
[SRX] Example Configuration - Web redirect for Pass through HTTP traffic with firewall user authentication


Article ID: KB31391    KB Last Updated: 07 Jan 2017    Version: 1.0
Summary:

This article explains how to configure web-redirect for pass-through HTTP traffic with firewall user authentication, so that user credentials are not exchanged in clear text with the target server during authentication.

Symptoms:

During pass-through authentication, the SRX receives an HTTP request that carries the user name and password in clear text in the HTTP header. Once the user is successfully authenticated, the SRX forwards the traffic to the back-end server without modifying that header. On all SRX Series devices, after a user is authenticated by pass-through firewall user authentication, the credentials can therefore be captured in plain text in the subsequent HTTP request to the target server. To mitigate this security vulnerability, starting with Junos OS 12.1X47-D35, 12.3X48-D25, 12.3X48-D30, 15.1X49-D35, 15.1X49-D40, and 16.1R1, a commit warning was introduced that recommends using web-redirect for HTTP traffic. With web-redirect, the browser authenticates against an IP address on the SRX itself, so the authentication headers are sent only to the SRX and never to the target server.

Example commit warning:

root@srx3600# commit check
[edit security policies from-zone UT-ZONE to-zone T-ZONE policy P1 then permit firewall-authentication]
'pass-through'
We recommend that you configure web-redirect for HTTP pass-through instead of using direct HTTP pass-through because web browser may automatically carry credential in subsequential request to target web-server.
configuration check succeeds

Notes:

  • This is a warning message and does not affect the services and features configured on SRX.
  • This issue affects all SRX platforms (branch SRX, high-end SRX, and vSRX platforms) and occurs when pass-through firewall user authentication is used.

Solution:

To mitigate the clear text credential exchange and stop the commit warning, configure web-redirect on every security policy that has firewall authentication enabled for pass-through traffic.

Refer to Example: Configuring Pass-Through Authentication

Steps to configure web-redirect:

  1. Identify all security policies that have firewall user authentication enabled for pass-through traffic.

  2. Configure web-redirect to the security policy as follows:

    set security policies from-zone untrust to-zone trust policy test then permit firewall-authentication pass-through web-redirect

  3. Enable firewall authentication on the ingress interface for the traffic as follows:

    set interfaces ge-0/0/1 unit 0 family inet address 21.0.0.100/24 preferred
    set interfaces ge-0/0/1 unit 0 family inet address 21.0.0.101/24 web-authentication http
Note: Web-authentication cannot be configured on the IP address that is assigned to the interface as its own address. Hence, mark the interface IP address as preferred and configure a second, unused IP address on the same interface for web-authentication.
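To help with step 1, the following Python script (an added example, not part of this KB article or any Juniper tool) scans a configuration exported in "set" format, reports every pass-through firewall-authentication policy that still lacks web-redirect, and prints the corresponding remediation command from step 2. The configuration lines below are constructed sample input.

```python
import re

# Constructed sample of a Junos configuration in "set" format (not from a real device).
# Policy "test" uses pass-through without web-redirect and should be flagged;
# policy "P1" already has web-redirect; policy "allow-out" has no authentication.
SAMPLE_CONFIG = """\
set security policies from-zone untrust to-zone trust policy test match source-address any
set security policies from-zone untrust to-zone trust policy test then permit firewall-authentication pass-through
set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 then permit firewall-authentication pass-through web-redirect
set security policies from-zone trust to-zone untrust policy allow-out then permit
"""

# Matches the "then permit firewall-authentication pass-through ..." statement of a policy
# and captures the zone pair, the policy name and any trailing options.
PASS_THROUGH_RE = re.compile(
    r"^set security policies from-zone (?P<from>\S+) to-zone (?P<to>\S+) "
    r"policy (?P<name>\S+) then permit firewall-authentication pass-through(?P<rest>.*)$"
)


def find_policies_without_web_redirect(config_text):
    """Return sorted (from-zone, to-zone, policy) tuples using pass-through auth
    without the web-redirect option."""
    has_redirect = {}
    for line in config_text.splitlines():
        m = PASS_THROUGH_RE.match(line.strip())
        if not m:
            continue
        key = (m.group("from"), m.group("to"), m.group("name"))
        # A policy may be spread over several "set" lines; remember if any of them
        # carries the web-redirect keyword.
        redirect_here = "web-redirect" in m.group("rest").split()
        has_redirect[key] = has_redirect.get(key, False) or redirect_here
    return sorted(key for key, ok in has_redirect.items() if not ok)


def remediation_commands(policies):
    """Build the step-2 "set" command for each flagged policy."""
    return [
        "set security policies from-zone %s to-zone %s policy %s "
        "then permit firewall-authentication pass-through web-redirect" % policy
        for policy in policies
    ]


if __name__ == "__main__":
    flagged = find_policies_without_web_redirect(SAMPLE_CONFIG)
    for cmd in remediation_commands(flagged):
        print(cmd)
```

Run it against the output of `show configuration | display set` saved to a file to audit a real device.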
