
Attack Protection Overview for ScreenOS 5.0


Article ID: KB4242    Last Updated: 07 Jun 2010    Version: 5.0
Summary:

Attack Protection Overview for ScreenOS 5.0


Solution:

Note: This article applies to ScreenOS 5.0 and above.

ScreenOS version 5.0 has several new features and updates for attack protection.

Attack Protection Aggressive Aging - When the session table nears its maximum capacity, the NetScreen device aggressively ages out the oldest entries from its session table. You need to set the following three parameters:

  • A high-watermark, at which point the aging-out process begins.
  • A low-watermark, at which point the aging-out process stops.
  • An early age-out time, which is the time that must elapse before aggressively aging out a session after the number of sessions exceeds the high-watermark and before it retreats below the low-watermark. When the number of sessions is under the low-watermark setting, the normal session age-out time takes effect.
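The three parameters above interact with hysteresis: crossing the high-watermark switches the session table to the early age-out time, and only falling below the low-watermark switches it back. The following is an added simulation of that behaviour, not ScreenOS code; the capacity, watermark percentages and timeouts are constructed values.

```python
from dataclasses import dataclass, field

NORMAL_AGEOUT = 1800   # constructed: seconds an idle session normally lives
EARLY_AGEOUT = 20      # constructed: early age-out time used while aging aggressively


@dataclass
class SessionTable:
    capacity: int
    high_wm: int                 # percent of capacity at which aggressive aging starts
    low_wm: int                  # percent of capacity at which it stops
    sessions: dict = field(default_factory=dict)   # session id -> last activity (s)
    aggressive: bool = False

    def fill_pct(self) -> float:
        return 100.0 * len(self.sessions) / self.capacity

    def add(self, sid: str, now: int) -> None:
        self.sessions[sid] = now

    def age_out(self, now: int) -> list:
        """Drop idle sessions, oldest first, and return the ids that were dropped."""
        # Crossing the high-watermark turns aggressive aging on; only falling
        # below the low-watermark (checked per drop below) turns it off again.
        if self.fill_pct() >= self.high_wm:
            self.aggressive = True
        dropped = []
        for sid, last in sorted(self.sessions.items(), key=lambda kv: kv[1]):
            if self.aggressive and self.fill_pct() < self.low_wm:
                self.aggressive = False          # back under the low-watermark: stop
            timeout = EARLY_AGEOUT if self.aggressive else NORMAL_AGEOUT
            if now - last < timeout:
                break                            # later entries are fresher still
            del self.sessions[sid]
            dropped.append(sid)
        return dropped
```

With a 10-entry table, an 80% high-watermark and a 50% low-watermark, eight sessions idle for 30 seconds are trimmed to four: the fifth candidate is evaluated after the table has already dropped under the low-watermark, so the normal timeout applies to it.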

 

Antivirus Scanning - NetScreen devices can scan certain types of traffic for the presence of virus patterns. Some NetScreen devices support an internal AntiVirus (AV) scanner and some can connect to an external AV scanner (the Trend Micro VirusWall scanner). After loading the appropriate license key and virus pattern file for internal AV scanning, you can create policies requiring the scanning of HTTP, SMTP, and (for internal AV scanning) POP3 packets permitted by the firewall.

Deep Inspection - NetScreen devices can inspect OSI Layers 3 and 4 packet headers and Layer 7 application content for protocol anomalies and attack signatures. After loading the appropriate license key and attack object database on the NetScreen device, you can create policies requiring the deep inspection of packets permitted by the firewall. If the Deep Inspection module detects an anomaly or signature, it then performs a user-specified action, such as dropping the packet.

Destination-Based Session Limit - A new ScreenOS option allows you to set a limit for the number of concurrent sessions directed to a single destination. This option permits the NetScreen device to deflect a flood of traffic targeting a host, such as a web server, at a specific IP address.

Fragment Reassembly - You can enable the reassembly of fragmented IP packets and TCP segments, so that the NetScreen firewall can examine them for content-based attack signatures that might be indiscernible when fragmented. The NetScreen device performs fragment reassembly only if the service is HTTP or FTP.

Granular Blocking of HTTP Components - You can selectively choose which HTTP components (ActiveX controls, Java applets, .exe files, and .zip files) you want the NetScreen device to block.

Layer 2 and Layer 3 IP Spoof Checking - A NetScreen device can detect packets whose source IP address has been spoofed, whether it operates in Transparent mode (Layer 2) or in Route or NAT mode (Layer 3). Layer 2 and Layer 3 IP spoof checking make use of different elements in the configuration.

  • Layer 3 - When the NetScreen device is operating in Route or NAT mode, the mechanism to detect IP spoofing relies on route table entries. For example, if a packet with source IP address 10.1.1.1 arrives at ethernet2, but the NetScreen device has a route to 10.1.1.0/24 through ethernet1, IP spoof checking notes that the packet arrived at an invalid interface (as defined in the route table, a valid packet from 10.1.1.1 can only arrive via ethernet1, not ethernet2). Therefore, the device concludes that the packet has a spoofed source IP address and discards it.
  • Layer 2 - When the NetScreen device is operating in Transparent mode, the IP spoof checking mechanism makes use of address book entries. For example, you have defined an address for webserver A as 200.1.1.1/32 in the V1-DMZ zone. If a packet with source IP address 200.1.1.1 arrives at a V1-Untrust zone interface, IP spoof checking notes that the packet arrived at an invalid interface (because the address belongs to the V1-DMZ zone, not to the V1-Untrust zone). Therefore, the device concludes that the packet has a spoofed source IP address and discards it.
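Both checks reduce to the same question: does the ingress interface match where the configuration says this source address lives? The following added example (not ScreenOS code) implements the two lookups over the article's own addresses; the route table, the interface-to-zone binding and the use of longest-prefix match for the Layer 3 lookup are assumptions made here.

```python
import ipaddress

# Constructed Layer 3 route table (Route/NAT mode): prefix -> egress interface.
ROUTES = {
    "10.1.1.0/24": "ethernet1",
    "192.168.0.0/16": "ethernet3",
    "0.0.0.0/0": "ethernet2",
}

# Constructed Layer 2 data (Transparent mode): address book entry -> zone,
# and the zone each interface is bound to.
ADDRESS_BOOK = {"200.1.1.1/32": "V1-DMZ"}
IFACE_ZONE = {"ethernet1": "V1-Untrust", "ethernet2": "V1-DMZ"}


def l3_spoofed(src_ip: str, ingress_if: str) -> bool:
    """Layer 3: flag the packet if the best route back to src_ip does not leave via ingress_if."""
    src = ipaddress.ip_address(src_ip)
    best = None
    for prefix, egress in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)           # keep the longest matching prefix
    if best is None:
        return True                        # no route back to the source at all
    return best[1] != ingress_if


def l2_spoofed(src_ip: str, ingress_if: str) -> bool:
    """Layer 2: flag the packet if an address book entry puts src_ip in another zone."""
    src = ipaddress.ip_address(src_ip)
    ingress_zone = IFACE_ZONE[ingress_if]
    for entry, zone in ADDRESS_BOOK.items():
        if src in ipaddress.ip_network(entry) and zone != ingress_zone:
            return True
    return False                           # assumption: unlisted addresses pass this check
```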


RADIUS Access-Challenge Support - NetScreen devices can process access-challenge packets from an external RADIUS server when an authentication user attempts to log on via Telnet. Access-challenge presents an additional condition to the login process after the approval of an admin name and password. After an authentication user responds to a login prompt with the correct admin name and password, the RADIUS server sends an access-challenge to the NetScreen device, which the NetScreen device then forwards to the user. When the user replies, the NetScreen device sends a new access-request with the user's response to the RADIUS server. If the user's response is correct, the authentication process concludes successfully.
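The exchange described above, as an added model that is not Juniper code: the RADIUS packet codes and the State attribute that ties the second Access-Request to the challenge follow RFC 2865, while the user database, the challenge itself and the way the user computes a response (an HMAC over the challenge with a token secret) are constructed for the demo; User-Password hiding and wire encoding are left out.

```python
import hmac
import hashlib
import os

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11


def challenge_response(token_secret: bytes, challenge: str) -> str:
    """Constructed response function shared by the user's token and the server."""
    return hmac.new(token_secret, challenge.encode(), hashlib.sha256).hexdigest()[:16]


class RadiusServer:
    """Constructed server: checks the password, then demands a challenge response."""

    def __init__(self, users: dict):
        self.users = users      # name -> (password, token_secret)
        self.pending = {}       # State -> (name, expected response)

    def handle(self, req: dict) -> dict:
        name = req.get("User-Name")
        if name not in self.users:
            return {"code": ACCESS_REJECT}
        password, token_secret = self.users[name]
        if "State" in req:      # second round: State identifies the outstanding challenge
            expected = self.pending.pop(req["State"], None)
            ok = expected is not None and expected[0] == name and \
                hmac.compare_digest(req.get("User-Password", ""), expected[1])
            return {"code": ACCESS_ACCEPT if ok else ACCESS_REJECT}
        if not hmac.compare_digest(req.get("User-Password", ""), password):
            return {"code": ACCESS_REJECT}
        challenge, state = os.urandom(4).hex(), os.urandom(8).hex()
        self.pending[state] = (name, challenge_response(token_secret, challenge))
        return {"code": ACCESS_CHALLENGE, "State": state, "Reply-Message": challenge}


def netscreen_telnet_login(server, name: str, password: str, user_reply) -> bool:
    """The firewall's role: relay the server's challenge to the Telnet user and the reply back."""
    reply = server.handle({"code": ACCESS_REQUEST, "User-Name": name, "User-Password": password})
    if reply["code"] == ACCESS_CHALLENGE:
        # Prompt the user with the Reply-Message, then send a new Access-Request
        # carrying the user's answer together with the server's State.
        answer = user_reply(reply["Reply-Message"])
        reply = server.handle({"code": ACCESS_REQUEST, "User-Name": name,
                               "User-Password": answer, "State": reply["State"]})
    return reply["code"] == ACCESS_ACCEPT
```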
