This chapter discusses the concepts common to Access Policies and Virtual Private Networks (VPNs). The specific topics discussed are:
The NetScreen ScreenOS classifies the addresses of all other devices by location and netmask. Trusted addresses are located behind the Trusted interface and appear as green in the WebUI. Untrusted addresses are located behind the Untrusted interface and appear as red. DMZ addresses are located behind the DMZ interface (NetScreen-10 and -100) and appear as brown.
Individual hosts have only a single IP address defined and are represented by a single computer icon in the WebUI. Individual hosts must have a netmask setting of 255.255.255.255 (which masks out all but this host).
Subnets have an IP address and a netmask (for example, 255.255.255.0 or 255.255.0.0) and are represented by multiple computer icons in the WebUI.
Before you can configure Access Policies to permit, deny, or tunnel traffic to and from individual hosts and subnets, you must make entries for them in the Trusted, Untrusted, and DMZ (NetScreen-10 and -100) sections of the NetScreen address book.
Before you can set up many of the NetScreen firewall, VPN, and traffic shaping features, you need to define addresses in the address book. The address book contains the IP addresses or domain names [1] of hosts or subnets whose traffic is either allowed, blocked, encrypted, or user-authenticated.
In this example, you add the subnet "Santa Clara Eng" with the IP address 192.10.10.0/24 as a Trusted address, and the address www.firenet.com as an Untrusted address.
In this example, you change the address entry for the host "Santa Clara Eng" to reflect that this host has moved to Dallas and has been reassigned the IP address 192.10.40.0/24.
Address >> Trusted >> Edit (for Santa Clara Eng): Change the name and IP address to the following, and then click OK:
The previous section explained how you create, modify, and delete address book entries for individual hosts and subnets. As you add addresses to the address book, it becomes difficult to manage how Access Policies affect each address entry. NetScreen allows you to create groups of addresses. Rather than manage a large number of address book entries, you can manage a small number of groups. Changes you make to the group are applied to each address entry in the group.
· You can create address groups with existing users, or you can create empty address groups and then fill them with users.
· NetScreen applies Access Policies to each member of the group by creating individual Access Policies for each group member. While you only have to create one Access Policy for a group, NetScreen actually creates an Access Policy for each member in the group (as well as for each service configured for each user). [2]
· When an individual address book entry is deleted from the address book, it is also removed from all groups in which it was referenced.
· Address names cannot be the same as group names. If the name "Paris" is used for an individual address entry, it cannot be used for a group name.
· If an address group is referenced in an Access Policy, the group cannot be removed. It can, however, be edited.
· When a single Access Policy is assigned to an address group, it is applied to each group member individually, and the NetScreen device makes an entry for each member in the access control list (ACL). If you are not vigilant, it is possible to exceed the number of available Access Policy resources, especially if both the source and destination are address groups.
· You cannot add the predefined addresses: "Outside Any," "Inside Any," "DMZ Any," "All Virtual IPs," and "Dial-Up VPN" to groups.
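The group rules above (name collisions, deletion propagation, the predefined addresses, and the per-member expansion that can exhaust policy resources) as a small constructed model. This is added illustration code, not ScreenOS code; the AddressBook class, its policy_limit, and the expansion arithmetic are assumptions.

```python
import ipaddress

# Predefined addresses that may appear in a policy but never inside a group.
PREDEFINED = {"Outside Any", "Inside Any", "DMZ Any", "All Virtual IPs", "Dial-Up VPN"}


class AddressBook:
    def __init__(self, policy_limit=100):
        self.addresses = {}          # name -> ip_network (host entries are /32)
        self.groups = {}             # group name -> list of address names
        self.policy_limit = policy_limit   # assumed ceiling on ACL entries

    def add_address(self, name, cidr):
        if name in self.groups:
            raise ValueError("address name clashes with group name: " + name)
        self.addresses[name] = ipaddress.ip_network(cidr, strict=False)

    def new_group(self, name, members=()):
        if name in self.addresses:
            raise ValueError("group name clashes with address name: " + name)
        for m in members:
            if m in PREDEFINED:
                raise ValueError("predefined address cannot be grouped: " + m)
            if m not in self.addresses:
                raise KeyError(m)
        self.groups[name] = list(members)

    def delete_address(self, name):
        # Deleting an address also drops it from every group that referenced it.
        del self.addresses[name]
        for members in self.groups.values():
            if name in members:
                members.remove(name)

    def members(self, name):
        # A group expands to its members; anything else stands for itself.
        return self.groups.get(name, [name])

    def expand_policy(self, src, dst, services):
        """Return the per-member ACL entries that one group policy turns into."""
        entries = [(s, d, svc) for s in self.members(src)
                   for d in self.members(dst) for svc in services]
        if len(entries) > self.policy_limit:
            raise RuntimeError(f"{len(entries)} ACL entries exceed limit {self.policy_limit}")
        return entries
```

With a source group, a destination group and several services the entry count is the product of all three, which is the resource exhaustion the last bullet warns about.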
In the following example, you create a group named "HQ 2nd Floor" that includes "Santa Clara Eng" and "Tech Pubs," two Trusted addresses that you have already entered in the address book.
1. Address >> Trusted >> New Group: Enter the following group name, move the following addresses, and then click OK:
In this example, you add Support (an address that you have already entered in the address book) to the HQ 2nd Floor address group.
In this example, you remove the member Support from the HQ 2nd Floor address group, and then delete Sales, an address group that you had previously created.
The Virtual IP (VIP) feature provides network flexibility and security. In a Network Address Translation (NAT) environment, host computers use non-routable IP addresses inside the firewall while maintaining full Internet connection and functionality. This feature gives network administrators flexibility to expand their networks without being constrained by the scarcity of legal IP addresses. In addition, NAT also provides better network security by hiding internal network topology and host information from the outside world.
However, to maintain some Internet services (for example, e-mail, POP3, FTP), a server with a legal IP address must be present to service the requests. VIP allows you to map routable IP addresses to internal servers, thereby providing transparent connections for a NAT network to the Internet. Other benefits of using VIP include:
Scalability: As Internet service demand increases, companies need to improve servers' performance in order to maintain the quality of their services. While upgrading the server to a larger, faster machine generally relieves the short-term pressures, the disruption to services and the prohibitive cost of upgrading quickly make this solution undesirable.
Redundancy: With Virtual IP, servers can be assigned to the same IP address and mirrored to provide High Availability (HA) for network services. Individual servers can also be taken off-line for maintenance without disruption to network traffic.
Reduction in capital cost: Multiple domains and Web servers can be mapped to the same physical server, thus reducing the cost of computer equipment as well as the associated administration tasks.
Flexibility in assigning ports: By setting up Virtual IP (VIP) addresses, you can configure your NetScreen device to route traffic destined for many different IP addresses on the subnet of the Untrusted interface to specific addresses on the Trusted network.
The maximum number of VIPs, and the maximum number of services per VIP that are supported by each NetScreen device are as follows:
· The IP address for the VIP, which must be in the same subnet as the Untrusted interface and can even be the same address as the Untrusted interface [3]
· The port number for communication between the Trusted server and the Untrusted interface on the NetScreen device
In this example, you configure a VIP at 2.2.2.20 to route inbound HTTP traffic to a pool of two Web servers at 172.16.12.10 and 172.16.12.11. (The Untrusted IP address of the NetScreen-100 is 2.2.2.10/24.) The port number for HTTP is translated from 80 (the standard well-known port number) to 1142.
In this example, you modify the Virtual IP server configuration you just created. In this case, you add an additional server 172.16.12.12.
Mapped IP (MIP) is a direct one-to-one mapping of traffic destined for one IP address to another IP address, and is based solely on IP addresses. When the NetScreen device is operating in NAT mode, an MIP provides a means for incoming traffic to reach a private address on the Trusted network. You can configure an MIP address to route traffic destined for an address on the Untrusted subnet to a different address on the Trusted subnet, regardless of the service and corresponding port number involved.
By setting up MIP addresses, you can configure the NetScreen device to route traffic destined for many different IP addresses on the subnet of the Untrusted interface to specific addresses on the Trusted network.
This example explains how to map incoming traffic destined to the Untrusted IP address 209.122.17.6 to the Trusted IP address 172.16.17.6.
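The VIP and MIP examples above (2.2.2.20:80 to the Web server pool on port 1142, and 209.122.17.6 mapped one-to-one to 172.16.17.6) as a constructed inbound translation model. It is added illustration code, not ScreenOS code; the InboundTranslator class and its round-robin server choice are assumptions.

```python
from itertools import cycle


class InboundTranslator:
    def __init__(self):
        self.vips = {}   # (vip ip, public port) -> {"servers": [...], "port": private port}
        self.mips = {}   # untrusted ip -> trusted ip (one-to-one, any service)
        self._rr = {}    # round-robin iterator per VIP service (assumed balancing)

    def add_vip_service(self, vip_ip, public_port, private_port, servers):
        # A VIP maps one service at a time; each service gets its own entry.
        key = (vip_ip, public_port)
        self.vips[key] = {"servers": list(servers), "port": private_port}
        self._rr[key] = cycle(self.vips[key]["servers"])

    def add_vip_server(self, vip_ip, public_port, server):
        # Extending the pool behind an existing VIP service.
        entry = self.vips[(vip_ip, public_port)]
        entry["servers"].append(server)
        self._rr[(vip_ip, public_port)] = cycle(entry["servers"])

    def add_mip(self, untrusted_ip, trusted_ip):
        self.mips[untrusted_ip] = trusted_ip

    def translate(self, dst_ip, dst_port):
        """Return (trusted ip, trusted port) for an inbound packet, or None to drop it."""
        if dst_ip in self.mips:
            # MIP: address-only mapping, the port passes through regardless of service.
            return (self.mips[dst_ip], dst_port)
        entry = self.vips.get((dst_ip, dst_port))
        if entry is None:
            # No service mapped on that port: nothing behind the firewall is exposed.
            return None
        return (next(self._rr[(dst_ip, dst_port)]), entry["port"])
```

Note the difference in exposure: a MIP forwards every port to the trusted host, while a VIP only forwards the ports you explicitly map.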
· Authentication User - A network user who must provide a user name and password for authentication when initiating a connection across the firewall.
· IKE Dynamic Peer - A VPN user with a dynamically assigned IP address. The user provides his or her identity using an e-mail address, an IP address, or a domain name. The VPN can use either AutoKey IKE with a preshared key or AutoKey IKE with a certificate.
· VPN Dialup User - A VPN user with a dynamically assigned IP address. The VPN uses the manual key method for encryption and/or authentication.
Before traffic from an authentication user can traverse the firewall, and before a VPN user can participate in a VPN, you must create a configuration profile for each one.
· A VPN dialup user named Phil, who is assigned to the dialup user group "Western" and uses 3DES encryption with SHA-1 authentication.
There are a number of different protocols that your NetScreen device can use to verify that a user is who they say they are. These different techniques are discussed in this section.
All NetScreen devices support a built-in user database for authentication. The maximum number of entries supported by each device are:
After entering the user name and password in the database, you must create an Access Policy that requires a user to authenticate him or herself when initiating a specified connection (for example, outbound or inbound HTTP, or Telnet traffic). When the user attempts to initiate traffic for which the Access Policy applies, he or she is prompted to enter his or her name and password. Before granting permission, the NetScreen device validates the user name and password by checking them against those stored in the database.
The Remote Authentication Dial-In User Service (RADIUS) is an authentication server protocol that can be adapted to run on different kinds of networks and makes it easy and efficient to manage large modem pools. The focus of RADIUS is the remote user who needs to dial into the network.
RADIUS uses an authentication server to solve the security problems associated with remote computing. Distributed security separates user authentication and authorization from the communications process and creates a single, central location for user authentication data.
One RADIUS server can support up to tens of thousands of users, making it a very practical service for rapidly growing networks.
The RADIUS client (that is, the NetScreen device) authenticates users through a series of communications between the client and the server. Basically, RADIUS asks the person logging on to enter his or her user name and password. It then compares these values to those in its database, and once a user is authenticated, the client provides the user with access to the appropriate network services.
The relationship of NetScreen device and a Security Dynamics Technologies® SecurID® ACE server is similar to that of a NetScreen device and a RADIUS server; that is, the NetScreen device acts as a client, forwarding authentication requests to the external server for approval. SecurID differs from RADIUS in that the user password involves a continually changing string of numbers.
SecurID issues a credit-card-sized device with an LCD window that displays a randomly generated string of numbers that changes every minute. There is no other information on the card besides the number in the LCD display.
Security Dynamics issues a card and a personal ID number (PIN) to a registered user and maintains the user profile in their database. When the user is prompted to authenticate himself, he enters his name and password, which is his PIN followed by the string of numbers currently displayed on his card. The numbers displayed on the card change every minute. The values that display are generated by an algorithm known only by Security Dynamics. This value is saved to the Security Dynamics database entry for this PIN. When the user to be authenticated enters his PIN and the number on his card, Security Dynamics compares these values to those in the database. If they match, the user is authenticated.
Lightweight Directory Access Protocol (LDAP) is a directory server standard developed by Netscape® to help in authenticating users attempting to connect to networks controlled by directory servers.
LDAP is a client-server protocol for accessing a directory service. It can be used as a front-end to X.500, as a stand-alone protocol, or as a directory server.
LDAP does not require the upper layers of the OSI stack, it is a simpler protocol to implement (especially in clients), and LDAP is under IETF change control and so can more easily evolve to meet Internet requirements.
The LDAP information model is based on the entry, which contains information about some object (for example, a person). Entries are composed of attributes, which have a type and one or more values. Each attribute has a syntax that determines what kind of values are allowed in the attribute and how those values behave during directory operations.
Examples of attribute syntaxes include IA5 (ASCII) strings, JPEG photographs, u-law encoded sounds, URLs, and Pretty Good Privacy (PGP) keys.
One of the main reasons organizations use VPNs is to allow remote dialup users to be able to traverse the firewall from anywhere in the world and access their data in a secure environment. The VPN tunnel connection from them to the corporate site assures security as well as access.
To manage a number of remote dialup users, NetScreen enables you to create dialup user groups. Rather than manage each user individually, you can aggregate users into a group. Changes you make to the group are then propagated to each group member. The examples that follow illustrate how to create new dialup user groups and then add users to them. Other examples show how to remove members from a group and move members from one group to another.
Services are types of IP traffic for which protocol standards exist. Each service has a port number associated with it, such as 21 for FTP and 23 for Telnet.
The illustration below shows the services supported in ScreenOS 2.5. For information on each service, hold your cursor over the service icon. In this illustration, the mouseover information block is displayed for X-Windows.
When you create an Access Policy, you must specify a service for it. You can select one of the pre-configured services from the service book, or a custom service or service group that you created. You can see which service you can use in an Access Policy by examining the Service drop-down List in the Policy Configuration dialog box (WebUI), or by using the get service command (CLI).
The following section provides examples for viewing the service book and for creating, modifying, and deleting custom services.
· Whether the service uses the TCP or UDP protocol, or some other protocol as defined by the Internet specifications. In this example, the protocol is TCP.
In this example, you change a custom service. In this case, the Transport is UDP, and the Source Port range changes to 1 through 1000.
Use the set service <name> clear command to remove the definition of a custom service without removing the service from the service book:
A service group is a set of services that you have gathered together under one name. After you create a group containing several services, you can then apply services at the group level to Access Policies, thus simplifying administration.
· Each service group can be referenced by other service groups, provided that a group referencing other groups does not include itself in the reference list.
· Service groups cannot have the same names as services; therefore, if you have a service named "FTP," you cannot have a service group named "FTP."
· If a service group is referenced in an Access Policy, you can edit the group but you cannot remove it until you have first removed the reference to it in the Access Policy.
· If a custom service book entry is deleted from the service book, the entry is also removed from all the groups in which it was referenced.
This example illustrates how you create a custom service group named Wiget that includes the IKE, FTP, and LDAP services.
1. Service >> Custom >> New Group: Enter the following, move the following services, and then click OK:
Although you cannot modify any of the pre-defined NetScreen services, you can modify existing user-defined custom services and service groups.
In this example, you change the existing user-defined services from IKE, FTP, and LDAP to HTTP, FINGER, IMAP, and H.323 protocols.
Although you cannot remove any of the pre-defined NetScreen services, you can remove existing user-defined custom services and service groups.
A schedule is a configurable object that you can associate with one or more Access Policies to define when they are in effect. Through the application of schedules, you can control network traffic flow and enforce network security.
Schedule Name: The name that appears in the Schedule drop-down list in the Policy Configuration dialog box. Choose a descriptive name to help you identify the schedule. The name must be unique and is limited to 19 characters.
Start and End Times: You must configure both a start time and an end time. You can specify up to two time periods within the same day.
In this example, there is a short-term employee named Tom who is using the company's Internet access for personal pursuits after work. You create a schedule for non-business hours that you can then associate with an Access Policy to deny outbound TCP/IP traffic from that worker's computer (10.10.4.5/24) outside of regular business hours.
set schedule "after hours" recurrent saturday start 00:00 stop 23:59 comment "for non-business hours"
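The schedule object above (unique name of at most 19 characters, mandatory start and stop, up to two periods per day) evaluated against a timestamp, with the "after hours" deny policy for Tom's host 10.10.4.5 as the worked case. This is added illustration code, not ScreenOS code; the Schedule class, the assumed business hours of 08:00 to 18:00 on weekdays, and policy_action are assumptions.

```python
from datetime import datetime, time


class Schedule:
    def __init__(self, name, comment=""):
        if len(name) > 19:
            raise ValueError("schedule names are limited to 19 characters")
        self.name = name
        self.comment = comment
        self.periods = {}   # weekday name -> list of (start, stop), at most two

    def recurrent(self, day, start, stop):
        """Add a daily window; both start and stop are required, as 'HH:MM'."""
        s, e = time.fromisoformat(start), time.fromisoformat(stop)
        if e <= s:
            raise ValueError("stop must be after start within the same day")
        windows = self.periods.setdefault(day.lower(), [])
        if len(windows) >= 2:
            raise ValueError("at most two periods per day")
        windows.append((s, e))
        return self

    def in_effect(self, when):
        """True when 'when' (datetime or ISO string) falls inside one of the windows."""
        if isinstance(when, str):
            when = datetime.fromisoformat(when)
        day = when.strftime("%A").lower()
        t = when.time()
        return any(s <= t <= e for s, e in self.periods.get(day, []))


def after_hours():
    # Constructed schedule: weekdays outside 08:00-18:00, and all of the weekend.
    sched = Schedule("after hours", comment="for non-business hours")
    for d in ("monday", "tuesday", "wednesday", "thursday", "friday"):
        sched.recurrent(d, "00:00", "07:59").recurrent(d, "18:00", "23:59")
    for d in ("saturday", "sunday"):
        sched.recurrent(d, "00:00", "23:59")
    return sched


def policy_action(sched, when, src_ip, deny_src="10.10.4.5"):
    """Action of the scheduled deny policy for outbound traffic from src_ip."""
    if src_ip == deny_src and sched.in_effect(when):
        return "deny"
    return "permit"
```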
[1] Before you can use domain names for address book entries, you must configure the NetScreen device for Domain Name System (DNS) services.
[2] The automatic way in which NetScreen applies Access Policies to address group members saves you from having to create them one by one for each address. Furthermore, NetScreen writes these Access Policies to the ASIC, which makes lookups run very fast.
[3] On the NetScreen-5, the Untrusted interface can receive its Untrusted IP address dynamically via DHCP or PPPoE. If you want to use a VIP in such a situation, do either of the following: In the WebUI (Virtual IP >> Virtual Server IP >> Click here to configure), select the Same as the Untrusted IP address option when setting up the VIP; in the CLI, use the set vip untrust-ip command.
[4] Using non-standard port numbers adds another layer of security, thwarting attacks that check for services at standard port numbers.
[5] When initially configuring a VIP, you can only map one service at a time. For example, if you are mapping six services to a Virtual IP, you must enter each one individually.
NetScreen Technologies Inc. http://www.netscreen.com Voice: (408) 730-6000 Fax: (408) 730-6100 sales@netscreen.com