist. If the RA does not exist, use the value specified for the CA CGI.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3XEOLF .H\ &U\SWRJUDSK\

&HUWLILFDWHV DQG &5/V

6. 7.

When the confirmation prompt appears, contact your certificate authority administrator to approve the local certificate request. (Optional) Display a list of pending certificates. This allows you to see and record the index number identifying the certificate. get pki x509 list pending-cert (Optional) Obtain the local certificate from the CA (using the index number obtained in Step 7) to identify the certificate. exec pki x509 scep 1 If you do not execute Steps 7 and 8, the NetScreen device still retrieves the certificate automatically from the CA. However, there is a time delay of at least 15 minutes. This delay period depends upon how you configured the device. The configuration command for this feature is: set pki auth -1 scep polling-int <number> where <number> is time in minutes. The minimum is 15.

8.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3XEOLF .H\ &U\SWRJUDSK\

&KHFNLQJ IRU 5HYRFDWLRQ 8VLQJ 2&63

&+(&.,1* )25 5(92&$7,21 86,1* 2&63


When a NetScreen device performs an operation that uses a certificate, it may be necessary to check the certificate for premature revocation. The default way to check the revocation status of a digital certificate is to use CRL. Online Certificate Status Protocol (OCSP) is an alternative way to check the status of a digital certificate. OCSP may provide additional information about the certificate. It may also provide the certificate status in a more timely manner. When a NetScreen device uses OCSP, it is referred to as the OCSP client (or requester). This client sends a verification request to a server device called the OCSP responder. The clients request contains the identity of the certificate to check. Before the NetScreen device can perform any OCSP operation, you must configure it to recognize the location of the OCSP responder. After receiving the request, the OCSP responder confirms that the status information for the certificate is available, then returns the current status to the client. Besides the certificates revocation status, the generated response includes the name of the responder and the validity interval of the response. Unless the response is an error message, the responder signs the response using the responders private key. The OCSP client verifies the validity of the response signature.

&RQILJXULQJ IRU 2&63


You can use CLI commands to configure a NetScreen device to support OCSP operation. Most of these commands use an identification number to associate the revocation reference URL with the CA certificate. You can obtain this ID number using the following CLI command: ns-> get pki x509 list ca-cert Note: The NetScreen device dynamically assigns the ID number to the CA certificate when you list the CA certificates. This number might change after you modify the certificate store.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3XEOLF .H\ &U\SWRJUDSK\

&KHFNLQJ IRU 5HYRFDWLRQ 8VLQJ 2&63

6SHFLI\LQJ (LWKHU &5/ RU 2&63 IRU 5HYRFDWLRQ &KHFNLQJ


To specify the revocation check method (CRL, OCSP, both, or none) for a certificate of a particular CA, use the following CLI syntax: ns-> set pki authority <id_num> cert-status revoc { CRL | OCSP | all | none } where <id_num> is the identification number for the certificate. The following example specifies OCSP revocation checking. ns-> set pki authority 3 cert-status revocation-check ocsp The ID number 3 identifies the certificate of the CA.

'LVSOD\LQJ &HUWLILFDWH 5HYRFDWLRQ 6WDWXV $WWULEXWHV


To display the revocation check attributes for a particular CA, use the following CLI syntax: ns-> get pki authority <id_num> cert-status where <id_num> is the identification number for the certificate issued by the CA. To display the revocation status attributes for the CA that issued certificate 7: ns-> get pki authority 7 cert-status

6SHFLI\LQJ WKH 85/ RI DQ 2&63 5HVSRQGHU IRU D &HUWLILFDWH


To specify the URL string of an OCSP responder for a particular certificate, use the following CLI syntax: ns-> set pki authority <id_num> cert-status ocsp url <url_str> To specify the URL string of an OCSP responder (http:\\192.168.10.10) for the CA with certificate at index 5, use the following CLI syntax: ns-> set pki authority 5 cert-status ocsp url http:\\192.168.10.10 To remove the URL (http:\\192.168.2.1) of a CRL server for a certificate 5: ns-> unset pki authority 5 cert-status ocsp url http:\\192.168.2.1

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3XEOLF .H\ &U\SWRJUDSK\

&KHFNLQJ IRU 5HYRFDWLRQ 8VLQJ 2&63

5HPRYLQJ &HUWLILFDWH 5HYRFDWLRQ &KHFN $WWULEXWHV


To remove all attributes related to a certificate revocation check for a CA that issued a particular certificate, use the following syntax: ns-> unset pki authority <id_num> cert-status To remove all revocation attributes related to certificate 1: ns-> unset pki authority 1 cert-status

1HW6FUHHQ &RQFHSWV

([DPSOHV



8uhr !

5RXWLQJ%DVHG 931V



The configuration of a NetScreen device for virtual private network (VPN) support is particularly flexible with USGA. In ScreenOS releases prior to 3.1.0, VPN tunnels are treated as objects (or building blocks) that together with source, destination, service, and action, comprise an access policy that permits VPN traffic. (Actually, the VPN policy action is tunnel, but the action permit is implied, if unstated). In ScreenOS 3.1.0, the concept of a VPN tunnel has shifted. In addition1 to the previous notion of a tunnel as an object used to build policiessee Chapter 13, Policy-Based VPNsa tunnel can also be viewed as a network resource used to transport traffic. Thus, you can consider a tunnel as a means for delivering traffic between points A and B, and a policy as a method for either permitting or denying the delivery of that traffic. Simply put, USGA allows you the freedom to decouple the regulation of traffic from the means of its delivery. This chapter presents an overview of the VPN concepts in USGA, and offers four examples of device configurations supporting LAN-to-LAN VPNs. The main sections are as follows: Tunnel Interfaces on page 312 Example: Tunnel Bound to Tunnel Interface on page 312 LAN-to-LAN VPNs on page 320 Example: Routing-Based LAN-to-LAN VPN, Manual Key on page 323 Example: Routing-Based LAN-to-LAN VPN, AutoKey IKE on page 334 Example: Routing-Based LAN-to-LAN VPN, Dynamic Peer on page 339 Dialup-to-LAN VPN, Dynamic Peer on page 354 Example: Routing-Based Dialup-to-LAN VPN, Dynamic Peer on page 355 Hub-and-Spoke VPNs on page 363 Example: Hub-and-Spoke VPNs on page 364 Back-to-Back VPNs on page 371 Example: Back-to-Back VPNs on page 372

1.

ScreenOS 3.1.0 continues to support pre-USGA VPN configuration concepts and methods.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

7XQQHO ,QWHUIDFHV

7811(/ ,17(5)$&(6
When you configure the remote gateway for a VPN tunnel, you must also specify a security zone interface as the local gateway2. After configuring the rest of the tunnel, you can create a tunnel interface and bind it to the VPN tunnel. Now you have a VPN tunnel that is bound both to a tunnel interface and to a local zone interface. You can set up routes to the tunnel interface to direct traffic through the tunnel. Conceptually, you can view VPN tunnels as pipes that you have laid. They extend from the local device to remote gateways, and the tunnel interfaces are the openings to these pipes. The pipes are always there, available for use whenever the routing engine directs traffic to one of their interfaces.

([DPSOH 7XQQHO %RXQG WR 7XQQHO ,QWHUIDFH


In this example, you configure a VPN tunnel between the corporate site and a branch office. The tunnel has the following characteristics: The VPN tunnel is bound to a tunnel interface named tunnel.1. AutoKey IKE VPN using a preshared key (netscreen1), Main mode, Encapsulating Security Protocol (ESP), Diffie-Hellman Group 2, 3DES encryption, and SHA-1 authentication. The interface specified as the local gateway on the corporate site is 210.1.1.1. (The branch office uses this address as the remote gateway in its IKE configuration.) The NetScreen device at the corporate site is running ScreenOS 3.1.0. The NetScreen device at the remote site is running an earlier version of ScreenOS.

Note: Only the configuration for the corporate end of the tunnel is given below. For information on configuring a NetScreen device running pre-USGA ScreenOS, see the NetScreen Concepts & Examples ScreenOS Reference Guide for the version of ScreenOS that is appropriate for your device.

2.

Your IKE peer uses the IP address of your local gateway interface (or outgoing-interface) when configuring the remote gateway on his NetScreen device.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

7XQQHO ,QWHUIDFHV

Note: The castle icon represents a security zone interface.

Untrust-VR Routing Domain Default Gateway 210.1.1.254

Trust-VR Routing Domain

Branch1 10.2.1.0/24 Gateway 211.2.2.2/24

tunnel.1

VPN tunnel: to_branch1

Zone: Sales 10.1.1.1/24 eth2/1

Zone: Untrust 210.1.1.1/24 eth1/2

The NetScreen device sends the encapsulated VPN traffic to the external router acting as the default gateway.

:HE8,
6HFXULW\ =RQHV
1. Zone >> New Entry: Enter the following, and then click OK: Name: Sales Virtual Router Name: trust-vr Note: The Untrust zone is preconfigured. You do not have to create it.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

7XQQHO ,QWHUIDFHV

,QWHUIDFHV =RQHV DQG 7XQQHO


2. Interfaces >> Edit (for ethernet2/1): Enter the following, and then click OK: IP Address: 10.1.1.1 Netmask: 255.255.255.0 Zone Name: Sales Interface Mode: Route 3. Interfaces >> Edit (for ethernet1/2): Enter the following, and then click OK: IP Address: 210.1.1.1 Netmask: 255.255.255.0 Zone Name: Untrust 4. Interfaces >> Tunnel >> New Entry: Enter the following, and then click Save: Tunnel Interface Name Tunnel.: 1 Zone: Untrust Unnumbered: (select) Interface: ethernet1/2(Untrust)3

3.

The source interface must be in the same zone to which the tunnel interface is bound; in this case, the Untrust zone. The unnumbered tunnel interface borrows the IP address of the specified security zone interface.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

7XQQHO ,QWHUIDFHV

931
5. VPNs >> Gateway (P1) >> New Remote Tunnel Gateway: Enter the following, and then click OK: Gateway Name: branch1 Remote Gateway Static IP Address: (select) IP Address: 211.2.2.2 Mode (Initiator) Main (ID Protection): (select) Outgoing Interface: ethernet1/24 Phase 1 Proposal: pre-g2-3des-sha Preshared Key: netscreen1 6. VPNs >> AutoKey (P2) >> New AutoKey IKE Entry: Enter the following, and then click OK: Name: to_branch1 Enable Replay Protection: (select) Remote Gateway Tunnel: branch1 Phase 2 Proposal: g2-esp-3des-sha Bind to: Tunnel Interface: tunnel.1 Enable Proxy-ID: (select) Local IP: 10.1.1.0 Netmask: 255.255.255.0 Remote IP: 10.2.1.0 Netmask: 255.255.255.0 Service: ANY

4.

The outgoing interface does not have to be in the same zone to which the tunnel interface is bound.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

7XQQHO ,QWHUIDFHV

$GGUHVVHV
7. Address >> New Address: Enter the following, and then click OK: Address Name: sales-any IP Address/Domain Name: 10.1.1.0 Netmask: 255.255.255.0 Zone: Sales 8. Address >> New Address: Enter the following, and then click OK: Address Name: branch1 IP Address/Domain Name: 10.2.1.0 Netmask: 255.255.255.0 Zone: Untrust

5RXWHV
9. Routing >> Route Table >> New Entry: Enter the following, and then click OK 5: Virtual Router Name: trust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Hop Virtual Router Name: untrust-vr 10. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust-vr Network Address: 10.2.1.0 Netmask: 255.255.255.0 Gateway IP Address Interface: tunnel.1

5.

This route exists by default and does not need to be configured for this example. Its inclusion here is purely to illustrate how to configure it.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

7XQQHO ,QWHUIDFHV

11. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway IP Address: 210.1.1.2546 Interface: ethernet1/2(untrust-vr) Note: Because the interface for the Sales zone (eth2/1) is in Route mode, the NetScreen device automatically makes an entry for it in the untrust-vr route table. You do not have to enter one manually.

3ROLFLHV
12. Policy (From Zone: Sales, To Zone: Untrust) >> New Policy: Enter the following, and then click OK: Source Address: sales-any Destination Address: branch1 Service: Any Action: Permit 13. Policy (From Zone: Untrust, To Zone: Sales) >> New Policy: Enter the following, and then click OK: Source Address: branch1 Destination Address: sales-any Service: Any Action: Permit

6. Setting a route to the external router designated as the default gateway is essential for both outbound VPN and network traffic. In this example, the NetScreen device sends encapsulated VPN traffic to this router as the first hop along its route to the remote peers gateway. In the illustration for this example, the concept is presented by depicting the tunnel passing through the router.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

7XQQHO ,QWHUIDFHV

&/,
6HFXULW\ =RQHV
1. set zone name sales Note: The Untrust zone is preconfigured. You do not have to create it.

,QWHUIDFHV =RQHV DQG 7XQQHO


2. 3. 4. 5. 6. 7. 8. set interface eth2/1 zone sales set interface eth2/1 ip 10.1.1.1 255.255.255.0 set interface eth2/1 route set interface eth1/2 zone untrust set interface eth1/2 ip 210.1.1.1 255.255.255.0 set interface tunnel.1 zone untrust set interface tunnel.1 ip unnumbered interface eth1/2

931
9. set ike gateway branch1 ip 211.2.2.2 main outgoing-interface eth1/2 preshare netscreen1 proposal pre-g2-3des-sha 10. set vpn to_branch1 gateway branch1 replay proposal g2-esp-3des-sha 11. set vpn to_branch bind interface tunnel.1 12. set vpn to_branch1 proxy-id local-ip 10.1.1.0 255.255.255.0 remote-ip 10.2.1.0 255.255.255.0 any

$GGUHVVHV
13. set address sales sales-any 10.1.1.0 255.255.255.0 14. set address untrust branch1 10.2.1.0 255.255.255.0

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

7XQQHO ,QWHUIDFHV

5RXWHV
15. set vrouter trust-vr route 0.0.0.0 0.0.0.0 vrouter untrust-vr 16. set vrouter untrust-vr route 10.2.1.0 255.255.255.0 interface tunnel.1 17. set vrouter untrust-vr route 0.0.0.0 0.0.0.0 interface eth1/2 gateway 210.1.1.254 Note: Because the interface for the Sales zone (eth2/1) is in Route mode, the NetScreen device automatically makes an entry for it in the untrust-vr route table. You do not have to enter one manually.

3ROLFLHV
18. set policy from sales to untrust sales-any branch1 any permit 19. set policy from untrust to sales branch1 sales-any any permit 20. save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

/$172/$1 9316
An IPSec VPN tunnel exists between two gateways, and each gateway needs an IP address. When both gateways have static IP addresses, you can configure the following kinds of tunnels: LAN-to-LAN VPN, Manual Key tunnel LAN-to-LAN VPN, AutoKey IKE tunnel (with a preshared key or certificates)

When one gateway has a static address and the other has a dynamically assigned address, you can configure the following kind of tunnel: Dynamic Peer LAN-to-LAN VPN, AutoKey IKE tunnel (with a preshared key or certificates) As used here, a static LAN-to-LAN VPN involves an IPSec tunnel connecting two LANs, each with a NetScreen device operating as a secure gateway. The physical interface or subinterface used as the outgoing interface on both devices has a fixed IP address, and the internal hosts also have static IP addresses. If the NetScreen device is in Transparent mode, the VLAN1 address or the System IP addressboth of which are fixed addressesis used.7 (See Example: Routing-Based LAN-to-LAN VPN, Manual Key on page 323, and Example: Routing-Based LAN-to-LAN VPN, AutoKey IKE on page 334.) With a static LAN-to-LAN VPN, hosts at either end of the tunnel can initiate the VPN tunnel setup because the IP address of the remote gateway remains constant and thus reachable. If the outgoing interface of one of the NetScreen devices has a dynamically assigned IP address, that device is termed a dynamic peer and the VPN is configured differently. (See Example: Routing-Based LAN-to-LAN VPN, Dynamic Peer on page 339.) With a dynamic peer LAN-to-LAN VPN, only hosts behind the dynamic peer can initiate the VPN tunnel setup because only their remote gateway has a fixed IP address and is thus reachable from their local gateway. However, after a tunnel has been set up between a dynamic peer and a static peer, hosts behind either gateway can initiate VPN traffic if the destination hosts have fixed IP addresses.

7.

If you set both the System IP and the VLAN1 IP address, the VLAN1 address takes priority and is the address to which you can terminate a VPN.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

7XQQHO ,QWHUIDFHV
Beyond the VPN tunnel termination points (the local and remote gateways), you can also configure tunnel interfaces in either a security zone or in a tunnel zone through which the NetScreen device directs traffic to and from the VPN tunnel8. You can bind a VPN tunnel to a specific numbered (with IP address/netmask) or unnumbered (without IP address/netmask) tunnel interface in a security zone. If the tunnel interface is unnumbered, it borrows the IP address from the interface of the security zone in which you created it.
Tunnel Interfaces Tunnel Zone Security Zone Interfaces VPN Tunnel

Numbered

When a numbered tunnel interface is in a tunnel zone, you cannot bind a VPN tunnel to the tunnel interface. You can only bind a tunnel to the tunnel zone. This allows multiple tunnel interfaces to link to a single tunnel, or multiple tunnels to link to a single tunnel interface. In such cases, you must create a policy-based VPN configuration. When a tunnel interface is in a security zone, you must bind a VPN tunnel to the tunnel interface. Doing so allows you to create a routing-based VPN configuration.

Numbered or Unnumbered

Security Zone

VPN Tunnel

The tunnel interface can be numbered or unnumbered. If it is unnumbered, the tunnel interface borrows the IP address from the security zone interface. Note: Only a numbered tunnel interface (that is, an interface with an IP address and netmask) can support policy-based NAT. When a numbered tunnel interface is in a security zone and is the only interface in that zone, you do not need to create a security zone interface. In this case, the security zone supports VPN traffic via the tunnel interface, but no other kind of traffic.

Security

Numbered
Zone

VPN Tunnel

Generally, assign an IP address to a tunnel interface if you want the interface to support policy-based NAT. For more information about policy-based NAT, see . You can create a numbered tunnel interface in either a tunnel zone or security zone.

8.

If you do not specify a tunnel interface, the tunnel uses the default interface for the security zone.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

If the tunnel interface does not need to support policy-based NAT, and your configuration does not require the tunnel interface to be bound to a tunnel zone, you can specify the interface as unnumbered. You must bind an unnumbered tunnel interface to a security zone; you cannot bind it to a tunnel zone. You must also specify an interface bound to that security zone whose IP address the unnumbered tunnel interface borrows. Note: The security zone interface that you specify must be in the same zone to which you have bound the tunnel interface.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

([DPSOH 5RXWLQJ%DVHG /$1WR/$1 931 0DQXDO .H\


In this example, a Manual Key tunnel provides a secure communication channel between offices in Tokyo and Paris, using ESP with 3DES encryption and SHA-1 authentication. The Trust zones at each site are in NAT mode. The addresses are as follows: Tokyo: - Trust interface (ethernet1): 192.168.10.1/24 - Untrust interface (ethernet3): 201.22.3.14/24 Paris: - Trust Interface (ethernet1): 172.16.5.1/24 - Untrust interface (ethernet3): 203.3.3.10/24

The Trust security zone and the Untrust-Tun tunnel zone are in the Trust-VR routing domain. The Untrust security zone is in the Untrust-VR routing domain. The Untrust zone interface (ethernet3) serves as the outgoing interface for the VPN tunnel.
Topology of the zones configured on the NetScreen device in Tokyo. Tokyo
Paris

Topology of the zones configured on the NetScreen device in Paris.


Tokyo

Paris

Trust Zone

Untrust Zone

Untrust Zone

Trust Zone

Tokyo Trust Zone eth1, 192.168.10.1/24

Outgoing Interface Untrust Zone eth3, 201.22.3.14/24 Gateway 201.22.3.20 Internet VPN Tunnel Tunnel Interface Tunnel.1

Outgoing Interface Untrust Zone eth3, 203.3.3.10/24 Gateway 203.3.3.1

Paris Trust Zone eth1, 172.16.5.1/24

Tunnel Interface Tunnel.1

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

To set up the tunnel, perform the following five steps on the NetScreen devices at both ends of the tunnel: 1. 2. 3. 4. 5. Assign IP addresses to the physical interfaces bound to the security zones and to the tunnel interface. Configure the VPN tunnel, designate its outgoing interface in the Untrust zone, bind it to the tunnel interface, and configure its proxy-ID. Enter the IP addresses for the local and remote endpoints in the trust and untrust address books. Enter a default route from the Trust-VR to the Untrust-VR, another default route to the external router in the Untrust-VR, and a route to the destination via the tunnel interface. Set up access policies for VPN traffic to pass between each site.

:HE8, 7RN\R
,QWHUIDFHV 6HFXULW\ =RQHV DQG 7XQQHO
1. Interfaces >> Physical >> Edit (for ethernet1): Enter the following, and then click Save: IP Address: 192.168.10.1 Netmask: 255.255.255.0 Zone Name: Trust Interface Mode: NAT 2. Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save: IP Address: 201.22.3.14 Netmask: 255.255.255.0 Zone Name: Untrust 3. Interfaces >> Tunnel >> New Entry: Enter the following, and then click Save: Tunnel Interface Name Tunnel.: 1 Zone: Untrust Unnumbered: (select) Interface: ethernet3(Untrust)
1HW6FUHHQ &RQFHSWV ([DPSOHV 

&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

931
4. VPNs >> Manual Key >> New Manual Key Entry: Enter the following, and then click OK: VPN Tunnel Name: Tokyo_Paris Gateway IP: 203.3.3.10 Security Index: 3020 (Local), 3030 (Remote) Outgoing Interface: ethernet3 Bind to Tunnel Interface: (select), tunnel.1 ESP-CBC: (select) Encryption Algorithm: 3DES-CBC Generate Key by Password: asdlk24234 Authentication Algorithm: SHA-1 Generate Key by Password: PNas134a

$GGUHVVHV
5. Address >> Address >> New Address: Enter the following, and then click OK: Address Name: Trust_LAN IP Address/Domain Name: 192.168.10.0 Netmask: 255.255.255.0 Zone: Trust 6. Address >> Address >> New Address: Enter the following, and then click OK: Address Name: Paris_office IP Address/Domain Name: 172.16.5.0 Netmask: 255.255.255.0 Zone: Untrust

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

5RXWHV
7. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: trust_vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Hop Virtual Router Name: (select), untrust-vr 8. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust_vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway IP Address: 201.22.3.20 Interface: ethernet3 9. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust_vr Network Address: 172.16.5.0 Netmask: 255.255.255.0 Gateway IP Address: 0.0.0.0 Interface: Tunnel.1

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

3ROLFLHV
10. Policies >> Policy (From Zone Trust, To Zone Untrust) >> New Policy: Enter the following, and then click OK: Name: To Paris Source Address: Trust_LAN Destination Address: Paris_office Service: ANY Action: Permit 11. Policies >> Policy (From Zone Untrust, To Zone Trust) >> New Policy: Enter the following, and then click OK: Name: From Paris Source Address: Paris_office Destination Address: Trust_LAN Service: ANY Action: Permit

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

:HE8, 3DULV
,QWHUIDFHV 6HFXULW\ =RQHV
1. Interfaces >> Physical >> Edit (for ethernet1): Enter the following, and then click Save: IP Address: 172.16.5.1 Netmask: 255.255.255.0 Zone Name: Trust Interface Mode: NAT 2. Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save: IP Address: 203.3.3.10 Netmask: 255.255.255.0 Zone Name: Untrust 3. Interfaces >> Tunnel >> New Entry: Enter the following, and then click Save: Tunnel Interface Name Tunnel.: 1 Zone: Untrust Unnumbered: (select) Interface: ethernet3(Untrust)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

931
4. VPNs >> Manual Key >> New Manual Key Entry: Enter the following, and then click OK: VPN Tunnel Name: Paris_Tokyo Gateway IP: 201.22.3.14 Security Index: 3030 (Local), 3020 (Remote) Outgoing Interface: ethernet3(Untrust) Bind to Tunnel Interface: (select), tunnel.1 ESP-CBC: (select) Encryption Algorithm: 3DES-CBC Generate Key by Password: asdlk24234 Authentication Algorithm: SHA-1 Generate Key by Password: PNas134a

$GGUHVVHV
5. Address >> Address >> New Address: Enter the following, and then click OK: Address Name: Trust_LAN IP Address/Domain Name: 172.16.5.0 Netmask: 255.255.255.0 Zone: Trust 6. Address >> Address >> New Address: Enter the following, and then click OK: Address Name: Tokyo_office IP Address/Domain Name: 192.168.10.0 Netmask: 255.255.255.0 Zone: Untrust

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

5RXWHV
7. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: trust_vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Hop Virtual Router Name: (select), untrust-vr 8. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust_vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway IP Address: 203.3.3.1 Interface: ethernet3 9. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust_vr Network Address: 192.168.10.0 Netmask: 255.255.255.0 Gateway IP Address: 0.0.0.0 Interface: Tunnel.1

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

3ROLFLHV
10. Policies >> Policy (From Zone Trust, To Zone Untrust) >> New Policy: Enter the following, and then click OK: Name: To Tokyo Source Address: Trust_LAN Destination Address: Tokyo_office Service: ANY Action: Permit 11. Policies >> Policy (From Zone Untrust, To Zone Trust) >> New Policy: Enter the following, and then click OK: Name: From Tokyo Source Address: Tokyo_office Destination Address: Trust_LAN Service: ANY Action: Permit

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

&/, 7RN\R
,QWHUIDFHV =RQHV DQG 7XQQHO
1. 2. 3. 4. 5. 6. 7. set interface ethernet1 zone trust set interface ethernet1 ip 192.168.10.1/24 set interface ethernet1 nat9 set interface ethernet3 zone untrust set interface ethernet3 ip 201.22.3.14/24 set interface tunnel.1 zone untrust set interface tunnel.1 ip unnumbered interface ethernet3 set vpn tokyo_paris manual 3020 3030 gateway 203.3.3.10 outgoing-interface ethernet3 esp 3des password asdlk24234 auth sha-1 password PNas134a set vpn tokyo_paris bind interface tunnel.1

931
8. 9.

$GGUHVVHV
10. set address trust Trust_LAN 192.168.10.0/24 11. set address untrust paris_office 172.16.5.0/24

5RXWH
12. set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr 13. set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3 gateway 201.22.3.20 14. set vrouter untrust-vr route 172.16.5.0/24 interface tunnel.1

3ROLFLHV
15. set policy name To Paris from trust to untrust Trust_LAN paris_office any permit 16. set policy name From Paris from untrust to trust paris_office Trust_LAN any permit 17. save
9. By default, the Trust zone is in NAT mode. This command is unnecessary but is included to maintain symmetry with the WebUI configuration.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

&/, 3DULV
,QWHUIDFHV =RQHV DQG 7XQQHO
1. 2. 3. 4. 5. 6. 7. set interface ethernet1 zone trust set interface ethernet1 ip 172.16.5.1/24 set interface ethernet1 nat set interface ethernet3 zone untrust set interface ethernet3 ip 203.3.3.10/24 set interface tunnel.1 zone untrust set interface tunnel.1 ip unnumbered interface ethernet3

931
8. 9. set vpn paris_tokyo manual 3030 3020 gateway 201.22.3.14 outgoing-interface ethernet3 esp 3des password asdlk24234 auth sha-1 password PNas134a set vpn paris_tokyo bind interface tunnel.1

$GGUHVVHV
10. set address trust Trust_LAN 172.16.5.0/24 11. set address untrust tokyo_office 192.168.10.0/24

5RXWH
12. set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr 13. set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3 gateway 203.3.3.1 14. set vrouter untrust-vr route 192.168.10.0/24 interface tunnel.1

3ROLFLHV
15. set policy name To Tokyo from trust to untrust Trust_LAN tokyo_office any permit 16. set policy name From Tokyo from untrust to trust tokyo_office Trust_LAN any permit 17. save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

([DPSOH 5RXWLQJ%DVHG /$1WR/$1 931 $XWR.H\ ,.(


In this example, an AutoKey IKE tunnel using either a preshared secret or a pair of certificates (one at each end of the tunnel) provides the secure connection between the Tokyo and Paris offices. The Phase 1 negotiations are in Main mode, and the tunnel uses ESP with 3DES encryption and SHA-1 authentication.

Topology of the zones configured on the NetScreen device in Tokyo. Tokyo


Paris

Topology of the zones configured on the NetScreen device in Paris.


Tokyo

Paris

Trust Zone

Untrust Zone

Untrust Zone

Trust Zone

Tokyo Trust Zone eth1, 192.168.10.1/24

Outgoing Interface Untrust Zone eth3, 201.22.3.14/24 Gateway 201.22.3.20 Internet VPN Tunnel Tunnel Interface Tunnel.1

Outgoing Interface Untrust Zone eth3, 203.3.3.10/24 Gateway 203.3.3.1

Paris Trust Zone eth1, 172.16.5.1/24

Tunnel Interface Tunnel.1

Setting up a routing-based AutoKey IKE tunnel using either a preshared secret or certificates involves the following two steps: 1. 2. Define the remote gateway and key exchange mode, and specify either a preshared secret or a certificate. Create the Autokey IKE VPN entry, bind the tunnel to a tunnel interface, and configure a proxy-ID.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

Note: The full AutoKey IKE configuration also involves the following procedures: Defining security zone interface IP addresses Creating an unnumbered tunnel interface Making address book entries for the local and remote end entities Setting up routes Configuring access policies.

However, because those steps are the same as those explained in Example: Routing-Based LAN-to-LAN VPN, Manual Key on page 323, they are omitted here. In the following examples, the preshared key is h1p8A24nG5. It is assumed that both participants already have certificates. (For more information about obtaining and loading certificates, see Certificates and CRLs on page 297.)

:HE8, 7RN\R
1. VPNs >>Gateway (P1) >> New Remote Tunnel Gateway: Enter the following, and then click OK: Gateway Name: To_Paris Remote Gateway Static IP Address: (select) IP Address: 203.3.3.10 Mode (Initiator): Main (ID Protection) Outgoing Interface: ethernet3 For preshared key: Phase 1 Proposal: pre-g2-3des-sha Preshared Key: h1p8A24nG5 For certificate: Phase 1 Proposal: rsa-g2-3des-sha
1HW6FUHHQ &RQFHSWV ([DPSOHV 

&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

2.

VPNs >> AutoKey (P2) >> New AutoKey IKE Entry: Enter the following, and then click OK: Name: Tokyo_Paris Remote Gateway Tunnel: To_Paris Phase 2 Proposal: nopfs-esp-3des-sha Bind to Tunnel Interface: (select), tunnel.1 Enable Proxy-ID: (select) Local IP: 192.168.10.0 Netmask: 255.255.255.0 Remote IP: 172.16.5.0 Netmask: 255.255.255.0 Service: ANY

:HE8, 3DULV
1. VPNs >> Gateway (P1) >> New Remote Tunnel Gateway: Enter the following, and then click OK: Gateway Name: To_Tokyo Remote Gateway Static IP Address: (select) IP Address: 201.22.3.14 Mode (Initiator): Main (ID Protection) Outgoing Interface: ethernet3 For preshared key: Phase 1 Proposal: pre-g2-3des-sha Preshared Key: h1p8A24nG5 For certificate: Phase 1 Proposal: rsa-g2-3des-sha
1HW6FUHHQ &RQFHSWV ([DPSOHV 

&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

Preferred certificate Peer CA: Entrust Preferred certificate Peer Type: X509-SIG 2. VPNs >> AutoKey (P2) >> New AutoKey IKE Entry: Enter the following, and then click OK: Name: Paris_Tokyo Remote Gateway Tunnel: To_Tokyo Phase 2 Proposal: nopfs-esp-3des-sha Bind to Tunnel Interface: (select), tunnel.1 Enable Proxy-ID: (select) Local IP: 172.16.5.0 Netmask: 255.255.255.0 Remote IP: 192.168.10.0 Netmask: 255.255.255.0 Service: ANY

&/, 7RN\R
3UHVKDUHG .H\
1. 2. 3. 4. 5. set ike gateway to_paris ip 203.3.3.10 main outgoing-interface eth3 preshare h1p8A24nG5 proposal pre-g2-3des-sha-1 set vpn tokyo_paris gateway to_paris tunnel proposal nopfs-esp-3des-sha set vpn tokyo_paris bind interface tunnel.1 set vpn tokyo_paris proxy-id local-ip 192.168.10.0/24 remote-ip 172.16.5.0/24 any save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

&HUWLILFDWH
1. 2. 3. 4. 5. set ike gateway to_paris ip 203.3.3.10 main outgoing-interface eth3 proposal rsa-g2-3des-sha set vpn tokyo_paris gateway to_paris tunnel proposal nopfs-esp-3des-sha set vpn tokyo_paris bind interface tunnel.1 set vpn tokyo_paris proxy-id local-ip 192.168.10.0/24 remote-ip 172.16.5.0/24 any save

&/, 3DULV
3UHVKDUHG .H\
1. 2. 3. 4. 5. set ike gateway to_tokyo ip 201.22.3.14 main outgoing-interface eth3 preshare h1p8A24nG5 proposal pre-g2-3des-sha-1 set vpn paris_tokyo gateway to_tokyo tunnel proposal nopfs-esp-3des-sha set vpn paris_tokyo bind interface tunnel.1 set vpn paris_tokyo proxy-id local-ip 172.16.5.0/24 remote-ip 192.168.10.0/24 any save

&HUWLILFDWH
1. 2. 3. 4. 5. set ike gateway to_tokyo ip 201.22.3.14 main outgoing-interface eth3 proposal rsa-g2-3des-sha set vpn paris_tokyo gateway to_tokyo tunnel proposal nopfs-esp-3des-sha set vpn paris_tokyo bind interface tunnel.1 set vpn paris_tokyo proxy-id local-ip 172.16.5.0/24 remote-ip 192.168.10.0/24 any save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

([DPSOH 5RXWLQJ%DVHG /$1WR/$1 931 '\QDPLF 3HHU


In this example, a VPN tunnel securely connects the users in the Trust zone behind NetScreen A to the mail server in the corporate DMZ zone, protected by NetScreen B. The Untrust zone interface for NetScreen B has a static IP address. The ISP serving NetScreen A assigns the IP address for its Untrust zone interface dynamically via DHCP. Because only NetScreen B has a fixed address for its Untrust zone, VPN traffic must originate from hosts behind NetScreen A. After NetScreen A has established the tunnel, traffic through the tunnel can originate from either end.

Topology of the zones configured on NetScreen A at the branch office. A


B A

Topology of the zones configured on NetScreen B at the corporate site. B

Trust Zone

Untrust Zone

Untrust Zone

DMZ Zone

Branch Office Trust Zone eth1, 10.10.10.1/24

Outgoing Interface Untrust Zone eth3 and gateway dynamically assigned by ISP

Outgoing Interface Untrust Zone eth3, 203.10.20.1/24 Gateway 203.10.20.2

Corporate Office DMZ Zone eth2, 172.30.5.1/24 Mail Server 172.30.5.5

Internet NetScreen A SMTP or POP3 Request Tunnel Interface Tunnel.1 VPN Tunnel DHCP Server 203.2.3.1 NetScreen B Tunnel Interface Tunnel.1 IDENT Request

Note: Before making an SMTP or POP3 connection to the corporate mail server, Phil must first initiate an HTTP, FTP, or Telnet connection so that NetScreen A can authenticate him.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

In this example, authentication user Phil (login name: pmason; password: Nd4syst4) wants to get his e-mail from the mail server at the corporate site. When he attempts to do so, he is authenticated twice: first, NetScreen A authenticates him locally before allowing traffic from him through the tunnel10; second, the mail server program authenticates him, sending the IDENT request through the tunnel. Note: The mail server can send the IDENT request through the tunnel only if the NetScreen A and B administrators add a custom service for it (TCP, port 113) and set up access policies allowing that traffic through the tunnel to the 10.10.10.0/24 subnet. The preshared key is h1p8A24nG5. It is assumed that both participants already have certificates, and that the e-mail address jking@abc.com appears in the local certificate on NetScreen A. (For more information about obtaining and loading certificates, see Certificates and CRLs on page 297.)

:HE8, 1HW6FUHHQ $
,QWHUIDFHV 6HFXULW\ =RQHV DQG 7XQQHO
1. Interfaces >> Physical >> Edit (for ethernet1): Enter the following, and then click Save: IP Address: 10.10.10.1 Netmask: 255.255.255.0 Zone Name: Trust Interface Mode: NAT 2. Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save11 : IP Address: Obtain IP using DHCP (select) Zone Name: Untrust

10. Because Phil is an authentication user, before he can make an SMTP of POP3 request, he must first initiate an HTTP, FTP, or Telnet connection so that NetScreen A can respond with a firewall user/login prompt to authenticate him. After NetScreen A authenticates him, he has permission to contact the corporate mail server via the VPN tunnel. 11. You cannot specify the IP address of the DHCP server through the WebUI; however, you can do so through the CLI.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

3.

Interfaces >> Tunnel >> New Entry: Enter the following, and then click Save: Tunnel Interface Name Tunnel.: 1 Zone: Untrust Unnumbered: (select) Interface: ethernet3(Untrust)

8VHU
4. Users >> Users >> New AUTH/IKE/L2TP User: Enter the following, and then click OK: User Name: pmason Authentication User: (select) User Password: Nd4syst4 Confirm Password: Nd4syst4

$GGUHVVHV
5. Address >> Address >> New Address: Enter the following, and then click OK: Address Name: Trusted network IP Address/Domain Name: 10.10.10.0 Netmask: 255.255.255.0 Zone: Trust 6. Address >> Address >> New Address: Enter the following, and then click OK: Address Name: Mail Server IP Address/Domain Name: 172.30.5.5 Netmask: 255.255.255.255 Zone: Untrust

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

6HUYLFHV
7. Services >> Custom >> New Service: Enter the following, and then click OK: Service Name: Ident Source Port: (Low) 113, (High) 113 Transport: TCP (select) 8. Services >> Custom >> New Group: Enter the following, move the following services, and then click OK: Group Name: Remote_Mail Group Members << Available Members: HTTP FTP Telnet Ident MAIL POP3

931
9. VPNs >> Gateway (P1) >> New Remote Tunnel Gateway: Enter the following, and then click OK: Gateway Name: To_Mail Remote Gateway: Static IP Address: (select) IP Address: 203.10.20.1 Mode (Initiator): Aggressive Outgoing Interface: ethernet3 For preshared key: Phase 1 Proposal: pre-g2-3des-sha Local ID: jking@abc.com

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

For certificate: Phase 1 Proposal: rsa-g2-3des-sha 10. VPNs >> AutoKey (P2) >> New AutoKey IKE Entry: Enter the following, and then click OK: Name: branch_corp Remote Gateway Tunnel: To_Mail Phase 2 Proposal: nopfs-esp-3des-sha Bind to Tunnel Interface: (select), tunnel.1 Enable Proxy-ID: (select) Local IP: 10.10.10.0 Netmask: 255.255.255.0 Remote IP: 172.30.5.5 Netmask: 255.255.255.255 Service: Remote_Mail

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

5RXWHV
11. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: trust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Hop Virtual Router Name: (select), untrust-vr 12. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway IP Address: (select), 0.0.0.012 Interface: ethernet3(untrust) 13. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust_vr Network Address: 172.30.5.5 Netmask: 255.255.255.255 Gateway IP Address: 0.0.0.0 Interface: Tunnel.1

12. The ISP provides the gateway IP address dynamically through DHCP.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

3ROLFLHV
14. Policies >> Policy (From Zone Trust, To Zone Untrust) >> New Policy: Enter the following, and then click OK: Source Address: Trusted network Destination Address: Mail Server Service: Remote_Mail Action: Permit 15. Policies >> Policy (From Zone Untrust, To Zone Trust) >> New Policy: Enter the following, and then click OK: Source Address: Mail Server Destination Address: Trusted network Service: Remote_Mail Action: Permit

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

:HE8, 1HW6FUHHQ %
,QWHUIDFHV 6HFXULW\ =RQHV
1. Interfaces >> Physical >> Edit (for ethernet2): Enter the following, and then click Save: IP Address: 172.30.5.1 Netmask: 255.255.255.0 Zone Name: DMZ 2. Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save: IP Address: 203.10.20.1 Netmask: 255.255.255.0 Zone Name: Untrust 3. Interfaces >> Tunnel >> New Entry: Enter the following, and then click Save: Tunnel Interface Name Tunnel.: 1 Zone: DMZ Unnumbered: (select) Interface: ethernet2(DMZ)

$GGUHVVHV
4. Address >> Address >> New Address: Enter the following, and then click OK: Address Name: Mail Server IP Address/Domain Name: 172.30.5.5 Netmask: 255.255.255.255 Zone: DMZ

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

5.

Address >> Address >> New Address: Enter the following, and then click OK: Address Name: branch office IP Address/Domain Name: 10.10.10.0 Netmask: 255.255.255.0 Zone: Untrust

6HUYLFHV
6. Services >> Custom >> New Service: Enter the following, and then click OK: Service Name: Ident Source Port: (Low) 113, (High) 113 Transport: TCP (select) 7. Services >> Custom >> New Group: Enter the following, move the following services, and then click OK: Group Name: Remote_Mail Group Members << Available Members: Ident MAIL POP3

931
8. VPNs >> Gateway (P1) >> New Remote Gateway: Enter the following, and then click OK: Gateway Name: To_branch Remote Gateway: Dynamic IP Address: (select) Peer ID: jking@abc.com Mode (Initiator): Aggressive Outgoing Interface: ethernet3

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

For preshared key: Phase 1 Proposal: pre-g2-3des-sha Preshared Key: h1p8A24nG5 For certificate: Phase 1 Proposal: rsa-g2-3des-sha 9. VPNs >> AutoKey (P2) >> New AutoKey IKE Entry: Enter the following, and then click OK: Name: corp_branch Remote Gateway Tunnel: To_branch Phase 2 Proposal: nopfs-esp-3des-sha Bind to Tunnel Interface: (select), tunnel.1 Enable Proxy-ID: (select) Local IP: 172.30.5.5 Netmask: 255.255.255.255 Remote IP: 10.10.10.0 Netmask: 255.255.255.0 Service: Remote_Mail

5RXWH
10. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway IP Address: (select), 203.10.20.2 Interface: ethernet3(untrust)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

11. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust_vr Network Address: 10.10.10.0 Netmask: 255.255.255.0 Gateway IP Address: 0.0.0.0 Interface: Tunnel.1

3ROLFLHV
12. Policies >> Policy (From Zone DMZ, To Zone Untrust) >> New Policy: Enter the following, and then click OK: Source Address: Mail Server Destination Address: branch office Service: Remote_Mail Action: Permit 13. Policies >> Policy (From Zone Untrust, To Zone DMZ) >> New Policy: Enter the following, and then click OK: Source Address: branch office Destination Address: Mail Server Service: Remote_Mail Action: Permit

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

&/, 1HW6FUHHQ $
,QWHUIDFHV 6HFXULW\ =RQHV DQG 7XQQHO
1. 2. 3. 4. 5. 6. 7. 8. set interface ethernet1 zone trust set interface ethernet1 ip 10.10.10.1/24 set interface ethernet1 nat13 set interface ethernet3 zone untrust set interface ethernet3 dhcp set dhcp client server 201.2.3.1 set interface tunnel.1 zone untrust set interface tunnel.1 ip unnumbered interface ethernet3

8VHU
9. set user pmason password Nd4syst4

$GGUHVVHV
10. set address trust trusted network 10.10.10.0 255.255.255.0 11. set address untrust mail server 172.30.5.5 255.255.255.255

6HUYLFHV
12. 13. 14. 15. 16. 17. set service ident protocol tcp src-port 113-113 set group service remote_mail set group service remote_mail add http set group service remote_mail add ftp set group service remote_mail add telnet set group service remote_mail add ident

13. By default, the Trust zone is in NAT mode. This command is unnecessary but is included to maintain symmetry with the WebUI configuration.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

18. set group service remote_mail add mail 19. set group service remote_mail add pop3

931
Preshared Key: 20. set ike gateway to_mail ip 203.10.20.4 aggressive outgoing-interface eth3 local-id jking@abc.com preshare h1p8A24nG5 proposal pre-g2-3des-sha-1 21. set vpn branch_corp gateway to_mail tunnel proposal nopfs-esp-3des-sha 22. set vpn branch_corp bind interface tunnel.1 23. set vpn branch_corp proxy-id local-ip 10.10.10.0/24 remote-ip 172.30.5.5/32 remote_mail Certificate: 18. set ike gateway to_mail ip 203.10.20.4 aggressive outgoing-interface eth3 local-id jking@abc.com proposal rsa-g2-3des-sha 19. set vpn branch_corp gateway to_mail tunnel proposal nopfs-esp-3des-sha 20. set vpn branch_corp bind interface tunnel.1 21. set vpn branch_corp proxy-id local-ip 10.10.10.0/24 remote-ip 172.30.5.5/32 remote_mail

5RXWHV
22. set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr 23. set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3 24. set vrouter-untrust-vr route 172.30.5.5/32 interface tunnel.1

3ROLFLHV
25. set policy from trust to untrust trusted network mail server remote_mail permit auth 26. set policy from untrust to trust mail server trusted network remote_mail permit 27. save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

&/, 1HW6FUHHQ %
,QWHUIDFHV 6HFXULW\ =RQHV
1. 2. 3. 4. 5. 6. set interface ethernet2 zone dmz set interface ethernet2 ip 172.30.5.1/24 set interface ethernet3 zone untrust set interface ethernet3 ip 203.10.20.1/24 set interface tunnel.1 zone untrust set interface tunnel.1 ip unnumbered interface ethernet3

$GGUHVVHV
7. 8. set address dmz mail server 172.30.5.5/32 set address untrust branch office 10.10.10.0/24

6HUYLFHV
9. 10. 11. 12. 13. set service ident protocol tcp src-port 113-113 set group service remote_mail set group service remote_mail add ident set group service remote_mail add mail set group service remote_mail add pop3

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

/$1WR/$1 931V

931
Preshared Key: 14. set ike gateway to_branch dynamic name@company.com aggressive outgoing-interface ethernet3 preshare h1p8A24nG5 proposal pre-g2-3des-sha 15. set vpn corp_branch gateway to_branch tunnel proposal nopfs-esp-3des-sha 16. set vpn to_branch bind interface tunnel.1 17. set vpn to_branch proxy-id local-ip 172.30.5.5/32 remote-ip 10.10.10.0/24 remote_mail 18. Certificate: 13. set ike gateway to_branch dynamic name@company.com aggressive outgoing-interface ethernet3 proposal rsa-g2-3des-sha 14. set vpn corp_branch gateway to_branch tunnel proposal nopfs-esp-3des-sha 15. set vpn to_branch bind interface tunnel.1 16. set vpn to_branch proxy-id local-ip 172.30.5.5/32 remote-ip 10.10.10.0/24 remote_mail

5RXWH
17. set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3 gateway 203.10.20.2 18. set vrouter untrust-vr route 10.10.10.0/24 interface tunnel.1

3ROLFLHV
19. set policy from dmz to untrust mail server branch office remote_mail permit 20. set policy from untrust to dmz branch office mail server remote_mail permit 21. save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

'LDOXSWR/$1 931 '\QDPLF 3HHU

',$/8372/$1 931 '<1$0,& 3((5


NetScreen devices also support VPN dialup connections. You can configure a NetScreen security gateway with a static IP address to secure an IPSec tunnel with a NetScreen-Remote client or with another NetScreen device with a dynamic IP address. You can configure policy-based VPN tunnels for VPN dialup users. For a dialup dynamic peer client14, you can configure either a policy-based or routing-based VPN. Because a dialup dynamic peer client can support a virtual internal IP address, which the NetScreen-Remote does, you can configure a routing table entry to that virtual internal address via a designated tunnel interface, allowing you to configure a routing-based VPN tunnel between the NetScreen device and that peer. Note: The dialup-to-LAN dynamic peer is nearly identical to the LAN-to-LAN dynamic peer except that the internal IP address for the dialup client is a virtual address.

14. A dialup dynamic peer client is a dialup client that supports a virtual internal IP address.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

'LDOXSWR/$1 931 '\QDPLF 3HHU

([DPSOH 5RXWLQJ%DVHG 'LDOXSWR/$1 931 '\QDPLF 3HHU


In this example, a VPN tunnel securely connects the user behind the NetScreen-Remote to the Untrust zone interface of the NetScreen device protecting the mail server in the DMZ zone. The Untrust zone interface has a static IP address. The NetScreen-Remote client has a dynamically assigned external IP address and a static (virtual) internal IP address, which must be known to the administrator of the NetScreen device so that he can add it to the Untrust address book for use in access policies to tunnel traffic from that source. After the NetScreen-Remote client establishes the tunnel, traffic through the tunnel can originate from either end.

Remote User: Phil NetScreen-Remote SMTP Request Internet VPN Tunnel

Outgoing Interface Untrust Zone eth3, 203.10.20.1/24 Gateway 203.10.20.2

Corporate Office DMZ Zone eth2, 172.30.5.1/24 Mail Server 172.30.5.5 IDENT Request

Internal IP Address 10.10.10.1

External IP Address Dynamic

Untrust Zone

DMZ Zone

In this example, Phil wants to get his e-mail from the mail server at the company site. When he attempts to do so, he is authenticated by the mail server program, which sends him an IDENT request through the tunnel. Note: The mail server can send the IDENT request through the tunnel only if the NetScreen-100 administrator adds a custom service for it (TCP, port 113) and sets up an outgoing access policy allowing that traffic through the tunnel to 10.10.10.1. The preshared key is h1p8A24nG5. It is assumed that both participants already have certificates, and that the local certificate on the NetScreen-Remote contains the IP address 10.10.10.1. (For more information about obtaining and loading certificates, see Certificates and CRLs on page 297.)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

'LDOXSWR/$1 931 '\QDPLF 3HHU

:HE8,
,QWHUIDFHV 6HFXULW\ =RQHV
1. Interfaces >> Physical >> Edit (for ethernet2): Enter the following, and then click Save: IP Address: 172.30.5.1 Netmask: 255.255.255.0 Zone Name: DMZ 2. Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save: IP Address: 203.10.20.1 Netmask: 255.255.255.0 Zone Name: Untrust

$GGUHVVHV
3. Address >> Address >> New Address: Enter the following, and then click OK: Address Name: Mail Server IP Address/Domain Name: 172.30.5.5 Netmask: 255.255.255.255 Zone: DMZ 4. Address >> Address >> New Address: Enter the following, and then click OK: Address Name: Phil IP Address/Domain Name: 10.10.10.1 Netmask: 255.255.255.255 Zone: Untrust

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

'LDOXSWR/$1 931 '\QDPLF 3HHU

6HUYLFHV
5. Services >> Custom >> New Service: Enter the following, and then click OK: Service Name: Ident Source Port: (Low) 113, (High) 113 Transport: TCP (select) 6. Services >> Custom >> New Group: Enter the following, move the following services, and then click OK: Group Name: Remote_Mail Group Members << Available Members: Ident MAIL POP3

931
7. VPNs >> Gateway (P1) >> New Remote Gateway: Enter the following, and then click OK: Gateway Name: To_Phil Remote Gateway: Dynamic IP Address: (select) Peer ID: 10.10.10.1 Mode (Initiator): Aggressive Outgoing Interface: ethernet3 For preshared key: Phase 1 Proposal: pre-g2-3des-sha Preshared Key: h1p8A24nG5 For certificate: Phase 1 Proposal: rsa-g2-3des-sha

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

'LDOXSWR/$1 931 '\QDPLF 3HHU

8.

VPNs >> AutoKey (P2) >> New AutoKey IKE Entry: Enter the following, and then click OK: Name: corp_Phil Remote Gateway Tunnel: To_Phil Phase 2 Proposal: nopfs-esp-3des-sha

5RXWH
9. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway IP Address: (select), 203.10.20.2 Interface: ethernet3(untrust)

3ROLF\
10. Policies >> Policy (From Zone DMZ, To Zone Untrust) >> New Policy: Enter the following, and then click OK: Source Address: Mail Server Destination Address: branch office Service: Remote_Mail Action: Tunnel VPN Tunnel: corp_Phil Create matching VPN policy: (select)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

'LDOXSWR/$1 931 '\QDPLF 3HHU

&/,
,QWHUIDFHV 6HFXULW\ =RQHV
1. 2. 3. 4. set interface ethernet2 zone dmz set interface ethernet2 ip 172.30.5.1/24 set interface ethernet3 zone untrust set interface ethernet3 ip 203.10.20.1/24

$GGUHVVHV
5. 6. set address dmz mail server 172.30.5.5/32 set address untrust phil 10.10.10.1/32

6HUYLFHV
7. 8. 9. 10. 11. set service ident protocol tcp src-port 113-113 set group service remote_mail set group service remote_mail add ident set group service remote_mail add mail set group service remote_mail add pop3

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

'LDOXSWR/$1 931 '\QDPLF 3HHU

931
Preshared Key: 12. set ike gateway to_phil dynamic 10.10.10.1 aggressive outgoing-interface ethernet3 preshare h1p8A24nG5 proposal pre-g2-3des-sha 13. set vpn corp_phil gateway to_phil tunnel proposal nopfs-esp-3des-sha Certificate: 13. set ike gateway to_phil dynamic name@company.com aggressive outgoing-interface ethernet3 proposal rsa-g2-3des-sha 14. set vpn corp_phil gateway to_phil tunnel proposal nopfs-esp-3des-sha

5RXWH
15. set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3 gateway 203.10.20.2

3ROLFLHV
16. set policy from dmz to untrust mail server phil remote_mail tunnel vpn corp_phil 17. set policy from untrust to dmz phil mail server remote_mail tunnel vpn corp_phil 18. save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

'LDOXSWR/$1 931 '\QDPLF 3HHU

1HW6FUHHQ5HPRWH
1. 2. 3. 4. Click Options >> Global Policy Settings, and select the Allow to Specify Internal Network Address check box. Options >> Secure >> Specified Connections. Click the Add a new connection button, and type Mail next to the new connection icon that appears. Configure the connection options: Connection Security: Secure Remote Party ID Type: IP Address IP Address: 172.30.5.5 Connect using Secure Gateway Tunnel: (select) ID Type: IP Address; 203.10.20.1 5. 6. Click the PLUS symbol, located to the left of the unix icon, to expand the connection policy. Click My Identity: Do either of the following: Click Pre-shared Key >> Enter Key: Type h1p8A24nG5, and then click OK. ID Type: Internal Network IP Address: Type 10.10.10.1. or Select a certificate from the Select Certificate drop-down list. ID Type: (select IP Address); Internal Network IP Address: Type 10.10.10.1. 7. Click the Security Policy icon, and select Aggressive Mode.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

'LDOXSWR/$1 931 '\QDPLF 3HHU

8. 9.

Click the PLUS symbol, located to the left of the Security Policy icon, and then the PLUS symbol to the left of Authentication (Phase 1) and Key Exchange (Phase 2) to expand the policy further. Click Authentication (Phase 1) >> Proposal 1: Select the following Encryption and Data Integrity Algorithms: Encrypt Alg: Triple DES Hash Alg: SHA-1 Key Group: Diffie-Hellman Group 2

10. Click Key Exchange (Phase 2) >> Proposal 1: Select the following IPSec Protocols: Encapsulation Protocol (ESP): (select) Encrypt Alg: 3DES Hash Alg: SHA-1 Encapsulation: Tunnel 11. Click the Save button.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

+XEDQG6SRNH 931V

+8%$1'632.( 9316
If you create two VPN tunnels that terminate at a NetScreen device, you can set up a pair of routes so that the NetScreen device directs traffic exiting one tunnel to the other tunnel. If both tunnels are contained within a single zone, you do not need to create an access policy to permit the traffic to pass from one tunnel to the other. You only need to define the routes. Such an arrangement is known as hub-and-spoke VPNs.

Remote Sites Untrust Zone Hub-and-Spoke VPN Tunnels

The NetScreen device routes traffic from one tunnel to the other tunnel.

You can also configure multiple VPNs in one zone and route traffic between any two tunnels.

Untrust Zone

Multiple Hub-and-Spoke VPN Tunnels

The NetScreen device routes traffic between tunnels.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

+XEDQG6SRNH 931V

([DPSOH +XEDQG6SRNH 931V


In this example, two branch offices in Tokyo and Paris communicate with each other via a pair of VPN tunnels VPN1 and VPN2. Each tunnel originates at the remote site and terminates at the corporate site in New York. The NetScreen device at the corporate site routes traffic exiting one tunnel into the other tunnel. Because both remote endpoints are in the same zone (the Untrust Zone), the NetScreen device at the corporate site only needs to do a route lookup, not a policy lookup, when conducting traffic from tunnel to tunnel. (An access policy is only required to permit traffic when it flows between security zones, not within a security zone.) You bind the tunnels to the tunnel interfacestunnel.1 and tunnel.2which are both unnumbered. The tunnels use AutoKey IKE, with preshared keys, Diffie-Hellman Group 2, 3DES encryption, and SHA-1 authentication. The Untrust zone interface is ethernet3. Note: Only the configuration for the NetScreen device at the corporate site is provided below.

Untrust Zone

Untrust VR Routing Domain

Outgoing Interface eth3 IP 123.1.1.1

Default Gateway Tokyo 110.1.1.1 IP 123.1.1.2 (Spoke)


Internet

Tokyo LAN 10.10.1.0/24

VPN1 VPN2 New York Corporate Site (Hub) Interface: tunnel.1 Interface: tunnel.2 Paris 220.2.2.2 (Spoke)
Paris LAN 10.20.1.0/24

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

+XEDQG6SRNH 931V

:HE8,
=RQHV
1. Zone >> Zone >>Edit (for Untrust): Enter the following, and then click OK: Block Intra-Zone Traffic: (clear)

,QWHUIDFHV =RQHV DQG 7XQQHOV


2. Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click OK: IP Address: 123.1.1.1 Netmask: 255.255.255.0 Zone Name: Untrust 3. Interfaces >> Tunnel >> New Entry: Enter the following, and then click Save: Tunnel Interface Name: tunnel.: 1 Unnumbered: (select) Interface: ethernet3(Untrust) 4. Interfaces >> Tunnel >> New Entry: Enter the following, and then click Save: Tunnel Interface Name: tunnel.: 2 Unnumbered: (select) Interface: ethernet3(Untrust)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

+XEDQG6SRNH 931V

931 IRU 7RN\R 2IILFH


5. VPNs >> Gateway (P1) >> New Remote Tunnel Gateway: Enter the following, and then click OK: Gateway Name: Tokyo Remote Gateway Static IP Address: (select) IP Address: 110.1.1.1 Mode (Initiator) Main (ID Protection): (select) Outgoing Interface: ethernet3 Phase 1 Proposal: pre-g2-3des-sha Preshared Key: netscreen1 6. VPNs >> AutoKey (P2) >> New AutoKey IKE Entry: Enter the following, and then click OK: Name: VPN1 Enable Replay Protection: (select) Remote Gateway Tunnel: Tokyo Phase 2 Proposal: g2-esp-3des-sha Enable Proxy-ID: (select)15 Local IP: 10.0.0.0 Netmask: 255.0.0.0 Remote IP: 10.10.1.0 Netmask: 255.255.255.0 Service: ANY

15. When configuring the VPN tunnel on the NetScreen device protecting the Tokyo and Paris offices, do either of the following: (Routing-based VPN) Select the Enable Proxy-ID check box and enter 10.10.1.0 255.255.255.0 (Tokyo) and 10.20.1.0 255.255.255.0 (Paris) for the Local IP and Netmask, and 10.0.0.0 255.0.0.0 for the Remote IP and Netmask. (Policy-based VPN) Make an entry in the Trust zone address book for 10.10.1.0 255.255.255.0 (Tokyo) and 10.20.1.0 255.255.255.0 (Paris) and another in the Untrust zone address book for 10.0.0.0 255.0.0.0, and use those as the source and destination addresses in the access policy referencing the VPN tunnel to the hub site.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

+XEDQG6SRNH 931V

931 IRU 3DULV 2IILFH


7. VPNs >> Gateway (P1) >> New Remote Tunnel Gateway: Enter the following, and then click OK: Gateway Name: Paris Remote Gateway Static IP Address: (select) IP Address: 220.2.2.2 Mode (Initiator) Main (ID Protection): (select) Outgoing Interface: ethernet3 Phase 1 Proposal: pre-g2-3des-sha Preshared Key: netscreen2 8. VPNs >> AutoKey (P2) >> New AutoKey IKE Entry: Enter the following, and then click OK: Name: VPN2 Enable Replay Protection: (select) Remote Gateway Tunnel: Paris Phase 2 Proposal: g2-esp-3des-sha Enable Proxy-ID: (select) Local IP: 10.0.0.0 Netmask: 255.0.0.0 Remote IP: 10.20.1.0 Netmask: 255.255.255.0 Service: ANY

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

+XEDQG6SRNH 931V

5RXWHV
9. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust_vr Network Address: 10.10.1.0 Netmask: 255.255.255.0 Interface: tunnel.1(untrust-vr) 10. Routing >> Route Table >> New Entry: Enter the following, and then click OK Virtual Router Name: untrust_vr Network Address: 10.20.1.0 Netmask: 255.255.255.0 Interface: tunnel.2(untrust-vr) 11. Routing >> Route Table >> New Entry: Enter the following, and then click OK Virtual Router Name: untrust_vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway IP Address: 123.1.1.2 Interface: ethernet3(untrust-vr)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

+XEDQG6SRNH 931V

&/,
=RQH
1. unset zone untrust block

,QWHUIDFHV =RQHV DQG 7XQQHOV


2. 3. 4. 5. 6. 7. set interface ethernet3 zone untrust set interface ethernet3 ip 123.1.1.1/24 set interface tunnel.1 zone untrust set interface tunnel.1 ip unnumbered interface eth3 set interface tunnel.2 zone untrust set interface tunnel.2 ip unnumbered interface eth3

931 IRU 7RN\R 2IILFH


8. set ike gateway Tokyo ip 110.1.1.1 main outgoing-interface eth3 preshare netscreen1 proposal pre-g2-3des-sha 9. set vpn VPN1 gateway Tokyo replay proposal g2-esp-3des-sha 10. set vpn VPN1 bind interface tunnel.1 11. set vpn VPN1 proxy-id local-ip 10.0.0.0/8 remote-ip 10.10.1.0/24 any16

16. When configuring the VPN tunnel on the NetScreen device protecting the Tokyo and Paris offices, do either of the following: (Routing-based VPN) Enter the following commands: set vpn VPN1 proxy-id local-ip 10.10.1.0/24 remote-ip 10.0.0.0/8 (Tokyo) and set vpn VPN1 proxy-id local-ip 10.20.1.0/24 remote-ip 10.0.0.0/8 (Paris). (Policy-based VPN) Make an entry in the Trust zone address book for 10.10.1.0/24 (Tokyo) and 10.20.1.0/24 (Paris) and another in the Untrust zone address book for 10.0.0.0/8, and use those as the source and destination addresses in the access policy referencing the VPN tunnel to the hub site.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

+XEDQG6SRNH 931V

931 IRU 3DULV 2IILFH


12. set ike gateway Paris ip 220.2.2.2 main outgoing-interface eth3 preshare netscreen1 proposal pre-g2-3des-sha 13. set vpn VPN2 gateway Paris replay proposal g2-esp-3des-sha 14. set vpn VPN2 bind interface tunnel.2 15. set vpn VPN2 proxy-id local-ip 10.0.0.0/8 remote-ip 10.20.1.0/24 any

5RXWHV
16. 17. 18. 19. set vrouter untrust-vr route 10.10.1.0/24 interface tunnel.1 set vrouter untrust-vr route 10.20.1.0/24 interface tunnel.2 set vrouter untrust-vr route 0.0.0.0/0 interface eth3 gateway 123.1.1.2 save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

%DFNWR%DFN 931V

%$&.72%$&. 9316
You can enforce access policies at the hub site for traffic passing from one VPN tunnel to another by putting the spoke sites in different zones. Because they are in different zones, the NetScreen device at the hub must do a policy lookup before routing the traffic from one tunnel to another. Thus you can control the traffic flowing via the VPN tunnels between the spoke sites. Such an arrangement is called back-to-back VPNs.

Back-to-Back VPNs
X1 Zone X2 Zone

Spoke A

Spoke B

VPN1 Policy Lookup

VPN2

Hub

A few benefits of back-to-back VPNs: You can conserve the number of VPNs you need to create. For example, perimeter site A can link to the hub, and to perimeter sites B, C, D, but A only has to set up one VPN tunnel. Especially for NetScreen-5XP users, who can use a maximum of just ten VPN tunnels concurrently, applying the hub-and-spoke method dramatically increases their VPN options and capabilities.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

%DFNWR%DFN 931V

The administrator at the hub device can completely control VPN traffic between perimeter sites. For example, He or she might permit only HTTP traffic to flow from sites A to B, but allow any kind of traffic to flow from B to A. He or she can allow traffic originating from A to reach C, but deny traffic originating from C to reach A. He or she can allow a specific host at A to reach the entire D network, while allowing only a specific host at D to reach a different host at A. The administrator at the hub device can completely control outbound traffic from all perimeter networks. At each perimeter site, there must first be an access policy that tunnels all outbound traffic through the spoke VPNs to the hub; for example: set policy from trust to untrust any any any tunnel vpn <name> (where <name> defines the specific VPN tunnel from each perimeter site to the hub). At the hub, the administrator can control Internet access, allowing certain kinds of traffic (such as HTTP only), performing URL blocking on undesirable Web sites, and so on. Regional hubs can be used and interconnected via spoke tunnels, allowing spoke sites in one region to reach spoke sites in another.

([DPSOH %DFNWR%DFN 931V


The following example is similar to Example: Hub-and-Spoke VPNs on page 364 except that the NetScreen device at the hub site in New York performs policy checking on the traffic it routes between the two tunnels to the branch offices in Tokyo and Paris. By putting each remote site in a different zone, you control the VPN traffic at the hub. The Tokyo LAN address is in the user-defined X1 zone, and the Paris LAN address is in the user-defined X2 zone. Both zones are in the Trust-VR routing domain. Note: To create user-defined zones, you must first obtain and load a zone software key on the NetScreen device. You bind the VPN1 tunnel to the tunnel.1 interface and the VPN2 tunnel to the tunnel.2 interface. Although you do not assign IP addresses to the X1 and X2 zone interfaces, you do give addresses to both tunnel interfaces. Routes for these interfaces automatically appear in the Trust-VR routing table. By putting the IP address for a tunnel interface in the same subnet as that of the destination, traffic destined for that subnet is routed to the tunnel interface.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

%DFNWR%DFN 931V

The outgoing interface is ethernet3, which is bound to the Untrust zone. As you can see in the illustration below, both tunnels terminate in the Untrust zone; however, the endpoints for the traffic that makes use of the tunnels are in the X1 and X2 zones. The tunnels use AutoKey IKE, with preshared keys, Diffie-Hellman Group 2, 3DES encryption, and SHA-1 authentication. Because the tunnels are routing-based (that is, the correct tunnel is determined by routing, not by a tunnel name specified in an access policy), proxy IDs are included in the configuration of each tunnel. Note: Only the configuration for the NetScreen device at the hub site is provided below.
New York Outgoing Interface Untrust Zone eth3, IP 123.1.1.1/24 Trust-VR Routing Domain New York Corporate Site (Hub) Trust Zone
Policy Lookup

Default Gateway IP 123.1.1.2 VPN1

Tokyo (Spoke) 110.1.1.1 Paris (Spoke) 220.2.2.2

Untrust-VR Routing Domain

Interface: tunnel.1 10.10.1.2/24

VPN2

X1 Zone

Tokyo LAN 10.10.1.0/24

X2 Zone eth1, 10.1.1.1/24 Interface: tunnel.2 10.20.1.2/24

Paris LAN 10.20.1.0/24

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

%DFNWR%DFN 931V

:HE8,
6HFXULW\ =RQHV
1. Zone >> New Entry: Enter the following, and then click OK: Name: X1 Virtual Router Name: Trust-VR 2. Zone >> New Entry: Enter the following, and then click OK: Name: X2 Virtual Router Name: Trust-VR

,QWHUIDFHV 8QWUXVW =RQH DQG 7XQQHOV


3. Interfaces >> Edit (for ethernet3): Enter the following, and then click OK: IP Address: 123.1.1.1 Netmask: 255.255.255.0 Zone Name: Untrust 4. Interfaces >> Tunnel >> New Entry: Enter the following, and then click Save: Tunnel Interface Name: tunnel.: 1 Zone: X1 Fixed IP: (select) IP Address: 10.10.1.2 Netmask:255.255.255.0 5. Interfaces >> Tunnel >> New Entry: Enter the following, and then click Save: Tunnel Interface Name: tunnel.: 2 Zone: X2 Fixed IP: (select) IP Address: 10.20.1.2 Netmask:255.255.255.0
1HW6FUHHQ &RQFHSWV ([DPSOHV 

&KDSWHU  5RXWLQJ%DVHG 931V

%DFNWR%DFN 931V

931 IRU 7RN\R 2IILFH


6. VPNs >> Gateway (P1) >> New Remote Tunnel Gateway: Enter the following, and then click OK: Gateway Name: Tokyo Remote Gateway Static IP Address: (select) IP Address: 110.1.1.1 Mode (Initiator) Main (ID Protection): (select) Outgoing Interface: ethernet3 Phase 1 Proposal: pre-g2-3des-sha Preshared Key: netscreen1 7. VPNs >> AutoKey (P2) >> New AutoKey IKE Entry: Enter the following, and then click OK: Name: VPN1 Enable Replay Protection: (select) Remote Gateway Tunnel: Tokyo Phase 2 Proposal: g2-esp-3des-sha Enable Proxy-ID: (select)17 Local IP: 10.20.1.0 Netmask: 255.255.255.0 Remote IP: 10.10.1.0 Netmask: 255.255.255.0 Service: ANY
17. When configuring the VPN tunnel on the NetScreen device protecting the Tokyo and Paris offices, do either of the following: (Routing-based VPN) Select the Enable Proxy-ID check box and enter 10.10.1.0 255.255.255.0 (Tokyo) and 10.20.1.0 255.255.255.0 (Paris) for the Local IP and Netmask, and 10.20.1.0 255.255.255.0 (Tokyo) and 10.10.1.0 255.255.255.0 (Paris) for the Remote IP and Netmask. (Policy-based VPN) Make an entry in the Trust zone address book for 10.10.1.0/24 (Tokyo) and 10.20.1.0/24 (Paris) and another in the Untrust zone address book for 10.20.1.0/24 (Tokyo) and 10.10.1.0/24 (Paris). Use those as the source and destination addresses in the access policy referencing the VPN tunnel to the hub site.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

%DFNWR%DFN 931V

931 IRU 3DULV 2IILFH


8. VPNs >> Gateway (P1) >> New Remote Tunnel Gateway: Enter the following, and then click OK: Gateway Name: Paris Remote Gateway Static IP Address: (select) IP Address: 220.2.2.2 Mode (Initiator) Main (ID Protection): (select) Outgoing Interface: ethernet3 Phase 1 Proposal: pre-g2-3des-sha Preshared Key: netscreen2 9. VPNs >> AutoKey (P2) >> New AutoKey IKE Entry: Enter the following, and then click OK: Name: VPN2 Enable Replay Protection: (select) Remote Gateway Tunnel: Paris Phase 2 Proposal: g2-esp-3des-sha Enable Proxy-ID: (select) Local IP: 10.10.1.0 Netmask: 255.255.255.0 Remote IP: 10.20.1.0 Netmask: 255.255.255.0 Service: ANY

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

%DFNWR%DFN 931V

5RXWHV
10. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: trust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Hop Virtual Router Name: untrust-vr 11. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway IP Address: 123.1.1.2 Interface: ethernet3(untrust-vr)

$GGUHVVHV
12. Address >> Address >> New Address: Enter the following, and then click OK: Address Name: Tokyo LAN IP Address/Domain Name: 10.10.1.0 Netmask: 255.255.255.0 Zone: X1 13. Address >> Address >> New Address: Enter the following, and then click OK: Address Name: Paris LAN IP Address/Domain Name: 10.20.1.0 Netmask: 255.255.255.0 Zone: X2

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

%DFNWR%DFN 931V

3ROLFLHV
14. Policy (From Zone: X1, To Zone: X2) >> New Policy: Enter the following, and then click OK: Source Address: Tokyo LAN Destination Address: Paris LAN Service: ANY Action: Permit 15. Policy (From Zone: X2, To Zone: X1) >> New Policy: Enter the following, and then click OK: Source Address: Paris LAN Destination Address: Tokyo LAN Service: ANY Action: Permit

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

%DFNWR%DFN 931V

&/,
6HFXULW\ =RQHV
1. 2. 3. 4. set zone name X1 set zone x1 vrouter trust-vr set zone name x2 set zone x2 vrouter trust-vr

,QWHUIDFHV 8QWUXVW =RQH DQG 7XQQHOV


5. 6. 7. 8. 9. 10. set interface eth3 zone untrust set interface eth3 ip 123.1.1.1/24 set interface tunnel.1 zone x1 set interface tunnel.1 ip 10.10.1.2/24 set interface tunnel.2 zone x2 set interface tunnel.2 ip 10.20.1.2/24

931 IRU 7RN\R 2IILFH


11. set ike gateway Tokyo ip 110.1.1.1 main outgoing-interface eth3 preshare netscreen1 proposal pre-g2-3des-sha 12. set vpn VPN1 gateway Tokyo replay proposal g2-esp-3des-sha 13. set vpn VPN1 bind interface tunnel.1 14. set vpn VPN1 proxy-id local-ip 10.20.1.0/24 remote-ip 10.10.1.0/24 any18

18. When configuring the VPN tunnel on the NetScreen device protecting the Tokyo and Paris offices, do either of the following: (Routing-based VPN) Enter the following commands: set vpn VPN1 proxy-id local-ip 10.20.1.0/24 remote-ip 10.10.1.0/24 (Tokyo) and set vpn VPN1 proxy-id local-ip 10.10.1.0/24 remote-ip 10.20.1.0/24 (Paris). (Policy-based VPN) Make an entry in the Trust zone address book for 10.10.1.0/24 (Tokyo) and 10.20.1.0/24 (Paris) and another in the Untrust zone address book for 10.20.1.0/24 (Tokyo) and 10.10.1.0/24 (Paris). Use those as the source and destination addresses in the access policies referencing the VPN tunnel to the hub site.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  5RXWLQJ%DVHG 931V

%DFNWR%DFN 931V

931 IRU 3DULV 2IILFH


15. set ike gateway Paris ip 220.2.2.2 main outgoing-interface eth3 preshare netscreen2 proposal pre-g2-3des-sha 16. set vpn VPN2 gateway Paris replay proposal g2-esp-3des-sha 17. set vpn VPN2 bind interface tunnel.2 18. set vpn VPN2 proxy-id local-ip 10.10.1.0/24 remote-ip 10.20.1.0/24 any

5RXWH
19. set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr 20. set vrouter untrust-vr route 0.0.0.0/0 interface eth3 gateway 123.1.1.2

$GGUHVVHV
21. set address x1 Tokyo LAN 10.10.1.0/24 22. set address x2 Paris LAN 10.20.1.0/24

3ROLFLHV
23. set policy from x1 to x2 Tokyo LAN Paris LAN any permit19 24. set policy from x2 to x1 Paris LAN Tokyo LAN any permit19 25. save

19. You can ignore the following message, which appears because tunnel interfaces are in NAT mode: Warning: Some interfaces in the <zone_name> zone are in NAT mode. Traffic might not pass through them!

1HW6FUHHQ &RQFHSWV

([DPSOHV



8uhr "

3ROLF\%DVHG 931V



A policy-based VPN is a configuration in which a specific VPN tunnel is referenced in an access policy whose action is set as tunnel. Contrast a policy-based VPN with a routing-based VPN configuration, in which the access policy does not reference a specific VPN tunnel. Instead, a VPN tunnel is indirectly referenced by a route that points to a specific tunnel interface. The tunnel interface might be bound to a VPN tunnel or to a tunnel zone. Note: For examples of routing-based VPNs, see Chapter 12, . For information on binding a tunnel interface to a VPN tunnel, see Tunnel Interfaces on page 383. This chapter presents examples of the following kinds of policy-based VPN tunnels: LAN-to-LAN VPNs on page 382 Example: Policy-Based LAN-to-LAN VPN, Manual Key on page 385 Example: Policy-Based LAN-to-LAN VPN, AutoKey IKE on page 394 Example: Policy-Based LAN-to-LAN VPN, Dynamic Peer on page 398 Dialup-to-LAN VPNs on page 410 Example: Policy-Based Dialup-to-LAN VPN, Manual Key on page 411 Example: Policy-Based Dialup-to-LAN VPN, AutoKey IKE on page 417 Example: Policy-Based Dialup-to-LAN VPN, Dynamic Peer on page 423 Tunnel Zones and Policy-Based NAT on page 431 Example: Tunnel Interface in a Tunnel Zone on page 433

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

/$172/$1 9316
An IPSec VPN tunnel exists between two gateways, and each gateway needs an IP address. When both gateways have static IP addresses, you can configure the following kinds of tunnels: LAN-to-LAN VPN, Manual Key tunnel LAN-to-LAN VPN, AutoKey IKE tunnel (with a preshared key or certificates)

When one gateway has a static address and the other has a dynamically assigned address, you can configure the following kind of tunnel: Dynamic Peer LAN-to-LAN VPN, AutoKey IKE tunnel (with a preshared key or certificates) As used here, a static LAN-to-LAN VPN involves an IPSec tunnel connecting two LANs, each with a NetScreen device operating as a secure gateway. The physical interface or subinterface used as the outgoing interface on both devices has a fixed IP address, and the internal hosts also have static IP addresses. If the NetScreen device is in Transparent mode, the VLAN1 address or the System IP addressboth of which are fixed addressesis used1. (See Example: Policy-Based LAN-to-LAN VPN, Manual Key on page 385, and Example: Policy-Based LAN-to-LAN VPN, AutoKey IKE on page 394.) With a static LAN-to-LAN VPN, hosts at either end of the tunnel can initiate the VPN tunnel setup because the IP address of the remote gateway remains constant and thus reachable. If the outgoing interface of one of the NetScreen devices has a dynamically assigned IP address, that device is termed a dynamic peer and the VPN is configured differently. (See Example: Policy-Based LAN-to-LAN VPN, Dynamic Peer on page 398.) With a dynamic peer LAN-to-LAN VPN, only hosts behind the dynamic peer can initiate the VPN tunnel setup because only their remote gateway has a fixed IP address and is thus reachable from their local gateway. However, after a tunnel has been set up between a dynamic peer and a static peer, hosts behind either gateway can initiate VPN traffic if the destination hosts have fixed IP addresses.

1.

If you set both the System IP and the VLAN1 IP address, the VLAN1 address takes priority and is the address to which you can terminate a VPN.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

7XQQHO ,QWHUIDFHV
Beyond the VPN tunnel termination points (the local and remote gateways), you can also configure tunnel interfaces in either a security zone or in a tunnel zone through which the NetScreen device directs traffic to and from the VPN tunnel2. You can bind a VPN tunnel to a specific numbered (with IP address/netmask) or unnumbered (without IP address/netmask) tunnel interface in a security zone. If the tunnel interface is unnumbered, it borrows the IP address from the interface of the security zone in which you created it.
Tunnel Interfaces Tunnel Zone Security Zone Interfaces VPN Tunnel

Numbered

When a numbered tunnel interface is in a tunnel zone, you cannot bind a VPN tunnel to the tunnel interface. You can only bind a tunnel to the tunnel zone. This allows multiple tunnel interfaces to link to a single tunnel, or multiple tunnels to link to a single tunnel interface. In such cases, you must create a policy-based VPN configuration. When a tunnel interface is in a security zone, you must bind a VPN tunnel to the tunnel interface. Doing so allows you to create a routing-based VPN configuration.

Numbered or Unnumbered

Security Zone

VPN Tunnel

The tunnel interface can be numbered or unnumbered. If it is unnumbered, the tunnel interface borrows the IP address from the security zone interface. Note: Only a numbered tunnel interface (that is, an interface with an IP address and netmask) can support policy-based NAT. When a numbered tunnel interface is in a security zone and is the only interface in that zone, you do not need to create a security zone interface. In this case, the security zone supports VPN traffic via the tunnel interface, but no other kind of traffic.

Security

Numbered
Zone

VPN Tunnel

Generally, assign an IP address to a tunnel interface if you want the interface to support policy-based NAT. For more information about policy-based NAT, see Chapter 15, . You can create a numbered tunnel interface in either a tunnel zone or security zone.

2.

If you do not specify a tunnel interface, the tunnel uses the default interface for the security zone.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

If the tunnel interface does not need to support policy-based NAT, and your configuration does not require the tunnel interface to be bound to a tunnel zone, you can specify the interface as unnumbered. You must bind an unnumbered tunnel interface to a security zone; you cannot bind it to a tunnel zone. You must also specify an interface bound to that security zone whose IP address the unnumbered tunnel interface borrows. Note: The security zone interface that you specify must be in the same zone to which you have bound the tunnel interface.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

([DPSOH 3ROLF\%DVHG /$1WR/$1 931 0DQXDO .H\


In this example, a Manual Key tunnel provides a secure communication channel between offices in Tokyo and Paris, using ESP with 3DES encryption and SHA-1 authentication. The Trust zones at each site are in NAT mode. The addresses are as follows: Tokyo: - Trust interface (ethernet1): 192.168.10.1/24 - Untrust interface (ethernet3): 201.22.3.14/24 Paris: - Trust Interface (ethernet1): 172.16.5.1/24 - Untrust interface (ethernet3): 203.3.3.10/24

The Trust security zone and the Untrust-Tun tunnel zone are in the Trust-VR routing domain. The Untrust security zone is in the Untrust-VR routing domain. The Untrust zone interface (ethernet3) serves as the outgoing interface for the VPN tunnel.

Topology of the zones configured on the NetScreen device in Tokyo. Tokyo


Paris

Topology of the zones configured on the NetScreen device in Paris.


Tokyo

Paris

Trust Zone

Untrust-Tun Zone

Untrust Zone

Untrust Zone

Untrust-Tun Zone

Trust Zone

Tokyo Trust Zone eth1, 192.168.10.1/24

Outgoing Interface Untrust Zone eth3, 201.22.3.14/24 Gateway 201.22.3.20 Internet VPN Tunnel

Outgoing Interface Untrust Zone eth3, 203.3.3.10/24 Gateway 203.3.3.1

Paris Trust Zone eth1, 172.16.5.1/24

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

To set up the tunnel, perform the following five steps on the NetScreen devices at both ends of the tunnel: 1. 2. 3. 4. 5. Assign IP addresses to the physical interfaces bound to the security zones. Configure the VPN tunnel, designate its outgoing interface in the Untrust zone. By default, the tunnel is bound to the Untrust-Tun tunnel zone. Enter the IP addresses for the local and remote endpoints in the trust and untrust address books. Enter a default route from the Trust-VR to the Untrust-VR, and another default route to the external router in the Untrust-VR. Set up access policies for VPN traffic to pass bidirectionally through the tunnel.

:HE8, 7RN\R
,QWHUIDFHV 6HFXULW\ =RQHV
1. Interfaces >> Physical >> Edit (for ethernet1): Enter the following, and then click Save: IP Address: 192.168.10.1 Netmask: 255.255.255.0 Zone Name: Trust Interface Mode: NAT 2. Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save: IP Address: 201.22.3.14 Netmask: 255.255.255.0 Zone Name: Untrust

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

931
3. VPNs >> Manual Key >> New Manual Key Entry: Enter the following, and then click OK: VPN Tunnel Name: Tokyo_Paris Gateway IP: 203.3.3.10 Security Index: 3020 (Local), 3030 (Remote) Outgoing Interface: ethernet3 Bind to Tunnel Zone: (select), Untrust-Tun ESP-CBC: (select) Encryption Algorithm: 3DES-CBC Generate Key by Password: asdlk24234 Authentication Algorithm: SHA-1 Generate Key by Password: PNas134a

$GGUHVVHV
4. Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: Trust_LAN IP Address/Domain Name: 192.168.10.0 Netmask: 255.255.255.0 Zone: Trust 5. Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: Paris_office IP Address/Domain Name: 172.16.5.0 Netmask: 255.255.255.0 Zone: Untrust

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

5RXWHV
6. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: trust_vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Hop Virtual Router Name: (select), untrust-vr 7. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust_vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway IP Address: 201.22.3.20 Interface: ethernet3

3ROLFLHV
8. Policies >> Policy (From Zone Trust, To Zone Untrust) >> New Policy: Enter the following, and then click OK: Name: To/From Paris Source Address: Trust_LAN Destination Address: Paris_office Service: ANY Action: Tunnel VPN: Tokyo_Paris Create matching VPN policy: (select)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

:HE8, 3DULV
,QWHUIDFHV 6HFXULW\ =RQHV
1. Interfaces >> Physical >> Edit (for ethernet1): Enter the following, and then click Save: IP Address: 172.16.5.1 Netmask: 255.255.255.0 Zone Name: Trust Interface Mode: NAT 2. Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save: IP Address: 203.3.3.10 Netmask: 255.255.255.0 Zone Name: Untrust

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

931
3. VPNs >> Manual Key >> New Manual Key Entry: Enter the following, and then click OK: VPN Tunnel Name: Paris_Tokyo Gateway IP: 201.22.3.14 Security Index: 3030 (Local), 3020 (Remote) Outgoing Interface: ethernet3(Untrust) Bind to Tunnel Zone: (select), Untrust-Tun ESP-CBC: (select) Encryption Algorithm: 3DES-CBC Generate Key by Password: asdlk24234 Authentication Algorithm: SHA-1 Generate Key by Password: PNas134a

$GGUHVVHV
4. Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: Trust_LAN IP Address/Domain Name: 172.16.5.0 Netmask: 255.255.255.0 Zone: Trust 5. Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: Tokyo_office IP Address/Domain Name: 192.168.10.0 Netmask: 255.255.255.0 Zone: Untrust

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

5RXWHV
6. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: trust_vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Hop Virtual Router Name: (select), untrust-vr 7. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust_vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway IP Address: 203.3.3.1 Interface: ethernet3

3ROLF\
8. Policies >> Policy (From Zone Trust, To Zone Untrust) >> New Policy: Enter the following, and then click OK: Name: To/From Tokyo Source Address: Trust_LAN Destination Address: Tokyo_office Service: ANY Action: Tunnel VPN: Paris_Tokyo Create matching VPN policy: (select)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

&/, 7RN\R
,QWHUIDFHV =RQHV DQG 7XQQHO
1. 2. 3. 4. 5. set interface ethernet1 zone trust set interface ethernet1 ip 192.168.10.1/24 set interface ethernet1 nat3 set interface ethernet3 zone untrust set interface ethernet3 ip 201.22.3.14/24

931
6. 7. set vpn tokyo_paris manual 3020 3030 gateway 203.3.3.10 outgoing-interface ethernet3 esp 3des password asdlk24234 auth sha-1 password PNas134a set vpn tokyo_paris bind zone untrust-tun4

$GGUHVVHV
8. 9. set address trust Trust_LAN 192.168.10.0/24 set address untrust paris_office 172.16.5.0/24

5RXWHV
10. set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr 11. set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3 gateway 201.22.3.20

3ROLFLHV
12. set policy name To/From Paris from trust to untrust Trust_LAN paris_office any tunnel vpn tokyo_paris 13. set policy name To/From Paris from untrust to trust paris_office Trust_LAN any tunnel vpn tokyo_paris 14. save

3. 4.

By default, the Trust zone is in NAT mode. This command is unnecessary but is included to maintain symmetry with the WebUI configuration. By default, a VPN tunnel is bound to the Untrust-Tun tunnel zone. This command is also unnecessary but is included to match the WebUI configuration.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

&/, 3DULV
,QWHUIDFHV =RQHV DQG 7XQQHO
1. 2. 3. 4. 5. set interface ethernet1 zone trust set interface ethernet1 ip 172.16.5.1/24 set interface ethernet1 nat set interface ethernet3 zone untrust set interface ethernet3 ip 203.3.3.10/24

931
6. 7. set vpn paris_tokyo manual 3030 3020 gateway 201.22.3.14 outgoing-interface ethernet3 esp 3des password asdlk24234 auth sha-1 password PNas134a set vpn paris_tokyo bind zone untrust-tun

$GGUHVVHV
8. 9. set address trust Trust_LAN 172.16.5.0/24 set address untrust tokyo_office 192.168.10.0/24

5RXWH
10. set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr 11. set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3 gateway 203.3.3.1

3ROLFLHV
12. set policy name To/From Tokyo from trust to untrust Trust_LAN tokyo_office any tunnel vpn paris_tokyo 13. set policy name To/From Tokyo from untrust to trust tokyo_office Trust_LAN any tunnel vpn paris_tokyo 14. save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

([DPSOH 3ROLF\%DVHG /$1WR/$1 931 $XWR.H\ ,.(


In this example, an AutoKey IKE tunnel using either a preshared secret or a pair of certificates (one at each end of the tunnel) provides the secure connection between the Tokyo and Paris offices. The Phase 1 negotiations are in Main mode, and the tunnel uses ESP with 3DES encryption and SHA-1 authentication.

Topology of the zones configured on the NetScreen device in Tokyo. Tokyo


Paris

Topology of the zones configured on the NetScreen device in Paris.


Tokyo

Paris

Trust Zone

Untrust-Tun Zone

Untrust Zone

Untrust Zone

Untrust-Tun Zone

Trust Zone

Tokyo Trust Zone eth1, 192.168.10.1/24

Outgoing Interface Untrust Zone eth3, 201.22.3.14/24 Gateway 201.22.3.20 Internet VPN Tunnel

Outgoing Interface Untrust Zone eth3, 203.3.3.10/24 Gateway 203.3.3.1

Paris Trust Zone eth1, 172.16.5.1/24

Setting up the AutoKey IKE tunnel using AutoKey IKE with either a preshared secret or certificates involves the following two steps: 1. 2. Define the remote gateway and key exchange mode, and specify either a preshared secret or a certificate. Create the Autokey IKE VPN entry.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

Note: You also need to define security zone interface IP addresses, create address book entries for the local and remote end entities, set up default routes, and configure access policies. However, because those steps are the same as those explained in Example: Policy-Based LAN-to-LAN VPN, Manual Key on page 385, they are omitted here. In the following examples, the preshared key is h1p8A24nG5. It is assumed that both participants already have certificates. (For more information about obtaining and loading certificates, see Certificates and CRLs on page 297.)

:HE8, 7RN\R
1. VPNs >>Gateway (P1) >>New Remote Tunnel Gateway: Enter the following, and then click OK: Gateway Name: To_Paris Remote Gateway Static IP Address: (select) IP Address: 203.3.3.10 Mode (Initiator): Main (ID Protection) Outgoing Interface: ethernet3 For preshared key: Phase 1 Proposal: pre-g2-3des-sha Preshared Key: h1p8A24nG5 For certificate: Phase 1 Proposal: rsa-g2-3des-sha 2. VPNs >> AutoKey (P2) >> New AutoKey IKE Entry: Enter the following, and then click OK: Name: Tokyo_Paris Remote Gateway Tunnel: To_Paris Phase 2 Proposal: nopfs-esp-3des-sha

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

Bind to Tunnel Zone: (select), Untrust-Tun

:HE8, 3DULV
1. VPNs >> Gateway (P1) >> New Remote Tunnel Gateway: Enter the following, and then click OK: Gateway Name: To_Tokyo Remote Gateway Static IP Address: (select) IP Address: 201.22.3.14 Mode (Initiator): Main (ID Protection) Outgoing Interface: ethernet3 For preshared key: Phase 1 Proposal: pre-g2-3des-sha Preshared Key: h1p8A24nG5 For certificate: Phase 1 Proposal: rsa-g2-3des-sha Preferred certificate Peer CA: Entrust Preferred certificate Peer Type: X509-SIG 2. VPNs >> AutoKey (P2) >> New AutoKey IKE Entry: Enter the following, and then click OK: Name: Paris_Tokyo Remote Gateway Tunnel: To_Tokyo Phase 2 Proposal: nopfs-esp-3des-sha Bind to Tunnel Zone: (select), Untrust-Tun

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

&/, 7RN\R
3UHVKDUHG .H\
1. 2. 3. 4. set ike gateway to_paris ip 203.3.3.10 main outgoing-interface eth3 preshare h1p8A24nG5 proposal pre-g2-3des-sha-1 set vpn tokyo_paris gateway to_paris tunnel proposal nopfs-esp-3des-sha set vpn tokyo_paris bind interface tunnel.1 save

&HUWLILFDWH
1. 2. 3. 4. set ike gateway to_paris ip 203.3.3.10 main outgoing-interface eth3 proposal rsa-g2-3des-sha set vpn tokyo_paris gateway to_paris tunnel proposal nopfs-esp-3des-sha set vpn tokyo_paris bind zone untrust-tun save

&/, 3DULV
3UHVKDUHG .H\
1. 2. 3. 4. set ike gateway to_tokyo ip 201.22.3.14 main outgoing-interface eth3 preshare h1p8A24nG5 proposal pre-g2-3des-sha-1 set vpn paris_tokyo gateway to_tokyo tunnel proposal nopfs-esp-3des-sha set vpn paris_tokyo bind zone untrust-tun save

&HUWLILFDWH
1. 2. 3. 4. set ike gateway to_tokyo ip 201.22.3.14 main outgoing-interface eth3 proposal rsa-g2-3des-sha set vpn paris_tokyo gateway to_tokyo tunnel proposal nopfs-esp-3des-sha set vpn paris_tokyo bind zone untrust-tun save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

([DPSOH 3ROLF\%DVHG /$1WR/$1 931 '\QDPLF 3HHU


In this example, a VPN tunnel securely connects the users in the Trust zone behind NetScreen A to the mail server in the corporate DMZ zone, protected by NetScreen B. The Untrust zone interface for NetScreen B has a static IP address. The ISP serving NetScreen A assigns the IP address for its Untrust zone interface dynamically via DHCP. Because only NetScreen B has a fixed address for its Untrust zone, VPN traffic must originate from hosts behind NetScreen A. After NetScreen A has established the tunnel, traffic through the tunnel can originate from either end.

Topology of the zones configured on NetScreen A at the branch office. A


B A

Topology of the zones configured on NetScreen B at the corporate site. B

Trust Zone

Untrust Zone

Untrust Zone

DMZ Zone

Branch Office Trust Zone eth1, 10.10.10.1/24

Outgoing Interface Untrust Zone eth3 and gateway dynamically assigned by ISP Internet

Outgoing Interface Untrust Zone eth3, 203.10.20.1/24 Gateway 203.10.20.2

Corporate Office DMZ Zone eth2, 172.30.5.1/24 Mail Server 172.30.5.5

SMTP or POP3 Request

NetScreen A

VPN Tunnel DHCP Server 203.2.3.1

NetScreen B

IDENT Request

Note: Before making an SMTP or POP3 connection to the corporate mail server, Phil must first initiate an HTTP, FTP, or Telnet connection so that NetScreen A can authenticate him.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

In this example, authentication user Phil (login name: pmason; password: Nd4syst4) wants to get his e-mail from the mail server at the corporate site. When he attempts to do so, he is authenticated twice: first, NetScreen A authenticates him locally before allowing traffic from him through the tunnel5; second, the mail server program authenticates him, sending the IDENT request through the tunnel. Note: The mail server can send the IDENT request through the tunnel only if the NetScreen A and B administrators add a custom service for it (TCP, port 113) and set up access policies allowing that traffic through the tunnel to the 10.10.10.0/24 subnet. The preshared key is h1p8A24nG5. It is assumed that both participants already have certificates, and that the e-mail address jking@abc.com appears in the local certificate on NetScreen A. (For more information about obtaining and loading certificates, see Certificates and CRLs on page 297.)

:HE8, 1HW6FUHHQ $
,QWHUIDFHV 6HFXULW\ =RQHV
1. Interfaces >> Physical >> Edit (for ethernet1): Enter the following, and then click Save: IP Address: 10.10.10.1 Netmask: 255.255.255.0 Zone Name: Trust Interface Mode: NAT 2. Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save6 : IP Address: Obtain IP using DHCP (select) Zone Name: Untrust

5.

Because Phil is an authentication user, before he can make an SMTP of POP3 request, he must first initiate an HTTP, FTP, or Telnet connection so that NetScreen A can respond with a firewall user/login prompt to authenticate him. After NetScreen A authenticates him, he has permission to contact the corporate mail server via the VPN tunnel. You cannot specify the IP address of the DHCP server through the WebUI; however, you can do so through the CLI.

6.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

8VHU
3. Users >> Users >> New AUTH/IKE/L2TP User: Enter the following, and then click OK: User Name: pmason Authentication User: (select) User Password: Nd4syst4 Confirm Password: Nd4syst4

$GGUHVVHV
4. Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: Trusted network IP Address/Domain Name: 10.10.10.0 Netmask: 255.255.255.0 Zone: Trust 5. Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: Mail Server IP Address/Domain Name: 172.30.5.5 Netmask: 255.255.255.255 Zone: Untrust

6HUYLFHV
6. Services >> Custom >> New Service: Enter the following, and then click OK: Service Name: Ident Source Port: (Low) 113, (High) 113 Transport: TCP (select) 7. Services >> Custom >> New Group: Enter the following, move the following services, and then click OK:

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

Group Name: Remote_Mail Group Members << Available Members: HTTP FTP Telnet Ident MAIL POP3

931
8. VPNs >> Gateway (P1) >> New Remote Tunnel Gateway: Enter the following, and then click OK: Gateway Name: To_Mail Remote Gateway: Static IP Address: (select) IP Address: 203.10.20.1 Mode (Initiator): Aggressive Outgoing Interface: ethernet3 For preshared key: Phase 1 Proposal: pre-g2-3des-sha Local ID: jking@abc.com For certificate: Phase 1 Proposal: rsa-g2-3des-sha 9. VPNs >> AutoKey (P2) >> New AutoKey IKE Entry: Enter the following, and then click OK: Name: branch_corp Remote Gateway Tunnel: To_Mail Phase 2 Proposal: nopfs-esp-3des-sha

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

5RXWHV
10. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: trust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Hop Virtual Router Name: (select), untrust-vr 11. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway IP Address: (select), 0.0.0.07 Interface: ethernet3(untrust)

3ROLF\
12. Policies >> Policy (From Zone Trust, To Zone Untrust) >> New Policy: Enter the following, and then click OK: Source Address: Trusted network Destination Address: Mail Server Service: Remote_Mail Action: Tunnel VPN Tunnel: branch_corp Authentication: (select) Create matching VPN policy: (select)
7. The ISP provides the gateway IP address dynamically through DHCP.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

:HE8, 1HW6FUHHQ %
,QWHUIDFHV 6HFXULW\ =RQHV
1. Interfaces >> Physical >> Edit (for ethernet2): Enter the following, and then click Save: IP Address: 172.30.5.1 Netmask: 255.255.255.0 Zone Name: DMZ 2. Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save: IP Address: 203.10.20.1 Netmask: 255.255.255.0 Zone Name: Untrust

$GGUHVVHV
3. Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: Mail Server IP Address/Domain Name: 172.30.5.5 Netmask: 255.255.255.255 Zone: DMZ 4. Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: branch office IP Address/Domain Name: 10.10.10.0 Netmask: 255.255.255.0 Zone: Untrust

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

6HUYLFHV
5. Services >> Custom >> New Service: Enter the following, and then click OK: Service Name: Ident Source Port: (Low) 113, (High) 113 Transport: TCP (select) 6. Services >> Custom >> New Group: Enter the following, move the following services, and then click OK: Group Name: Remote_Mail Group Members << Available Members: Ident MAIL POP3

931
7. VPNs >> Gateway (P1) >> New Remote Gateway: Enter the following, and then click OK: Gateway Name: To_branch Remote Gateway: Dynamic IP Address: (select) Peer ID: jking@abc.com Mode (Initiator): Aggressive Outgoing Interface: ethernet3 For preshared key: Phase 1 Proposal: pre-g2-3des-sha Preshared Key: h1p8A24nG5 For certificate: Phase 1 Proposal: rsa-g2-3des-sha

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

8.

VPNs >> AutoKey (P2) >> New AutoKey IKE Entry: Enter the following, and then click OK: Name: corp_branch Remote Gateway Tunnel: To_branch Phase 2 Proposal: nopfs-esp-3des-sha

5RXWH
9. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway IP Address: (select), 203.10.20.2 Interface: ethernet3(untrust)

3ROLF\
10. Policies >> Policy (From Zone DMZ, To Zone Untrust) >> New Policy: Enter the following, and then click OK: Source Address: Mail Server Destination Address: branch office Service: Remote_Mail Action: Tunnel VPN Tunnel: corp_branch Create matching VPN policy: (select)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

&/, 1HW6FUHHQ $
,QWHUIDFHV 6HFXULW\ =RQHV
1. 2. 3. 4. 5. 6. set interface ethernet1 zone trust set interface ethernet1 ip 10.10.10.1/24 set interface ethernet1 nat8 set interface ethernet3 zone untrust set interface ethernet3 dhcp set dhcp client server 201.2.3.1

8VHU
7. set user pmason password Nd4syst4

$GGUHVVHV
8. 9. set address trust trusted network 10.10.10.0 255.255.255.0 set address untrust mail server 172.30.5.5 255.255.255.255

6HUYLFHV
10. 11. 12. 13. 14. 15. 16. 17.
8.

set service ident protocol tcp src-port 113-113 set group service remote_mail set group service remote_mail add http set group service remote_mail add ftp set group service remote_mail add telnet set group service remote_mail add ident set group service remote_mail add mail set group service remote_mail add pop3

By default, the Trust zone is in NAT mode. This command is unnecessary but is included to maintain symmetry with the WebUI configuration.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

931
Preshared Key: 18. set ike gateway to_mail ip 203.10.20.4 aggressive outgoing-interface eth3 local-id jking@abc.com preshare h1p8A24nG5 proposal pre-g2-3des-sha-1 19. set vpn branch_corp gateway to_mail tunnel proposal nopfs-esp-3des-sha Certificate: 18. set ike gateway to_mail ip 203.10.20.4 aggressive outgoing-interface eth3 local-id jking@abc.com proposal rsa-g2-3des-sha 19. set vpn branch_corp gateway to_mail tunnel proposal nopfs-esp-3des-sha

5RXWHV
20. set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr 21. set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3

3ROLFLHV
22. set policy from trust to untrust trusted network mail server remote_mail tunnel vpn branch_corp auth 23. set policy from untrust to trust mail server trusted network remote_mail tunnel vpn branch_corp 24. save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

&/, 1HW6FUHHQ %
,QWHUIDFHV 6HFXULW\ =RQHV
1. 2. 3. 4. set interface ethernet2 zone dmz set interface ethernet2 ip 172.30.5.1/24 set interface ethernet3 zone untrust set interface ethernet3 ip 203.10.20.1/24

$GGUHVVHV
5. 6. set address dmz mail server 172.30.5.5/32 set address untrust branch office 10.10.10.0/24

6HUYLFHV
7. 8. 9. 10. 11. set service ident protocol tcp src-port 113-113 set group service remote_mail set group service remote_mail add ident set group service remote_mail add mail set group service remote_mail add pop3

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

/$1WR/$1 931V

931
Preshared Key: 12. set ike gateway to_branch dynamic name@company.com aggressive outgoing-interface ethernet3 preshare h1p8A24nG5 proposal pre-g2-3des-sha 13. set vpn corp_branch gateway to_branch tunnel proposal nopfs-esp-3des-sha Certificate: 13. set ike gateway to_branch dynamic name@company.com aggressive outgoing-interface ethernet3 proposal rsa-g2-3des-sha 14. set vpn corp_branch gateway to_branch tunnel proposal nopfs-esp-3des-sha

5RXWH
15. set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3 gateway 203.10.20.2

3ROLFLHV
16. set policy from dmz to untrust mail server branch office remote_mail tunnel vpn corp_branch 17. set policy from untrust to dmz branch office mail server remote_mail tunnel vpn corp_branch 18. save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

',$/8372/$1 9316
NetScreen devices also support VPN dialup connections. You can configure a NetScreen security gateway with a static IP address to secure an IPSec tunnel with a NetScreen-Remote client or with another NetScreen device with a dynamic IP address. You can configure tunnels for VPN dialup users on a per-user basis or form users into a VPN dialup group for which you need only configure one tunnel. For more information on creating VPN dialup groups, see Dialup User Groups on page 217. This section describes the procedures for setting up three types of Dialup-to-LAN VPNs: Dialup-to-LAN VPN, Manual Key tunnel Dialup-to-LAN VPN, AutoKey IKE tunnel (with a preshared secret or certificates) Dynamic Peer Dialup-to-LAN VPN, AutoKey IKE tunnel (with a preshared key or certificates) Note: The dialup-to-LAN dynamic peer is nearly identical to the LAN-to-LAN dynamic peer except that the internal IP address for the dialup client is a virtual address.

If the dialup client can support a virtual internal IP address, which the NetScreen-Remote does, you can also create

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

([DPSOH 3ROLF\%DVHG 'LDOXSWR/$1 931 0DQXDO .H\


In this example, a remote user (Wendy) needs to access a UNIX server in the Trust zone at the corporate site via a dialup VPN tunnel. The tunnel uses 3DES for encryption and SHA-1 for authentication.
Remote User: Wendy NetScreen-Remote Outgoing Interface Untrust Zone eth3, 203.10.20.1/24 Gateway 203.10.20.2

Corporate Office Trust Zone eth1, 172.30.5.1/24 UNIX Server 172.30.5.6

Internet VPN Tunnel

Untrust Zone

Trust Zone

:HE8,
,QWHUIDFHV 6HFXULW\ =RQHV
1. Interfaces >> Physical >> Edit (for ethernet1): Enter the following, and then click Save: IP Address: 172.30.5.1 Netmask: 255.255.255.0 Zone Name: Trust 2. Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save: IP Address: 203.10.20.1 Netmask: 255.255.255.0 Zone Name: Untrust

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

$GGUHVV
3. Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: UNIX IP Address/Domain Name: 172.30.5.6 Netmask: 255.255.255.255 Zone: Trust

0DQXDO .H\ 8VHU


4. Users >> Users >> New Manual Key User: Enter the following, and then click OK: User Name: Wendy Security Index: 3000 (Local), 3000 (Remote) Outgoing Interface: ethernet3 ESP: (select) Encryption Algorithm: 3DES-CBC Generate Key by Password: asdlk24234 Authentication Algorithm: SHA-1 Generate Key by Password9: PNas134a

9.

Because NetScreen-Remote processes passwords into keys differently than other NetScreen products do, after you configure the tunnel do the following: (1) Return to the Manual Key User configuration dialog box by clicking Edit in the Configure column for the Manual Key user Wendy); (2) copy the two generated hexadecimal keys; and (3) use those hexadecimal keys when configuring the NetScreen-Remote end of the tunnel.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

5RXWHV
5. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: trust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Hop Virtual Router Name: (select), untrust-vr 6. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway IP Address: (select), 203.10.20.2 Interface: ethernet3(untrust)

3ROLF\
7. Policies >> (From >> New Policy: Enter the following, and then click OK: Source Address: Dial-up VPN Destination Address: UNIX Service: ANY Action: Tunnel VPN Tunnel: Dialup UserWendy Create matching outgoing VPN policy: (clear)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

&/,
,QWHUIDFHV 6HFXULW\ =RQHV
1. 2. 3. 4. set interface ethernet1 zone trust set interface ethernet1 ip 172.30.5.1/24 set interface ethernet3 zone untrust set interface ethernet3 ip 203.10.20.1/24

$GGUHVV
5. set address trust unix 172.30.5.6/32

0DQXDO .H\ 8VHU


6. set user wendy dialup 3000 3000 outgoing-interface ethernet3 esp 3des password asdlk24234 auth sha-1 password PNas134a10

5RXWHV
7. 8. set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3 gateway 203.10.20.2

3ROLF\
9. set policy from untrust to trust dial-up vpn unix any tunnel vpn-dialup wendy 10. save

10. Because NetScreen-Remote processes passwords into keys differently than other NetScreen products do, after you configure the tunnel do the following: (1) Enter the command get user wendy; (2) copy the two generated hexadecimal keys; and (3) use those hexadecimal keys when configuring the NetScreen-Remote end of the tunnel.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

1HW6FUHHQ5HPRWH 6HFXULW\ 3ROLF\ (GLWRU


1. 2. 3. Click Options >> Secure >> Specified Connections. Click the Add a new connection button, and type Unix next to the new connection icon that appears. Configure the connection options: Connection Security: Secure Remote Party ID Type: IP Address IP Address: 172.30.5.6 Connect using Secure Gateway Tunnel: (select) ID Type: IP Address; 203.10.20.1 4. 5. 6. 7. Click the PLUS symbol, located to the left of the unix icon, to expand the connection policy. Click Security Policy, and select Use Manual Keys. Click the PLUS symbol, located to the left of the Security Policy icon, and then the PLUS symbol to the left of Key Exchange (Phase 2) to expand the policy further. Click Proposal 1, and select the following IPSec Protocols: Encapsulation Protocol (ESP): (select) Encrypt Alg: 3DES Hash Alg: SHA-1 Encapsulation: Tunnel

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

8. 9.

Click Inbound Keys, and in the Security Parameters Index field, type 3000. Click Enter Key, enter the following11, and then click OK: Choose key format: Binary ESP Encryption Key: dccbee96c7e546bc ESP Authentication Key: dccbe9e6c7e546bcb0b667794ab7290c

10. Click Outbound Keys, and in the Security Parameters Index field, type 3000. 11. Click Enter Key, enter the following11, and then click OK: Choose key format: Binary ESP Encryption Key: dccbee96c7e546bc ESP Authentication Key: dccbe9e6c7e546bcb0b667794ab7290c 12. Click the Save button.

11. These are the two generated keys that you copied after configuring the NetScreen device.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

([DPSOH 3ROLF\%DVHG 'LDOXSWR/$1 931 $XWR.H\ ,.(


In this example, an AutoKey IKE tunnel using either a preshared secret or a pair of certificates (one at each end of the tunnel12) provides the secure communication channel between the IKE user Wendy and the UNIX server. The tunnel again uses ESP with 3DES encryption and SHA-1 authentication. Setting up the AutoKey IKE tunnel using AutoKey IKE with either a preshared secret or certificates requires you to do the following at the corporate site: 1. 2. 3. 4. 5. 6. Configure interfaces for the Trust and Untrust zones. Enter the address of the UNIX server in the Trust zone address book. Define Wendy as an IKE user. Configure the remote gateway and AutoKey IKE VPN. Set up default routes Create an access policy from the Untrust zone to the Trust zone permitting access to the UNIX from the dialup user.
Outgoing Interface Untrust Zone eth3, 203.10.20.1/24 Gateway 203.10.20.2

Remote User: Wendy NetScreen-Remote

Corporate Office Trust Zone eth1, 172.30.5.1/24 UNIX Server 172.30.5.6

Internet VPN Tunnel

Untrust Zone

Trust Zone

12. The preshared key is h1p8A24nG5. It is assumed that both participants already have certificates. For more information about certificates, see Certificates and CRLs on page 297.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

:HE8, 1HW6FUHHQ
,QWHUIDFHV 6HFXULW\ =RQHV
1. Interfaces >> Physical >> Edit (for ethernet1): Enter the following, and then click Save: IP Address: 172.30.5.1 Netmask: 255.255.255.0 Zone Name: Trust 2. Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save: IP Address: 203.10.20.1 Netmask: 255.255.255.0 Zone Name: Untrust

$GGUHVV
3. Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: UNIX IP Address/Domain Name: 172.30.5.6 Netmask: 255.255.255.255 Zone: Trust

8VHU
4. Users >> Users >> New AUTH/IKE/L2TP User: Enter the following, and then click OK: User Name: Wendy Status: Enable (select) IKE User: (select) Simple Identity: (select) IKE Identity: wparker@email.com
1HW6FUHHQ &RQFHSWV ([DPSOHV 

&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

5.

VPNs >> Gateway (P1) >> New Remote Tunnel Gateway: Enter the following, and then click OK: Gateway Name: Wendy_NSR Remote Gateway Dialup User: (select) User/Group: Dialup UserWendy Mode (Initiator): Aggressive For preshared key: Phase 1 Proposal: pre-g2-3des-sha Preshared Key: h1p8A24nG5 For certificate: Phase 1 Proposal: rsa-g2-3des-sha

6.

VPNs >> AutoKey (P2) >> New AutoKey IKE Entry: Enter the following, and then click OK: Name: Wendy_UNIX Remote Gateway Tunnel: Wendy_NSR Phase 2 Proposal: nopfs-esp-3des-sha

7.

Policies >> Policy (From Zone: Untrust, To Zone: Trust) >> New Policy: Enter the following, and then click OK: Source Address: Dial-Up VPN Destination Address: UNIX Service: ANY Action: Tunnel VPN Tunnel: Wendy_UNIX Create matching outgoing policy: (clear)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

&/,
1. 2. 3. 4. 5. 1. 2. 3. 4. set address trust unix 172.30.5.6 255.255.255.255 set user wendy ike-id wparker@email.com set ike gateway wendy_nsr dialup wendy aggressive preshare h1p8A24nG5 proposal pre-g2-3des-sha-1 set vpn wendy_unix gateway wendy_nsr tunnel proposal nopfs-esp-3des-sha-1 set policy incoming dial-up vpn unix any tunnel vpn wendy_unix set ike gateway wendy_nsr dialup wendy aggressive proposal rsa-g2-3des-sha-1 set vpn wendy_unix gateway wendy_nsr tunnel proposal nopfs-esp-3des-sha-1 set policy incoming dial-up vpn unix any tunnel vpn wendy_unix save

Preshared Key:

Certificates:

1HW6FUHHQ5HPRWH 6HFXULW\ 3ROLF\ (GLWRU


1. 2. 3. Click Options >> Secure >> Specified Connections. Click the Add a new connection button, and type UNIX next to the new connection icon that appears. Configure the connection options: Connection Security: Secure Remote Party ID Type: IP Address IP Address: 172.30.5.6 Connect using Secure Gateway Tunnel: (select) ID Type: IP Address; 203.10.20.4 4. 5. Click the PLUS symbol, located to the left of the UNIX icon, to expand the connection policy. Click My Identity: Do either of the following:

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

Click Pre-shared Key >> Enter Key: Type h1p8A24nG5, and then click OK. ID Type: (select E-mail Address), and type wparker@email.com. or Select a certificate from the Select Certificate drop-down list. ID Type: (select E-mail Address)13 6. 7. Click the Security Policy icon, and select Aggressive Mode. Click the PLUS symbol, located to the left of the Security Policy icon, and then the PLUS symbol to the left of Authentication (Phase 1) and Key Exchange (Phase 2) to expand the policy further.

13. The e-mail address from the certificate appears in the identifier field automatically.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

8.

Click Authentication (Phase 1) >> Proposal 1: Select the following Encryption and Data Integrity Algorithms: Encrypt Alg: Triple DES Hash Alg: SHA-1 Key Group: Diffie-Hellman Group 2

9.

Click Key Exchange (Phase 2) >> Proposal 1: Select the following IPSec Protocols: Encapsulation Protocol (ESP): (select) Encrypt Alg: 3DES Hash Alg: SHA-1 Encapsulation: Tunnel

10. Click the Save button.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

([DPSOH 3ROLF\%DVHG 'LDOXSWR/$1 931 '\QDPLF 3HHU


In this example, a VPN tunnel securely connects the user behind the NetScreen-Remote to the Untrust zone interface of the NetScreen device protecting the mail server in the DMZ zone. The Untrust zone interface has a static IP address. The NetScreen-Remote client has a dynamically assigned external IP address and a static (virtual) internal IP address, which must be known to the administrator of the NetScreen device so that he can add it to the Untrust address book for use in access policies to tunnel traffic from that source. After the NetScreen-Remote client establishes the tunnel, traffic through the tunnel can originate from either end.

Remote User: Phil NetScreen-Remote SMTP Request Internet VPN Tunnel

Outgoing Interface Untrust Zone eth3, 203.10.20.1/24 Gateway 203.10.20.2

Corporate Office DMZ Zone eth2, 172.30.5.1/24 Mail Server 172.30.5.5 IDENT Request

Internal IP Address 10.10.10.1

External IP Address Dynamic

Untrust Zone

DMZ Zone

In this example, Phil wants to get his e-mail from the mail server at the company site. When he attempts to do so, he is authenticated by the mail server program, which sends him an IDENT request through the tunnel. Note: The mail server can send the IDENT request through the tunnel only if the NetScreen-100 administrator adds a custom service for it (TCP, port 113) and sets up an outgoing access policy allowing that traffic through the tunnel to 10.10.10.1. The preshared key is h1p8A24nG5. It is assumed that both participants already have certificates, and that the local certificate on the NetScreen-Remote contains the e-mail address pmason@email.com. (For more information about obtaining and loading certificates, see Certificates and CRLs on page 297.)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

:HE8,
,QWHUIDFHV 6HFXULW\ =RQHV
1. Interfaces >> Physical >> Edit (for ethernet2): Enter the following, and then click Save: IP Address: 172.30.5.1 Netmask: 255.255.255.0 Zone Name: DMZ 2. Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save: IP Address: 203.10.20.1 Netmask: 255.255.255.0 Zone Name: Untrust

$GGUHVVHV
3. Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: Mail Server IP Address/Domain Name: 172.30.5.5 Netmask: 255.255.255.255 Zone: DMZ 4. Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: Phil IP Address/Domain Name: 10.10.10.1 Netmask: 255.255.255.255 Zone: Untrust

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

6HUYLFHV
5. Services >> Custom >> New Service: Enter the following, and then click OK: Service Name: Ident Source Port: (Low) 113, (High) 113 Transport: TCP (select) 6. Services >> Custom >> New Group: Enter the following, move the following services, and then click OK: Group Name: Remote_Mail Group Members << Available Members: Ident MAIL POP3

931
7. VPNs >> Gateway (P1) >> New Remote Gateway: Enter the following, and then click OK: Gateway Name: To_Phil Remote Gateway: Dynamic IP Address: (select) Peer ID: pmason@email.com Mode (Initiator): Aggressive Outgoing Interface: ethernet3 For preshared key: Phase 1 Proposal: pre-g2-3des-sha Preshared Key: h1p8A24nG5 For certificate: Phase 1 Proposal: rsa-g2-3des-sha

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

8.

VPNs >> AutoKey (P2) >> New AutoKey IKE Entry: Enter the following, and then click OK: Name: corp_Phil Remote Gateway Tunnel: To_Phil Phase 2 Proposal: nopfs-esp-3des-sha

5RXWH
9. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway IP Address: (select), 203.10.20.2 Interface: ethernet3(untrust)

3ROLF\
10. Policies >> Policy (From Zone: DMZ, To Zone: Untrust) >> New Policy: Enter the following, and then click OK: Source Address: Mail Server Destination Address: branch office Service: Remote_Mail Action: Tunnel VPN Tunnel: corp_Phil Create matching VPN policy: (select)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

&/,
,QWHUIDFHV 6HFXULW\ =RQHV
1. 2. 3. 4. set interface ethernet2 zone dmz set interface ethernet2 ip 172.30.5.1/24 set interface ethernet3 zone untrust set interface ethernet3 ip 203.10.20.1/24

$GGUHVVHV
5. 6. set address dmz mail server 172.30.5.5/32 set address untrust phil 10.10.10.1/32

6HUYLFHV
7. 8. 9. 10. 11. set service ident protocol tcp src-port 113-113 set group service remote_mail set group service remote_mail add ident set group service remote_mail add mail set group service remote_mail add pop3

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

931
Preshared Key: 12. set ike gateway to_phil dynamic pmason@email.com aggressive outgoing-interface ethernet3 preshare h1p8A24nG5 proposal pre-g2-3des-sha 13. set vpn corp_phil gateway to_phil tunnel proposal nopfs-esp-3des-sha Certificate: 13. set ike gateway to_phil dynamic pmason@email.com aggressive outgoing-interface ethernet3 proposal rsa-g2-3des-sha 14. set vpn corp_phil gateway to_phil tunnel proposal nopfs-esp-3des-sha

5RXWH
15. set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3 gateway 203.10.20.2

3ROLFLHV
16. set policy from dmz to untrust mail server phil remote_mail tunnel vpn corp_phil 17. set policy from untrust to dmz phil mail server remote_mail tunnel vpn corp_phil 18. save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

1HW6FUHHQ5HPRWH
1. 2. 3. 4. Click Options >> Global Policy Settings, and select the Allow to Specify Internal Network Address check box. Options >> Secure >> Specified Connections. Click the Add a new connection button, and type Mail next to the new connection icon that appears. Configure the connection options: Connection Security: Secure Remote Party ID Type: IP Address IP Address: 172.30.5.5 Connect using Secure Gateway Tunnel: (select) ID Type: IP Address; 203.10.20.1 5. 6. Click the PLUS symbol, located to the left of the unix icon, to expand the connection policy. Click My Identity: Do either of the following: Click Pre-shared Key >> Enter Key: Type h1p8A24nG5, and then click OK. ID Type: Internal Network IP Address: Type 10.10.10.1. or Select a certificate from the Select Certificate drop-down list. ID Type: (select IP Address); Internal Network IP Address: Type 10.10.10.1. 7. Click the Security Policy icon, and select Aggressive Mode.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

'LDOXSWR/$1 931V

8. 9.

Click the PLUS symbol, located to the left of the Security Policy icon, and then the PLUS symbol to the left of Authentication (Phase 1) and Key Exchange (Phase 2) to expand the policy further. Click Authentication (Phase 1) >> Proposal 1: Select the following Encryption and Data Integrity Algorithms: Encrypt Alg: Triple DES Hash Alg: SHA-1 Key Group: Diffie-Hellman Group 2

10. Click Key Exchange (Phase 2) >> Proposal 1: Select the following IPSec Protocols: Encapsulation Protocol (ESP): (select) Encrypt Alg: 3DES Hash Alg: SHA-1 Encapsulation: Tunnel 11. Click the Save button.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

7XQQHO =RQHV DQG 3ROLF\%DVHG 1$7

7811(/ =21(6 $1' 32/,&<%$6(' 1$7


A tunnel zone is a logical creation that allows you to bind one or more tunnel interfaces to it. If you bind a tunnel interface to a security zone you can configure the tunnel interface as unnumbered (that is, without an IP address) or assign it an IP address and netmask. If you bind a tunnel interface to a tunnel zone, you must assign it an IP address. Giving a tunnel interface an IP address and netmask automatically makes an entry in the route table for that interface. It also allows you to create one or more Dynamic IP (DIP) pools in the same subnet for the application of policy-based network address translation (NAT) on traffic passing through that interface14. In the case where the source and destination addresses are in an overlapping address space, you can use policy-based NAT to change the source address on outbound traffic to that of a neutral address space. On the other end of the tunnel, the admin can create a mapped IP (MIP) using an address in another neutral space. For bidirectional VPN traffic between two end entities with overlapping addresses, policy-based NAT and MIPs are required at both ends of the tunnel.

14. The range of addresses in a DIP pool must be in the same subnet as the interface, but the pool must not include the interface IP address or any MIP or VIP addresses that might also be in that subnet.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

7XQQHO =RQHV DQG 3ROLF\%DVHG 1$7

Topology of the zones configured on NetScreen A at the branch office.

Topology of the zones configured on NetScreen B at the branch office.

Trust Zone

Tunnel Zone

Untrust Zone

Untrust Zone

Tunnel Zone

Trust Zone

server B 10.10.1.5 network A 10.10.1.0/24 server A 10.10.1.8

NetScreen A

Internet

NetScreen B

network B 10.10.1.0/24

Tunnel.1 10.10.2.1/24

Tunnel.1 10.10.3.1/24

DIP 5 10.10.2.10 10.10.2.20 MIP 10.10.2.8 > 10.10.1.8

DIP 6 10.10.3.10 10.10.3.20 MIP 10.10.3.5 > 10.10.1.5

Users at network A can access server B. Users at network B can access server A. All traffic flows through the VPN tunnel between the two sites. network A server B

server A

VPN Tunnel

network B

A tunnel zone is conceptually affiliated with a security zone in a child-parent relationship. The security zone acting as the parent, which you can also conceive of as a carrier zone, provides the firewall protection to the encapsulated traffic. The tunnel zone provides packet encapsulation/decapsulation, andby supporting tunnel interfaces with IP addresses and netmasks that can host DIP poolscan also provide policy-based NAT services.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

7XQQHO =RQHV DQG 3ROLF\%DVHG 1$7

Security Zone Tunnel Zone Traffic to or from a VPN tunnel


The tunnel interfacewhich when bound to a tunnel zone must have an IP address/netmask supports policy-based NAT for pre-encapsulated and post-decapsulated VPN traffic.

The interface of the security zone hosting the tunnel zone provides firewall protection for the encapsulated traffic.

Tunnel Interface

VPN Tunnel Security Zone Interface

Outbound traffic enters the tunnel zone via the tunnel interface, is encapsulated, and exits via the security zone interface. Inbound traffic enters via the security zone interface, is decapsulated in the tunnel zone, and exits via the tunnel interface.

When upgrading to ScreenOS 3.1.0, existing tunnel interfaces are bound by default to the preconfigured untrust-tunnel zone, which is a child of the preconfigured untrust security zone. You can bind multiple tunnel zones to the same security zone; however, you cannot bind a tunnel zone to another tunnel zone.

([DPSOH 7XQQHO ,QWHUIDFH LQ D 7XQQHO =RQH


In this example, you configure a VPN tunnel between the corporate site and a branch office; however, the address space for the VPN end entities overlaps. To overcome this conflict, you can use NAT to modify the source address on outbound VPN traffic and a MIP to modify the destination address on inbound VPN traffic. The tunnel parameters are the same as in the previous example: AutoKey IKE, preshared key (netscreen1), Main mode, ESP, Diffie-Hellman Group 2, 3DES, and SHA-1. The interface specified as the local gateway on the corporate site is 210.1.1.1. (The branch office uses this address as the remote gateway in its IKE configuration.) The NetScreen device at the corporate site is running ScreenOS 3.1.0. The NetScreen device at the remote site is running an earlier version of ScreenOS.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

7XQQHO =RQHV DQG 3ROLF\%DVHG 1$7

Note: Only the configuration for the corporate end of the tunnel is given below. For information on configuring a NetScreen device running pre-USGA ScreenOS, see the NetScreen Concepts & Examples ScreenOS Reference Guide for the version of ScreenOS that is appropriate for your device.
Note: The castle icon represents a security zone interface. Untrust-VR Routing Domain branch1-ftp tunnel/1 MIP 30.1.1.5 host 10.1.1.5 VPN tunnel: to_branch1 Branch1 10.2.1.0/24

Default Gateway 210.1.1.254 Trust-VR Routing Domain

corp-ftp 10.1.1.2

Gateway 211.2.2.2/24 Zone: Untrust-Tun tunnel.1 10.2.1.1/24 DIP 10.2.1.6510.2.1.126 MIP 10.2.1.2 host 10.1.1.2 Zone: Untrust 210.1.1.1/24 eth1/2

Zone: Sales 10.1.1.1/24 eth2/1

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

7XQQHO =RQHV DQG 3ROLF\%DVHG 1$7

:HE8,
6HFXULW\ =RQHV
1. Zone >> New Entry: Enter the following, and then click OK: Name: Sales Virtual Router Name: trust-vr Note: The Untrust and Untrust-Tun zones are preconfigured. You do not have to create them.

,QWHUIDFHV =RQHV DQG 7XQQHO


2. Interfaces >> Edit (for ethernet2/1): Enter the following, and then click OK: IP Address: 10.1.1.1 Netmask: 255.255.255.0 Zone Name: Sales Interface Mode: Route 3. Interfaces >> Edit (for ethernet1/2): Enter the following, and then click OK: IP Address: 210.1.1.1 Netmask: 255.255.255.0 Zone Name: Untrust 4. Interfaces >> Tunnel >> New Entry: Enter the following, and then click Save: Tunnel Interface Name Tunnel.: 1 Zone: Untrust-Tun Fixed IP: (select) IP Address: 10.2.1.1 Netmask: 255.255.255.0

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

7XQQHO =RQHV DQG 3ROLF\%DVHG 1$7

931
5. VPNs >> Gateway (P1) >> New Remote Tunnel Gateway: Enter the following, and then click OK: Gateway Name: branch1 Remote Gateway Static IP Address: (select) IP Address: 211.2.2.2 Mode (Initiator) Main (ID Protection): (select) Outgoing Interface: ethernet1/215 Phase 1 Proposal: pre-g2-3des-sha Preshared Key: netscreen1 6. VPNs >> AutoKey (P2) >> New AutoKey IKE Entry: Enter the following, and then click OK: Name: to_branch1 Enable Replay Protection: (select) Remote Gateway Tunnel: branch1 Phase 2 Proposal: g2-esp-3des-sha

$GGUHVVHV
7. Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: sales-any IP Address/Domain Name: 10.1.1.0 Netmask: 255.255.255.0 Zone: Sales

15. The outgoing interface does not have to be in the same zone to which the tunnel interface is bound.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

7XQQHO =RQHV DQG 3ROLF\%DVHG 1$7

8.

Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: corp-ftp IP Address/Domain Name: 10.1.1.2 Netmask: 255.255.255.255 Zone: Sales

9.

Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: branch1-any IP Address/Domain Name: 30.1.1.0 Netmask: 255.255.255.192 Zone: Untrust

10. Addresses >> Address >> New Address: Enter the following, and then click OK: Address Name: branch1-ftp IP Address/Domain Name: 30.1.1.5 Netmask: 255.255.255.255 Zone: Untrust

0,3
11. Interfaces >> MIP (for ethernet1/2) >> New Entry: Enter the following, and then click OK: Mapped IP Address: 10.2.1.2 Netmask: 255.255.255.255 Host IP Address: 10.1.1.2

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

7XQQHO =RQHV DQG 3ROLF\%DVHG 1$7

',3
12. Interfaces >> Tunnel >> DIP (for tunnel.1) >> New Entry: Enter the following, and then click OK: ID: 5 Start: 10.2.1.65 End: 10.2.1.126 Port Translation Enable: (select)

5RXWHV
13. Routing >> Route Table >> New Entry: Enter the following, and then click OK 16: Virtual Router Name: trust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Hop Virtual Router Name: untrust-vr 14. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust-vr Network Address: 30.1.1.0 Netmask: 255.255.255.0 Hop Virtual Router Name: tunnel.1

16. This route exists by default and does not need to be configured for this example. Its inclusion here is purely to illustrate how to configure it.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

7XQQHO =RQHV DQG 3ROLF\%DVHG 1$7

15. Routing >> Route Table >> New Entry: Enter the following, and then click OK: Virtual Router Name: untrust-vr Network Address: 0.0.0.0 Netmask: 0.0.0.0 Gateway IP Address: 210.1.1.254 Interface: ethernet1/2(untrust-vr) Note: Because the interface for the Sales zone (eth2/1) is in Route mode, the NetScreen device automatically makes an entry for it in the untrust-vr route table. You do not have to enter one manually.

3ROLFLHV
16. Policy (From Zone: Sales, To Zone: Untrust) >> New Policy: Enter the following, and then click OK: Source Address: sales-any Destination Address: branch1-ftp Service: FTP NAT On: (select) DIP On: (select); 5 (10.2.1.6510.2.1.126)/X-late Action: Tunnel VPN Tunnel: to_branch1 17. Policy (From Zone: Untrust, To Zone: Global) >> New Policy: Enter the following, and then click OK: Source Address: branch1-any Destination Address: global MIP(10.2.1.2) Service: FTP Action: Tunnel VPN Tunnel: to_branch1
1HW6FUHHQ &RQFHSWV ([DPSOHV 

&KDSWHU  3ROLF\%DVHG 931V

7XQQHO =RQHV DQG 3ROLF\%DVHG 1$7

&/,
6HFXULW\ DQG 7XQQHO =RQHV
1. set zone name sales (The Untrust zone and the Untrust-Tun zones are preconfigured. You do not have to create them.)

,QWHUIDFHV =RQHV DQG 7XQQHO


2. 3. 4. 5. 6. 7. set interface eth2/1 zone sales set interface eth2/1 ip 10.1.1.1 255.255.255.0 set interface eth1/2 zone untrust set interface eth1/2 ip 210.1.1.1 255.255.255.0 set interface tunnel.1 zone untrust-tun set interface tunnel.1 ip 10.2.1.1 255.255.255.0

931
8. 9. set ike gateway branch1 ip 211.2.2.2 main outgoing-interface eth1/2 preshare netscreen1 proposal pre-g2-3des-sha set vpn to_branch1 gateway branch1 replay proposal g2-esp-3des-sha

$GGUHVVHV
10. 11. 12. 13. set address sales sales-any 10.1.1.0 255.255.255.0 set address sales corp-ftp 10.1.1.2 255.255.255.255 set address untrust branch1-any 30.1.1.0 255.255.255.192 set address untrust branch-ftp 30.1.1.5 255.255.255.255

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

7XQQHO =RQHV DQG 3ROLF\%DVHG 1$7

0,3
14. set interface eth1/2 mip 10.2.1.217 host 10.1.1.2

',3
15. set interface tunnel.1 dip 5 10.2.1.65 10.2.1.126

5RXWHV
16. set vrouter trust-vr route 0.0.0.0 0.0.0.0 vrouter untrust-vr 17. set vrouter untrust-vr route 30.1.1.0 255.255.255.192 interface tunnel.1 18. set vrouter untrust-vr route 0.0.0.0 0.0.0.0 interface eth1/2 gateway 210.1.1.254 Note: Because the interface for the sales zone (eth2/1) is in Route mode, the NetScreen device automatically makes an entry for it in the untrust-vr route table. You do not have to enter one manually.

3ROLFLHV
19. set policy from sales to untrust sales-any branch1-ftp ftp nat dip 5 permit 20. set policy from untrust to global branch1-any mip(10.2.1.2) ftp permit 21. save

17. Because the default netmask is 255.255.255.255, you do not need to specify that in the command.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 931V

7XQQHO =RQHV DQG 3ROLF\%DVHG 1$7

1HW6FUHHQ &RQFHSWV

([DPSOHV



8uhr #

/73
Introduction to L2TP on page 444 Packet Encapsulation and Decapsulation on page 448 L2TP Parameters on page 450 Example: Configuring an IP Pool and L2TP Default Settings on page 451 L2TP and L2TP-Over-IPSec on page 453 Example: Configuring L2TP on page 453 Example: Configuring L2TP-Over-IPSec on page 459



This chapter provides an introduction to Layer 2 Tunneling Protocol (L2TP), its use alone and with IPSec support, and then some configuration examples for L2TP and L2TP-over-IPSec:

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

,QWURGXFWLRQ WR /73

,1752'8&7,21 72 /73
Layer 2 Tunneling Protocol (L2TP) provides a way for a dial-up user to make a virtual Point-to-Point Protocol (PPP) connection to an L2TP network server (LNS), which can be a NetScreen device. L2TP sends PPP frames through a tunnel between an L2TP access concentrator (LAC) and the LNS. Originally, L2TP was designed so that a LAC residing at an ISP site tunneled to an LNS at either another ISP or corporate site. The L2TP tunnel did not extend completely to the dial-up users computer, but only to the LAC at the dial-up users local ISP. (This is sometimes referred to as a compulsory L2TP configuration.)

Dial-up User

Dial-up Connection ISP Internet NetScreen Corporate LAN

L2TP Access Concentrator (LAC)

L2TP Tunnel (forwarding PPP sessions from LAC to LNS)

L2TP Network Server

With the capability of a NetScreen-Remote 5.0 client on a Windows 2000 or Windows NT, or a Windows 2000 client by itself to act as an LAC, the L2TP tunnel can extend directly to the dial-up users computer, thus providing end-to-end tunneling. (This approach is sometimes referred to as a voluntary L2TP configuration.)

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

,QWURGXFWLRQ WR /73

NetScreen-Remote or Windows 2000 ISP Internet NetScreen Device (LNS) Corporate LAN L2TP Tunnel (forwarding PPP sessions from LAC to LNS)

Because the PPP link extends from the dial-up user across the Internet to the NetScreen device (LNS), it is the NetScreen device, not the ISP, that assigns the client its IP address, DNS and WINS servers addresses, and authenticates the user, either from the internal database or from a RADIUS server. The dial-up user receives two IP addressesone for its physical connection to the ISP, and a logical one from the LNS. When the dial-up user contacts his or her ISP, perhaps using PPP, the ISP makes IP and DNS assignments, and authenticates the user. This allows users to connect to the Internet with a routable IP address, which becomes the outer IP address of the L2TP tunnel.
1 ISP

IP Address: 212.30.40.56 DNS: 209.6.15.3, 209.6.15.4

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

,QWURGXFWLRQ WR /73

Then, when the L2TP tunnel forwards the encapsulated PPP frames to the NetScreen device, the NetScreen device assigns the user an IP address, and DNS and WINS settings. The IP address can be a private, nonroutable address, which becomes the inner IP address of the L2TP tunnel.

Internet

NetScreen Device (LNS)

IP Address: 10.10.1.161 DNS: 189.16.2.4, 189.16.2.5 WINS: 10.20.1.48, 10.20.1.49 IP Address Pool 10.10.1.1 10.10.1.254

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

,QWURGXFWLRQ WR /73

ScreenOS 3.1.0 provides the following L2TP support: L2TP tunnels originating from a NetScreen-Remote 5.0 client on a workstation running Windows 20001 or Windows NT or a Windows 2000 client by itself For NetScreen-Remote 5.0, L2TP-over-IPSec with Main mode negotiations using certificates, and Aggressive mode using either a preshared key or certificates For Windows 2000, L2TP-over-IPSec with Main mode negotiations using certificates A combination of L2TP and IPSec in transport mode (L2TP-over-IPSec) Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) authentication using the internal user database (up to 1500 entries) and a RADIUS server2 Assignment of dialup users IP address, DNS servers, and WINS servers L2TP tunnels to the root system but not to virtual systems Note: To use L2TP, the NetScreen device must be operating at layer 3, with security zones in NAT or Route mode. When the NetScreen device is operating at layer 2, with security zones in Transparent mode, no L2TP-related material appears in the WebUI, and L2TP-related CLI commands elicit error messages.

1.

By default, Windows 2000 performs L2TP-over-IPSec. To force it to use L2TP only, you must navigate to the ProhibitIPSec key in the registry and change 0 (L2TP-over-IPSec) to 1 (L2TP only). (Before performing this, NetScreen recommends that you backup your registry.) Click Start >> Run: Type regedit. Double-click HKEY_LOCAL_MACHINE >> System >> CurrentControlSet >> Services >> RasMan >> Parameters. Double-click ProhibitIPSec: Type 1 in the Value data field, select Hexadecimal as the base value, and then click OK. Reboot. (If you do not find such an entry in the registry, see Microsoft WIndows documentation for information on how to create one.) To authenticate users, the NetScreen device checks the entries in its internal database or those in a RADIUS server, if one is used.

2.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

3DFNHW (QFDSVXODWLRQ DQG 'HFDSVXODWLRQ

3$&.(7 (1&$368/$7,21 $1' '(&$368/$7,21


L2TP employs encapsulation of packets as the means for transporting PPP frames from the LAC to the LNS. Before looking at specific examples for setting up L2TP and L2TP-over-IPSec, an overview of the encapsulation and decapsulation involved in the L2TP process is presented.

(QFDSVXODWLRQ
When a dialup user on an IP network sends data over an L2TP tunnel, the LAC encapsulates the IP packet within a series of layer 2 frames, layer 3 packets, and layer 4 segments. Assuming that the dialup user connects to the local ISP over a PPP link, the encapsulation proceeds as follows:

1. 2. 3. 4. 5. 6.

The data is placed in an IP payload. The IP packet is encapsulated in a PPP frame. The PPP frame is encapsulated in an L2TP frame. The L2TP frame is encapsulated in a UDP segment. The UDP segment is encapsulated in an IP packet. The IP packet is encapsulated in a PPP frame to make the physical connection between the dialup user and the ISP.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

3DFNHW (QFDSVXODWLRQ DQG 'HFDSVXODWLRQ

'HFDSVXODWLRQ
When the LAC initiates the PPP link to the ISP, the decapsulation and forwarding of the nested contents proceed as follows:
ISP

LNS

1. 2. 3. 4. 5.

6. 7.

The ISP completes the PPP link and assigns the users computer an IP address. Inside the PPP payload is an IP packet. The ISP removes the PPP header and forwards the IP packet to the LNS. The LNS removes the IP header. Inside the IP payload is a UDP segment specifying port 1701, the port number reserved for L2TP. The LNS removes the UDP header. Inside the UDP payload is an L2TP frame. The LNS processes the L2TP frame, using the tunnel ID and call ID in the L2TP header to identify the specific L2TP tunnel. The LNS then removes the L2TP header. Inside the L2TP payload is a PPP frame. The LNS processes the PPP frame, assigning the users computer a logical IP address. Inside the PPP payload is an IP packet. The LNS routes the IP packet to its ultimate destination, where the IP header is removed and the data in the IP packet is extracted.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

/73 3DUDPHWHUV

/73 3$5$0(7(56
The LNS uses L2TP to provide the PPP settings for a dial-up user that typically come from an ISP. These settings are as follows: IP address The NetScreen device selects an address from a pool of IP addresses and assigns it to the dial-up users computer. The selection process operates cyclically through the IP address pool; that is, in a pool from 1.1.1.1 to 1.1.1.3, the addresses are selected in the following cycle: 1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.1 1.1.1.2 ) DNS primary and secondary server IP addresses The NetScreen device provides these addresses for the dial-up users computer to use. WINS primary and secondary server IP addresses The NetScreen device also provides these addresses for the dial-up users computer to use.

The LNS also authenticates the user through a user name and password. You can enter the user in either the internal database or a RADIUS server. Note: The RADIUS server that you use for authenticating L2TP users can be the same server you use for network users, or it can be a different server. In addition, you can specify one of the following schemes for the PPP authentication: Challenge Handshake Authentication Protocol (CHAP), in which the NetScreen device sends a challenge (encryption key) to the dial-up user after he or she makes a PPP link request and the users login name and password are encrypted with the key Password Authentication Protocol (PAP), which sends the dial-up users password in the clear along with the PPP link request ANY, meaning that the NetScreen device negotiates CHAP, and then if that fails, PAP.

You can apply to dial-up users and dialup user groups the default L2TP parameters that you configure on the L2TP Default Configuration page (VPNs >> L2TP >> Default L2TP Settings Edit) or with the set l2tp default command. You can also apply L2TP parameters that you configure specifically for L2TP users on the User Configuration page (Users >> Users >> New Auth IKE/L2TP User) or with the set user <name> remote-settings command. The user-specific L2TP settings supersede the default L2TP settings.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

/73 3DUDPHWHUV

([DPSOH &RQILJXULQJ DQ ,3 3RRO DQG /73 'HIDXOW 6HWWLQJV


In this example, you define an IP address pool with addresses ranging from 10.1.3.40 to 10.1.3.100. You specify DNS server IP addresses 210.11.6.2 (primary) and 210.11.6.3 (secondary). Database entries for dialup users are stored in a RADIUS server at the IP address 10.1.2.245, and the shared secret is Ooaw35GA3. The NetScreen device performs authentication using CHAP.

Trust Zone

RADIUS 10.1.2.245

Untrust Zone Internet

DNS 1 210.11.6.2 DNS 2 210.11.6.3

Note: The L2TP pool addresses must be in a different subnet from those in the Trust zone.

ethernet1, 10.1.2.1/24 L2TP IP Pool

ethernet3,

:HE8,
1. VPNs >> IP Pool >> New IP Pool: Enter the following, and then click Save: IP Pool Name: Sutro Start IP: 10.1.3.40 End IP: 10.1.3.100

3.

Instead of using actual words for passwords, which might be guessed or discovered through a dictionary attack, you can use an apparently random string of letters and numbers. To create such a string that you can easily remember, compose a sentence and use the first letter from each word. For example, Our old address was 35 Glenwood Avenue becomes Ooaw35GA.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

/73 3DUDPHWHUV

2.

VPNs >> L2TP >> Default L2TP Settings Edit: Enter the following, and then click OK: IP Pool Name: Sutro Authentication Database: RADIUS PPP Authentication: CHAP RADIUS Server IP/Name: 10.1.2.245 RADIUS Secret: Ooaw35GA DNS Primary Server IP: 210.11.6.2 DNS Secondary Server IP: 210.11.40.3 WINS Primary Server IP: 0.0.0.0 WINS Secondary Server IP: 0.0.0.0

&/,
1. 2. 3. 4. 5. 6. 7. 8. 9. set ippool sutro 10.1.3.40 10.1.3.100 set l2tp default ippool sutro set l2tp default auth radius set l2tp default server-name 10.1.2.245 set l2tp default radius-secret Ooaw35GA set l2tp default ppp-auth chap set l2tp default dns1 210.11.6.2 set l2tp default dns2 210.11.40.3 save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

/73 DQG /732YHU,36HF

/73 $1' /7329(5,36(&


Although the dial-up user can be authenticated using CHAP or PAP, an L2TP tunnel is not encrypted, and therefore is not a true VPN tunnel. The purpose of L2TP is simply to permit the administrator of the local NetScreen device to determine the range of IP addresses for remote dial-up users. These addresses can then be referenced in access policies. To encrypt an L2TP tunnel, you need to apply an encryption scheme to the L2TP tunnel. Because L2TP assumes that the network between the LAC and the LNS is IP, you can employ IPSec to provide encryption. This combination is called L2TP-over-IPSec. L2TP-over-IPSec requires setting up both an L2TP tunnel and an IPSec tunnel with the same endpoints, and then linking them together in an access policy. L2TP-over-IPSec requires that the IPSec tunnel be in transport mode so that the tunnel endpoint addresses remain in the clear. (For information about transport mode and tunnel mode, see Modes on page 272.)

([DPSOH &RQILJXULQJ /73


In this example, you create a dialup user group called fs (for field-sales) and configure an L2TP tunnel called sales_corp, using ethernet3 (Untrust zone) as the outgoing interface for the L2TP tunnel. The NetScreen device applies the following default L2TP tunnel settings to the dialup user group: The users are authenticated via the internal database. PPP authentication uses CHAP. The range of addresses in the IP pool (named global) is from 10.10.2.100 to 10.10.2.1804. The DNS servers are 210.11.6.2 (primary) and 210.11.40.3 (secondary)

Note: An L2TP-only configuration is not secure. It is recommended only for debugging purposes.

4.

The addresses in the L2TP IP pool must be in a different subnet than the addresses in the corporate network.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

/73 DQG /732YHU,36HF

Auth/L2TP Dialup Users Group: fs Adam Untrust Zone DNS 1: 210.11.6.2 DNS 2: 210.11.40.3

IP Pool: global 10.10.2.100 10.10.2.180 Corporate Network Trust Zone

Betty Internet Outgoing Interface Carol L2TP Tunnel: sales_corp Untrust Zone eth3, 123.2.2.1/24 eth1, 10.20.1.1/24

:HE8,
&UHDWH 'LDOXS 8VHUV
1. Users >> Users >> New AUTH/IKE/L2TP User: Enter the following, and then click OK: User Name: Adam Status: Enable Authentication User: (select) L2TP User: (select) User Password: AJbioJ15 Confirm Password: AJbioJ15

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

/73 DQG /732YHU,36HF

2.

Users >> Users >> New AUTH/IKE/L2TP User: Enter the following, and then click OK: User Name: Betty Status: Enable Authentication User: (select) L2TP User: (select) User Password: BviPsoJ1 Confirm Password: BviPsoJ1

3.

Users >> Users >> New AUTH/IKE/L2TP User: Enter the following, and then click OK: User Name: Carol Status: Enable Authentication User: (select) L2TP User: (select) User Password: Cs10kdD3 Confirm Password: Cs10kdD3

&UHDWH D 'LDOXS 8VHU *URXS


4. Users >> Dialup Group >> New Group: Enter the following, and then click Add members: Group Name: fs Group Type: IKE/L2TP 5. Group Configuration: Move the following members, and then click OK: Group Members << Available Members: Adam Betty Carol

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

/73 DQG /732YHU,36HF

6HW WKH 'HIDXOW /73 6HWWLQJV


6. VPNs >> IP Pool >> New IP Pool: Enter the following, and then click Save: IP Pool Name: global Start IP: 10.10.2.100 End IP: 10.10.2.180 7. VPNs >> L2TP >> Default L2TP Settings Edit: Enter the following, and then click OK: IP Pool Name: global Authentication Database: Local PPP Authentication: CHAP DNS Primary Server IP: 210.11.6.2 DNS Secondary Server IP: 210.11.40.3 WINS Primary Server IP: 0.0.0.0 WINS Secondary Server IP: 0.0.0.0 8. VPNs >> L2TP >> New L2TP Tunnel: Enter the following, and then click OK: Name: sales_corp Dialup User/Group: fs Peer IP: 0.0.0.05 Host Name (optional): Enter the name of the computer acting as the LAC6. Outgoing Interface: ethernet3

5. 6.

Because the IP address of the peer is dynamic, enter 0.0.0.0 here. To find the name of a computer running Windows 2000, do the following: Click Start >> Settings >> Control Panel >> System. The System Properties dialog box appears. Click the Network Identification tab, and see entry following Full computer name.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

/73 DQG /732YHU,36HF

Secret (optional): Enter a secret shared between the LAC and the LNS. Note: To add a secret to the LAC for authenticating the L2TP tunnel, you must modify the Windows 2000 registry as follows: (1) Click Start >> Run, and then type regedit. The Registry Editor opens. (2) Click HKEY_LOCAL_MACHINE. (3) Right-click SYSTEM, and then select Find from the pop-up menu that appears. (4) Type ms_l2tpminiport, and then click Find Next. (5) In the Edit menu, highlight New, and then select String Value. (6) Type Password. (7) Double-click Password. The Edit String dialog box appears. (8) Type the password in the Value data field. This must be the same as the word in the L2TP Tunnel Configuration Secret field on the NetScreen device. (9) Reboot the computer running Windows 2000. When using L2TP-over-IPSec, which is the Windows 2000 default, tunnel authentication is unnecessary; all L2TP messages are encrypted and authenticated inside IPSec. Keep Alive: 607

&UHDWH DQ $FFHVV 3ROLF\


9. Policies >> Policy (From Zone: Untrust, To Zone: Trust) >> New Policy: Enter the following, and then click OK: Source Address: Dial-Up VPN Destination Address: Any NAT: Off Service: ANY Action: Tunnel L2TP: sales_corp

7.

The Keep Alive value is the number of seconds of inactivity before the NetScreen device sends an L2TP hello signal to the LAC.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

/73 DQG /732YHU,36HF

&/,
&UHDWH 'LDOXS 8VHUV
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. set user adam type auth l2tp set user adam password AJbioJ15 set user betty type auth l2tp set user betty password BviPsoJ1 set user carol type auth l2tp set user carol password Cs10kdD3 set dialup-group fs set dialup-group fs + adam set dialup-group fs + betty set dialup-group fs + carol set ippool global 10.10.2.100 10.10.2.180 set l2tp default ippool global set l2tp default auth local set l2tp default ppp-auth chap set l2tp default dns1 210.11.6.2 set l2tp default dns2 210.11.40.3

&UHDWH D 'LDOXS 8VHU *URXS

6HW WKH 'HIDXOW /73 6HWWLQJV

&RQILJXUH DQ /73 7XQQHO


17. set l2tp sales_corp user fs outgoing-interface ethernet3

&UHDWH DQ $FFHVV 3ROLF\


18. set policy from untrust to trust dial-up vpn any any tunnel l2tp sales_corp 19. save
1HW6FUHHQ &RQFHSWV ([DPSOHV 

&KDSWHU  /73

/73 DQG /732YHU,36HF

([DPSOH &RQILJXULQJ /732YHU,36HF


This example uses the same L2TP tunnel created in the previous example (Example: Configuring L2TP on page 453). Additionally, you overlay an IPSec tunnel onto the L2TP tunnel to provide encryption. The IPSec tunnel negotiates Phase 1 in Aggressive Mode using a previously loaded certificate, 3DES encryption and SHA-1 authentication. The Phase 2 negotiation employs the Encapsulating Security Payload (ESP) protocol also using 3DES and SHA-1. The IPSec tunnel is in transport mode. The predefined Trust zone and the user-defined Dialup zone are in the trust-vr routing domain. The interfaces for the Dialup and Trust zones are ethernet2 (210.2.1.1/24) and ethernet1 (10.20.1.1/24) respectively. The Trust zone is in NAT mode.
Auth-IKE-L2TP Dialup Users Group: fs Adam Dialup Zone DNS 1: 210.11.6.2 DNS 2: 210.11.40.3

IP Pool: global 10.10.2.100 10.10.2.180 Corporate Network Trust Zone

Betty Internet Carol L2TP Tunnel: sales_corp VPN Tunnel: from_sales Outgoing Interface ethernet2, 210.2.1.1/24

ethernet1, 10.20.1.1/24

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

/73 DQG /732YHU,36HF

:HE8,
&UHDWH D =RQH
1. Zone >> Zone >> New Entry: Enter the following, and then click OK: Zone Name: Dialup Virtual Router Name: trust-vr Zone Type: Regular (select) Note: The Trust zone is preconfigured. You do not need to create it.

'HILQH ,QWHUIDFHV
2. Interfaces >> Physical >> Edit (for ethernet1): Enter the following, and then click Save: IP Address: 10.20.1.1 Netmask: 255.255.255.0 Zone Name: Trust Interface Mode: NAT 3. Interfaces >> Physical >> Edit (for ethernet2): Enter the following, and then click Save: IP Address: 210.2.1.1 Netmask: 255.255.255.0 Zone Name: Dialup Interface Mode: Route

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

/73 DQG /732YHU,36HF

&UHDWH 'LDOXS 8VHUV


4. Users >> Users >> New Auth IKE/L2TP User: Enter the following, and then click OK: User Name: Adam Status Enable: (select) Authentication User: (select) L2TP User: (select) User Password: AJbioJ15 Confirm Password: AJbioJ15 IKE User: (select) Simple Identity: (select) IKE Identity: ajackson@abc.com8 5. Users >> Users >> New Auth IKE/L2TP User: Enter the following, and then click OK: User Name: Betty Status Enable: (select) Authentication User: (select) L2TP User: (select) User Password: BviPsoJ1 Confirm Password: BviPsoJ1 IKE User: (select) Simple Identity: (select) IKE Identity: bdavis@abc.com

8.

The IKE identity you enter must be the same as that which the Windows 2000 client sends, which is usually the e-mail address of the certificate installed on the Windows 2000 client.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

/73 DQG /732YHU,36HF

6.

Users >> Users >> New Auth IKE/L2TP User: Enter the following, and then click OK: User Name: Carol Status Enable: (select) Authentication User: (select) L2TP User: (select) User Password: Cs10kdD3 Confirm Password: Cs10kdD3 IKE User: (select) Simple Identity: (select) IKE Identity: cburnet@abc.com

&UHDWH D 'LDOXS 8VHU *URXS


7. Users >> Dialup Group >> New Group: Enter the following, and then click Add members: Group Name: fs Group Type: IKE 8. Group Configuration: Move the following members, and then click OK: Group Members << Available Members: Adam Betty Carol

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

/73 DQG /732YHU,36HF

6HW WKH 'HIDXOW /73 6HWWLQJV


9. VPNs >> IP Pool >> New IP Pool: Enter the following, and then click Save: IP Pool Name: global Start IP: 10.10.2.100 End IP: 10.10.2.180 10. VPNs >> L2TP >> Default L2TP Settings Edit: Enter the following, and then click OK: IP Pool Name: global Authentication Database: Local PPP Authentication: CHAP DNS Primary Server IP: 210.11.6.2 DNS Secondary Server IP: 210.11.40.3 WINS Primary Server IP: 0.0.0.0 WINS Secondary Server IP: 0.0.0.0

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

/73 DQG /732YHU,36HF

11. VPNs >> L2TP >> New L2TP Tunnel: Enter the following, and then click OK: Name: sales_corp Dialup User/Group: fs Peer IP: 0.0.0.09 Host Name (optional): If you want to restrict the L2TP tunnel to a specific host, enter the name of the computer acting as the LAC10. Outgoing Interface: ethernet2 Secret (optional): Enter a secret shared between the LAC and the LNS11 Note: The host name and secret settings can usually be ignored. Only advanced users are recommended to use these. Keep Alive: 6012

9.

Because the IP address of the peer is dynamic, enter 0.0.0.0 here.

10. To find the name of a computer running Windows 2000, do the following: Click Start >> Settings >> Control Panel >> System. The System Properties dialog box appears. Click the Network Identification tab, and see entry following Full computer name. 11. To add a secret to the LAC for authenticating the L2TP tunnel, you must modify the Windows 2000 registry. See the note in the previous example. 12. The Keep Alive value is the number of seconds of inactivity before the NetScreen device sends an L2TP hello signal to the LAC.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

/73 DQG /732YHU,36HF

&RQILJXUH D 931 7XQQHO


12. VPNs >> Gateway (P1) >> New Remote Tunnel Gateway: Enter the following, and then click OK: Gateway Name: field Remote Gateway Dialup User: (select) User/Group: Dialup Group - fs Mode (Initiator): Aggressive Outgoing Interface: ethernet2 Phase 1 Proposal: rsa-g2-3des-sha 13. VPNs >> AutoKey (P2) >> New AutoKey IKE Entry: Enter the following, and then click OK: Name: from_sales Remote Gateway Tunnel: field Phase 2 Proposal: g2-esp-3des-sha Transport Mode: Enable (For L2TP-over-IPSec) Bind to Tunnel Zone: (select), Untrust-Tun

&UHDWH DQ $FFHVV 3ROLF\


14. Policies >> Policy (From Zone: Dialup, To Zone: Trust) >> New Policy: Enter the following, and then click OK: Source Address: Dial-Up VPN Destination Address: Any Service: ANY Action: Tunnel VPN Tunnel: from_sales Create matching VPN policy: (select) L2TP: sales_corp

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

/73 DQG /732YHU,36HF

&/,
&UHDWH D =RQH
1. 2. set zone name dialup set zone dialup vrouter trust-vr

'HILQH ,QWHUIDFHV
3. 4. 5. 6. 7. 8. set interface ethernet1 zone trust set interface ethernet1 ip 10.20.1.1/24 set interface ethernet1 nat set interface ethernet2 zone dialup set interface ethernet2 ip 210.2.1.1/24 set interface ethernet2 route

&UHDWH 'LDOXS 8VHUV


1. 2. 3. 4. 5. 6. 7. 8. 9. set user adam type auth ike l2tp set user adam password AJbioJ15 set user adam ike-id ajackson@abc.com set user betty type auth ike l2tp set user betty password BviPsoJ1 set user betty ike-id bdavis@abc.com set user carol type auth ike l2tp set user carol password Cs10kdD3 set user carol ike-id cburnet@abc.com

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

/73 DQG /732YHU,36HF

&UHDWH D 'LDOXS 8VHU *URXS


10. 11. 12. 13. set dialup-group fs set dialup-group fs + adam set dialup-group fs + betty set dialup-group fs + carol

6HW WKH 'HIDXOW /73 6HWWLQJV


14. 15. 16. 17. 18. 19. set ippool global 10.10.2.100 10.10.2.180 set l2tp default ippool global set l2tp default auth local set l2tp default ppp-auth chap set l2tp default dns1 210.11.6.2 set l2tp default dns2 210.11.40.3

&RQILJXUH DQ /73 7XQQHO


20. set l2tp sales_corp user fs outgoing-interface ethernet2

&RQILJXUH D 931 7XQQHO


21. set ike gateway field dialup fs aggressive outgoing-interface ethernet2 proposal rsa-g2-3des-sha 22. set vpn from_sales gateway field transport proposal g2-esp-3des-sha

&UHDWH DQ $FFHVV 3ROLF\


23. set policy from dialup to trust dial-up vpn any any tunnel vpn from_sales l2tp sales_corp 24. save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

/73 DQG /732YHU,36HF

1HW6FUHHQ5HPRWH 6HFXULW\ 3ROLF\ (GLWRU $GDP


1. 2. 3. Click Options >> Secure >> Specified Connections. Click the Add a new connection button, and type AJ next to the new connection icon that appears. Configure the connection options: Connection Security: Secure Remote Party ID Type: IP Address IP Address: 210.2.1.1 Protocol: UDP Port: L2TP Connect using Secure Gateway Tunnel: (clear) 4. 5. Click the PLUS symbol, located to the left of the AJ icon, to expand the connection policy. Click My Identity, and configure the following: Select a certificate from the Select Certificate drop-down list ID Type: E-mail Address 14 Port: L2TP 6. 7. Click the Security Policy icon, select Aggressive Mode and Enable Perfect Forward Secrecy (PFS). Click the PLUS symbol, located to the left of the Security Policy icon, and then the PLUS symbol to the left of Authentication (Phase 1) and Key Exchange (Phase 2) to expand the policy further.

13. To configure L2TP-over-IPSec tunnels for Betty and Carols NetScreen-Remote clients, follow the same procedure as that provided here for Adam. 14. The e-mail address from the certificate appears in the identifier field automatically.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

/73 DQG /732YHU,36HF

8.

Click Authentication (Phase 1) >> Proposal 1: Select the following Encryption and Data Integrity Algorithms: Encrypt Alg: Triple DES Hash Alg: SHA-1 Key Group: Diffie-Hellman Group 2

9.

Click Key Exchange (Phase 2) >> Proposal 1: Select the following IPSec Protocols: Encapsulation Protocol (ESP): (select) Encrypt Alg: 3DES Hash Alg: SHA-1 Encapsulation: Transport

10. Click the Save button. 11. You also need to set up the network connection for your Windows 2000 operating system using the Network Connection Wizard. Note: When configuring the wizard, you must enter a destination host name or IP address. Enter 210.2.1.1. Later, when initiating a connection and are prompted for a user name and password, enter adam, AJbioJ15. For more information, consult Microsoft Windows 2000 documentation.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  /73

/73 DQG /732YHU,36HF

1HW6FUHHQ &RQFHSWV

([DPSOHV



8uhr $

3ROLF\%DVHG 1$7



This chapter describes policy-based NAT and how it can make use of a pool of Dynamic IP (DIP) and Mapped IP (MIP) addresses. While you can apply Network Address Translation (NAT) at either the interface level or policy level1, this chapter focusses exclusively on the policy-level application with particular emphasis on how it offers a solution for overlapping address space among VPN users. (For more information on an interface-level application of NAT, see Network Address Translation Mode on page 52.) This chapter contains the following three main sections: Dynamic IP on page 472 Mapped IP on page 476 Policy-Based NAT for Network Traffic on page 482

1.

You can use policy-based NAT with the NetScreen device in Route mode or NAT mode. When the NetScreen device is in NAT mode, the policy-level NAT parameters supersede the interface-level NAT parameters. For example, while the NetScreen device is in NAT mode, you can specify in an access policy a DIP pool other than that linked to the Untrusted interface.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 1$7

'\QDPLF ,3

'<1$0,& ,3
A DIP pool is a range of IP addresses from which the NetScreen device can dynamically take addresses to use when performing NAT on the source IP address of outgoing or incoming IP packets. The range of addresses in a DIP pool must be in the same subnet as the interface IP address, but the DIP pool should not contain the interface IP address, router IP address, or any Mapped or Virtual IP addresses that might also be on that subnet. There are three kinds of interfaces that you can link to Dynamic IP (DIP) pools: physical interfaces and subinterfaces for network and VPN traffic, and tunnel interfaces for VPN tunnels only.

To DMZ Zone To Untrust Zone To Trust Zone

VPN Tunnels

NetScreen Firewall
10.10.1.2 10.10.1.20 210.10.1.2 210.10.1.20 220.10.1.2 220.10.1.20 10.20.1.2 10.30.1.2 10.20.1.20 10.30.1.20

DIP Pools

Trust Physical Interfaces

Untrust

DMZ

Tunnel

Tunnel

10.10.1.1/24 210.10.1.1/24

220.10.1.1/24 10.20.1.1/24 10.30.1.1/24

The physical interfaces lead to networks or VPN tunnels.

The tunnel interfaces lead only to VPN tunnels.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 1$7

'\QDPLF ,3

3RUW $GGUHVV 7UDQVODWLRQ


Using Port Address Translation (PAT), multiple hosts can share the same IP address, the NetScreen device maintaining a list of assigned port numbers to distinguish which session belongs to which host. With PAT enabled, up to ~64,500 hosts can share a single IP address. Some applications, such as NetBIOS Extended User Interface (NetBEUI) and Windows Internet Naming Service (WINS), require specific port numbers and cannot function properly if PAT is applied to them. For such applications, you can specify not to perform PAT (that is, to use a fixed port) when using DIP. For fixed port DIP, the NetScreen device hashes the original host IP address and saves it in its host hash table, allowing the NetScreen device to associate the right session with each host.

([DPSOH &UHDWLQJ D ',3 3RRO ZLWK 3$7


In this example, you create a tunnel interface and associate a DIP pool with it using the following parameters: Zone: Finance Interface IP address: 10.20.3.1/24 Interface ID: 8 DIP pool ID: 5 DIP pool range: 10.20.3.10 10.20.3.20 PAT enabled

:HE8,
1. Interfaces >> Tunnel >> New Entry: Enter the following, and then click Save: Tunnel Interface Name: 8 Zone Name: Finance IP Address: 10.20.3.1 Netmask: 255.255.255.0

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 1$7

'\QDPLF ,3

2.

Interfaces >> Tunnel >> Dynamic IP (DIP) >> New Entry: Enter the following, and then click OK: ID: 52 IP Address Range Start: 10.20.3.10 End: 10.20.3.20 Port Translation: (select)

&/,
1. 2. 3. set interface tunnel.8 ip 10.20.3.1 255.255.255.0 set interface tunnel.8 dip 5 10.20.3.10 10.20.3.20 save

Note: Because PAT is enabled by default, there is no argument for enabling it. To create the same DIP pool as defined above but without PAT (that is, with fixed port numbers), do the following: (WebUI) Interfaces >> Tunnel >> Dynamic IP (DIP) >> New Entry: Clear the Port Translation check box, and then click OK. (CLI) set interface tunnel.8 dip 5 10.20.3.10 10.20.3.20 fix-port

([DPSOH &KDQJLQJ D ',3 3RRO


In this example, you change the range of addresses in an existing DIP pool (ID 8) from 10.2.2.10 10.2.2.100 to 10.2.2.10 10.2.2.20. This DIP pool is associated with tunnel.2. Note that to change the DIP pool range through the CLI, you first remove (or unset) the existing dip pool, and then you create a new pool. Note: There are no access policies using this particular DIP pool. If there were, you would need to delete the policy or not use this DIP pool in that policy.
2. You can use the ID number displayed, which is the next available number sequentially, or type a different number.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 1$7

'\QDPLF ,3

:HE8,
Interfaces >> Tunnel >> Dynamic IP (for tunnel.2) >> Edit (for ID 8): Enter the following, and then click OK: IP Address Range End: 10.2.2.20

&/,
1. 2. 3. unset interface tunnel.2 dip 8 set interface tunnel.2 dip 8 10.2.2.10 10.2.2.20 save

([DPSOH 'HOHWLQJ D 7XQQHO ,QWHUIDFH


In this example, tunnel interface tunnel.2 is linked to DIP pool 8. DIP pool 8 is referenced in an outgoing access policy (ID 10). To remove the tunnel interface, you must first remove the access policy (or remove the reference to DIP pool 8 from the policy), then the DIP pool, and then the interface.

:HE8,
1. 2. 3. Policies >> Policy: Click Remove for Access Policy ID 10. Interfaces >> Tunnel >> Dynamic IP (for tunnel.2): Click Remove for DIP ID 8. Interfaces >> Tunnel: Click Remove for tunnel.2.

&/,
1. 2. 3. 4. unset policy 10 unset interface tunnel.2 dip 8 unset interface tunnel.2 save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 1$7

0DSSHG ,3

0$33(' ,3
Mapped IP (MIP) is a direct one-to-one mapping of traffic destined for one IP address to another IP address. You can create Mapped IP (MIP) addresses for tunnel interfaces and any interface in the Untrust zone. A MIP must be in the same subnet as the tunnel interface to which it is linked; however, for an interface in the Untrust zone, a MIP does not need to be in the same subnet. In either case, a MIP must not be the same as the interface address or be in any DIP pool that might also be on that subnet. Whereas DIP assigns IP addresses randomly, MIP provides a static mapping of one address to another. A MIP address provides a way to apply address translation to incoming traffic to reach a host at a specific IP address.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 1$7

0DSSHG ,3

Internet
Mapped IP: Inbound traffic is mapped from 200.2.2.10 on the subnet in the Untrust zone to 172.16.40 on the subnet in the Trust zone.

200.2.2.10

Public Address Space Private Address Space

Untrust Zone Subnet

Trust Zone Subnet

172.16.40.3

By setting up MIP addresses, you can configure the NetScreen device to route traffic destined for many different IP addresses on the subnet of the tunnel interface and any interface in the Untrust zone to specific addresses on the trusted network.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 1$7

0DSSHG ,3

0,3 DQG WKH *OREDO =RQH


Setting a MIP for an interface in any zone generates a book entry in the Global zone address book. The Global zone address book keeps all the MIPs of all interfaces, regardless of which zone the interfaces belong to. You can use these MIP addresses as the destination addresses in access policies between any two zones, and as the source addresses when defining a policy from the Global zone to any other zone.

([DPSOH $GGLQJ D 0,3 WR D 7XQQHO ,QWHUIDFH


In this example, the IP address space for the network in the Trust zone is 10.20.1.0/24 and the IP address for the tunnel interface tunnel.8 is 10.20.3.1. The physical IP address for a server on the network in the Trust zone is 10.20.1.25. To allow a remote site whose network in the Trust zone uses an overlapping address space to access the local server through a VPN tunnel, you create a MIP in the same subnet as the tunnel.8 interface. The MIP address is 10.20.3.25/32.

:HE8,
Interfaces >> Tunnel >> Mapped IP (for tunnel.8) >> New Entry: Enter the following, and then click OK: Mapped IP Address: 10.20.3.25 Netmask: 255.255.255.255 Host IP Address: 10.20.1.25

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 1$7

0DSSHG ,3

&/,
1. 2. set interface tunnel.8 mip 10.20.3.25 host 10.20.1.253 save

Note: When the remote administrator adds the untrusted address for the server to his address book, he must use the MIP (10.20.3.25), not the servers physical IP address (10.20.1.25). The remote administrator also needs to apply policy-based NAT (using DIP) on the outgoing packets bound for the server through the VPN so that the local administrator can add an untrusted address that does not conflict with the local trusted addresses. Otherwise, the source address in the incoming access policy would seem to come from the trusted network address space.

([DPSOH $GGLQJ D 0,3 WR DQ ,QWHUIDFH LQ WKH 8QWUXVW =RQH


When the NetScreen device is operating in NAT mode, an MIP provides a means for incoming traffic to reach a private address on a network within a zone. You can configure a MIP address to route traffic destined for an address on the subnet in the Untrust zone to a different address on the subnet in the Trust zone, regardless of the service and corresponding port number involved.

3. By default the netmask for a MIP is 255.255.255.255, mapping the address to a single host. You can also define a MIP for a range of addresses. For example, to define 2.1.10.128 as a MIP for the addresses 10.1.10.12910.1.10.254 within a class C subnet through the CLI, use the following syntax: set interface <interface name> mip 2.1.10.128 host 10.1.10.128 netmask 255.255.255.128 . Be careful not to use a range of addresses that includes the

interface or router addresses.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 1$7

0DSSHG ,3

This example explains how to map incoming traffic destined to the IP address 209.122.17.6 in the Untrust zone to the IP address 172.16.10.2 in the Trust zone.
Workstation#2 172.16.10.2 From Untrust Zone NetScreen device Workstation#1 172.16.10.1

Destination IP: 209.122.17.6

Destination IP: 172.16.10.2 Web Server 172.16.10.252

Mail Server 172.16.10.253

Trust Zone

:HE8,
Interfaces >> Physical >> MIP (for the interface for which you want to add a MIP) >> New Entry: Enter the following, and then click OK: Mapped IP Address: 209.122.17.6 Netmask: 255.255.255.255

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 1$7

0DSSHG ,3

Host IP Address: 172.16.10.2

&/,
1. 2. set interface ethernet1/2 mip 209.122.17.6 host 172.16.10.2 netmask 255.255.255.255 save

Note: You must define an access policy allowing the mapped IP address to be accessed. No address book entry is required for a Mapped IP. You can map an address-to-address or subnet-to-subnet relationship. When a subnet-to-subnet mapped IP configuration is defined, the netmask is applied to both the mapped IP subnet and the original IP subnet.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 1$7

3ROLF\%DVHG 1$7 IRU 1HWZRUN 7UDIILF

32/,&<%$6(' 1$7 )25 1(7:25. 75$)),&


You can use a DIP pool for an interface in the Untrust zone to translate the source address on outgoing network traffic. Applying NAT from a pool of IP addresses obfuscates the physical IP address of the interface in the Untrust zone, making it harder for anyone to target it for attacks. Note: For information and an example on policy-based NAT for VPN traffic, see Chapter 13, Tunnel Zones and Policy-Based NAT on page 431.

([DPSOH 1$7 RQ 2XWJRLQJ 1HWZRUN 7UDIILF


In this example, you use a DIP pool on the interface in the Untrust zone to perform NAT on outgoing network traffic. The IP address of the NetScreen device in the Untrust zone is 215.3.4.11. The addresses in the DIP pool range from 215.3.4.12 to 215.3.4.210.
Internet

DIP 6: 215.3.4.12 215.3.4.210 Untrust Zone eth3, 215.3.4.11/24

Trust Zone eth1, 172.16.40.11/24 Source IP Address: 172.16.40.1 Source IP Address: 172.16.40.10 Source IP Address: 172.16.40.100

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 1$7

3ROLF\%DVHG 1$7 IRU 1HWZRUN 7UDIILF

:HE8,
1. Interfaces >> Physical >> Edit (for ethernet1): Enter the following, and then click Save: IP Address: 172.16.40.11 Netmask: 255.255.255.0 Zone Name: Trust 2. Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save: IP Address: 215.3.4.11 Netmask: 255.255.255.0 Zone Name: Untrust 3. Interfaces >> Physical >> DIP (for ethernet3) >> New Entry: Enter the following, and then click OK: ID: 6 IP Address Range Start: 215.3.4.12 End: 215.3.4.210 Port Translation: Enable 4. Policies >> Policy (From Zone: Untrust, To Zone: Trust) >> New Policy: Enter the following, and then click OK: Source Address: Any Destination Address: Any Service: Any NAT: On DIP On: (select); 6 (215.3.4.12215.3.4.210) Action: Permit

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  3ROLF\%DVHG 1$7

3ROLF\%DVHG 1$7 IRU 1HWZRUN 7UDIILF

&/,
1. 2. 3. 4. 5. set interface ethernet3 zone untrust set interface ethernet3 ip 215.3.4.11/24 set interface ethernet3 dip 6 215.3.4.12 215.3.4.210 set policy from untrust to trust any any nat dip 6 any permit save

1HW6FUHHQ &RQFHSWV

([DPSOHV



8uhr %

7UDIILF 6KDSLQJ
The topics discussed include: Applying Traffic Shaping on page 486 Managing Bandwidth at the Access Policy Level on page 486 Setting Service Priorities on page 492



This chapter discusses the various ways you can use your NetScreen device to manage limited bandwidth without compromising quality and availability of the network to all of your users.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  7UDIILF 6KDSLQJ

$SSO\LQJ 7UDIILF 6KDSLQJ

$33/<,1* 75$)),& 6+$3,1*


Traffic shaping is the allocation of the appropriate amount of network bandwidth to every user and application on an interface. The appropriate amount of bandwidth is defined as cost-effective carrying capacity at a guaranteed Quality of Service (QoS). You can use a NetScreen device to shape traffic by creating access policies and by applying appropriate rate controls to each class of traffic going through the NetScreen device.

0DQDJLQJ %DQGZLGWK DW WKH $FFHVV 3ROLF\ /HYHO


To classify traffic, you create an access policy which specifies the amount of guaranteed bandwidth, the maximum bandwidth, and the priority for each class of traffic. The physical bandwidth of every interface is allocated to the guaranteed bandwidth parameter for all policies. If there is any bandwidth left over, it is sharable by any other traffic. In other words, each policy gets its guaranteed bandwidth and shares whatever is left over on a priority basis (up to the limit of its maximum bandwidth specification). The traffic shaping function applies to traffic from all policies. If you turn off traffic shaping for an access policy, but traffic shaping is still turned on for other policies, the system applies a default traffic shaping policy to this policy assigning 0 guaranteed bandwidth, unlimited maximum bandwidth, and a priority of 7 (the lowest priority setting)1. If you do not want the system to assign this default traffic shaping policy to policies for which you have turned off traffic shaping, then turn off traffic shaping system wide via the CLI command set traffic-shaping mode off. You can set traffic shaping to automatic: set traffic-shaping mode auto. This allows the system to turn on traffic shaping when an access policy requires it, and turn off traffic shaping when policies do not require it.

1. You can enable a mapping of the NetScreen priority levels to the DiffServ Codepoint Marking system. For more information about DS Codepoint Marking, see Traffic Shaping on page 257.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  7UDIILF 6KDSLQJ

$SSO\LQJ 7UDIILF 6KDSLQJ

([DPSOH 7UDIILF 6KDSLQJ


In this example, you partition 45Mbps of bandwidth on a T3 interface among three departments on the same subnet. The interface ethernet1 is bound to the trust zone and ethernet3 is bound to the untrust zone.

Trust Zone Marketing: 10 Mbps In, 10 Mbps Out T345 Mbps

Untrust Zone

Internet Router Sales: 5 Mbps In, 10 Mbps Out DMZ for Servers Support: 5 Mbps In, 5 Mbps Out Router

DMZ Zone

:HE8,
1. 2. 3. Interfaces >> Physical >> Edit (for ethernet1): Enter the following, and then click Save: Traffic Bandwidth: 45000 Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save: Traffic Bandwidth: 45000 Policies >> Policy (From Zone Trust, To Zone Untrust) >> New Policy: Enter the following, and then click OK: Name: Marketing Traffic Shaping Policy Source Address: Marketing

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  7UDIILF 6KDSLQJ

$SSO\LQJ 7UDIILF 6KDSLQJ

Destination Address: Any Service: Any Action: Permit VPN Tunnel: None2 Traffic Shaping: On Guaranteed Bandwidth: 10000 Maximum Bandwidth: 15000 4. Policies >> Policy (From Zone: Trust, To Zone: Untrust) >> New Policy: Enter the following, and then click OK: Name: Sales Traffic Shaping Policy Source Address: Sales Destination Address: Any Service: Any Action: Permit Traffic Shaping: On Guaranteed Bandwidth: 10000 Maximum Bandwidth: 10000 5. Policies >> Policy (From Zone: Trust, To Zone: Untrust) >> New Policy: Enter the following, and then click OK: Name: Support Traffic Shaping Policy Source Address: Support Destination Address: Any Service: Any
2. You can also do traffic shaping on VPN tunnels.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  7UDIILF 6KDSLQJ

$SSO\LQJ 7UDIILF 6KDSLQJ

Action: Permit Traffic Shaping: On Guaranteed Bandwidth: 5000 Maximum Bandwidth: 10000 6. Policies >> Policy (From Zone: Untrust, To Zone: Trust) >> New Policy: Enter the following, and then click OK: Name: Allow Incoming Access to Marketing Source Address: Any Destination Address: Marketing Service: Any Action: Permit Traffic Shaping: On Guaranteed Bandwidth: 10000 Maximum Bandwidth: 10000 7. Policies >> Policy (From Zone: Untrust, To Zone: Trust) >> New Policy: Enter the following, and then click OK: Name: Allow Incoming Access to Sales Source Address: Any Destination Address: Sales Service: Any Action: Permit Traffic Shaping: On Guaranteed Bandwidth: 5000 Maximum Bandwidth: 10000

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  7UDIILF 6KDSLQJ

$SSO\LQJ 7UDIILF 6KDSLQJ

8.

Policies >> Policy (From Zone Untrust, To Zone Trust) >> New Policy: Enter the following, and then click OK: Name: Allow Incoming Access to Support Source Address: Any Destination Address: Support Service: Any Action: Permit Traffic Shaping: On Guaranteed Bandwidth: 5000 Maximum Bandwidth: 5000

&/,
To enable traffic shaping by access policy, do the following: 1. 2. 3. 4. 5. 6. 7. 8. set interface ethernet1 bandwidth 45000 set interface ethernet3 bandwidth 45000 set policy name Marketing Traffic Shaping Policy from trust to untrust marketing any any permit traffic gbw 10000 priority 0 mbw 15000 set policy name Sales Traffic Shaping Policy from trust to untrust sales any any permit traffic gbw 10000 priority 0 mbw 10000 set policy name Support Traffic Shaping Policy from trust to untrust support any any permit traffic gbw 5000 priority 0 mbw 10000 set policy name Allow Incoming Access to Marketing from untrust to trust marketing any any permit traffic gbw 10000 priority 0 mbw 10000 set policy name Allow Incoming Access to Sales from untrust to trust sales any any permit traffic gbw 5000 priority 0 mbw 10000 set policy name Allow Incoming Access to Support from untrust to trust support any any permit traffic gbw 5000 priority 0 mbw 5000

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  7UDIILF 6KDSLQJ

$SSO\LQJ 7UDIILF 6KDSLQJ

9. 1. 2. 3. 4.

save set interface ethernet1 bandwidth 45000 set interface ethernet3 bandwidth 45000 set traffic-shaping mode auto save

Or, to enable traffic shaping at the interface level, do the following:

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  7UDIILF 6KDSLQJ

6HWWLQJ 6HUYLFH 3ULRULWLHV

6(77,1* 6(59,&( 35,25,7,(6


The traffic shaping feature supported on NetScreen devices allows you to perform priority queuing on the bandwidth that is not allocated to guaranteed bandwidth, or is guaranteed but not used. Priority queuing is a feature that lets all your users and applications have access to available bandwidth as they need it, while ensuring that important traffic can get through, if necessary at the expense of less important traffic. Queuing allows NetScreen to buffer traffic in up to eight different priority queues. These eight queues are: High priority 2nd priority 3rd priority 4th priority 5th priority 6th priority 7th priority Low priority (default)

The priority setting for an access policy means that the bandwidth not already guaranteed to other access policies is queued on the basis of High priority first and Low priority last. Access policies with the same priority setting compete for bandwidth in a Round Robin fashion. The NetScreen device processes all of the traffic from all of the access policies with High priority before processing any traffic from access policies with the next lower priority setting, and so on, until all traffic requests have been processed. If traffic requests exceed available bandwidth, the lowest priority traffic is dropped. Caution Be careful not to allocate more bandwidth than the interface can support. The access policy configuration process does not prevent you from creating unsupported access policy configurations. You can lose data if the guaranteed bandwidth on contending access policies surpasses the traffic bandwidth set on the interface. If you do not allocate any guaranteed bandwidth, then you can use priority queuing to manage all of traffic on your network. That is, all High priority traffic is sent before any 2nd priority traffic is sent, and so on. The NetScreen device processes Low priority traffic only after all other traffic has been processed.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  7UDIILF 6KDSLQJ

6HWWLQJ 6HUYLFH 3ULRULWLHV

([DPSOH 3ULRULW\ 4XHXLQJ


In this example, you configure the guaranteed and maximum bandwidth for three departmentsSupport, Sales, and Marketing as follows:
Outbound Guar.Max. Support Sales Marketing Total
*

Inbound Guar.Max. 10 7 3 20

Combined Guar.Max. 20 12 8 40

Priority

10 5 5 20

High 2 3

Megabits per second (Mbps)

If all three departments send and receive traffic concurrently through the NetScreen firewall, the NetScreen device must allocate 40 Mbps of bandwidth to fulfill the guaranteed access policy requirements. Of the 5 Mbps of available bandwidth remaining, 3 Mbps of available bandwidth goes to Sales to fulfill its maximum bandwidth allocation. Marketing traffic, having the lowest priority, uses the 8 Mbps of guaranteed traffic, and gets the remaining 2 Mbps towards its maximum bandwidth allocation. The interface ethernet1 is bound to the trust zone and ethernet3 is bound to the untrust zone.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  7UDIILF 6KDSLQJ

6HWWLQJ 6HUYLFH 3ULRULWLHV

Trust Zone T3 (45 Mbps) Support: 10 Mbps Out, 10 Mbps In, High Priority

Untrust Zone

Internet Router Sales: 5 Mbps Out, 7 Mbps In, 2nd Priority DMZ for Servers DMZ Zone Router

Marketing: 5 Mbps Out, 3 Mbps In, 3rd Priority

:HE 8,
1. Policies >> Policy (From Zone Trust, To Zone Untrust) >> New Policy: Enter the following, and then click OK: Name: Sup-out Source Address: Support Destination Address: Any Service: Any Action: Permit Traffic Shaping: On Guaranteed Bandwidth: 10000 Maximum Bandwidth: 10000
1HW6FUHHQ &RQFHSWV ([DPSOHV 

&KDSWHU  7UDIILF 6KDSLQJ

6HWWLQJ 6HUYLFH 3ULRULWLHV

Traffic Priority: High priority DiffServ Codepoint Marking3: Enable 2. Policies >> Policy (From Zone Trust, To Zone Untrust) >> New Policy: Enter the following, and then click OK: Name: Sal-out Source Address: Sales Destination Address: Any Service: Any Action: Permit Traffic Shaping: On Guaranteed Bandwidth: 5000 Maximum Bandwidth: 5000 Traffic Priority: 2nd priority DiffServ Codepoint Marking: Enable 3. Policies >> Policy (From Zone Trust, To Zone Untrust) >> New Policy: Enter the following, and then click OK: Name: Mar-out Source Address: Marketing Destination Address: Any Service: Any Action: Permit

3.

Differentiated Services (DS) is a system for tagging (or marking) traffic at a position within a hierarchy of priority. DS Codepoint Marking maps the NetScreen priority level of the access policy to the first three bits of codepoint in the DS field in the IP packet header. For more information about DS Codepoint Marking, see Traffic Shaping on page 257.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  7UDIILF 6KDSLQJ

6HWWLQJ 6HUYLFH 3ULRULWLHV

Traffic Shaping: On Guaranteed Bandwidth: 5000 Maximum Bandwidth: 5000 Traffic Priority: 3rd priority DiffServ Codepoint Marking: Enable 4. Policies >> Policy (From Zone Untrust, To Zone Trust) >> New Policy: Enter the following, and then click OK: Name: Sup-in Source Address: Any Destination Address: Support Service: Any Action: Permit Traffic Shaping: On Guaranteed Bandwidth: 10000 Maximum Bandwidth: 10000 Traffic Priority: High priority DiffServ Codepoint Marking: Enable 5. Policies >> Policy (From Zone Untrust, To Zone Trust) >> New Policy: Enter the following, and then click OK: Name: Sal-in Source Address: Any Destination Address: Sales Service: Any Action: Permit

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  7UDIILF 6KDSLQJ

6HWWLQJ 6HUYLFH 3ULRULWLHV

Traffic Shaping: On Guaranteed Bandwidth: 7000 Maximum Bandwidth: 1000 Traffic Priority: 2nd priority DiffServ Codepoint Marking: Enable 6. Policies >> Policy (From Zone Untrust, To Zone Trust) >> New Policy: Enter the following, and then click OK: Name: Mar-in Source Address: Any Destination Address: Marketing Service: Any Action: Permit Traffic Shaping: On Guaranteed Bandwidth: 3000 Maximum Bandwidth: 5000 Traffic Priority: 3rd priority DiffServ Codepoint Marking: Enable

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  7UDIILF 6KDSLQJ

6HWWLQJ 6HUYLFH 3ULRULWLHV

&/,
1. 2. 3. 4. 5. 6. 7. 8. 9. set interface ethernet1 bandwidth 45000 set interface ethernet3 bandwidth 45000 set policy name sup-out from trust to untrust support any any permit traffic gbw 10000 priority 0 mbw 10000 dscp enable set policy name sal-out name from trust to untrust sales any any permit traffic gbw 5000 priority 2 mbw 5000 dscp enable set policy name mar-out from trust to untrust marketing any any permit traffic gbw 5000 priority 3 mbw 5000 dscp enable set policy name sup-in from untrust to trust any support any permit traffic gbw 10000 priority 0 mbw 10000 dscp enable set policy name sal-in from untrust to trust any sales any permit traffic gbw 7000 priority 2 mbw 10000 dscp enable set policy name mar-in from untrust to trust any marketing any permit traffic gbw 3000 priority 3 mbw 5000 dscp enable save

1HW6FUHHQ &RQFHSWV

([DPSOHV



8uhr &

9LUWXDO 6\VWHPV
The specific topics discussed in this chapter are: Establishing a Virtual System on page 501 Defining Subinterfaces and VLAN Tags on page 504 Importing and Exporting Physical Interfaces on page 510 Logging On as a Virtual System Administrator on page 512 Communicating Between VLANs on page 514



This chapter discusses the concepts and implementation of virtual systems and Virtual Local Area Networks (VLANs) that are available on some NetScreen devices.

Some NetScreen devices can provide multi-tenant services via virtual systems, each of which is a unique security domain with its own management. Virtual systems can have their own administrators (called virtual system administrators), who can individualize their security domains by setting their own address books, user lists, custom services, VPNs, and access policies (although setting firewall security options, creating virtual system administrators and defining subinterfaces can only be done at the root level). Note: For more information on the various levels of administration that NetScreen supports, see Levels of Administration on page 136. Unless a virtual system has its own dedicated physical interfaces, it must be associated with at least one trusted VLAN1, which is bound to the virtual system through a logical trusted subinterface. The VLAN members of the same virtual system can communicate with each other. The VLAN members of different virtual systems cannot communicate with one another unless the participating virtual system administrators specifically configure access policies allowing the members of their respective systems to do so (see Communicating Between VLANs on page 514).
1. NetScreen supports VLANs compliant with the IEEE 802.1Q VLAN standard.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 6\VWHPV

Untrust Zone (Shared)

External Routers

External Switch

Internal Switch NetScreen Device Root

Internal Routers Trust Zone (Root) Vsys1-Trust Zone

Internet

Vsys 1 Vsys 2

Vsys2-Trust Zone

If the virtual system uses subinterfaces, the switch and router in the vsys-trust and shared untrust zones must have VLAN-support capabilities. If you create more than one subinterface on a physical interface, then you must define the connecting switch port as a trunk port2 and make it a member of all VLANs that use it. Virtual systems can support the following kinds of interfaces for their Untrust and Trust zones:
Untrust Zone Interface Types
Dedicated Physical Interface Subinterface (with VLAN tagging) Shared Physical Interface with Root System

Trust Zone Interface Types


Dedicated Physical Interface Subinterface (with VLAN tagging)

If a virtual system neither shares the Untrust zone interface with the root system nor has its own dedicated physical interface, it must be associated with a VLAN that is bound to the virtual system through a subinterface. The Untrust zone VLAN includes the 802.1Q-compliant router that receives its inbound and outbound traffic. The router tags the incoming frames so that when they reach the NetScreen device, it can direct them to the correct subinterface. Similarly, unless a virtual system has its own dedicated physical interface for its Trust zone, the internal switch and router it uses must be included as members in the Trust zone VLAN.
2. A trunk port allows a switch to bundle traffic from several VLANs through a single physical port, sorting the various packets by the VLAN identifier (VID) in their frame headers. When you associate a VLAN with an interface or subinterface, the NetScreen device automatically defines the physical port as a trunk port. When using VLANs at the root level in Transparent mode, you must manually define the physical ports as trunk ports with the following CLI command: set interface {trust | untrust} vlan trunk.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 6\VWHPV

(VWDEOLVKLQJ D 9LUWXDO 6\VWHP

(67$%/,6+,1* $ 9,578$/ 6<67(0


The root administrator or root-level read/write admin must complete the following tasks to set up a functional virtual system: Create and enter a virtual system Define all interfaces or subinterfaces and associate each subinterface with a VLAN (Optional) Assign a virtual system administrator

After completing these steps, the root level administrator can exit the virtual system and allow the virtual system administrator to log in and begin configuring addresses, users, services, addresses, VPNs, and access policies. If a virtual system has public (Internet routable) IP addresses in its Trust zone, it operates in Route mode, routing inbound traffic directly to those addresses. If a virtual system has private (not Internet routable) IP addresses, it operates in Network Address Translation (NAT) mode, translating the source addresses on outbound traffic and the destination addresses on inbound traffic using Mapped IP (MIP) addresses. Note: Only a root level administrator can set up MIPs for virtual systems. For more information, see Mapped IP on page 476. Although a virtual system cannot be in Transparent mode, because it requires unique interface or subinterface IP addresses, the root system can be in Transparent mode3. For the root system to support VLANs while operating in Transparent mode, use the following CLI command to enable the v1-trust and v1-untrust interfaces to act as trunk ports: set interface { trust | untrust } vlan trunk. A virtual system can also be reached via VPN tunnels; however, to support dialup users and dynamic peers, each virtual system must have its own Untrust zone interface or subinterface. If a virtual system is sharing the Untrust zone interface with the root system, it cannot support VPNs to dialup users and dynamic peers nor can it have an AutoKey IKE VPN to the same remote site as the root system does.

3.

When the root system is in Transparent mode, it cannot support virtual systems. It can, however, support root-level VLANs while in Transparent mode.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 6\VWHPV

(VWDEOLVKLQJ D 9LUWXDO 6\VWHP

([DPSOH &UHDWLQJ 9LUWXDO 6\VWHPV DQG 9LUWXDO 6\VWHP $GPLQLVWUDWRUV


In this example, you are a root level administrator. You create three virtual systems: 111, 222, 333. For virtual system 111, you create virtual system administrator Alice and the admin password wIEaS1v14. For virtual system 222, you create virtual system administrator Bob and the admin password pjF56Ms2. For virtual system 333, there is no virtual system administrator. Note: Virtual system names, admin names, and admin passwords are case-sensitive. Virtual system abc is different from virtual system ABC. After you create a virtual system through the WebUI, you remain at the root level. Entering the newly created virtual system requires a separate step: Vsys >> Vsys: Click Enter (for the virtual system you want to enter). The WebUI pages of the virtual system you have entered appear, with the name of the virtual system above the central display areaVirtual System Name: <Name>. When you create a virtual system through the CLI, you immediately enter the system that you have just created. (To enter an existing virtual system from the root level, use the enter vsys <name> command.) When you enter a virtual system, note that the CLI command prompt changes to include the name of the system in which you are now issuing commands.

:HE8,
1. Vsys >> Vsys >> New Virtual System: Enter the following, and then click OK: VSYS Name: 111 VSYS Admin Name: Alice VSYS Admin Password: wIEaS1v1 Confirm Password: wIEaS1v1
4. Only a root level administrator can create a virtual system administrators profile (user name and password). Because the NetScreen device uses the user name to determine the virtual system to which a user belongs, a virtual system administrator cannot change his or her user name. However, a virtual system administrator can (and should) change his or her password.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 6\VWHPV

(VWDEOLVKLQJ D 9LUWXDO 6\VWHP

2.

Vsys >> New Virtual System: Enter the following, and then click OK: VSYS Name: 222 VSYS Admin Name: Bob VSYS Admin Password: pjF56Ms2 Confirm Password: pjF56Ms2

3.

Vsys >> New Virtual System: Enter the following, and then click OK: VSYS Name: 333

&/,
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. ns500-> set vsys 111 ns500(111)-> set admin name Alice ns500(111)-> set admin password wIEaS1v1 ns500(111)-> save5 ns500(111)-> exit ns500-> set vsys 222 ns500(222)-> set admin name Bob ns500(222)-> set admin password pjF56Ms2 ns500(222)-> save ns500(222)-> exit ns500-> set vsys 333 ns500(333)-> save

5.

After issuing any commands, you must issue a save command before issuing an exit command or the NetScreen device loses your changes

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 6\VWHPV

'HILQLQJ 6XELQWHUIDFHV DQG 9/$1 7DJV

'(),1,1* 68%,17(5)$&(6 $1' 9/$1 7$*6


The Trust zone subinterface links a virtual system to its internal VLAN. The Untrust zone subinterface links a virtual system to the public WAN, usually the Internet. A subinterface has the following attributes: A unique VLAN ID (from 1 to 4095) A public or private IP address (the IP address is private by default) A netmask for a class A, B, or C subnet An associated VLAN

A virtual system can have a single Untrust zone subinterface and multiple Trust zone subinterfaces. If a virtual system does not have its own Untrust zone subinterface, it shares the root level Untrust zone interface. NetScreen devices also support VLANs at the root level.
Vsys = Virtual System if = Interface sif = subinterface if NetScreen Device

Root

if sif sif sif sif sif sif

LAN VLAN.1 VLAN.2 VLAN.3 VLAN.4 VLAN.5 VLAN.6

Internet sif

Vsys1

Vsys2

sif

Vsys100

sif

VLAN.292

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 6\VWHPV

'HILQLQJ 6XELQWHUIDFHV DQG 9/$1 7DJV

The NetScreen device supports IEEE 802.1Q-compliant VLAN tags. A tag is an added bit in the Ethernet frame header that indicates membership in a particular VLAN. By binding a VLAN to a virtual system, the tag also determines to which virtual system a frame belongs, and consequently, which access policy is applied to that frame. If a VLAN is not bound to a virtual system, access policies set in the root system of the NetScreen device are applied to the frame. A root level administrator can create a VLAN, assign members to it, and bind it to a virtual system. (The assigning of members to a VLAN can be done by several methodsprotocol type, MAC address, port numberand is beyond the scope of this manual.) The virtual system administrator, if there is one, then manages the virtual system through the creation of addresses, users, services, VPNs, and access policies. If there is no virtual system administrator, then a root level administrator performs these tasks. Note: If the super administrator does not associate a VLAN to a virtual system, the VLAN operates within the NetScreen device root system. There are three tasks that a root level administrator must perform to create a VLAN for a virtual system: Enter a virtual system, define a subinterface, and associate it with a VLAN. Note: All subnets in a virtual system must be disjointed; that is, there must be no overlapping IP addresses among the subnets in the same virtual system. For example: Subinterface1 2.2.2.1 255.255.255.0 and Subinterface2 2.2.3.1 255.255.255.0 are disjointed, and therefore, link to acceptable subnets. However, subnets with the following subinterfaces overlap, and are unacceptable within the same virtual system: Subinterface1 2.2.2.1 255.255.0.0 and subinterface2 2.2.3.1 255.255.0.0.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 6\VWHPV

'HILQLQJ 6XELQWHUIDFHV DQG 9/$1 7DJV

([DPSOH 'HILQLQJ 7KUHH 6XELQWHUIDFHV DQG 9/$1 7DJV


In this example, you define subinterfaces and VLAN tags for three virtual systems111, 222, and 333. The first two subinterfaces are for two private virtual systems operating in NAT mode, and the third subinterface is for a public virtual system operating in Route mode. The subinterfaces are 10.1.1.1/24, 10.2.2.1/24, and 10.3.3.1/24. Create all three subinterfaces on ethernet3/2.

:HE8,
1. 2. Vsys >>Vsys: Click Enter (for virtual system 111). Interfaces >> Physical >> New Sub-i/f (for ethernet3/2): Enter the following, and then click Save: ethernet3/2.: 1 IP Address: 10.1.1.1 Netmask: 255.255.255.0 VLAN Tag: 1 Zone Name: Trust-111 Interface Mode: NAT 3. 4. 5. Click the Exit Vsys button (on the left side of the screen) to return to the root level. Vsys >>Vsys: Click Enter (for virtual system 222). Interfaces >> Physical >> New Sub-i/f (for ethernet3/2): Enter the following, and then click Save: ethernet3/2.: 2 IP Address: 10.2.2.1 Netmask: 255.255.255.0 VLAN Tag: 2 Zone Name: Trust-222 Interface Mode: NAT

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 6\VWHPV

'HILQLQJ 6XELQWHUIDFHV DQG 9/$1 7DJV

6. 7. 8.

Click the Exit Vsys button to return to the root level. Vsys >>Vsys: Click Enter (for virtual system 333). Interfaces >> Physical >> New Sub-i/f (for ethernet3/2): Enter the following, and then click Save: ethernet3/2.: 3 IP Address: 10.3.3.1 Netmask: 255.255.255.0 VLAN Tag: 10 Zone Name: Trust-333 Interface Mode: Route

9.

Click the Exit Vsys button to return to the root level.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 6\VWHPV

'HILQLQJ 6XELQWHUIDFHV DQG 9/$1 7DJV

&/,
1. 2. 3. 4. 5. 6. 7. 8. 9. ns500-> enter vsys 111 ns500(111)-> set interface ethernet3/2.1 zone trust-111 ns500(111)-> set interface ethernet3/2.1 ip 10.1.1.1/24 tag 16 ns500(111)-> save ns500(111)-> exit ns500-> enter vsys 222 ns500(111)-> set interface ethernet3/2.2 zone trust-222 ns500(111)-> set interface ethernet3/2.2 ip 10.2.2.1/24 tag 2 ns500(222)-> save

10. ns500(222)-> exit

6.

You can define virtual systems to operate in Route mode or NAT mode. The default is NAT mode, which is why it is unnecessary to specify that in the CLI when creating the first two subinterfaces in this example.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 6\VWHPV

'HILQLQJ 6XELQWHUIDFHV DQG 9/$1 7DJV

11. ns500-> enter vsys 333 12. ns500(111)-> set interface ethernet3/2.3 zone trust-333 13. ns500(111)-> set interface ethernet3/2.3 ip 10.3.3.1/24 tag 3 14. ns500(333)-> set interface ethernet3/2.3 route 15. ns500(333)-> save 16. ns500(333)-> exit

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 6\VWHPV

,PSRUWLQJ DQG ([SRUWLQJ 3K\VLFDO ,QWHUIDFHV

,03257,1* $1' (;3257,1* 3+<6,&$/ ,17(5)$&(6


In addition to assigning one or more subinterfaces to a virtual system, you can also dedicate one or more physical interfaces to a virtual system. In effect, you import a physical interface from the root system to a virtual system. After importing a physical interface to a virtual system, the virtual system has exclusive use of it. Note: Before you can import an interface to a virtual system, it must be in the Null zone at the root level.

([DPSOH ,PSRUWLQJ D 3K\VLFDO ,QWHUIDFH WR D 9LUWXDO 6\VWHP


In this example, you import the physical interface ethernet4/1 to virtual system 111. You bind it to the Untrust zone and assign it the IP address 210.1.1.1/24.

:HE8,
1. 2. 3. Vsys >>Vsys: Click Enter (for virtual system 111). Interfaces >> Physical: Click Import (for ethernet4/1). Interfaces >> Physical >> Edit (for ethernet4/1): Enter the following, and then click Save: IP Address: 210.1.1.1 Netmask: 255.255.255.0 Zone Name: Untrust-111 4. Click the Exit Vsys button (on the left side of the screen) to return to the root level.

&/,
1. 2. 3. 4. 5. 6. ns500-> enter vsys 111 ns500(111)-> set interface ethernet4/1 import ns500(111)-> set interface ethernet4/1 zone untrust-111 ns500(111)-> set interface ethernet4/1 ip 210.1.1.1/24 ns500(111)-> save ns500(111)-> exit
([DPSOHV 

1HW6FUHHQ &RQFHSWV

&KDSWHU  9LUWXDO 6\VWHPV

,PSRUWLQJ DQG ([SRUWLQJ 3K\VLFDO ,QWHUIDFHV

([DPSOH ([SRUWLQJ D 3K\VLFDO ,QWHUIDFH IURP D 9LUWXDO 6\VWHP


In this example, you bind the physical interface ethernet4/1 to the Null zone in virtual system 111 and assign it the IP address 0.0.0.0/0. Then you export interface ethernet4/1 to the root system.

:HE8,
1. 2. Vsys >>Vsys: Click Enter (for virtual system 111). Interfaces >> Physical >> Edit (for ethernet4/1): Enter the following, and then click Save: IP Address: 0.0.0.0 Netmask: 0.0.0.0 Zone Name: Null 3. 4. Interfaces >> Physical: Click Export (for ethernet4/1). Interface ethernet4/1 is now available for use in the root system. Click the Exit Vsys button (on the left side of the screen) to return to the root level.

&/,
1. 2. 3. 4. 5. 6. ns500-> enter vsys 111 ns500(111)-> set interface ethernet4/1 zone null ns500(111)-> set interface ethernet4/1 ip 0.0.0.0/0 ns500(111)-> set interface ethernet4/1 export ns500(111)-> save Interface ethernet4/1 is now available for use in the root system. ns500(111)-> exit

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 6\VWHPV

/RJJLQJ 2Q DV D 9LUWXDO 6\VWHP $GPLQLVWUDWRU

/2**,1* 21 $6 $ 9,578$/ 6<67(0 $'0,1,675$725


Whereas a root level administrator enters a virtual system from the root level, a virtual system administrator enters his or her virtual system directly. When a root level administrator exits a virtual system, he or she exits to the root system. When a virtual system administrator exits a virtual system, the connection is immediately severed. The following example shows how to log on to a virtual system as a virtual system administrator, change your password, and log off.

([DPSOH /RJJLQJ 2Q DQG &KDQJLQJ <RXU 3DVVZRUG


In this example, you, as the virtual system administrator log on to your virtual system, using your assigned login name jsmith and password Pd50iH10. You change your password to I6Dls13guh, and then log out. Note: A virtual system administrator cannot change his or her login name (user name) because the NetScreen device uses that name, which must be unique among all virtual system administrators, to route the login connection to the appropriate virtual system.

:HE8,
/RJJLQJ 2Q
1. 2. In the URL field in your Web browser, enter the Untrust zone subinterface IP address. When the Network Password dialog box appears, enter the following, and then click OK: User Name: jsmith Password: Pd50iH10

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 6\VWHPV

/RJJLQJ 2Q DV D 9LUWXDO 6\VWHP $GPLQLVWUDWRU

&KDQJLQJ \RXU 3DVVZRUG


3. Admin >> Admin >> Edit: Enter the following, and then click OK: Old Password: Pd50iH10 New Password: I6Dls13guh Confirm New Password: I6Dls13guh

/RJJLQJ 2II
4. Click the logout button, located among the information buttons in the upper right corner of the WebUI.

&/,
/RJJLQJ 2Q
1. 2. From a Secure Command Shell (SCS), Telnet, or HyperTerminal session command-line prompt, type the Untrust zone subinterface IP address of the virtual system. Log in with the following user name and password: User Name: jsmith Password: Pd50iH10

&KDQJLQJ \RXU 3DVVZRUG


3. 4. set admin password I6Dls13guh save

/RJJLQJ 2II
5. exit

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 6\VWHPV

&RPPXQLFDWLQJ %HWZHHQ 9/$1V

&20081,&$7,1* %(7:((1 9/$16


A host in the Trust zone VLAN of one virtual system can communicate with a host in the Trust zone VLAN of another virtual system if the virtual system administrators create access policies to permit interVLAN communication. Traffic between root-level VLANs operates within the parameters set by root-level access policies. Traffic between virtual system VLANs operates within the parameters set by the participating virtual system access policies7. Only that traffic allowed to leave the originating virtual system and that traffic allowed to enter the destination virtual system is passed. In other words, the virtual system administrators of both virtual systems must set access policies allowing the traffic to flow in the appropriate directionoutgoing and incoming.

([DPSOH ,QWHU9/$1 &RPPXQLFDWLRQ


In this example, you set up two sets of access policies to enable traffic between a workstation (work_js with the IP address 10.5.5.20/32) in VLAN 1 and a server (ftp_server with the IP address 10.2.2.2/32) in VLAN 2. The connection is possible if the following two conditions are met: The virtual system administrator for virtual system 111 has set an outgoing access policy permitting traffic from the workstation in VLAN 1 to the server in VLAN 2. The virtual system administrator for virtual system 222 has set an incoming access policy permitting traffic from the workstation in VLAN 1 to the server in VLAN 2.

Also, notice that the switch in front of the trusted port is configured for Layer 2. This forces traffic from VLAN 1 going to VLAN 2 to go through the switch. If the switch were a Layer 3 switch, VLAN1 could pass traffic directly with VLAN2, and visa versa, bypassing all access policies. Thus, the switch on the trusted side of the NetScreen device becomes part of the security domain.

7.

Access policies set in the root system do not affect access policies set in virtual systems, and vice versa.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 6\VWHPV

&RPPXQLFDWLQJ %HWZHHQ 9/$1V

NetScreen Device Layer 2 Switch Virtual System 111 VLAN 1 work_js 10.5.5.20/32

ftp_server 10.2.2.2/32 Virtual System 222 VLAN 2

:HE8,
9V\V 
1. Address >> Address >> New Address: Enter the following, and then click OK: Address Name: work_js IP Address/Domain Name: 10.5.5.20 Netmask: 255.255.255.255 Zone: Trust-111 2. Address >> Address >> New Address: Enter the following, and then click OK: Address Name: ftp_server IP Address/Domain Name: 10.2.2.2 Netmask: 255.255.255.255 Zone: Untrust

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 6\VWHPV

&RPPXQLFDWLQJ %HWZHHQ 9/$1V

3.

Policies >> Policy (From Zone: Trust-111 To Zone: Untrust) >> New Policy: Enter the following, and then click OK: Source Address: work_js Destination Address: ftp_server Service: FTP-Get Action: Permit

9V\V 
1. Address >> Address >> New Address: Enter the following, and then click OK: Address Name: ftp_server IP Address/Domain Name: 10.2.2.2 Netmask: 255.255.255.255 Zone: Trust-222 2. Address >> Address >> New Address: Enter the following, and then click OK: Address Name: work_js IP Address/Domain Name: 10.5.5.20 Netmask: 255.255.255.255 Zone: Untrust 3. Policies >> Policy (From Zone: Untrust ,To Zone: Trust-222)>> New Policy: Enter the following, and then click OK: Source Address: work_js Destination Address: ftp_server Service: FTP-Get Action: Permit

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 6\VWHPV

&RPPXQLFDWLQJ %HWZHHQ 9/$1V

&/,
9V\V 
1. 2. 3. 4. set address trust-111 work_js 10.5.5.20/32 set address untrust ftp_server 10.2.2.2/32 set policy from trust-111 to untrust work_js ftp_server ftp-get permit save

9V\V 
1. 2. 3. 4. set address trust-222 ftp_server 10.2.2.2/32 set address untrust work_js 10.5.5.20/32 set policy from untrust to trust-222 work_js ftp_server ftp-get permit save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  9LUWXDO 6\VWHPV

&RPPXQLFDWLQJ %HWZHHQ 9/$1V

1HW6FUHHQ &RQFHSWV

([DPSOHV



8uhr '

+LJK $YDLODELOLW\
Cabling Procedure on page 521 Redundant Groups on page 523 Disabling HA on page 528 Path Monitoring on page 530



This chapter explains the following aspects of setting up two or more NetScreen-500, -204, and -208 devices for high availability (HA):

You configure NetScreen units for HA by cabling two or more devices together. If one unit fails, the second (backup) 1 unit can assume its functions with no service interruption. The backup unit maintains all sessions and Security Associations (SAs), thus preventing interruption of VPN traffic. Because the master and backup units continuously update configurations and access policies, there is no loss of enforcement capability. In each redundant group (cluster) of NetScreen devices, there is always one master device and at least one backup device. You can configure a specific unit as the master, or you can allow the system to automatically elect a master dynamically based on which unit boots up first.2 If a master unit detects a backup unit failure, it generates a system alarm. If the master unit fails, the remaining backup units elect a new master unit to which traffic is seamlessly redirected. During a fail-over event, NetScreen devices also notify the adjacent networking devices upstream and downstream so that the entire network can quickly converge to the new data path. When changing state between master and backup, both NetScreen units generate alarms, which can take the form of SNMP vendor-specific traps, e-mail alerts from the master unit, or any other configured logging mechanism.

1. 2.

Because of special requirements, sessions generated from H.323-related applications (such as NetMeeting) are not maintained on the backup unit. If two units in an HA cluster boot up simultaneously, the one with the lowest media access control (MAC) address is selected the master.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  +LJK $YDLODELOLW\

You can enable authentication and encryption for HA communication involving configuration and keying material and control protocol material between the master and backup units to increase security. Note: The session sync material is not encrypted. To ensure the integrity of the data paths between the NetScreen interfaces and the adjacent networking devices, you can configure and enable path monitoring, in which each device in the redundant group continually monitors the accessibility of specified devices on connected networks. Each backup unit continually compares its ability to access these addresses with that of the master unit. Should a backup unit achieve better results than the master, it then becomes the master. To implement HA configuration, you need to perform the following steps: 1. 2. 3. 4. 5. 6. 7. Cable the NetScreen units together, as described in Cabling Procedure on page 521. For NetScreen devices that do not have dedicated physical HA interfaces, bind an available interface to the HA zone. Create redundant groups. Specify device priority. (This task is optional). Enter the password(s), if you want to encrypt or authenticate HA communications between members of a redundant group. Set up IP addresses with which the units can perform path monitoring tests. (This task is optional.) Synchronize configurations.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  +LJK $YDLODELOLW\

&DEOLQJ 3URFHGXUH

&$%/,1* 352&('85(
Which HA cabling procedure to use depends on the physical interfaces available on your NetScreen device. For example, the NetScreen-500 has two dedicated physical HA interface ports, HA-1 and HA-2, while the NetScreen-208 has no dedicated physical HA ports. The following are guidelines for cabling your HA cluster.

*HQHUDO &DEOLQJ 5XOHV


The rules to follow when you connect two NetScreen devices in an HA cluster are as follows. If the device has dedicated HA ports, use them to connect the two devices. Such ports are bound by default to the HA zone, a special security zone used exclusively for HA purposes. If the device does not have dedicated physical HA interfaces, you can use another available physical interface. To make this interface serve as an HA port, you must bind it to the HA zone. Some NetScreen devices have non-dedicated physical interfaces bound to the HA zone by default, as with physical interface ethernet4 (on the NetScreen-204) and ethernet8 (on the NetScreen-208). Both devices must be of the same model. For example, you cannot establish an HA connection between a NetScreen-500 device and a NetScreen-208 device. Both devices must run the same version of ScreenOS. Be sure to update both units with the same ScreenOS version before connecting them. The cables between the two NetScreen devices must connect to identical ports on each side. For example, if you connect the cable to ethernet8 on one NetScreen-208 unit, you must connect it to etherne8 on the other unit.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  +LJK $YDLODELOLW\

&DEOLQJ 3URFHGXUH

%LQGLQJ D 1RQ'HGLFDWHG ,QWHUIDFH WR WKH +$ =RQH


Even when a NetScreen device has no dedicated physical HA interface ports, the device might already have a physical interface bound to the HA zone. For example, interface ethernet4 of the NetScreen-204 (and interface ethernet8 of the NetScreen-208) are bound to the HA zone by default. Consequently, you can use these ports as HA connection points. However, in some situations there may be no physical interface currently bound to the HA zone, or you might need to pass HA traffic through a different interface. In such situations, you must bind the other interface to the HA zone. Note: Because HA communication is a Layer 2 process, the HA interface does not have an IP address or subnet mask. In the following example, the administrator sets up interface ethernet8 for HA communication.

:HE8,
Interfaces >> Physical >> Edit (for HA): Enter the following, and then click Save. Zone Name: HA

&/,
set interface ethernet8 zone HA

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  +LJK $YDLODELOLW\

5HGXQGDQW *URXSV

5('81'$17 *52836
Before two NetScreen devices can interact with each other in HA mode, you must configure them in a redundant group. In a redundant group, one of the NetScreen units acts as the master unit, performing firewall, VPN, and traffic management. The backup unit acts as a hot stand-by, automatically keeping up with all configuration and session state information. If the master unit fails, one of the backup units automatically becomes the new master unit. When the failed unit is repaired and placed back in service, it becomes a backup unit for the existing master unit. You can also specify device priority in the redundant group hierarchy. The device with the number closest to 1 is the master unit. A value of 0 disables high availability and shuts down dedicated HA ports. Alternatively, you can allow the devices to elect a master and determine priority numbers automatically during startup. The device that boots up first becomes the master. If you have more than two units in the redundant group, the order in which each of the subsequent units boots up determines their priority within the group. Note: If two units boot up simultaneously, the unit with the lower MAC address becomes the master. For some NetScreen devices, the HA status of the unit is indicated by the Status LED, while for others the status is indicated by the HA LED on the front panel or on the Auxiliary board. The LED on the master unit glows green. The LED on the backup unit glows yellow. If the LED is dark, that indicates that the unit is not configured for HA. When forming a redundant group, it is important to configure the Manage IP address on each NetScreen device for the interfaces through which you intend to manage the device and from which you plan to perform path monitoring. The Manage IP remains associated with the unique MAC address for its interface, while virtual MAC addresses, associated with the interface IP addresses, are identical among all the members of the redundant group. The virtual MAC addresses are created when you set a group ID number. The virtual MACs are formed as follows: 0010dbff<group_number><interface_value>.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  +LJK $YDLODELOLW\

5HGXQGDQW *URXSV

At any time, you can synchronize the master units configuration file among all members of its redundant group. In the WebUI, click the Sync All Files button on the Configure >> HA page. In the CLI, use the exec ha file-sync command. Note: When you synchronize all the files from the master unit, the backup units manage IP addresses are replaced with those of the master unit. Consequently, you lose the ability to manage the backup units. To reconfigure the manage IP addresses, you must enter the set interface mange-ip <ip_addr> command via the console port on each backup unit.

([DPSOH )RUPLQJ D 5HGXQGDQW *URXS


In the following example, the administrator places two NetScreen devices in a redundant group with the ID number 3. He assigns each device with the same group ID number and determines the master and backup units by assigning them priority numbers. He also configures Manage IP addresses for the trusted and untrusted interfaces on both devices. Through the CLI, the administrator also sets up the backup unit in a link-up state. During a failover, when a backup unit in a link-up state becomes the active device, it does not need to perform 802.1Q trunk negotiations nor execute the Spanning Tree Protocol (STP), which can take anywhere from 30 to 50 seconds to complete. The new master unit simply sends out a series of ARPs, alerting other network devices to its presence. Also, through the CLI, the administrator indicates a secondary path for the backup to communicate with the master. In case the backup does not receive a heartbeat from the master along the primary HA path, the backup sends a message along the secondary path to confirm that the master unit is truly down. If the master unit is still up (perhaps only the cable carrying HA traffic has been damaged, causing the heartbeat loss) and the backup promotes itself to master, two devices would be acting as the master, resulting in a condition known a split-brain scenario. Use of a secondary path to confirm the masters condition can help avoid such a problem. Note: When a NetScreen device has no dedicated HA interfaces, you must also specify a physical interface (such as ethernet4) to act as the Virtual HA interface.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  +LJK $YDLODELOLW\

5HGXQGDQW *URXSV

In this example, two NetScreen devices are grouped in an HA cluster. Each device uses the following physical interfaces: ethernet8 is the Virtual HA interface. ethernet4 is the interface bound to the Trusted zone. ethernet5 is the interface bound to the Untrusted zone.

External
IP Address of ethernet5, (bound to Untrusted zone): 211.30.2.2

Redundant Group ID: 3 Priority: 1 Master Priority: 2 Backup

IP Address of ethernet5, (bound to Untrusted zone): 211.30.2.2

IP Address of ethernet4, (bound to Trusted zone): 10.10.2.2

HA IP Address of ethernet4, (bound to Trusted zone): 10.10.2.2

Note: In this example, interface ethernet8 serves as the HA interface. To function as the HA interface, the interface must be bound to the HA zone. On some NetScreen devices, the ethernet8 interface is bound to the HA zone by default. If the interface you choose for HA is not already bound to the HA zone, you must perform this binding before proceeding with the WebUI instructions that follow. The CLI command for binding an interface to the HA zone is set interface <int_name> zone HA. For example, to bind interface ethernet8 to the HA zone, the command is set interface ethernet8 zone HA.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  +LJK $YDLODELOLW\

5HGXQGDQW *URXSV

:HE8,
Master Unit 1. Interfaces >> Physical >> Edit (ethernet4): Enter the following, and then click Save: IP Address: 10.10.2.2 Netmask: 255.255.255.0 Manage IP: 10.10.2.20 Zone Name: Trust 2. Interfaces >> Physical >> Edit (ethernet5): Enter the following, and then click Save: IP Address: 211.30.2.2 Netmask: 255.255.255.0 Manage IP: 211.30.2.20 Zone Name: Untrust 3. Configure >> HA: Enter the following, and then click Apply: HA Port: ethernet8 Group ID: 3 Priority: 1 Backup Unit 1. Interfaces >> Physical >> Edit (ethernet4): Enter the following, and then click Save : IP Address: 10.10.2.2 Netmask: 255.255.255.0 Manage IP: 10.10.2.30 Zone Name: Trust

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  +LJK $YDLODELOLW\

5HGXQGDQW *URXSV

2. Interfaces >> Physical >> Edit (ethernet5): Enter the following, and then click Save : IP Address: 211.30.2.2 Netmask: 255.255.255.0 Manage IP: 211.30.2.30 Zone Name: Untrust 3. Configure >> HA: Enter the following, and then click Apply: HA Port: ethernet8 Group ID: 3 Priority: 2

&/,
Master Unit 1. set interface ethernet4 zone trust 2. set interface ethernet4 ip 10.10.2.2/24 3. set interface ethernet4 manage-ip 10.10.2.20 4. set interface ethernet5 zone untrust 5. set interface ethernet5 ip 211.30.2.2/24 6. set interface ethernet5 manage-ip 211.30.2.20 7. set interface ethernet8 zone ha 8. set ha interface ethernet8 9. set ha group 3 10. set ha priority 1

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  +LJK $YDLODELOLW\

5HGXQGDQW *URXSV

Backup Unit 1. set interface ethernet4 zone trust 2. set interface ethernet4 10.10.2.2/24 3. set interface ethernet4 manage-ip 10.10.2.30 4. set interface ethernet5 zone untrust 5. set interface ethernet5 ip 211.30.2.2/24 6. set interface ethernet5 manage-ip 211.30.2.30 7. set interface ethernet8 zone ha 8. set ha interface ethernet8 9. set ha group 3 10. save config ha-master 11. reset Configuration modified, save? [y]/n (Type n.) System reset, are you sure? y/[n] (Type y.)

'LVDEOLQJ +$
You can disable HA functionality by removing a device from its redundant group. You can do this by setting the group ID to 0 (in the WebUI or CLI), or by using the CLI command unset ha group.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  +LJK $YDLODELOLW\

6HFXULQJ +$ &RPPXQLFDWLRQV

6(&85,1* +$ &20081,&$7,216
To secure HA communications, you can configure the clustered NetScreen devices to authenticate and encrypt all exchanged HA traffic. To perform this configuration, you enable authentication and encryption and then specify passwords. The NetScreen passwords are used as seed material for the device to generate the preshared key. All master and backup units in the same redundant group must have the same authorization password and the same encryption password, although the authorization password can be different from the encryption password.

([DPSOH (QDEOLQJ $XWKHQWLFDWLRQ DQG (QFU\SWLRQ


The two devices in the redundant group authenticate and encrypt HA communications. The authentication password is p6NE9mKq and the encryption password is 45Zg8HB1.

:HE8,
1. Configure >> HA: Select HA Authentication Password, and type p6NE9mKq. 2. Configure >> HA: Select HA Encryption Password, type 45Zg8HB1, and then click Apply.

&/,
1. set ha authentication password p6NE9mKq 2. set ha encryption password 45Zg8HB1 3. save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  +LJK $YDLODELOLW\

3DWK 0RQLWRULQJ

3$7+ 021,725,1*
Path monitoring checks the network connection between a NetScreen interface and the interface on another device. Path monitoring can occur at both layer 2 (Ethernet) and layer 3 (IP). Path monitoring for the Ethernet link state occurs automatically. Layer 3 (IP) path monitoring functions by sending a ping request at determined intervals and then monitoring if the target replies with a ping reply. A successful attempt indicates that layer 3 connectivity is possible over the network. A failed attempt indicates that the two devices cannot make a layer 3 connection. Path monitoring is a useful tool for devices within a redundant group to determine whether the network connectivity of a master unit is better than or as good as a backup unit. If backup unit has a better success rate than the master unit (for example, the backup unit gets 5 ping replies and the master gets only 4), then it automatically is promoted to master, and the master unit is demoted to backup. When using path monitoring, you must set a Manage IP address for the physical interface, or interfaces, from which the NetScreen devices ping. The backup unit uses the Manage IP address to distinguish itself from the master unit, which uses the physical IP address shared by all the devices in the redundant group. Note: The Manage IP address is also the address with which you can configure a backup unit.

([DPSOH (QDEOLQJ 3DWK 7UDFNLQJ


Two NetScreen devices are in a redundant group. Both are set to ping the IP addresses of four Web servers every 10 seconds. The alarm threshold is set to 3 failures. Not receiving a ping response after 3 consecutive attempts is considered a failed attempt. In this example, the master unit has a 100% success rate, while the backup unit succeeds only 50% of the time. Note: In this example, the interface bound to the Untrust zone is assumed to be ethernet6, although this is not necessarily the interface you might use for your configuration.

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  +LJK $YDLODELOLW\

3DWK 0RQLWRULQJ

Web Servers Solid lines = successful ping attempts Broken lines = failed ping attempts Internet 216.115.105.6 Master

HA Link

209.125.198.2

Backup 208.158.245.146

207.46.230.229

:HE8,
1. Configure >> HA >> New Track IP: Enter the following, and then click OK: Track IP: 216.115.105.6 Interval (sec): 10 Threshold: 3 Interface: Ethernet6

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  +LJK $YDLODELOLW\

3DWK 0RQLWRULQJ

2. Configure >> HA >> New Track IP: Enter the following, and then click OK: Track IP: 209.125.198.2 Interval (sec): 10 Threshold: 3 Interface: Ethernet6 3. Configure >> HA >> New Track IP: Enter the following, and then click OK: Track IP: 208.158.245.146 Interval (sec): 10 Threshold: 3 Interface: Ethernet6 4. Configure >> HA >> New Track IP: Enter the following, and then click OK: Track IP: 207.46.230.229 Interval (sec): 10 Threshold: 3 Interface: Ethernet6 5. Configure >> HA: Select Track IP, and then click Apply.

&/,
1. 2. 3. 4. 5. set ha track ip 216.115.105.6 interface Ethernet6 set ha track ip 216.115.105.6 interval 10 set ha track ip 216.115.105.6 threshold 3 set ha track ip 209.125.198.2 interface Ethernet6 set ha track ip 209.125.198.2 interval 10

6. set ha track ip 209.125.198.2 threshold 3

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  +LJK $YDLODELOLW\

3DWK 0RQLWRULQJ

7. set ha track ip 208.158.245.146 interface Ethernet6 8. set ha track ip 208.158.245.146 interval 10 9. set ha track ip 208.158.245.146 threshold 3 10. set ha track ip 207.46.230.229 interface Ethernet6 11. set ha track ip 207.46.230.229 interval 10 12. set ha track ip 207.46.230.229 threshold 3 13. set ha track ip 14. save

1HW6FUHHQ &RQFHSWV

([DPSOHV



&KDSWHU  +LJK $YDLODELOLW\

3DWK 0RQLWRULQJ

1HW6FUHHQ &RQFHSWV

([DPSOHV



6rqv6

6103 0,% )LOHV

NetScreen provides MIB files to support SNMP communication between your organizations applications and the SNMP Agent in the NetScreen device. To obtain the latest MIB files, download them from www.netscreen.support. The MIB files for the current ScreenOS version are fully compatible with SNMP agents in previous versions of ScreenOS. The NetScreen MIB files are organized in a two-tier hierarchical structure: The Primary-Level MIB File Folders on page II Secondary-Level MIB Folders on page IV netScreenIds on page IV netscreenVpn on page IV netscreenQos on page V netscreenSetting on page V netscreenPolicy on page V netscreenNAT on page VI netscreenService on page VI netscreenSchedule on page VI netscreenResource on page VI netscreenIp on page VI

1HW6FUHHQ &RQFHSWV

([DPSOHV

$,

$SSHQGL[ $ 6103 0,% )LOHV

7KH 3ULPDU\/HYHO 0,% )LOH )ROGHUV


The MIB files are arranged in a hierarchical folder structure. The primary-level MIB folders are as follows.

Each folder contains a category of MIB files.


netscreenProducts netscreenTrapInfo netscreenIDS netscreenVpn netscreenQos Assigns Object Identifiers (OIDs) to different NetScreen product series. Defines enterprise traps sent by the NetScreen device. Defines the NetScreen device intrusion detection service (IDS) configuration. Defines NetScreen device VPN configuration and runtime information. Defines NetScreen device Quality of Service configuration.

1HW6FUHHQ &RQFHSWV

([DPSOHV

$,,

$SSHQGL[ $ 6103 0,% )LOHV

netscreenSetting netscreenZone netscreenInterface netscreenPolicy netscreenNAT netscreenAddr netscreenService netscreenSchedule netscreenVsys netscreenResource netscreenIp

Defines miscellaneous NetScreen device configuration settings, such as DHCP, email, authentication, and administrator. Defines zone information residing in the NetScreen Device. Defines the NetScreen devices interface configuration, including the virtual interface. Defines the outgoing and incoming policy configuration for the NetScreen device. Defines NAT configuration, including Map IP, Dynamic IP and Virtual IP. Represents the address table on a NetScreen interface. Describes services (including user-defined) recognized by the NetScreen device. Defines NetScreen device task schedule information, configured by the user. Defines NetScreen device virtual system (VSYS) configuration. Accesses information regarding the NetScreen devices resource utilization. Accesses NetScreen device private IP-related information.

1HW6FUHHQ &RQFHSWV

([DPSOHV

$,,,

$SSHQGL[ $ 6103 0,% )LOHV

6HFRQGDU\/HYHO 0,% )ROGHUV


Most of the primary-level MIB folders contain secondary-level folders.

QHW6FUHHQ,GV
nsldsProtect nsldsProtectSetTable nsldsProtectThreshTable nsldsAttkMonTable IDS service on NetScreen device IDS service enabled on NetScreen device IDS service threshold configuration Statistical Information about intrusion attempt

QHWVFUHHQ9SQ
netscreenVpnMon nsVpnManualKey nsVpnIke nsVpnGateway nsVpnPhaseOneCfg nsVpnPhaseTwoCfg nsVpnCert nsVpnL2TP nsVpnPool nsVpnUser Show SA information of vpn tunnel Manual key configuration IKE configuration VPN tunnel gateway configuration IPSec Phase One configuration IPSec Phase Two configuration Certification configuration L2TP configuration IP pool configuration VPN user configuration

1HW6FUHHQ &RQFHSWV

([DPSOHV

$,9

$SSHQGL[ $ 6103 0,% )LOHV

QHWVFUHHQ4RV
nsQosPly QoS configuration on policy

QHWVFUHHQ6HWWLQJ
nsSetGeneral nsSetAuth nsSetDNS nsSetURLFilter nsSetDHCP nsSetSysTime nsSetEmail nsSetLog nsSetSNMP nsSetGlbMng nsSetAdminUser nsSetWebUI General configuration of NS device Authentication method configuration DNS server setting URL filter setting DHCP server setting System time setting Email setting Syslog setting SNMP agent configuration Global management configuration Administration user configuration Web UI configuration

QHWVFUHHQ3ROLF\
NsPlyTable NsPlyMonTable Policy configuration Statistical Information about each policy

1HW6FUHHQ &RQFHSWV

([DPSOHV

$9

$SSHQGL[ $ 6103 0,% )LOHV

QHWVFUHHQ1$7
nsNatMipTable nsNatDipTable nsNatVip Mapped IP configuration Dynamic IP configuration Virtual IP Configuration

QHWVFUHHQ6HUYLFH
nsServiceTable nsServiceGroupTable nsServiceGrpMemberTable Service Information Service Group Information Service Group Member Info

QHWVFUHHQ6FKHGXOH
nschOnceTable nschRecurTable One-time schedule information Re-occur schedule information

QHWVFUHHQ5HVRXUFH
nsresCPU nsresMem nsresSession CPU utilization Memory utilization Session utilization

QHWVFUHHQ,S
nslpArp ARP table

1HW6FUHHQ &RQFHSWV

([DPSOHV

$9,

6rqv7

*ORVVDU\

10BaseT: The most common form of Ethernet is called 10BaseT, which denotes a peak transmission speed of 10 Mbps using copper twisted-pair cable. Ethernet is a standard for connecting computers into a local area network (LAN). The maximum cable distance is 100 meters (325 feet), the maximum devices per segment is 1, and the maximum devices per network are 1024. See also 100BaseT and Unshielded Twisted Pair (UTP). 100BaseT: Another term for fast Ethernet, an upgraded standard for connecting computers into a local area network (LAN). 100BaseT Ethernet works just like regular Ethernet except that it can transfer data at a peak rate of 100 Mbps. It is also more expensive and less common than its slower 10BaseT sibling. See also 10BaseT. Access Policies: Access Policies provide the initial protection mechanism for the firewall, allowing you to determine what traffic passes across it based on IP session details. They protect the Trusted network from outsider attacks, such as the scanning of Trusted servers. Access Policies create an environment in which you set up security Policies to monitor traffic attempting to cross your firewall. Authentication Header (AH): See ESP/AH. Authentication: Authentication ensures that digital data transmissions are delivered to the intended receiver. Authentication also assures the receiver of the integrity of the message and its source (where or whom it came from). The simplest form of authentication requires a user name and password to gain access to a particular account. Authentication protocols can also be based on secret-key encryption, such as DES or 3DES, or on public-key systems using digital signatures. Bridge: A device that forwards traffic between network segments based on data link layer information. These segments have a common network layer address. Circuit-level Proxy: Proxy or Proxy Server is a technique used to cache information on a Web server and acts as an intermediary between a Web client and that Web server. It basically holds the most commonly and recently used content from the World Wide Web for users in order to provide quicker access and to increase server security. This is common for an ISP especially if they have a slow link to the Internet. On the Web, a proxy first attempts to find data locally, and if its not there, fetches it from the remote server where the data resides permanently. Proxy servers are also constructs that allow direct Internet access from behind a firewall. They open a socket on the server, and

1HW6FUHHQ &RQFHSWV

([DPSOHV

%,

$SSHQGL[ % *ORVVDU\

allow communication via that socket to the Internet. For example, if your computer is inside a protected network, and you want to browse the Web using Netscape, you would set up a proxy server on a firewall. The proxy server would be configured to allow requests from your computer, trying for port 80, to connect to its port 1080, and it would then redirect all requests to the proper places. Data Encryption Standard (DES): A 40- and 56-bit encryption algorithm that was developed by the National Institute of Standards and Technology (NIST). DES is a block encryption method originally developed by IBM. It has since been certified by the U.S. government for transmission of any data that is not classified top secret. DES uses an algorithm for private-key encryption. The key consists of 64 bits of data, which are transformed and combined with the first 64 bits of the message to be sent. To apply the encryption, the message is broken up into 64-bit blocks so that each can be combined with the key using a complex 16-step process. Although DES is fairly weak, with only one iteration, repeating it using slightly different keys can provide excellent security. Data Encryption Standard-Cipher Block Chaining (DES-CBC): Until recently, the most significant use of triple-DES (3DES) was for the encryption of single DES keys, and there was really no need to consider how one might implement various block cipher modes when the block cipher in question is actually one derived from multiple encryption. However, as DES nears the end of its useful lifetime, more thought is being given to an increasingly widespread use of triple-DES. In particular, there are two obvious ways to implement the CBC mode for triple-DES. With single-DES in CBC mode, the ciphertext is exclusive-ored with the plaintext before encryption. With triple-DES however, we might use feedback around all three DES operations from the ciphertext to the plaintext, something which is called outer-CBC. Alternatively, we might run the feedback around each individual encryption component, thereby making, in effect, triple-(DES-CBC). This is referred to as inner-CBC, since there are internal feedbacks that are never seen by the crypto-analyst. Performance-wise, there can be some advantages to use the inner-CBC option, but research has established that outer-CBC is in fact more secure. Outer-CBC is the recommended way for using triple-DES in the CBC mode. De-Militarized Zone (DMZ): From the military term for an area between two opponents where fighting is prevented. DMZ Ethernets connect networks and computers controlled by different bodies. They may be external or internal. External DMZ Ethernets link regional networks with routers.

1HW6FUHHQ &RQFHSWV

([DPSOHV

%,,

$SSHQGL[ % *ORVVDU\

Encryption: Encryption is the process of changing data into a form that can be read only by the intended receiver. To decipher the message, the receiver of the encrypted data must have the proper decryption key. In traditional encryption schemes, the sender and the receiver use the same key to encrypt and decrypt data. Public-key encryption schemes use two keys: a public key, which anyone may use, and a corresponding private key, which is possessed only by the person who created it. With this method, anyone may send a message encrypted with the owners public key, but only the owner has the private key necessary to decrypt it. DES (Data Encryption Standard) and 3DES (Triple DES) are two of the most popular public-key encryption schemes. ESP/AH: The IP level security protocols, AH and ESP, were originally proposed by the Network Working Group focused on IP security mechanisms, IPSec. The term IPSec is used loosely here to refer to packets, keys, and routes that are associated with these protocols. The IP Authentication Header (AH) protocol provides authentication. The Encapsulating Security Protocol (ESP) provides both authentication and encryption. Ethernet: A local area network technology invented at the Xerox Corporation, Palo Alto Research Center. Ethernet is a best-effort delivery system that uses CSMA/CD technology. Ethernet can be run over a variety of cable schemes, including thick coaxial, thin coaxial, twisted pair, and fiber optic cable. Ethernet is a standard for connecting computers into a local area network (LAN). The most common form of Ethernet is called 10BaseT, which denotes a peak transmission speed of 10 Mbps using copper twisted-pair cable. Extranet: The connecting of two or more intranets. If an intranet as a companys internal Web site which allows users inside the company to communicate and exchange information, an extranet connects that virtual space with another companys intranet, thus allowing these two (or more) companies to share resources and communicate over the Internet in their own virtual space. This technology greatly enhances business to business communications. Filtering, dynamic: IP service that can be used within VPN tunnels. Filters are one way the NetScreen-10/100 controls traffic from one network to another. When TCP/IP sends data packets to the firewall, the filtering function in the firewall looks at the header information in the packets and directs them accordingly. The filters operate on criteria such as IP source or destination address range, TCP ports, UDP, Internet Control Message Protocol (ICMP), or TCP responses. See also Tunneling and Virtual Private Network (VPN). Firewall: A device that protects and controls the connection of one network to another, for traffic both entering and leaving. Firewalls are used by companies that want to protect any network-connected server from damage (intentional or otherwise) by those who log in to it. This could be a dedicated computer equipped with security measures or it could be a software-based protection. GBIC: A Gigabit Interface Connector (GBIC) is the kind of interface module card used on the NetScreen-500 for connecting to a fiber optic network.
1HW6FUHHQ &RQFHSWV ([DPSOHV %,,,

$SSHQGL[ % *ORVVDU\

Hub: This hardware is used to network computers together (usually over an Ethernet connection). It serves as a common wiring point so that information can flow through one central location to any other computer on the network thus enabling centralized management. A hub is a hardware device that repeats signals at the physical Ethernet layer. A hub retains the behavior of a standard bus type network (such as Thinnet), but produces a star topology with the hub at the center of the star. This configuration enables centralized management. Internet Control Message Protocol (ICMP): Occasionally a gateway or destination host will communicate with a source host, for example, to report an error in datagram processing. For such purposes the protocol, the Internet Control Message Protocol (ICMP), is used. ICMP uses the basic support of IP as if it were a higher level protocol, however, ICMP is actually an integral part of IP, and must be implemented by every IP module. ICMP messages are sent in several situations: for example, when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route. The Internet Protocol is not designed to be absolutely reliable. The purpose of these control messages is to provide feedback about problems in the communication environment, not to make IP reliable. Internet: Also known as the Net. Originally designed by the U.S. Defense Department so that a communication signal could withstand a nuclear war and serve military institutions worldwide. The Internet was first known as the ARPAnet. A system of linked computer networks, international in scope, that facilitates data communication services such as remote login, file transfer, electronic mail, and newsgroups. The Internet is a way of connecting existing computer networks that greatly extends the reach of each participating system. Internet Key Exchange (IKE). The method for exchanging keys for encryption and authentication over an unsecured medium, such as the Internet. Internet Protocol (IP): An Internet standard protocol that defines a basic unit of data called a datagram. A datagram is used in a connectionless, best-effort, delivery system. The Internet protocol defines how information gets passed between systems across the Internet.

1HW6FUHHQ &RQFHSWV

([DPSOHV

%,9

$SSHQGL[ % *ORVVDU\

IP Address: Each node on a TCP/IP network usually has an IP address. The IP address has a network number portion and a host number portion, as shown in the following table of IP address classes and formats:
Table C-1

Class A B C

Number of Nodes > 32,768 25632,768 <256

Address Format nnn.hhh.hhh.hhh nnn.nnn.hhh.hhh nnn.nnn.nnn.hhh

This format is called decimal-dot format. The n represents a digit of a network number and h represents a digit of a host number; for example, 128.11.2.30. If you are sending data outside of your network, such as to the Internet, you need to obtain the network number from a central authority, currently the Network Information Center. See also Netmask and Subnet Mask. IP Gateway: Also called a router, a gateway is a program or a special-purpose device that transfers IP datagrams from one network to another until the final destination is reached. IP Security (IPSec): Security standard produced by the Internet Engineering Task Force (IETF). It is a protocol suite that provides everything you need for secure communicationsauthentication, integrity, and confidentiality and makes key exchange practical even in larger networks. See also DES-CBC, and ESP/AH. ISAKMP: The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for Internet key management and provides the specific protocol support for negotiation of security attributes. By itself, it does not establish session keys, however it can be used with various session key establishment protocols to provide a complete solution to Internet key management. Intranet: A play on the word Internet, an intranet is a restricted-access network that works like the Web, but isn't on it. Usually owned and managed by a corporation, an intranet enables a company to share its resources with its employees without confidential information being made available to everyone with Internet access. Key Management: The only reasonable way to protect the integrity and privacy of information is to rely upon the use of secret information in the form of private keys for signing and/or encryption. The management and handling of these pieces of secret information is generally referred to as key management. This includes the activities of selection, exchange, storage, certification, expiration, revocation, changing, and transmission of keys. Most of the work in managing information security systems lies in the key management.

1HW6FUHHQ &RQFHSWV

([DPSOHV

%9

$SSHQGL[ % *ORVVDU\

Load balancing: Load balancing is the mapping (or re-mapping) of work to two or more processors, with the intent of improving the efficiency of a concurrent computation. Local Area Network (LAN): Any network technology that interconnects resources within an office environment, usually at high speeds, such as Ethernet. A local area network is a short-distance network used to link a group of computers together within a building. 10BaseT Ethernet is the most commonly used form of LAN. A hardware device called a hub serves as the common wiring point, enabling data to be sent from one machine to another over the network. LANs are typically limited to distances of less than 500 meters and provide low-cost, high-bandwidth networking capabilities within a small geographical area. Mapped IP Address: A MIP is a direct one-to-one mapping of traffic destined for one IP address to another IP address. MD5: Message Digest (version) 5, an algorithm that produces a 128-bit message digest (or hash) from a message of arbitrary length. The resulting hash is used, like a fingerprint of the input, to verify authenticity. Media Access Control (MAC) Address: An address that uniquely identifies the network interface card, such as an Ethernet adapter. For Ethernet, the MAC address is a 6 octet address assigned by IEEE. On a LAN or other network, the MAC address is a computer's unique hardware number. (On an Ethernet LAN, it's the same as the Ethernet address.) When you're connected to the Internet from your computer (or host as the Internet protocol thinks of it), a correspondence table relates your IP address to your computer's physical (MAC) address on the LAN. The MAC address is used by the Media Access Control sublayer of the Data-Link Control (DLC) layer of telecommunication protocols. There is a different MAC sublayer for each physical device type. Netmask: A netmask indicates which part of an IP address indicates network identification and which part indicates the host identification. For example, the IP address and netmask 10.20.30.1 255.255.255.0 (or 10.20.30.1/24) refers to all the hosts in the 10.20.30.0 subnet. The IP address and netmask 10.20.30.1 255.255.255.255 (or 10.20.30.1/32) refers to a single host. See also IP Address and Subnet Mask. Network Address Translation (NAT): A standard for translating secure IP addresses to temporary, external, registered IP address from the address pool. This allows Trusted networks with privately assigned IP addresses to have access to the Internet. This also means that you dont have to get a registered IP address for every machine in your network. RJ-45: Resembling a standard phone connector, an RJ-45 connector is twice as wide (with eight wires) and is used for hooking up computers to local area networks (LANs) or phones with multiple lines.

1HW6FUHHQ &RQFHSWV

([DPSOHV

%9,

$SSHQGL[ % *ORVVDU\

Router: This hardware device routes data from a local area network (LAN) to a phone lines long distance line. Routers also act as traffic cops, allowing only authorized machines to transmit data into the local network so that private information can remain secure. In addition to supporting these dial-in and leased connections, routers also handle errors, keep network usage statistics, and handle security issues. Security Association: An SA is a unidirectional agreement between the VPN participants regarding the methods and parameters to use in securing a communication channel. For bidirectional communication, there must be at least two SAs, one for each direction. The VPN participants negotiate and agree to Phase 1 and Phase 2 SAs during an AutoKey IKE negotiation. See also Security Parameters Index. Security Parameters Index: (SPI) is a hexadecimal value which uniquely identifies each tunnel. It also tells the NetScreen device which key to use to decrypt packets. Security Zone: A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic via access policies. SHA-1: Secure Hash Algorithm-1, an algorithm that produces a 160-bit hash from a message of arbitrary length. (It is generally regarded as more secure than MD5 because of the larger hashes it produces.) Subinterface: A subinterface is a logical division of a physical interface that borrows the bandwidth it needs from the physical interface from which it stems. A subinterface is an abstraction that functions identically to an interface for a physically present port and is distinguished by 802.1Q VLAN tagging. Subnet Mask: In larger networks, the subnet mask lets you define subnetworks. For example, if you have a class B network, a subnet mask of 255.255.255.0 specifies that the first two portions of the decimal dot format are the network number, while the third portion is a subnet number. The fourth portion is the host number. If you do not want to have a subnet on a class B network, you would use a subnet mask of 255.255.0.0. A network can be subnetted into one or more physical networks which form a subset of the main network. The Subnet mask is the part of the IP address which is used to represent a subnetwork within a network. Using Subnet masks allows you to use network address space which is normally unavailable and ensures that network traffic does not get sent to the whole network unless intended. See also IP address and Netmask.

1HW6FUHHQ &RQFHSWV

([DPSOHV

%9,,

$SSHQGL[ % *ORVVDU\

Three-Way Handshake: A TCP connection is established with a triple exchange of packets known as a three-way handshake. The procedure transpires as follows: 1. 2. 3. 4. The initiator sends a SYN (synchronize/start) packet. The recipient replies with a SYN/ACK (synchronize/acknowledge) packet. The initiator responds with an ACK (acknowledge) packet. At this point, the two endpoints of the connection have been established and data transmission can commence.

Transmission Control Protocol/Internet Protocol (TCP/IP): A set of communications protocols that support peer-to-peer connectivity functions for both local and wide area networks. A communications protocol which allows computers with different operating systems to communicate with each other. Controls how data is transferred between computers on the Internet. Trunk Port: A trunk port allows a switch to bundle traffic from several VLANs through a single physical port, sorting the various packets by the VLAN identifier (VID) in their frame headers. Tunneling: A method of data encapsulation.With VPN tunneling, a mobile professional dials into a local Internet Service Providers Point of Presence (POP) instead of dialing directly into their corporate network. This means that no matter where mobile professionals are located, they can dial a local Internet Service Provider that supports VPN tunneling technology and gain access to their corporate network, incurring only the cost of a local telephone call. When remote users dial into their corporate network using an Internet Service Provider that supports VPN tunneling,

1HW6FUHHQ &RQFHSWV

([DPSOHV

%9,,,

$SSHQGL[ % *ORVVDU\

the remote user as well as the organization knows that it is a secure connection. All remote dial-in users are authenticated by an authenticating server at the Internet Service Providers site and then again by another authenticating server on the corporate network. This means that only authorized remote users can access their corporate network, and can access only the hosts that they are authorized to use. Tunnel Interface: A tunnel interfaces is the opening, or doorway, through which traffic to or from a VPN tunnel passes. A tunnel interface can be numbered (that is, assigned an IP address) or unnumbered. A numbered tunnel interface can be in either a tunnel zone or security zone. An unnumbered tunnel interface can only be in a security zone that contains at least one security zone interface. The unnumbered tunnel interface borrows the IP address from the security zone interface. Tunnel Zone: A tunnel zone is a logical segment that hosts one or more tunnel interfaces. A tunnel zone is associated with a security zone that acts as its carrier. User Datagram Protocol (UDP): A protocol in the TCP/IP protocol suite, the User Datagram Protocol or UDP allows an application program to send datagrams to other application programs on a remote machine. Basically UDP is a protocol that provides an unreliable and connectionless datagram service where delivery and duplicate detection are not guaranteed. It does not use acknowledgments, or control the order of arrival. Universal Resource Locator (URL): A standard way developed to specify the location of a resource available electronically.Also referred to as a location or address, URLs specify the location of files on servers. A general URL has the syntax protocol://address. For example, http://www.srl.rmit.edu.au/pd/index.html specifies that the protocol is http and the address is www.srl.rmit.edu.au/pd/index.html. Unshielded Twisted Pair (UTP): Also known as 10BaseT. This is the standard cabling used for telephone lines. It is also used for Ethernet connections. See also 10BaseT. Virtual IP Address. A VIP address maps traffic received at one IP address to another address based on the destination port number in the packet header. Virtual Local Area Network (VLAN): A logical rather than physical grouping of devices that constitute a single broadcast domain. VLAN members are not identified by their location on a physical subnetwork but through the use of tags in the frame headers of their transmitted data. VLANs are described in the IEEE 802.1Q standard.

1HW6FUHHQ &RQFHSWV

([DPSOHV

%,;

$SSHQGL[ % *ORVVDU\

Virtual Private Network (VPN): A VPN is an easy, cost-effective and secure way for corporations to provide telecommuters and mobile professionals local dial-up access to their corporate network or to another Internet Service Provider (ISP). Secure private connections over the Internet are more cost-effective than dedicated private lines. VPNs are possible because of technologies and standards such as tunneling, screening, encryption, and IPSec. Virtual Router: A virtual router is the component of ScreenOS that performs routing functions. By default, a NetScreen device supports two virtual routers: Untrust-VR and Trust-VR. Virtual System: A virtual system (vsys) is a subdivision of the main system that appears to the user to be a stand-alone entity. Virtual systems reside separately from each other in the same NetScreen device. Each one can be managed by its own virtual system administrator. Windows Internet Naming Service (WINS): WINS is a service for mapping IP addresses to NetBIOS computer names on Windows NT server-based networks. A WINS server maps a NetBIOS name used in a Windows network environment to an IP address used on an IP-based network. Zone: A zone can be a segment of network space to which security measures are applied (a security zone), a logical segment to which a VPN tunnel interface is bound (a tunnel zone), or either a physical or logical entity that performs a specific function (a function zone).

1HW6FUHHQ &RQFHSWV

([DPSOHV

%;

,QGH[

,QGH[
1XPHULFV $
3DES 276, 459 Address book adding addresses 197 editing group entries 202 entries 197 groups 199 modifying addresses 198 removing addresses 203 address groups 199, 252 creating 201 editing 202 options 200 removing entries 203 address sweep attack 69 Addresses defined 252 in Access Policies 252 Administration CLI (Command Line Interface) 130 restricting 143, 144 WebUI 125 Administrative traffic 148 AES (Advanced Encryption Standard) 276 Aggressive Mode 280, 459 AH 271, 275 Alarms 175 clearing 175 E-mail alert 175 event 175 thresholds 256 traffic 175 attacks address sweep 69 bad IP option 70 block Java/ActiveX/.zip/.exe component 70 Denial of Service 69 detection 73 Filter IP source route option 69 FIN bit with no ACK bit 73 ICMP flood 71 IP security option 71 IP spoofing 69 IP stream option 71 IP strict source route option 71 IP timestamp option 71 Land attack 69 loose source route option 71 Malicious URL 70 Ping of Death 69 port scan 68 record route option 71 Replay 282 SYN attack 68 TCP packet without flag 73 Tear Drop 69 Trojan horse 70 UDP flood 68 unknown protocol 71 WinNuke 70 authentication access policies 254 IPSec B-I users 209, 211, 212, 254 Authentication Header See AH AutoKey IKE VPN 150, 277 management 277

access control list See ACL Access Policies 3, 7, 249 ACL 250 actions in 253 address groups 252 addresses in 252 alarms 256 authentication 111, 254 bidirectional VPNs 253, 259, 386 changing 267 counting 256 definition B-I deny 253 functions of 249 icons 258 L2TP 254 location 261 management 258 order 268 order of 267 permit 253 removing 268 root system 250 root-level 514 schedules 256 service book 224 service groups 241 services in 223, 252 size restrictions 201 traffic logging 255 tunnel 253 viewing 258 VPN dialup user groups 252 ACL 7, 15, 250, 284

bad IP option 70 Bandwidth 257 guaranteed 257, 486 managing 486 maximum 257 maximum specification 486 unlimited maximum 486 block Java/ActiveX/.zip/.exe component 70 bridges B-I browser requirements 125

&

CA (certificate authority) 304 CA certificates 294, 298 cables, serial 133

1HW6FUHHQ &RQFHSWV

([DPSOHV

,;,

,QGH[

Certificates 278 CA 294, 298 loading 301 local 298 requesting 299 revocation 297, 308 via e-mail 298 CLI 130, 149 conventions xx save 108 set HA 527, 528 client-server protocol 118 clock 122 Command line interface See CLI configuration settings browser requirements 125 downloading 106 uploading 106 connectors GBIC, definition B-III RJ-45, definition B-VI conventions CLI xx WebUI xix Counting 256 Creating address groups 201 keys 128 MIP addresses 479 multiple-type users 213 new users 210 service groups 242 zones 34 CRL (Certificate Revocation List) 296, 308 configuring server settings 303 default settings 303 loading 296

DES 276, B-II DHCP 56, 61, 100 client 86 HA 87 relay agent 86 server 86 Dialup groups creating 218, 221 deleting a group 220 moving a member 219 removing a member 219 Diffie-Hellman exchange 281 Diffie-Hellman groups 281 DiffServ 257 See DS Codepoint Marking digital signature 292 DIP 59 See also Dynamic IP pools PAT 473 Directory server 118 DMZ, definition B-II DN (distinguished name) 220 DNS 82 lookup 83 server 101 status table 84 Domain name system See DNS DoS 69 DS Codepoint Marking 486, 495 DSL 98, 101 Dynamic IP pools 253

Event alarms 176 log 172 extranet, definition B-III

'

Data Encryption Standard See DES Defining new user dialup groups 218, 221 subinterfaces 506 zones 34

Editing address groups 202 VIP configuration 208 zones 35 E-mail alert notification 163, 177 Encapsulating Security Payload See ESP encryption, definition B-III ESP 271, 275, 276, 459 Ethernet, definition B-III

Facility 164 Filter IP source route option 69 filtering, packets B-III FIN bit with no ACK bit 73 FIPS xiii firewall address sweep attack 69 bad IP option 70 block Java/ActiveX/.zip/.exe component 70 definition xiii, B-III Denial of Service 69 Filter IP source route option 69 FIN bit with no ACK bit 73 ICMP flood 71 IP security option 71 IP spoofing 69 IP stream option 71 IP strict source route option 71 IP timestamp option 71 Land attack 69 loose source route option 71 malicious URL 70 Ping of Death 69 Port Scan attack 68 record route option 71 settings 6777 SYN attack 68 TCP packet without flag 73 Tear Drop attack 69 UDP flood 68 unknown protocol 71 WinNuke attack 70 Function Zone Interfaces 41 HA Interface 41 Management Interface 41

gatekeeper devices 227 gateway, definition B-V global zone 206

1HW6FUHHQ &RQFHSWV

([DPSOHV

,;,,

,QGH[

Graphs, historical 256 Group addresses 199 services 241 user dialup 218, 221

H.323 protocol 227 HA CLI 527, 528 DHCP 87 disabling 528 link-up-on-slave 524 path monitoring 530 redundant groups 523 secondary path 524 split-brain 524 status LEDs 523 synchronizing files 524 Virtual HA Interface 41 Hash-based message authentication code See HMAC High Availability See HA Historical graphs 256 HMAC 275 HTTP 127 hubs, definition B-IV Hypertext Transfer Protocol See HTTP

ICMP flood 71 ICMP, definition B-IV Icons access policy 258 defined 258 single computer 196 idle session timeout 120 IEEE 802.1Q VLAN standard 499 IETF 118 IKE 277, 334, 394, 417 ISAKMP B-V key management B-V Users 209, 211, 212

interface MGT physical 3 subinterface B-VII subinterfaces 504 system 145 tunnel 42, 192, B-IX Virtual HA 41 Internal database 111 Internet Key Exchange See IKE Internet, definition B-IV intranet, definition B-V IP addresses defining for each port 197 definition B-V Manage 145, 523 non-routable 205 system 145 virtual 204 IP Security See IPSec IP security option 71 IP spoofing 69 IP stream option 71 IP strict source route option 71 IP timestamp option 71 IP, definition B-IV IPSec 271 AH 270, B-III authentication B-I definition B-V digital signature 292 encryption B-III ESP 270, 459, B-III SAs 270, 278, 279, 281, B-VII SPI 270 SPI, definition B-VII transport mode 272, 447, 459 tunnel 270 tunnel mode 273 tunnel negotiation 279 ISAKMP B-V

keepalive frequency, NAT-T 287 L2TP 457 Keys creating 128 management B-V

L2TP Access Policies 254 Keep Alive 457 L2TP-only on Windows 2000 447 operational mode 447 Users 209, 211, 212 Windows 2000 464 L2TP-over-IPSec 272 LAN, definition B-VI Land attack 69 LDAP 118 Lightweight directory access protocol See LDAP load balancing B-VI Local certificate 298 Logging 255 Logging on 512 Virtual System 510 logs event 172 self 174 traffic 173 loose source route option 71

MAC address 523 definition B-VI Main Mode 280 malicious URL 70 Manage IP 145, 523 Management client IP addresses 143 Management information base II See MIB II Management interface 148 See MGT interface

1HW6FUHHQ &RQFHSWV

([DPSOHV

,;,,,

,QGH[

Management methods CLI 130 console 133 SCS 131 SSL 128 Telnet 130 WebUI 125 Manual Key 323, 385 management 277 User 209, 212, 213 VPNs 150 Mapped IP See MIP MD5 275 definition B-VI Message Digest version 5 See MD5 Messages critical 162 debug 162 error 162 info 162 notice 162 warning 162 WebTrends 164 MGT 148 MGT interface 41 MIB files A-I MIB folders primary A-II secondary A-IV MIB II 65, 135, 165 MIP 14, 476 creating addresses 479 definition B-VI NAT 253 virtual system 501 modulus 281

NAT, policy-based 58, 253 NAT-T 285 enabling 289 keepalive frequency 287 NAT-Traversal See NAT-T NetInfo 86 netmasks 252 definition B-VI, B-VII NetScreen-Remote AutoKey IKE VPN 417 dynamic peer 355, 423 Manual Key VPN 411 NAT-T option 285 Network bandwidth 486 topology 205

trunk 500 trunk ports B-VIII PPPoE 56, 61, 100 defined 100 Pre-Shared Key 277 Preshared secret 417 proposals Phase 1 279 Phase 2 281 proxy servers B-I Public key infrastructure See PKI Public/private key pair 295

2 3

QoS xiii, 486 Quality-of-service See QoS

Operating system 130

NAT definition B-VI IPSec and NAT 285 NAT servers 285 NAT mode 5257, 205, 501 interface settings 54

packet filtering B-III packet flow 1315 Password 512 forgetting 141 PAT 473 path monitoring 530 PC card 106, 108 Phase 1 279 proposals 279 Phase 2 281 proposals 281 Ping 169 Ping of Death 69 PKI 294 encryption B-III key 128 policy-based NAT 58, 253, 471484 Port Address Translation See PAT Port scan attack 68 ports port numbers 207 switch 500

RADIUS 113, 141 record route option 71 redundant groups 523 Remote dialup users 217 Remote authentication dial in user service See RADIUS Removing dialup group members 219 VIP 208 replay protection 282 reset scheduled 134 to factory defaults 144 Restricting, administration 143 Route mode 5862 interface settings 59 policy-based NAT 58 route priority 186 Route table 185 metric statement 186 static routes 185 tunnel interface 192 routers, definition B-VII

1HW6FUHHQ &RQFHSWV

([DPSOHV

,;,9

,QGH[

routing route exporting 184 route redistribution 183 route table 185 tunnel interfaces 192

SAs 278, 279, 281 definition B-VII Scalability 205 SCEP (Simple Certificate Enrollment Protocol) 304 scheduled reset 134 Schedules 245, 256 ScreenOS xiv updating 108 SCS (Secure Command Shell) 131, 135 Secure Hash Algorithm-1 See SHA-1 Secure Sockets Layer See SSL SecurID 115 security association See SAs security facility 164 security zones 2, B-VII destination zone determination 14 global 2 interfaces 3, 40 physical interfaces 40 predefined 2 source zone determination 14 subinterfaces 40 self log 174 serial cables 133 Service book adding service 225 custom service 224 custom service (CLI) 225 deleting service group 244 modifying entries (CLI) 226 modifying entries (Web UI) 243 pre-configured services 224 removing entries (CLI) 227 service groups (Web UI) 241 viewing (CLI) 224 Service drop-down list 224

Service groups 241 creating 242 deleting 244 modifying 243 Services 223 defined 252 in Access Policies 252 sessions, idle timeout 120 settings downloading 106 importing 106 saving 106 uploading 106 SHA-1 275, 459 definition B-VII SMTP server IP 177 SNMP 135, 165, 519 authentication failure trap 165 cold start trap 165 community, private 167 community, public 167 configuration 167 encryption 150, 166 implementation 166 MIB files A-I MIB folders, primary A-II MIB folders, secondary A-IV system alarm traps 165 traffic alarm traps 165 trap types 165 traps 165 VPN monitoring 168169 SNMP traps 100, hardware problems 165 200, firewall problems 165 300, software problems 165 400, traffic problems 165 500, VPN problems 165 allow or deny 166 Software key 109 updating 108 uploading and downloading 108 SPI, definition B-VII SSH (Secure Shell) 131 SSL 128

SSL Handshake Protocol See SSLHP SSLHP 128 stateful inspection 68 subinterfaces 4, 504, B-VII defining 504, 506 vsys, trusted 499 subnet masks, definition B-VII switch port 500 SYN alarm threshold 77 attack threshold 76 flood attack 73 queue size 76 threshold 74 timeout 76 SYN attack 68 syslog encryption 150, 162 host 162 host name 163 host port 163 messages 162 System IP address 145, 273, 320, 382 parameters 81

TCP three-way handshake B-VIII TCP packet without flag 73 TCP/IP, definition B-VIII Tear Drop attack 69 Telnet 130, 135 TFTP server 106, 108 Three-way handshake 73 Traffic 173 alarms 175 counting 256 flow 173 log 173 logging 255 priority 257 routing 479 shaping xiii, 486 shaping, automatic 486

1HW6FUHHQ &RQFHSWV

([DPSOHV

,;9

,QGH[

Transparent mode 4551 transport mode 272, 447, 453, 459 Triple DES See 3DES Trunk port defined 500 trunk ports 500 manually setting 500 trunk ports, definition B-VIII tunnel interfaces 42, 192 definition B-IX tunnel mode 273 tunnel zones IX definition B-IX

UDP checksum 287 definition B-IX NAT-T encapsulation 285 UDP flood 68 Universal Security Gateway Architecture See USGA unknown protocol 71 Update now 171 URL filtering Blocked URL message type 105 blocking or permitting all 105 Communication timeout 104 NetScreen blocked URL message 105 Server status 105 Websense server name 104 Websense server port 104 URL, definition B-IX Users authentication 211, 212 dialup groups 217, 218, 221 IKE 209, 211, 212 L2TP 209, 211, 212 Manual Key 209, 212, 213 multiple administrative users 136 multiple-type users 213 new user 210 profiles 116

USGA access policies 3, 7 function zones 37 global zone 33, 206 interface, physical 3 overview 130 packet flow 1315 security zone interfaces 3 security zones 2, 33, 182, B-VII security zones, global 2 security zones, predefined 2 subinterfaces 4 tunnel interfaces 433 tunnel zones 34, 431, 433, IX virtual systems 1012 virtual systems, interfaces 11 virtual systems, VRs 12 virtual systems, zones 11 VPNs 8 zones 3137

VIP 14, 205 configuring 206 definition B-IX editing 208 global zone 206 removing 208 required information 205 virtual system 501 Virtual HA interface 41 Virtual IP See VIP Virtual LAN See VLAN Virtual private network See VPNs virtual routers definition B-X See VRs Virtual system 1012, 499517 administrators 137, 499 creating 502 defined 137 definition B-X establishing 501

interfaces 11 overlapping subnets 505 Transparent mode 500 VRs 12 zones 11 Virtual System Administrator changing password 512 Virtual systems read-only admins 137 VLAN 499 communicating with another VLAN 514 subinterfaces 504 tag 500, 505 VLAN1 Interface 46, 47 Zones 46 VLANs definition B-IX tags 4, VII trunking 11 voice-over IP communication 227 VPNs xiii, 8, 131 Access Policies 253 Aggressive mode 280 AutoKey IKE 150, 277 definition B-X Diffie-Hellman exchange 281 Diffie-Hellman groups 281 for administrative traffic 150 Main mode 280 Manual Key 150 monitoring 177 Phase 1 279 Phase 2 281 policy-based NAT 431 replay protection 282 SAs 278 tunnel interfaces 192, 433 tunnel zones 34, 431 tunneling, definition B-VIII virtual systems 501 VRs 179193 creating 180 deleting 182 introduction 56 modifying 181

1HW6FUHHQ &RQFHSWV

([DPSOHV

,;9,

,QGH[

route exporting 184 route redistribution 6, 183 routing tables 6

Web browser requirements 125 Web user interface See WebUI

Websense 104 WebTrends 163 encryption 150, 163 messages 164 WebUI 125, 149 conventions xix WinNuke attack 70 WINS, definition B-X

zones 3137 definition B-X function 37 global 33, 206 security 33, B-VII tunnel 34, 431, 433, B-IX, IX VR binding 182

1HW6FUHHQ &RQFHSWV

([DPSOHV

,;9,,

,QGH[

1HW6FUHHQ &RQFHSWV

([DPSOHV

,;9,,,