01-SecurityArchOverview.ppt
Date post: 03-Jun-2018
Upload: moise-guilavogui

8/12/2019 01-SecurityArchOverview.ppt

http://slidepdf.com/reader/full/01-securityarchoverviewppt 1/21

NetScreen Security Concepts


Objectives

• Identify requirements that must be met by network security devices

• Name and describe the function of components of the NetScreen security architecture, including
 – Virtual Systems (VSYS)
 – Zones
 – Policies
 – Virtual Routers
 – Interfaces

• Describe the packet processing sequence in a NetScreen device

• Select correct deployment scenarios for NetScreen appliances and systems


Security Device Requirements

• Frame/Packet Forwarding
 – Bridging (Layer 2)
 – Routing (Layer 3)

• Firewall
 – Filter based on contents of IP, TCP/UDP, and application header

• Network/Port Address Translation
 – Private to public address translation

• Virtual Private Networks
 – Encapsulation, authentication, and encryption
 – Primarily implemented using IPsec


Layer 2 Frame Forwarding (Bridging/Switching)

• Transparent Bridge Functions
 – Learning (based on Source MAC address)
 – Forward/Flood/Filter (based on Destination MAC address)
 – Loop prevention (Spanning Tree protocol)

Diagram: host 00c0.01cd.5120 attached to port E1, host 00e0.01ab.cd10 attached to port E8.

MAC Address Table

Destination Address   Port
00c0.01cd.5120        E1
00e0.01ab.cd10        E8
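The learn/forward/flood/filter logic behind that table, as an added example (not code from the slides or from NetScreen). The two MAC addresses and the port names are the slide's; the frame sequence, the third host and the attacker frame are constructed for the example. The last two frames show the point a practitioner should keep in mind: learning is driven by whatever source MAC appears on a port, with no authentication, so a host that sends frames with another host's source MAC rewrites that host's table entry and diverts or blackholes its traffic.

```python
"""Transparent bridge simulation (added example, not from the slides)."""
from dataclasses import dataclass

BROADCAST = "ffff.ffff.ffff"

@dataclass(frozen=True)
class Frame:
    src: str      # source MAC, used only for learning
    dst: str      # destination MAC, used for the forwarding decision
    ingress: str  # port the frame arrived on

class Bridge:
    """Learning bridge: a MAC address table keyed by MAC, valued by port."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # the slide's "MAC Address Table": destination address -> port

    def handle(self, frame):
        """Process one frame; return (action, egress_ports)."""
        # Learning: whatever port a source MAC shows up on is recorded, unauthenticated.
        self.mac_table[frame.src] = frame.ingress
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            # Flood: unknown or broadcast destination goes out every port but the ingress.
            return ("flood", [p for p in self.ports if p != frame.ingress])
        out = self.mac_table[frame.dst]
        if out == frame.ingress:
            # Filter: destination is on the ingress segment, so the bridge does not repeat it.
            return ("filter", [])
        # Forward: destination known on exactly one other port.
        return ("forward", [out])

HOST_A = "00c0.01cd.5120"  # on E1, from the slide
HOST_B = "00e0.01ab.cd10"  # on E8, from the slide

def demo():
    """Replay a constructed frame sequence; return the table and per-frame decisions."""
    br = Bridge([f"E{i}" for i in range(1, 9)])  # eight ports, as on the device diagram
    log = [
        br.handle(Frame(HOST_A, HOST_B, "E1")),  # B unknown yet -> flood
        br.handle(Frame(HOST_B, HOST_A, "E8")),  # A learned on E1 -> forward to E1
        br.handle(Frame(HOST_A, HOST_B, "E1")),  # B learned on E8 -> forward to E8
        br.handle(Frame("0000.0000.0001", HOST_A, "E1")),  # A is on the ingress port -> filter
        # Constructed attacker on E1 sends a frame with B's MAC as source:
        # the table now points B at E1 (MAC spoofing / table poisoning).
        br.handle(Frame(HOST_B, BROADCAST, "E1")),
        br.handle(Frame(HOST_A, HOST_B, "E1")),  # B now "on E1" -> filtered, never reaches E8
    ]
    return br.mac_table, log

if __name__ == "__main__":
    table, log = demo()
    for mac, port in table.items():
        print(f"{mac}  {port}")
    for entry in log:
        print(entry)
```

The filter decision is what makes the poisoning effective: once B's entry points at E1, frames from A to B look like local traffic on E1 and are never repeated onto E8. Port security, static MAC entries and 802.1X are the usual mitigations.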


Layer 3 Packet Forwarding (Routing)

• Forward IP packets based on destination address
• Maintain Route Table entries
 – Static routes
 – Dynamic routes (RIP, OSPF, BGP)
 – Default routes

Diagram: the 10.1.1.0/24 segment on interface E1 (10.1.1.1/24); interface E8 (10.2.2.1/24) connects to a next-hop router (10.2.2.2/24 and 10.3.3.1/24) that reaches host 10.3.3.10.

Route Table

Network       Int.  Gateway
10.1.1.0/24   E1    0.0.0.0
10.2.2.0/24   E8    0.0.0.0
10.3.3.0/24   E8    10.2.2.2


Firewall

• Packet filter based on packet header
 – IP (SA, DA, Protocol)
 – TCP/UDP (Port #)
• Used to implement security policies

Example packet header (the 5-tuple the filter matches on):

SRC-IP      DST-IP       SRC-Port  DST-Port  Protocol
10.1.10.5   1.1.70.250   36033     80        6 (TCP)


Virtual Private Networks

• Provide secure tunnels across the Internet
 – Encapsulation
 – Encryption
 – Authentication

Diagram: hosts 10.0.0.5 and 10.0.0.6 sit behind a gateway (Trust 10.0.0.254, Untrust 1.1.1.1); hosts 10.1.20.3 and 10.1.20.4 sit behind a second gateway (Untrust 2.2.2.1, Trust 20.1.20.1 as labelled). The cleartext IP Packet is carried as an Encrypted Packet between the two Untrust addresses and emerges as the original IP Packet on the far side.


Traditional Firewall Requirements

• Untrust Network
 – Internet or another public network
 – No control

• Trust Network
 – Our private network
 – We have control

Diagram: Untrust Zone | firewall | Trust Zone (hosts 10.0.0.5 and 10.0.0.6)


Emergence of the DMZ

• Additional requirements for public access
• Emergence of “DMZ”
 – Access to services such as Web, Mail, and FTP

Diagram: Untrust Zone | firewall | Trust Zone (hosts 10.0.0.5 and 10.0.0.6), with a third DMZ Zone holding the Web Server, FTP Server, and Mail Server


Next Step: No Trusted Networks

• Security required within our private network
• Introduces new requirements
 – Flexible architecture
 – Scalability

Diagram: Untrust Zone; DMZ Zone (Web Server, FTP Server, Mail Server); and the private network split into an Administration Zone, a Marketing Zone, and an Engineering Zone, each separated from the others by the firewall


NetScreen Security Architecture

• NetScreen solution to new security requirements
• Provides flexible, scalable software architecture
• Components:
 – Interfaces
 – Zones
 – Virtual Routers
 – Policy
 – Virtual Systems


Security Architecture Components

Diagram of a NetScreen Device, layered from the bottom up:
  Interfaces: E1 E2 E3 E4 E5 E6 E7 E8
  Zones: Zone A, Zone B, Zone C, Zone D (each zone is bound to one or more interfaces)
  Virtual Routers: Virtual Router 1 and Virtual Router 2, each with its own route table (R.T.) and forwarding table
  Virtual System (VSYS): contains the zones, virtual routers and policies
  Policy: Policy Check A -> C (applied to traffic between Zone A and Zone C)

Example flow and the session entry it creates (the session is stored so that the reply direction matches too):

Flow     SRC-IP 1.2.3.4   DST-IP 5.6.7.8   SRC-Port 1234   DST-Port 80     Protocol 6
Session  SRC-IP 5.6.7.8   DST-IP 1.2.3.4   SRC-Port 80     DST-Port 1234   Protocol 6


NetScreen Decision Process/Packet Flow

Flowchart:

Inbound packet
  1. Existing session?
       Yes -> FORWARD PACKET (the session already holds the verdict; no further lookups)
       No  -> continue
  2. Destination lookup: Dest. reachable?
       No  -> DROP PACKET
       Yes -> continue (the egress interface found here also determines the destination zone)
  3. Crossing zones / intra-zone block?
       No  -> no policy check needed: Add to session table -> FORWARD PACKET
       Yes -> continue
  4. Policy lookup: OK per policy?
       No  -> DROP PACKET
       Yes -> Add to session table -> FORWARD PACKET

Only the first packet of a flow walks steps 2 to 4; every later packet in either direction, including the reply, is matched at step 1 and forwarded on the stored verdict.


Packet Flow Example

Topology diagram (labels as shown on the slide; routers marked A, B, C, D):
  Private Zone: transit subnets 10.1.1.0/24 and 10.1.2.0/24 (addresses .1 and .254 on each), behind which sit 10.1.10.0/24 with host 10.1.10.5 and 10.1.20.0/24 with host 10.1.20.5
  External Zone: transit subnets 1.1.7.0/24 and 1.1.8.0/24 (addresses .254 and .1), leading to 1.1.70.0/24 with host 1.1.70.250
  Public Zone: host 200.5.5.5, router address .254


Packet Flow Example

Packet to be processed:

SRC-IP      DST-IP      SRC-Port  DST-Port  Protocol
10.1.20.5   200.5.5.5   1042      80        6

1. Existing Session? No

Session Table
Address Pair   Protocol   Port Pair
(no match)

2. Destination Reachable? Yes (200.5.5.5 matches only the default route, so egress is E8 via 1.1.8.254)

Routing Table
Net            Int   NHR
10.1.1.0/24    E1    (connected)
10.1.2.0/24    E2    (connected)
10.1.10.0/24   E1    10.1.1.5
10.1.20.0/24   E2    10.1.2.5
0.0.0.0/0      E8    1.1.8.254

3. Inter-Zone Traffic? Yes (ingress interface E2 is in Inside-Private, egress interface E8 is in Outside)

Zone Table
Int   Zone
E1    Inside-Private
E2    Inside-Private
E7    Inside-Public
E8    Outside


Packet Flow Example (cont.)

4. Permitted by Policy? Yes (the second rule matches: source in 10.1.0.0/16, service HTTP)

Policy: From Private to External
SA             DA     Service   Action
10.1.0.0/16    any    FTP       permit
10.1.0.0/16    any    HTTP      permit
10.1.0.0/16    any    ping      permit
any            any    any       deny

Action: Forward Packet

SRC-IP      DST-IP      SRC-Port  DST-Port  Protocol
10.1.20.5   200.5.5.5   1042      80        6

Action: Add to Session Table

Session Table
Address Pair            Protocol   Port Pair
10.1.20.5 200.5.5.5     6          1042 80
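The four checks of the decision flowchart, run over the routing, zone and policy tables of this worked example, as an added example (not code from the slides or from ScreenOS). It also carries out the longest-prefix route lookup of the Layer 3 slide and the 5-tuple match of the Firewall slide. The tables are the slide's; the ingress interface of each packet, the three extra packets (the reply, an unsolicited inbound connection, and a private-to-private packet), the zone derivation (source zone from the ingress interface, destination zone from the egress interface returned by the route lookup) and the intra-zone blocking flag are this example's assumptions.

```python
"""First-packet processing: session, route, zone and policy lookups (added example)."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport ingress")

# Routing table from the slide: (network, interface, next-hop router)
ROUTES = [(ipaddress.ip_network(n), i, nh) for n, i, nh in [
    ("10.1.1.0/24", "E1", "connected"),
    ("10.1.2.0/24", "E2", "connected"),
    ("10.1.10.0/24", "E1", "10.1.1.5"),
    ("10.1.20.0/24", "E2", "10.1.2.5"),
    ("0.0.0.0/0", "E8", "1.1.8.254"),
]]
# Zone table from the slide: interface -> zone
ZONE_OF_IFACE = {"E1": "Inside-Private", "E2": "Inside-Private",
                 "E7": "Inside-Public", "E8": "Outside"}
# Service names used by the policy table: (IP protocol, destination port or None). Assumed.
SERVICES = {"FTP": (6, 21), "HTTP": (6, 80), "ping": (1, None)}
# Policy "From Private to External": (from zone, to zone, SA, DA, service, action).
# Ordered; first match wins. The trailing any/any/any deny is on the slide.
POLICIES = [
    ("Inside-Private", "Outside", "10.1.0.0/16", "any", "FTP", "permit"),
    ("Inside-Private", "Outside", "10.1.0.0/16", "any", "HTTP", "permit"),
    ("Inside-Private", "Outside", "10.1.0.0/16", "any", "ping", "permit"),
    ("any", "any", "any", "any", "any", "deny"),
]

def route_lookup(dst):
    """Longest-prefix match; returns (network, interface, next hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, nh in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    return best

def session_key(pkt):
    """Direction-independent key, so the reply packet matches the same session."""
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

def addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def service_matches(spec, pkt):
    if spec == "any":
        return True
    proto, port = SERVICES[spec]
    return pkt.proto == proto and (port is None or pkt.dport == port)

def policy_lookup(src_zone, dst_zone, pkt):
    for fz, tz, sa, da, svc, action in POLICIES:
        if (fz in ("any", src_zone) and tz in ("any", dst_zone)
                and addr_matches(sa, pkt.src) and addr_matches(da, pkt.dst)
                and service_matches(svc, pkt)):
            return action
    return "deny"  # nothing matched: default deny

def process(pkt, sessions, intra_zone_block=False):
    """Run the four flowchart checks; return (verdict, reason), installing a session on permit."""
    key = session_key(pkt)
    if key in sessions:                                   # 1. existing session?
        return ("forward", "existing session")
    route = route_lookup(pkt.dst)                         # 2. destination reachable?
    if route is None:
        return ("drop", "no route")
    src_zone = ZONE_OF_IFACE.get(pkt.ingress)
    dst_zone = ZONE_OF_IFACE.get(route[1])
    if src_zone is None or dst_zone is None:
        return ("drop", "interface not bound to a zone")
    if src_zone == dst_zone and not intra_zone_block:     # 3. crossing zones / intra-zone block?
        sessions[key] = (src_zone, dst_zone)
        return ("forward", "intra-zone, no policy check")
    action = policy_lookup(src_zone, dst_zone, pkt)       # 4. OK per policy?
    if action != "permit":
        return ("drop", f"policy deny {src_zone}->{dst_zone}")
    sessions[key] = (src_zone, dst_zone)
    return ("forward", f"policy permit {src_zone}->{dst_zone}")

def demo():
    """The slide's packet, its reply, and two constructed packets."""
    sessions = {}
    log = [
        process(Packet("10.1.20.5", "200.5.5.5", 6, 1042, 80, "E2"), sessions),    # slide's packet
        process(Packet("200.5.5.5", "10.1.20.5", 6, 80, 1042, "E8"), sessions),    # reply: session hit
        process(Packet("1.1.70.250", "10.1.10.5", 6, 36033, 22, "E8"), sessions),  # unsolicited inbound
        process(Packet("10.1.10.5", "10.1.20.5", 6, 40000, 80, "E1"), sessions),   # private to private
    ]
    return sessions, log

if __name__ == "__main__":
    for verdict in demo()[1]:
        print(verdict)
```

The reply is forwarded at step 1 without any policy lookup because the session key is direction-independent, which is why an inbound packet that is not a reply (the third packet) must find its own permit policy and is dropped by the trailing deny. The fourth packet shows the step 3 shortcut: two interfaces in the same zone exchange traffic with no policy check unless intra-zone blocking is turned on, which is the setting to review when a "private" zone holds hosts that should not see each other. Only the four flowchart checks are modelled; NAT, screening and the other processing a real device performs are outside this example.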


Deploying NetScreen Devices

• Purpose-Built Security Gateways
 – Appliances
   • Support one (root) VSYS
   • Application: Small office/Home Office, small enterprise
 – Systems
   • Support for multiple VSYS
   • Application: large enterprise, service provider

• NetScreen Remote Client
 – NetScreen VPN & Firewall Client Software
   • VPN Client provides standards-compliant IPsec and L2TP functionality from a desktop or laptop computer across a public or private TCP/IP network.
   • Security Client provides personal firewall functionality
   • Available in 10, 100 and 1000 user licenses
   • Runs on Microsoft™ Windows OS


Juniper Networks Firewall/VPN Products

Positioning chart by market segment: Small Enterprise, Medium Enterprise, Large Enterprise, Carrier/Service Provider.
Products shown: NS-Remote, SSG 5, SSG-20, SSG 140 (Wireless), SSG 520, SSG 550, NS 5GT/HSC, NS-500, ISG-1000/2000, NS-5200, NS-5400.


Summary

• In this module we covered:
 – Functions that must be performed by a NetScreen Security Gateway
 – Components and operation of the NetScreen Security Architecture
 – IP Packet processing sequence in a NetScreen device
 – NetScreen Product set and guidelines for deployment


Review Questions

1. Name four functions that a security gateway must perform.

2. Describe the components that make up the NetScreen security architecture.

3. Describe the IP packet processing sequence in a NetScreen security gateway.

4. How is a NetScreen appliance different from a system?