Chapter 11. JUNOS Software with Enhanced Services


the way.

This is not a security-focused book, and therefore, comprehensive coverage of the JUNOS enhanced security and services feature set is not possible. This chapter covers migration of a production router from JUNOS to JUNOS software with enhanced services, and gets you familiar with what is different in the new set of enhanced services. It is expected that JUNOS software with enhanced services will continue to evolve, resulting in ongoing updates and additions to the enhanced services portfolio.

For the reader of this book, the changes related to JUNOS software with enhanced services affect the services that were previously handled by the J-series, for example, stateful firewalls, Network Address Translation (NAT), and IPSec virtual private networks (VPNs). With JUNOS software with enhanced services, these features are no longer ASP-based; instead, they are built on capabilities born out of the ScreenOS security solutions. Aside from these changes to security and services, in terms of both configuration and general capabilities, the rest of the JUNOS configuration and operation remains unchanged. The coverage of ASP-based service sets continues to hold true for users of M- and T-series platforms, which do not support JUNOS software with enhanced services.



11.1.1. Supported Platforms

As of this writing, you can load JUNOS software with enhanced services on the following hardware platforms, most of which support digital signal level 3 (DS3) or T3, T1, Gigabit Ethernet, Fast Ethernet, E3, E1, serial, Asynchronous Transfer Mode over asymmetric digital subscriber line (ATM over ADSL), ATM over symmetric high-speed digital subscriber line (ATM over SHDSL), channelized T1/E1/Integrated Services Digital Network (ISDN) Primary Rate Interface (PRI), and ISDN Basic Rate Interface (BRI) interfaces:

J2320 and J2350 (DS3 and E3 interfaces are not supported)

J4350

J6350

SSG320m and SSG350m (requires conversion kit)

SSG520m and SSG550m (requires conversion kit)

In the future, additional platforms may offer JUNOS software with enhanced services support, so be sure to check the Juniper Networks website for the latest platform support.

Users who purchased Secure Services Gateway (SSGm) 300 or 500 series devices can convert the machine to a J-series enhanced services router with the appropriate conversion kit. The conversion kit provides a new compact flash with JUNOS software with enhanced services and instructions on how to convert. You can also convert from a supported J-series router running JUNOS software with enhanced services to the equivalent Juniper SSGm firewall running ScreenOS, as shown in Table 11-1, using a similar process, but that is beyond the scope of our discussion.

Table 11-1 shows the mapping between SSGm and J-series router platforms.

Table 11-1. J-series to SSGm platform mapping

J-series model    SSGm model
J6350             SSG550m
J4350             SSG520m
J2350             SSG350m
J2320             SSG320m

Once you perform a conversion, you must update your support contract with the new device information in order to ensure uninterrupted access to technical assistance and customer support. Instructions for this procedure are provided in the conversion kits or in the JUNOS software with enhanced services conversion guides.



11.1.2. Packet Versus Flow-Based Processing

Historically, Juniper Networks routers have used a packet-based forwarding model, in which each packet is individually processed and routed. In contrast, the Juniper SSG security devices are based on a flow model. Handling traffic as flows offers significant benefits for stateful services. In the flow model, the initial packets of a communication are typically processed in software and are subjected to various levels of packet security inspection and validity checks, in addition to a single route lookup. Once the packet is deemed permissible, a corresponding session state is installed into the forwarding plane to facilitate expedited forwarding of subsequent packets belonging to the same flow. In effect, the first packets are deeply scrutinized before being routed, and the remaining packets are switched according to the session table.

A flow is a unidirectional sequence of packets that, when combined, form a sequential set of application data for the process that generated the flow. The matching flow in the return direction is grouped with it to form a session, which is therefore composed of two unidirectional flows.



11.1.2.1. Security zones

To understand and appreciate JUNOS software with enhanced services operation and capabilities, you must first be familiar with the concept of security zones. The Juniper ScreenOS Integrated Security Gateway (ISG) and Secure Services Gateway (SSG) appliances are based on the concept of zones. Figure 11-1 illustrates the concept of trust and untrust zones.



Figure 11-1. Zones and the tree of trust



In a default configuration, there is a trust zone and an untrust zone. A security zone is a collection of one or more network segments that regulate inbound and outbound traffic via policies; policies are optional for traffic that originates and terminates in the same zone (intrazone). The result is that devices attached to interfaces belonging to the same zone are able to communicate freely, whereas explicit policy is needed to permit communication between zones, and additional checks are leveled against traffic flowing between the trust and untrust zones.

Figure 11-1 shows a network composed of three zones and illustrates how intrazone traffic is permitted by default among all interfaces grouped into the trust zone, whereas interzone traffic must be explicitly allowed by a policy and may be subjected to deep packet inspection and other types of security services. In contrast, intrazone blocking is enabled by default for interfaces that share the same untrust zone, requiring a policy to permit communication among devices attached to different segments belonging to the same untrust zone. By grouping interfaces into zones and then managing interzone policies, you can easily restrict and control interzone communications. The zone concept is also used to optimize firewall matching, as only the rules that apply to the source and destination zone pair need to be checked.



11.1.3. Do I Need a Router or a Security Device?

In the past, users were expected to make some tough decisions when building out a new or existing network. Specifically, they often had to choose a device based on what was more important: world-class routing or world-class services. When both were equally important, a two-box, best-of-breed solution was often proposed. In this model, you had services/security devices that were deployed in parallel with a router infrastructure. In a divide-and-conquer model such as this, each device was left to do what it did best, with the combined effect being the best of both worlds.

Although the two-box solution was workable, and in fact is often the recommended solution today, such a design suffers from several drawbacks: two boxes are more expensive than one; there is a greater chance of failure due to more components; and generally, each new box added to the network increases overall operational costs.



11.1.3.1. Best-of-breed routing and security services

The release of JUNOS software with enhanced services holds the very real promise of eliminating the need for a two-box solution. By combining the power and proven performance of JUNOS software and its routing protocols with enhanced security and services from the best-in-class ScreenOS, users are able to get the best of both worlds, all in a single box.

The service updates in the initial release of JUNOS software with enhanced services primarily impact the security arena, and therefore, the changes in security-related services are the focus of this chapter. As noted previously, later updates may add nonsecurity-related services to the JUNOS software with enhanced services portfolio.



11.1.4. Architecture Changes

JUNOS software with enhanced services represents some significant changes in control plane capabilities, through the introduction of new service daemons, and in packet forwarding behavior, with the addition of flow-based processing. This section provides a high-level overview of the changes associated with the JUNOS software with enhanced services release.



11.1.4.1. Adding flow-based forwarding

One of the primary changes in JUNOS software with enhanced services is the addition of flow-based processing. This is in addition to existing packet-based processing capabilities such as stateless firewall filters. The changes in JUNOS software with enhanced services result in a combination of packet- and flow-based treatment, as shown in Figure 11-2.

Figure 11-2. Combined packet- and flow-based processing



Figure 11-2 shows how the original packet-based forwarding process known as fwdd has been replaced with a flow-based process called flowd, which denotes the change from a packet- to a flow-based model. At the top of Figure 11-2, you can see that with JUNOS software, a packet can be directed into service processing as a result of an input or output filter or as a result of a route lookup. In this model, forwarding is the prime concern and services are "tacked on to packets" as needed. The JUNOS software with enhanced services data plane is more service- and security-focused. All flows are inspected and passed through policy to determine whether they are allowed, with only a single route lookup performed per flow. The differences can be summarized as a "route first, services maybe" philosophy in JUNOS versus a "services first, route if permitted" behavior in JUNOS software with enhanced services.

Packets are processed as flows after per-packet ingress handling and before per-packet egress handling. A flow is a stream of related packets that meet the same matching criteria and share the same characteristics. JUNOS software with enhanced services treats packets belonging to the same flow in the same manner. Specifically, configuration settings that determine the fate of a packet, such as the security policy that applies to it, whether the packet is sent through an IPSec tunnel, or whether NAT is applied, are assessed for the first packet of a flow. The resultant set of actions and services is applied to the rest of the packets in the flow. The following criteria are used to determine whether a packet matches an existing flow:

Source address

Destination address

Source port

Destination port

Protocol

Session token

The session token is an internal index number that is set based on the packet's ingress zone. Packets that match an existing flow are treated according to the established flow state. Packets that do not match are treated as the first packets in a new flow and are used to create matching flow state for the related flow.



11.1.4.1.1. Flows and sessions

The stateful handling of flows requires the creation of a session. A session is created based on the characteristics of the first packet in a flow. Sessions are used for:

Storing the security measures to be applied to the packets of the flow

Caching information about the state of the flow; that is, logging and counting data for a flow is cached in its session

Allocating the resources required for features such as NAT and IPSec tunnels

Providing a framework for features such as Application Layer Gateways (ALGs) and firewall features

The combined effects of flow and session state bring together the following features and events that affect a packet as it undergoes flow-based processing:

Flow-based forwarding

Session management, including session aging and changes in routes, policy, and interfaces

Management of VPNs, ALGs, and authentication

Management of policies, NAT, zones, and screens

Each session resulting from a flow is associated with a timeout value. For example, the default timeout for the Transmission Control Protocol (TCP) is 30 minutes; the default timeout for the User Datagram Protocol (UDP) is 1 minute. When a flow is terminated, it is marked as invalid, and its timeout is reduced to 10 seconds. You can change the idle timeout value; it is designed to ensure that system resources are not tied up indefinitely on an otherwise defunct flow.



11.1.4.2. JUNOS software with enhanced services packet walk

In this section, we will follow a packet as it traverses the JUNOS software with enhanced services data plane, where it encounters a mix of packet- and flow-based handling steps. Figure 11-3 shows where the numbered events tie into the packet-handling steps described in the following text.

Figure 11-3. JUNOS software with enhanced services packet walk



The steps shown for the initial path represent the full set of checks and service instantiations that can be performed against the initial packets of a communications flow. In contrast, the fast path represents the streamlined steps executed for previously processed (and accepted) flows. The two-stage approach provides the ability to deeply inspect initial packets, which is computationally expensive but needed for true security, while at the same time offering high throughput by switching permitted flows based on established flow state. It should be noted that not all packets need to be touched at all possible processing points. For example, NAT is optional, and when not configured, NAT processing is not invoked. The packet processing steps are as follows:

1. Pull the packet from the queue, perform class of service (CoS) behavior aggregate (BA) classification, and note the ingress interface's zone for later policy lookup.

2. Apply the ingress policer/shaper.

3. Apply the ingress firewall filter; this can invoke a policer or multifield CoS classification.

4. Perform a session lookup; if there is no match, follow the initial path:

a. Conduct a firewall screen check. When enabled, screen checks log or filter out packets with anomalous characteristics such as an attack signature.

b. Perform a route lookup to determine the egress interface.

c. Locate the destination (outgoing) zone, based on the route lookup result.

d. Look up and execute policy based on the incoming and outgoing zones; results include permit, deny, and reject.

e. Allocate the NAT address based on the destination, source, or destination/source NAT policy directive.

f. Set up ALGs as needed to support identified applications when NAT is active.

g. Install a session tuple for fast path processing of related packets.

If a session is matched, follow the fast path:

a. Perform TCP checks to look for connection anomalies and match responses.

b. Conduct NAT translation when invoked by policy.

c. Perform ALG processing as needed by NAT.

5. Whether initial or fast path, perform forwarding services on the packet.

6. Perform egress firewall filtering, which can invoke a policer action.

7. Perform egress shaping or interface-level policing; schedule and transmit the packet.
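The following Python model is added here as an illustration; it is not code from the book or from Juniper. It ties together three ideas from this section: zone-pair policy lookup with the trust/untrust intrazone defaults (Section 11.1.2.1), the six-criteria flow match and the two-flow session with its TCP, UDP and invalid-flow timeouts (Section 11.1.4.1.1), and the initial-path versus fast-path split of the packet walk (Section 11.1.4.2). Interface names, zone tokens, addresses, routes and policy rules are constructed for the example; the screen check is reduced to a single land-attack test (source equals destination), and NAT, ALGs and CoS are omitted.

```python
# Added example (not Juniper code): a toy model of the flow/session logic
# described above. Zones, interfaces, routes, policies and packets are all
# constructed for the example; timeouts are the defaults quoted in the text.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

TCP, UDP = 6, 17
DEFAULT_TIMEOUT = {TCP: 30 * 60, UDP: 60}  # seconds: 30 minutes / 1 minute
INVALID_TIMEOUT = 10                        # applied once a flow is terminated

Packet = namedtuple("Packet", "src dst sport dport proto ingress_if fin",
                    defaults=[False])       # fin=True: TCP FIN, flow torn down


@dataclass
class Session:
    fwd_key: tuple     # 5-tuple + ingress-zone token of the first packet
    rev_key: tuple     # the return flow, which enters via the egress zone
    expires: float
    valid: bool = True
    packets: int = 0


class FlowEngine:
    def __init__(self, zone_of_if, routes, policies, intrazone_block=()):
        self.zone_of_if = zone_of_if                   # interface -> zone
        self.zones = sorted(set(zone_of_if.values()))  # session token = index
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes]
        self.policies = policies                       # (from, to) -> rules
        self.intrazone_block = set(intrazone_block)
        self.sessions = {}                             # key -> Session

    def key(self, pkt, zone):
        """The six match criteria: 5-tuple plus the ingress-zone token."""
        return (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto,
                self.zones.index(zone))

    def egress_interface(self, dst):
        """Longest-prefix route lookup; None when there is no route."""
        addr = ipaddress.ip_address(dst)
        best = max((r for r in self.routes if addr in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)
        return best[1] if best else None

    def policy_action(self, pkt, from_zone, to_zone):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for rule in self.policies.get((from_zone, to_zone), []):  # zone pair only
            if (src in rule["src"] and dst in rule["dst"] and
                    pkt.proto == rule["proto"] and pkt.dport in rule["dports"]):
                return rule["action"]
        if from_zone == to_zone and from_zone not in self.intrazone_block:
            return "permit"   # intrazone traffic needs no policy by default
        return "deny"         # interzone (and blocked intrazone) default

    def process(self, pkt, now):
        from_zone = self.zone_of_if[pkt.ingress_if]
        key = self.key(pkt, from_zone)
        sess = self.sessions.get(key)
        if sess and now >= sess.expires:              # aged out: forget it
            self.sessions.pop(sess.fwd_key, None)
            self.sessions.pop(sess.rev_key, None)
            sess = None
        if sess:                                      # fast path
            sess.packets += 1
            if pkt.fin:
                sess.valid = False                    # terminated: 10 s timeout
            sess.expires = now + (DEFAULT_TIMEOUT[pkt.proto] if sess.valid
                                  else INVALID_TIMEOUT)
            return "permit"
        if pkt.src == pkt.dst:                        # initial path: screen
            return "drop-screen"                      # (land attack check)
        egress_if = self.egress_interface(pkt.dst)    # route lookup
        if egress_if is None:
            return "drop-no-route"
        to_zone = self.zone_of_if[egress_if]          # destination zone
        action = self.policy_action(pkt, from_zone, to_zone)
        if action != "permit":
            return action                             # deny / reject
        rev = Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto, egress_if)
        sess = Session(key, self.key(rev, to_zone),
                       now + DEFAULT_TIMEOUT[pkt.proto], packets=1)
        self.sessions[sess.fwd_key] = sess            # one session, two flows
        self.sessions[sess.rev_key] = sess
        return "permit"

    def session_count(self):
        return len({id(s) for s in self.sessions.values()})


def build_engine():
    # Constructed trust/untrust network in the spirit of Figure 11-1.
    net = ipaddress.ip_network
    zone_of_if = {"ge-0/0/0.0": "trust", "ge-0/0/1.0": "untrust",
                  "ge-0/0/2.0": "untrust"}
    routes = [("10.0.0.0/24", "ge-0/0/0.0"), ("203.0.113.0/24", "ge-0/0/2.0"),
              ("0.0.0.0/0", "ge-0/0/1.0")]
    policies = {("trust", "untrust"): [
        {"src": net("10.0.0.0/24"), "dst": net("0.0.0.0/0"), "proto": TCP,
         "dports": {80, 443}, "action": "permit"},
        {"src": net("10.0.0.0/24"), "dst": net("0.0.0.0/0"), "proto": UDP,
         "dports": {53}, "action": "permit"}]}
    return FlowEngine(zone_of_if, routes, policies, intrazone_block={"untrust"})
```

Two behaviors are worth watching when you run it. First, a return packet arriving on an untrust interface never consults policy: it hits the session's reverse key, whose token is the egress zone of the first packet, and takes the fast path. Second, once a UDP session has idled past 60 seconds, or a TCP session has seen a FIN and then 10 seconds have elapsed, the next packet in either direction is a first packet again, so a reply that arrives after the session aged out is evaluated as untrust-to-trust traffic and is denied for lack of a policy.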



11.1.5. JUNOS Software with Enhanced Services Summary

The release of JUNOS software with enhanced services is a significant milestone in JUNOS software evolution. Looking back at Figure 11-3, you can appreciate the combined one-two punch of JUNOS software with enhanced services. You can now have the best of all worlds: the familiar JUNOS software CLI, its proven modular design that separates the control and data planes, the two-stage commit process, commit and operational scripts, and world-class routing protocol implementations. On top of this, you also get significant security and service features and enhancements. In the initial release, these enhancements are largely security-based and are derived from features available in ScreenOS. Later JUNOS software with enhanced services releases may contain additional, nonsecurity-focused
